Updates from: 05/27/2021 03:11:17
Service Microsoft Docs article Related commit history on GitHub Change details
active-directory-b2c Access Tokens https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/access-tokens.md
Previously updated : 10/26/2020 Last updated : 05/26/2021
An *access token* contains claims that you can use in Azure Active Directory B2C
This article shows you how to request an access token for a web application and web API. For more information about tokens in Azure AD B2C, see the [overview of tokens in Azure Active Directory B2C](tokens-overview.md). > [!NOTE]
-> **Web API chains (On-Behalf-Of) is not supported by Azure AD B2C.** - Many architectures include a web API that needs to call another downstream web API, both secured by Azure AD B2C. This scenario is common in clients that have a web API back end, which in turn calls a another service. This chained web API scenario can be supported by using the OAuth 2.0 JWT Bearer Credential grant, otherwise known as the On-Behalf-Of flow. However, the On-Behalf-Of flow is not currently implemented in Azure AD B2C.
+> **Web API chains (On-Behalf-Of) is not supported by Azure AD B2C.** - Many architectures include a web API that needs to call another downstream web API, both secured by Azure AD B2C. This scenario is common in clients that have a web API back end, which in turn calls a another service. This chained web API scenario can be supported by using the OAuth 2.0 JWT Bearer Credential grant, otherwise known as the On-Behalf-Of flow. However, the On-Behalf-Of flow is not currently implemented in Azure AD B2C. Although On-Behalf-Of works for applications registered in Azure AD, it does not work for applications registered in Azure AD B2C, regardless of the tenant (Azure AD or Azure AD B2C) that is issuing the tokens.
## Prerequisites
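Review bot: The rewritten `+>` line carries the typo "calls a another service" over from the removed line; fix it to "calls another service" while the line is being touched, and the bold lead "Web API chains (On-Behalf-Of) is not supported" has a plural subject with a singular verb, so "Web API chaining (On-Behalf-Of) isn't supported" reads better. The sentence added at the end of the note, that On-Behalf-Of fails for applications registered in Azure AD B2C regardless of which tenant issues the tokens, is the substantive improvement of this change and answers the question readers usually bring here; keep it.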
active-directory-b2c Configure Authentication Sample Web App https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/configure-authentication-sample-web-app.md
+
+ Title: Configure authentication in a sample web application using Azure Active Directory B2C
+description: Using Azure Active Directory B2C to sign in and sign up users in an ASP.NET web application.
++++++ Last updated : 05/25/2021+++++
+# Configure authentication in a sample web application using Azure Active Directory B2C
+
+This article uses a sample ASP.NET web application to illustrate how to add Azure Active Directory B2C (Azure AD B2C) authentication to your web applications.
+
+> [!IMPORTANT]
+> The sample ASP.NET web application referenced in this article can't be used to call a REST API because it returns an ID token but not an access token. For a web application that is able to call a REST API, see [Secure a Web API built with ASP.NET Core using the Azure AD B2C](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/4-WebApp-your-API/4-2-B2C).
+
+## Overview
+
+OpenID Connect (OIDC) is an authentication protocol built on OAuth 2.0 that you can use to securely sign a user in to an application. This web app sample uses [Microsoft Identity Web](https://www.nuget.org/packages/Microsoft.Identity.Web). Microsoft Identity Web is a set of ASP.NET Core libraries that simplifies adding authentication and authorization support to web apps.
+
+The sign-in flow involves following steps:
+
+1. User navigates to the web app and select **Sign-in**.
+1. The app initiates authentication request, and redirects the user to Azure AD B2C.
+1. The user [sign-up or sign-in](add-sign-up-and-sign-in-policy.md), [reset the password](add-password-reset-policy.md), or sign-in with a [social account](add-identity-provider.md).
+1. Upon successful sign-in, Azure AD B2C returns an ID token to the app.
+1. The app validates the ID token, reads the claims, and returns a secure page to the user.
+
+When the ID token is expired, or the app session is invalidated, the app initiates a new authentication request, and redirects the user to Azure AD B2C. If the Azure AD B2C [SSO session](session-behavior.md) is active, Azure AD B2C issues an access token without prompting the user to sign in again. If the Azure AD B2C session expires or becomes invalid, the user is prompted to sign-in again.
+
+The sign-out flow involves following steps:
+
+1. From the app, the user selects **Sign-out**.
+1. The app clears its session cookies, and redirects the user to Azure AD B2C to terminate Azure AD B2C session.
+1. The user is redirected back to the app.
+
+## Prerequisites
+
+A computer that's running either:
+
+# [Visual Studio](#tab/visual-studio)
+
+* [Visual Studio 2019 16.8 or later](https://visualstudio.microsoft.com/downloads/?utm_medium=microsoft&utm_source=docs.microsoft.com&utm_campaign=inline+link&utm_content=download+vs2019) with the **ASP.NET and web development** workload
+* [.NET 5.0 SDK](https://dotnet.microsoft.com/download/dotnet)
+
+# [Visual Studio Code](#tab/visual-studio-code)
+
+* [Visual Studio Code](https://code.visualstudio.com/download)
+* [C# for Visual Studio Code (latest version)](https://marketplace.visualstudio.com/items?itemName=ms-dotnettools.csharp)
+* [.NET 5.0 SDK](https://dotnet.microsoft.com/download/dotnet)
+++
+## Step 1: Configure your user flow
+
+When a user wants to sign in to your application, the application initiates an authentication request to the authorization endpoint via a [user flow](user-flow-overview.md). The user flow defines and controls the user experience, for example during sign-up or sign-in. When the user completes the user flow, Azure AD B2C generates a token and redirects the user back to your application.
+
+If you haven't done so already, [create a user flow](add-sign-up-and-sign-in-policy.md).
+
+## Step 2: Register a web application
+
+To enable your application to sign in with Azure AD B2C, register your app in the Azure AD B2C directory. Registering your app establishes a trust relationship between the app and Azure AD B2C.
+
+During app registration, you'll specify the **Redirect URI**. The redirect URI is the endpoint to which the user is redirected by Azure AD B2C after they authenticate with Azure AD B2C. The app registration process generates an **Application ID**, also known as the **client ID**, that uniquely identifies your app. Once your app is registered, Azure AD B2C will use both the application ID and redirect URI to create authentication requests.
+
+### Register the app
+
+Follow these steps to create the app registration:
+
+1. Sign in to the [Azure portal](https://portal.azure.com).
+1. Select the **Directory + Subscription** icon in the portal toolbar, and then select the directory that contains your Azure AD B2C tenant.
+1. In the Azure portal, search for and select **Azure AD B2C**.
+1. Select **App registrations**, and then select **New registration**.
+1. Enter a **Name** for the application. For example, *webapp1*.
+1. Under **Supported account types**, select **Accounts in any identity provider or organizational directory (for authenticating users with user flows)**.
+1. Under **Redirect URI**, select **Web**, and then enter `https://localhost:5001/signin-oidc` in the URL text box.
+1. Under **Permissions**, select the **Grant admin consent to openid and offline access permissions** check box.
+1. Select **Register**.
+1. Select **Overview**.
+1. Record the **Application (client) ID** for use in a later step when you configure the web application.
+
+ ![Get your application ID](./media/configure-authentication-sample-web-app/get-azure-ad-b2c-app-id.png)
++
+### Enable ID tokens
+
+For web apps that request an ID token directly from Azure AD B2C, enable the implicit grant flow in the app registration.
+
+1. In the left menu, under **Manage**, select **Authentication**.
+1. Under **Implicit grant**, select the **ID tokens** check box.
+1. Select **Save**.
+
+## Step 3: Get your tenant name
+
+To integrate your app with your Azure AD B2C tenant, you need to specify your tenant name in the app configuration file. Follow these steps to get your tenant name:
+
+1. Sign in to the [Azure portal](https://portal.azure.com).
+1. Select the **Directory + subscription** filter in the top menu, and then select the directory that contains your Azure AD B2C tenant.
+1. In the **Overview**, copy the first part of the **Domain name**.
+
+![Get your tenant name](./media/configure-authentication-sample-web-app/get-azure-ad-b2c-tenant-name.png)
++
+## Step 4: Get the web app sample
+
+[Download the zip file](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/archive/refs/heads/master.zip), or clone the sample web application from GitHub.
+
+```bash
+git clone https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2
+```
+
+Extract the sample file to a folder where the total character length of the path is less than 260.
+
+## Step 5: Configure the sample application
+
+In the sample folder, under the `1-WebApp-OIDC/1-5-B2C/` folder, open the **WebApp-OpenIDConnect-DotNet.csproj** project with Visual Studio or Visual Studio Code.
+
+Under the project root folder, open the `appsettings.json` file. This file contains information about your Azure AD B2C identity provider. Update the following properties of the app settings:
+
+* **Instance** - Replace `<your-tenant-name>` with your tenant name. For example, `https://contoso.b2clogin.com`.
+* **Domain** - Replace `<your-b2c-domain>` with your Azure AD B2C full domain name. For example, `contoso.onmicrosoft.com`.
+* **Client ID** - Replace `<web-app-application-id>` with the Application ID from [Step 2](#step-2-register-a-web-application).
+* **Policy name** - Replace `<your-sign-up-in-policy>` with the user flows you created in [Step 1](#step-1-configure-your-user-flow).
+
+Your final configuration file should look like the following JSON:
+
+```JSon
+"AzureAdB2C": {
+ "Instance": "https://contoso.b2clogin.com",
+ "Domain": "contoso.onmicrosoft.com",
+ "ClientId": "<web-app-application-id>",
+ "SignedOutCallbackPath": "/signout/<your-sign-up-in-policy>",
+ "SignUpSignInPolicyId": "<your-sign-up-in-policy>"
+}
+```
+
+## Step 6: Run the sample application
+
+1. Build and run the project.
+1. Browse to https://localhost:5001.
+1. Select **SignIn/Up**.
+
+ ![Select sign-in or sign-up](./media/configure-authentication-sample-web-app/web-app-sign-in.png)
+
+1. Complete the sign-up or sign-in process.
+
+After successful authentication, you'll see your display name in the navigation bar. To view the claims that Azure AD B2C token returns to your app, select **Claims**.
+
+![Web app token's claims](./media/configure-authentication-sample-web-app/web-app-token-claims.png)
+
+## Deploy your application
+
+In a production application, the app registration redirect URI is typically a publicly-accessible endpoint where your app is running, like `https://contoso.com/signin-oidc`.
+
+You can add and modify redirect URIs in your registered applications at any time. The following restrictions apply to redirect URIs:
+
+* The reply URL must begin with the scheme `https`.
+* The reply URL is case-sensitive. Its case must match the case of the URL path of your running application.
+
+## Next steps
+
+* Learn more [about the code sample](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/1-WebApp-OIDC/1-5-B2C#about-the-code)
+* Learn how to [Enable authentication in your own web application using Azure AD B2C](enable-authentication-web-application.md)
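Review bot: The token type in the Overview is inconsistent: the sign-in steps (and the IMPORTANT note) say the sample receives an ID token only, but the paragraph beginning "When the ID token is expired" says that with an active SSO session "Azure AD B2C issues an access token without prompting the user"; that should read "ID token". In "Enable ID tokens", the text enables the implicit grant for ID tokens with the justification "For web apps that request an ID token directly"; make explicit that this checkbox is needed only for this sample's configuration and should stay off for apps that use the authorization code flow (such as the Web API sample linked in the IMPORTANT note), since an implicit grant left enabled on a registration that does not need it widens the registration's exposure for no benefit. Smaller points: the fence tag `JSon` should be `json`; the sign-in steps have agreement errors ("User navigates ... and select", "The user sign-up or sign-in ... reset the password") that should read "selects", "signs up or signs in", "resets"; and "Replace `<your-sign-up-in-policy>` with the user flows you created" should be singular, since the setting takes one policy name.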
active-directory-b2c Configure User Input https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/configure-user-input.md
Previously updated : 03/10/2021 Last updated : 05/25/2021
zone_pivot_groups: b2c-policy-type
[!INCLUDE [active-directory-b2c-choose-user-flow-or-custom-policy](../../includes/active-directory-b2c-choose-user-flow-or-custom-policy.md)] --- In this article, you collect a new attribute during your sign-up journey in Azure Active Directory B2C (Azure AD B2C). You'll obtain the users' city, configure it as a drop-down, and define whether it's required to be provided.
+> [!NOTE]
+> This sample uses the built-in claim 'city'. Instead, you can choose one of the supported [Azure AD B2C built-in attributes](user-profile-attributes.md) or a custom attribute. To use a custom attribute, [enable custom attributes](user-flow-custom-attributes.md). To use a different built-in or custom attribute, replace 'city' with the attribute of your choice, for example the built-in attribute *jobTitle* or a custom attribute like *extension_loyaltyId*.
+ ## Prerequisites [!INCLUDE [active-directory-b2c-customization-prerequisites](../../includes/active-directory-b2c-customization-prerequisites.md)]
The `LocalizedCollections` is an array of `Name` and `Value` pairs. The order fo
::: zone pivot="b2c-custom-policy"
-> [!NOTE]
-> This sample uses the built-in claim 'city'. Instead, you can choose one of the supported [Azure AD B2C built-in attributes](user-profile-attributes.md) or a custom attribute. To use a custom attribute, [enable custom attributes](user-flow-custom-attributes.md). To use a different built-in or custom attribute, replace 'city' with the attribute of your choice, for example the built-in attribute *jobTitle* or a custom attribute like *extension_loyaltyId*.
+## Overview
-You can gather initial data from your users by using the sign-up or sign-in user journey. Additional claims can be gathered later by using a profile edit user journey. Anytime Azure AD B2C gathers information directly from the user interactively, the Identity Experience Framework uses its [self-asserted technical profile](self-asserted-technical-profile.md). In this sample, you:
+You can gather initial data from your users by using the sign-up or sign-in user journey. Additional claims can be gathered later by using a profile edit user journey. Anytime Azure AD B2C gathers information directly from the user interactively, it uses the [self-asserted technical profile](self-asserted-technical-profile.md). In this sample, you:
1. Define a "city" claim. 1. Ask the user for their city.
To return the city claim back to the relying party application, add an output cl
</RelyingParty> ```
-## Test the custom policy
+## Upload and test your updated custom policy
+
+1. Make sure you're using the directory that contains your Azure AD B2C tenant by selecting the **Directory + subscription** filter in the top menu and choosing the directory that contains your tenant.
+1. Search for and select **Azure AD B2C**.
+1. Under **Policies**, select **Identity Experience Framework**.
+1. Select **Upload custom policy**.
+1. Upload the policy files that you previously changed.
+
+### Test the custom policy
+
+1. Select your relying party policy, for example `B2C_1A_signup_signin`.
+1. For **Application**, select a web application that you [previously registered](tutorial-register-applications.md). The **Reply URL** should show `https://jwt.ms`.
+1. Select the **Run now** button.
+1. From the sign-up or sign-in page, select **Sign up now** to sign up. Finish entering the user information including the city name, and then click **Create**. You should see the contents of the token that was returned.
-1. Sign in to the [Azure portal](https://portal.azure.com).
-2. Make sure you're using the directory that contains your Azure AD tenant by selecting the **Directory + subscription** filter in the top menu and choosing the directory that contains your Azure AD tenant.
-3. Choose **All services** in the top-left corner of the Azure portal, and then search for and select **App registrations**.
-4. Select **Identity Experience Framework**.
-5. Select **Upload Custom Policy**, and then upload the two policy files that you changed.
-2. Select the sign-up or sign-in policy that you uploaded, and click the **Run now** button.
-3. You should be able to sign up using an email address.
+You should
::: zone-end
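Review bot: The added line `+You should` is a sentence fragment as it appears here; either complete it or drop it, since the preceding test step already ends with "You should see the contents of the token that was returned." The replacement of the old upload steps is otherwise a correction: the removed list pointed readers at **App registrations** to find **Identity Experience Framework** and referred to the "Azure AD tenant", whereas the new list uses **Policies** > **Identity Experience Framework** and the Azure AD B2C tenant, which matches the portal. Two style points in the new test steps: "click **Create**" should be "select **Create**" to match the verb used everywhere else on the page, and moving the "This sample uses the built-in claim 'city'" note out of the custom-policy zone and above Prerequisites is right only if the user-flow pivot also uses 'city', which the intro sentence ("You'll obtain the users' city") confirms.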
active-directory-b2c Enable Authentication Web Application Options https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/enable-authentication-web-application-options.md
+
+ Title: Enable web application options using Azure Active Directory B2C
+description: Enable the use of web application options by using several ways.
++++++ Last updated : 05/25/2021+++++
+# Configure authentication in a sample web application using Azure Active Directory B2C options
+
+This article describes ways you can customize and enhance the Azure Active Directory B2C (Azure AD B2C) authentication experience for your web application. Before you start, familiarize yourself with the following articles: [Configure authentication in a sample web application](configure-authentication-sample-web-app.md) or [Enable authentication in your own web application](enable-authentication-web-application.md).
+
+## Use a custom domain
+
+Using a [custom domain](custom-domain.md) in your application's redirect URL provides a more seamless user experience. From the user's perspective, the user remains in your domain during the sign-in process rather than redirecting to the Azure AD B2C default domain .b2clogin.com.
+
+To use a custom domain, follow the guidance in [Enable custom domains](custom-domain.md). Under the project root folder, open the `appsettings.json` file. This file contains information about your Azure AD B2C identity provider. Update the `Instance` entry with your custom domain.
+
+The following JSON shows the app settings before the change:
+
+```JSon
+"AzureAdB2C": {
+ "Instance": "https://contoso.b2clogin.com",
+ ...
+}
+```
+
+The following JSON shows the app settings after the change:
+
+```JSon
+"AzureAdB2C": {
+ "Instance": "https://login.contoso.com",
+ ...
+}
+```
+
+## Use your tenant ID
+
+You can replace your B2C tenant name in the URL with your tenant ID GUID to remove all references to ΓÇ£b2cΓÇ¥ in the URL. For example, you can change `https://account.contosobank.co.uk/contosobank.onmicrosoft.com/` to `https://account.contosobank.co.uk/<tenant ID GUID>/`
+
+To use the tenant ID, follow the guidance [Enable custom domains](custom-domain.md#optional-use-tenant-id). Under the project root folder, open the `appsettings.json` file. This file contains information about your Azure AD B2C identity provider. Update the `Domain` entry with your custom domain.
+
+The following JSON demonstrates the app settings before the change:
+
+```JSon
+"AzureAdB2C": {
+ "Domain": "tenant-name.onmicrosoft.com",
+ ...
+}
+```
+
+The following JSON demonstrates the app settings after the change:
+
+```JSon
+"AzureAdB2C": {
+ "Domain": "00000000-0000-0000-0000-000000000000",
+ ...
+}
+```
+
+## Support advanced scenarios
+
+The `AddMicrosoftIdentityWebAppAuthentication` method in the Microsoft identity platform API lets developers add code for advanced authentication scenarios or subscribe to OpenIdConnect events. For example, you can subscribe to OnRedirectToIdentityProvider, which allows you to customize the authentication request your app sends to Azure AD B2C.
+
+To support advanced scenarios, open the `Startup.cs`, and in the `ConfigureServices` function, replace the `AddMicrosoftIdentityWebAppAuthentication` with the following code snippet:
+
+```csharp
+// Configuration to sign-in users with Azure AD B2C
+
+//services.AddMicrosoftIdentityWebAppAuthentication(Configuration, "AzureAdB2C");
+
+services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
+ .AddMicrosoftIdentityWebApp(options =>
+{
+ Configuration.Bind("AzureAdB2C", options);
+ options.Events ??= new OpenIdConnectEvents();
+ options.Events.OnRedirectToIdentityProvider += OnRedirectToIdentityProviderFunc;
+});
+```
+
+The code above adds the OnRedirectToIdentityProvider event with a reference to the *OnRedirectToIdentityProviderFunc* method. Add the following code snippet to the `Startup.cs` class.
+
+```csharp
+private async Task OnRedirectToIdentityProviderFunc(RedirectContext context)
+{
+ // Custom code here
+
+ // Don't remove this line
+ await Task.CompletedTask.ConfigureAwait(false);
+}
+```
+
+You can pass parameters between your controller and the *OnRedirectToIdentityProvider* function using context parameters.
++
+## Prepopulate the sign-in name
+
+During a sign-in user journey, your app may target a specific user. When targeting a user, an application can specify in the authorization request, the `login_hint` query parameter with the user sign-in name. Azure AD B2C automatically populates the sign-in name, and the user only needs to provide the password.
+
+To prepopulate the sign-in name, follow these steps:
+
+1. Complete the [Support advanced scenarios](#support-advanced-scenarios) procedure.
+1. If you're using a custom policy, add the required input claim as described in [Set up direct sign-in](direct-signin.md#prepopulate-the-sign-in-name).
+1. Add the following line of code to the *OnRedirectToIdentityProvider* function:
+
+ ```csharp
+ private async Task OnRedirectToIdentityProviderFunc(RedirectContext context)
+ {
+ context.ProtocolMessage.LoginHint = "emily@contoso.com";
+
+ // More code
+ await Task.CompletedTask.ConfigureAwait(false);
+ }
+ ```
+
+## Redirect sign-in to an external identity provider
+
+If you configured the sign-in journey for your application to include social accounts, such as Facebook, LinkedIn, or Google, you can specify the `domain_hint` parameter. This query parameter provides a hint to Azure AD B2C about the social identity provider that should be used for sign-in. For example, if the application specifies `domain_hint=facebook.com`, the sign-in flow goes directly to the Facebook sign-in page.
+
+To redirect sign-in to an external identity provider, follow these steps:
+
+1. Complete the [Support advanced scenarios](#support-advanced-scenarios) procedure.
+1. Check the domain name of your external identity provider. For more information, see [Redirect sign-in to a social provider](direct-signin.md#redirect-sign-in-to-a-social-provider).
+1. In the *OnRedirectToIdentityProviderFunc* function, add the following line of code to the *OnRedirectToIdentityProvider* function:
+
+ ```csharp
+ private async Task OnRedirectToIdentityProviderFunc(RedirectContext context)
+ {
+ context.ProtocolMessage.DomainHint = "facebook.com";
+
+ // More code
+ await Task.CompletedTask.ConfigureAwait(false);
+ }
+ ```
+
+## Specify the UI language
+
+Language customization in Azure AD B2C allows your user flow to accommodate different languages to suit your customer needs. For more information, see [Language customization](language-customization.md).
+
+To set the preferred language, follow these steps:
+
+1. Complete the [Support advanced scenarios](#support-advanced-scenarios) procedure.
+1. Add the following line of code to the *OnRedirectToIdentityProvider* function:
+
+ ```csharp
+ private async Task OnRedirectToIdentityProviderFunc(RedirectContext context)
+ {
+ context.ProtocolMessage.UiLocales = "es";
+
+ // More code
+ await Task.CompletedTask.ConfigureAwait(false);
+ }
+ ```
+
+## Pass a custom query string parameter
+
+With custom policies you can pass a custom query string parameter, for example when you want to [dynamically change the page content](customize-ui-with-html.md?pivots=b2c-custom-policy#configure-dynamic-custom-page-content-uri).
++
+To pass a custom query string parameter, follow these steps:
+
+1. Complete the [Support advanced scenarios](#support-advanced-scenarios) procedure.
+1. Add the following line of code to the *OnRedirectToIdentityProvider* function:
+
+ ```csharp
+ private async Task OnRedirectToIdentityProviderFunc(RedirectContext context)
+ {
+ context.ProtocolMessage.Parameters.Add("campaignId", "123");
+
+ // More code
+ await Task.CompletedTask.ConfigureAwait(false);
+ }
+ ```
+
+## Pass ID token hint
+
+Azure AD B2C allows relying party applications to send an inbound JWT as part of the OAuth2 authorization request. The JWT token can be issued by a relying party application or an identity provider, and it can pass a hint about the user or the authorization request. Azure AD B2C validates the signature, issuer name, and token audience, and extracts the claim from the inbound token.
+
+To include an ID token hint in the authentication request, follow these steps:
+
+1. Complete the [Support advanced scenarios](#support-advanced-scenarios) procedure.
+1. In your custom policy, define an [ID token hint technical profile](id-token-hint.md).
+1. Add the following line of code to the *OnRedirectToIdentityProvider* function:
+
+ ```csharp
+ private async Task OnRedirectToIdentityProviderFunc(RedirectContext context)
+ {
+ // The idTokenHint variable holds your ID token
+ context.ProtocolMessage.IdTokenHint = idTokenHint
+
+ // More code
+ await Task.CompletedTask.ConfigureAwait(false);
+ }
+ ```
+
+## Account controller
+
+If you want to customize the **Sign-in**, **Sign-up** or **Sign-out** actions, you are encouraged to create your own controller. Having your own controller allows you to pass parameters between your controller and the authentication library. The `AccountController` is part of `Microsoft.Identity.Web.UI` NuGet package, which handles the sign-in and sign-out actions. You can find its implementation in the [Microsoft Identity Web library](https://github.com/AzureAD/microsoft-identity-web/blob/master/src/Microsoft.Identity.Web.UI/Areas/MicrosoftIdentity/Controllers/AccountController.cs).
+
+The following code snippet demonstrates a custom `MyAccountController` with the **SignIn** action. The action passes a parameter named `campaign_id` to the authentication library.
+
+```csharp
+using System;
+using System.Collections.Generic;
+using System.Diagnostics;
+using System.Linq;
+using System.Threading.Tasks;
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Authentication.OpenIdConnect;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
++
+namespace mywebapp.Controllers
+{
+ [AllowAnonymous]
+ [Area("MicrosoftIdentity")]
+ [Route("[area]/[controller]/[action]")]
+ public class MyAccountController : Controller
+ {
+
+ [HttpGet("{scheme?}")]
+ public IActionResult SignIn([FromRoute] string scheme)
+ {
+ scheme ??= OpenIdConnectDefaults.AuthenticationScheme;
+ var redirectUrl = Url.Content("~/");
+ var properties = new AuthenticationProperties { RedirectUri = redirectUrl };
+ properties.Items["campaign_id"] = "1234";
+ return Challenge(properties, scheme);
+ }
+
+ }
+}
+
+```
+
+In the `_LoginPartial.cshtml` view, change the sign-in link to your controller
+
+```
+<form method="get" asp-area="MicrosoftIdentity" asp-controller="MyAccount" asp-action="SignIn">
+```
+
+In the `OnRedirectToIdentityProvider` in the `Startup.cs` calls, you can read the custom parameter:
+
+```csharp
+private async Task OnRedirectToIdentityProviderFunc(RedirectContext context)
+{
+ // Read the custom parameter
+ var campaign_id = (context.Properties.Items.ContainsKey("campaign_id"))
+
+ // Add your custom code here
+
+ await Task.CompletedTask.ConfigureAwait(false);
+}
+```
+
+## Role-based access control
+
+With [authorization in ASP.NET Core](/aspnet/core/security/authorization/introduction) you can use [role-based authorization](/aspnet/core/security/authorization/roles), [claims-based authorization](/aspnet/core/security/authorization/claims), or [policy-based authorization](/aspnet/core/security/authorization/policies) to check if the user is authorized to access a protected resource.
+
+In the *ConfigureServices* method, add the *AddAuthorization* method, which adds the authorization model. The following example creates a policy named `EmployeeOnly`. The policy checks that a claim `EmployeeNumber` exists. The value of the claim must be one of the following IDs: 1, 2, 3, 4 or 5.
+
+```csharp
+services.AddAuthorization(options =>
+ {
+ options.AddPolicy("EmployeeOnly", policy =>
+ policy.RequireClaim("EmployeeNumber", "1", "2", "3", "4", "5"));
+ });
+```
+
+Authorization in ASP.NET Core is controlled with [AuthorizeAttribute](/aspnet/core/security/authorization/simple) and its various parameters. In its most basic form, applying the `[Authorize]` attribute to a controller, action, or Razor Page, limits access to that component's authenticated users.
+
+Policies are applied to controllers by using the `[Authorize]` attribute with the policy name. The following code limits access to the `Claims` action to users authorized by the `EmployeeOnly` policy:
+
+```csharp
+[Authorize(Policy = "EmployeeOnly")]
+public IActionResult Claims()
+{
+ return View();
+}
+```
+
+## Next steps
+
+- Learn more: [Introduction to authorization in ASP.NET Core](/aspnet/core/security/authorization/introduction)
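Review bot: The "read the custom parameter" snippet in the Account controller section is not valid C#: `var campaign_id = (context.Properties.Items.ContainsKey("campaign_id"))` has no terminating semicolon and, once it compiles, assigns a bool rather than the value the controller stored; use `context.Properties.Items.TryGetValue("campaign_id", out var campaignId);` so the rest of the handler can use the value. The ID token hint snippet has the same defect on `context.ProtocolMessage.IdTokenHint = idTokenHint` (missing semicolon), and `idTokenHint` is never declared in the snippet, so say where it comes from or show it as a method parameter. In "Use your tenant ID", the quotes around b2c are mis-encoded (`ΓÇ£b2cΓÇ¥`) and should be plain quotation marks. In the Role-based access control section, state that `EmployeeNumber` must actually be issued as a claim in the ID token by the user flow or custom policy, otherwise the `EmployeeOnly` policy can never succeed; and in "Pass ID token hint", "extracts the claim" should be "extracts the claims". Smaller points: `AddMicrosoftIdentityWebAppAuthentication` belongs to the Microsoft Identity Web library, not "the Microsoft identity platform API"; the H1 ("Configure authentication in a sample web application ... options") does not match the front-matter title "Enable web application options"; the fence tags `JSon` should be `json`; the `_LoginPartial.cshtml` fence has no language tag; and "change the sign-in link to your controller" is missing its period.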
active-directory-b2c Enable Authentication Web Application https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/enable-authentication-web-application.md
+
+ Title: Enable authentication in a web application using Azure Active Directory B2C building blocks
+description: The building blocks of Azure Active Directory B2C to sign in and sign up users in an ASP.NET web application.
++++++ Last updated : 05/25/2021+++++
+# Enable authentication in your own web application using Azure Active Directory B2C
+
+This article shows you how to add Azure Active Directory B2C (Azure AD B2C) authentication to your own ASP.NET web application. Learn how create an ASP.NET Core web application with ASP.NET Core middleware that uses the [OpenID Connect](openid-connect.md) protocol. Use this article in conjunction with [Configure authentication in a sample web application](configure-authentication-sample-web-app.md), substituting the sample web app with your own web app.
+
+## Prerequisites
+
+Review the prerequisites and integration steps in [Configure authentication in a sample web application](configure-authentication-sample-web-app.md).
+
+## Create a web app project
+
+You can use an existing ASP.NET MVC web app project or create new one. To create a new project, open a command shell, and enter the following command:
+
+```dotnetcli
+dotnet new mvc -o mywebapp
+```
+
+The preceding command:
+
+* Creates a new MVC web app.
+* The `-o mywebapp` parameter creates a directory named *mywebapp* with the source files for the app.
+
+## Add the authentication libraries
+
+First, add the Microsoft Identity Web library. This is a set of ASP.NET Core libraries that simplify adding Azure AD B2C authentication and authorization support to your web app. The Microsoft Identity Web library sets up the authentication pipeline with cookie-based authentication. It takes care of sending and receiving HTTP authentication messages, token validation, claims extraction, and more.
+
+To add the Microsoft Identity Web library, install the packages by running the following commands:
+
+# [Visual Studio](#tab/visual-studio)
+
+```dotnetcli
+dotnet add package Microsoft.Identity.Web
+dotnet add package Microsoft.Identity.Web.UI
+```
+
+# [Visual Studio Code](#tab/visual-studio-code)
+
+```dotnetcli
+Install-Package Microsoft.Identity.Web
+Install-Package Microsoft.Identity.Web
+```
++++
+## Initiate the authentication libraries
+
+The Microsoft Identity Web middleware uses a startup class that runs when the hosting process starts. In this step, you add the necessary code to initiate the authentication libraries.
+
+Open `Startup.cs` and add the following `using` declarations at the beginning of the class:
+
+```csharp
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Authentication.OpenIdConnect;
+using Microsoft.Identity.Web;
+using Microsoft.Identity.Web.UI;
+```
+
+Because Microsoft Identity Web uses cookie-based authentication to protect your web app, the following code sets the *SameSite* cookie settings. Then it reads the `AzureAdB2C` application settings and initiates the middleware controller with its view.
+
+Replace the `ConfigureServices(IServiceCollection services)` function with the following code snippet.
+
+```csharp
+public void ConfigureServices(IServiceCollection services)
+{
+ services.Configure<CookiePolicyOptions>(options =>
+ {
+ // This lambda determines whether user consent for non-essential cookies is needed for a given request.
+ options.CheckConsentNeeded = context => true;
+ options.MinimumSameSitePolicy = SameSiteMode.Unspecified;
+ // Handling SameSite cookie according to https://docs.microsoft.com/en-us/aspnet/core/security/samesite?view=aspnetcore-3.1
+ options.HandleSameSiteCookieCompatibility();
+ });
+
+ // Configuration to sign-in users with Azure AD B2C
+ services.AddMicrosoftIdentityWebAppAuthentication(Configuration, "AzureAdB2C");
+
+ services.AddControllersWithViews()
+ .AddMicrosoftIdentityUI();
+
+ services.AddRazorPages();
+
+ //Configuring appsettings section AzureAdB2C, into IOptions
+ services.AddOptions();
+ services.Configure<OpenIdConnectOptions>(Configuration.GetSection("AzureAdB2C"));
+}
+```
+
+The following code adds the cookie policy, and uses the authentication model. Replace the `Configure` function, with the following code snippet.
+
+```csharp
+public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
+{
+ if (env.IsDevelopment())
+ {
+ app.UseDeveloperExceptionPage();
+ }
+ else
+ {
+ app.UseExceptionHandler("/Home/Error");
+ // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
+ app.UseHsts();
+ }
+
+ app.UseHttpsRedirection();
+ app.UseStaticFiles();
+
+ // Add the Microsoft Identity Web cookie policy
+ app.UseCookiePolicy();
+ app.UseRouting();
+ // Add the ASP.NET Core authentication service
+ app.UseAuthentication();
+ app.UseAuthorization();
+
+ app.UseEndpoints(endpoints =>
+ {
+ endpoints.MapControllerRoute(
+ name: "default",
+ pattern: "{controller=Home}/{action=Index}/{id?}");
+
+ // Add endpoints for Razor pages
+ endpoints.MapRazorPages();
+ });
+};
+```
+
+## Add the UI elements
+
+To add user interface elements, use a partial view that contains logic for checking whether a user is signed in or not. If the user is not signed in, the partial view renders the sign-in button. If the user is signed in, it shows the user's display name and sign-out button.
+
+Create a new file `_LoginPartial.cshtml` inside the `Views/Shared` folder with the following code snippet:
+
+```razor
+@using System.Security.Principal
+@if (User.Identity.IsAuthenticated)
+{
+ <ul class="nav navbar-nav navbar-right">
+ <li class="navbar-text">Hello @User.Identity.Name</li>
+ <!-- The Account controller is not defined in this project. Instead, it is part of Microsoft.Identity.Web.UI nuget package and
+ it defines some well known actions such as SignUp/In, SignOut and EditProfile-->
+ <li class="navbar-btn">
+ <form method="get" asp-area="MicrosoftIdentity" asp-controller="Account" asp-action="EditProfile">
+ <button type="submit" class="btn btn-primary" style="margin-right:5px">Edit Profile</button>
+ </form>
+ </li>
+ <li class="navbar-btn">
+ <form method="get" asp-area="MicrosoftIdentity" asp-controller="Account" asp-action="SignOut">
+ <button type="submit" class="btn btn-primary">Sign Out</button>
+ </form>
+ </li>
+ </ul>
+}
+else
+{
+ <ul class="nav navbar-nav navbar-right">
+ <li class="navbar-btn">
+ <form method="get" asp-area="MicrosoftIdentity" asp-controller="Account" asp-action="SignIn">
+ <button type="submit" class="btn btn-primary">Sign Up/In</button>
+ </form>
+ </li>
+ </ul>
+}
+```
+
+Modify your `Views\Shared\_Layout.cshtml` to include the *_LoginPartial.cshtml* file you added. The *_Layout.cshtml* file is a common layout that provides the user with a consistent experience as they navigate from page to page. The layout includes common user interface elements such as the app header, and footer.
+
+> [!NOTE]
+> Depending on the .NET Core version and whether you're adding sign-in to an existing app, the UI elements might look different. If so, be sure to include *_LoginPartial* in the proper location within the page layout.
+
+Open the */Views/Shared/_Layout.cshtml* and add the following `div` element.
+
+```razor
+<div class="navbar-collapse collapse">
+...
+</div>
+```
+
+Replace this element with the following Razor code:
+
+```razor
+<div class="navbar-collapse collapse">
+ <ul class="nav navbar-nav">
+ <li><a asp-area="" asp-controller="Home" asp-action="Index">Home</a></li>
+ <li><a asp-area="" asp-controller="Home" asp-action="Claims">Claims</a></li>
+ </ul>
+ <partial name="_LoginPartial" />
+</div>
+```
+
+The preceding Razor code includes a link to the `Claims` action you'll create in the next step.
+
+## Add the claims view
+
+To view the ID token claims under the `Views/Home` folder, add the `Claims.cshtml` view.
+
+```razor
+@using System.Security.Claims
+
+@{
+ ViewData["Title"] = "Claims";
+}
+<h2>@ViewData["Title"].</h2>
+
+<table class="table-hover table-condensed table-striped">
+ <tr>
+ <th>Claim Type</th>
+ <th>Claim Value</th>
+ </tr>
+
+ @foreach (Claim claim in User.Claims)
+ {
+ <tr>
+ <td>@claim.Type</td>
+ <td>@claim.Value</td>
+ </tr>
+ }
+</table>
+```
+
+In this step, you add the `Claims` action that links the *Claims.cshtml* view to the *Home* controller. It uses the `[Authorize]` attribute, which limits access to the Claims action to authenticated users.
+
+In the `/Controllers/HomeController.cs` controller, add the following action.
+
+```csharp
+[Authorize]
+public IActionResult Claims()
+{
+ return View();
+}
+```
+
+## Add the app settings
+
+Azure AD B2C identity provider settings are stored in the `appsettings.json` file. Open appsettings.json and add the following settings:
+
+```JSon
+"AzureAdB2C": {
+ "Instance": "https://<your-tenant-name>.b2clogin.com",
+ "ClientId": "<web-app-application-id>",
+ "Domain": "<your-b2c-domain>",
+ "SignedOutCallbackPath": "/signout/<your-sign-up-in-policy>",
+ "SignUpSignInPolicyId": "<your-sign-up-in-policy>"
+}
+```
+
+The required information is described in the [Configure authentication in a sample web application](configure-authentication-sample-web-app.md) article. Use the following settings:
+
+* **Instance** - Replace `<your-tenant-name>` with your tenant name. For example, `https://contoso.b2clogin.com`.
+* **Domain** - Replace `<your-b2c-domain>` with your Azure AD B2C full domain name. For example, `contoso.onmicrosoft.com`.
+* **Client ID** - Replace `<web-app-application-id>` with the Application ID from [Step 2](configure-authentication-sample-web-app.md#step-2-register-a-web-application).
+* **Policy name** - Replace `<your-sign-up-in-policy>` with the user flows you created in [Step 1](configure-authentication-sample-web-app.md#step-1-configure-your-user-flow).
+
+## Run your application
+
+1. Build and run the project.
+1. Browse to https://localhost:5001.
+1. Select **SignIn/Up**.
+1. Complete the sign-up or sign-in process.
+
+After you successfully authenticate, you will see your display name in the navigation bar. To view the claims the Azure AD B2C token return to your app, select **Claims**.
+
+## Next steps
+
+* Learn how to [customize and enhance the Azure AD B2C authentication experience for your web app](enable-authentication-web-application-options.md)
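Review bot: the replacement `Configure` method ends with `};` rather than `}`; a semicolon after a method body is a compile error in C#, so a reader who pastes the block as instructed gets a build failure, and the stray character should be dropped. In the same hunk the package-install tabs are swapped and incomplete: `dotnet add package` is the .NET CLI form a Visual Studio Code user would type, `Install-Package` is the Visual Studio Package Manager Console form, and the second tab lists `Install-Package Microsoft.Identity.Web` twice with no `Microsoft.Identity.Web.UI`, which leaves `AddMicrosoftIdentityUI()` and the `MicrosoftIdentity` area that `_LoginPartial.cshtml` posts to unresolved. Two smaller points: the run step says **SignIn/Up** while the button rendered by the partial view is labelled `Sign Up/In`, and "the claims the Azure AD B2C token return to your app" should read "the claims that the Azure AD B2C token returns to your app".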
active-directory-b2c Identity Provider Azure Ad Single Tenant https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/identity-provider-azure-ad-single-tenant.md
Previously updated : 03/17/2021 Last updated : 05/26/2021
At this point, the Azure AD identity provider has been set up, but it's not yet
1. Under the **Social identity providers**, select **Contoso Azure AD**. 1. Select **Save**. 1. To test your policy, select **Run user flow**.
-1. For **Application**, select the web application named *testapp1* that you previously registered. The **Reply URL** should show `https://jwt.ms`.
+1. For **Application**, select a web application that you [previously registered](tutorial-register-applications.md). The **Reply URL** should show `https://jwt.ms`.
1. Select the **Run user flow** button. 1. From the sign-up or sign-in page, select **Contoso Azure AD** to sign in with Azure AD Contoso account.
active-directory-b2c Implicit Flow Single Page Application https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/implicit-flow-single-page-application.md
Many modern applications have a single-page app front end that is written primar
The recommended way of supporting single-page applications is [OAuth 2.0 Authorization code flow (with PKCE)](./authorization-code-flow.md).
-Some frameworks, like [MSAL.js 1.x](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-core), only support the implicit grant flow. In these cases, Azure Active Directory B2C (Azure AD B2C) supports the OAuth 2.0 authorization implicit grant flow. Thee flow is described in [section 4.2 of the OAuth 2.0 specification](https://tools.ietf.org/html/rfc6749). In implicit flow, the app receives tokens directly from the Azure Active Directory (Azure AD) authorize endpoint, without any server-to-server exchange. All authentication logic and session handling is done entirely in the JavaScript client with either a page redirect or a pop-up box.
+Some frameworks, like [MSAL.js 1.x](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-core), only support the implicit grant flow. In these cases, Azure Active Directory B2C (Azure AD B2C) supports the OAuth 2.0 authorization implicit grant flow. The flow is described in [section 4.2 of the OAuth 2.0 specification](https://tools.ietf.org/html/rfc6749). In implicit flow, the app receives tokens directly from the Azure Active Directory (Azure AD) authorize endpoint, without any server-to-server exchange. All authentication logic and session handling is done entirely in the JavaScript client with either a page redirect or a pop-up box.
Azure AD B2C extends the standard OAuth 2.0 implicit flow to more than simple authentication and authorization. Azure AD B2C introduces the [policy parameter](user-flow-overview.md). With the policy parameter, you can use OAuth 2.0 to add policies to your app, such as sign-up, sign-in, and profile management user flows. In the example HTTP requests in this article, **{tenant}.onmicrosoft.com** is used as an example. Replace `{tenant}` with the name of your tenant if you have one and have also created a user flow.
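Review bot: the corrected sentence still says the app receives tokens "directly from the Azure Active Directory (Azure AD) authorize endpoint" in an article whose subject is Azure AD B2C, and the same hunk is careful to distinguish the two services by name elsewhere; while the typo is being touched, make it the Azure AD B2C authorize endpoint so readers do not conclude the tokens come from a different tenant than the one issuing the policy parameter described in the next paragraph.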
active-directory-b2c Oauth2 Error Technical Profile https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/oauth2-error-technical-profile.md
+
+ Title: Define an OAuth2 custom error technical profile in a custom policy
+
+description: Define an OAuth2 custom error technical profile in a custom policy in Azure Active Directory B2C.
+++++++ Last updated : 05/26/2021++++
+# Define an OAuth2 custom error technical profile in an Azure Active Directory B2C custom policy
+
+This article describes how to handle an OAuth2 custom error with Azure Active Directory B2C (Azure AD B2C). Use this technical profile if something logic goes wrong within your policy. The technical profile returns error to your OAuth2 or OpenId Connect relying party application.
+
+To handle custom OAuth2 error message:
+
+1. Define an OAuth2 error technical profile.
+1. Set the error code, and error message claims.
+1. From the user journey, call the OAuth2 error technical profile.
+
+## OAuth2 error
+
+The error is return with the following data:
+
+- **error** - `access_denied`
+- **error_description** - The error message using the convention `AAD_Custom_<errorCode>: <errorMessage>`.
+- **Correlation ID** - The Azure AD B2C correlation ID.
+- **Timestamp** - The timestamp of the error.
+
+The following example demonstrates a custom error message return to the https://jwt.ms app:
+
+```http
+https://jwt.ms/#error=access_denied&error_description=AAD_Custom_1234%3a+My+custom+error+message%0d%0aCorrelation+ID%3a+233bf9bd-747a-4800-9062-6236f3f69a47%0d%0aTimestamp%3a+2021-03-25+14%3a01%3a23Z%0d%0a
+```
+
+## Protocol
+
+The **Name** attribute of the **Protocol** element needs to be set to `None`. Set the **OutputTokenFormat** element to `OAuth2Error`.
+
+The following example shows a technical profile for `ReturnOAuth2Error`:
+
+```xml
+<!--
+ <ClaimsProviders> -->
+ <ClaimsProvider>
+ <DisplayName>Token Issuer</DisplayName>
+ <TechnicalProfiles>
+ <TechnicalProfile Id="ReturnOAuth2Error">
+ <DisplayName>Return OAuth2 error</DisplayName>
+ <Protocol Name="None" />
+ <OutputTokenFormat>OAuth2Error</OutputTokenFormat>
+ <CryptographicKeys>
+ <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
+ </CryptographicKeys>
+ <InputClaims>
+ <InputClaim ClaimTypeReferenceId="errorCode" />
+ <InputClaim ClaimTypeReferenceId="errorMessage" />
+ </InputClaims>
+ </TechnicalProfile>
+ </TechnicalProfiles>
+ </ClaimsProvider>
+<!--
+</ClaimsProviders> -->
+```
+
+## Input claims
+
+The **InputClaims** element contains a list of claims required to return OAuth2 error.
+
+| ClaimReferenceId | Required | Description |
+| | -- | -- |
+| errorCode | Yes | The error code. |
+| errorMessage | Yes | The error message. |
+
+## Cryptographic keys
+
+The CryptographicKeys element contains the following key:
+
+| Attribute | Required | Description |
+| | -- | -- |
+| issuer_secret | Yes | An X509 certificate (RSA key set). Use the `B2C_1A_TokenSigningKeyContainer` key you configure in [Get started with custom policies](custom-policy-get-started.md).|
+|
+
+## Invoke the technical profile
+
+You can call the OAuth2 error technical profile from a user journey, or sub journey. Set the [orchestration step](userjourneys.md#orchestrationsteps) type to `SendClaims` with a reference to your OAuth2 error technical profile.
+
+If your user journey or sub journey already has another `SendClaims` orchestration step, set the `DefaultCpimIssuerTechnicalProfileReferenceId` attribute to the token issuer technical profile.
+
+In the following example:
+
+- The user journey `SignUpOrSignIn-Custom` sets the `DefaultCpimIssuerTechnicalProfileReferenceId` to the token issuer technical profile `JwtIssuer`.
+- The eighth orchestration step checks whether the `errorCode` exists. If yes, call the `ReturnOAuth2Error` technical profile to return the error.
+- If `errorCode` doesn't exist, the ninth orchestration step issues the token.
+
+```xml
+<UserJourney Id="SignUpOrSignIn-Custom" DefaultCpimIssuerTechnicalProfileReferenceId="JwtIssuer">
+ <OrchestrationSteps>
+ ...
+ <OrchestrationStep Order="8" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="ReturnOAuth2Error">
+ <Preconditions>
+ <Precondition Type="ClaimsExist" ExecuteActionsIf="false">
+ <Value>errorCode</Value>
+ <Action>SkipThisOrchestrationStep</Action>
+ </Precondition>
+ </Preconditions>
+ </OrchestrationStep>
+
+ <OrchestrationStep Order="9" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
+
+ </OrchestrationSteps>
+ <ClientDefinition ReferenceId="DefaultWeb" />
+</UserJourney>
+```
+
+## Next steps
+
+Learn about [UserJourneys](userjourneys.md)
+
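Review bot: the `errorMessage` input claim is reflected verbatim into the `error_description` handed to the relying party's redirect URI (the `AAD_Custom_<errorCode>: <errorMessage>` convention and the jwt.ms example show it arriving in the URL fragment), but nothing in the article says where a policy is expected to populate `errorCode` and `errorMessage` or warns that any internal diagnostic detail placed in `errorMessage` ends up in the client's browser history and logs; add a sentence recommending values written for the end application, not internal state. Wording fixes for the same hunk: "if something logic goes wrong within your policy" should be "if something goes wrong in your policy logic", "returns error to" should be "returns an error to", "The error is return with" should be "The error is returned with", "custom error message return to" should be "returned to", and the orphaned `|` row following the cryptographic keys table renders as an empty row and should be removed.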
active-directory-b2c Page Layout https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/page-layout.md
Previously updated : 04/05/2021 Last updated : 05/26/2021
Azure AD B2C page layout uses the following version of the [jQuery library](http
## Self-asserted page (selfasserted)
+**2.1.6**
+- Fixed password error get cleared when typing too quickly on a different field.
+
+**2.1.5**
+- Fixed cursor jumps issue on iOS when editing in the middle of the text.
+ **2.1.4** - Updated jQuery version to 3.5.1. - Updated HandlebarJS version to 4.7.6.
Azure AD B2C page layout uses the following version of the [jQuery library](http
> [!TIP] > If you localize your page to support multiple locales, or languages in a user flow. The [localization IDs](localization-string-ids.md) article provides the list of localization IDs that you can use for the page version you select.
+**2.1.5**
+- Fixed an issue on tab order when idp selector template is used on sign in page.
+- Fixed an encoding issue on sign-in link text.
+ **2.1.4** - Updated jQuery version to 3.5.1. - Updated HandlebarJS version to 4.7.6.
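Review bot: the new 2.1.6 entry under the self-asserted page, "Fixed password error get cleared when typing too quickly on a different field", is not a grammatical sentence; suggest "Fixed an issue where the password error was cleared when the user typed quickly in a different field". In the 2.1.5 entry for the second layout, write "IdP selector" and "sign-in page" so it matches the hyphenated "sign-in link" used in the very next bullet.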
active-directory-b2c Relyingparty https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/relyingparty.md
Previously updated : 03/15/2021 Last updated : 05/26/2021
The **UserJourneyBehaviors** element contains the following elements:
| - | -- | -- | | SingleSignOn | 0:1 | The scope of the single sign-on (SSO) session behavior of a user journey. | | SessionExpiryType |0:1 | The authentication behavior of the session. Possible values: `Rolling` or `Absolute`. The `Rolling` value (default) indicates that the user remains signed in as long as the user is continually active in the application. The `Absolute` value indicates that the user is forced to reauthenticate after the time period specified by application session lifetime. |
-| SessionExpiryInSeconds | 0:1 | The lifetime of Azure AD B2C's session cookie specified as an integer stored on the user's browser upon successful authentication. |
+| SessionExpiryInSeconds | 0:1 | The lifetime of Azure AD B2C's session cookie specified as an integer stored on the user's browser upon successful authentication. The default is 86,400 seconds (24 hours). The minimum is 900 seconds (15 minutes). The maximum is 86,400 seconds (24 hours). |
| JourneyInsights | 0:1 | The Azure Application Insights instrumentation key to be used. | | ContentDefinitionParameters | 0:1 | The list of key value pairs to be appended to the content definition load URI. | |ScriptExecution| 0:1| The supported [JavaScript](javascript-and-page-layout.md) execution modes. Possible values: `Allow` or `Disallow` (default).
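Review bot: the added sentence gives the default of `SessionExpiryInSeconds` as 86,400 seconds and the maximum as 86,400 seconds, so the default is already the ceiling; if that is accurate, say it directly ("Valid values are 900 to 86,400 seconds; the default is 86,400, so the setting can only shorten the session") so readers do not assume they can extend it, and state whether the same bounds apply for both the `Rolling` and `Absolute` values of `SessionExpiryType` described in the row above, since the row text ties the `Absolute` behaviour to the application session lifetime.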
active-directory-b2c Service Limits https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/service-limits.md
Previously updated : 02/02/2021 Last updated : 05/12/2021
This article contains the usage constraints and other service limits for the Azu
## End user/consumption related limits
-The following end-user related service limits apply to all authentication and authorization protocols supported by Azure AD B2C, including SAML, Open ID Connect, OAuth2, and ROPC.
+The following end-user related service limits apply to all authentication requests to Azure AD B2C. The table below illustrates the **peak** token issuances for default user flow and custom policy configurations.
-|Category |Limit |
+|User Journey | Limit |
|||
-|Number of requests per IP address per Azure AD B2C tenant |6,000/5min  |
-|Total number of requests per Azure AD B2C tenant |12,000/min |
-
-The number of requests can vary depending on the number of directory reads and writes that occur during the Azure AD B2C user journey. For example, a simple sign-in journey that reads from the directory consists of 1 request. If the sign-in journey must also update the directory, this operation is counted as an additional request.
+|Combined sign up and sign in | 2,400/min |
+|Sign up | 1,200/min |
+|Sign in | 2,400/min |
+|Password reset | 1,200/min |
+|Profile edit | 2,400/min |
+|ROPC | 10,000/min |
+|||
+
+|Category | Limit |
+|||
+|Tokens issued per IP address per Azure AD B2C tenant |240/min  |
+|||
## Azure AD B2C configuration limits The following table lists the administrative configuration limits in the Azure AD B2C service.
-|Category |Limit |
-|||
-|Number of scopes per applicationΓÇ» |1000 |
-|Number of [custom attributes](user-profile-attributes.md#extension-attributes) per user <sup>1</sup> |100 |
-|Number of redirect URLs per application |100 |
-|Number of sign out URLs per application  |1  |
-|String Limit per Attribute |250 Chars |
-|Number of B2C tenants per subscription |20 |
-|Levels of [inheritance](custom-policy-overview.md#inheritance-model) in custom policies |10 |
-|Number of policies per Azure AD B2C tenant |200 |
-|Maximum policy file size |400 KB |
+|Category |Type |Limit |
+||||
+|Maximum string length per attribute |User|250 Chars |
+|Maximum number of [`Identities`](user-profile-attributes.md#identities-attribute) in a user create operation | User|7 |
+|Number of scopes per applicationΓÇ» |Application|1000 |
+|Number of [custom attributes](user-profile-attributes.md#extension-attributes) per user <sup>1</sup> |Application|100 |
+|Number of redirect URLs per application |Application|100 |
+|Number of sign-out URLs per application  |Application|1  |
+|Levels of policy [inheritance](custom-policy-overview.md#inheritance-model) |Custom policy|10 |
+|Maximum policy file size |Custom policy|400 KB |
+|Number of B2C tenants per subscription |Azure Subscription|20 |
+|Number of policies per Azure AD B2C tenant | Tenant|200 |
<sup>1</sup> See also [Azure AD service limits and restrictions](../active-directory/enterprise-users/directory-service-limits-restrictions.md).
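Review bot: the hunk changes the unit from requests (6,000 per IP per 5 minutes and 12,000 per tenant per minute, both removed) to tokens issued (240 per IP per minute plus per-journey peaks) and drops the paragraph explaining that directory reads and writes change how requests are counted, but it never says what a caller observes when a limit is hit (HTTP status, retry guidance) or whether the per-journey figures are per tenant; add that. The removed sentence explicitly covered SAML, OpenID Connect, OAuth2 and ROPC, while the new table names only ROPC by protocol, so state whether SAML requests count against the same journey rows. In the configuration table, the row "Number of custom attributes per user" has Type set to Application while "Maximum number of Identities in a user create operation" is typed User; either the row text or the Type column is wrong, and the footnote should say which object the 100 limit is counted on.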
active-directory-b2c Tenant Management https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/tenant-management.md
Previously updated : 05/18/2021 Last updated : 05/26/2021
Azure AD B2C relies the Azure AD platform. The following Azure AD features can b
| [Roles and administrators](../active-directory/fundamentals/active-directory-users-assign-role-azure-portal.md)| Fully supported for administrative and user accounts. | Roles are not supported with [consumer accounts](user-overview.md#consumer-user). Consumer accounts don't have access to any Azure resources.| | [Custom domain names](../active-directory/fundamentals/add-custom-domain.md) | You can use Azure AD custom domains for administrative accounts only. | [Consumer accounts](user-overview.md#consumer-user) can sign in with a username, phone number, or any email address. You can use [custom domains](custom-domain.md) in your redirect URLs.| | [Conditional Access](../active-directory/conditional-access/overview.md) | Fully supported for administrative and user accounts. | A subset of Azure AD Conditional Access features is supported with [consumer accounts](user-overview.md#consumer-user) Lean how to configure Azure AD B2C [conditional access](conditional-access-user-flow.md).|
+| [Premium P1](https://azure.microsoft.com/pricing/details/active-directory) | Fully supported for Azure AD premium P1 features. For example, [Password Protection](../active-directory/authentication/concept-password-ban-bad.md), [Hybrid Identities](../active-directory/hybrid/whatis-hybrid-identity.md), [Conditional Access](../active-directory/roles/permissions-reference.md#), [Dynamic groups](../active-directory/enterprise-users/groups-create-rule.md), and more. | A subset of Azure AD Conditional Access features is supported with [consumer accounts](user-overview.md#consumer-user). Learn how to configure Azure AD B2C [Conditional Access](conditional-access-user-flow.md).|
+| [Premium P2](https://azure.microsoft.com/pricing/details/active-directory.md) | Fully supported for Azure AD premium P2 features. For example, [Identity Protection](../active-directory/identity-protection/overview-identity-protection.md), and [Identity Governance](../active-directory/governance/identity-governance-overview.md). | A subset of Azure AD Identity Protection features is supported with [consumer accounts](user-overview.md#consumer-user). Learn how to [Investigate risk with Identity Protection](identity-protection-investigate-risk.md) and configure Azure AD B2C [Conditional Access](conditional-access-user-flow.md). |
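Review bot: in the new Premium P1 row the Conditional Access link points at `../active-directory/roles/permissions-reference.md#` (a roles reference with an empty anchor) whereas the Conditional Access row directly above uses `../active-directory/conditional-access/overview.md`; point both at the same target. In the Premium P2 row the pricing URL is `https://azure.microsoft.com/pricing/details/active-directory.md`, an external URL with a stray `.md` that will not resolve; the P1 row has the correct form. Also "Azure AD premium P1" and "premium P2" should be capitalised as "Premium" to match the link text in the same cells.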
## Other Azure resources in your tenant
active-directory-b2c Troubleshoot Custom Policies https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/troubleshoot-custom-policies.md
Previously updated : 04/08/2021 Last updated : 05/25/2021
You can include the correlation ID in your Azure AD B2C tokens. To include the c
1. Open the extensions file of your policy. For example, <em>`SocialAndLocalAccounts/`**`TrustFrameworkExtensions.xml`**</em>. 1. Search for the [BuildingBlocks](buildingblocks.md) element. If the element doesn't exist, add it. 1. Locate the [ClaimsSchema](claimsschema.md) element. If the element doesn't exist, add it.
-1. Add the city claim to the **ClaimsSchema** element.
+1. Add the correlation ID claim to the **ClaimsSchema** element.
```xml <!--
You can include the correlation ID in your Azure AD B2C tokens. To include the c
</BuildingBlocks>--> ```
-1. Open the relying party file of your policy. For example, <em>`SocialAndLocalAccounts/`**`SignUpOrSignIn.xml`**</em> file. The output claim will be added to the token after a successful user journey and sent to the application. Modify the technical profile element in the relying party section to add the city as an output claim.
+1. Open the relying party file of your policy. For example, <em>`SocialAndLocalAccounts/`**`SignUpOrSignIn.xml`**</em> file. The output claim will be added to the token after a successful user journey and sent to the application. Modify the technical profile element in the relying party section to add the `correlationId` as an output claim.
```xml <RelyingParty>
active-directory-b2c Tutorial Create User Flows https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/tutorial-create-user-flows.md
Previously updated : 04/26/2021 Last updated : 05/21/2021 zone_pivot_groups: b2c-policy-type
-# Tutorial: Create user flows in Azure Active Directory B2C
+# Tutorial: Create user flows and custom policies in Azure Active Directory B2C
[!INCLUDE [active-directory-b2c-choose-user-flow-or-custom-policy](../../includes/active-directory-b2c-choose-user-flow-or-custom-policy.md)]
active-directory Migrate Adal Msal Java https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/migrate-adal-msal-java.md
MSAL offers the following benefits:
MSAL for Java is the auth library we recommend you use with the Microsoft identity platform. No new features will be implemented on ADAL4J. All efforts going forward are focused on improving MSAL.
+You can learn more about MSAL and get started with an [overview of the Microsoft Authentication Library](msal-overview.md).
+ ## Differences If you have been working with the Azure AD for developers (v1.0) endpoint (and ADAL4J), you might want to read [What's different about the Microsoft identity platform?](../azuread-dev/azure-ad-endpoint-comparison.md).
active-directory Migrate Python Adal Msal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/migrate-python-adal-msal.md
The following table lists an API in ADAL for Python, and the one to use in its p
| ADAL for Python API | MSAL for Python API | | - | - |
-| [AuthenticationContext](https://adal-python.readthedocs.io/en/latest/#adal.AuthenticationContext) | [PublicClientApplication or ConfidentialClientApplication](https://msal-python.readthedocs.io/en/latest/#msal.ClientApplication.__init__) |
-| N/A | [get_authorization_request_url()](https://msal-python.readthedocs.io/en/latest/#msal.ClientApplication.get_authorization_request_url) |
-| [acquire_token_with_authorization_code()](https://adal-python.readthedocs.io/en/latest/#adal.AuthenticationContext.acquire_token_with_authorization_code) | [acquire_token_by_authorization_code()](https://msal-python.readthedocs.io/en/latest/#msal.ClientApplication.acquire_token_by_authorization_code) |
-| [acquire_token()](https://adal-python.readthedocs.io/en/latest/#adal.AuthenticationContext.acquire_token) | [acquire_token_silent()](https://msal-python.readthedocs.io/en/latest/#msal.ClientApplication.acquire_token_silent) |
-| [acquire_token_with_refresh_token()](https://adal-python.readthedocs.io/en/latest/#adal.AuthenticationContext.acquire_token_with_refresh_token) | N/A |
+| [AuthenticationContext](https://adal-python.readthedocs.io/en/latest/#adal.AuthenticationContext) | [PublicClientApplication](https://msal-python.readthedocs.io/en/latest/#msal.PublicClientApplication.__init__) or [ConfidentialClientApplication](https://msal-python.readthedocs.io/en/latest/#msal.ConfidentialClientApplication.__init__) |
+| N/A | [PublicClientApplication.acquire_token_interactive()](https://msal-python.readthedocs.io/en/latest/#msal.PublicClientApplication.acquire_token_interactive) |
+| N/A | [ConfidentialClientApplication.initiate_auth_code_flow()](https://msal-python.readthedocs.io/en/latest/#msal.ConfidentialClientApplication.initiate_auth_code_flow) |
+| [acquire_token_with_authorization_code()](https://adal-python.readthedocs.io/en/latest/#adal.AuthenticationContext.acquire_token_with_authorization_code) | [ConfidentialClientApplication.acquire_token_by_auth_code_flow()](https://msal-python.readthedocs.io/en/latest/#msal.ConfidentialClientApplication.acquire_token_by_auth_code_flow) |
+| [acquire_token()](https://adal-python.readthedocs.io/en/latest/#adal.AuthenticationContext.acquire_token) | [PublicClientApplication.acquire_token_silent()](https://msal-python.readthedocs.io/en/latest/#msal.PublicClientApplication.acquire_token_silent) or [ConfidentialClientApplication.acquire_token_silent()](https://msal-python.readthedocs.io/en/latest/#msal.ConfidentialClientApplication.acquire_token_silent) |
+| [acquire_token_with_refresh_token()](https://adal-python.readthedocs.io/en/latest/#adal.AuthenticationContext.acquire_token_with_refresh_token) | These two helpers are intended to be used during [migration](#migrate-existing-refresh-tokens-for-msal-python) only: [PublicClientApplication.acquire_token_by_refresh_token()](https://msal-python.readthedocs.io/en/latest/#msal.PublicClientApplication.acquire_token_by_refresh_token) or [ConfidentialClientApplication.acquire_token_by_refresh_token()](https://msal-python.readthedocs.io/en/latest/#msal.ConfidentialClientApplication.acquire_token_by_refresh_token) |
| [acquire_user_code()](https://adal-python.readthedocs.io/en/latest/#adal.AuthenticationContext.acquire_user_code) | [initiate_device_flow()](https://msal-python.readthedocs.io/en/latest/#msal.PublicClientApplication.initiate_device_flow) | | [acquire_token_with_device_code()](https://adal-python.readthedocs.io/en/latest/#adal.AuthenticationContext.acquire_token_with_device_code) and [cancel_request_to_get_token_with_device_code()](https://adal-python.readthedocs.io/en/latest/#adal.AuthenticationContext.cancel_request_to_get_token_with_device_code) | [acquire_token_by_device_flow()](https://msal-python.readthedocs.io/en/latest/#msal.PublicClientApplication.acquire_token_by_device_flow) | | [acquire_token_with_username_password()](https://adal-python.readthedocs.io/en/latest/#adal.AuthenticationContext.acquire_token_with_username_password) | [acquire_token_by_username_password()](https://msal-python.readthedocs.io/en/latest/#msal.PublicClientApplication.acquire_token_by_username_password) |
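Review bot: the `acquire_token()` to `acquire_token_silent()` row changed only the class-qualified links; unlike the ADAL Node table later on this page, which notes that `acquireTokenSilent` "now expects an account object", it does not tell the reader that the ADAL `user_id` argument is replaced by an account object in MSAL Python, and that parameter change is what breaks silent calls during migration, so add the same note here. The refresh-token row opens with "These two helpers are intended to be used during migration only" before naming the methods; lead with the two method links and follow with the migration caveat so the cell scans like the rest of the column.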
active-directory Msal Node Migration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/msal-node-migration.md
Most of the public methods in ADAL Node have equivalents in MSAL Node:
|-|--|--| | `acquireToken` | `acquireTokenSilent` | Renamed and now expects an [account](https://azuread.github.io/microsoft-authentication-library-for-js/ref/modules/_azure_msal_common.html#accountinfo) object | | `acquireTokenWithAuthorizationCode` | `acquireByAuthorizationCode` | |
-| `acquireTokenWithClientCredentials` | `acquireTokenByClientCredentials` | |
+| `acquireTokenWithClientCredentials` | `acquireTokenByClientCredential` | |
| `acquireTokenWithRefreshToken` | `acquireTokenByRefreshToken` | | | `acquireTokenWithDeviceCode` | `acquireTokenByDeviceCode` | Now abstracts user code acquisition (see below) | | `acquireTokenWithUsernamePassword` | `acquireTokenByUsernamePassword` | |
In MSAL Node, promises are used instead:
```javascript const cca = new msal.ConfidentialClientApplication(msalConfig);
- cca.acquireTokenByClientCredentials(tokenRequest).then((response) => {
+ cca.acquireTokenByClientCredential(tokenRequest).then((response) => {
// do something with the authentication response }).catch((error) => { console.log(error);
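Review bot: the method name in the snippet now agrees with the renamed table entry, which is the important part; as rendered here, though, the sample ends inside the `.catch` handler after `console.log(error);`, so please confirm the closing `});` and the closing fence are present in the article, otherwise the snippet will not paste cleanly.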
active-directory Quickstart V2 Aspnet Core Webapp https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/quickstart-v2-aspnet-core-webapp.md
Title: "Quickstart: Add sign-in with Microsoft to an ASP.NET Core web app | Azure"
+ Title: "Quickstart: Add sign-in with Microsoft Identity to an ASP.NET Core web app | Azure"
description: In this quickstart, you learn how an app implements Microsoft sign-in on an ASP.NET Core web app by using OpenID Connect
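Review bot: the new title says "sign-in with Microsoft Identity" while the description on the next line still says "Microsoft sign-in"; align the two, and check the capitalization, since the product name used elsewhere in these docs is the lowercase "Microsoft identity platform".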
active-directory Quickstart V2 Windows Desktop https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/quickstart-v2-windows-desktop.md
Title: "Quickstart: Sign in users and call Microsoft Graph in a Universal Windows Platform desktop app | Azure"
+ Title: "Quickstart: Sign in users and call Microsoft Graph in a Windows desktop app | Azure"
description: In this quickstart, learn how a Windows desktop .NET (XAML) application can get an access token and call an API protected by the Microsoft identity platform.
active-directory Refresh Tokens https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/refresh-tokens.md
+
+ Title: Microsoft identity platform refresh tokens | Azure
+
+description: Learn about refresh tokens emitted by the Azure AD.
++++++++ Last updated : 05/25/2021+++++
+# Microsoft identity platform refresh tokens
+
+When a client acquires an access token to access a protected resource, the client also receives a refresh token. The refresh token is used to obtain new access/refresh token pairs when the current access token expires. Refresh tokens are also used to acquire extra access tokens for other resources. Refresh tokens are bound to a combination of user and client, but aren't tied to a resource or tenant. This allows a client to use a refresh token to acquire access tokens across any combination of resource and tenant where it has permission to do so. Refresh tokens are encrypted and only the Microsoft identity platform can read them.
+
+## Prerequisites
+
+Before reading through this article, it's recommended that you go through the following articles:
+
+* [ID tokens](id-tokens.md) in the Microsoft identity platform.
+* [Access tokens](access-tokens.md) in the Microsoft identity platform.
+
+## Refresh token lifetime
+
+Refresh tokens have a significantly longer lifetime than access tokens. The default lifetime for the tokens is 90 days and they replace themselves with a fresh token upon every use. The Microsoft identity platform doesn't revoke refresh tokens when used to fetch new access tokens. Securely delete the old refresh token after acquiring a new one. Refresh tokens need to be stored safely like access tokens or application credentials.
+
+## Refresh token expiration
+
+Refresh tokens can be revoked at any time, because of timeouts and revocations. Your app must handle rejections by the sign-in service gracefully when this occurs. This is done by sending the user to an interactive sign-in prompt to sign in again.
+
+### Token timeouts
+
+Using [token lifetime configuration](active-directory-configurable-token-lifetimes.md#refresh-and-session-token-lifetime-policy-properties), the lifetime of refresh tokens can be reduced or lengthened. This setting changes the length of time that a refresh token can go without use. For example, consider a scenario where a user doesn't open an app for more than 90 days. When the app attempts to use that 90+ day old refresh token, it will find that it has expired. Additionally, an admin can require that second factors be used on a regular cadence, forcing the user to manually sign in at specific intervals. These scenarios include:
+
+* Inactivity: refresh tokens are only valid for a period dictated by the `MaxInactiveTime`. If the token isn't used (and replaced by the new token) within that time period, it will no longer be usable.
+* Session age-out: If `MaxAgeSessionMultiFactor` or `MaxAgeSessionSingleFactor` have been set to something other than their default (Until-revoked), then reauthentication will be required after the time set in the MaxAgeSession* elapses. This is used to force users to reauthenticate with a first or second factor periodically.
+* Examples:
+ * The tenant has a MaxInactiveTime of five days, and the user went on vacation for a week. As such, Azure AD hasn't seen a new token request from the user in seven days. The next time the user requests a new token, they'll find their Refresh Token has been revoked, and they must enter their credentials again.
+ * A sensitive application has a `MaxAgeSessionMultiFactor` of one day. A user will be required to go through MFA once more through an interactive prompt if they sign in again after a period of one day. For example, if a user logs in on Monday, and on Tuesday after 25 hours have elapsed.
+
+Not all refresh tokens follow the rules set in the token lifetime policy. Specifically, refresh tokens used in [single page apps](reference-third-party-cookies-spas.md) are always limited to 24 hours of activity, as if they have a `MaxAgeSessionSingleFactor` policy of 24 hours applied to them.
+
+### Revocation
+
+Refresh tokens can be revoked by the server because of a change in credentials, user action, or admin action. Refresh tokens fall into two classes: tokens issued to confidential clients (the rightmost column) and tokens issued to public clients (all other columns).
+
+| Change | Password-based cookie | Password-based token | Non-password-based cookie | Non-password-based token | Confidential client token |
+||--|-||--||
+| Password expires | Stays alive | Stays alive | Stays alive | Stays alive | Stays alive |
+| Password changed by user | Revoked | Revoked | Stays alive | Stays alive | Stays alive |
+| User does SSPR | Revoked | Revoked | Stays alive | Stays alive | Stays alive |
+| Admin resets password | Revoked | Revoked | Stays alive | Stays alive | Stays alive |
+| User revokes their refresh tokens [via PowerShell](/powershell/module/azuread/revoke-azureadsignedinuserallrefreshtoken) | Revoked | Revoked | Revoked | Revoked | Revoked |
+| Admin revokes all refresh tokens for a user [via PowerShell](/powershell/module/azuread/revoke-azureaduserallrefreshtoken) | Revoked | Revoked |Revoked | Revoked | Revoked |
+| Single sign-out [on web](v2-protocols-oidc.md#single-sign-out) | Revoked | Stays alive | Revoked | Stays alive | Stays alive |
+
+## Next steps
+
+* Learn about [configurable token lifetimes](active-directory-configurable-token-lifetimes.md)
+* Check out [Primary Refresh Tokens](../devices/concept-primary-refresh-token.md) for more details on primary refresh tokens.
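Review bot: "Refresh tokens can be revoked at any time, because of timeouts and revocations" under Refresh token expiration is circular; say that a refresh token can stop working at any time, either because it timed out under the lifetime policy or because it was revoked, and that the app must then fall back to an interactive sign-in. Two smaller points in the same file: the Refresh token lifetime section says the platform does not revoke the old refresh token when a new one is issued, which is the security-relevant fact of the article, so the instruction to securely delete the old token deserves its own sentence rather than being tucked after it; and the Revocation table's separator row `||--|-||--||` has fewer cells than the six-column header, so the table may not render. Also, `MaxInactiveTime` is in code font in the bullet but not in the example, and the description front matter reads "emitted by the Azure AD" (drop "the"; "issued" is the usual verb).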
active-directory Scenario Desktop Acquire Token https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/scenario-desktop-acquire-token.md
To sign in a domain user on a domain or Azure AD joined machine, use Integrated
### Constraints - Integrated Windows Authentication is usable for *federated+* users only, that is, users created in Active Directory and backed by Azure AD. Users created directly in Azure AD without Active Directory backing, known as *managed* users, can't use this authentication flow. This limitation doesn't affect the username and password flow.-- IWA is for apps written for .NET Framework, .NET Core, and Universal Windows Platform (UWP) platforms. - IWA doesn't bypass [multi-factor authentication (MFA)](../authentication/concept-mfa-howitworks.md). If MFA is configured, IWA might fail if an MFA challenge is required, because MFA requires user interaction. IWA is non-interactive, but MFA requires user interactivity. You don't control when the identity provider requests MFA to be performed, the tenant admin does. From our observations, MFA is required when you sign in from a different country/region, when not connected via VPN to a corporate network, and sometimes even when connected via VPN. Don't expect a deterministic set of rules. Azure AD uses AI to continuously learn if MFA is required. Fall back to a user prompt like interactive authentication or device code flow if IWA fails.
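Review bot: this hunk deletes the constraint bullet stating which platforms IWA is for (.NET Framework, .NET Core, UWP), and the removal marker has been fused onto the previous bullet as "flow.-- IWA is for apps…"; if the platform list is intentionally dropped, the remaining constraints should still say which MSAL targets support IWA, and the stray `+` in "*federated+* users" looks like an artifact of the same edit and should read "*federated*". In the MFA bullet, consider leading with the last sentence: an app must always be ready to fall back to interactive or device code flow, because whether an MFA challenge is required is decided by the tenant's policy, not by the app.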
active-directory V2 Permissions And Consent https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/v2-permissions-and-consent.md
Previously updated : 04/14/2021 Last updated : 05/25/2021
The access token is valid for a short time. It usually expires in one hour. At t
For more information about how to get and use refresh tokens, see the [Microsoft identity platform protocol reference](active-directory-v2-protocols.md).
+## Incremental and dynamic consent
+With the Microsoft identity platform endpoint, you can ignore the static permissions defined in the app registration information in the Azure portal and request permissions incrementally instead. You can ask for a bare minimum set of permissions upfront and request more over time as the customer uses additional app features. To do so, you can specify the scopes your app needs at any time by including the new scopes in the `scope` parameter when [requesting an access token](#requesting-individual-user-consent) - without the need to pre-define them in the application registration information. If the user hasn't yet consented to new scopes added to the request, they'll be prompted to consent only to the new permissions. Incremental, or dynamic consent, only applies to delegated permissions and not to application permissions.
+
+Allowing an app to request permissions dynamically through the `scope` parameter gives developers full control over your user's experience. You can also front load your consent experience and ask for all permissions in one initial authorization request. If your app requires a large number of permissions, you can gather those permissions from the user incrementally as they try to use certain features of the app over time.
+
+[Admin consent](#using-the-admin-consent-endpoint) done on behalf of an organization still requires the static permissions registered for the app, so you should set those permissions for apps in the app registration portal if you need an admin to give consent on behalf of the entire organization. This reduces the cycles required by the organization admin to set up the application.
+ ## Requesting individual user consent In an [OpenID Connect or OAuth 2.0](active-directory-v2-protocols.md) authorization request, an app can request the permissions it needs by using the `scope` query parameter. For example, when a user signs in to an app, the app sends a request like the following example. (Line breaks are added for legibility.)
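Review bot: "you can ignore the static permissions defined in the app registration" overstates it, since the third paragraph says admin consent still uses exactly those static permissions; say instead that an app is not limited to them and can request additional delegated scopes at run time. Also, "gives developers full control over your user's experience" mixes persons (developers/your), "front load" should be "front-load", and the leading space before `## Requesting individual user consent` on the last line may stop it rendering as a heading, which would break the `#requesting-individual-user-consent` anchor this section links to.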
active-directory Howto Vm Sign In Azure Ad Linux https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/devices/howto-vm-sign-in-azure-ad-linux.md
Previously updated : 05/10/2021 Last updated : 05/20/2021
az ssh vm --ip 10.11.123.456
For customers who are using previous version of Azure AD login for Linux that was based on device code flow, complete the following steps. 1. Uninstall the AADLoginForLinux extension on the VM.
- 1. Using Azure CLI: `az vm extension delete -g MyResourceGroup -n MyVm -n AADLoginForLinux`
+ 1. Using Azure CLI: `az vm extension delete -g MyResourceGroup --vm-name MyVm -n AADLoginForLinux`
1. Enable System assigned managed identity on your VM. 1. Using Azure CLI: `az vm identity assign -g myResourceGroup -n myVm` 1. Install the AADSSHLoginForLinux extension on the VM
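Review bot: the `--vm-name MyVm` fix is correct; the original line passed `-n` twice and never supplied the VM name. The next step still uses `myResourceGroup`/`myVm` in lower case while this step uses `MyResourceGroup`/`MyVm`; use one spelling so the two commands can be copied as a pair. Separately, the example address `10.11.123.456` above is not a valid IPv4 address (last octet greater than 255); if it is meant as a placeholder, something like `<vm-ip>` avoids a reader trying it literally.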
active-directory Directory Self Service Signup https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/enterprise-users/directory-self-service-signup.md
Previously updated : 12/02/2020 Last updated : 05/19/2021
# What is self-service sign-up for Azure Active Directory?
-This article explains how to use self-service sign-up to populate an organization in Azure Active Directory (Azure AD). If you want to take over a domain name from an unmanaged Azure AD organization, see [Take over an unmanaged directory as administrator](domains-admin-takeover.md).
+This article explains how to use self-service sign-up to populate an organization in Azure Active Directory (Azure AD). If you want to take over a domain name from an unmanaged Azure AD organization, see [Take over an unmanaged tenant as administrator](domains-admin-takeover.md).
## Why use self-service sign-up? * Get customers to services they want faster * Create email-based offers for a service * Create email-based sign-up flows that quickly allow users to create identities using their easy-to-remember work email aliases
-* A self-service-created Azure AD directory can be turned into a managed directory that can be used for other services
+* A self-service-created Azure AD tenant can be turned into a managed tenant that can be used for other services
## Terms and definitions * **Self-service sign-up**: This is the method by which a user signs up for a cloud service and has an identity automatically created for them in Azure AD based on their email domain.
-* **Unmanaged Azure AD directory**: This is the directory where that identity is created. An unmanaged directory is a directory that has no global administrator.
-* **Email-verified user**: This is a type of user account in Azure AD. A user who has an identity created automatically after signing up for a self-service offer is known as an email-verified user. An email-verified user is a regular member of a directory tagged with creationmethod=EmailVerified.
+* **Unmanaged Azure AD tenant**: This is the tenant where that identity is created. An unmanaged tenant is a tenant that has no global administrator.
+* **Email-verified user**: This is a type of user account in Azure AD. A user who has an identity created automatically after signing up for a self-service offer is known as an email-verified user. An email-verified user is a regular member of a tenant tagged with creationmethod=EmailVerified.
## How do I control self-service settings? Admins have two self-service controls today. They can control whether:
-* Users can join the directory via email
+* Users can join the tenant via email
* Users can license themselves for applications and services ### How can I control these capabilities? An admin can configure these capabilities using the following Azure AD cmdlet Set-MsolCompanySettings parameters:
-* **AllowEmailVerifiedUsers** controls whether a user can create or join a directory. If you set that parameter to $false, no email-verified user can join the directory.
+* **AllowEmailVerifiedUsers** controls whether users can join the tenant by email validation. To join, the user must have an email address in a domain which matches one of the verified domains in the tenant. This setting is applied company-wide for all domains in the tenant. If you set that parameter to $false, no email-verified user can join the tenant.
* **AllowAdHocSubscriptions** controls the ability for users to perform self-service sign-up. If you set that parameter to $false, no user can perform self-service sign-up.
-AllowEmailVerifiedUsers and AllowAdHocSubscriptions are directory-wide settings that can be applied to a managed or unmanaged directory. Here's an example where:
+AllowEmailVerifiedUsers and AllowAdHocSubscriptions are tenant-wide settings that can be applied to a managed or unmanaged tenant. Here's an example where:
-* You administer a directory with a verified domain such as contoso.com
-* You use B2B collaboration from a different directory to invite a user that does not already exist (userdoesnotexist@contoso.com) in the home directory of contoso.com
-* The home directory has the AllowEmailVerifiedUsers turned on
+* You administer a tenant with a verified domain such as contoso.com
+* You use B2B collaboration from a different tenant to invite a user that does not already exist (userdoesnotexist@contoso.com) in the home tenant of contoso.com
+* The home tenant has the AllowEmailVerifiedUsers turned on
-If the preceding conditions are true, then a member user is created in the home directory, and a B2B guest user is created in the inviting directory.
+If the preceding conditions are true, then a member user is created in the home tenant, and a B2B guest user is created in the inviting tenant.
For more information on Flow and PowerApps trial sign-ups, see the following articles:
These two parameters can be used in conjunction to define more precise control o
Set-MsolCompanySettings -AllowEmailVerifiedUsers $false -AllowAdHocSubscriptions $true ```
-The following flowchart explains the different combinations for these parameters and the resulting conditions for the directory and self-service sign-up.
+The following flowchart explains the different combinations for these parameters and the resulting conditions for the tenant and self-service sign-up.
![flowchart of self-service sign-up controls](./media/directory-self-service-signup/SelfServiceSignUpControls.png)
-The details of this setting can be retrieved by the following powershell cmdlet Get-MsolCompanyInformation. For more infromation on this, see [Get-MsolCompanyInformation](/powershell/module/msonline/get-msolcompanyinformation).
+The details of this setting can be retrieved by the following PowerShell cmdlet Get-MsolCompanyInformation. For more information on this, see [Get-MsolCompanyInformation](/powershell/module/msonline/get-msolcompanyinformation).
```powershell Get-MsolCompanyInformation | Select AllowEmailVerifiedUsers, AllowAdHocSubscriptions
For more information and examples of how to use these parameters, see [Set-MsolC
* [Azure PowerShell](/powershell/azure/) * [Azure Cmdlet Reference](/powershell/azure/get-started-azureps) * [Set-MsolCompanySettings](/powershell/module/msonline/set-msolcompanysettings)
-* [Close your work or school account in an unmanaged directory](users-close-account.md)
+* [Close your work or school account in an unmanaged tenant](users-close-account.md)
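Review bot: the rewritten `AllowEmailVerifiedUsers` bullet narrows the description from "create or join a directory" to "join the tenant"; if the setting still governs whether an email-verified user can create a new unmanaged tenant, keep that, otherwise call out the change in behavior. The example that follows is worth emphasizing from an admin's point of view: with `AllowEmailVerifiedUsers` on, a B2B invitation for an address in one of your verified domains creates a *member* user in your home tenant, not just a guest in the inviting tenant, which is exactly the side effect the `$false` setting exists to prevent. The directory to tenant rename and the "infromation"/"powershell" fixes are fine.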
active-directory Licensing Service Plan Reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/enterprise-users/licensing-service-plan-reference.md
When managing licenses in [the Azure portal](https://portal.azure.com/#blade/Mic
| Office 365 E3_USGOV_DOD | ENTERPRISEPACK_USGOV_DOD | b107e5a3-3e60-4c0d-a184-a7e4395eb44c | EXCHANGE_S_ENTERPRISE (efb87545-963c-4e0d-99df-69c6916d9eb0)<br/>RMS_S_ENTERPRISE (bea4c11e-220a-4e6d-8eb8-8ea15d019f90)<br/>STREAM_O365_E3 (9e700747-8b1d-45e5-ab8d-ef187ceec156)<br/>TEAMS_AR_DOD (fd500458-c24c-478e-856c-a6067a8376cd)<br/>OFFICESUBSCRIPTION (43de0ff5-c92c-492b-9116-175376d08c38)<br/>SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014)<br/>SHAREPOINTENTERPRISE (5dbe027f-2339-4123-9542-606e4d348a72)<br/>MCOSTANDARD (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)| Exchange Online (Plan 2) (efb87545-963c-4e0d-99df-69c6916d9eb0)<br/>Microsoft Azure Active Directory Rights (bea4c11e-220a-4e6d-8eb8-8ea15d019f90)<br/>Microsoft Stream for O365 E3 SKU (9e700747-8b1d-45e5-ab8d-ef187ceec156)<br/>Microsoft Teams for DOD (AR) (fd500458-c24c-478e-856c-a6067a8376cd)<br/>Office 365 ProPlus (43de0ff5-c92c-492b-9116-175376d08c38)<br/>Office Online (e95bec33-7c88-4a70-8e19-b10bd9d0c014)<br/>SharePoint Online (Plan 2) (5dbe027f-2339-4123-9542-606e4d348a72)<br/>Skype for Business Online (Plan 2) (0feaeb32-d00e-4d66-bd5a-43b5b83db82c) | | Office 365 E3_USGOV_GCCHIGH | ENTERPRISEPACK_USGOV_GCCHIGH | aea38a85-9bd5-4981-aa00-616b411205bf | EXCHANGE_S_ENTERPRISE (efb87545-963c-4e0d-99df-69c6916d9eb0)<br/>RMS_S_ENTERPRISE (bea4c11e-220a-4e6d-8eb8-8ea15d019f90)<br/>PROJECTWORKMANAGEMENT (b737dad2-2f6c-4c65-90e3-ca563267e8b9)<br/>STREAM_O365_E3 (9e700747-8b1d-45e5-ab8d-ef187ceec156)<br/>TEAMS_AR_GCCHIGH (9953b155-8aef-4c56-92f3-72b0487fce41)<br/>OFFICESUBSCRIPTION (43de0ff5-c92c-492b-9116-175376d08c38)<br/>SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014)<br/>SHAREPOINTENTERPRISE (5dbe027f-2339-4123-9542-606e4d348a72)<br/>MCOSTANDARD (0feaeb32-d00e-4d66-bd5a-43b5b83db82c) | Exchange Online (Plan 2) (efb87545-963c-4e0d-99df-69c6916d9eb0)<br/>Microsoft Azure Active Directory Rights (bea4c11e-220a-4e6d-8eb8-8ea15d019f90)<br/>Microsoft Planner (b737dad2-2f6c-4c65-90e3-ca563267e8b9)<br/>Microsoft 
Stream for O365 E3 SKU (9e700747-8b1d-45e5-ab8d-ef187ceec156)<br/>Microsoft Teams for GCCHigh (AR) (9953b155-8aef-4c56-92f3-72b0487fce41)<br/>Office 365 ProPlus (43de0ff5-c92c-492b-9116-175376d08c38)<br/>Office Online (e95bec33-7c88-4a70-8e19-b10bd9d0c014)<br/>SharePoint Online (Plan 2) (5dbe027f-2339-4123-9542-606e4d348a72)<br/>Skype for Business Online (Plan 2) (0feaeb32-d00e-4d66-bd5a-43b5b83db82c) | | OFFICE 365 E4 | ENTERPRISEWITHSCAL | 1392051d-0cb9-4b7a-88d5-621fee5e8711 | BPOS_S_TODO_2 (c87f142c-d1e9-4363-8630-aaea9c4d9ae5)<br/>Deskless (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)<br/>EXCHANGE_S_ENTERPRISE (efb87545-963c-4e0d-99df-69c6916d9eb0)<br/>FLOW_O365_P2 (76846ad7-7776-4c40-a281-a386362dd1b9)<br/>FORMS_PLAN_E3 (2789c901-c14e-48ab-a76a-be334d9d793a)<br/>MCOSTANDARD (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)<br/>MCOVOICECONF (27216c54-caf8-4d0d-97e2-517afb5c08f6)<br/>OFFICESUBSCRIPTION (43de0ff5-c92c-492b-9116-175376d08c38)<br/>POWERAPPS_O365_P2 (c68f8d98-5534-41c8-bf36-22fa496fa792)<br/>PROJECTWORKMANAGEMENT (b737dad2-2f6c-4c65-90e3-ca563267e8b9)<br/>RMS_S_ENTERPRISE (bea4c11e-220a-4e6d-8eb8-8ea15d019f90)<br/>SHAREPOINTENTERPRISE (5dbe027f-2339-4123-9542-606e4d348a72)<br/>SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014)<br/>STREAM_O365_E3 (9e700747-8b1d-45e5-ab8d-ef187ceec156)<br/>SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)<br/>TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>YAMMER_ENTERPRISE (7547a3fe-08ee-4ccb-b430-5077c5041653) | BPOS_S_TODO_2 (c87f142c-d1e9-4363-8630-aaea9c4d9ae5)<br/>MICROSOFT STAFFHUB (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)<br/>EXCHANGE ONLINE (PLAN 2) (efb87545-963c-4e0d-99df-69c6916d9eb0)<br/>FLOW FOR OFFICE 365 (76846ad7-7776-4c40-a281-a386362dd1b9)<br/>MICROSOFT FORMS (PLAN E3) (2789c901-c14e-48ab-a76a-be334d9d793a)<br/>SKYPE FOR BUSINESS ONLINE (PLAN 2) (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)<br/>SKYPE FOR BUSINESS ONLINE (PLAN 3) (27216c54-caf8-4d0d-97e2-517afb5c08f6)<br/>OFFICESUBSCRIPTION 
(43de0ff5-c92c-492b-9116-175376d08c38)<br/>POWERAPPS FOR OFFICE 365(c68f8d98-5534-41c8-bf36-22fa496fa792)<br/>MICROSOFT PLANNER(b737dad2-2f6c-4c65-90e3-ca563267e8b9)<br/>MICROSOFT AZURE ACTIVE DIRECTORY RIGHTS (bea4c11e-220a-4e6d-8eb8-8ea15d019f90)<br/>SHAREPOINT ONLINE (PLAN 2) (5dbe027f-2339-4123-9542-606e4d348a72)<br/>OFFICE ONLINE (e95bec33-7c88-4a70-8e19-b10bd9d0c014)<br/>MICROSOFT STREAM FOR O365 E3 SKU (9e700747-8b1d-45e5-ab8d-ef187ceec156)<br/>SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)<br/>TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>YAMMER_ENTERPRISE (7547a3fe-08ee-4ccb-b430-5077c5041653) |
-| OFFICE 365 E5 | ENTERPRISEPREMIUM | c7df2760-2c81-4ef7-b578-5b5392b571df | ADALLOM_S_O365 (8c098270-9dd4-4350-9b30-ba4703f3b36b)<br/>BI_AZURE_P2 (70d33638-9c74-4d01-bfd3-562de28bd4ba)<br/>BPOS_S_TODO_3 (3fb82609-8c27-4f7b-bd51-30634711ee67)<br/>Deskless (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)<br/>EQUIVIO_ANALYTICS (4de31727-a228-4ec3-a5bf-8e45b5ca48cc)<br/>EXCHANGE_ANALYTICS (34c0d7a0-a70f-4668-9238-47f9fc208882)<br/>EXCHANGE_S_ENTERPRISE (efb87545-963c-4e0d-99df-69c6916d9eb0)<br/>FLOW_O365_P3 (07699545-9485-468e-95b6-2fca3738be01)<br/>FORMS_PLAN_E5 (e212cbc7-0961-4c40-9825-01117710dcb1)<br/>LOCKBOX_ENTERPRISE (9f431833-0334-42de-a7dc-70aa40db46db)<br/>MCOEV (4828c8ec-dc2e-4779-b502-87ac9ce28ab7)<br/>MCOMEETADV (3e26ee1f-8a5f-4d52-aee2-b81ce45c8f40)<br/>MCOSTANDARD (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)<br/>MICROSOFTBOOKINGS (199a5c09-e0ca-4e37-8f7c-b05d533e1ea2)<br/>OFFICESUBSCRIPTION (43de0ff5-c92c-492b-9116-175376d08c38)<br/>POWERAPPS_O365_P3 (9c0dab89-a30c-4117-86e7-97bda240acd2)<br/>PROJECTWORKMANAGEMENT (b737dad2-2f6c-4c65-90e3-ca563267e8b9)<br/>RMS_S_ENTERPRISE (bea4c11e-220a-4e6d-8eb8-8ea15d019f90)<br/>SHAREPOINTENTERPRISE (5dbe027f-2339-4123-9542-606e4d348a72)<br/>SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014)<br/>STREAM_O365_E5 (6c6042f5-6f01-4d67-b8c1-eb99d36eed3e)<br/>SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)<br/>TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>THREAT_INTELLIGENCE (8e0c0a52-6a6c-4d40-8370-dd62790dcd70)<br/>YAMMER_ENTERPRISE (7547a3fe-08ee-4ccb-b430-5077c5041653) | OFFICE 365 CLOUD APP SECURITY (8c098270-9dd4-4350-9b30-ba4703f3b36b)<br/>POWER BI PRO (70d33638-9c74-4d01-bfd3-562de28bd4ba)<br/>BPOS_S_TODO_3 (3fb82609-8c27-4f7b-bd51-30634711ee67)<br/>MICROSOFT STAFFHUB (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)<br/>OFFICE 365 ADVANCED EDISCOVERY (4de31727-a228-4ec3-a5bf-8e45b5ca48cc)<br/>EXCHANGE_ANALYTICS (34c0d7a0-a70f-4668-9238-47f9fc208882)<br/>EXCHANGE ONLINE (PLAN 2) (efb87545-963c-4e0d-99df-69c6916d9eb0)<br/>FLOW FOR OFFICE 
365 (07699545-9485-468e-95b6-2fca3738be01)<br/>MICROSOFT FORMS (PLAN E5) (e212cbc7-0961-4c40-9825-01117710dcb1)<br/>LOCKBOX_ENTERPRISE (9f431833-0334-42de-a7dc-70aa40db46db)<br/>PHONE SYSTEM (4828c8ec-dc2e-4779-b502-87ac9ce28ab7)<br/>AUDIO CONFERENCING (3e26ee1f-8a5f-4d52-aee2-b81ce45c8f40)<br/>SKYPE FOR BUSINESS ONLINE (PLAN 2) (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)<br/>MICROSOFTBOOKINGS (199a5c09-e0ca-4e37-8f7c-b05d533e1ea2)<br/>OFFICESUBSCRIPTION (43de0ff5-c92c-492b-9116-175376d08c38)<br/>POWERAPPS FOR OFFICE 365 (9c0dab89-a30c-4117-86e7-97bda240acd2)<br/>MICROSOFT PLANNER(b737dad2-2f6c-4c65-90e3-ca563267e8b9)<br/>MICROSOFT AZURE ACTIVE DIRECTORY RIGHTS (bea4c11e-220a-4e6d-8eb8-8ea15d019f90)<br/>SHAREPOINT ONLINE (PLAN 2) (5dbe027f-2339-4123-9542-606e4d348a72)<br/>OFFICE ONLINE (e95bec33-7c88-4a70-8e19-b10bd9d0c014)<br/>MICROSOFT STREAM FOR O365 E5 SKU (6c6042f5-6f01-4d67-b8c1-eb99d36eed3e)<br/>SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)<br/>TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>OFFICE 365 ADVANCED THREAT PROTECTION (PLAN 2) (8e0c0a52-6a6c-4d40-8370-dd62790dcd70)<br/>YAMMER_ENTERPRISE (7547a3fe-08ee-4ccb-b430-5077c5041653) |
+| OFFICE 365 E5 | ENTERPRISEPREMIUM | c7df2760-2c81-4ef7-b578-5b5392b571df | RMS_S_ENTERPRISE (bea4c11e-220a-4e6d-8eb8-8ea15d019f90)<br/>DYN365_CDS_O365_P3 (28b0fa46-c39a-4188-89e2-58e979a6b014)<br/>CDS_O365_P3 afa73018-811e-46e9-988f-f75d2b1b8430)<br/>LOCKBOX_ENTERPRISE (9f431833-0334-42de-a7dc-70aa40db46db)<br/>MIP_S_EXCHANGE (cd31b152-6326-4d1b-ae1b-997b625182e6)<br/>EXCHANGE_S_ENTERPRISE (efb87545-963c-4e0d-99df-69c6916d9eb0)<br/>GRAPH_CONNECTORS_SEARCH_INDEX (a6520331-d7d4-4276-95f5-15c0933bc757)<br/>INFORMATION_BARRIERS (c4801e8a-cb58-4c35-aca6-f2dcc106f287)<br/>CONTENT_EXPLORER (d9fa6af4-e046-4c89-9226-729a0786685d)<br/>CONTENTEXPLORER_STANDARD (2b815d45-56e4-4e3a-b65c-66cb9175b560)<br/>MIP_S_CLP2 (efb0351d-3b08-4503-993d-383af8de41e3)<br/>MIP_S_CLP1 (5136a095-5cf0-4aff-bec3-e84448b38ea5)<br/>MYANALYTICS_P2 (33c4f319-9bdd-48d6-9c4d-410b750a4a5a)<br/>MICROSOFT_COMMUNICATION_COMPLIANCE (a413a9ff-720c-4822-98ef-2f37c2a21f4c)<br/>M365_ADVANCED_AUDITING (2f442157-a11c-46b9-ae5b-6e39ff4e5849<br/>OFFICESUBSCRIPTION (43de0ff5-c92c-492b-9116-175376d08c38)<br/>MCOMEETADV (3e26ee1f-8a5f-4d52-aee2-b81ce45c8f40)<br/>MTP (bf28f719-7844-4079-9c78-c1307898e192)<br/>MCOEV (4828c8ec-dc2e-4779-b502-87ac9ce28ab7)<br/>MICROSOFTBOOKINGS (199a5c09-e0ca-4e37-8f7c-b05d533e1ea2)<br/>COMMUNICATIONS_DLP (6dc145d6-95dd-4191-b9c3-185575ee6f6b)<br/>CUSTOMER_KEY (6db1f1db-2b46-403f-be40-e39395f08dbb)<br/>DATA_INVESTIGATIONS (46129a58-a698-46f0-aa5b-17f6586297d9)<br/>ATP_ENTERPRISE (f20fedf3-f3c3-43c3-8267-2bfdd51c0939)<br/>THREAT_INTELLIGENCE (8e0c0a52-6a6c-4d40-8370-dd62790dcd70)<br/>EXCEL_PREMIUM (531ee2f8-b1cb-453b-9c21-d2180d014ca5)<br/>FORMS_PLAN_E5 (e212cbc7-0961-4c40-9825-01117710dcb1)<br/>INFO_GOVERNANCE (e26c2fcc-ab91-4a61-b35c-03cdc8dddf66)<br/>KAIZALA_STANDALONE (0898bdbb-73b0-471a-81e5-20f1fe4dd66e)<br/>EXCHANGE_ANALYTICS (34c0d7a0-a70f-4668-9238-47f9fc208882)<br/>PROJECTWORKMANAGEMENT (b737dad2-2f6c-4c65-90e3-ca563267e8b9)<br/>RECORDS_MANAGEMENT 
(65cc641f-cccd-4643-97e0-a17e3045e541)<br/>MICROSOFT_SEARCH (94065c59-bc8e-4e8b-89e5-5138d471eaff)<br/>DESKLESS (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)<br/>STREAM_O365_E5 (6c6042f5-6f01-4d67-b8c1-eb99d36eed3e)<br/>TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>INTUNE_O365 (882e1d05-acd1-4ccb-8708-6ee03664b117)<br/>EQUIVIO_ANALYTICS (4de31727-a228-4ec3-a5bf-8e45b5ca48cc)<br/>ADALLOM_S_O365 (8c098270-9dd4-4350-9b30-ba4703f3b36b)<br/>PAM_ENTERPRISE (b1188c4c-1b36-4018-b48b-ee07604f6feb)<br/>SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014)<br/>FLOW_O365_P3 (07699545-9485-468e-95b6-2fca3738be01)<br/>BI_AZURE_P2 (70d33638-9c74-4d01-bfd3-562de28bd4ba)<br/>POWER_VIRTUAL_AGENTS_O365_P3 (ded3d325-1bdc-453e-8432-5bac26d7a014)<br/>POWERAPPS_O365_P3 (9c0dab89-a30c-4117-86e7-97bda240acd2)<br/>PREMIUM_ENCRYPTION (617b097b-4b93-4ede-83de-5f075bb5fb2f)<br/>PROJECT_O365_P3 (b21a6b06-1988-436e-a07b-51ec6d9f52ad)<br/>COMMUNICATIONS_COMPLIANCE (41fcdd7d-4733-4863-9cf4-c65b83ce2df4)<br/>SHAREPOINTENTERPRISE (5dbe027f-2339-4123-9542-606e4d348a72)<br/>MCOSTANDARD (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)<br/>SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)<br/>BPOS_S_TODO_3 (3fb82609-8c27-4f7b-bd51-30634711ee67)<br/>WHITEBOARD_PLAN3 (4a51bca5-1eff-43f5-878c-177680f191af)<br/>YAMMER_ENTERPRISE (7547a3fe-08ee-4ccb-b430-5077c5041653) | AZURE RIGHTS MANAGEMENT (bea4c11e-220a-4e6d-8eb8-8ea15d019f90)<br/>COMMON DATA SERVICE - O365 P3 (28b0fa46-c39a-4188-89e2-58e979a6b014)<br/>COMMON DATA SERVICE FOR TEAMS_P3 (afa73018-811e-46e9-988f-f75d2b1b8430)<br/>CUSTOMER LOCKBOX (9f431833-0334-42de-a7dc-70aa40db46db)<br/>DATA CLASSIFICATION IN MICROSOFT 365 (cd31b152-6326-4d1b-ae1b-997b625182e6)<br/>EXCHANGE ONLINE (PLAN 2) (efb87545-963c-4e0d-99df-69c6916d9eb0)<br/>GRAPH CONNECTORS SEARCH WITH INDEX (a6520331-d7d4-4276-95f5-15c0933bc757)<br/>INFORMATION BARRIERS (c4801e8a-cb58-4c35-aca6-f2dcc106f287)<br/>INFORMATION PROTECTION AND GOVERNANCE ANALYTICS – PREMIUM (d9fa6af4-e046-4c89-9226-729a0786685d)<br/>INFORMATION PROTECTION AND GOVERNANCE ANALYTICS – STANDARD (2b815d45-56e4-4e3a-b65c-66cb9175b560)<br/>INFORMATION PROTECTION FOR OFFICE 365 – PREMIUM (efb0351d-3b08-4503-993d-383af8de41e3)<br/>INFORMATION PROTECTION FOR OFFICE 365 – STANDARD (5136a095-5cf0-4aff-bec3-e84448b38ea5)<br/>INSIGHTS BY MYANALYTICS (33c4f319-9bdd-48d6-9c4d-410b750a4a5a)<br/>M365 COMMUNICATION COMPLIANCE (a413a9ff-720c-4822-98ef-2f37c2a21f4c)<br/>MICROSOFT 365 ADVANCED AUDITING (2f442157-a11c-46b9-ae5b-6e39ff4e5849)<br/>MICROSOFT 365 APPS FOR ENTERPRISE (43de0ff5-c92c-492b-9116-175376d08c38)<br/>MICROSOFT 365 AUDIO CONFERENCING (3e26ee1f-8a5f-4d52-aee2-b81ce45c8f40)<br/>MICROSOFT 365 DEFENDER (bf28f719-7844-4079-9c78-c1307898e192)<br/>MICROSOFT 365 PHONE SYSTEM (4828c8ec-dc2e-4779-b502-87ac9ce28ab7)<br/>MICROSOFT BOOKINGS (199a5c09-e0ca-4e37-8f7c-b05d533e1ea2)<br/>MICROSOFT COMMUNICATIONS DLP (6dc145d6-95dd-4191-b9c3-185575ee6f6b)<br/>MICROSOFT CUSTOMER KEY (6db1f1db-2b46-403f-be40-e39395f08dbb)<br/>MICROSOFT DATA INVESTIGATIONS (46129a58-a698-46f0-aa5b-17f6586297d9)<br/>MICROSOFT DEFENDER FOR OFFICE 365 (PLAN 1) (f20fedf3-f3c3-43c3-8267-2bfdd51c0939)<br/>MICROSOFT DEFENDER FOR OFFICE 365 (PLAN 2) (8e0c0a52-6a6c-4d40-8370-dd62790dcd70)<br/>MICROSOFT EXCEL ADVANCED ANALYTICS (531ee2f8-b1cb-453b-9c21-d2180d014ca5)<br/>MICROSOFT FORMS (PLAN E5) (e212cbc7-0961-4c40-9825-01117710dcb1)<br/>MICROSOFT INFORMATION GOVERNANCE (e26c2fcc-ab91-4a61-b35c-03cdc8dddf66)<br/>MICROSOFT KAIZALA (0898bdbb-73b0-471a-81e5-20f1fe4dd66e)<br/>MICROSOFT MYANALYTICS (FULL) (34c0d7a0-a70f-4668-9238-47f9fc208882)<br/>MICROSOFT PLANNER (b737dad2-2f6c-4c65-90e3-ca563267e8b9)<br/>MICROSOFT RECORDS MANAGEMENT (65cc641f-cccd-4643-97e0-a17e3045e541)<br/>MICROSOFT SEARCH (94065c59-bc8e-4e8b-89e5-5138d471eaff)<br/>MICROSOFT STAFFHUB (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)<br/>MICROSOFT STREAM FOR O365 E5 SKU (6c6042f5-6f01-4d67-b8c1-eb99d36eed3e)<br/>MICROSOFT TEAMS (57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>MOBILE DEVICE MANAGEMENT FOR OFFICE 365 (882e1d05-acd1-4ccb-8708-6ee03664b117)<br/>OFFICE 365 ADVANCED EDISCOVERY (4de31727-a228-4ec3-a5bf-8e45b5ca48cc)<br/>OFFICE 365 ADVANCED SECURITY MANAGEMENT (8c098270-9dd4-4350-9b30-ba4703f3b36b)<br/>OFFICE 365 PRIVILEGED ACCESS MANAGEMENT (b1188c4c-1b36-4018-b48b-ee07604f6feb)<br/>OFFICE FOR THE WEB (e95bec33-7c88-4a70-8e19-b10bd9d0c014)<br/>POWER AUTOMATE FOR OFFICE 365 (07699545-9485-468e-95b6-2fca3738be01)<br/>POWER BI PRO (70d33638-9c74-4d01-bfd3-562de28bd4ba)<br/>POWER VIRTUAL AGENTS FOR OFFICE 365 P3 (ded3d325-1bdc-453e-8432-5bac26d7a014)<br/>POWERAPPS FOR OFFICE 365 PLAN 3 (9c0dab89-a30c-4117-86e7-97bda240acd2)<br/>PREMIUM ENCRYPTION IN OFFICE 365 (617b097b-4b93-4ede-83de-5f075bb5fb2f)<br/>PROJECT FOR OFFICE (PLAN E5) (b21a6b06-1988-436e-a07b-51ec6d9f52ad)<br/>RETIRED - MICROSOFT COMMUNICATIONS COMPLIANCE (41fcdd7d-4733-4863-9cf4-c65b83ce2df4)<br/>SHAREPOINT (PLAN 2) (5dbe027f-2339-4123-9542-606e4d348a72)<br/>SKYPE FOR BUSINESS ONLINE (PLAN 2) (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)<br/>SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)<br/>TO-DO (PLAN 3) (3fb82609-8c27-4f7b-bd51-30634711ee67)<br/>WHITEBOARD (PLAN 3) (4a51bca5-1eff-43f5-878c-177680f191af)<br/>YAMMER ENTERPRISE (7547a3fe-08ee-4ccb-b430-5077c5041653) |
| OFFICE 365 E5 WITHOUT AUDIO CONFERENCING | ENTERPRISEPREMIUM_NOPSTNCONF | 26d45bd9-adf1-46cd-a9e1-51e9a5524128 | ADALLOM_S_O365 (8c098270-9dd4-4350-9b30-ba4703f3b36b)<br/>BI_AZURE_P2 (70d33638-9c74-4d01-bfd3-562de28bd4ba)<br/>BPOS_S_TODO_3 (3fb82609-8c27-4f7b-bd51-30634711ee67)<br/>Deskless (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)<br/>EQUIVIO_ANALYTICS (4de31727-a228-4ec3-a5bf-8e45b5ca48cc)<br/>EXCHANGE_ANALYTICS (34c0d7a0-a70f-4668-9238-47f9fc208882)<br/>EXCHANGE_S_ENTERPRISE (efb87545-963c-4e0d-99df-69c6916d9eb0)<br/>FLOW_O365_P3 (07699545-9485-468e-95b6-2fca3738be01)<br/>FORMS_PLAN_E5 (e212cbc7-0961-4c40-9825-01117710dcb1)<br/>LOCKBOX_ENTERPRISE (9f431833-0334-42de-a7dc-70aa40db46db)<br/>MCOEV (4828c8ec-dc2e-4779-b502-87ac9ce28ab7)<br/>MCOSTANDARD (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)<br/>OFFICESUBSCRIPTION (43de0ff5-c92c-492b-9116-175376d08c38)<br/>POWERAPPS_O365_P3 (9c0dab89-a30c-4117-86e7-97bda240acd2)<br/>PROJECTWORKMANAGEMENT (b737dad2-2f6c-4c65-90e3-ca563267e8b9)<br/>RMS_S_ENTERPRISE (bea4c11e-220a-4e6d-8eb8-8ea15d019f90)<br/>SHAREPOINTENTERPRISE (5dbe027f-2339-4123-9542-606e4d348a72)<br/>SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014)<br/>STREAM_O365_E5 (6c6042f5-6f01-4d67-b8c1-eb99d36eed3e)<br/>SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)<br/>TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>THREAT_INTELLIGENCE (8e0c0a52-6a6c-4d40-8370-dd62790dcd70)<br/>YAMMER_ENTERPRISE (7547a3fe-08ee-4ccb-b430-5077c5041653) | OFFICE 365 CLOUD APP SECURITY (8c098270-9dd4-4350-9b30-ba4703f3b36b)<br/>POWER BI PRO (70d33638-9c74-4d01-bfd3-562de28bd4ba)<br/>BPOS_S_TODO_3 (3fb82609-8c27-4f7b-bd51-30634711ee67)<br/>MICROSOFT STAFFHUB (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)<br/>OFFICE 365 ADVANCED EDISCOVERY (4de31727-a228-4ec3-a5bf-8e45b5ca48cc)<br/>EXCHANGE_ANALYTICS (34c0d7a0-a70f-4668-9238-47f9fc208882)<br/>EXCHANGE ONLINE (PLAN 2) (efb87545-963c-4e0d-99df-69c6916d9eb0)<br/>FLOW FOR OFFICE 365 (07699545-9485-468e-95b6-2fca3738be01)<br/>MICROSOFT FORMS (PLAN E5) (e212cbc7-0961-4c40-9825-01117710dcb1)<br/>LOCKBOX_ENTERPRISE (9f431833-0334-42de-a7dc-70aa40db46db)<br/>PHONE SYSTEM (4828c8ec-dc2e-4779-b502-87ac9ce28ab7)<br/>SKYPE FOR BUSINESS ONLINE (PLAN 2) (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)<br/>OFFICESUBSCRIPTION (43de0ff5-c92c-492b-9116-175376d08c38)<br/>POWERAPPS FOR OFFICE 365 (9c0dab89-a30c-4117-86e7-97bda240acd2)<br/>MICROSOFT PLANNER (b737dad2-2f6c-4c65-90e3-ca563267e8b9)<br/>MICROSOFT AZURE ACTIVE DIRECTORY RIGHTS (bea4c11e-220a-4e6d-8eb8-8ea15d019f90)<br/>SHAREPOINT ONLINE (PLAN 2) (5dbe027f-2339-4123-9542-606e4d348a72)<br/>OFFICE ONLINE (e95bec33-7c88-4a70-8e19-b10bd9d0c014)<br/>MICROSOFT STREAM FOR O365 E5 SKU (6c6042f5-6f01-4d67-b8c1-eb99d36eed3e)<br/>SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)<br/>TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>OFFICE 365 ADVANCED THREAT PROTECTION (PLAN 2) (8e0c0a52-6a6c-4d40-8370-dd62790dcd70)<br/>YAMMER_ENTERPRISE (7547a3fe-08ee-4ccb-b430-5077c5041653) |
| OFFICE 365 F3 | DESKLESSPACK | 4b585984-651b-448a-9e53-3b10f069cf7f | BPOS_S_TODO_FIRSTLINE (80873e7a-cd2a-4e67-b061-1b5381a676a5)<br/>CDS_O365_F1 (90db65a7-bf11-4904-a79f-ef657605145b)<br/>DESKLESS (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)<br/>DYN365_CDS_O365_F1 (ca6e61ec-d4f4-41eb-8b88-d96e0e14323f)<br/>EXCHANGE_S_DESKLESS (4a82b400-a79f-41a4-b4e2-e94f5787b113)<br/>FLOW_O365_S1 (bd91b1a4-9f94-4ecf-b45b-3a65e5c8128a)<br/>FORMS_PLAN_K (f07046bd-2a3c-4b96-b0be-dea79d7cbfb8)<br/>INTUNE_365 (882e1d05-acd1-4ccb-8708-6ee03664b117)<br/>KAIZALA_O365_P1 (73b2a583-6a59-42e3-8e83-54db46bc3278)<br/>MCOIMP (afc06cb0-b4f4-4473-8286-d644f70d8faf)<br/>MICROSOFT_SEARCH (94065c59-bc8e-4e8b-89e5-5138d471eaff)<br/>OFFICEMOBILE_SUBSCRIPTION (c63d4d19-e8cb-460e-b37c-4d6c34603745)<br/>POWERAPPS_O365_S1 (e0287f9f-e222-4f98-9a83-f379e249159a)<br/>POWER_VIRTUAL_AGENTS_O365_F1 (ba2fdb48-290b-4632-b46a-e4ecc58ac11a)<br/>PROJECT_O365_F3 (7f6f28c2-34bb-4d4b-be36-48ca2e77e1ec)<br/>PROJECTWORKMANAGEMENT (b737dad2-2f6c-4c65-90e3-ca563267e8b9)<br/>RMS_S_BASIC (31cf2cfc-6b0d-4adc-a336-88b724ed8122)<br/>SHAREPOINTDESKLESS (902b47e5-dcb2-4fdc-858b-c63a90a2bdb9)<br/>SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014)<br/>STREAM_O365_K (3ffba0d2-38e5-4d5e-8ec0-98f2b05c09d9)<br/>SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)<br/>TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>WHITEBOARD_FIRSTLINE_1 (36b29273-c6d0-477a-aca6-6fbe24f538e3)<br/>YAMMER_ENTERPRISE (7547a3fe-08ee-4ccb-b430-5077c5041653) | COMMON DATA SERVICE - O365 F1 (ca6e61ec-d4f4-41eb-8b88-d96e0e14323f)<br/>COMMON DATA SERVICE FOR TEAMS_F1 (90db65a7-bf11-4904-a79f-ef657605145b)<br/>EXCHANGE ONLINE KIOSK (4a82b400-a79f-41a4-b4e2-e94f5787b113)<br/>FLOW FOR OFFICE 365 K1 (bd91b1a4-9f94-4ecf-b45b-3a65e5c8128a)<br/>MICROSOFT AZURE RIGHTS MANAGEMENT SERVICE (31cf2cfc-6b0d-4adc-a336-88b724ed8122)<br/>MICROSOFT FORMS (PLAN F1) (f07046bd-2a3c-4b96-b0be-dea79d7cbfb8)<br/>MICROSOFT KAIZALA PRO PLAN 1 (73b2a583-6a59-42e3-8e83-54db46bc3278)<br/>MICROSOFT PLANNER (b737dad2-2f6c-4c65-90e3-ca563267e8b9)<br/>MICROSOFT SEARCH (94065c59-bc8e-4e8b-89e5-5138d471eaff)<br/>MICROSOFT STAFFHUB (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)<br/>MICROSOFT STREAM FOR O365 K SKU (3ffba0d2-38e5-4d5e-8ec0-98f2b05c09d9)<br/>MICROSOFT TEAMS (57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>MOBILE DEVICE MANAGEMENT FOR OFFICE 365 (882e1d05-acd1-4ccb-8708-6ee03664b117)<br/>OFFICE FOR THE WEB (e95bec33-7c88-4a70-8e19-b10bd9d0c014)<br/>OFFICE MOBILE APPS FOR OFFICE 365 (c63d4d19-e8cb-460e-b37c-4d6c34603745)<br/>POWER VIRTUAL AGENTS FOR OFFICE 365 F1 (ba2fdb48-290b-4632-b46a-e4ecc58ac11a)<br/>POWERAPPS FOR OFFICE 365 K1 (e0287f9f-e222-4f98-9a83-f379e249159a)<br/>PROJECT FOR OFFICE (PLAN F) (7f6f28c2-34bb-4d4b-be36-48ca2e77e1ec)<br/>SHAREPOINT KIOSK (902b47e5-dcb2-4fdc-858b-c63a90a2bdb9)<br/>SKYPE FOR BUSINESS ONLINE (PLAN 1) (afc06cb0-b4f4-4473-8286-d644f70d8faf)<br/>SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)<br/>TO-DO (FIRSTLINE) (80873e7a-cd2a-4e67-b061-1b5381a676a5)<br/>YAMMER ENTERPRISE (7547a3fe-08ee-4ccb-b430-5077c5041653) |
| OFFICE 365 GCC G3 | ENTERPRISEPACK_GOV | 535a3a29-c5f0-42fe-8215-d3b9e1f38c4a | RMS_S_ENTERPRISE_GOV (6a76346d-5d6e-4051-9fe3-ed3f312b5597)<br/>CONTENT_EXPLORER (d9fa6af4-e046-4c89-9226-729a0786685d)<br/>EXCHANGE_S_ENTERPRISE_GOV (8c3069c0-ccdb-44be-ab77-986203a67df2)<br/>FORMS_GOV_E3 (24af5f65-d0f3-467b-9f78-ea798c4aeffc)<br/>MIP_S_CLP1 (5136a095-5cf0-4aff-bec3-e84448b38ea5)<br/>MYANALYTICS_P2_GOV (6e5b7995-bd4f-4cbd-9d19-0e32010c72f0)<br/>OFFICESUBSCRIPTION_GOV (de9234ff-6483-44d9-b15e-dca72fdd27af)<br/>MICROSOFTBOOKINGS (199a5c09-e0ca-4e37-8f7c-b05d533e1ea2)<br/>STREAM_O365_E3_GOV (2c1ada27-dbaa-46f9-bda6-ecb94445f758)<br/>TEAMS_GOV (304767db-7d23-49e8-a945-4a7eb65f9f28)<br/>INTUNE_O365 (882e1d05-acd1-4ccb-8708-6ee03664b117)<br/>PROJECTWORKMANAGEMENT_GOV (5b4ef465-7ea1-459a-9f91-033317755a51)<br/>SHAREPOINTWAC_GOV (8f9f0f3b-ca90-406c-a842-95579171f8ec)<br/>POWERAPPS_O365_P2_GOV (0a20c815-5e81-4727-9bdc-2b5a117850c3)<br/>FLOW_O365_P2_GOV (c537f360-6a00-4ace-a7f5-9128d0ac1e4b)<br/>SHAREPOINTENTERPRISE_GOV (153f85dd-d912-4762-af6c-d6e0fb4f6692)<br/>MCOSTANDARD_GOV (a31ef4a2-f787-435e-8335-e47eb0cafc94) | AZURE RIGHTS MANAGEMENT (6a76346d-5d6e-4051-9fe3-ed3f312b5597)<br/>CONTENT EXPLORER (d9fa6af4-e046-4c89-9226-729a0786685d)<br/>EXCHANGE PLAN 2G (8c3069c0-ccdb-44be-ab77-986203a67df2)<br/>FORMS FOR GOVERNMENT (PLAN E3) (24af5f65-d0f3-467b-9f78-ea798c4aeffc)<br/>INFORMATION PROTECTION FOR OFFICE 365 – STANDARD (5136a095-5cf0-4aff-bec3-e84448b38ea5)<br/>INSIGHTS BY MYANALYTICS FOR GOVERNMENT (6e5b7995-bd4f-4cbd-9d19-0e32010c72f0)<br/>MICROSOFT 365 APPS FOR ENTERPRISE G (de9234ff-6483-44d9-b15e-dca72fdd27af)<br/>MICROSOFT BOOKINGS (199a5c09-e0ca-4e37-8f7c-b05d533e1ea2)<br/>MICROSOFT STREAM FOR O365 FOR GOVERNMENT (E3) (2c1ada27-dbaa-46f9-bda6-ecb94445f758)<br/>MICROSOFT TEAMS FOR GOVERNMENT (304767db-7d23-49e8-a945-4a7eb65f9f28)<br/>MOBILE DEVICE MANAGEMENT FOR OFFICE 365 (882e1d05-acd1-4ccb-8708-6ee03664b117)<br/>OFFICE 365 PLANNER FOR GOVERNMENT (5b4ef465-7ea1-459a-9f91-033317755a51)<br/>OFFICE FOR THE WEB (GOVERNMENT) (8f9f0f3b-ca90-406c-a842-95579171f8ec)<br/>POWER APPS FOR OFFICE 365 FOR GOVERNMENT (0a20c815-5e81-4727-9bdc-2b5a117850c3)<br/>POWER AUTOMATE FOR OFFICE 365 FOR GOVERNMENT (c537f360-6a00-4ace-a7f5-9128d0ac1e4b)<br/>SHAREPOINT PLAN 2G (153f85dd-d912-4762-af6c-d6e0fb4f6692)<br/>SKYPE FOR BUSINESS ONLINE (PLAN 2) FOR GOVERNMENT (a31ef4a2-f787-435e-8335-e47eb0cafc94) |
active-directory Users Bulk Add https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/enterprise-users/users-bulk-add.md
Previously updated : 12/02/2020 Last updated : 05/19/2021
Download and fill in the bulk upload CSV template to help you successfully creat
> [!WARNING] > If you are adding only one entry using the CSV template, you must preserve row 3 and add your new entry to row 4.
+>
+> Ensure that you add the ".csv" file extension and remove any leading spaces before userPrincipalName, passwordProfile, and accountEnabled.
### CSV template structure
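Review bot: The new warning line treats userPrincipalName, passwordProfile and accountEnabled as prose words although they are literal column identifiers from the template; format them as code and state whether the no-leading-space rule is limited to those three columns or applies to every column in the header row. The ".csv" extension requirement is a separate point from the leading-space problem and reads better as its own sentence.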
active-directory Delegate Invitations https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/external-identities/delegate-invitations.md
By default, all users, including guests, can invite guest users.
- **Guest user access is restricted to properties and memberships of their own directory objects (most restrictive)**: With this setting, guests can access only their own profiles. Guests are not allowed to see other users' profiles, groups, or group memberships. - 5. Under **Guest invite settings**, choose the appropriate settings: ![Guest invite settings](./media/delegate-invitations/guest-invite-settings.png)
-
- - **Anyone in the organization can invite guest users including guests and non-admins (most inclusive)**: To allow guests to invite other guests, select this radio button.
- - **Member users and users assigned to specific admin roles can invite guest users including guests with member permissions**: To allow non-admin members and administrators assigned particular roles to invite guests, select this radio button.
- - **Only users assigned to specific admin roles can invite guest users**: To only allow specific administrators to invite guests, select this radio button.
- - **No one in the organization can invite guest users including admins (most restrictive)**: To restrict everyone within the organization from inviting guests, select this radio button.
-6. Under **Enable guest self-service sign up via user flows**, select **Yes** if you want to be able to create user flows that let users sign up for apps. For more information about this setting, see [Add a self-service sign-up user flow to an app](self-service-sign-up-user-flow.md).
+ - **Anyone in the organization can invite guest users including guests and non-admins (most inclusive)**: To allow guests in the organization to invite other guests including those who are not members of an organization, select this radio button.
+ - **Member users and users assigned to specific admin roles can invite guest users including guests with member permissions**: To allow member users and users who have specific administrator roles to invite guests, select this radio button.
+ - **Only users assigned to specific admin roles can invite guest users**: To allow only those users with certain administrator roles to invite guests, select this radio button.
+ - **No one in the organization can invite guest users including admins (most restrictive)**: To deny everyone in the organization from inviting guests, select this radio button.
+ > [!NOTE]
+ > If **Members can invite** is set to **No** and **Admins and users in the guest inviter role can invite** is set to **Yes**, users in the **Guest Inviter** role will still be able to invite guests.
+
+6. Under **Email one-time passcode for guests**, choose the appropriate settings (for more information, see [Email one-time passcode authentication](one-time-passcode.md)):
+
+ - **Automatically enable email one-time passcode for guests in October 2021**. (Default) If the email one-time passcode feature is not already enabled for your tenant, it will be automatically turned on in October 2021. No further action is necessary if you want the feature enabled at that time. If you've already enabled or disabled the feature, this option will be unavailable.
+
+ - **Enable email one-time passcode for guests effective now**. Turns on the email one-time passcode feature for your tenant.
+
+ - **Disable email one-time passcode for guests**. Turns off the email one-time passcode feature for your tenant, and prevents the feature from turning on in October 2021.
+
+ > [!NOTE]
+ > Instead of the options above, you'll see the following toggle if you've enabled or disabled this feature or if you've previously opted in to the preview:
+ >
+ >![Enable Email one-time passcode opted in](media/delegate-invitations/enable-email-otp-opted-in.png)
+
+7. Under **Enable guest self-service sign up via user flows**, select **Yes** if you want to be able to create user flows that let users sign up for apps. For more information about this setting, see [Add a self-service sign-up user flow to an app](self-service-sign-up-user-flow.md).
![Self-service sign up via user flows setting](./media/delegate-invitations/self-service-sign-up-setting.png)
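Review bot: The note added after the four **Guest invite settings** options refers to **Members can invite** and **Admins and users in the guest inviter role can invite**, names that do not appear among the options listed just above it, so a reader cannot tell which radio button the note applies to; reword it against the listed options (for example, say which of them still lets the **Guest Inviter** role send invitations). Two wording issues in the same list: "including those who are not members of an organization" in the first bullet is awkward next to the option label it explains, and "To deny everyone in the organization from inviting guests" should be "To prevent anyone in the organization from inviting guests". The three email one-time passcode bullets in step 6 describe behaviour tied to October 2021; mark that text for revision once the automatic enablement has happened so the default option does not describe a past event.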
active-directory Add Custom Domain https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/add-custom-domain.md
After you've verified your custom domain name, you can delete your verification
If Azure AD can't verify a custom domain name, try the following suggestions: -- **Wait at least an hour and try again**. DNS records must propagate before Azure AD can verify the domain. This process can take an hour or more.
+- **Wait at least an hour and try again.** DNS records must propagate before Azure AD can verify the domain. This process can take an hour or more.
+
+- **If you are trying to verify a child domain, verify the parent domain first.** Make sure the parent domain is created and verified first before you try to verify child domain.
- **Make sure the DNS record is correct.** Go back to the domain name registrar site. Make sure the entry is there, and that it matches the DNS entry information provided by Azure AD.
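Review bot: The new child-domain bullet says "verify the parent domain first" in bold and then "created and verified first" again in the explanation, and "before you try to verify child domain" is missing its article. Suggest: **If you are trying to verify a child domain, verify the parent domain first.** Azure AD cannot verify a child domain until its parent domain exists and has been verified.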
active-directory How To Dirsync Upgrade Get Started https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/hybrid/how-to-dirsync-upgrade-get-started.md
# Azure AD Connect: Upgrade from DirSync Azure AD Connect is the successor to DirSync. You find the ways you can upgrade from DirSync in this topic. These steps do not work for upgrading from another release of Azure AD Connect or from Azure AD Sync.
+DirSync and Azure AD Sync are not supported and will no longer work. If you are still using these you MUST upgrade to AADConnect to resume your sync process.
+ Before you start installing Azure AD Connect, make sure to [download Azure AD Connect](https://go.microsoft.com/fwlink/?LinkId=615771) and complete the pre-requisite steps in [Azure AD Connect: Hardware and prerequisites](how-to-connect-install-prerequisites.md). In particular, you want to read about the following, since these areas are different from DirSync: * The required version of .NET and PowerShell. Newer versions are required to be on the server than what DirSync needed.
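Review bot: "AADConnect" in the added paragraph should be "Azure AD Connect", the name used in the heading and everywhere else on this page; the sentence also needs a comma after "If you are still using these", and "MUST" in capitals reads as shouting where "must" is enough. The re-added line beginning "Before you start installing Azure AD Connect" now starts with a leading space, which looks like an accidental whitespace change rather than intended indentation; trim it so the paragraph renders the same as the one it replaced.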
active-directory Reference Connect Dirsync Deprecated https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/hybrid/reference-connect-dirsync-deprecated.md
# Upgrade Windows Azure Active Directory Sync and Azure Active Directory Sync
-Azure AD Connect is the best way to connect your on-premises directory with Azure AD and Microsoft 365. This is a great time to upgrade to Azure AD Connect from Windows Azure Active Directory Sync (DirSync) or Azure AD Sync (AADSync) as these tools are now deprecated and are no longer supported as of April 13, 2017.
+Azure AD Connect is the best way to connect your on-premises directory with Azure AD and Microsoft 365. This is a great time to upgrade to Azure AD Connect from Windows Azure Active Directory Sync (DirSync) or Azure AD Sync (AADSync) as these tools are now deprecated and do not work anymore.
-The two identity synchronization tools that are deprecated were offered for single forest customers (DirSync) and for multi-forest and other advanced customers (Azure AD Sync). These older tools have been replaced with a single solution that is available for all scenarios: Azure AD Connect. It offers new functionality, feature enhancements, and support for new scenarios. To be able to continue to synchronize your on-premises identity data to Azure AD and Microsoft 365, we strongly recommend that you upgrade to Azure AD Connect. Microsoft does not guarantee these older versions to work after December 31, 2017.
+The two identity synchronization tools that are deprecated were offered for single forest customers (DirSync) and for multi-forest and other advanced customers (Azure AD Sync). These older tools have been replaced with a single solution that is available for all scenarios: Azure AD Connect. It offers new functionality, feature enhancements, and support for new scenarios. To be able to continue to synchronize your on-premises identity data to Azure AD and Microsoft 365, you must upgrade to Azure AD Connect.
The last release of DirSync was released in July 2014 and the last release of Azure AD Sync was released in May 2015.
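Review bot: "are now deprecated and do not work anymore" is informal; "are now deprecated and no longer work" says the same thing in the register of the rest of the paragraph. Dropping the "Microsoft does not guarantee these older versions to work after December 31, 2017" sentence and replacing "we strongly recommend that you upgrade" with "you must upgrade" are consistent with the cutoff having passed, so those two changes look right.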
Azure AD Connect is the successor to DirSync and Azure AD Sync. It combines all
| April 13, 2016 |Windows Azure Active Directory Sync (“DirSync”) and Microsoft Azure Active Directory Sync (“Azure AD Sync”) are announced as deprecated. |
| April 13, 2017 |Support ends. Customers will no longer be able to open a support case without upgrading to Azure AD Connect first. |
|December 31, 2017|Azure AD may no longer accept communications from Windows Azure Active Directory Sync ("DirSync") and Microsoft Azure Active Directory Sync ("Azure AD Sync").
-|April 1st, 2021| Windows Azure Active Directory Sync ("DirSync") and Microsoft Azure Active Directory Sync ("Azure AD Sync") will no longer work |
+|April 1st, 2021| Windows Azure Active Directory Sync ("DirSync") and Microsoft Azure Active Directory Sync ("Azure AD Sync") do no longer work |
## How to transition to Azure AD Connect If you are running DirSync, there are two ways you can upgrade: In-place upgrade and parallel deployment. An in-place upgrade is recommended for most customers and if you have a recent operating system and less than 50,000 objects. In other cases, it is recommended to do a parallel deployment where your DirSync configuration is moved to a new server running Azure AD Connect.
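Review bot: The replacement table row reads "do no longer work", which is ungrammatical; "no longer work" is the intended wording. The same row uses "April 1st, 2021" whereas the other rows in this table write dates as "April 13, 2016" without an ordinal suffix, so "April 1, 2021" would keep the column consistent.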
active-directory Managed Identity Best Practice Recommendations https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/managed-identities-azure-resources/managed-identity-best-practice-recommendations.md
[!INCLUDE [preview-notice](../../../includes/active-directory-msi-preview-notice.md)]
-## When to use system-assigned or user-assigned managed identities
+## Choosing system or user-assigned managed identities
User-assigned managed identities are more efficient in a broader range of scenarios than system-assigned managed identities. See the table below for some scenarios and the recommendations for user-assigned or system-assigned.
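Review bot: The renamed heading "Choosing system or user-assigned managed identities" drops the hyphenated term on one side of the comparison; "Choosing between system-assigned and user-assigned managed identities" matches the wording used in the table and the paragraph below it. Renaming a level-2 heading also changes its anchor, so any links elsewhere in the docs to the old "When to use system-assigned or user-assigned managed identities" heading need updating in the same change.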
Access required before a resource is deployed |User-assigned identity| Some reso
Audit Logging|System-assigned identity|If you need to log which specific resource carried out an action, rather than which identity, use a system-assigned identity.| Permissions Lifecycle Management|System-assigned identity|If you require that the permissions for a resource be removed along with the resource, use a system-assigned identity.
-**Using user-assigned identities to reduce administration**
+### Using user-assigned identities to reduce administration
The diagrams demonstrate the difference between system-assigned and user-assigned identities, when used to allow several virtual machines to access two storage accounts.
Security groups can also be used to reduce the number of role assignments that a
:::image type="content" source="media/managed-identity-best-practice-recommendations/system-assigned-identities-in-a-group.png" alt-text="Four virtual machines with their system-assigned identities added to a security group that has role assignments.":::
-**Multiple Managed Identities**
+### Multiple managed identities
Resources that support managed identities can have both a system-assigned identity and one or more user-assigned identities.
This model provides the flexibility to both use a shared user-assigned identity
In the example below, “Virtual Machine 3” and “Virtual Machine 4” can access both storage accounts and key vaults, depending on which user-assigned identity they use while authenticating. In the example below, “Virtual Machine 4” has both a user-assigned identity, giving it access to both storage accounts and key vaults, depending on which identity is used while authenticating. The role assignments for the system-assigned identity are specific to that virtual machine. :::image type="content" source="media/managed-identity-best-practice-recommendations/system-and-user-assigned-identities.png" alt-text="Four virtual machines, one with both system-assigned and user-assigned identities.":::
-**Limits**
+## Limits
View the limits for [managed identities](../../azure-resource-manager/management/azure-subscription-service-limits.md#azure-role-based-access-control-limits) and for [custom roles and role assignments](../../azure-resource-manager/management/azure-subscription-service-limits.md#azure-role-based-access-control-limits).
-**Maintenance**
+## Maintenance
System-assigned identities are automatically deleted when the resource is deleted, while the lifecycle of a user-assigned identity is independent of any resources with which it's associated.
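Review bot: Under the promoted **Limits** heading, the links for managed identities and for custom roles and role assignments both point to the same fragment, `#azure-role-based-access-control-limits`; if managed identities have their own limits section on the target page, the first link should use that anchor, otherwise the two links are redundant and one can be dropped. Promoting **Limits** and **Maintenance** from bold text to level-2 headings places them at the same level as the scenario-selection section, which is the right structure for the table of contents.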
Role assignments aren't automatically deleted when either system-assigned or use
Role assignments that are associated with deleted managed identities will be displayed with “Identity not found” when viewed in the portal. [Read more](../../role-based-access-control/troubleshooting.md#role-assignments-with-identity-not-found).
active-directory 123Formbuilder Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/123formbuilder-tutorial.md
Previously updated : 04/14/2020 Last updated : 05/25/2021
In this tutorial, you'll learn how to integrate 123FormBuilder SSO with Azure Ac
* Enable your users to be automatically signed in to 123FormBuilder SSO with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
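Review bot: Removing the "To learn more about SaaS app integration with Azure AD" paragraph leaves the tutorial without a link to the single sign-on overview; if the intent is to consolidate links under the **Next steps** section introduced later in this change, that section should carry the pointer, otherwise keep the sentence here.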
In this tutorial, you configure and test Azure AD SSO in a test environment.
* 123FormBuilder SSO supports **SP and IDP** initiated SSO. * 123FormBuilder SSO supports **Just In Time** user provisioning.
-* Once you configure 123FormBuilder SSO you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
-## Adding 123FormBuilder SSO from the gallery
+## Add 123FormBuilder SSO from the gallery
To configure the integration of 123FormBuilder SSO into Azure AD, you need to add 123FormBuilder SSO from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **123FormBuilder SSO** in the search box. 1. Select **123FormBuilder SSO** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on for 123FormBuilder SSO
+## Configure and test Azure AD SSO for 123FormBuilder SSO
Configure and test Azure AD SSO with 123FormBuilder SSO using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in 123FormBuilder SSO.
-To configure and test Azure AD SSO with 123FormBuilder SSO, complete the following building blocks:
+To configure and test Azure AD SSO with 123FormBuilder SSO, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
- * **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
- * **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
1. **[Configure 123FormBuilder SSO](#configure-123formbuilder-sso)** - to configure the single sign-on settings on application side.
- * **[Create 123FormBuilder SSO test user](#create-123formbuilder-sso-test-user)** - to have a counterpart of B.Simon in 123FormBuilder SSO that is linked to the Azure AD representation of user.
+ 1. **[Create 123FormBuilder SSO test user](#create-123formbuilder-sso-test-user)** - to have a counterpart of B.Simon in 123FormBuilder SSO that is linked to the Azure AD representation of user.
1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ## Configure Azure AD SSO Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **123FormBuilder SSO** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **123FormBuilder SSO** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png) 4. On the **Basic SAML Configuration** section, If you wish to configure the application in **IDP** initiated mode, perform the following steps:
- a. In the **Identifier** text box, type a URL using the following pattern: `https://www.123formbuilder.com/saml/azure_ad/<tenant_id>/metadata`
+ a. In the **Identifier** text box, type a URL using the following pattern: `https://www.123formbuilder.com/saml/azure_ad/<TENANT_ID>/metadata`
- b. In the **Reply URL** text box, type a URL using the following pattern: `https://www.123formbuilder.com/saml/azure_ad/<tenant_id>/acs`
+ b. In the **Reply URL** text box, type a URL using the following pattern: `https://www.123formbuilder.com/saml/azure_ad/<TENANT_ID>/acs`
5. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
- In the **Sign-on URL** text box, type a URL using the following pattern: `https://www.123formbuilder.com/saml/azure_ad/<tenant_id>/sso`
+ In the **Sign-on URL** text box, type a URL using the following pattern: `https://www.123formbuilder.com/saml/azure_ad/<TENANT_ID>/sso`
> [!NOTE] > These values are not real. You'll need to update these value from actual URLs and Identifier which is explained later in the tutorial.
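Review bot: The placeholder in the three URL patterns is now `<TENANT_ID>`, which readers will naturally take to mean the Azure AD tenant ID, while the application-side step later in the tutorial says the Identifier and Reply URL values are copied from the 123FormBuilder instance's own settings page; either rename the placeholder to show which system issues the value or extend the note that follows to say where the real value comes from.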
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **123FormBuilder SSO**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure 123FormBuilder SSO
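Review bot: The new role-selection step reads 'you see "Default Access" role selected'; make it 'you see the **Default Access** role selected' so the article is present and the UI label is styled like **Select a role** in the same sentence. Deleting the two screenshots removes the only visual cue for the **Users and groups** blade and the **Add user** button; confirm the remaining text is enough for a reader to locate them.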
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
2. On the **Microsoft Azure AD - Single sign-on - Configure App Settings** perform the following steps:
- ![Configure Single Sign-On](./media/123formbuilder-tutorial/url3.png)
+ ![Configure Single Sign-On](./media/123formbuilder-tutorial/configuration.png)
a. If you wish to configure the application in **IDP initiated mode**, copy the **IDENTIFIER** value for your instance and paste it in **Identifier** textbox in **Basic SAML Configuration** section on Azure portal.
In this section, a user called Britta Simon is created in 123FormBuilder SSO. 12
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
-When you click the 123FormBuilder SSO tile in the Access Panel, you should be automatically signed in to the 123FormBuilder SSO for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to 123FormBuilder SSO Sign on URL where you can initiate the login flow.
-## Additional resources
+* Go to 123FormBuilder SSO Sign-on URL directly and initiate the login flow from there.
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+#### IDP initiated:
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the 123FormBuilder SSO for which you set up the SSO.
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the 123FormBuilder SSO tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the 123FormBuilder SSO for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [Try 123FormBuilder SSO with Azure AD](https://aad.portal.azure.com/)
+## Next steps
-- [What is session control in Microsoft Cloud App Security?](/cloud-app-security/proxy-intro-aad)
+Once you configure 123FormBuilder SSO you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
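Review bot: the added Next steps line contains a mis-encoded apostrophe, `organizationΓÇÖs` (the UTF-8 bytes of a curly apostrophe read as CP437); replace it with a plain `organization's`. Two smaller points in the same hunk: the new `#### SP initiated:` and `#### IDP initiated:` headings jump from H2 straight to H4, so use `###` to keep the heading hierarchy valid, and `+In this section, you test your Azure AD single sign-on configuration with following options.` needs "with the following options". "Sign on URL" and "Sign-on URL" are also used within two lines of each other; pick one spelling.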
active-directory Agiloft Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/agiloft-tutorial.md
Previously updated : 01/17/2019 Last updated : 05/25/2021 # Tutorial: Azure Active Directory integration with Agiloft
-In this tutorial, you learn how to integrate Agiloft with Azure Active Directory (Azure AD).
-Integrating Agiloft with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Agiloft with Azure Active Directory (Azure AD). When you integrate Agiloft with Azure AD, you can:
-* You can control in Azure AD who has access to Agiloft.
-* You can enable your users to be automatically signed-in to Agiloft (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Agiloft.
+* Enable your users to be automatically signed-in to Agiloft with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with Agiloft, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* Agiloft single sign-on enabled subscription
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Agiloft single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* Agiloft supports **SP and IDP** initiated SSO
-* Agiloft supports **Just In Time** user provisioning
+* Agiloft supports **SP and IDP** initiated SSO.
+* Agiloft supports **Just In Time** user provisioning.
-## Adding Agiloft from the gallery
+## Add Agiloft from the gallery
To configure the integration of Agiloft into Azure AD, you need to add Agiloft from the gallery to your list of managed SaaS apps.
-**To add Agiloft from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **Agiloft**, select **Agiloft** from result panel then click **Add** button to add the application.
-
- ![Agiloft in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
-
-In this section, you configure and test Azure AD single sign-on with Agiloft based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Agiloft needs to be established.
-
-To configure and test Azure AD single sign-on with Agiloft, you need to complete the following building blocks:
-
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure Agiloft Single Sign-On](#configure-agiloft-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Agiloft test user](#create-agiloft-test-user)** - to have a counterpart of Britta Simon in Agiloft that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Agiloft** in the search box.
+1. Select **Agiloft** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-### Configure Azure AD single sign-on
+## Configure and test Azure AD SSO for Agiloft
-In this section, you enable Azure AD single sign-on in the Azure portal.
+Configure and test Azure AD SSO with Agiloft using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Agiloft.
-To configure Azure AD single sign-on with Agiloft, perform the following steps:
+To configure and test Azure AD SSO with Agiloft, perform the following steps:
-1. In the [Azure portal](https://portal.azure.com/), on the **Agiloft** application integration page, select **Single sign-on**.
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Agiloft SSO](#configure-agiloft-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Agiloft test user](#create-agiloft-test-user)** - to have a counterpart of B.Simon in Agiloft that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
- ![Configure single sign-on link](common/select-sso.png)
+## Configure Azure AD SSO
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+Follow these steps to enable Azure AD SSO in the Azure portal.
- ![Single sign-on select mode](common/select-saml-option.png)
+1. In the Azure portal, on the **Agiloft** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, If you wish to configure the application in **IDP** initiated mode, perform the following steps:
- ![Screenshot that highlights the Identifier and Reply URL text boxes.](common/idp-intiated.png)
- a. In the **Identifier** text box, type a URL using the following pattern:-
- ```http
- https://<subdomain>.agiloft.com/<KB_NAME>
- ```
+ `https://<SUBDOMAIN>.agiloft.com/<KB_NAME>`
b. In the **Reply URL** text box, type a URL using the following pattern:-
- ```http
- https://<subdomain>.agiloft.com:443/gui2/spsamlsso?project=<KB_NAME>
- ```
+ `https://<SUBDOMAIN>.agiloft.com:443/gui2/spsamlsso?project=<KB_NAME>`
5. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
- ![Agiloft Domain and URLs single sign-on information](common/metadata-upload-additional-signon.png)
- In the **Sign-on URL** text box, type a URL using the following pattern:-
- ```http
- https://<subdomain>.agiloft.com/gui2/samlssologin.jsp?project=<KB_NAME>
- ```
+ `https://<SUBDOMAIN>.agiloft.com/gui2/samlssologin.jsp?project=<KB_NAME>`
> [!NOTE] > These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact [Agiloft Client support team](https://www.agiloft.com/support-login.htm) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
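Review bot: the rewritten steps in Configure Azure AD SSO mix list markers: the new lines use `1.` three times (`+1. In the Azure portal, on the **Agiloft** application integration page ...`, `+1. On the **Select a single sign-on method** page, select **SAML**.`, `+1. On the **Set up single sign-on with SAML** page, click the pencil icon ...`) while the untouched context continues with explicit `4.` and `5.`. Markdown will still number them 1 to 5, but mixing the two styles in one list is fragile if a step is later inserted; either renumber the context lines to `1.` as well or keep explicit numbers throughout. The Identifier/Reply URL/Sign-on URL patterns switching from `<subdomain>` to `<SUBDOMAIN>` while keeping `<KB_NAME>` is a welcome consistency fix.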
To configure Azure AD single sign-on with Agiloft, perform the following steps:
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
+### Create an Azure AD test user
- b. Azure Ad Identifier
+In this section, you'll create a test user in the Azure portal called B.Simon.
- c. Logout URL
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
-### Configure Agiloft Single Sign-On
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Agiloft.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Agiloft**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure Agiloft SSO
1. In a different web browser window, log in to your Agiloft company site as an administrator. 2. Click on **Setup** (on the Left Pane) and then select **Access**.
- ![Screenshot that highlights the Access section.](./media/agiloft-tutorial/setup1.png)
+ ![Screenshot that highlights the Access section.](./media/agiloft-tutorial/access.png)
3. Click on the button **Configure SAML 2.0 Single Sign-On**.
- ![Screenshot that highlights the Configure SAML 2.0 Single Sign-On button.](./media/agiloft-tutorial/setup2.png)
+ ![Screenshot that highlights the Configure SAML 2.0 Single Sign-On button.](./media/agiloft-tutorial/setup.png)
4. A wizard dialog appears. On the dialog, click on the **Identity Provider Details** and fill in the following fields:
- ![Agiloft Configuration](./media/agiloft-tutorial/setup4.png)
+ ![Agiloft Configuration](./media/agiloft-tutorial/details.png)
a. In **IdP Entity Id / Issuer** textbox, paste the value of **Azure Ad Identifier**, which you have copied from Azure portal.
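Review bot: removing the three-item list under the Copy configuration URLs screenshot (`- a. Login URL`, `- b. Azure Ad Identifier`, `- c. Logout URL`) leaves the unchanged step 4a in Configure Agiloft SSO pointing at a value the reader is no longer told to copy: it still says to paste the **Azure Ad Identifier** "which you have copied from Azure portal". Either keep a sentence naming the values to copy next to that screenshot or reword step 4a to say where in the portal the identifier is found. Separately, in the new test-user step `+ 1. In the **User name** field, enter the username@companydomain.extension.` the placeholder should be in code formatting like the example that follows it, to match the other tutorials in this commit.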
To configure Azure AD single sign-on with Agiloft, perform the following steps:
e. Click **Finish**.
-### Create an Azure AD test user
-
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type **brittasimon\@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
-
-### Assign the Azure AD test user
-
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Agiloft.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Agiloft**.
-
- ![Enterprise applications blade](common/enterprise-applications.png)
-
-2. In the applications list, select **Agiloft**.
-
- ![The Agiloft link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
+### Create Agiloft test user
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
+In this section, a user called Britta Simon is created in Agiloft. Agiloft supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Agiloft, a new one is created after authentication.
-7. In the **Add Assignment** dialog click the **Assign** button.
+## Test SSO
-### Create Agiloft test user
+In this section, you test your Azure AD single sign-on configuration with following options.
-In this section, a user called Britta Simon is created in Agiloft. Agiloft supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Agiloft, a new one is created after authentication.
+#### SP initiated:
-### Test single sign-on
+* Click on **Test this application** in Azure portal. This will redirect to Agiloft Sign on URL where you can initiate the login flow.
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+* Go to Agiloft Sign-on URL directly and initiate the login flow from there.
-When you click the Agiloft tile in the Access Panel, you should be automatically signed in to the Agiloft for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+#### IDP initiated:
-## Additional Resources
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Agiloft for which you set up the SSO.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the Agiloft tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Agiloft for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Agiloft you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
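Review bot: the re-added line `+In this section, a user called Britta Simon is created in Agiloft.` keeps the old test-user name, while the rest of the rewritten tutorial now uses **B.Simon** (`+Configure and test Azure AD SSO with Agiloft using a test user called **B.Simon**.`); change it to B.Simon so the Agiloft counterpart matches the Azure AD user the reader created. Also in this hunk: `organizationΓÇÖs` in the Next steps line is a mis-encoded apostrophe and should be `organization's`, the new `#### SP initiated:` / `#### IDP initiated:` headings skip H3, and "with following options" needs "the".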
active-directory Atlassian Cloud Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/atlassian-cloud-tutorial.md
Previously updated : 11/02/2020 Last updated : 05/17/2021 # Tutorial: Integrate Atlassian Cloud with Azure Active Directory
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Atlassian Cloud supports **SP and IDP** initiated SSO
-* Atlassian Cloud supports [Automatic user provisioning and deprovisioning](atlassian-cloud-provisioning-tutorial.md)
+* Atlassian Cloud supports **SP and IDP** initiated SSO.
+* Atlassian Cloud supports [Automatic user provisioning and deprovisioning](atlassian-cloud-provisioning-tutorial.md).
## Adding Atlassian Cloud from the gallery
Follow these steps to enable Azure AD SSO in the Azure portal.
c. The final attribute mappings should look as follows. ![image 4](./media/atlassian-cloud-tutorial/default-attributes-2.png)+
+ > [!NOTE]
+ > You can set multiple security policies by selecting **Authentication policies** option from the left drawer. An authentication policy allows you to specify authentication settings for different sets of users and configurations in your organization. It verifies that users who access the Atlassian organization are genuine. For more information, please refer [Authentication policies](https://support.atlassian.com/security-and-access-policies/docs/understand-authentication-policies/).
### Create an Azure AD test user
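Review bot: the added note has two grammar slips that should be fixed before merge: "by selecting **Authentication policies** option" needs "the **Authentication policies** option", and "please refer [Authentication policies](...)" should be "refer to [Authentication policies](...)". The substance is useful: flagging that authentication policies can scope different SSO settings to different user sets is exactly the kind of caveat an administrator rolling out SAML for an Atlassian organization needs, so it is worth keeping the note where it is, directly after the attribute-mapping step.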
In this section, you test your Azure AD single sign-on configuration with follow
* Click on **Test this application** in Azure portal and you should be automatically signed in to the Atlassian Cloud for which you set up the SSO
-You can also use Microsoft Access Panel to test the application in any mode. When you click the Atlassian Cloud tile in the Access Panel, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Atlassian Cloud for which you set up the SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+You can also use Microsoft My Apps to test the application in any mode. When you click the Atlassian Cloud tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Atlassian Cloud for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
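Review bot: in the replacement line `+You can also use Microsoft My Apps to test the application in any mode. When you click the Atlassian Cloud tile in the My Apps, ...` the article before the product name is a leftover from the "the Access Panel" wording being replaced; "My Apps" takes no article, so "in My Apps", "about My Apps" and the link text "Introduction to My Apps". Also hyphenate "application sign-on page" to match "Sign-on URL" used elsewhere in the page.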
active-directory Cappm Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/cappm-tutorial.md
Previously updated : 06/05/2020 Last updated : 05/25/2021 # Tutorial: Azure Active Directory integration with Clarity
In this tutorial, you'll learn how to integrate Clarity with Azure Active Direct
* Enable your users to be automatically signed-in to Clarity with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* Clarity supports **IDP** initiated SSO
-* Once you configure Clarity you can enforce session control, which protects exfiltration and infiltration of your organization's sensitive data in real-time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
+* Clarity supports **IDP** initiated SSO.
-## Adding Clarity from the gallery
+## Add Clarity from the gallery
To configure the integration of Clarity into Azure AD, you need to add Clarity from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Clarity** in the search box. 1. Select **Clarity** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on for Clarity
+## Configure and test Azure AD SSO for Clarity
Configure and test Azure AD SSO with Clarity using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Clarity.
-To configure and test Azure AD SSO with Clarity, complete the following building blocks:
+To configure and test Azure AD SSO with Clarity, perform the following steps:
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon. 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
-2. **[Configure Clarity Single Sign-On](#configure-clarity-single-sign-on)** - to configure the Single Sign-On settings on application side.
+2. **[Configure Clarity SSO](#configure-clarity-sso)** - to configure the Single Sign-On settings on application side.
1. **[Create Clarity test user](#create-clarity-test-user)** - to have a counterpart of B.Simon in Clarity that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+6. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-## Configure Azure AD single sign-on
+## Configure Azure AD SSO
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Clarity** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **Clarity** application integration page, find the **Manage** section and select **single sign-on**.
2. On the **Select a Single sign-on method** dialog, select **SAML**.
-3. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+3. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png) 4. On the **Set up Single Sign-On with SAML** page, perform the following steps: a. In the **Identifier** text box, type a URL using the following pattern:
- `https://ca.ondemand.saml.20.post.<companyname>`
+ `https://ca.ondemand.saml.20.post.<COMPANY_NAME>`
- b. In the **Reply URL** text box, type as:
+ b. In the **Reply URL** text box, type the URL:
`https://fedsso.ondemand.ca.com/affwebservices/public/saml2assertionconsumer` > [!NOTE]
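Review bot: the rewritten "perform the following steps" list mixes markers: `+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)**`, then `+2. **[Configure Clarity SSO](#configure-clarity-sso)**` and `+6. **[Test SSO](#test-sso)**`. The explicit `6.` is left over from the old six-item flat list and no longer matches the three top-level items with nested sub-steps; use `1.` for all three top-level items as the Agiloft and EFI tutorials in this same commit do. The new anchors do resolve to the renamed headings (`## Configure Azure AD SSO`, `## Configure Clarity SSO`, `## Test SSO`), so the link targets are correct.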
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **Clarity**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
-1. In the **Add Assignment** dialog, click the **Assign** button
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
-## Configure Clarity Single Sign-On
+## Configure Clarity SSO
To configure single sign-on on **Clarity** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [Clarity support team](mailto:catechnicalsupport@ca.com). They set this setting to have the SAML SSO connection set properly on both sides.
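Review bot: the added line `+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.` is missing the article before the quoted role name ("you see the "Default Access" role selected"); this is the same shared sentence pasted into the other tutorials in this commit, so fix it in all of them.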
To configure single sign-on on **Clarity** side, you need to send the downloaded
In this section, you create a user called B.Simon in Clarity. Work with [Clarity support team](mailto:catechnicalsupport@ca.com) to add the users in the Clarity platform. Users must be created and activated before you use single sign-on.
-## Test single sign-on
-
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
-
-When you click the Clarity tile in the Access Panel, you should be automatically signed in to the Clarity for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
-
-## Additional resources
+## Test SSO
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+In this section, you test your Azure AD single sign-on configuration with following options.
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+* Click on Test this application in Azure portal and you should be automatically signed in to the Clarity for which you set up the SSO.
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+* You can use Microsoft My Apps. When you click the Clarity tile in the My Apps, you should be automatically signed in to the Clarity for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is session control in Microsoft Cloud App Security?](/cloud-app-security/proxy-intro-aad)
+## Next steps
-- [How to protect Clarity with advanced visibility and controls](/cloud-app-security/proxy-intro-aad)
+Once you configure Clarity you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
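Review bot: the new IDP-initiated test step `+* Click on Test this application in Azure portal and you should be automatically signed in ...` leaves the UI label unformatted, while every other tutorial in this commit writes it as **Test this application**; bold it here too. In the same hunk the Next steps line has the mis-encoded apostrophe `organizationΓÇÖs` (should be `organization's`), and `+In this section, you test your Azure AD single sign-on configuration with following options.` needs "with the following options".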
active-directory Efidigitalstorefront Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/efidigitalstorefront-tutorial.md
Previously updated : 02/04/2019 Last updated : 05/25/2021 # Tutorial: Azure Active Directory integration with EFI Digital StoreFront
-In this tutorial, you learn how to integrate EFI Digital StoreFront with Azure Active Directory (Azure AD).
-Integrating EFI Digital StoreFront with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate EFI Digital StoreFront with Azure Active Directory (Azure AD). When you integrate EFI Digital StoreFront with Azure AD, you can:
-* You can control in Azure AD who has access to EFI Digital StoreFront.
-* You can enable your users to be automatically signed-in to EFI Digital StoreFront (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to EFI Digital StoreFront.
+* Enable your users to be automatically signed-in to EFI Digital StoreFront with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with EFI Digital StoreFront, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* EFI Digital StoreFront single sign-on enabled subscription
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* EFI Digital StoreFront single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* EFI Digital StoreFront supports **SP** initiated SSO
+* EFI Digital StoreFront supports **SP** initiated SSO.
-## Adding EFI Digital StoreFront from the gallery
+## Add EFI Digital StoreFront from the gallery
To configure the integration of EFI Digital StoreFront into Azure AD, you need to add EFI Digital StoreFront from the gallery to your list of managed SaaS apps.
-**To add EFI Digital StoreFront from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **EFI Digital StoreFront**, select **EFI Digital StoreFront** from result panel then click **Add** button to add the application.
-
- ![EFI Digital StoreFront in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **EFI Digital StoreFront** in the search box.
+1. Select **EFI Digital StoreFront** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-In this section, you configure and test Azure AD single sign-on with EFI Digital StoreFront based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in EFI Digital StoreFront needs to be established.
+## Configure and test Azure AD SSO for EFI Digital StoreFront
-To configure and test Azure AD single sign-on with EFI Digital StoreFront, you need to complete the following building blocks:
+Configure and test Azure AD SSO with EFI Digital StoreFront using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in EFI Digital StoreFront.
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure EFI Digital StoreFront Single Sign-On](#configure-efi-digital-storefront-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create EFI Digital StoreFront test user](#create-efi-digital-storefront-test-user)** - to have a counterpart of Britta Simon in EFI Digital StoreFront that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+To configure and test Azure AD SSO with EFI Digital StoreFront, perform the following steps:
-### Configure Azure AD single sign-on
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure EFI Digital StoreFront SSO](#configure-efi-digital-storefront-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create EFI Digital StoreFront test user](#create-efi-digital-storefront-test-user)** - to have a counterpart of B.Simon in EFI Digital StoreFront that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+## Configure Azure AD SSO
-To configure Azure AD single sign-on with EFI Digital StoreFront, perform the following steps:
+Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **EFI Digital StoreFront** application integration page, select **Single sign-on**.
+1. In the Azure portal, on the **EFI Digital StoreFront** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Configure single sign-on link](common/select-sso.png)
-
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
-
- ![Single sign-on select mode](common/select-saml-option.png)
-
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, perform the following steps:
- ![EFI Digital StoreFront Domain and URLs single sign-on information](common/sp-identifier.png)
- a. In the **Sign on URL** text box, type a URL using the following pattern:
- `https://<companyname>.myprintdesk.net/DSF`
+ `https://<COMPANY_NAME>.myprintdesk.net/DSF`
b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
- `https://<companyname>.myprintdesk.net/DSF/asp4/`
+ `https://<COMPANY_NAME>.myprintdesk.net/DSF/asp4/`
> [!NOTE] > These values are not real. Update these values with the actual Sign on URL and Identifier. Contact [EFI Digital StoreFront Client support team](https://www.efi.com/products/productivity-software/ecommerce-web-to-print/efi-digital-storefront/support/) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
To configure Azure AD single sign-on with EFI Digital StoreFront, perform the fo
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
-
- b. Azure Ad Identifier
-
- c. Logout URL
-
-### Configure EFI Digital StoreFront Single Sign-On
-
-To configure single sign-on on **EFI Digital StoreFront** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [EFI Digital StoreFront Client support team](https://www.efi.com/products/productivity-software/ecommerce-web-to-print/efi-digital-storefront/support/). They set this setting to have the SAML SSO connection set properly on both sides.
- ### Create an Azure AD test user
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type **brittasimon\@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
+In this section, you'll create a test user in the Azure portal called B.Simon.
- d. Click **Create**.
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
### Assign the Azure AD test user
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to EFI Digital StoreFront.
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to EFI Digital StoreFront.
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **EFI Digital StoreFront**.
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **EFI Digital StoreFront**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
- ![Enterprise applications blade](common/enterprise-applications.png)
+## Configure EFI Digital StoreFront SSO
-2. In the applications list, select **EFI Digital StoreFront**.
-
- ![The EFI Digital StoreFront link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
+To configure single sign-on on **EFI Digital StoreFront** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [EFI Digital StoreFront Client support team](https://www.efi.com/products/productivity-software/ecommerce-web-to-print/efi-digital-storefront/support/). They set this setting to have the SAML SSO connection set properly on both sides.
### Create EFI Digital StoreFront test user In this section, you create a user called Britta Simon in EFI Digital StoreFront. Work with [EFI Digital StoreFront support team](https://www.efi.com/products/productivity-software/ecommerce-web-to-print/efi-digital-storefront/support/) to add the users in the EFI Digital StoreFront platform. Users must be created and activated before you use single sign-on.
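Review bot: the unchanged paragraph under "Create EFI Digital StoreFront test user" still says "you create a user called Britta Simon" while every other step in this change renames the test user to **B.Simon**; update it to match so the counterpart user described here is the same one assigned in the Azure AD steps. In the moved "Configure EFI Digital StoreFront SSO" paragraph, "They set this setting to have the SAML SSO connection set properly on both sides" is awkward; suggest "The support team applies these settings so that the SAML SSO connection is configured correctly on both sides."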
-### Test single sign-on
+## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the EFI Digital StoreFront tile in the Access Panel, you should be automatically signed in to the EFI Digital StoreFront for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to EFI Digital StoreFront Sign-on URL where you can initiate the login flow.
-## Additional Resources
+* Go to EFI Digital StoreFront Sign-on URL directly and initiate the login flow from there.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the EFI Digital StoreFront tile in the My Apps, this will redirect to EFI Digital StoreFront Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure EFI Digital StoreFront you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
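Review bot: `organizationΓÇÖs` in the Next steps paragraph is a mis-encoded apostrophe (the UTF-8 bytes for the right single quote rendered as code page 437) and should read `organization's`. In the same sentence, "protects exfiltration and infiltration" should be "protects against exfiltration and infiltration". In the My Apps bullet, "When you click the EFI Digital StoreFront tile in the My Apps, this will redirect to" reads better as "When you select the EFI Digital StoreFront tile in My Apps, you are redirected to", and the link text "Introduction to the My Apps" should be "Introduction to My Apps".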
active-directory Github Enterprise Cloud Enterprise Account Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/github-enterprise-cloud-enterprise-account-tutorial.md
Previously updated : 02/12/2021 Last updated : 05/25/2021
Follow these steps to enable Azure AD SSO in the Azure portal.
1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, enter the values for the following fields: a. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
- `https://github.com/enterprises/<ENTERPRISE-SLUG>`
+ `https://github.com/orgs/<ENTERPRISE-SLUG>`
b. In the **Reply URL** text box, type a URL using the following pattern:
- `https://github.com/enterprises/<ENTERPRISE-SLUG>/saml/consume`
+ `https://github.com/orgs/<ENTERPRISE-SLUG>/saml/consume`
1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode: In the **Sign on URL** text box, type a URL using the following pattern:
- `https://github.com/enterprises/<ENTERPRISE-SLUG>/sso`
+ `https://github.com/orgs/<ENTERPRISE-SLUG>/sso`
> [!NOTE] > Replace `<ENTERPRISE-SLUG>` with the actual name of your GitHub Enterprise Account.
After you enable SAML SSO for your GitHub Enterprise Account, SAML SSO is enable
## Test SSO with another enterprise account owner or organization member account
-After the SAML integration is set up for the GitHub enterprise account (which also applies to the GitHub organizations in the enterprise account), other enterprise account owners who are assigned to the app in Azure AD should be able to navigate to the GitHub enterprise account URL (`https://github.com/enterprises/<enterprise account>`), authenticate via SAML, and access the policies and settings under the GitHub enterprise account.
+After the SAML integration is set up for the GitHub enterprise account (which also applies to the GitHub organizations in the enterprise account), other enterprise account owners who are assigned to the app in Azure AD should be able to navigate to the GitHub enterprise account URL (`https://github.com/orgs/<enterprise account>`), authenticate via SAML, and access the policies and settings under the GitHub enterprise account.
An organization owner for an organization in an enterprise account should be able to [invite a user to join their GitHub organization](https://docs.github.com/en/free-pro-team@latest/github/setting-up-and-managing-organizations-and-teams/inviting-users-to-join-your-organization). Sign in to GitHub.com with an organization owner account and follow the steps in the article to invite `B.Simon` to the organization. A GitHub user account will need to be created for `B.Simon` if one does not already exist.
active-directory Github Enterprise Managed User Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/github-enterprise-managed-user-tutorial.md
# Tutorial: Azure Active Directory single sign-on (SSO) integration with GitHub Enterprise Managed User
-In this tutorial, you'll learn how to integrate GitHub Enterprise Managed User with Azure Active Directory (Azure AD). When you integrate GitHub Enterprise Managed User with Azure AD, you can:
+In this tutorial, you'll learn how to integrate GitHub Enterprise Managed User (EMU) with Azure Active Directory (Azure AD). When you integrate GitHub Enterprise Managed User with Azure AD, you can:
* Control in Azure AD who has access to GitHub Enterprise Managed User. * Enable your users to be automatically signed-in to GitHub Enterprise Managed User with their Azure AD accounts.
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment. * GitHub Enterprise Managed User supports **SP and IDP** initiated SSO.
-* GitHub Enterprise Managed User supports **Just In Time** user provisioning.
-* GitHub Enterprise Managed User supports [**Automated** user provisioning](./github-enterprise-managed-user-provisioning-tutorial.md).
+* GitHub Enterprise Managed User requires [**Automated** user provisioning](./github-enterprise-managed-user-provisioning-tutorial.md).
## Adding GitHub Enterprise Managed User from the gallery
To configure the integration of GitHub Enterprise Managed User into Azure AD, yo
## Configure and test Azure AD SSO for GitHub Enterprise Managed User
-Configure and test Azure AD SSO with GitHub Enterprise Managed User using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in GitHub Enterprise Managed User.
- To configure and test Azure AD SSO with GitHub Enterprise Managed User, perform the following steps:
-1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
- 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
- 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
-1. **[Configure GitHub Enterprise Managed User SSO](#configure-github-enterprise-managed-user-sso)** - to configure the single sign-on settings on application side.
- 1. **[Create GitHub Enterprise Managed User test user](#create-github-enterprise-managed-user-test-user)** - to have a counterpart of B.Simon in GitHub Enterprise Managed User that is linked to the Azure AD representation of user.
-1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable SAML Single Sign On in your AAD tenant.
+1. **[Configure GitHub Enterprise Managed User SSO](#configure-github-enterprise-managed-user-sso)** - to configure the single sign-on settings in your GitHub Enterprise.
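Review bot: the rewritten overview list drops the "Create an Azure AD test user" and "Assign the Azure AD test user" sub-steps, but the "### Assign the Azure AD test user" section is kept further down in this same change, so the overview no longer links to a step the reader still has to perform; add it back as a sub-step of "Configure Azure AD SSO". Style: "to enable SAML Single Sign On in your AAD tenant" mixes the abbreviation AAD with the "Azure AD" used everywhere else in the article and capitalizes "Single Sign On" inconsistently with "single sign-on" in the next item; suggest "to enable SAML single sign-on in your Azure AD tenant".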
## Configure Azure AD SSO
Follow these steps to enable Azure AD SSO in the Azure portal.
![Edit Basic SAML Configuration](common/edit-urls.png)
-1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, enter the values for the following fields:
+1. Ensure that you have your Enterprise URL before you begin. The ENTITY field mentioned below is the Enterprise name of your EMU-enabled Enterprise URL. For example, https://github.com/enterprises/contoso - **contoso** is the ENTITY. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, enter the values for the following fields:
a. In the **Identifier** text box, type a URL using the following pattern:
- `https://github.com/enterprise-managed/<ENTITY>`
-
+ `https://github.com/enterprises/<ENTITY>`
+
+ > [!NOTE]
+ > Note the identifier format is different from the application's suggested format - please follow the format above. In addition, please ensure the **Identifier does not contain a trailing slash.
+
b. In the **Reply URL** text box, type a URL using the following pattern: `https://github.com/enterprises/<ENTITY>/saml/consume`
+
1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode: In the **Sign-on URL** text box, type a URL using the following pattern: `https://github.com/enterprises/<ENTITY>/sso`
- > [!NOTE]
- > These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact [GitHub Enterprise Managed User Client support team](mailto:support@github.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
- 1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.
- ![The Certificate download link](common/certificatebase64.png)
+ ![The Certificate download link](common/certificate-base64-download.png)
-1. On the **Set up GitHub Enterprise Managed User** section, copy the appropriate URL(s) based on your requirement.
+1. On the **Set up GitHub Enterprise Managed User** section, copy the URLs below and save it for configuring GitHub below.
![Copy configuration URLs](common/copy-configuration-urls.png)
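Review bot: the bold markup in the added note is unbalanced: `**Identifier does not contain a trailing slash.` opens `**` but never closes it, so everything after it renders as bold; change it to `**Identifier** does not contain a trailing slash.` The requirement itself is worth keeping prominent, since SAML audience values are compared as exact strings and `https://github.com/enterprises/<ENTITY>/` is not interchangeable with `https://github.com/enterprises/<ENTITY>`. The step beginning "Ensure that you have your Enterprise URL before you begin..." folds an explanatory paragraph into the same line as the "On the **Basic SAML Configuration** section" step; moving that explanation into its own paragraph above the list keeps the numbered step readable. Minor: "copy the URLs below and save it for configuring GitHub below" should read "copy the URLs below and save them for configuring GitHub".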
-### Create an Azure AD test user
-
-In this section, you'll create a test user in the Azure portal called B.Simon.
-
-1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
-1. Select **New user** at the top of the screen.
-1. In the **User** properties, follow these steps:
- 1. In the **Name** field, enter `B.Simon`.
- 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
- 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
- 1. Click **Create**.
### Assign the Azure AD test user
-In this section, you'll enable B.Simon to use Azure single sign-on by granting access to GitHub Enterprise Managed User.
+In this section, you'll assign your account to GitHub Enterprise Managed User in order to complete SSO setup.
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **GitHub Enterprise Managed User**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**. 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
-1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Users and groups** dialog, select your account from the Users list, then click the **Select** button at the bottom of the screen.
+1. In the **Select a role** dialog, select the **Enterprise Owner** role, then click the **Select** button at the bottom of the screen. Your account is assigned as an Enterprise Owner for your GitHub instance when you provision your account in the next tutorial.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure GitHub Enterprise Managed User SSO
-To configure single sign-on on **GitHub Enterprise Managed User** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [GitHub Enterprise Managed User support team](mailto:support@github.com). They set this setting to have the SAML SSO connection set properly on both sides.
-
-### Create GitHub Enterprise Managed User test user
-
-In this section, a user called B.Simon is created in GitHub Enterprise Managed User. GitHub Enterprise Managed User supports just-in-time provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in GitHub Enterprise Managed User, a new one is created when you attempt to access GitHub Enterprise Managed User.
-
-GitHub Enterprise Managed User also supports automatic user provisioning, you can find more details [here](./github-enterprise-managed-user-provisioning-tutorial.md) on how to configure automatic user provisioning.
-
-## Test SSO
-
-In this section, you test your Azure AD single sign-on configuration with following options.
-
-#### SP initiated:
-
-* Click on **Test this application** in Azure portal. This will redirect to GitHub Enterprise Managed User Sign on URL where you can initiate the login flow.
-
-* Go to GitHub Enterprise Managed User Sign-on URL directly and initiate the login flow from there.
+To configure single sign-on on **GitHub Enterprise Managed User** side, you will require the following items:
-#### IDP initiated:
+1. The URLs from your AAD Enterprise Managed User Application above: Login URL; Azure AD Identifier; and Logout URL
+1. The account name and password for the first administrator user of your GitHub Enterprise. The credentials are provided by a password reset email from your GitHub Solutions Engineering contact.
-* Click on **Test this application** in Azure portal and you should be automatically signed in to the GitHub Enterprise Managed User for which you set up the SSO
+### Enable GitHub Enterprise Managed User SAML SSO
-You can also use Microsoft My Apps to test the application in any mode. When you click the GitHub Enterprise Managed User tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the GitHub Enterprise Managed User for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
+In this section, you'll take the information provided from AAD above and enter them into your Enterprise settings to enable SSO support.
+1. Go to https://github.com
+1. Click on Sign In at the top-right corner
+1. Enter the credentials for the first administrator user account. The login handle should be in the format: `<your enterprise short code>_admin`
+1. Navigate to https://github.com/enterprises/ `<your enterprise name>`. This information should be provided by your Solutions Engineering contact.
+1. On the navigation menu on the left, select **Settings**, then **Security**.
+1. Click on the checkbox **Enable SAML authentication**
+1. Enter the Sign on URL. This URL is the Login URL that you copied from AAD above.
+1. Enter the Issuer. This URL is the Azure AD Identifier that you copied from AAD above.
+1. Enter the Public Certificate. Please open the base64 certificate that you downloaded above and paste the text contents of that file into this dialog.
+1. Click on **Test SAML configuration**. This will open up a dialog for you to log in with your Azure AD credentials to validate that SAML SSO is configured correctly. Log in with your AAD credentials. you will receive a message **Passed: Successfully authenticated your SAML SSO identity** upon successful validation.
+1. Click **Save** to persist these settings.
+1. Please save (download, print, or copy) the recovery codes in a secure place.
+1. Click on **Enable SAML authentication**.
+1. At this point, only accounts with SSO are able to log into your Enterprise. Follow the instructions in the document below on provisioning in order to provision accounts backed by SSO.
## Next steps
-Once you configure GitHub Enterprise Managed User you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
+GitHub Enterprise Managed User **requires** all accounts to be created through automatic user provisioning, you can find more details [here](./github-enterprise-managed-user-provisioning-tutorial.md) on how to configure automatic user provisioning.
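Review bot: the prerequisites list names three URLs ("Login URL; Azure AD Identifier; and Logout URL"), but none of the steps under "Enable GitHub Enterprise Managed User SAML SSO" use the Logout URL: the steps consume the Login URL as the Sign on URL, the Azure AD Identifier as the Issuer, and the Base64 certificate as the Public Certificate. Either drop the Logout URL from the list or add the step where it is entered. Smaller fixes: "Log in with your AAD credentials. you will receive" needs a capital "You"; "Follow the instructions in the document below on provisioning" should name the provisioning tutorial linked in Next steps, since "below" is ambiguous; and in Next steps the comma splice "through automatic user provisioning, you can find more details" should be split into two sentences. The instruction to save the recovery codes in a secure place is the right emphasis given that the following step states only SSO-backed accounts can sign in once SAML authentication is enabled.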
active-directory Happyfox Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/happyfox-tutorial.md
Previously updated : 02/15/2019 Last updated : 05/25/2021
# Tutorial: Azure Active Directory integration with HappyFox
-In this tutorial, you learn how to integrate HappyFox with Azure Active Directory (Azure AD).
-Integrating HappyFox with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate HappyFox with Azure Active Directory (Azure AD). When you integrate HappyFox with Azure AD, you can:
-* You can control in Azure AD who has access to HappyFox.
-* You can enable your users to be automatically signed-in to HappyFox (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to HappyFox.
+* Enable your users to be automatically signed-in to HappyFox with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with HappyFox, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* HappyFox single sign-on enabled subscription
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* HappyFox single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* HappyFox supports **SP** initiated SSO
-
+* HappyFox supports **SP** initiated SSO.
-* HappyFox supports **Just In Time** user provisioning
+* HappyFox supports **Just In Time** user provisioning.
-
-## Adding HappyFox from the gallery
+## Add HappyFox from the gallery
To configure the integration of HappyFox into Azure AD, you need to add HappyFox from the gallery to your list of managed SaaS apps.
-**To add HappyFox from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **HappyFox**, select **HappyFox** from result panel then click **Add** button to add the application.
-
- ![HappyFox in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
-
-In this section, you configure and test Azure AD single sign-on with HappyFox based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in HappyFox needs to be established.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **HappyFox** in the search box.
+1. Select **HappyFox** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-To configure and test Azure AD single sign-on with HappyFox, you need to complete the following building blocks:
+## Configure and test Azure AD SSO for HappyFox
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure HappyFox Single Sign-On](#configure-happyfox-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create HappyFox test user](#create-happyfox-test-user)** - to have a counterpart of Britta Simon in HappyFox that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+Configure and test Azure AD SSO with HappyFox using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in HappyFox.
-### Configure Azure AD single sign-on
+To configure and test Azure AD SSO with HappyFox, perform the following steps:
-In this section, you enable Azure AD single sign-on in the Azure portal.
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure HappyFox SSO](#configure-happyfox-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create HappyFox test user](#create-happyfox-test-user)** - to have a counterpart of B.Simon in HappyFox that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-To configure Azure AD single sign-on with HappyFox, perform the following steps:
+## Configure Azure AD SSO
-1. In the [Azure portal](https://portal.azure.com/), on the **HappyFox** application integration page, select **Single sign-on**.
+Follow these steps to enable Azure AD SSO in the Azure portal.
- ![Configure single sign-on link](common/select-sso.png)
+1. In the Azure portal, on the **HappyFox** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
-
- ![Single sign-on select mode](common/select-saml-option.png)
-
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, perform the following steps:
- ![HappyFox Domain and URLs single sign-on information](common/sp-identifier.png)
- a. In the **Sign on URL** text box, type a URL using the following pattern:
- `https://<subdomain>.happyfox.com/`
+ `https://<SUBDOMAIN>.happyfox.com/`
b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
- `https://<subdomain>.happyfox.com/saml/metadata/`
+ `https://<SUBDOMAIN>.happyfox.com/saml/metadata/`
> [!NOTE] > These values are not real. Update these values with the actual Sign on URL and Identifier. Contact [HappyFox Client support team](https://support.happyfox.com/home) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
To configure Azure AD single sign-on with HappyFox, perform the following steps:
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
- b. Azure Ad Identifier
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
- c. Logout URL
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to HappyFox.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **HappyFox**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
-### Configure HappyFox Single Sign-On
+## Configure HappyFox SSO
1. In a different web browser window, sign-on to your HappyFox tenant as an administrator.
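Review bot: deleting the `a. Login URL`, `b. Azure Ad Identifier` and `c. Logout URL` items leaves the `![Copy configuration URLs](common/copy-configuration-urls.png)` screenshot with nothing telling the reader which values to copy from the **Set up HappyFox** section, while the **Configure HappyFox SSO** steps that follow still say to paste the **Login URL** and the certificate downloaded from the Azure portal. Either keep a one-line instruction above the screenshot (for example "In the **Set up HappyFox** section, copy the **Login URL**") or confirm that the standard **SAML Signing Certificate** download step and the **Set up HappyFox** step survive elsewhere in the file; as the hunk reads now, the HappyFox side cannot be completed from this page alone.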
To configure Azure AD single sign-on with HappyFox, perform the following steps:
4. Inside SAML configuration section, paste the **Login URL** value, which you have copied from Azure portal into **SSO Target URL** textbox.
- ![Screenshot that shows the "S A M L Configuration" section with the "S S O Target U R L" textbox highlighted.](./media/happyfox-tutorial/targeturl.png)
+ ![Screenshot that shows the "S A M L Configuration" section with the "S S O Target U R L" textbox highlighted.](./media/happyfox-tutorial/target.png)
5. Open the certificate downloaded from Azure portal in notepad and paste its content in **IdP Signature** section.
- ![Screenshot that shows the "I d P Signature" section highlighted.](./media/happyfox-tutorial/cert.png)
+ ![Screenshot that shows the "I d P Signature" section highlighted.](./media/happyfox-tutorial/certificate.png)
6. Click **Save Settings** button.
- ![Configure Single Sign-On](./media/happyfox-tutorial/savesettings.png)
-
-### Create an Azure AD test user
-
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type **brittasimon\@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
-
-### Assign the Azure AD test user
-
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to HappyFox.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **HappyFox**.
-
- ![Enterprise applications blade](common/enterprise-applications.png)
-
-2. In the applications list, select **HappyFox**.
-
- ![The HappyFox link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
+ ![Configure Single Sign-On](./media/happyfox-tutorial/save-settings.png)
### Create HappyFox test user In this section, a user called Britta Simon is created in HappyFox. HappyFox supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in HappyFox, a new one is created after authentication.
-### Test single sign-on
+## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration using the My Apps.
-1. When you click the HappyFox tile in the Access Panel, you should get login page of HappyFox application. You should see the **ΓÇÿSAMLΓÇÖ** button on the sign-in page.
+1. When you click the HappyFox tile in the My Apps, you should get login page of HappyFox application. You should see the **ΓÇÿSAMLΓÇÖ** button on the sign-in page.
- ![Plugin](./media/happyfox-tutorial/saml.png)
+ ![Plugin](./media/happyfox-tutorial/apps.png)
2. Click the **SAML** button to log in to HappyFox using your Azure AD account.
-For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
-
-## Additional Resources
--- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure HappyFox you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
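Review bot: the new lines still carry the mis-encoded quotes in `**ΓÇÿSAMLΓÇÖ** button` and `organizationΓÇÖs`; since this change touches both lines, fix them to `**SAML**` button and `organization's` here. Two consistency points in the same hunk: `using the My Apps` and `For more information about the My Apps` should drop the article (`using My Apps`, `about My Apps`) to match the other tutorials in this commit, and the unchanged **Create HappyFox test user** paragraph still says `Britta Simon` while every other step now uses `B.Simon`.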
active-directory Hopsworks Ai Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/hopsworks-ai-tutorial.md
+
+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Hopsworks.ai | Microsoft Docs'
+description: Learn how to configure single sign-on between Azure Active Directory and Hopsworks.ai.
++++++++ Last updated : 05/24/2021++++
+# Tutorial: Azure Active Directory single sign-on (SSO) integration with Hopsworks.ai
+
+In this tutorial, you'll learn how to integrate Hopsworks.ai with Azure Active Directory (Azure AD). When you integrate Hopsworks.ai with Azure AD, you can:
+
+* Control in Azure AD who has access to Hopsworks.ai.
+* Enable your users to be automatically signed-in to Hopsworks.ai with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
+
+## Prerequisites
+
+To get started, you need the following items:
+
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Hopsworks.ai single sign-on (SSO) enabled subscription.
+
+## Scenario description
+
+In this tutorial, you configure and test Azure AD SSO in a test environment.
+
+* Hopsworks.ai supports **SP** initiated SSO.
+* Hopsworks.ai supports **Just In Time** user provisioning.
+
+## Add Hopsworks.ai from the gallery
+
+To configure the integration of Hopsworks.ai into Azure AD, you need to add Hopsworks.ai from the gallery to your list of managed SaaS apps.
+
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Hopsworks.ai** in the search box.
+1. Select **Hopsworks.ai** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
+
+## Configure and test Azure AD SSO for Hopsworks.ai
+
+Configure and test Azure AD SSO with Hopsworks.ai using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Hopsworks.ai.
+
+To configure and test Azure AD SSO with Hopsworks.ai, perform the following steps:
+
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Hopsworks.ai SSO](#configure-hopsworksai-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Hopsworks.ai test user](#create-hopsworksai-test-user)** - to have a counterpart of B.Simon in Hopsworks.ai that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
+
+## Configure Azure AD SSO
+
+Follow these steps to enable Azure AD SSO in the Azure portal.
+
+1. In the Azure portal, on the **Hopsworks.ai** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
+
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
+
+1. On the **Basic SAML Configuration** section, perform the following steps:
+
+ a. In the **Sign on URL** text box, type a URL using the following pattern:
+ `https://managed.hopsworks.ai/sso-open/<ORGANIZATION>`
+
+ b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
+ `urn:amazon:cognito:sp:us-east-2_<ID>`
+
+ > [!NOTE]
+ > These values are not real. Update these values with the actual Sign on URL and Identifier. Contact [Hopsworks.ai Client support team](mailto:support@logicalclocks.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+
+1. On the **Set up single sign-on with SAML** page, In the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer.
+
+ ![The Certificate download link](common/copy-metadataurl.png)
+
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
+
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Hopsworks.ai.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Hopsworks.ai**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure Hopsworks.ai SSO
+
+To configure single sign-on on **Hopsworks.ai** side, you need to send the **App Federation Metadata Url** to [Hopsworks.ai support team](mailto:support@logicalclocks.com).They set this setting to have the SAML SSO connection set properly on both sides.
+
+### Create Hopsworks.ai test user
+
+In this section, a user called Britta Simon is created in Hopsworks.ai. Hopsworks.ai supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Hopsworks.ai, a new one is created after authentication.
+
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+* Click on **Test this application** in Azure portal. This will redirect to Hopsworks.ai Sign-on URL where you can initiate the login flow.
+
+* Go to Hopsworks.ai Sign-on URL directly and initiate the login flow from there.
+
+* You can use Microsoft My Apps. When you click the Hopsworks.ai tile in the My Apps, this will redirect to Hopsworks.ai Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
+
+## Next steps
+
+Once you configure Hopsworks.ai you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
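Review bot: the **Basic SAML Configuration** step gives only a Sign on URL and an Identifier, but for SP-initiated SAML Azure AD also needs the **Reply URL (Assertion Consumer Service URL)** to know where to POST the response, and an `urn:amazon:cognito:sp:us-east-2_<ID>` entity ID indicates the service provider is an Amazon Cognito user pool, whose assertion consumer endpoint is not the `managed.hopsworks.ai` Sign on URL shown, so the reader cannot infer it. Either state that the Reply URL is pre-populated by the gallery template or add its pattern next to the other two, and extend the support note to cover it as a value to obtain. Smaller points: `(mailto:support@logicalclocks.com).They set this setting` is missing a space after the period and reads better as "They use it to complete the SAML SSO connection on their side"; the **Create Hopsworks.ai test user** paragraph says `Britta Simon` where the rest of the page uses `B.Simon`; and `organizationΓÇÖs` in **Next steps** is a mis-encoded apostrophe.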
active-directory Logmein Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/logmein-tutorial.md
Follow these steps to enable Azure AD SSO in the Azure portal.
a. In the **Sign-on URL** text box, type the URL: `https://authentication.logmeininc.com/login?service=https%3A%2F%2Fmyaccount.logmeininc.com`
+1. Your LogMeIn application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes, where as **Unique User Identifier** is mapped with **user.userprincipalname**. LogMeIn application expects **Unique User Identifier** to be mapped with **user.mail**, so you need to edit the attribute mapping by clicking on **Edit** icon and change the attribute mapping.
+
+ ![image](common/default-attributes.png)
1. On the **Set up single sign-on with SAML** page, In the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer.
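Review bot: mapping **Unique User Identifier** (the SAML NameID) to `user.mail` needs a stated prerequisite in the new paragraph: every user assigned to LogMeIn must have a populated, unique `mail` attribute, because a user whose `mail` is empty cannot be issued a usable NameID and sign-in fails, while two users sharing a mail value would land on a single LogMeIn identity. Add a sentence to that effect before telling the reader to change the mapping. Style: `where as` should be `whereas`, and `by clicking on **Edit** icon` reads better as `by selecting the **Edit** icon`.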
active-directory Signalfx Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/signalfx-tutorial.md
Previously updated : 02/24/2020 Last updated : 05/25/2021
In this tutorial, you will learn how to integrate SignalFx with Azure Active Directory (Azure AD). When you integrate SignalFx with Azure AD, you can:
-* Control from Azure AD who has access to SignalFx;
-* Enable your users to be automatically signed-in to SignalFx with their Azure AD accounts; and
+* Control from Azure AD who has access to SignalFx.
+* Enable your users to be automatically signed-in to SignalFx with their Azure AD accounts.
* Manage your accounts in one location (the Azure portal).
-To learn more about SaaS application integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites
-Before you begin, you will need:
+To get started, you need the following items:
-* An Azure AD subscription
- * If you do not have a subscription, you can obtain a [free account here](https://azure.microsoft.com/free/).
-* SignalFx single sign-on (SSO) enabled subscription
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* SignalFx single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you will configure and test Azure AD SSO in a test environment.
-* SignalFx supports **IDP** initiated SSO
-* SignalFx supports **Just In Time** user provisioning
-* Once you configure SignalFx you can enforce session control, which protects exfiltration and infiltration of your organization's sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
+* SignalFx supports **IDP** initiated SSO.
+* SignalFx supports **Just In Time** user provisioning.
## Step 1: Add the SignalFx application in Azure Use these instructions to add the SignalFx application to your list of managed SaaS apps.
-1. Log into the [Azure portal](https://portal.azure.com).
+1. Log into the Azure portal.
1. On the left-side navigation window, select **Azure Active Directory**. 1. Select **Enterprise applications**, and then select **All applications**. 1. Select **New application**.
Use these instructions to begin the configuration process for the SignalFx SSO.
Use these instructions to enable Azure AD SSO in the Azure portal.
-1. Return to the [Azure portal](https://portal.azure.com/), and on the **SignalFx** application integration page, locate the **Manage** section, and then select **Single sign-on**.
+1. Return to the Azure portal, and on the **SignalFx** application integration page, locate the **Manage** section, and then select **Single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the pen (edit) icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
-1. On the **Set up single sign-on with SAML** page, complete the following fields:
+1. On the **Set up single sign-on with SAML** page, perform the following steps:
a. In **Identifier**, enter the following URL `https://api.<realm>.signalfx.com/v1/saml/metadata` and replace `<realm>` with your SignalFx realm.
Use these instructions to enable Azure AD SSO in the Azure portal.
## Step 4: Create an Azure AD test user
-Use these instructions to create a test user in the Azure portal called **B.Simon**.
+In this section, you'll create a test user in the Azure portal called B.Simon.
-1. In the Azure portal, in the left-side navigation window, select **Azure Active Directory**, then select **Users**, and then select **All users**.
-1. At the top of the page, select **New user**.
-1. In the **User** properties:
- 1. In **User name**, enter `username@companydomain.extension`, such as `b.simon@contoso.com`.
- 1. In **Name**, enter `B.Simon`.
- 1. Mark **Show password**, and then copy the displayed value in **Password**. You will need this information in later step in order to test this integration.
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
1. Click **Create**. ## Step 5: Assign the Azure AD test user
-Use these instructions to enable the test user to use Azure single sign-on for SignalFx.
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to SignalFx.
-1. In the Azure portal, select **Enterprise applications**, and then select **All applications**.
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
1. In the applications list, select **SignalFx**.
-1. In the app's overview page, find the **Manage** section, and then select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-1. Select **Add user**, and then in the **Add Assignment** dialog box, select **Users and groups**.
-
- ![The Add User link](common/add-assign-user.png)
-
-1. In the **Users and groups** dialog box, from the **Users** list, select **B.Simon**, and then at the bottom of the page, click **Select**.
-1. If you are expecting any role value in the SAML assertion, then in the **Select Role** dialog box, select the appropriate role for the user from the list, and then click **Select** at the bottom of the page.
-1. In the **Add Assignment** dialog box, click the **Assign**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
## Step 6: Complete the SignalFx SSO configuration
Review the following information regarding how to test SSO, as well as expectati
* To test the login, you should use a private / incognito window, or you can log out of the Azure portal. If not, cookies for the user who configured the application will interfere and prevent a successful login with the test user.
-* When a new test user logs in for the first time, Azure will force a password change. When this occurs, the SSO login process will not be completed; the test user will be directed to the Azure portal. To troubleshoot, the test user should change their password, and navigate to the SignalFx login page or to the Access Panel and try again.
- * When you click the SignalFx tile in the Access Panel, you should be automatically logged into the SignalFx.
- * For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* When a new test user logs in for the first time, Azure will force a password change. When this occurs, the SSO login process will not be completed; the test user will be directed to the Azure portal. To troubleshoot, the test user should change their password, and navigate to the SignalFx login page or to the MyApps and try again.
+ * When you click the SignalFx tile in the MyApps, you should be automatically logged into the SignalFx.
+ * For more information about the MyApps, see [Introduction to the MyApps](../user-help/my-apps-portal-end-user-access.md).
-* SignalFx application can be accessed from the Access Panel or via a custom login page assigned to the organization. The test user should test the integration starting from either of these location.
+* SignalFx application can be accessed from the MyApps or via a custom login page assigned to the organization. The test user should test the integration starting from either of these location.
* The test user can use the credentials created earlier in this process for **b.simon\@contoso.com**. ### First-time logins
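Review bot: `the MyApps` (three occurrences in this hunk, including the link text `Introduction to the MyApps`) should be `My Apps`, with a space and without the article, matching the product name and the other tutorials in this commit. Also `either of these location` in the unchanged bullet should be `either of these locations`.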
Review the following information regarding how to test SSO, as well as expectati
* SignalFx supports **Just In Time** user creation, which means that if a user does not exist in SignalFx, then the user's account will be created upon first login attempt.
-## Additional resources
--- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)--- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)--- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)--- [What is session control in Microsoft Cloud App Security?](/cloud-app-security/proxy-intro-aad)
+## Next steps
-- [Try SignalFx with Azure AD](https://aad.portal.azure.com/)
+Once you configure SignalFx you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
active-directory Skyward Qmlativ Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/skyward-qmlativ-tutorial.md
Previously updated : 01/25/2019 Last updated : 05/25/2021 # Tutorial: Azure Active Directory integration with Skyward Qmlativ
-In this tutorial, you learn how to integrate Skyward Qmlativ with Azure Active Directory (Azure AD).
-Integrating Skyward Qmlativ with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Skyward Qmlativ with Azure Active Directory (Azure AD). When you integrate Skyward Qmlativ with Azure AD, you can:
-* You can control in Azure AD who has access to Skyward Qmlativ.
-* You can enable your users to be automatically signed-in to Skyward Qmlativ (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Skyward Qmlativ.
+* Enable your users to be automatically signed-in to Skyward Qmlativ with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with Skyward Qmlativ, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* Skyward Qmlativ single sign-on enabled subscription
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Skyward Qmlativ single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* Skyward Qmlativ supports **SP** initiated SSO
+* Skyward Qmlativ supports **SP** initiated SSO.
-## Adding Skyward Qmlativ from the gallery
+## Add Skyward Qmlativ from the gallery
To configure the integration of Skyward Qmlativ into Azure AD, you need to add Skyward Qmlativ from the gallery to your list of managed SaaS apps.
-**To add Skyward Qmlativ from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **Skyward Qmlativ**, select **Skyward Qmlativ** from result panel then click **Add** button to add the application.
-
- ![Skyward Qmlativ in the results list](common/search-new-app.png)
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Skyward Qmlativ** in the search box.
+1. Select **Skyward Qmlativ** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on
+## Configure and test Azure AD SSO for Skyward Qmlativ
-In this section, you configure and test Azure AD single sign-on with Skyward Qmlativ based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Skyward Qmlativ needs to be established.
+Configure and test Azure AD SSO with Skyward Qmlativ using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Skyward Qmlativ.
-To configure and test Azure AD single sign-on with Skyward Qmlativ, you need to complete the following building blocks:
+To configure and test Azure AD SSO with Skyward Qmlativ, perform the following steps:
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure Skyward Qmlativ Single Sign-On](#configure-skyward-qmlativ-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Skyward Qmlativ test user](#create-skyward-qmlativ-test-user)** - to have a counterpart of Britta Simon in Skyward Qmlativ that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Skyward Qmlativ SSO](#configure-skyward-qmlativ-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Skyward Qmlativ test user](#create-skyward-qmlativ-test-user)** - to have a counterpart of B.Simon in Skyward Qmlativ that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-### Configure Azure AD single sign-on
+## Configure Azure AD SSO
-In this section, you enable Azure AD single sign-on in the Azure portal.
+Follow these steps to enable Azure AD SSO in the Azure portal.
-To configure Azure AD single sign-on with Skyward Qmlativ, perform the following steps:
+1. In the Azure portal, on the **Skyward Qmlativ** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
-1. In the [Azure portal](https://portal.azure.com/), on the **Skyward Qmlativ** application integration page, select **Single sign-on**.
-
- ![Configure single sign-on link](common/select-sso.png)
-
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
-
- ![Single sign-on select mode](common/select-saml-option.png)
-
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, perform the following steps:
- ![Skyward Qmlativ Domain and URLs single sign-on information](common/sp-identifier.png)
- a. In the **Sign on URL** text box, type a URL using the following pattern: `https://<SUBDOMAIN>.skyward.com/<CUSTOMERIDENTIFIERSTS>`
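Review bot: the removed step "a. In the **Sign on URL** text box, type a URL using the following pattern: `https://<SUBDOMAIN>.skyward.com/<CUSTOMERIDENTIFIERSTS>`" has no replacement in this hunk, yet the scenario description still states that Skyward Qmlativ supports **SP** initiated SSO, and SP-initiated sign-in cannot work without a Sign-on URL in Basic SAML Configuration. Either keep that step under the unchanged "4. On the **Basic SAML Configuration** section, perform the following steps:" line or confirm it is re-added further down in the file. Two smaller wording points in the new gallery steps: "To add new application, select **New application**." should read "To add a new application", and "Select **Skyward Qmlativ** from results panel" should read "from the results panel".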
To configure Azure AD single sign-on with Skyward Qmlativ, perform the following
![The Certificate download link](common/copy-metadataurl.png)
-### Configure Skyward Qmlativ Single Sign-On
-
-To configure single sign-on on **Skyward Qmlativ** side, you need to send the **App Federation Metadata Url** to [Skyward Qmlativ support team](mailto:steveb@skyward.com). They set this setting to have the SAML SSO connection set properly on both sides.
- ### Create an Azure AD test user
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
+In this section, you'll create a test user in the Azure portal called B.Simon.
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type **brittasimon\@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
### Assign the Azure AD test user
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Skyward Qmlativ.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Skyward Qmlativ**.
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Skyward Qmlativ.
- ![Enterprise applications blade](common/enterprise-applications.png)
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Skyward Qmlativ**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
-2. In the applications list, select **Skyward Qmlativ**.
+## Configure Skyward Qmlativ SSO
- ![The Skyward Qmlativ link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
+To configure single sign-on on **Skyward Qmlativ** side, you need to send the **App Federation Metadata Url** to [Skyward Qmlativ support team](mailto:steveb@skyward.com). They set this setting to have the SAML SSO connection set properly on both sides.
### Create Skyward Qmlativ test user In this section, you create a user called Britta Simon in Skyward Qmlativ. Work with [Skyward Qmlativ support team](mailto:steveb@skyward.com) to add the users in the Skyward Qmlativ platform. Users must be created and activated before you use single sign-on.
-### Test single sign-on
+## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the Skyward Qmlativ tile in the Access Panel, you should be automatically signed in to the Skyward Qmlativ for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to Skyward Qmlativ Sign-on URL where you can initiate the login flow.
-## Additional Resources
+* Go to Skyward Qmlativ Sign-on URL directly and initiate the login flow from there.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the Skyward Qmlativ tile in the My Apps, this will redirect to Skyward Qmlativ Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Skyward Qmlativ you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
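Review bot: the rename of the test user from Britta Simon to B.Simon is incomplete: the unchanged line "### Create Skyward Qmlativ test user In this section, you create a user called Britta Simon in Skyward Qmlativ." still uses the old name while the assignment step above now says "select **B.Simon** from the Users list"; update that paragraph so the Skyward-side account matches the Azure AD user being assigned. The "Configure Skyward Qmlativ SSO" text is moved verbatim, including an individual's mailbox in the mailto link; a role-based support alias is the safer long-term contact for handing over the **App Federation Metadata Url**, since that URL is what the vendor consumes to trust your tenant's SAML signing certificate. Wording in the Test SSO and Next steps sections: "with following options" should be "with the following options", "redirect to Skyward Qmlativ Sign-on URL" needs "the", "in the My Apps" should be "in My Apps", "protects exfiltration and infiltration" should be "protects against exfiltration and infiltration", and the apostrophe in "organizationΓÇÖs" is mis-encoded (save the file as UTF-8 or use a straight apostrophe).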
active-directory Standard For Success Accreditation Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/standard-for-success-accreditation-tutorial.md
+
+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Standard for Success Accreditation | Microsoft Docs'
+description: Learn how to configure single sign-on between Azure Active Directory and Standard for Success Accreditation.
++++++++ Last updated : 05/21/2021++++
+# Tutorial: Azure Active Directory single sign-on (SSO) integration with Standard for Success Accreditation
+
+In this tutorial, you'll learn how to integrate Standard for Success Accreditation with Azure Active Directory (Azure AD). When you integrate Standard for Success Accreditation with Azure AD, you can:
+
+* Control in Azure AD who has access to Standard for Success Accreditation.
+* Enable your users to be automatically signed-in to Standard for Success Accreditation with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
+
+## Prerequisites
+
+To get started, you need the following items:
+
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Standard for Success Accreditation single sign-on (SSO) enabled subscription.
+
+## Scenario description
+
+In this tutorial, you configure and test Azure AD SSO in a test environment.
+
+* Standard for Success Accreditation supports **SP and IDP** initiated SSO.
+
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
+
+## Adding Standard for Success Accreditation from the gallery
+
+To configure the integration of Standard for Success Accreditation into Azure AD, you need to add Standard for Success Accreditation from the gallery to your list of managed SaaS apps.
+
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Standard for Success Accreditation** in the search box.
+1. Select **Standard for Success Accreditation** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
++
+## Configure and test Azure AD SSO for Standard for Success Accreditation
+
+Configure and test Azure AD SSO with Standard for Success Accreditation using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Standard for Success Accreditation.
+
+To configure and test Azure AD SSO with Standard for Success Accreditation, perform the following steps:
+
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Standard for Success Accreditation SSO](#configure-standard-for-success-accreditation-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Standard for Success Accreditation test user](#create-standard-for-success-accreditation-test-user)** - to have a counterpart of B.Simon in Standard for Success Accreditation that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
+
+## Configure Azure AD SSO
+
+Follow these steps to enable Azure AD SSO in the Azure portal.
+
+1. In the Azure portal, on the **Standard for Success Accreditation** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
+
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
+
+1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, enter the values for the following fields:
+
+ In the **Reply URL** text box, type a URL using the following pattern:
+ `https://edu.sfsed.com/access/saml_consume?did=<INSTITUTIONID>`
+
+1. Click **Set additional URLs** and perform the following steps if you wish to configure the application in **SP** initiated mode:
+
+ a. In the **Sign-on URL** text box, type a URL using the following pattern:
+ `https://edu.sfsed.com/access/saml_int?did=<INSTITUTIONID>`
+
+ b. In the **Relay State** text box, type a URL using the following pattern:
+ `https://edu.sfsed.com/access/saml_consume?did=<INSTITUTIONID>`
+
+ > [!NOTE]
+ > These values are not real. Update these values with the actual Reply URL, Sign-on URL and Relay State. Contact [Standard for Success Accreditation Client support team](mailto:help_he@standardforsuccess.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+
+1. In the **SAML Signing Certificate** section, click **Edit** button to open **SAML Signing Certificate** dialog.
+
+ ![Edit SAML Signing Certificate](common/edit-certificate.png)
+
+1. In the **SAML Signing Certificate** section, copy the **Thumbprint Value** and save it on your computer.
+
+ ![Copy Thumbprint value](common/copy-thumbprint.png)
+
+1. On the **Set up Standard for Success Accreditation** section, copy the appropriate URL(s) based on your requirement.
+
+ ![Copy configuration URLs](common/copy-configuration-urls.png)
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
+
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Standard for Success Accreditation.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Standard for Success Accreditation**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure Standard for Success Accreditation SSO
+
+1. Open a new web browser window and sign into the Standard for Success Accreditation site as an administrator with superuser access.
+
+1. From the menu, click on **Admin Portal**.
+
+1. Scroll down to **Single Sign On Settings** and click the **Microsoft Azure Single Sign On** link and perform the following steps.
+
+ ![Microsoft Azure Single Sign On page.](./media/standard-for-success-accreditation-tutorial/configuration.png)
+
+ a. **Enable Azure Single Sign On** checkbox.
+
+ b. Fill the **Azure Tenant ID** text box with Tenant ID value from the Azure portal.
+
+ c. Fill the application ID in the **Application ID** text box.
+
+ d. In the **Certificate Thumbprint** text box, paste the **Thumbprint Value** which you have copied from Azure portal.
+
+ e. Click **Save**.
+
+### Create Standard for Success Accreditation test user
+
+1. Sign in to Standard for Success Accreditation as an Administrator with superuser privileges.
+
+1. From the menu, click on **Admin Portal -> Create New Evaluatee** and perform the following steps.
+
+ ![creating test user.](./media/standard-for-success-accreditation-tutorial/new-user.png)
+
+ a. In **First Name** text box, enter B.
+
+ b. In **Last Name** text box, enter Simon.
+
+ c. In **University Email** text box, enter your organization email address.
+
+ d. Scroll to the bottom and Click **Create User**.
++
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
+
+* Click on **Test this application** in Azure portal. This will redirect to Standard for Success Accreditation Sign on URL where you can initiate the login flow.
+
+* Go to Standard for Success Accreditation Sign-on URL directly and initiate the login flow from there.
+
+#### IDP initiated:
+
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Standard for Success Accreditation for which you set up the SSO
+
+You can also use Microsoft My Apps to test the application in any mode. When you click the Standard for Success Accreditation tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Standard for Success Accreditation for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
++
+## Next steps
+
+Once you configure Standard for Success Accreditation you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
++
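Review bot: the thumbprint-based trust set up in step 3d of "Configure Standard for Success Accreditation SSO" ("In the **Certificate Thumbprint** text box, paste the **Thumbprint Value** which you have copied from Azure portal.") pins the application to one specific SAML signing certificate, so the tutorial should say that when the Azure AD signing certificate is rotated or replaced the new thumbprint has to be entered in the Admin Portal, otherwise assertions signed with the new certificate are rejected and sign-in stops working. Related gaps in the same procedure: steps 3b and 3c ask for the **Azure Tenant ID** and **Application ID**, but the Azure-side steps only copy the thumbprint and the configuration URLs and never say where those two values are found; step 3a "**Enable Azure Single Sign On** checkbox." is missing its verb ("Select the ... checkbox"); and in "Create Standard for Success Accreditation test user", "enter your organization email address" should state that the address must match the Azure AD user created earlier (`B.Simon@contoso.com` in the example), because that is the link the "Configure and test" section says must exist between the two accounts. Style: "## Adding Standard for Success Accreditation from the gallery" keeps the "Adding" form that the Skyward Qmlativ and Workspot Control files in this same change switch to "Add"; "#### SP initiated:" and "#### IDP initiated:" jump from H2 to H4; the IDP-initiated bullet lacks a terminating period; and "organizationΓÇÖs" in Next steps has the same mis-encoded apostrophe as the Skyward file.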
active-directory Workplacebyfacebook Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/workplacebyfacebook-provisioning-tutorial.md
# Tutorial: Configure Workplace by Facebook for automatic user provisioning
-This tutorial describes the steps you need to perform in both Workplace by Facebook and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [Workplace by Facebook](https://work.workplace.com/) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../app-provisioning/user-provisioning.md).
+This tutorial describes the steps you need to perform in both Workplace by Facebook and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users to [Workplace by Facebook](https://work.workplace.com/) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../app-provisioning/user-provisioning.md).
## Capabilities supported > [!div class="checklist"]
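Review bot: with "and groups" dropped from the opening sentence ("automatically provisions and de-provisions users to [Workplace by Facebook]"), the "## Capabilities supported" checklist that immediately follows is not touched by this change; verify that it no longer lists group creation or group membership sync, otherwise the first paragraph and the capability list contradict each other.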
To test the steps in this tutorial, you should follow these recommendations:
## Step 2. Configure Workplace by Facebook to support provisioning with Azure AD
-Before configuring and enabling the provisioning service, you need to decide what users and/or groups in Azure AD represent the users who need access to your Workplace by Facebook app. Once decided, you can assign these users to your Workplace by Facebook app by following the instructions here:
+Before configuring and enabling the provisioning service, you need to decide what users in Azure AD represent the users who need access to your Workplace by Facebook app. Once decided, you can assign these users to your Workplace by Facebook app by following the instructions here:
-* It is recommended that a single Azure AD user is assigned to Workplace by Facebook to test the provisioning configuration. Additional users and/or groups may be assigned later.
+* It is recommended that a single Azure AD user is assigned to Workplace by Facebook to test the provisioning configuration. Additional users may be assigned later.
* When assigning a user to Workplace by Facebook, you must select a valid user role. The "Default Access" role does not work for provisioning.
Add Workplace by Facebook from the Azure AD application gallery to start managin
## Step 4. Define who will be in scope for provisioning
-The Azure AD provisioning service allows you to scope who will be provisioned based on assignment to the application and or based on attributes of the user / group. If you choose to scope who will be provisioned to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users and groups to the application. If you choose to scope who will be provisioned based solely on attributes of the user or group, you can use a scoping filter as described [here](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
+The Azure AD provisioning service allows you to scope who will be provisioned based on assignment to the application and or based on attributes of the user / group. If you choose to scope who will be provisioned to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users to the application. If you choose to scope who will be provisioned based solely on attributes of the user or group, you can use a scoping filter as described [here](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
-* When assigning users and groups to Workplace by Facebook, you must select a role other than **Default Access**. Users with the Default Access role are excluded from provisioning and will be marked as not effectively entitled in the provisioning logs. If the only role available on the application is the default access role, you can [update the application manifest](../develop/howto-add-app-roles-in-azure-ad-apps.md) to add additional roles.
+* When assigning users to Workplace by Facebook, you must select a role other than **Default Access**. Users with the Default Access role are excluded from provisioning and will be marked as not effectively entitled in the provisioning logs. If the only role available on the application is the default access role, you can [update the application manifest](../develop/howto-add-app-roles-in-azure-ad-apps.md) to add additional roles.
-* Start small. Test with a small set of users and groups before rolling out to everyone. When scope for provisioning is set to assigned users and groups, you can control this by assigning one or two users or groups to the app. When scope is set to all users and groups, you can specify an [attribute based scoping filter](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
+* Start small. Test with a small set of users before rolling out to everyone. When scope for provisioning is set to assigned users, you can control this by assigning one or two users to the app. When scope is set to all users and groups, you can specify an [attribute based scoping filter](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
+
+## Step 5. Configure automatic user provisioning to Workplace by Facebook
+This section guides you through the steps to configure the Azure AD provisioning service to create, update, and disable users in Workplace by Facebook App based on user assignments in Azure AD.
1. Sign in to the [Azure portal](https://portal.azure.com). Select **Enterprise Applications**, then select **All applications**.
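Review bot: group references survive in the scoping guidance even though the rest of the change narrows provisioning to users: "based on attributes of the user / group" and "based solely on attributes of the user or group" in the first paragraph, and "When scope is set to all users and groups" in the last bullet. If the portal option is literally named "Sync all users and groups", say so and add that group objects themselves are not provisioned; otherwise drop the group wording so readers do not expect groups to be created in Workplace by Facebook. Minor: "and or based on attributes" should be "and/or based on attributes", and "in Workplace by Facebook App" in the new Step 5 paragraph should be lowercase "app".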
The Azure AD provisioning service allows you to scope who will be provisioned ba
![Provisioning Status Toggled On](common/provisioning-toggle-on.png)
-12. Define the users and/or groups that you would like to provision to Workplace by Facebook by choosing the desired values in **Scope** in the **Settings** section.
+12. Define the users that you would like to provision to Workplace by Facebook by choosing the desired values in **Scope** in the **Settings** section.
![Provisioning Scope](common/provisioning-scope.png)
The Azure AD provisioning service allows you to scope who will be provisioned ba
![Saving Provisioning Configuration](common/provisioning-configuration-save.png)
-This operation starts the initial synchronization cycle of all users and groups defined in **Scope** in the **Settings** section. The initial cycle takes longer to perform than subsequent cycles, which occur approximately every 40 minutes as long as the Azure AD provisioning service is running.
+This operation starts the initial synchronization cycle of all users defined in **Scope** in the **Settings** section. The initial cycle takes longer to perform than subsequent cycles, which occur approximately every 40 minutes as long as the Azure AD provisioning service is running.
## Step 6. Monitor your deployment Once you've configured provisioning, use the following resources to monitor your deployment:
active-directory Workspotcontrol Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/workspotcontrol-tutorial.md
Previously updated : 3/11/2019 Last updated : 05/25/2021 # Tutorial: Azure Active Directory integration with Workspot Control
-In this tutorial, you learn how to integrate Workspot Control with Azure Active Directory (Azure AD). When you integrate Workspot Control with Azure AD, you can:
+In this tutorial, you'll learn how to integrate Workspot Control with Azure Active Directory (Azure AD). When you integrate Workspot Control with Azure AD, you can:
-* Use Azure AD to control who has access to Workspot Control.
-* Enable users to automatically sign in to Workspot Control (single sign-on [SSO]) by using their Azure AD accounts.
-* Manage your accounts in one central location: the Azure portal.
-
-For more information about SaaS app integration with Azure AD, see [Single sign-on to applications in Azure AD](../manage-apps/what-is-single-sign-on.md).
+* Control in Azure AD who has access to Workspot Control.
+* Enable your users to be automatically signed-in to Workspot Control with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
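Review bot: "Enable your users to be automatically signed-in to Workspot Control" hyphenates a verb phrase; "signed in to" is correct here (the same phrase appears in the Skyward Qmlativ and Standard for Success Accreditation files in this change). The metadata line "Previously updated : 3/11/2019 Last updated : 05/25/2021" mixes an unpadded and a zero-padded month; use one date format.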
To configure Azure AD integration with Workspot Control, you need the following
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-> [!Note]
-> Workspot Control supports SP-initiated and IDP-initiated SSO.
--
-## Adding Workspot Control from the gallery
-
-To configure integration of Workspot Control into Azure AD, you must add Workspot Control from the gallery to your list of managed SaaS apps.
-
-**To add Workspot Control from the gallery, follow these steps:**
-
-1. In the left pane of the [Azure portal](https://portal.azure.com), select **Azure Active Directory**.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Go to **Enterprise Applications** and select **All Applications**.
-
- ![The Enterprise applications pane](common/enterprise-applications.png)
-
-3. Select **New application** at the top of the window.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, enter **Workspot Control**, select **Workspot Control** from the results panel, and then select **Add**.
-
- !["Add from the gallery" window](common/search-new-app.png)
+* Workspot Control supports SP-initiated and IDP-initiated SSO.
-## Configure and test Azure AD single sign-on
+## Add Workspot Control from the gallery
-In this section, you configure and test Azure AD single sign-on with Workspot Control for a test user, Britta Simon.
-For single sign-on to work, you must establish a link between an Azure AD user and the related user in Workspot Control.
+To configure the integration of Workspot Control into Azure AD, you need to add Workspot Control from the gallery to your list of managed SaaS apps.
-To configure and test Azure AD single sign-on with Workspot Control, you must complete the following tasks:
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Workspot Control** in the search box.
+1. Select **Workspot Control** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-1. [Configure Azure AD single sign-on](#configure-azure-ad-single-sign-on) to enable your users to use the feature.
-2. [Configure Workspot Control single sign-on](#configure-workspot-control-single-sign-on) to configure the single sign-on settings on the application side.
-3. [Create an Azure AD test user](#create-an-azure-ad-test-user) to test Azure AD single sign-on for Britta Simon.
-4. [Assign the Azure AD test user](#assign-the-azure-ad-test-user) to enable Britta Simon to use Azure AD single sign-on.
-5. [Create a Workspot Control test user](#create-a-workspot-control-test-user) to establish a counterpart of Britta Simon in Workspot Control that's linked to the Azure AD representation of the user.
-6. [Test single sign-on](#test-single-sign-on) to verify that the configuration works.
+## Configure and test Azure AD SSO for Workspot Control
-### Configure Azure AD single sign-on
+Configure and test Azure AD SSO with Workspot Control using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Workspot Control.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+To configure and test Azure AD SSO with Workspot Control, perform the following steps:
-To configure Azure AD single sign-on with Workspot Control, follow these steps:
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Workspot Control SSO](#configure-workspot-control-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Workspot Control test user](#create-workspot-control-test-user)** - to have a counterpart of B.Simon in Workspot Control that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-1. On the **Workspot Control** application integration page in the [Azure portal](https://portal.azure.com/), select **Single sign-on**.
+## Configure Azure AD SSO
- ![Configure single sign-on link](common/select-sso.png)
+Follow these steps to enable Azure AD SSO in the Azure portal.
-2. In the **Select a single sign-on method** window, select **SAML** mode to enable single sign-on.
+1. In the Azure portal, on the **Workspot Control** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Select a single sign-on select method window](common/select-saml-option.png)
-
-3. On the **Set up Single Sign-On with SAML** page, select the **Edit** (pencil) icon to access **Basic SAML Configuration**.
-
- ![Edit icon highlighted in "Basic SAML Configuration"](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. In the **Basic SAML Configuration** section, if you want to configure the application in IDP-initiated mode, follow these steps:
- ![Screenshot shows the Basic SAML Configuration, where you can enter Identifier, Reply U R L, and select Save.](common/idp-intiated.png)
+ 1. In the **identifier** text box, type a URL using the following pattern:<br/>
+ `https://<<i></i>INSTANCENAME>-saml.workspot.com/saml/metadata`
- 1. In the **identifier** text box, enter a URL in the following pattern:<br/>
- ***https://<<i></i>INSTANCENAME>-saml.workspot.com/saml/metadata***
-
- 1. In the **reply URL** text box, enter a URL in the following pattern:<br/>
- ***https://<<i></i>INSTANCENAME>-saml.workspot.com/saml/assertion***
+ 1. In the **reply URL** text box, type a URL using the following pattern:<br/>
+ `https://<<i></i>INSTANCENAME>-saml.workspot.com/saml/assertion`
5. If you want to configure the application in SP-initiated mode, select **Set additional URLs**.
- ![Screenshot shows Set additional U R Ls where you can enter a Sign on U R L.](common/metadata-upload-additional-signon.png)
-
- In the **Sign-on URL** text box, enter a URL in the following pattern:<br/>
- ***https://<<i></i>INSTANCENAME>-saml.workspot.com/***
+ In the **Sign-on URL** text box, type a URL using the following pattern:<br/>
+ `https://<<i></i>INSTANCENAME>-saml.workspot.com/`
> [!NOTE] > These values are not real. Replace these values with the actual identifier, reply URL, and sign-on URL. Contact the [Workspot Control Client support team](mailto:support@workspot.com) to get these values. Or you can also refer to the patterns in the **Basic SAML Configuration** section of the Azure portal.
To configure Azure AD single sign-on with Workspot Control, follow these steps:
![Copy configuration URLs](common/copy-configuration-urls.png)
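Review bot: The three "type a URL using the following pattern" steps in this hunk move the patterns into backtick code spans but keep the `<<i></i>INSTANCENAME>` trick, so `<i></i>` will now render literally inside the code span instead of being swallowed as an HTML tag the way it was in the old bold form; drop it and write plain `https://<INSTANCENAME>-saml.workspot.com/saml/metadata`, `.../saml/assertion` and `https://<INSTANCENAME>-saml.workspot.com/` (code spans are not autolinked, so the anti-autolink tag is no longer needed). The identifier and reply URL are what Azure AD uses to scope the SAML assertion, so the retained note telling readers to get the real values from Workspot support rather than guessing the pattern is the right guidance and should stay.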
- - **Login URL**
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
- - **Azure AD Identifier**
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
- - **Logout URL**
+### Assign the Azure AD test user
-### Configure Workspot Control single sign-on
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Workspot Control.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Workspot Control**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure Workspot Control SSO
1. In a different web browser window, sign in to Workspot Control as a Security Administrator. 2. In the toolbar at the top of the page, select **Setup** and then **SAML**.
- ![Setup options](./media/workspotcontrol-tutorial/tutorial_workspotcontrol_setup.png)
+ ![Setup options](./media/workspotcontrol-tutorial/setup.png)
3. In the **Security Assertion Markup Language Configuration** window, follow these steps:
- ![Security Assertion Markup Language Configuration window](./media/workspotcontrol-tutorial/tutorial_workspotcontrol_saml.png)
+ ![Security Assertion Markup Language Configuration window](./media/workspotcontrol-tutorial/security.png)
1. In the **Entity ID** box, paste the **Azure Ad Identifier** that you copied from the Azure portal.
To configure Azure AD single sign-on with Workspot Control, follow these steps:
1. Select **Save**.
-### Create an Azure AD test user
-
-In this section, you create a test user in the Azure portal.
-
-1. In the left pane of the Azure portal, select **Azure Active Directory**, **Users**, and then **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the window.
-
- ![The "New user" button](common/new-user.png)
-
-3. In the properties for the user, follow these steps:
-
- ![The User properties window](common/user-properties.png)
-
- 1. In the **Name** field, enter **BrittaSimon**.
-
- 1. In the **User name** field, enter **brittasimon@*yourcompanydomain.extension***. For example, enter **BrittaSimon@contoso.<i></i>com**.
-
- 1. Select the **Show password** check box. Then write down the value that's displayed in the **Password** box.
-
- 1. Select **Create**.
-
-### Assign the Azure AD test user
-
-In this section, you grant Britta Simon access to Workspot Control to enable her to use Azure single sign-on.
-
-1. In the Azure portal, select **Enterprise Applications**, **All applications**, and then **Workspot Control**.
-
- ![The Enterprise applications pane](common/enterprise-applications.png)
-
-2. From the applications list, select **Workspot Control**.
-
- ![The Workspot Control link in the Applications list](common/all-applications.png)
-
-3. From the menu on the left side, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Select the **Add user** button. Then select **Users and groups** in the **Add assignment** window.
-
- ![The "Add Assignment" window](common/add-assign-user.png)
-
-5. In the **Users and groups** window, select **Britta Simon** from the **Users** list. Then click **Select**.
-
-6. If you expect any role value in the SAML assertion, select the appropriate role for the user from the list in the **Select Role** window. Then click **Select** at the bottom.
-
-7. In the **Add Assignment** window, select **Assign**.
-
-### Create a Workspot Control test user
+### Create Workspot Control test user
To enable Azure AD users to sign in to Workspot Control, they must be provisioned into Workspot Control. Provisioning is a manual task.
To enable Azure AD users to sign in to Workspot Control, they must be provisione
2. In the toolbar at the top of the page, select **Users** and then **Add User**.
- !["Users" options](./media/workspotcontrol-tutorial/tutorial_workspotcontrol_adduser.png)
+ !["Users" options](./media/workspotcontrol-tutorial/user.png)
3. In the **Add a New User** window, follow these steps:
- !["Add a New User" window](./media/workspotcontrol-tutorial/tutorial_workspotcontrol_addnewuser.png)
+ !["Add a New User" window](./media/workspotcontrol-tutorial/new-user.png)
1. In **First Name** box, enter the first name of a user, such as **Britta**.
To enable Azure AD users to sign in to Workspot Control, they must be provisione
1. Select **Add User**.
-### Test single sign-on
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
+
+* Click on **Test this application** in Azure portal. This will redirect to Workspot Control Sign on URL where you can initiate the login flow.
-In this section, we test our Azure AD single sign-on configuration through *Access Panel*.
+* Go to Workspot Control Sign-on URL directly and initiate the login flow from there.
-When you click the **Workspot Control** tile in Access Panel, you should be automatically signed in to the Workspot Control for which you set up SSO. For more information, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+#### IDP initiated:
-## Additional resources
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Workspot Control for which you set up the SSO.
-- [Tutorials for integrating SaaS applications with Azure Active Directory](./tutorial-list.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the Workspot Control tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Workspot Control for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [Single sign-on to applications in Azure Active Directory](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Workspot Control you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
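Review bot: Two wording problems in the new Test SSO and Next steps text. The `#### SP initiated:` and `#### IDP initiated:` headings jump from `##` straight to `####`, skipping the `###` level this file uses for its subsections; make them `###` (or plain bold labels) so the hierarchy stays consistent. In the Next steps paragraph, "session control, which protects exfiltration and infiltration of your organization's sensitive data" reads as if the control protects the exfiltration itself; reword to "protects against exfiltration and infiltration of your organization's sensitive data". The apostrophe in that sentence also shows as `ΓÇÖ` in this view, so confirm the file is saved as UTF-8 with a plain apostrophe.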
active-directory Configure Azure Active Directory For Fedramp High Impact https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/standards/configure-azure-active-directory-for-fedramp-high-impact.md
Title: Configure Azure Active Directory to meet FedRAMP High impact level
-description: overview of how you can meet a FedRAMP High impact level for your organization by using Azure Active Directory.
+ Title: Configure Azure Active Directory to meet FedRAMP High Impact level
+description: Overview of how you can meet a FedRAMP High Impact level for your organization by using Azure Active Directory.
# Configure Azure Active Directory to meet FedRAMP High Impact level
-The [Federal Risk and Authorization Management Program](https://www.fedramp.gov/) (FedRAMP) is an assessment and authorization process for cloud service providers (CSPs) creating cloud solution offerings (CSOs) for use with federal agencies. Azure and Azure Government have earned a [Provisional Authority to Operate (P-ATO) at the High Impact Level](https://docs.microsoft.com/compliance/regulatory/offering-fedramp) from the Joint Authorization Board, the highest bar for FedRAMP accreditation.
+The [Federal Risk and Authorization Management Program](https://www.fedramp.gov/) (FedRAMP) is an assessment and authorization process for cloud service providers (CSPs). Specifically, the process is for CSPs that create cloud solution offerings (CSOs) for use with federal agencies. Azure and Azure Government have earned a [Provisional Authority to Operate (P-ATO) at the High Impact level](https://docs.microsoft.com/compliance/regulatory/offering-fedramp) from the Joint Authorization Board, the highest bar for FedRAMP accreditation.
-Azure provides the capability to fulfill all control requirements to achieve a FedRAMP high rating for your CSO, or as a federal agency. It is your organizationΓÇÖs responsibility to complete additional configurations or processes to be compliant. This responsibility applies to both CSPs seeking a FedRAMP high authorization for their CSO, and federal agencies seeking an Authority to Operate (ATO).
+Azure provides the capability to fulfill all control requirements to achieve a FedRAMP high rating for your CSO, or as a federal agency. It's your organizationΓÇÖs responsibility to complete additional configurations or processes to be compliant. This responsibility applies to both CSPs seeking a FedRAMP high authorization for their CSO, and federal agencies seeking an Authority to Operate (ATO).
## Microsoft and FedRAMP
-Microsoft Azure supports more services at [FedRAMP High Impact](https://docs.microsoft.com/azure/azure-government/compliance/azure-services-in-fedramp-auditscope) levels than any other CSP. And while FedRAMP High in the Azure public cloud will meet the needs of many US government customers, agencies with more stringent requirements may rely on the Azure Government cloud. Azure Government cloud provides additional safeguards such as the heightened screening of personnel.
+Microsoft Azure supports more services at [FedRAMP High Impact](https://docs.microsoft.com/azure/azure-government/compliance/azure-services-in-fedramp-auditscope) levels than any other CSP. And while this level in the Azure public cloud meets the needs of many US government customers, agencies with more stringent requirements might rely on the Azure Government cloud. Azure Government provides additional safeguards, such as the heightened screening of personnel.
-Microsoft is required to recertify its cloud services each year to maintain its authorizations. To do so, Microsoft continuously monitors and assesses its security controls and demonstrate that the security of its services remains in compliance.
+Microsoft is required to recertify its cloud services each year to maintain its authorizations. To do so, Microsoft continuously monitors and assesses its security controls, and demonstrates that the security of its services remains in compliance. For more information, see [Microsoft cloud services FedRAMP authorizations](https://marketplace.fedramp.gov/), and [Microsoft FedRAMP Audit Reports](https://aka.ms/MicrosoftFedRAMPAuditDocuments). To receive other FedRAMP reports, send email to [Azure Federal Documentation](mailto:AzFedDoc@microsoft.com).
-* [Microsoft cloud services FedRAMP authorizations](https://marketplace.fedramp.gov/)
+There are multiple paths towards FedRAMP authorization. You can reuse the existing authorization package of Azure and the guidance here to significantly reduce the time and effort required to obtain an ATO or a P-ATO.
-* [Microsoft FedRAMP Audit Reports](https://aka.ms/MicrosoftFedRAMPAuditDocuments)
+## Scope of guidance
-To receive other FedRAMP reports, send email to [Azure Federal Documentation](mailto:AzFedDoc@microsoft.com).
+The FedRAMP high baseline is made up of 421 controls and control enhancements from [NIST 800-53 Security Controls Catalog Revision 4](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final). Where applicable, we included clarifying information from the [800-53 Revision 5](https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final). This article set covers a subset of these controls that are related to identity, and which you must configure.
-There are multiple paths towards FedRAMP authorization. You can reuse Microsoft Azure's existing authorization package and the guidance here to significantly reduce the time and effort required to obtain an ATO or P-ATO. More information on FedRAMP can be found at on the [FedRAMP website.](https://www.fedramp.gov/)
+We provide prescriptive guidance to help you achieve compliance with controls you're responsible for configuring in Azure Active Directory (Azure AD). To fully address some identity control requirements, you might need to use other systems. Other systems might include a security information and event management tool, such as Azure Sentinel. If you're using Azure services outside of Azure Active Directory, there will be other controls you need to consider, and you can use the capabilities Azure already has in place to meet the controls.
- ## Scope of guidance
-
-The FedRAMP High Baseline is made up of 421 controls and control enhancements from [NIST 800-53 Security Controls Catalog Revision 4](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final). Where applicable, we included clarifying information from the [800-53 Revision 5](https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final). This article set covers a subset of these controls that are related to identity and which you must configure. We provide prescriptive guidance to assist you in achieving compliance with controls you are responsible for configuring in Azure Active Directory (Azure AD). To fully address some identity control requirements, you may need to use other systems. Other systems might include a security information and event management (SIEM) tool, such as Azure Sentinel. If you are using Azure services outside of Azure Active Directory, there will be other controls you need to consider, and you can use the capabilities Azure already has in place to meet the controls.
-
-FedRAMP Resources
+The following is a list of FedRAMP resources:
* [Federal Risk and Authorization Management Program](https://www.fedramp.gov/)
FedRAMP Resources
* [Microsoft 365 compliance center](https://docs.microsoft.com///microsoft-365/compliance/microsoft-365-compliance-center)
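Review bot: In the rewritten Scope of guidance paragraph, "a security information and event management tool, such as Azure Sentinel" drops the "(SIEM)" expansion that the removed text defined at first use, and the companion access-controls table in this article set uses the SIEM acronym; restore "(SIEM)" here. Capitalization of the baseline is also inconsistent within the hunk: "a FedRAMP high rating", "a FedRAMP high authorization" and "The FedRAMP high baseline" versus "High Impact level" in the title and opening paragraph; pick one form ("FedRAMP High") and use it throughout.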
-* [Microsoft Compliance Manager ](https://docs.microsoft.com///microsoft-365/compliance/compliance-manager)
-
-
+* [Microsoft Compliance Manager](https://docs.microsoft.com///microsoft-365/compliance/compliance-manager)
-## Next Steps
+## Next steps
[Configure access controls](fedramp-access-controls.md)
-[Configure identification & authentication controls](fedramp-identification-and-authentication-controls.md)
+[Configure identification and authentication controls](fedramp-identification-and-authentication-controls.md)
[Configure other controls](fedramp-other-controls.md)
active-directory Fedramp Access Controls https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/standards/fedramp-access-controls.md
Title: Configure identity access controls to meet FedRAMP High Impact level with Azure Active Directory
-description: Detailed guidance on how to configure Azure Active Directory access controls to meet FedRAMP High Impact levels.
+description: Detailed guidance on how to configure Azure Active Directory access controls to meet FedRAMP High Impact level.
# Configure identity access controls to meet FedRAMP High Impact level
-Access control is a major part of achieving a [Federal Risk and Authorization Management Program](https://www.fedramp.gov/) (FedRAMP) High Authority to operate.
-
-The following list of controls and control enhancements in the Access Control family may require configuration in your Azure AD tenant.
+Access control is a major part of achieving a [Federal Risk and Authorization Management Program](https://www.fedramp.gov/) (FedRAMP) High Impact level to operate.
+The following list of controls and control enhancements in the access control (AC) family might require configuration in your Azure Active Directory (Azure AD) tenant.
|Control family|Description| | - | - |
The following list of controls and control enhancements in the Access Control fa
| AC-12| Session termination | | AC-20| Use of external information systems | -
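Review bot: The rewritten opening sentence changes the meaning: "achieving a ... (FedRAMP) High Impact level to operate" is not a term; the removed line said "High Authority to operate", that is, an Authority to Operate (ATO) at the High Impact level, which is the term the parent article defines. Suggest: "Access control is a major part of achieving a [Federal Risk and Authorization Management Program](https://www.fedramp.gov/) (FedRAMP) High Impact Authority to Operate (ATO)."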
-Each row in the table below provides prescriptive guidance to aid you in developing your organization's response to any shared responsibilities for the control or control enhancement.
+Each row in the following table provides prescriptive guidance to help you develop your organization's response to any shared responsibilities for the control or control enhancement.
## Configurations - | Control ID | Customer responsibilities and guidance | | - | - |
-| AC-02 | **Implement account lifecycle management for customer-controlled accounts. Monitor the use of accounts and notify account managers of account lifecycle events. Review accounts for compliance with account management requirements every month for privileged access and every six (6) months for non-privileged access**.<p>Use Azure AD to provision accounts from external HR systems, on-premises Active Directory, or directly in the cloud. All account lifecycle operations are audited within the Azure AD audit logs. Logs can be collected and analyzed by a Security Information and Event Management (SIEM) solution such as Azure Sentinel. Alternatively, you can use Azure Event Hub to integrate logs with third-party SIEM solutions to enable monitoring and notification. Use Azure AD entitlement management with access reviews to ensure compliance status of accounts.<p>Provision accounts<br>[Plan cloud HR application to Azure Active Directory user provisioning](/azure/active-directory/app-provisioning/plan-cloud-hr-provision)<br>[Azure AD Connect sync: Understand and customize synchronization](/azure/active-directory/hybrid/how-to-connect-sync-whatis)<br>[Add or delete users - Azure Active Directory](/azure/active-directory/fundamentals/add-users-azure-active-directory)<p>Monitor accounts<br>[Audit activity reports in the Azure Active Directory portal](/azure/active-directory/reports-monitoring/concept-audit-logs)<br>[Connect Azure Active Directory data to Azure Sentinel](/azure/sentinel/connect-azure-active-directory) <br>[Tutorial - Stream logs to an Azure event hub](/azure/active-directory/reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub)<p>Review accounts<br>[What is entitlement management? 
- Azure AD](/azure/active-directory/governance/entitlement-management-overview)<br>[Create an access review of an access package in Azure AD entitlement management ](/azure/active-directory/governance/entitlement-management-access-reviews-create)<br>[Review access of an access package in Azure AD entitlement management](/azure/active-directory/governance/entitlement-management-access-reviews-review-access)<p>Resources:<br>[Administrator role permissions in Azure Active Directory](/azure/active-directory/roles/permissions-reference)<br>[Dynamic Groups in Azure AD](/azure/active-directory/enterprise-users/groups-create-rule) |
-| AC-02(1)| **Employ automated mechanisms to support management of customer-controlled accounts.**<p>Configure automated provisioning of customer-controlled accounts from external HR systems or on-premises Active Directory. For applications that support application provisioning, configure Azure AD to automatically create user identities and roles in cloud (SaaS) applications that users need access to. In addition to creating user identities, automatic provisioning includes the maintenance and removal of user identities as status or roles change. Ease monitoring of account usage by streaming Identity Protection logs (risky users, risky sign-ins, and risk detections) and audit logs directly into Azure Sentinel or Azure Event Hub.<p>Provision<br>[Plan cloud HR application to Azure Active Directory user provisioning](/azure/active-directory/app-provisioning/plan-cloud-hr-provision)<br>[Azure AD Connect sync: Understand and customize synchronization](/azure/active-directory/hybrid/how-to-connect-sync-whatis)<br>[What is automated SaaS app user provisioning in Azure AD?](/azure/active-directory/app-provisioning/user-provisioning)<br>[SaaS App Integration Tutorials for use with Azure AD](/azure/active-directory/saas-apps/tutorial-list)<p>Monitor & Audit<br>[How To: Investigate risk](/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk)<br>[Audit activity reports in the Azure Active Directory portal](/azure/active-directory/reports-monitoring/concept-audit-logs)<br>[What is Azure Sentinel?](/azure/sentinel/overview)<br>[Azure Sentinel: Connect data from Azure Active Directory (Azure AD)](/azure/sentinel/connect-azure-active-directory)<br>[Stream Azure Active Directory logs to an Azure event hub](/azure/active-directory/reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub)ΓÇÄ|
-| AC-02(2)<br>AC-02(3)| **Employ automated mechanisms to support automatically removing or disabling temporary and emergency accounts after 24 hours from last use and all customer-controlled accounts after 35 days of inactivity**.<p>Implement account management automation with Microsoft Graph and Microsoft Azure AD PowerShell. Use Microsoft Graph to monitor sign-in activity and Azure AD PowerShell to take action on accounts within the required timeframe. <p>Determine Inactivity<br>[How to manage inactive user accounts in Azure AD](/azure/active-directory/reports-monitoring/howto-manage-inactive-user-accounts)<br>[How to manage stale devices in Azure AD](/azure/active-directory/devices/manage-stale-devices)<p>Remove or Disable Accounts<br>[Working with users in Microsoft Graph](/graph/api/resources/users)<br>[Get a user](/graph/api/user-get?tabs=http)<br>[Update user](/graph/api/user-update?tabs=http)<br>[Delete a user](/graph/api/user-delete?tabs=http)<p>Working with devices in Microsoft Graph<br>[Get device](/graph/api/device-get?tabs=http)<br>[Update device](/graph/api/device-update?tabs=http)<br>[Delete device](/graph/api/device-delete?tabs=http)<p>Using [Azure AD PowerShell](/powershell/module/azuread/)<br>[Get-AzureADUser](/powershell/module/azuread/get-azureaduser)<br>[Set-AzureADUser](/powershell/module/azuread/set-azureaduser)<br>[Get-AzureADDevice](/powershell/module/azuread/get-azureaddevice)<br>[Set-AzureADDevice](/powershell/module/azuread/set-azureaddevice) |
-| AC-02(4)| **Implement an automated audit and notification system for the lifecycle of managing customer-controlled accounts**.<p>All account lifecycle operations (account creation, modification, enabling, disabling, and removal actions) are audited within the Azure audit logs and can be streamed directly into Azure Sentinel or Azure Event Hub to facilitate notification.<p>Audit<br>[Audit activity reports in the Azure Active Directory portal](/azure/active-directory/reports-monitoring/concept-audit-logs)<br>[Azure Sentinel: Connect data from Azure Active Directory (Azure AD)](/azure/sentinel/connect-azure-active-directory)<P>Notification<br>[What is Azure Sentinel?](/azure/sentinel/overview)<br>[Stream Azure Active Directory logs to an Azure event hub](/azure/active-directory/reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub) |
-| AC-02(5)| **Implement device log out after a 15-minute period of inactivity**.<p>Implement device lock using a Conditional Access policy that restricts access to compliant devices. Configure policy settings on the device to enforce device lock at the OS level with MDM solutions such as Microsoft Intune. Microsoft Endpoint Manager (MEM) or group policy objects (GPO) can also be considered in hybrid deployments. For unmanaged devices, configure the Sign-In Frequency setting to force users to reauthenticate.<P>Conditional Access<br>[Require device to be marked as compliant](/azure/active-directory/conditional-access/require-managed-devices)<br>[User sign-in frequency](/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime)<p>MDM Policy<br>Configure devices for maximum minutes of inactivity until screen locks and requires password to unlock ([Android](/mem/intune/configuration/device-restrictions-android), [iOS](/mem/intune/configuration/device-restrictions-ios), [Windows 10](/mem/intune/configuration/device-restrictions-windows-10)) |
-| AC-02(7)| **Administer and monitor privileged role assignments in accordance with a role-based access (RBAC) scheme for customer-controlled accounts including disabling or revoking privilege access for accounts when no longer appropriate**.<p>Implement Privileged Identity Management (PIM) with access reviews for privileged roles in Azure AD to monitor role assignments and remove role assignments when no longer appropriate. Audit logs can be streamed directly into Azure Sentinel or Azure Event Hub to facilitate monitoring.<p>Administer<br>[What is Azure AD Privileged Identity Management?](/azure/active-directory/privileged-identity-management/pim-configure)<br>[Activation maximum duration](/azure/active-directory/privileged-identity-management/pim-how-to-change-default-settings?tabs=new)<p>Monitor<br>[Create an access review of Azure AD roles in Privileged Identity Management](/azure/active-directory/privileged-identity-management/pim-how-to-start-security-review)<br>[View audit history for Azure AD roles in Privileged Identity Management](/azure/active-directory/privileged-identity-management/pim-how-to-use-audit-log?tabs=new)<br>[Audit activity reports in the Azure Active Directory portal](/azure/active-directory/reports-monitoring/concept-audit-logs)<br>[What is Azure Sentinel?](/azure/sentinel/overview)<br>[Connect data from Azure Active Directory (Azure AD)](/azure/sentinel/connect-azure-active-directory)<br>[Tutorial: Stream Azure Active Directory logs to an Azure event hub](/azure/active-directory/reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub) |
-| AC-02(11)| **Enforce usage of customer-controlled accounts to meet customer defined conditions or circumstances**.<p>Create Conditional Access policies to enforce access control decisions across users and devices.<p>Conditional Access<br>[Create a Conditional Access policy](/azure/active-directory/authentication/tutorial-enable-azure-mfa?bc=/azure/active-directory/conditional-access/breadcrumb/toc.json&toc=/azure/active-directory/conditional-access/toc.json)<br>[What is Conditional Access?](/azure/active-directory/conditional-access/overview) |
-| AC-02(12)| **Monitor and report customer-controlled accounts with privileged access for atypical usage**.<p>Facilitate monitoring of atypical usage by streaming Identity Protection logs (for example, risky users, risky sign-ins, and risk detections) and audit logs (to facilitate correlation with privilege assignment) directly into a SIEM solution such as Azure Sentinel. You can also use Azure Event Hub to integrate logs with third-party SIEM solutions.<p>Identity Protection<br>[What is Identity Protection?](/azure/active-directory/identity-protection/overview-identity-protection)<br>[How To: Investigate risk](/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk)<br>[Azure Active Directory Identity Protection notifications](/azure/active-directory/identity-protection/howto-identity-protection-configure-notifications)<p>Monitor accounts<br>[What is Azure Sentinel?](/azure/sentinel/overview)<br>[Audit activity reports in the Azure Active Directory portal](/azure/active-directory/reports-monitoring/concept-audit-logs)<br>[Connect Azure Active Directory data to Azure Sentinel](/azure/sentinel/connect-azure-active-directory) <br>[Tutorial - Stream logs to an Azure event hub](/azure/active-directory/reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub) |
-| AC-02(13)|**Disable customer-controlled accounts of users posing a significant risk within 1 hour**.<p>In Azure AD Identity Protection, configure and enable a user risk policy with the threshold set to High. Create Conditional Access policies to block access for risky users and risky sign-ins. Configure risk policies to allow users to self-remediate and unblock subsequent sign-in attempts.<p>Identity Protection<br>[What is Identity Protection?](/azure/active-directory/identity-protection/overview-identity-protection)<p>Conditional Access<br>[What is Conditional Access?](/azure/active-directory/conditional-access/overview)<br>[Create a Conditional Access policy](/azure/active-directory/authentication/tutorial-enable-azure-mfa?bc=/azure/active-directory/conditional-access/breadcrumb/toc.json&toc=/azure/active-directory/conditional-access/toc.json)<br>[Conditional Access: User risk-based Conditional Access](/azure/active-directory/conditional-access/howto-conditional-access-policy-risk-user)<br>[Conditional Access: Sign-in risk-based Conditional Access](/azure/active-directory/conditional-access/howto-conditional-access-policy-risk-user)<br>[Self-remediation with risk policy](/azure/active-directory/identity-protection/howto-identity-protection-remediate-unblock) |
-| AC-06(7)| **Review and validate all users with privileged access every year and ensure privileges are reassigned (or removed if necessary) to align with organizational mission and business requirements**.<p>Use Azure AD entitlement management with access reviews for privileged users to verify if privileged access is required. <p>Access Reviews<br>[What is Azure AD entitlement management?](/azure/active-directory/governance/entitlement-management-overview)<br>[Create an access review of Azure AD roles in Privileged Identity Management](/azure/active-directory/privileged-identity-management/pim-how-to-start-security-review)<br>[Review access of an access package in Azure AD entitlement management](/azure/active-directory/governance/entitlement-management-access-reviews-review-access) |
-| AC-07| **Enforce a limit of no more than three consecutive failed login attempts on customer-deployed resources within a 15-minute period and lock the account for a minimum of three (3) hours or until unlocked by an administrator**.<p>Enable custom Smart Lockout settings. Configure lockout threshold and lockout duration in seconds to implement these requirements. <p>Smart Lockout<br>[Protect user accounts from attacks with Azure Active Directory smart lockout](/azure/active-directory/authentication/howto-password-smart-lockout)<br>[Manage Azure AD smart lockout values](/azure/active-directory/authentication/howto-password-smart-lockout) |
-| AC-08| **Display and require user acknowledgment of privacy and security notices before granting access to information systems**.<p>Azure AD provides administrators with the ability to deliver notification or banner messages for all apps that require and record acknowledgment before granting access. These terms of use policies can be granularly targeted to specific users (Member or Guest) and customized per application via Conditional Access policies.<p>Terms of Use<br>[Azure Active Directory terms of use](/azure/active-directory/conditional-access/terms-of-use)<br>[View report of who has accepted and declined](/azure/active-directory/conditional-access/terms-of-use) |
-| AC-10|**Limit concurrent sessions to three sessions for privileged access and two for non-privileged access**. <p>In today's world where users connect from multiple devices (sometimes simultaneously), limiting concurrent sessions leads to a degraded user experience while providing limited security value. A better approach to address the intent behind this control is to adopt a zero trust security posture where the conditions are explicitly validated before a session is created, and continually throughout the life of a session. <p>Additionally, use the following compensating controls. <p>Use Conditional Access policies to restrict access to compliant devices. Configure policy settings on the device to enforce user sign on restrictions at the OS level with MDM solutions such as Microsoft Intune. Microsoft Endpoint Manager (MEM) or group policy objects (GPO) can also be considered in hybrid deployments.<p> Use Privileged Identity Management (PIM) to further restrict and control privileged accounts. 
<p> Configure Smart Account lockout for invalid sign in attempts.<p>**Implementation guidance** <p>Zero Trust<br> [Securing identity with Zero Trust](/security/zero-trust/identity)<br>[Continuous access evaluation in Azure AD](/azure/active-directory/conditional-access/concept-continuous-access-evaluation)<p>Conditional Access<br>[What is Conditional Access in Azure AD?](/azure/active-directory/conditional-access/overview)<br>[Require device to be marked as compliant](/azure/active-directory/conditional-access/require-managed-devices)<br>[User sign-in frequency](/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime)<p>Device Policies<br>[Use PowerShell scripts on Windows 10 devices in Intune](/mem/intune/apps/intune-management-extension)<br>[Additional smart card Group Policy settings and registry keys](/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings)<br>[Microsoft Endpoint Manager overview](/mem/endpoint-manager-overview)<p>Resources<br>[What is Azure AD Privileged Identity Management?](/azure/active-directory/privileged-identity-management/pim-configure)<br>[Protect user accounts from attacks with Azure Active Directory smart lockout](/azure/active-directory/authentication/howto-password-smart-lockout)<p>See AC-12 for additional session re-evaluation & risk mitigation guidance. |
-| AC-11<br>AC-11(1)| **Implement a session lock after a 15-minute period of inactivity or upon receiving a request from a user and retain the session lock until the user reauthenticates. Conceal previously visible information when a session lock is initiated.**<p> Implement device lock using a Conditional Access policy to restrict access to compliant devices. Configure policy settings on the device to enforce device lock at the OS level with MDM solutions such as Microsoft Intune. Microsoft Endpoint Manager (MEM) or group policy objects (GPO) can also be considered in hybrid deployments. For unmanaged devices, configure the Sign-In Frequency setting to force users to reauthenticate.<p>Conditional Access<br>[Require device to be marked as compliant](/azure/active-directory/conditional-access/require-managed-devices)<br>[User sign-in frequency](/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime)<p>MDM Policy<br>Configure devices for maximum minutes of inactivity until screen locks ([Android](/mem/intune/configuration/device-restrictions-android), [iOS](/mem/intune/configuration/device-restrictions-ios), [Windows 10](/mem/intune/configuration/device-restrictions-windows-10)) |
-| AC-12| **Automatically terminate user sessions when organizational defined conditions or trigger events occur**.<p>Implement automatic user session re-evaluation with Azure AD features such as Risk-Based Conditional Access and Continuous Access Evaluation. Inactivity conditions can be implemented at a device level as described in AC-11.<br>[Sign-in risk-based Conditional Access](/azure/active-directory/conditional-access/howto-conditional-access-policy-risk)<br>[User risk-based Conditional Access](/azure/active-directory/conditional-access/howto-conditional-access-policy-risk-user)<br>[Continuous Access Evaluation](/azure/active-directory/conditional-access/concept-continuous-access-evaluation)
-| AC-12(1)| **Provide a logout capability for all sessions and display an explicit logout message**. <p>All Azure AD surfaced web interfaces provide a logout capability for user-initiated communications sessions. When SAML applications are integrated with Azure AD, implement single sign-out. <p>Logout capability<br>When user selects "[Sign-out everywhere](https://aka.ms/mysignins)" all current issued tokens are revoked. <p>Display Message<br>Azure AD automatically displays a message after user-initiated logout.<br>![Image of access control message.](media/fedramp/fedramp-access-controls-image-1.png)<p>Additional Resources<br>[View and search your recent sign-in activity from the My Sign-ins page](/azure/active-directory/user-help/my-account-portal-sign-ins-page)<br>[Single Sign-Out SAML Protocol](/azure/active-directory/develop/single-sign-out-saml-protocol) |
-| AC-20<br>AC-20(1)| **Establish terms and conditions allowing authorized individuals to access the customer-deployed resources from external information systems such as unmanaged devices and external networks**.<p>Require terms of use acceptance for authorized users accessing resources from external systems. Implement Conditional Access policies to restrict access from external systems. Conditional Access policies may also be integrated with Microsoft Cloud App Security (MCAS) to provide additional controls for both cloud and on-premises applications from external systems. Mobile application management (MAM) in Intune can protect organization data at the application level, including custom apps and store apps, from managed devices interacting with external systems (for example, accessing cloud services). App management can be used on organization-owned devices, and personal devices.<P>Terms and Conditions<br>[Terms of use - Azure Active Directory](/azure/active-directory/conditional-access/terms-of-use)<p>Conditional Access<br>[Require device to be marked as compliant](/azure/active-directory/conditional-access/require-managed-devices)<br>[Conditions in Conditional Access policy - Device State (Preview)](/azure/active-directory/conditional-access/concept-conditional-access-conditions)<br>[Protect with Microsoft Cloud App Security Conditional Access App Control](/cloud-app-security/proxy-intro-aad)<br>[Location condition in Azure Active Directory Conditional Access](/azure/active-directory/conditional-access/location-condition)<p>Mobile Device management<br>[What is Microsoft Intune?](/mem/intune/fundamentals/what-is-intune)<br>[What is Cloud App Security?](/cloud-app-security/what-is-cloud-app-security)<br>[What is app management in Microsoft Intune?](/mem/intune/apps/app-management)<p>Resources<br>[Integrate on-premises apps with Cloud App Security](/azure/active-directory/manage-apps/application-proxy-integrate-with-microsoft-cloud-application-security) |
+| AC-02 | **Implement account lifecycle management for customer-controlled accounts. Monitor the use of accounts and notify account managers of account lifecycle events. Review accounts for compliance with account management requirements every month for privileged access and every six months for nonprivileged access.**<p>Use Azure AD to provision accounts from external HR systems, on-premises Active Directory, or directly in the cloud. All account lifecycle operations are audited within the Azure AD audit logs. You can collect and analyze logs by using a Security Information and Event Management (SIEM) solution such as Azure Sentinel. Alternatively, you can use Azure Event Hubs to integrate logs with third-party SIEM solutions to enable monitoring and notification. Use Azure AD entitlement management with access reviews to ensure compliance status of accounts.<p>Provision accounts<br><li>[Plan cloud HR application to Azure Active Directory user provisioning](/azure/active-directory/app-provisioning/plan-cloud-hr-provision)<br><li>[Azure AD Connect sync: Understand and customize synchronization](/azure/active-directory/hybrid/how-to-connect-sync-whatis)<br><li>[Add or delete users using Azure Active Directory](/azure/active-directory/fundamentals/add-users-azure-active-directory)<p>Monitor accounts<br><li>[Audit activity reports in the Azure Active Directory portal](/azure/active-directory/reports-monitoring/concept-audit-logs)<br><li>[Connect Azure Active Directory data to Azure Sentinel](/azure/sentinel/connect-azure-active-directory) <br><li>[Tutorial: Stream logs to an Azure event hub](/azure/active-directory/reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub)<p>Review accounts<br><li>[What is Azure AD entitlement management?](/azure/active-directory/governance/entitlement-management-overview)<br><li>[Create an access review of an access package in Azure AD entitlement 
management](/azure/active-directory/governance/entitlement-management-access-reviews-create)<br><li>[Review access of an access package in Azure AD entitlement management](/azure/active-directory/governance/entitlement-management-access-reviews-review-access)<p>Resources<br><li>[Administrator role permissions in Azure Active Directory](/azure/active-directory/roles/permissions-reference)<br><li>[Dynamic Groups in Azure AD](/azure/active-directory/enterprise-users/groups-create-rule) |
+| AC-02(1)| **Employ automated mechanisms to support management of customer-controlled accounts.**<p>Configure automated provisioning of customer-controlled accounts from external HR systems or on-premises Active Directory. For applications that support application provisioning, configure Azure AD to automatically create user identities and roles in cloud software as a solution (SaaS) applications that users need access to. In addition to creating user identities, automatic provisioning includes the maintenance and removal of user identities as status or roles change. To ease monitoring of account usage, you can stream Azure AD Identity Protection logs, which show risky users, risky sign-ins, and risk detections, and audit logs directly into Azure Sentinel or Event Hubs.<p>Provision<br><li>[Plan cloud HR application to Azure Active Directory user provisioning](/azure/active-directory/app-provisioning/plan-cloud-hr-provision)<br><li>[Azure AD Connect sync: Understand and customize synchronization](/azure/active-directory/hybrid/how-to-connect-sync-whatis)<br><li>[What is automated SaaS app user provisioning in Azure AD?](/azure/active-directory/app-provisioning/user-provisioning)<br><li>[SaaS app integration tutorials for use with Azure AD](/azure/active-directory/saas-apps/tutorial-list)<p>Monitor and audit<br><li>[Investigate risk](/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk)<br><li>[Audit activity reports in the Azure Active Directory portal](/azure/active-directory/reports-monitoring/concept-audit-logs)<br><li>[What is Azure Sentinel?](/azure/sentinel/overview)<br><li>[Azure Sentinel: Connect data from Azure Active Directory](/azure/sentinel/connect-azure-active-directory)<br><li>[Tutorial: Stream Azure Active Directory logs to an Azure event hub](/azure/active-directory/reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub)ΓÇÄ|
+| AC-02(2)<br>AC-02(3)| **Employ automated mechanisms to support automatically removing or disabling temporary and emergency accounts after 24 hours from last use and all customer-controlled accounts after 35 days of inactivity.**<p>Implement account management automation with Microsoft Graph and Azure AD PowerShell. Use Microsoft Graph to monitor sign-in activity and Azure AD PowerShell to take action on accounts within the required time frame. <p>Determine inactivity<br><li>[Manage inactive user accounts in Azure AD](/azure/active-directory/reports-monitoring/howto-manage-inactive-user-accounts)<br><li>[Manage stale devices in Azure AD](/azure/active-directory/devices/manage-stale-devices)<p>Remove or disable accounts<br><li>[Working with users in Microsoft Graph](/graph/api/resources/users)<br><li>[Get a user](/graph/api/user-get?tabs=http)<br><li>[Update user](/graph/api/user-update?tabs=http)<br><li>[Delete a user](/graph/api/user-delete?tabs=http)<p>Work with devices in Microsoft Graph<br><li>[Get device](/graph/api/device-get?tabs=http)<br><li>[Update device](/graph/api/device-update?tabs=http)<br><li>[Delete device](/graph/api/device-delete?tabs=http)<p>Use [Azure AD PowerShell](/powershell/module/azuread/)<br><li>[Get-AzureADUser](/powershell/module/azuread/get-azureaduser)<br><li>[Set-AzureADUser](/powershell/module/azuread/set-azureaduser)<br><li>[Get-AzureADDevice](/powershell/module/azuread/get-azureaddevice)<br><li>[Set-AzureADDevice](/powershell/module/azuread/set-azureaddevice) |
+| AC-02(4)| **Implement an automated audit and notification system for the lifecycle of managing customer-controlled accounts.**<p>All account lifecycle operations, such as account creation, modification, enabling, disabling, and removal actions, are audited within the Azure audit logs. You can stream the logs directly into Azure Sentinel or Event Hubs to help with notification.<p>Audit<br><li>[Audit activity reports in the Azure Active Directory portal](/azure/active-directory/reports-monitoring/concept-audit-logs)<br><li>[Azure Sentinel: Connect data from Azure Active Directory](/azure/sentinel/connect-azure-active-directory)<P>Notification<br><li>[What is Azure Sentinel?](/azure/sentinel/overview)<br><li>[Tutorial: Stream Azure Active Directory logs to an Azure event hub](/azure/active-directory/reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub) |
+| AC-02(5)| **Implement device log-out after a 15-minute period of inactivity.**<p>Implement device lock by using a conditional access policy that restricts access to compliant devices. Configure policy settings on the device to enforce device lock at the OS level with mobile device management (MDM) solutions such as Intune. Endpoint Manager or group policy objects can also be considered in hybrid deployments. For unmanaged devices, configure the Sign-In Frequency setting to force users to reauthenticate.<P>Conditional access<br><li>[Require device to be marked as compliant](/azure/active-directory/conditional-access/require-managed-devices)<br><li>[User sign-in frequency](/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime)<p>MDM policy<br><li>Configure devices for maximum minutes of inactivity until the screen locks and requires a password to unlock ([Android](/mem/intune/configuration/device-restrictions-android), [iOS](/mem/intune/configuration/device-restrictions-ios), [Windows 10](/mem/intune/configuration/device-restrictions-windows-10)). |
+| AC-02(7)| **Administer and monitor privileged role assignments by following a role-based access scheme for customer-controlled accounts. Disable or revoke privilege access for accounts when no longer appropriate.**<p>Implement Azure AD Privileged Identity Management with access reviews for privileged roles in Azure AD to monitor role assignments and remove role assignments when no longer appropriate. You can stream audit logs directly into Azure Sentinel or Event Hubs to help with monitoring.<p>Administer<br><li>[What is Azure AD Privileged Identity Management?](/azure/active-directory/privileged-identity-management/pim-configure)<br><li>[Activation maximum duration](/azure/active-directory/privileged-identity-management/pim-how-to-change-default-settings?tabs=new)<p>Monitor<br><li>[Create an access review of Azure AD roles in Privileged Identity Management](/azure/active-directory/privileged-identity-management/pim-how-to-start-security-review)<br><li>[View audit history for Azure AD roles in Privileged Identity Management](/azure/active-directory/privileged-identity-management/pim-how-to-use-audit-log?tabs=new)<br><li>[Audit activity reports in the Azure Active Directory portal](/azure/active-directory/reports-monitoring/concept-audit-logs)<br><li>[What is Azure Sentinel?](/azure/sentinel/overview)<br><li>[Connect data from Azure Active Directory](/azure/sentinel/connect-azure-active-directory)<br><li>[Tutorial: Stream Azure Active Directory logs to an Azure event hub](/azure/active-directory/reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub) |
+| AC-02(11)| **Enforce usage of customer-controlled accounts to meet customer-defined conditions or circumstances.**<p>Create conditional access policies to enforce access control decisions across users and devices.<p>Conditional access<br><li>[Create a conditional access policy](/azure/active-directory/authentication/tutorial-enable-azure-mfa?bc=/azure/active-directory/conditional-access/breadcrumb/toc.json&toc=/azure/active-directory/conditional-access/toc.json)<br><li>[What is conditional access?](/azure/active-directory/conditional-access/overview) |
+| AC-02(12)| **Monitor and report customer-controlled accounts with privileged access for atypical usage.**<p>For help with monitoring of atypical usage, you can stream Identity Protection logs, which show risky users, risky sign-ins, and risk detections, and audit logs, which help with correlation with privilege assignment, directly into a SIEM solution such as Azure Sentinel. You can also use Event Hubs to integrate logs with third-party SIEM solutions.<p>Identity protection<br><li>[What is Azure AD Identity Protection?](/azure/active-directory/identity-protection/overview-identity-protection)<br><li>[Investigate risk](/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk)<br><li>[Azure Active Directory Identity Protection notifications](/azure/active-directory/identity-protection/howto-identity-protection-configure-notifications)<p>Monitor accounts<br><li>[What is Azure Sentinel?](/azure/sentinel/overview)<br><li>[Audit activity reports in the Azure Active Directory portal](/azure/active-directory/reports-monitoring/concept-audit-logs)<br><li>[Connect Azure Active Directory data to Azure Sentinel](/azure/sentinel/connect-azure-active-directory) <br><li>[Tutorial: Stream logs to an Azure event hub](/azure/active-directory/reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub) |
+| AC-02(13)|**Disable customer-controlled accounts of users that pose a significant risk within one hour.**<p>In Azure AD Identity Protection, configure and enable a user risk policy with the threshold set to High. Create conditional access policies to block access for risky users and risky sign-ins. Configure risk policies to allow users to self-remediate and unblock subsequent sign-in attempts.<p>Identity protection<br><li>[What is Azure AD Identity Protection?](/azure/active-directory/identity-protection/overview-identity-protection)<p>Conditional access<br><li>[What is conditional access?](/azure/active-directory/conditional-access/overview)<br><li>[Create a conditional access policy](/azure/active-directory/authentication/tutorial-enable-azure-mfa?bc=/azure/active-directory/conditional-access/breadcrumb/toc.json&toc=/azure/active-directory/conditional-access/toc.json)<br><li>[Conditional access: User risk-based conditional access](/azure/active-directory/conditional-access/howto-conditional-access-policy-risk-user)<br><li>[Conditional access: Sign-in risk-based conditional access](/azure/active-directory/conditional-access/howto-conditional-access-policy-risk-user)<br><li>[Self-remediation with risk policy](/azure/active-directory/identity-protection/howto-identity-protection-remediate-unblock) |
+| AC-06(7)| **Review and validate all users with privileged access every year. Ensure privileges are reassigned (or removed if necessary) to align with organizational mission and business requirements.**<p>Use Azure AD entitlement management with access reviews for privileged users to verify if privileged access is required. <p>Access reviews<br><li>[What is Azure AD entitlement management?](/azure/active-directory/governance/entitlement-management-overview)<br><li>[Create an access review of Azure AD roles in Privileged Identity Management](/azure/active-directory/privileged-identity-management/pim-how-to-start-security-review)<br><li>[Review access of an access package in Azure AD entitlement management](/azure/active-directory/governance/entitlement-management-access-reviews-review-access) |
+| AC-07| **Enforce a limit of no more than three consecutive failed login attempts on customer-deployed resources within a 15-minute period. Lock the account for a minimum of three hours or until unlocked by an administrator.**<p>Enable custom smart lockout settings. Configure lockout threshold and lockout duration in seconds to implement these requirements. <p>Smart lockout<br><li>[Protect user accounts from attacks with Azure Active Directory smart lockout](/azure/active-directory/authentication/howto-password-smart-lockout)<br><li>[Manage Azure AD smart lockout values](/azure/active-directory/authentication/howto-password-smart-lockout) |
+| AC-08| **Display and require user acknowledgment of privacy and security notices before granting access to information systems.**<p>With Azure AD, you can deliver notification or banner messages for all apps that require and record acknowledgment before granting access. You can granularly target these terms of use policies to specific users (Member or Guest). You can also customize them per application via conditional access policies.<p>Terms of use<br><li>[Azure Active Directory terms of use](/azure/active-directory/conditional-access/terms-of-use)<br><li>[View report of who has accepted and declined](/azure/active-directory/conditional-access/terms-of-use) |
+| AC-10|**Limit concurrent sessions to three sessions for privileged access and two for nonprivileged access.** <p>Nowadays, users connect from multiple devices, sometimes simultaneously. Limiting concurrent sessions leads to a degraded user experience and provides limited security value. A better approach to address the intent behind this control is to adopt a zero-trust security posture. Conditions are explicitly validated before a session is created and continually validated throughout the life of a session. <p>In addition, use the following compensating controls. <p>Use conditional access policies to restrict access to compliant devices. Configure policy settings on the device to enforce user sign-in restrictions at the OS level with MDM solutions such as Intune. Endpoint Manager or group policy objects can also be considered in hybrid deployments.<p> Use Privileged Identity Management to further restrict and control privileged accounts. <p> Configure smart account lockout for invalid sign-in attempts.<p>**Implementation guidance** <p>Zero trust<br><li> [Securing identity with Zero Trust](/security/zero-trust/identity)<br><li>[Continuous access evaluation in Azure AD](/azure/active-directory/conditional-access/concept-continuous-access-evaluation)<p>Conditional access<br><li>[What is conditional access in Azure AD?](/azure/active-directory/conditional-access/overview)<br><li>[Require device to be marked as compliant](/azure/active-directory/conditional-access/require-managed-devices)<br><li>[User sign-in frequency](/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime)<p>Device policies<br><li>[Use PowerShell scripts on Windows 10 devices in Intune](/mem/intune/apps/intune-management-extension)<br><li>[Other smart card Group Policy settings and registry keys](/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings)<br><li>[Microsoft Endpoint Manager 
overview](/mem/endpoint-manager-overview)<p>Resources<br><li>[What is Azure AD Privileged Identity Management?](/azure/active-directory/privileged-identity-management/pim-configure)<br><li>[Protect user accounts from attacks with Azure Active Directory smart lockout](/azure/active-directory/authentication/howto-password-smart-lockout)<p>See AC-12 for more session reevaluation and risk mitigation guidance. |
+| AC-11<br>AC-11(1)| **Implement a session lock after a 15-minute period of inactivity or upon receiving a request from a user. Retain the session lock until the user reauthenticates. Conceal previously visible information when a session lock is initiated.**<p> Implement device lock by using a conditional access policy to restrict access to compliant devices. Configure policy settings on the device to enforce device lock at the OS level with MDM solutions such as Intune. Endpoint Manager or group policy objects can also be considered in hybrid deployments. For unmanaged devices, configure the Sign-In Frequency setting to force users to reauthenticate.<p>Conditional access<br><li>[Require device to be marked as compliant](/azure/active-directory/conditional-access/require-managed-devices)<br><li>[User sign-in frequency](/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime)<p>MDM policy<br><li>Configure devices for maximum minutes of inactivity until the screen locks ([Android](/mem/intune/configuration/device-restrictions-android), [iOS](/mem/intune/configuration/device-restrictions-ios), [Windows 10](/mem/intune/configuration/device-restrictions-windows-10)). |
+| AC-12| **Automatically terminate user sessions when organizational defined conditions or trigger events occur.**<p>Implement automatic user session reevaluation with Azure AD features such as risk-based conditional access and continuous access evaluation. You can implement inactivity conditions at a device level as described in AC-11.<p>Resources<br><li>[Sign-in risk-based conditional access](/azure/active-directory/conditional-access/howto-conditional-access-policy-risk)<br><li>[User risk-based conditional access](/azure/active-directory/conditional-access/howto-conditional-access-policy-risk-user)<br><li>[Continuous access evaluation](/azure/active-directory/conditional-access/concept-continuous-access-evaluation)
+| AC-12(1)| **Provide a logout capability for all sessions and display an explicit logout message.** <p>All Azure AD surfaced web interfaces provide a logout capability for user-initiated communications sessions. When SAML applications are integrated with Azure AD, implement single sign-out. <p>Logout capability<br><li>When the user selects [Sign-out everywhere](https://aka.ms/mysignins), all current issued tokens are revoked. <p>Display message<br>Azure AD automatically displays a message after user-initiated logout.<br><p>![Screenshot that shows an access control message.](media/fedramp/fedramp-access-controls-image-1.png)<p>Resources<br><li>[View and search your recent sign-in activity from the My Sign-Ins page](/azure/active-directory/user-help/my-account-portal-sign-ins-page)<br><li>[Single Sign-Out SAML Protocol](/azure/active-directory/develop/single-sign-out-saml-protocol) |
+| AC-20<br>AC-20(1)| **Establish terms and conditions that allow authorized individuals to access the customer-deployed resources from external information systems such as unmanaged devices and external networks.**<p>Require terms of use acceptance for authorized users who access resources from external systems. Implement conditional access policies to restrict access from external systems. Conditional access policies might also be integrated with Cloud App Security to provide controls for cloud and on-premises applications from external systems. Mobile application management in Intune can protect organization data at the application level, including custom apps and store apps, from managed devices that interact with external systems. An example would be accessing cloud services. You can use app management on organization-owned devices and personal devices.<P>Terms and conditions<br><li>[Terms of use: Azure Active Directory](/azure/active-directory/conditional-access/terms-of-use)<p>Conditional access<br><li>[Require device to be marked as compliant](/azure/active-directory/conditional-access/require-managed-devices)<br><li>[Conditions in conditional access policy: Device state (preview)](/azure/active-directory/conditional-access/concept-conditional-access-conditions)<br><li>[Protect with Microsoft Cloud App Security Conditional Access App Control](/cloud-app-security/proxy-intro-aad)<br><li>[Location condition in Azure Active Directory conditional access](/azure/active-directory/conditional-access/location-condition)<p>MDM<br><li>[What is Microsoft Intune?](/mem/intune/fundamentals/what-is-intune)<br><li>[What is Cloud App Security?](/cloud-app-security/what-is-cloud-app-security)<br><li>[What is app management in Microsoft Intune?](/mem/intune/apps/app-management)<p>Resource<br><li>[Integrate on-premises apps with Cloud App Security](/azure/active-directory/manage-apps/application-proxy-integrate-with-microsoft-cloud-application-security) |
## Next steps
-[FedRAMP compliance overview](configure-azure-active-directory-for-fedramp-high-impact.md)
-
-[Configure Identification & Authentication controls to meet FedRAMP High Impact level](fedramp-identification-and-authentication-controls.md)
-
-[Configure additional controls to meet FedRAMP High Impact level](fedramp-other-controls.md)
+- [FedRAMP compliance overview](configure-azure-active-directory-for-fedramp-high-impact.md)
+- [Configure identification and authentication controls to meet FedRAMP High Impact level](fedramp-identification-and-authentication-controls.md)
+- [Configure additional controls to meet FedRAMP High Impact level](fedramp-other-controls.md)
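Review bot: the AC-12(1) row overstates what "Sign-out everywhere" does when it says "all current issued tokens are revoked": the action revokes the user's refresh tokens and browser sessions, but access tokens that were already issued remain valid until they expire unless the resource participates in continuous access evaluation, so the row should say refresh tokens and sessions, and can point at the CAE article the AC-12 row already cites for the rest. In the AC-11 row, the sign-in frequency setting is a fixed reauthentication interval, not an inactivity timer, so for unmanaged devices it only approximates the 15-minute inactivity lock the control asks for; say that plainly, and note that the 15-minute value itself has to be set in the MDM screen-lock policies linked at the end of the row, since the conditional access policies in the row do not carry it.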
active-directory Fedramp Identification And Authentication Controls https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/standards/fedramp-identification-and-authentication-controls.md
Title: Configure identification and authentication controls to meet FedRAMP High Impact levels with Azure Active directory
-description: Detailed guidance on how to configure identification and authentications controls to meet FedRAMP High Impact levels.
+ Title: Configure identification and authentication controls to meet FedRAMP High Impact level with Azure Active Directory
+description: Detailed guidance on how to configure identification and authentication controls to meet FedRAMP High Impact level.
# Configure identification and authentication controls to meet FedRAMP High Impact level
-The following list of controls (and control enhancements) in the Identification and authentication family may require configuration in your Azure AD tenant.
+Identification and authentication are key to achieving a [Federal Risk and Authorization Management Program](https://www.fedramp.gov/) (FedRAMP) High Impact level.
-Each row in the table below provides prescriptive guidance to aid you in developing your organization's response to any shared responsibilities regarding the control and/or control enhancement.
+The following list of controls and control enhancements in the identification and authentication (IA) family might require configuration in your Azure Active Directory (Azure AD) tenant.
-IA-02 Identification and Authentication (Organizational Users)
-
-IA-03 Device Identification and Authentication
-
-IA-04 Identifier Management
-
-IA-05 Authenticator Management
-
-IA-06 Authenticator Feedback
-
-IA-07 Cryptographic Module Authentication
+|Control family|Description|
+| - | - |
+| IA-02| Identification and authentication (organizational users) |
+| IA-03| Device identification and authentication |
+| IA-04| Identifier management |
+| IA-05| Authenticator management |
+| IA-06| Authenticator feedback |
+| IA-07| Cryptographic module authentication |
+| IA-08| Identification and authentication (non-organizational users) |
-IA-08 Identification and Authentication (Non-Organizational Users)
+Each row in the following table provides prescriptive guidance to help you develop your organization's response to any shared responsibilities for the control or control enhancement.
## Configurations | Control ID and subpart| Customer responsibilities and guidance | | - | - |
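Review bot: the new table introducing the IA controls is headed "Control family", but every row is a single control ID (IA-02 through IA-08) within the one identification and authentication family named in the paragraph above it; change the header to "Control ID" so it matches the "Control ID and subpart" column of the Configurations table that follows. The new intro sentence, "key to achieving a ... FedRAMP High Impact level", also reads oddly because High is an impact level a system is categorized at rather than something achieved; "a FedRAMP High authorization" would be more accurate.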
-| IA-02| **Uniquely identify and authenticate users or processes acting on behalf of users.<p>** Azure AD uniquely identifies user and service principal objects directly and provides multiple authentication methods including methods adhering to NIST Authentication Assurance Level (AAL) 3 that can be configured.<p>Identifiers <br> Users - [Working with users in Microsoft Graph : ID Property](/graph/api/resources/users?view=graph-rest-1.0&preserve-view=true)<br>Service Principals - [ServicePrincipal resource type : ID Property](/graph/api/resources/serviceprincipal?view=graph-rest-1.0&preserve-view=true)<p>Authentication & Multi-Factor Authentication<br> [Achieving National Institute of Standards and Technology Authenticator Assurance Levels with the Microsoft Identity Platform.](nist-overview.md) |
-| IA-02(1)<br>IA-02(3)| **Multi-factor authentication (MFA) for all access to privileged accounts**. <p>Configure the following elements for a complete solution to ensure all access to privileged accounts requires MFA.<p>Configure Conditional Access policies to require MFA for all users.<br> Implement Privileged Identity Management (PIM) to require MFA for activation of privileged role assignment prior to use.<p>With PIM activation requirement in place, privilege account activation is not possible without network access. Hence, local access is never privileged.<p>MFA & PIM<br> [Conditional Access - Require MFA for all users](../conditional-access/howto-conditional-access-policy-all-users-mfa.md)<br> [Configure Azure AD role settings in PIM](../privileged-identity-management/pim-how-to-change-default-settings.md?tabs=new) |
-| IA-02(2)<br>IA-02(4)| **Implement multi-factor authentication for all access to non-privileged accounts**<p>Configure the following elements as an overall solution to ensure all access to non-privileged accounts requires MFA.<p> Configure Conditional Access policies to require MFA for all users.<br> Configure device management policies via MDM (such as Microsoft Intune), Microsoft Endpoint Manager (MEM) or group policy objects (GPO) to enforce use of specific authentication methods.<br> Configure Conditional Access policies to enforce device compliance.<p>Microsoft recommends using a multi-factor cryptographic hardware authenticator (e.g., FIDO2 security keys, Windows Hello for Business (with hardware TPM), or smart card) to achieve AAL3. If your organization is completely cloud-based, we recommend using FIDO2 security keys or Windows Hello for Business.<p>FIDO2 keys and Windows Hello for Business have not been validated at the required FIPS 140 Security Level and as such federal customers would need to conduct risk assessment and evaluation before accepting these authenticators as AAL3. For additional details regarding FIDO2 and Windows Hello for Business FIPS 140 validation please refer to [Microsoft NIST AALs](nist-overview.md).<p>Guidance regarding MDM polices differ slightly based on authentication methods, they are broken out below. 
<p>Smart Card / Windows Hello for Business<br> [Passwordless Strategy - Require Windows Hello for Business or smart card](/windows/security/identity-protection/hello-for-business/passwordless-strategy)<br> [Require device to be marked as compliant](../conditional-access/require-managed-devices.md)<br> [Conditional Access - Require MFA for all users](../conditional-access/howto-conditional-access-policy-all-users-mfa.md)<p> Hybrid Only<br> [Passwordless Strategy - Configure user accounts to disallow password authentication](/windows/security/identity-protection/hello-for-business/passwordless-strategy)<p> Smart Card Only<br>[Create a Rule to Send an Authentication Method Claim](/windows-server/identity/ad-fs/operations/create-a-rule-to-send-an-authentication-method-claim)<br>[Configure Authentication Policies](/windows-server/identity/ad-fs/operations/configure-authentication-policies)<p>FIDO2 Security Key<br> [Passwordless Strategy - Excluding the password credential provider](/windows/security/identity-protection/hello-for-business/passwordless-strategy)<br> [Require device to be marked as compliant](../conditional-access/require-managed-devices.md)<br> [Conditional Access - Require MFA for all users](../conditional-access/howto-conditional-access-policy-all-users-mfa.md)<p>Authentication Methods<br> [Azure Active Directory passwordless sign-in (preview) | FIDO2 security keys](../authentication/concept-authentication-passwordless.md)<br> [Passwordless security key sign-in Windows - Azure Active Directory](../authentication/howto-authentication-passwordless-security-key-windows.md)<br> [ADFS: Certificate Authentication with Azure AD & Office 365](/archive/blogs/samueld/adfs-certauth-aad-o365)<br> [How Smart Card Sign-in Works in Windows (Windows 10)](/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows)<br> [Windows Hello for Business Overview (Windows 
10)](/windows/security/identity-protection/hello-for-business/hello-overview)<p>Additional Resources:<br> [Policy CSP - Windows Client Management](/windows/client-management/mdm/policy-configuration-service-provider)<br> [Use PowerShell scripts on Windows 10 devices in Intune](/mem/intune/apps/intune-management-extension)<br> [Plan a passwordless authentication deployment with Azure AD](../authentication/howto-authentication-passwordless-deployment.md)<br> |
-| IA-02(5)| **When multiple users have access to a shared or group account password, require each user to first authenticate using an individual authenticator**<p>Use an individual account per user. If a shared account is required, Azure AD permits binding of multiple authenticators to an account such that each user has an individual authenticator. <p> [How it works: Azure multi-factor authentication](../authentication/concept-mfa-howitworks.md)<br> [Manage authentication methods for Azure AD multi-factor authentication](../authentication/howto-mfa-userdevicesettings.md) |
-| IA-02(8)| **Implement replay-resistant authentication mechanisms for network access to privileged accounts**<p>Configure Conditional Access policies to require MFA for all users. All Azure AD authentication methods at Authentication Assurance Level 2 & 3 use either nonce or challenges and are resistant to replay attacks.p>References:<br> [Conditional Access - Require MFA for all users](../conditional-access/howto-conditional-access-policy-all-users-mfa.md)<br> [Achieving National Institute of Standards and Technology Authenticator Assurance Levels with the Microsoft Identity Platform.](nist-overview.md) |
-| IA-02(11)| **Implement Azure multi-factor authentication to access customer-deployed resources remotely such that one of the factors is provided by a device separate from the system gaining access where the device meets FIPS-140-2, NIAP Certification, or NSA approval**<p>See guidance for IA-02(1-4). Azure AD authentication methods to consider at AAL3 meeting the separate device requirements are:<p> FIDO2 Security Keys<br> Windows Hello for Business with Hardware TPM (TPM is recognized as a valid "something you have" factor by NIST 800-63B Section 5.1.7.1)<br> Smart Card<p>References:<br>[Achieving National Institute of Standards and Technology Authenticator Assurance Levels with the Microsoft Identity Platform.](nist-overview.md)<br> [NIST 800-63B Section 5.1.7.1](https://pages.nist.gov/800-63-3/sp800-63b.html) |
-| IA-02(12)| **Accept and verify Personal Identity Verification (PIV) credentials. This control is not applicable if the customer does not deploy PIV credentials.**<p>Configure federated authentication using Active Directory Federation Services (ADFS) to accept PIV (certificate authentication) as both primary and multi-factor authentication methods and issue the MFA (MultipleAuthN) claim when PIV is used. Configure the federated domain in Azure AD with SupportsMFA to direct MFA requests originating at Azure AD to the ADFS. Alternatively, PIV can be used for sign-in on Windows devices and subsequently leverage Integrated Windows Authentication (IWA) along with Seamless Single Sign-On (SSSO). Windows Server & Client verify certificates by default when used for authentication. <p> [What is federation with Azure AD?](../hybrid/whatis-fed.md)<br> [Configure AD FS support for user certificate authentication](/windows-server/identity/ad-fs/operations/configure-user-certificate-authentication)[Configure AD FS support for user certificate authentication](/windows-server/identity/ad-fs/operations/configure-user-certificate-authentication)<br> [Configure Authentication Policies](/windows-server/identity/ad-fs/operations/configure-authentication-policies)[Configure Authentication Policies](/windows-server/identity/ad-fs/operations/configure-authentication-policies)<br> [Secure resources with Azure AD MFA and ADFS](../authentication/howto-mfa-adfs.md)<br>[Set-MsolDomainFederationSettings](/powershell/module/msonline/set-msoldomainfederationsettings)<br> [Azure AD Connect: Seamless Single Sign-On](../hybrid/how-to-connect-sso.md) |
-| IA-03| **Implement device identification and authentication prior to establishing a connection.**<p>Configure Azure AD to identify and authenticate Azure AD Registered, Azure AD Joined, and Azure AD Hybrid joined devices.<p> [What is a device identity?](../devices/overview.md)<br> [Plan an Azure AD devices deployment](../devices/plan-device-deployment.md)<br>[How To: Require managed devices for cloud app access with Conditional Access](../conditional-access/require-managed-devices.md) |
-| IA-04<br>IA-04(4)| **Disable account identifiers after 35 days of inactivity and prevent their reuse for 2 years. Manage individual identifiers by uniquely identifying each individual (e.g., contractors, foreign nationals, etc.).**<p>Assign and manage individual account identifiers and status in Azure AD in accordance with existing organizational policies defined in AC-02. Follow AC-02(3) to automatically disable user and device accounts after 35 days of inactivity. Ensure that organizational policy maintains all accounts that remain in the disabled state for at least 2 years after which they can be removed. <p>Determine Inactivity<br> [How to manage inactive user accounts in Azure AD](../reports-monitoring/howto-manage-inactive-user-accounts.md)<br> [How to manage stale devices in Azure AD](../devices/manage-stale-devices.md)[How to manage stale devices in Azure AD](../devices/manage-stale-devices.md)<br> [See AC-02 guidance](fedramp-access-controls.md) |
-| IA-05| **Configure and manage information system authenticators.**<p>Azure AD supports a wide variety of authentication methods and can be managed using your existing organizational policies. See guidance for authenticator selection in IA-02(1-4). Enable users in combined registration for SSPR and Azure AD MFA and require users to register a minimum of two acceptable multi-factor authentication methods to facilitate self-remediation. Administrators can revoke user configured authenticators at any time with the authentication methods API. <p>Authenticator Strength/Protect Authenticator Content<br> [Achieving National Institute of Standards and Technology Authenticator Assurance Levels with the Microsoft Identity Platform.](nist-overview.md)<p>Authentication Methods & Combined Registration<br> [What authentication and verification methods are available in Azure Active Directory?](../authentication/concept-authentication-methods.md)<br> [Combined registration for SSPR and Azure AD multi-factor authentication](../authentication/concept-registration-mfa-sspr-combined.md)<p>Authenticator Revoke<br> [Azure AD authentication methods API overview](/graph/api/resources/authenticationmethods-overview?view=graph-rest-beta&preserve-view=true) |
-| IA-05(1)| **Implement password-based authentication requirements.**<p>Per NIST SP 800-63B Section 5.1.1: Maintain a list of commonly used, expected, or compromised passwords.<p>With Azure AD Password Protection, default global banned password lists are automatically applied to all users in an Azure AD tenant. To support your own business and security needs, you can define entries in a custom banned password list. When users change or reset their passwords, these banned password lists are checked to enforce the use of strong passwords.<p>Microsoft strongly encourages passwordless strategies. This control is only applicable to password authenticators. Therefore, removing passwords as an available authenticator renders this control not applicable.<p>NIST Reference Documents:<br>[NIST Special Publication 800-63B](https://pages.nist.gov/800-63-3/sp800-63b.html)<br>[NIST Special Publication 800-53 Revision 5](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf) - IA-5 - Control Enhancement (1)<p>Additional Resources:<br>[Eliminate bad passwords using Azure Active Directory Password Protection](../authentication/concept-password-ban-bad.md) |
-| IA-05(2)| **Implement PKI-Based authentication requirements.**<p>Federate Azure AD via ADFS to implement PKI-based authentication. By default, ADFS validates certificates, locally caches revocation data and maps users to the authenticated identity in Active Directory. <p> Additional Resources:<br> [What is federation with Azure AD?](../hybrid/whatis-fed.md)<br> [Configure AD FS support for user certificate authentication](/windows-server/identity/ad-fs/operations/configure-user-certificate-authentication) |
-| IA-05(4)| **Employ automated tools to validate password strength requirements.** <p>Azure AD implements automated mechanisms which enforce password authenticator strength at creation. This automated mechanism can also be extended to enforce password authenticator strength for on-premises Active Directory. Revision 5 of NIST 800-53 has withdrawn IA-04(4) and incorporated the requirement into IA-5(1).<p>Additional Resources:<p> [Eliminate bad passwords using Azure Active Directory Password Protection](../authentication/concept-password-ban-bad.md)<br> [Azure AD Password Protection for Active Directory Domain Services](../authentication/concept-password-ban-bad-on-premises.md)<br>[NIST Special Publication 800-53 Revision 5](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf) - IA-5 - Control Enhancement (4) |
-| IA-05(6)| **Protect authenticators as defined in FedRAMP High**.<p>For further details on how Azure AD protects authenticators see [Azure Active Directory Data Security Considerations](https://aka.ms/aaddatawhitepaper) |
-| IA-05(7)| **Ensure unencrypted static authenticators (e.g., a password) are not embedded in applications or access scripts or stored on function keys.**<p>Implement managed identities or service principal objects (configured with only certificate).<p>[What are managed identities for Azure resources?](../managed-identities-azure-resources/overview.md)<br>[Create an Azure AD app & service principal in the portal](../develop/howto-create-service-principal-portal.md) |
-| IA-05(8)| **Implement security safeguards when individuals have accounts on multiple information systems.**<p>Implement single sign-on (SSO) by connecting all applications to Azure AD, as opposed to having individual accounts on multiple information systems.<p>[What is Azure single sign-on (SSO)?](../manage-apps/what-is-single-sign-on.md) |
-| IA-05(11)| **Require hardware token quality requirements as required by FedRAMP High.**<p>Require the use of hardware tokens that meet AAL3.<p>Resources:<br> [Achieving National Institute of Standards and Technology Authenticator Assurance Levels with the Microsoft Identity Platform](https://azure.microsoft.com/resources/microsoft-nist/) |
-| IA-05(13)| **Enforce the expiration of cached authenticators.**<p>Cached authenticators are used to authenticate to the local machine when the network is not available. To limit the use of cached authenticators, configure Windows devices to disable their use. Where this is not possible or practical, use the following compensating controls:<p>Configure conditional access session controls using application enforced restrictions for Office applications.<br> Configure conditional access using application controls for other applications.<p>Resources:<br> [Interactive logon Number of previous logons to cache](/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available)<br> [Session controls in Conditional Access policy - Application enforced restrictions](../conditional-access/concept-conditional-access-session.md)<br>[Session controls in Conditional Access policy - Conditional Access application control](../conditional-access/concept-conditional-access-session.md) |
-| IA-06| **Obscure authentication feedback information during the authentication process.**<p>By default, Azure AD obscures all authenticator feedback. <p>
-| IA-07| **Implement mechanisms for authentication to a cryptographic module that meets applicable federal laws.**<p>FedRAMP High requires AAL3 authenticator. All authenticators supported by Azure AD at AAL3 provide mechanisms to authenticate operator access to the module as required. For example, in a Windows Hello for Business deployment with hardware TPM, configure the level of TPM owner authorization.<p> Resources:<br>See IA-02(2 & 4) for additional detail. Resources<br> [Achieving National Institute of Standards and Technology Authenticator Assurance Levels with the Microsoft Identity Platform.](nist-overview.md) <br> [TPM Group Policy settings](/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings) |
-| IA-08| **The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users).**<p>Azure AD uniquely identifies and authenticates non-organizational users homed in the organizations tenant or in external directories using FICAM approved protocols.<p> [What is B2B collaboration in Azure Active Directory](../external-identities/what-is-b2b.md)<br> [Direct federation with an identity provider for B2B](../external-identities/direct-federation.md)<br> [Properties of a B2B guest user](../external-identities/user-properties.md) |
-| IA-08(1)<br>IA-08(4)| **Accept and verify Personal Identity Verification (PIV) credentials issued by other federal agencies. Conform to the profiles issued by the Federal Identity, Credential, and Access Management (FICAM).**<p>Configure Azure AD to accept PIV credentials via federation (OIDC, SAML) or locally via Windows Integrated Authentication (WIA)<p>Resources:<br> [What is federation with Azure AD?](../hybrid/whatis-fed.md)<br> [Configure AD FS support for user certificate authentication](/windows-server/identity/ad-fs/operations/configure-user-certificate-authentication)<br>[What is B2B collaboration in Azure Active Directory](../external-identities/what-is-b2b.md)<br> [Direct federation with an identity provider for B2B](../external-identities/direct-federation.md) |
-| IA-08(2)| **Accept only Federal Identity, Credential, and Access Management (FICAM) approved credentials.**<p>Azure AD supports authenticators at NIST Authentication Assurance Levels (AALs) 1, 2 & 3. Restrict the use of authenticators commensurate with the security category of the system being accessed. <p>Azure Active Directory supports a wide variety of authentication methods.<p>Resources<br> [What authentication and verification methods are available in Azure Active Directory?](../authentication/concept-authentication-methods.md)<br> [Azure AD authentication methods policy API overview](/graph/api/resources/authenticationmethodspolicies-overview?view=graph-rest-beta&preserve-view=true)<br> [Achieving National Institute of Standards and Technology Authenticator <br>Assurance Levels with the Microsoft Identity Platform](https://azure.microsoft.com/resources/microsoft-nist/) |
-
-## Next Steps
-[Configure access controls](fedramp-access-controls.md)
+| IA-02| **Uniquely identify and authenticate users or processes acting for users.**<p> Azure AD uniquely identifies user and service principal objects directly. Azure AD provides multiple authentication methods, and you can configure methods that adhere to National Institute of Standards and Technology (NIST) authentication assurance level (AAL) 3.<p>Identifiers <br> <li>Users: [Working with users in Microsoft Graph: ID property](/graph/api/resources/users?view=graph-rest-1.0&preserve-view=true)<br><li>Service principals: [ServicePrincipal resource type : ID property](/graph/api/resources/serviceprincipal?view=graph-rest-1.0&preserve-view=true)<p>Authentication and multifactor authentication<br> <li>[Achieving NIST authenticator assurance levels with the Microsoft identity platform](nist-overview.md) |
+| IA-02(1)<br>IA-02(3)| **Multifactor authentication for all access to privileged accounts.** <p>Configure the following elements for a complete solution to ensure all access to privileged accounts requires multifactor authentication.<p>Configure conditional access policies to require multifactor authentication for all users.<br> Implement Azure AD Privileged Identity Management to require multifactor authentication for activation of privileged role assignment prior to use.<p>With Privileged Identity Management activation requirement in place, privilege account activation isn't possible without network access, so local access is never privileged.<p>Multifactor authentication and Privileged Identity Management<br> <li>[Conditional access: Require multifactor authentication for all users](../conditional-access/howto-conditional-access-policy-all-users-mfa.md)<br> <li>[Configure Azure AD role settings in Privileged Identity Management](../privileged-identity-management/pim-how-to-change-default-settings.md?tabs=new) |
+| IA-02(2)<br>IA-02(4)| **Implement multifactor authentication for all access to nonprivileged accounts.**<p>Configure the following elements as an overall solution to ensure all access to non-privileged accounts requires multifactor authentication.<p> Configure conditional access policies to require multifactor authentication for all users.<br> Configure device management policies via MDM (such as Microsoft Intune), Microsoft Endpoint Manager, or group policy objects to enforce use of specific authentication methods.<br> Configure conditional access policies to enforce device compliance.<p>We recommend using a multifactor cryptographic hardware authenticator to achieve AAL3. For example, use FIDO2 security keys, Windows Hello for Business (with hardware TPM), or a smart card. If your organization is completely cloud based, use FIDO2 security keys or Windows Hello for Business.<p>FIDO2 keys and Windows Hello for Business haven't been validated at the required FIPS 140 security level. For this reason, federal customers would need to conduct risk assessment and evaluation before accepting these authenticators as AAL3. 
For more information on FIDO2 and Windows Hello for Business FIPS 140 validation, see [Microsoft NIST AALs](nist-overview.md).<p>Guidance on MDM policies differs slightly based on the following authentication methods: <p>Smart card/Windows Hello for Business<br> <li>[Passwordless strategy: Require Windows Hello for Business or smart card](/windows/security/identity-protection/hello-for-business/passwordless-strategy)<br> <li>[Require device to be marked as compliant](../conditional-access/require-managed-devices.md)<br> <li>[Conditional access: Require multifactor authentication for all users](../conditional-access/howto-conditional-access-policy-all-users-mfa.md)<p> Hybrid only<br> <li>[Passwordless strategy: Configure user accounts to disallow password authentication](/windows/security/identity-protection/hello-for-business/passwordless-strategy)<p> Smart card only<br><li>[Create a rule to send an authentication method claim](/windows-server/identity/ad-fs/operations/create-a-rule-to-send-an-authentication-method-claim)<br><li>[Configure authentication policies](/windows-server/identity/ad-fs/operations/configure-authentication-policies)<p>FIDO2 security key<br> <li>[Passwordless strategy: Excluding the password credential provider](/windows/security/identity-protection/hello-for-business/passwordless-strategy)<br> <li>[Require device to be marked as compliant](../conditional-access/require-managed-devices.md)<br> <li>[Conditional access: Require multifactor authentication for all users](../conditional-access/howto-conditional-access-policy-all-users-mfa.md)<p> Authentication methods<br> <li>[Azure AD passwordless sign-in (preview): FIDO2 security keys](../authentication/concept-authentication-passwordless.md)<br> <li>[Passwordless security key sign-in Windows: Azure Active Directory](../authentication/howto-authentication-passwordless-security-key-windows.md)<br> <li>[AD FS: Certificate authentication with Azure AD and Office 
365](/archive/blogs/samueld/adfs-certauth-aad-o365)<br> <li>[How smart card sign-in works in Windows (Windows 10)](/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows)<br> <li>[Windows Hello for Business overview (Windows 10)](/windows/security/identity-protection/hello-for-business/hello-overview)<p>More resources<br> <li>[Policy CSP: Windows Client management](/windows/client-management/mdm/policy-configuration-service-provider)<br> <li>[Use PowerShell scripts on Windows 10 devices in Intune](/mem/intune/apps/intune-management-extension)<br> <li>[Plan a passwordless authentication deployment with Azure AD](../authentication/howto-authentication-passwordless-deployment.md)<br> |
+| IA-02(5)| **When multiple users have access to a shared or group account password, require each user to first authenticate by using an individual authenticator.**<p>Use an individual account per user. If a shared account is required, Azure AD permits binding of multiple authenticators to an account so that each user has an individual authenticator. <p>Resources<br><li>[How it works: Azure AD multifactor authentication](../authentication/concept-mfa-howitworks.md)<br> <li>[Manage authentication methods for Azure AD multifactor authentication](../authentication/howto-mfa-userdevicesettings.md) |
+| IA-02(8)| **Implement replay-resistant authentication mechanisms for network access to privileged accounts.**<p>Configure conditional access policies to require multifactor authentication for all users. All Azure AD authentication methods at authentication assurance level 2 and 3 use either nonce or challenges and are resistant to replay attacks.<p>References<br> <li>[Conditional access: Require multifactor authentication for all users](../conditional-access/howto-conditional-access-policy-all-users-mfa.md)<br> <li>[Achieving NIST authenticator assurance levels with the Microsoft identity platform](nist-overview.md) |
+| IA-02(11)| **Implement Azure AD multifactor authentication to access customer-deployed resources remotely so that one of the factors is provided by a device separate from the system gaining access where the device meets FIPS-140-2, NIAP certification, or NSA approval.**<p>See guidance for IA-02(1-4). Azure AD authentication methods to consider at AAL3 meeting the separate device requirements are:<p> FIDO2 security keys<br> <li>Windows Hello for Business with hardware TPM (TPM is recognized as a valid "something you have" factor by NIST 800-63B Section 5.1.7.1.)<br> <li>Smart card<p>References<br><li>[Achieving NIST authenticator assurance levels with the Microsoft identity platform](nist-overview.md)<br> <li>[NIST 800-63B Section 5.1.7.1](https://pages.nist.gov/800-63-3/sp800-63b.html) |
+| IA-02(12)| **Accept and verify personal identity verification (PIV) credentials. This control isn't applicable if the customer doesn't deploy PIV credentials.**<p>Configure federated authentication by using Active Directory Federation Services (AD FS) to accept PIV (certificate authentication) as both primary and multifactor authentication methods and issue the multifactor authentication (MultipleAuthN) claim when PIV is used. Configure the federated domain in Azure AD with SupportsMFA to direct multifactor authentication requests originating at Azure AD to AD FS. Alternatively, you can use PIV for sign-in on Windows devices and later use Integrated Windows Authentication along with seamless single sign-on. Windows Server and client verify certificates by default when used for authentication. <p>Resources<br><li>[What is federation with Azure AD?](../hybrid/whatis-fed.md)<br> <li>[Configure AD FS support for user certificate authentication](/windows-server/identity/ad-fs/operations/configure-user-certificate-authentication)<br> <li>[Configure authentication policies](/windows-server/identity/ad-fs/operations/configure-authentication-policies)<br> <li>[Secure resources with Azure AD multifactor authentication and AD FS](../authentication/howto-mfa-adfs.md)<br><li>[Set-MsolDomainFederationSettings](/powershell/module/msonline/set-msoldomainfederationsettings)<br> <li>[Azure AD Connect: Seamless single sign-on](../hybrid/how-to-connect-sso.md) |
+| IA-03| **Implement device identification and authentication prior to establishing a connection.**<p>Configure Azure AD to identify and authenticate Azure AD Registered, Azure AD Joined, and Azure AD Hybrid joined devices.<p> Resources<br><li>[What is a device identity?](../devices/overview.md)<br> <li>[Plan an Azure AD devices deployment](../devices/plan-device-deployment.md)<br><li>[Require managed devices for cloud app access with conditional access](../conditional-access/require-managed-devices.md) |
+| IA-04<br>IA-04(4)| **Disable account identifiers after 35 days of inactivity and prevent their reuse for two years. Manage individual identifiers by uniquely identifying each individual (for example, contractors and foreign nationals).**<p>Assign and manage individual account identifiers and status in Azure AD in accordance with existing organizational policies defined in AC-02. Follow AC-02(3) to automatically disable user and device accounts after 35 days of inactivity. Ensure that organizational policy maintains all accounts that remain in the disabled state for at least two years. After this time, you can remove them. <p>Determine inactivity<br> <li>[Manage inactive user accounts in Azure AD](../reports-monitoring/howto-manage-inactive-user-accounts.md)<br> <li>[Manage stale devices in Azure AD](../devices/manage-stale-devices.md)<br> <li>[See AC-02 guidance](fedramp-access-controls.md) |
+| IA-05| **Configure and manage information system authenticators.**<p>Azure AD supports various authentication methods. You can use your existing organizational policies for management. See guidance for authenticator selection in IA-02(1-4). Enable users in combined registration for SSPR and Azure AD multifactor authentication and require users to register a minimum of two acceptable multifactor authentication methods to facilitate self-remediation. You can revoke user-configured authenticators at any time with the authentication methods API. <p>Authenticator strength/protecting authenticator content<br> <li>[Achieving NIST authenticator assurance levels with the Microsoft identity platform](nist-overview.md)<p>Authentication methods and combined registration<br> <li>[What authentication and verification methods are available in Azure Active Directory?](../authentication/concept-authentication-methods.md)<br> <li>[Combined registration for SSPR and Azure AD multifactor authentication](../authentication/concept-registration-mfa-sspr-combined.md)<p>Authenticator revokes<br> <li>[Azure AD authentication methods API overview](/graph/api/resources/authenticationmethods-overview?view=graph-rest-beta&preserve-view=true) |
+| IA-05(1)| **Implement password-based authentication requirements.**<p>Per NIST SP 800-63B Section 5.1.1: Maintain a list of commonly used, expected, or compromised passwords.<p>With Azure AD password protection, default global banned password lists are automatically applied to all users in an Azure AD tenant. To support your business and security needs, you can define entries in a custom banned password list. When users change or reset their passwords, these banned password lists are checked to enforce the use of strong passwords.<p>We strongly encourage passwordless strategies. This control is only applicable to password authenticators, so removing passwords as an available authenticator renders this control not applicable.<p>NIST reference documents<br><li>[NIST Special Publication 800-63B](https://pages.nist.gov/800-63-3/sp800-63b.html)<br><li>[NIST Special Publication 800-53 Revision 5](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf) - IA-5 - Control enhancement (1)<p>Resource<br><li>[Eliminate bad passwords using Azure AD password protection](../authentication/concept-password-ban-bad.md) |
+| IA-05(2)| **Implement PKI-based authentication requirements.**<p>Federate Azure AD via AD FS to implement PKI-based authentication. By default, AD FS validates certificates, locally caches revocation data, and maps users to the authenticated identity in Active Directory. <p> Resources<br> <li>[What is federation with Azure AD?](../hybrid/whatis-fed.md)<br> <li>[Configure AD FS support for user certificate authentication](/windows-server/identity/ad-fs/operations/configure-user-certificate-authentication) |
+| IA-05(4)| **Employ automated tools to validate password strength requirements.** <p>Azure AD implements automated mechanisms that enforce password authenticator strength at creation. This automated mechanism can also be extended to enforce password authenticator strength for on-premises Active Directory. Revision 5 of NIST 800-53 has withdrawn IA-04(4) and incorporated the requirement into IA-5(1).<p>Resources<br> <li>[Eliminate bad passwords using Azure AD password protection](../authentication/concept-password-ban-bad.md)<br> <li>[Azure AD password protection for Active Directory Domain Services](../authentication/concept-password-ban-bad-on-premises.md)<br><li>[NIST Special Publication 800-53 Revision 5](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf) - IA-5 - Control enhancement (4) |
+| IA-05(6)| **Protect authenticators as defined in the FedRAMP High Impact level.**<p>For more information on how Azure AD protects authenticators, see [Azure AD data security considerations](https://aka.ms/aaddatawhitepaper). |
+| IA-05(7)| **Ensure unencrypted static authenticators (for example, a password) aren't embedded in applications or access scripts or stored on function keys.**<p>Implement managed identities or service principal objects (configured with only a certificate).<p>Resources<br><li>[What are managed identities for Azure resources?](../managed-identities-azure-resources/overview.md)<br><li>[Create an Azure AD app and service principal in the portal](../develop/howto-create-service-principal-portal.md) |
+| IA-05(8)| **Implement security safeguards when individuals have accounts on multiple information systems.**<p>Implement single sign-on by connecting all applications to Azure AD, as opposed to having individual accounts on multiple information systems.<p>[What is Azure single sign-on?](../manage-apps/what-is-single-sign-on.md) |
+| IA-05(11)| **Require hardware token quality requirements as required by the FedRAMP High Impact level.**<p>Require the use of hardware tokens that meet AAL3.<p>[Achieving NIST authenticator assurance levels with the Microsoft identity platform](https://azure.microsoft.com/resources/microsoft-nist/) |
+| IA-05(13)| **Enforce the expiration of cached authenticators.**<p>Cached authenticators are used to authenticate to the local machine when the network isn't available. To limit the use of cached authenticators, configure Windows devices to disable their use. Where this action isn't possible or practical, use the following compensating controls:<p>Configure conditional access session controls by using application-enforced restrictions for Office applications.<br> Configure conditional access by using application controls for other applications.<p>Resources<br> <li>[Interactive logon number of previous logons to cache](/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available)<br> <li>[Session controls in conditional access policy: Application enforced restrictions](../conditional-access/concept-conditional-access-session.md)<br><li>[Session controls in conditional access policy: Conditional access application control](../conditional-access/concept-conditional-access-session.md) |
+| IA-06| **Obscure authentication feedback information during the authentication process.**<p>By default, Azure AD obscures all authenticator feedback.<p>
+| IA-07| **Implement mechanisms for authentication to a cryptographic module that meets applicable federal laws.**<p>The FedRAMP High Impact level requires the AAL3 authenticator. All authenticators supported by Azure AD at AAL3 provide mechanisms to authenticate operator access to the module as required. For example, in a Windows Hello for Business deployment with hardware TPM, configure the level of TPM owner authorization.<p> Resources<br><li>For more information, see IA-02 (2 and 4).<br> <li>[Achieving NIST authenticator assurance levels with the Microsoft identity platform](nist-overview.md) <br> <li>[TPM Group Policy settings](/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings) |
+| IA-08| **The information system uniquely identifies and authenticates non-organizational users (or processes acting for non-organizational users).**<p>Azure AD uniquely identifies and authenticates non-organizational users homed in the organizations tenant or in external directories by using Federal Identity, Credential, and Access Management (FICAM)-approved protocols.<p>Resources<br><li>[What is B2B collaboration in Azure Active Directory?](../external-identities/what-is-b2b.md)<br> <li>[Direct federation with an identity provider for B2B](../external-identities/direct-federation.md)<br> <li>[Properties of a B2B guest user](../external-identities/user-properties.md) |
+| IA-08(1)<br>IA-08(4)| **Accept and verify PIV credentials issued by other federal agencies. Conform to the profiles issued by the FICAM.**<p>Configure Azure AD to accept PIV credentials via federation (OIDC, SAML) or locally via Integrated Windows Authentication.<p>Resources<br> <li>[What is federation with Azure AD?](../hybrid/whatis-fed.md)<br> <li>[Configure AD FS support for user certificate authentication](/windows-server/identity/ad-fs/operations/configure-user-certificate-authentication)<br><li>[What is B2B collaboration in Azure Active Directory?](../external-identities/what-is-b2b.md)<br> <li>[Direct federation with an identity provider for B2B](../external-identities/direct-federation.md) |
+| IA-08(2)| **Accept only FICAM-approved credentials.**<p>Azure AD supports authenticators at NIST AALs 1, 2, and 3. Restrict the use of authenticators commensurate with the security category of the system being accessed. <p>Azure AD supports a wide variety of authentication methods.<p>Resources<br> <li>[What authentication and verification methods are available in Azure Active Directory?](../authentication/concept-authentication-methods.md)<br> <li>[Azure AD authentication methods policy API overview](/graph/api/resources/authenticationmethodspolicies-overview?view=graph-rest-beta&preserve-view=true)<br> <li>[Achieving NIST authenticator assurance levels with the Microsoft identity platform](https://azure.microsoft.com/resources/microsoft-nist/) |
-[Configure identification & authentication controls](fedramp-identification-and-authentication-controls.md)
+## Next steps
-[Configure other controls](fedramp-other-controls.md)
+- [Configure access controls](fedramp-access-controls.md)
+- [Configure identification and authentication controls](fedramp-identification-and-authentication-controls.md)
+- [Configure other controls](fedramp-other-controls.md)
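Review bot: The IA-05(4) row says "Revision 5 of NIST 800-53 has withdrawn IA-04(4) and incorporated the requirement into IA-5(1)", but this row is IA-05(4) and IA-04(4) is still a live control in its own row a few lines above, so the withdrawn control named here should be IA-05(4). Smaller points in the same table: the IA-06 row ends with a dangling `<p>` and has no closing `|`, unlike every other row, so its cell is unterminated; in the IA-02(11) row the first item "FIDO2 security keys" is missing the `<li>` that the two items after it carry, so it renders as a paragraph rather than a bullet; "homed in the organizations tenant" in the IA-08 row needs the possessive "organization's"; and the link text "Achieving NIST authenticator assurance levels with the Microsoft identity platform" points to nist-overview.md in the IA-02(8), IA-02(11), IA-05 and IA-07 rows but to https://azure.microsoft.com/resources/microsoft-nist/ in IA-05(11) and IA-08(2), so the same title resolves to two different targets; pick one.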
active-directory Fedramp Other Controls https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/standards/fedramp-other-controls.md
# Configure additional controls to achieve FedRAMP High Impact level
-The following list of controls (and control enhancements) in the families below may require configuration in your Azure AD tenant.
+The following list of controls (and control enhancements) might require configuration in your Azure Active Directory (Azure AD) tenant.
-Each row in the following tables provides prescriptive guidance to aid you in developing your organization's response to any shared responsibilities regarding the control and/or control enhancement.
+Each row in the following tables provides prescriptive guidance. This guidance helps you in developing your organization's response to any shared responsibilities regarding the control or control enhancement.
-## Audit & Accountability
+## Audit and accountability
-* AU-02 Audit events
+The guidance in the following table pertains to:
+* AU-02 Audit events
* AU-03 Content of audit
-* AU-06 Audit Review, Analysis, and Reporting
-
+* AU-06 Audit review, analysis, and reporting
| Control ID and subpart| Customer responsibilities and guidance | | - | - |
-| AU-02 <br>AU-03 <br>AU-03(1)<br>AU-03(2)| **Ensure the system is capable of auditing events defined in AU-02 Part a and coordinate with other entities within the organization's subset of auditable events to support after-the-fact investigations. Implement centralized management of audit records**.<p>All account lifecycle operations (account creation, modification, enabling, disabling, and removal actions) are audited within the Azure AD audit logs. All authentication and authorization events are audited within Azure AD sign-in logs, and any detected risks are audited in the Identity Protection logs. Each of these logs can be streamed directly into a Security Information and Event Management (SIEM) solution such as Azure Sentinel. Alternatively, use Azure Event Hub to integrate logs with third-party SIEM solutions.<p>Audit Events<li> [Audit activity reports in the Azure Active Directory portal](../reports-monitoring/concept-audit-logs.md)<li> [Sign-in activity reports in the Azure Active Directory portal](../reports-monitoring/concept-sign-ins.md)<li>[How To: Investigate risk](../identity-protection/howto-identity-protection-investigate-risk.md)<p>SIEM Integrations<li> [Azure Sentinel : Connect data from Azure Active Directory (Azure AD)](../../sentinel/connect-azure-active-directory.md)<li>[Stream to Azure event hub and other SIEMs](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md) |
-| AU-06<br>AU-06(1)<br>AU-06(3)<br>AU-06(4)<br>AU-06(5)<br>AU-06(6)<br>AU-06(7)<br>AU-06(10)<br>| **Review and analyze audit records at least once each week to identify inappropriate or unusual activity and report findings to appropriate personnel**. <p>Guidance provided above for AU-02 & AU-03 allows for weekly review of audit records and reporting to appropriate personnel. You cannot meet these requirements using only Azure AD. You must also use a SIEM solution such as Azure Sentinel.<p>[What is Azure Sentinel?](../../sentinel/overview.md) |
+| AU-02 <br>AU-03 <br>AU-03(1)<br>AU-03(2)| Ensure the system is capable of auditing events defined in AU-02 Part a. Coordinate with other entities within the organization's subset of auditable events to support after-the-fact investigations. Implement centralized management of audit records.<p>All account lifecycle operations (account creation, modification, enabling, disabling, and removal actions) are audited within the Azure AD audit logs. All authentication and authorization events are audited within Azure AD sign-in logs, and any detected risks are audited in the Identity Protection logs. You can stream each of these logs directly into a security information and event management (SIEM) solution such as Azure Sentinel. Alternatively, use Azure Event Hubs to integrate logs with third-party SIEM solutions.<p>Audit events<li> [Audit activity reports in the Azure Active Directory portal](../reports-monitoring/concept-audit-logs.md)<li> [Sign-in activity reports in the Azure Active Directory portal](../reports-monitoring/concept-sign-ins.md)<li>[How To: Investigate risk](../identity-protection/howto-identity-protection-investigate-risk.md)<p>SIEM integrations<li> [Azure Sentinel : Connect data from Azure Active Directory (Azure AD)](../../sentinel/connect-azure-active-directory.md)<li>[Stream to Azure event hub and other SIEMs](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md) |
+| AU-06<br>AU-06(1)<br>AU-06(3)<br>AU-06(4)<br>AU-06(5)<br>AU-06(6)<br>AU-06(7)<br>AU-06(10)<br>| Review and analyze audit records at least once each week to identify inappropriate or unusual activity, and report findings to appropriate personnel. <p>The preceding guidance provided for AU-02 and AU-03 allows for weekly review of audit records and reporting to appropriate personnel. You can't meet these requirements by using only Azure AD. You must also use a SIEM solution such as Azure Sentinel. For more information, see [What is Azure Sentinel?](../../sentinel/overview.md). |
-## Incident Response
+## Incident response
+
+The guidance in the following table pertains to:
* IR-04 Incident handling
Each row in the following tables provides prescriptive guidance to aid you in de
| Control ID and subpart| Customer responsibilities and guidance | | - | - |
-| IR-04<br>IR-04(1)<br>IR-04(2)<br>IR-04(3)<br>IR-04(4)<br>IR-04(6)<br>IR-04(8)<br>IR-05<br>IR-05(1)| **Implement incident handling and monitoring capabilities including Automated Incident Handling, Dynamic Reconfiguration, Continuity of Operations, Information Correlation, Insider Threats, Correlation with External Organizations, Incident Monitoring & Automated Tracking**. <p>All configuration changes are logged in the audit logs. Authentication and authorization events are audited within the sign-in logs, and any detected risks are audited in the Identity Protection logs. Each of these logs can be streamed directly into a Security Information and Event Management (SIEM) solution such as Azure Sentinel. Alternatively, use Azure Event Hub to integrate logs with third-party SIEM solutions. Automate dynamic reconfiguration based on events within the SIEM using MSGraph and/or Azure AD PowerShell.<p>Audit Events<br><li>[Audit activity reports in the Azure Active Directory portal](../reports-monitoring/concept-audit-logs.md)<li>[Sign-in activity reports in the Azure Active Directory portal](../reports-monitoring/concept-sign-ins.md)<li>[How To: Investigate risk](../identity-protection/howto-identity-protection-investigate-risk.md)<p>SIEM Integrations<li>[Azure Sentinel : Connect data from Azure Active Directory (Azure AD)](../../sentinel/connect-azure-active-directory.md)<li>[Stream to Azure event hub and other SIEMs](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md)<p>Dynamic Reconfiguration<li>[AzureAD Module](/powershell/module/azuread/)<li>[Overview of Microsoft Graph](/graph/overview?view=graph-rest-1.0&preserve-view=true) |
+| IR-04<br>IR-04(1)<br>IR-04(2)<br>IR-04(3)<br>IR-04(4)<br>IR-04(6)<br>IR-04(8)<br>IR-05<br>IR-05(1)| Implement incident handling and monitoring capabilities. This includes Automated Incident Handling, Dynamic Reconfiguration, Continuity of Operations, Information Correlation, Insider Threats, Correlation with External Organizations, and Incident Monitoring and Automated Tracking. <p>The audit logs record all configuration changes. Authentication and authorization events are audited within the sign-in logs, and any detected risks are audited in the Identity Protection logs. You can stream each of these logs directly into a SIEM solution, such as Azure Sentinel. Alternatively, use Azure Event Hubs to integrate logs with third-party SIEM solutions. Automate dynamic reconfiguration based on events within the SIEM by using Microsoft Graph or Azure AD PowerShell.<p>Audit events<br><li>[Audit activity reports in the Azure Active Directory portal](../reports-monitoring/concept-audit-logs.md)<li>[Sign-in activity reports in the Azure Active Directory portal](../reports-monitoring/concept-sign-ins.md)<li>[How To: Investigate risk](../identity-protection/howto-identity-protection-investigate-risk.md)<p>SIEM integrations<li>[Azure Sentinel : Connect data from Azure Active Directory (Azure AD)](../../sentinel/connect-azure-active-directory.md)<li>[Stream to Azure event hub and other SIEMs](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md)<p>Dynamic reconfiguration<li>[AzureAD Module](/powershell/module/azuread/)<li>[Overview of Microsoft Graph](/graph/overview?view=graph-rest-1.0&preserve-view=true) |
+
+## Personnel security
-## Personnel Security
+The guidance in the following table pertains to:
* PS-04 Personnel termination | Control ID and subpart| Customer responsibilities and guidance | | - | - |
-| PS-04<br>PS-04(2)| **Automatically notify personnel responsible for disabling access to the system.** <p>Disable accounts and revoke all associated authenticators and credentials within 8 hours. <p>Configure provisioning (including disablement upon termination) of accounts in Azure AD from external HR systems, on-premises Active Directory, or directly in the cloud. Terminate all system access by revoking existing sessions. <p>Account Provisioning<li> See detailed guidance in AC-02. <p>Revoke all Associated Authenticators. <li> [Revoke user access in an emergency in Azure Active Directory](../enterprise-users/users-revoke-access.md) |
+| PS-04<br>PS-04(2)| Automatically notify personnel responsible for disabling access to the system. <p>Disable accounts and revoke all associated authenticators and credentials within 8 hours. <p>Configure provisioning (including disablement upon termination) of accounts in Azure AD from external HR systems, on-premises Active Directory, or directly in the cloud. Terminate all system access by revoking existing sessions. <p>Account provisioning<li> See detailed guidance in AC-02. <p>Revoke all associated authenticators <li> [Revoke user access in an emergency in Azure Active Directory](../enterprise-users/users-revoke-access.md) |
+
+## System and information integrity
-## System & Information Integrity
+The guidance in the following table pertains to:
* SI-04 Information system monitoring Control ID and subpart| Customer responsibilities and guidance | | - | - |
-| SI-04<br>SI-04(1)| **Implement Information System wide monitoring & Intrusion Detection System**<p>Include all Azure AD logs (Audit, Sign-in, Identity Protection) within the information system monitoring solution. <p>Stream Azure AD logs into a SIEM solution (See IA-04). |
+| SI-04<br>SI-04(1)| Implement information system-wide monitoring, and the intrusion detection system. <p>Include all Azure AD logs (Audit, Sign-in, Identity Protection) within the information system monitoring solution. <p>Stream Azure AD logs into a SIEM solution (see IA-04). |
## Next steps [Configure access controls](fedramp-access-controls.md)
-[Configure identification & authentication controls](fedramp-identification-and-authentication-controls.md)
+[Configure identification and authentication controls](fedramp-identification-and-authentication-controls.md)
[Configure other controls](fedramp-other-controls.md)
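Review bot: The SI-04 row still says "Stream Azure AD logs into a SIEM solution (see IA-04)", but the SIEM streaming guidance in this article lives in the AU-02/AU-03 row (and is repeated in the IR-04 row), while IA-04 in the sibling identification-and-authentication article covers identifier management, so the cross-reference should point to AU-02/AU-03. The rewritten SI-04 summary "Implement information system-wide monitoring, and the intrusion detection system." also reads oddly with the comma and the definite article; "Implement information system-wide monitoring and an intrusion detection system." keeps the meaning of the removed line. Finally, the link text "Azure Sentinel : Connect data from Azure Active Directory (Azure AD)" in the AU-02/AU-03 and IR-04 rows carries a stray space before the colon.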
active-directory Nist About Authenticator Assurance Levels https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/standards/nist-about-authenticator-assurance-levels.md
Title: NIST Authenticator Assurance Levels with Azure Active Directory
+ Title: NIST authenticator assurance levels with Azure Active Directory
description: An overview of authenticator assurance levels as applied to Azure Active Directory
-# About Authenticator Assurance Levels
+# About authenticator assurance levels
-The National Institute of Standards and Technology (NIST) develops the technical requirements for US federal agencies implementing identity solutions. [NIST SP 800-63B](https://pages.nist.gov/800-63-3/sp800-63b.html) defines the technical guidelines for the implementation of digital authentication. It does so with a framework of Authenticator Assurance Levels (AALs). AALs characterize the strength of the authentication of a digital identity. The guidance also covers the management of the lifecycle of authenticators including revocation.
+The National Institute of Standards and Technology (NIST) develops the technical requirements for US federal agencies that are implementing identity solutions. [NIST SP 800-63B](https://pages.nist.gov/800-63-3/sp800-63b.html) defines the technical guidelines for the implementation of digital authentication. It does so with a framework of authenticator assurance levels (AALs). AALs characterize the strength of the authentication of a digital identity. The guidance also covers the management of the lifecycle of authenticators, including revocation.
-The standard includes AAL requirements for 11 requirement categories:
+The standard includes AAL requirements for these requirement categories:
* Permitted authenticator types
The standard includes AAL requirements for 11 requirement categories:
* Authentication intent
-* Records Retention Policy
+* Records retention policy
-* Privacy Controls
+* Privacy controls
-## Applying NIST AALs in your environment
+## Apply NIST AALs in your environment
> [!TIP]
-> We recommend that you meet at least AAL 2, unless business reasons, industry standards, or compliance requirements dictate that you meet AAL3.
+> We recommend that you meet at least AAL2. Meet AAL3 if necessary for business reasons, industry standards, or compliance requirements.
-In general, AAL1 isn't recommended because it accepts password-only solutions, and passwords are the most easily compromised form of authentication. See [Your Pa$$word doesn't matter](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/your-pa-word-doesn-t-matter/ba-p/731984).
+In general, AAL1 isn't recommended because it accepts password-only solutions, and passwords are the most easily compromised form of authentication. For more information, see the following blog post: [Your Pa$$word doesn't matter](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/your-pa-word-doesn-t-matter/ba-p/731984).
-While NIST doesn't require verifier impersonation (also known as credential phishing) resistance until AAL3, we highly advise that you address this threat at all levels. You can select authenticators that provide verifier impersonation resistance, such as requiring Azure AD joined or hybrid Azure AD joined devices. If you're using Office 365 you can address use Office 365 Advanced Threat Protection, and specifically [Anti-phishing policies](/microsoft-365/security/office-365-security/set-up-anti-phishing-policies).
+While NIST doesn't require verifier impersonation (also known as credential phishing) resistance until AAL3, we highly advise that you address this threat at all levels. You can select authenticators that provide verifier impersonation resistance, such as requiring that devices be joined to Azure Active Directory (Azure AD) or hybrid Azure AD. If you're using Office 365, you can use Office 365 Advanced Threat Protection, and specifically its [Anti-phishing policies](/microsoft-365/security/office-365-security/set-up-anti-phishing-policies).
-As you evaluate the appropriate NIST AAL for your organization, you can consider whether your entire organization must meet NIST standards, or if there are specific groups of users and resources that can be segregated, and the NIST AAL configurations applied to only a specific group of users and resources.
+As you evaluate the appropriate NIST AAL for your organization, consider whether your entire organization must meet NIST standards. If there are specific groups of users and resources that can be segregated, you might be able to apply the NIST AAL configurations to only a specific group of users and resources.
## Security controls, privacy controls, records retention policy
-Azure and Azure Government have earned a Provisional Authority to Operate (P-ATO) at the [NIST SP 800-53 High Impact Level](https://nvd.nist.gov/800-53/Rev4/impact/high) from the Joint Authorization Board, the highest bar for FedRAMP accreditation, which authorizes the use of Azure and Azure Government to process highly sensitive data.
+Azure and Azure Government have earned a provisional authority to operate (P-ATO) at the [NIST SP 800-53 High Impact level](https://nvd.nist.gov/800-53/Rev4/impact/high) from the Joint Authorization Board. This level represents the highest bar for FedRAMP accreditation, and it authorizes the use of Azure and Azure Government to process highly sensitive data.
-These Azure and Azure Government certifications satisfy the security controls, privacy controls and records retention policy requirements for AAL1, AAL2 and AAL3.
+These Azure and Azure Government certifications satisfy the security controls, privacy controls, and records retention policy requirements for AAL1, AAL2, and AAL3.
-The FedRAMP audit of Azure and Azure Government included the information security management system that encompasses infrastructure, development, operations, management, and support of in-scope services. Once a P-ATO is granted, a Cloud service provider still requires an authorization (an ATO) from any government agency it works with. For Azure, a government agency, or organizations working with them, can use the Azure P-ATO in its own security authorization process and rely on it as the basis for issuing an agency ATO that also meets FedRAMP requirements.
+The FedRAMP audit of Azure and Azure Government included the information security management system that encompasses infrastructure, development, operations, management, and support of in-scope services. When a P-ATO is granted, a cloud service provider still requires an authorization (an ATO) from any government agency it works with. For Azure, a government agency, or organizations working with them, can use the Azure P-ATO in its own security authorization process. The agency or organization can rely on it as the basis for issuing an agency ATO that also meets FedRAMP requirements.
-Azure continues to support more services at FedRAMP High Impact levels than any other cloud provider. And while FedRAMP High in the Azure public cloud will meet the needs of many US government customers, agencies with more stringent requirements will continue to rely on Azure Government, which provides additional safeguards such as the heightened screening of personnel. Microsoft lists all Azure public services currently available in Azure Government to the FedRAMP High boundary, as well as services planned for the current year.
+Azure continues to support more services at FedRAMP High Impact levels than any other cloud provider. And while FedRAMP High in the Azure public cloud meets the needs of many US government customers, agencies with more stringent requirements rely on Azure Government. Azure Government provides additional safeguards, such as the heightened screening of personnel. Microsoft lists all Azure public services currently available in Azure Government to the FedRAMP High boundary, as well as services planned for the current year.
-In addition, Microsoft is fully committed to [protecting and managing customer data](https://www.microsoft.com/trust-center/privacy/data-management) with clearly stated records retention policies. As a global company with customers in nearly every country in the world, Microsoft has a robust compliance portfolio to assist our customers. To view a complete list of our compliance offerings visit [Microsoft compliance offering](https://docs.microsoft.com/compliance/regulatory/offering-home).
+In addition, Microsoft is fully committed to [protecting and managing customer data](https://www.microsoft.com/trust-center/privacy/data-management) with clearly stated records retention policies. As a global company with customers in nearly every country in the world, Microsoft has a robust compliance portfolio to assist you. To view a complete list of our compliance offerings, see [Microsoft compliance offering](https://docs.microsoft.com/compliance/regulatory/offering-home).
-## Next Steps
+## Next steps
[NIST overview](nist-overview.md)
[NIST authenticator types](nist-authenticator-types.md)
-[Achieving NIST AAL1 with Azure AD](nist-authenticator-assurance-level-1.md)
+[Achieve NIST AAL1 with Azure AD](nist-authenticator-assurance-level-1.md)
-[Achieving NIST AAL2 with Azure AD](nist-authenticator-assurance-level-2.md)
+[Achieve NIST AAL2 with Azure AD](nist-authenticator-assurance-level-2.md)
-[Achieving NIST AAL3 with Azure AD](nist-authenticator-assurance-level-3.md)
+[Achieve NIST AAL3 with Azure AD](nist-authenticator-assurance-level-3.md)
active-directory Nist Authentication Basics https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/standards/nist-authentication-basics.md
Title: NIST authentication basics and Azure Active Directory
-description: Explanations of the terminology and authentication factors for NIST.
+description: This article defines important terminology and describes trusted platform modules and authentication factors for NIST.
-# NIST Authentication Basics
+# NIST authentication basics
-Understanding the NIST guidelines requires that you have a firm grounding in the terminology, and the concepts of trusted platform modules (TPMs) and authentication factors.
+To understand National Institute of Standards and Technology (NIST) guidelines, you need to know the terminology. You also need to understand Trusted Platform Module (TPM) technology and authentication factors. This article provides that information.
## Terminology
-The following terminology is used throughout these NIST-related articles.
+The following terminology is used throughout these NIST articles.
-|Term| Definition - *Italicized* terms are defined in this table|
+|Term| Definition. *Italicized* terms are defined in this table.|
| - | - |
-| Assertion| A statement from a *verifier* to a *relying party* containing information about the *subscriber*. May contain verified attributes. |
+| Assertion| A statement from a *verifier* to a *relying party* that contains information about the *subscriber*. An assertion might contain verified attributes. |
|Authentication| The process of verifying the identity of a *subject*. |
-| Authentication factor| Something you know, something you have, or something you are: Every *authenticator* has one or more authentication factors. |
-| Authenticator| Something the *claimant* possesses and controls that is used to authenticate the *claimantΓÇÖs* identity. |
-| Claimant| A *subject* whose identity is to be verified using one or more authentication protocols. |
+| Authentication factor| Something you know, something you have, or something you are. Every *authenticator* has one or more authentication factors. |
+| Authenticator| Something the *claimant* possesses and controls that's used to authenticate the *claimantΓÇÖs* identity. |
+| Claimant| A *subject* whose identity is to be verified via one or more *authentication* protocols. |
|Credential| An object or data structure that authoritatively binds an identity to at least one *authenticator* possessed and controlled by a *subscriber*. |
-| Credential Service Provider (CSP)| A trusted entity that issues or registers *subscriber authenticators* and issues electronic *credentials* to *subscribers*. |
-|Relying Party| An entity that relies on a *verifierΓÇÖs assertion*, or a *claimantΓÇÖs authenticators* and *credentials*, usually to grant access to a system. |
+| Credential service provider (CSP)| A trusted entity that issues or registers *subscriber authenticators* and issues electronic *credentials* to *subscribers*. |
+|Relying party| An entity that relies on a *verifierΓÇÖs assertion* or a *claimantΓÇÖs authenticators* and *credentials*, usually to grant access to a system. |
| Subject| A person, organization, device, hardware, network, software, or service. | | Subscriber| A party who has received a *credential* or *authenticator* from a *CSP*. |
-|Trusted Platform Module (TPM) | A TPM is a tamper resistant module that performs cryptographic operations including key generation. |
+|Trusted Platform Module | A TPM is a tamper-resistant module that does cryptographic operations, including key generation. |
| Verifier| An entity that verifies the *claimantΓÇÖs* identity by verifying the claimantΓÇÖs possession and control of *authenticators*. |
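Review bot: the renamed Term cell on the Trusted Platform Module row drops the "(TPM)" abbreviation, yet the Definition cell in the same row still opens with "A TPM is", and the TPM section below uses the short form throughout. A glossary row should introduce the abbreviation it relies on; keep it in the term: "|Trusted Platform Module (TPM) | A TPM is a tamper-resistant module that does cryptographic operations, including key generation. |".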
-## About Trusted Platform Modules
+## About Trusted Platform Module technology
-Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. A TPM chip, or hardware TPM, is a secure crypto processor that helps you with actions such as generating, storing, and limiting the use of cryptographic keys.
+Trusted Platform Module technology is designed to provide hardware-based security-related functions. A TPM chip, or hardware TPM, is a secure cryptographic processor that helps you with actions like generating, storing, and limiting the use of cryptographic keys.
-Microsoft provides significant information on how TPMs work with Microsoft Windows. For more information, see this article on the [Trusted Platform Module](https://docs.microsoft.com/windows/security/information-protection/tpm/trusted-platform-module-top-node).
+Microsoft provides significant information on how TPMs work with Windows. For more information, see [Trusted Platform Module](https://docs.microsoft.com/windows/security/information-protection/tpm/trusted-platform-module-top-node).
-A software TPM is an emulator that mimics this functionality.
+A software TPM is an emulator that mimics hardware TPM functionality.
## Authentication factors and their strengths
-Authentication factors can be grouped into three categories. The following table presents example of the types of factors under each grouping.
+Authentication factors can be grouped into three categories:
-![Pictorial representation of something you know, something you have, and something you are.](media/nist-authentication-basics/nist-authentication-basics-0.png)
+![Graphic that provides examples of authentication factors, grouped by something you know, something you have, and something you are.](media/nist-authentication-basics/nist-authentication-basics-0.png)
-The strength of an authentication factor is determined by how sure we can be that it is something that only the subscriber knows, has, or is.
+The strength of an authentication factor is determined by how sure you can be that it's something that only the subscriber knows, has, or is.
-There is limited guidance in NIST about the relative strength of authentication factors. Here at Microsoft, we assess the strengths as below.
+NIST provides limited guidance about the relative strength of authentication factors. The rest of this section describes how we assess those strengths at Microsoft.
-**Something you know**: Passwords, the most common something you know, represent the greatest attack surface. The following mitigations improve confidence in the affinity to the subscriber and are effective at preventing password attacks such as brute-force attacks, eavesdropping and social engineering:
+**Something you know**. Passwords, the most common *something you know*, represent the largest attack surface. The following mitigations improve confidence in the affinity to the subscriber. They're effective at preventing password attacks like brute-force attacks, eavesdropping, and social engineering:
* [Password complexity requirements](https://www.microsoft.com/research/wp-content/uploads/2016/06/Microsoft_Password_Guidance-1.pdf)
* [Account lockout](https://docs.microsoft.com/azure/active-directory/authentication/howto-password-smart-lockout)
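Review bot: the rewritten Something you know paragraph keeps the overclaim that the listed mitigations are "effective at preventing password attacks like brute-force attacks, eavesdropping, and social engineering". Complexity requirements and account lockout act on guessing attacks only; neither prevents eavesdropping or social engineering, which the second factor addresses rather than password hygiene. Suggest "reduce the risk of" in place of "are effective at preventing". Also, the new lead sentence "Authentication factors can be grouped into three categories:" ends with a colon but is followed by a graphic, not a list; "Authentication factors can be grouped into three categories, with examples in the following graphic." reads correctly.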
-**Something you have**: The strength of something you have is based on how likely the subscriber is to keep it in possession, and the difficulty in an attacker gaining access to it. For example, a personal mobile device or hardware key will have a higher affinity, and therefore be more secure, than a desktop computer in an office when trying to protect against internal threat.
+**Something you have**. The strength of *something you have* is based on how likely the subscriber is to keep it in possession and the difficulty for an attacker to gain access to it. For example, when you're trying to protect against internal threats, a personal mobile device or hardware key will have a higher affinity. So it will be more secure than a desktop computer in an office.
-**Something you are**: The ease with which an attacker can obtain a copy of something you are, or spoof a biometric, matters. NIST is drafting a framework for biometrics. Today, NIST will not accept biometrics as a separate authentication method. It must be a factor within multi-factor authentication. This is since biometrics are probabilistic in nature. That is, they use algorithms that determine the likelihood that it is the same person. It is not necessarily an exact match, as a password is. See this document on the [Strength of Function for Authenticators ΓÇô Biometrics](https://pages.nist.gov/SOFA/SOFA.html) (SOFA-B). SOFA-B attempts to present a framework to quantity biometricsΓÇÖ strength in terms of false match rate, false, fail rate, presentation attack detection error rate, and effort required to launch an attack.
+**Something you are**. The ease with which an attacker can obtain a copy of *something you are*, or spoof a biometric, matters. NIST is drafting a framework for biometrics. NIST currently won't accept biometrics as a separate authentication method. It must be a factor within multi-factor authentication. This precaution is in place because biometrics are probabilistic in nature. That is, they use algorithms that determine the likelihood of affinity. Biometrics don't necessarily provide an exact match, as passwords do. For more information, see [Strength of Function for Authenticators ΓÇô Biometrics](https://pages.nist.gov/SOFA/SOFA.html) (SOFA-B).
+
+SOFA-B attempts to present a framework to quantify the strength of biometrics for:
+- False match rate.
+- False fail rate.
+- Presentation attack detection error rate.
+- Effort required to perform an attack.
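Review bot: "algorithms that determine the likelihood of affinity" in the Something you are paragraph is vaguer than the sentence it replaces; a biometric matcher scores the likelihood that the presented sample and the enrolled template belong to the same person, so keep "the likelihood that it is the same person". In the new SOFA-B list, "False fail rate" is not a standard biometric metric name: the counterpart of false match rate is false non-match rate, so confirm the term against the linked SOFA-B page before publishing.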
## ΓÇÄSingle-factor authentication
-Single-factor authentication can be achieved by using a single-factor authenticator that constitutes something you know or something you are. While an authentication factor that is ΓÇ£something you areΓÇ¥ is accepted as an authentication factor, it is not accepted as an authenticator by itself.
+You can implement single-factor authentication by using a single-factor authenticator that verifies *something you know* or *something you are*. A *something you are* factor is accepted as an authentication factor, but it's not accepted as an authenticator by itself.
-![Conceptual image of single factor authentication.](media/nist-authentication-basics/nist-authentication-basics-1.png)
+![Graphic that shows how single-factor authentication works.](media/nist-authentication-basics/nist-authentication-basics-1.png)
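Review bot: the two sentences of the rewritten single-factor paragraph contradict each other. The first says a single-factor authenticator can verify "something you know or something you are"; the second says a something-you-are factor "is not accepted as an authenticator by itself". The single-factor authenticator types this batch of articles lists (memorized secret, out-of-band, single-factor OTP, single-factor crypto software and hardware) are all know or have, so the first sentence should read "something you know or something you have", leaving the second to explain why biometrics are excluded on their own.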
-## Multi-factor authentication
+## Multifactor authentication
-Multi-factor authentication can be achieved by either a multi-factor authenticator or by a combination of two single-factor authenticators. A multi-factor authenticator requires two authentication factors to execute a single authentication transaction.
+You can implement multifactor authentication either by using a multifactor authenticator or by using two single-factor authenticators. A multifactor authenticator requires two authentication factors to complete a single authentication transaction.
-### Multi-factor authentication using two single-factor authenticators
+### Multifactor authentication by using two single-factor authenticators
-Multi-factor authentication requires two different authentication factors. These can be two independent authenticators, such as
+Multifactor authentication requires two different authentication factors. These authenticators can be independent. For example:
-* Memorized secret [password] and out of band [SMS]
+* Memorized secret (password) and out of band (SMS)
-* Memorized secret [password] and one-time password [hardware or software]
+* Memorized secret (password) and one-time password (hardware or software)
-These methods perform two independent authentication transactions with Azure AD.
+These methods perform two independent authentication transactions with Azure Active Directory (Azure AD).
-![Conceptual image of multi-factor authentication using two separate authenticators.](media/nist-authentication-basics/nist-authentication-basics-2.png)
+![Graphic that describes multifactor authentication via two separate authenticators.](media/nist-authentication-basics/nist-authentication-basics-2.png)
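Review bot: the bullet "Memorized secret (password) and out of band (SMS)" should hyphenate the compound, "out-of-band (SMS)", to match the "Out-of-Band" authenticator type used in the AAL1 and AAL2 tables later in this batch.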
-### Multi-factor authentication using a single multi-factor authenticator
+### Multifactor authentication by using a single multifactor authenticator
-Multi-factor factor authentication requires one authentication factor (something you know or something you are) to unlock a second authentication factor. This is typically a simpler user experience than multiple independent authenticators.
+Multifactor factor authentication requires one authentication factor (*something you know* or *something you are*) to unlock a second authentication factor. The user experience is typically easier than that of multiple independent authenticators.
-![Conceptual image of multi-factor authentication a single multi-factor authenticator.](media/nist-authentication-basics/nist-authentication-basics-3a.png)
+![Graphic that shows multifactor authentication by using a single multifactor authenticator.](media/nist-authentication-basics/nist-authentication-basics-3a.png)
-One example is the Microsoft Authenticator app used in the passwordless mode. With this method the user attempts to access a secured resource (relying party), and receives a notification on their authenticator app. The user responds to a notification by providing either a biometric (something you are) or a PIN (something you know), which then unlocks the cryptographic key on the phone (something you have) which is then validated by the verifier.
+One example is the Microsoft Authenticator app used in passwordless mode. With this method, the user attempts to access a secured resource (relying party), and receives a notification on the Authenticator app. The user responds to the notification by providing either a biometric (*something you are*) or a PIN (*something you know*). This factor unlocks the cryptographic key on the phone (*something you have*), which the verifier then validates.
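Review bot: the added line carries over the doubled word from the original: "Multifactor factor authentication requires one authentication factor". Drop the second "factor": "Multifactor authentication requires one authentication factor (something you know or something you are) to unlock a second authentication factor."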
-## Next Steps
+## Next steps
[NIST overview](nist-overview.md)
[NIST authenticator types](nist-authenticator-types.md)
-[Achieving NIST AAL1 with Azure AD](nist-authenticator-assurance-level-1.md)
+[Achieving NIST AAL1 bu using Azure AD](nist-authenticator-assurance-level-1.md)
-[Achieving NIST AAL2 with Azure AD](nist-authenticator-assurance-level-2.md)
+[Achieving NIST AAL2 by using Azure AD](nist-authenticator-assurance-level-2.md)
-[Achieving NIST AAL3 with Azure AD](nist-authenticator-assurance-level-3.md)
+[Achieving NIST AAL3 by using Azure AD](nist-authenticator-assurance-level-3.md)
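Review bot: typo in the first renamed link: "Achieving NIST AAL1 bu using Azure AD" should be "by using". Beyond that, these three link titles ("Achieving NIST AAL1 by using Azure AD") do not match the form the sibling articles in this same batch adopt for the identical links ("Achieve NIST AAL1 with Azure AD"); pick one wording for every Next steps block.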
active-directory Nist Authenticator Assurance Level 1 https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/standards/nist-authenticator-assurance-level-1.md
Title: Achieving NIST AAL1 with the Azure Active Directory
-description: Guidance on achieving NIST authenticator assurance level 1 (AAL 1) with Azure Active Directory.
+ Title: Achieve NIST AAL1 with Azure Active Directory
+description: Guidance on achieving NIST authenticator assurance level 1 (AAL1) with Azure Active Directory.
-# Achieving NIST Authenticator assurance level 1 with Azure Active Directory
+# Achieve NIST authenticator assurance level 1 with Azure Active Directory
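Review bot: as rendered here, the hunk adds a second metadata line " Title: Achieve NIST AAL1 with Azure Active Directory" (with a leading space) but does not remove the existing "Title: Achieving NIST AAL1 with the Azure Active Directory" line, so the front matter would carry two Title keys. Replace the old line rather than adding a new one, and drop the leading space so the key parses like the others.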
-The National Institute of Standards and Technology (NIST) develops the technical requirements for US federal agencies implementing identity solutions. Meeting these requirements is also required for organizations working with federal agencies. This article guides you to achieve NIST authentication assurance level 1 (AAL1).
+The National Institute of Standards and Technology (NIST) develops the technical requirements for US federal agencies that implement identity solutions. Meeting these requirements is also required for organizations working with federal agencies.
-Resources you may want to see prior to trying to achieve AAL 1:
-* [NIST overview](nist-overview.md) - understand the different AAL levels.
-* [Authentication basics](nist-authentication-basics.md) - Important terminology and authentication types.
-* [NIST authenticator types](nist-authenticator-types.md)- Understand each of the authenticator types.
-* [NIST AALs](nist-about-authenticator-assurance-levels.md) - the components of the AALs, how Microsoft Azure Active Directory authentication methods map to them, and understanding trusted platform modules (TPMs).
+Before you attempt to achieve authenticator assurance level 1 (AAL1), you might want to see the following resources:
+* [NIST overview](nist-overview.md): Understand the different AAL levels.
+* [Authentication basics](nist-authentication-basics.md): Important terminology and authentication types.
+* [NIST authenticator types](nist-authenticator-types.md): Understand each of the authenticator types.
+* [NIST AALs](nist-about-authenticator-assurance-levels.md): Covers the components of the AALs, how Azure Active Directory (Azure AD) authentication methods map to them, and understanding trusted platform modules (TPMs).
## Permitted authenticator types
- Any NIST single- or multi-factor [permitted authenticator](nist-authenticator-types.md) can be used to achieve AAL1. the following table contains those not covered in [AAL2](nist-authenticator-assurance-level-2.md) and [AAL3](nist-authenticator-assurance-level-2.md).
+ To achieve AAL1, you can use any NIST single-factor or multifactor [permitted authenticator](nist-authenticator-types.md). The following table contains those not covered in [AAL2](nist-authenticator-assurance-level-2.md) and [AAL3](nist-authenticator-assurance-level-2.md).
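Review bot: the AAL3 link in the rewritten sentence still points at the AAL2 file: "[AAL3](nist-authenticator-assurance-level-2.md)". The target should be nist-authenticator-assurance-level-3.md, the same file the Next steps block of this article links to.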
-| Azure AD Authentication Method| NIST Authenticator Type |
+| Azure AD authentication method| NIST authenticator type |
| - | - | | Password |Memorized Secret | | Phone (SMS)| Out-of-Band |
-| FIDO 2 security key <br>Microsoft Authenticator app for iOS (Passwordless)<br>Windows Hello for Business with software TPM <br>Smartcard (ADFS) | Multi-factor Crypto software |
+| FIDO 2 security key <br>Microsoft Authenticator app for iOS (Passwordless)<br>Windows Hello for Business with software TPM <br>Smartcard (Active Directory Federation Services) | Multi-factor Crypto software |
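Review bot: the authenticator type in this row conflicts with the AAL2 table elsewhere in this batch. Here "FIDO 2 security key" and "Smartcard (Active Directory Federation Services)" are classed as "Multi-factor Crypto software", whereas the AAL2 table places FIDO 2 security key and Smartcard under "Multifactor crypto hardware" and reserves crypto software for the iOS Authenticator app and Windows Hello for Business with a software TPM. A security key or smart card keeps its private key in dedicated hardware, so the AAL2 classification is the one to keep here. Also unify "Multi-factor" with the "Multifactor" spelling the rest of the batch now uses.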
> [!TIP]
-> We recommend that you meet at least AAL 2, unless business reasons, industry standards, or compliance requirements dictate that you meet AAL3.
+> We recommend that you meet at least AAL2. Meet AAL3 if necessary for business reasons, industry standards, or compliance requirements.
## FIPS 140 validation ### Verifier requirements
-Azure AD is using the Windows FIPS 140 Level 1 overall validated cryptographic
-ΓÇÄmodule for all its authentication related cryptographic operations. It is therefore a FIPS 140 compliant verifier as required by government agencies.
+Azure AD uses the Windows FIPS 140 Level 1 overall validated cryptographic ΓÇÄmodule for all its authentication related cryptographic operations. It's therefore a FIPS 140 compliant verifier as required by government agencies.
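Review bot: the joined line keeps the stray left-to-right mark that the rendering shows as "ΓÇÄ" immediately before "module"; it is an invisible character that will survive into the published page and breaks text search, so delete it. While here, hyphenate the compound modifiers: "authentication-related cryptographic operations" and "FIPS 140-compliant verifier".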
-## Man-in-the-middle (MitM) resistance
+## Man-in-the-middle resistance
-All communications between the claimant and Azure AD are performed over an authenticated protected channel to provide resistance to MitM attacks. This satisfies the MitM resistance requirements for AAL1, AAL2 and AAL3.
+All communications between the claimant and Azure AD are performed over an authenticated, protected channel, to provide resistance to man-in-the-middle (MitM) attacks. This satisfies the MitM resistance requirements for AAL1, AAL2, and AAL3.
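Review bot: the added comma after "channel" cuts the verb off from its purpose clause; "over an authenticated, protected channel to provide resistance to man-in-the-middle (MitM) attacks" reads correctly without it.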
-## Next Steps
+## Next steps
[NIST overview](nist-overview.md)
[NIST authenticator types](nist-authenticator-types.md)
-[Achieving NIST AAL1 with Azure AD](nist-authenticator-assurance-level-1.md)
+[Achieve NIST AAL1 with Azure AD](nist-authenticator-assurance-level-1.md)
-[Achieving NIST AAL2 with Azure AD](nist-authenticator-assurance-level-2.md)
+[Achieve NIST AAL2 with Azure AD](nist-authenticator-assurance-level-2.md)
-[Achieving NIST AAL3 with Azure AD](nist-authenticator-assurance-level-3.md)
+[Achieve NIST AAL3 with Azure AD](nist-authenticator-assurance-level-3.md)
active-directory Nist Authenticator Assurance Level 2 https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/standards/nist-authenticator-assurance-level-2.md
Title: Achieving NIST AAL2 with the Azure Active Directory
-description: Guidance on achieving NIST authenticator assurance level 2 (AAL 2) with Azure Active Directory.
+ Title: Achieve NIST AAL2 with the Azure Active Directory
+description: Guidance on achieving NIST authenticator assurance level 2 (AAL2) with Azure Active Directory.
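Review bot: the new title keeps "the" ("Achieve NIST AAL2 with the Azure Active Directory") while the AAL1 article in this batch changed to "Achieve NIST AAL1 with Azure Active Directory"; drop "the" so the series titles match. As rendered here, the hunk also adds a second " Title:" line (with a leading space) without removing the original "Title:" line, so the front matter would carry two Title keys.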
-# Achieving NIST authenticator assurance level 2 with Azure Active Directory
+# Achieve NIST authenticator assurance level 2 with Azure Active Directory
-The National Institute of Standards and Technology (NIST) develops the technical requirements for US federal agencies implementing identity solutions. Meeting these requirements is also required for organizations working with federal agencies. This article guides you to achieve NIST authentication assurance level 2 (AAL2).
+The National Institute of Standards and Technology (NIST) develops the technical requirements for US federal agencies that implement identity solutions. Meeting these requirements is also required for organizations working with federal agencies.
-Resources you may want to see prior to trying to achieve AAL 2:
-* [NIST overview](nist-overview.md) - understand the different AAL levels.
-* [Authentication basics](nist-authentication-basics.md) - Important terminology and authentication types.
-* [NIST authenticator types](nist-authenticator-types.md)- Understand each of the authenticator types.
-* [NIST AALs](nist-about-authenticator-assurance-levels.md) - the components of the AALs, and how Microsoft Azure Active Directory authentication methods map to them.
+Before you attempt to achieve authenticator assurance level 2 (AAL2), you might want to see the following resources:
+* [NIST overview](nist-overview.md): Understand the different AAL levels.
+* [Authentication basics](nist-authentication-basics.md): Important terminology and authentication types.
+* [NIST authenticator types](nist-authenticator-types.md): Understand each of the authenticator types.
+* [NIST AALs](nist-about-authenticator-assurance-levels.md): Covers the components of the AALs, and how Azure Active Directory (Azure AD) authentication methods map to them.
-## Permitted Authenticator Types
+## Permitted authenticator types
+The following table provides details about the authenticator types permitted for AAL2:
-| Azure AD Authentication method| NIST Authenticator type |
+| Azure AD authentication method| NIST authenticator type |
| - | - | | **Recommended methods** | |
-| Microsoft Authenticator app for iOS (Passwordless)<br>Windows Hello for Business w/ software TPM | Multi-factor crypto software |
-| FIDO 2 security key<br>Microsoft Authenticator app for Android (Passwordless)<br>Windows Hello for Business w/ hardware TPM<br>Smartcard (ADFS) | Multi-factor crypto hardware |
+| Microsoft Authenticator app for iOS (Passwordless)<br>Windows Hello for Business with software trusted platform module (TPM) | Multifactor crypto software |
+| FIDO 2 security key<br>Microsoft Authenticator app for Android (Passwordless)<br>Windows Hello for Business with hardware TPM<br>Smartcard (Active Directory Federation Services) | Multifactor crypto hardware |
| **Additional methods** | | | Password + Phone (SMS) | Memorized Secret + Out-of-Band | | Password + Microsoft Authenticator App (OTP)<br>Password + SF OTP | Memorized Secret + ΓÇÄSingle-factor one-time password | | Password + Azure AD joined with software TPM <br>Password + Compliant mobile device<br>Password + Hybrid Azure AD Joined with software TPM <br>Password + Microsoft Authenticator App (Notification) | Memorized Secret + ΓÇÄSingle-factor crypto SW |
-| Password + Azure AD joined with hardware TPM <br>Password + Hybrid Azure AD Joined with hardware TPM | Memorized Secret + ΓÇÄSingle-factor crypto hardware |
+| Password + Azure AD joined with hardware TPM <br>Password + Hybrid Azure AD joined with hardware TPM | Memorized Secret + ΓÇÄSingle-factor crypto hardware |
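Review bot: the rewritten rows spell the category "Multifactor crypto software" and "Multifactor crypto hardware", while the unchanged rows beneath them keep "Single-factor crypto SW" and "Single-factor crypto hardware"; expand "SW" to "software" and settle on one hyphenation so the column reads as a single scheme. The unchanged cells also carry left-to-right marks (shown as "ΓÇÄ") before "Single-factor", which should go in the same pass.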
### Our recommendations
-We recommend using multi-factor cryptographic hardware or software authenticators to achieve AAL2. Passwordless authentication eliminates the greatest attack surfaceΓÇöthe passwordΓÇöand offers users a streamlined method to authenticate.
+To achieve AAL2, use multifactor cryptographic hardware or software authenticators. Passwordless authentication eliminates the greatest attack surface (the password), and offers users a streamlined method to authenticate.
For detailed guidance on selecting a passwordless authentication method, see [Plan a passwordless authentication deployment in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/authentication/howto-authentication-passwordless-deployment).
For more information on implementing Windows Hello for Business, see the [Window
## FIPS 140 validation
-The following information is a guide to achieving FIPS 140 validation.
+The following sections discuss achieving FIPS 140 validation.
### Verifier requirements
-Azure AD is using the Windows FIPS 140 Level 1 overall validated cryptographic
-ΓÇÄmodule for all its authentication related cryptographic operations. It is therefore a FIPS 140 compliant verifier as required by government agencies.
+Azure AD uses the Windows FIPS 140 Level 1 overall validated cryptographic ΓÇÄmodule for all its authentication related cryptographic operations. It's therefore a FIPS 140 compliant verifier as required by government agencies.
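Review bot: the joined verifier sentence carries an invisible left-to-right mark (shown as "ΓÇÄ") before "module"; delete it, since it survives into the published HTML and breaks search. "authentication related" and "FIPS 140 compliant" are compound modifiers and want hyphens: "authentication-related cryptographic operations", "FIPS 140-compliant verifier".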
### Authenticator requirements
-*Government agenciesΓÇÖ cryptographic authenticators are required to be FIPS 140 Level 1 overall validated*. This is not a requirement for non-governmental agencies. The following Azure AD authenticators meet the requirement when running on [Windows in a FIPS 140 approved mode of operation](https://docs.microsoft.com/windows/security/threat-protection/fips-140-validation)
+The cryptographic authenticators of government agencies are required to be validated for FIPS 140 Level 1 overall. This isn't a requirement for non-governmental agencies. The following Azure AD authenticators meet the requirement when running on [Windows in a FIPS 140 approved mode of operation](https://docs.microsoft.com/windows/security/threat-protection/fips-140-validation):
* Password
-* Azure AD joined w/ software or w/ hardware TPM
+* Azure AD joined with software or with hardware TPM
-* Hybrid Azure AD Joined w/ software or w/ hardware TPM
+* Hybrid Azure AD joined with software or with hardware TPM
-* Windows Hello for Business w/ software or w/ hardware TPM
+* Windows Hello for Business with software or with hardware TPM
-* Smartcard (ADFS)
+* Smartcard (Active Directory Federation Services)
-FIDO2 security keys, and the Microsoft Authenticator app (in all its modes - Notification, OTP and Passwordless) do not meet government agencies requirement for FIPS 140 Level 1 overall validation as of this writing.
-
-* Microsoft Authenticator app is using FIPS 140 approved cryptography; however, it is not FIPS 140 Level 1 overall validated.
-
-* FIDO2 keys are a very recent innovation and as such are still in the process of the undergoing FIPS certification.
+FIDO2 security keys don't meet government agencies' requirement for FIPS 140 Level 1 overall validation as of this writing. The Microsoft Authenticator app doesn't meet this requirement either. This is true no matter which mode of the Microsoft Authenticator app you're using.
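Review bot: the rewrite drops the two bullets that explained why the Microsoft Authenticator app and FIDO2 keys fall short, and that explanation is what a compliance reader needs: the app "is using FIPS 140 approved cryptography; however, it is not FIPS 140 Level 1 overall validated", and FIDO2 keys were "still in the process of the undergoing FIPS certification". Using approved algorithms and holding a module validation are different things, and the distinction is exactly what an agency assessor asks about, so keep one sentence on each. Separately, "non-governmental agencies" in the sentence above is a contradiction in terms; "non-government organizations" is meant.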
## Reauthentication
-At AAL2 NIST requires reauthentication every 12 hours regardless of user activity, and after any period of inactivity lasting 30 minutes or longer. Presentation of something you know or something you are is required, since the session secret is something you have.
+At the AAL2 level, NIST requires reauthentication every 12 hours, regardless of user activity. Reauthentication is also required after any period of inactivity lasting 30 minutes or longer. Presentation of something you know or something you are is required, because the session secret is something you have.
To meet the requirement for reauthentication regardless of user activity, Microsoft recommends configuring [user sign-in frequency](https://docs.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime) to 12 hours. NIST also allows the use of compensating controls for confirming the subscriberΓÇÖs presence:
-* Session inactivity timeout of 30 minutes can be achieved by locking the device at the OS level by leveraging Microsoft System Center Configuration Manager (SCCM), Group policy objects (GPO), or Intune. You must also require local authentication for the subscriber to unlock it.
+* You can set session inactivity timeout to 30 minutes by locking the device at the operating system level by using Microsoft System Center Configuration Manager, group policy objects (GPOs), or Intune. You must also require local authentication for the subscriber to unlock it.
-* Timeout regardless of activity can be achieved by running a scheduled task (leveraging SCCM, GPO or Intune) that locks the machine after 12 hours regardless of activity.
+* Timeout regardless of activity can be achieved by running a scheduled task (using Configuration Manager, GPO, or Intune) that locks the machine after 12 hours, regardless of activity.
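Review bot: the first bullet needs an article and stacks two "by" phrases: "You can set session inactivity timeout to 30 minutes by locking the device at the operating system level by using Microsoft System Center Configuration Manager". Suggest "You can meet the 30-minute inactivity timeout by locking the device at the operating-system level with Microsoft System Center Configuration Manager, Group Policy objects (GPOs), or Intune, and requiring local authentication to unlock it." The second bullet's shortened "Configuration Manager" is fine once the full name has appeared.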
-## Man-in-the-middle (MitM) resistance
+## Man-in-the-middle resistance
-All communications between the claimant and Azure AD are performed over an authenticated protected channel to provide resistance to MitM attacks. This satisfies the MitM resistance requirements for AAL1, AAL2 and AAL3.
+All communications between the claimant and Azure AD are performed over an authenticated, protected channel, to provide resistance to man-in-the-middle (MitM) attacks. This satisfies the MitM resistance requirements for AAL1, AAL2, and AAL3.
## Replay resistance
-All Azure AD authentication methods at AAL2 use either nonce or challenges and are resistant to replay attacks since the verifier will easily detect replayed authentication transactions since they will not contain the appropriate nonce or timeliness data.
+All Azure AD authentication methods at AAL2 use either nonce or challenges. The methods are resistant to replay attacks because the verifier easily detects replayed authentication transactions. Such transactions won't contain the appropriate nonce or timeliness data.
-## Next Steps
+## Next steps
[NIST overview](nist-overview.md)
[NIST authenticator types](nist-authenticator-types.md)
-[Achieving NIST AAL1 with Azure AD](nist-authenticator-assurance-level-1.md)
+[Achieve NIST AAL1 with Azure AD](nist-authenticator-assurance-level-1.md)
-[Achieving NIST AAL2 with Azure AD](nist-authenticator-assurance-level-2.md)
+[Achieve NIST AAL2 with Azure AD](nist-authenticator-assurance-level-2.md)
-[Achieving NIST AAL3 with Azure AD](nist-authenticator-assurance-level-3.md)
+[Achieve NIST AAL3 with Azure AD](nist-authenticator-assurance-level-3.md)
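Review bot: In the second compensating-control bullet, "+* Timeout regardless of activity can be achieved by running a scheduled task (using Configuration Manager, GPO, or Intune) ..." keeps the passive voice and the short product name, while the bullet just above it was rewritten to "You can set session inactivity timeout to 30 minutes ..." and spells out "Microsoft System Center Configuration Manager" without introducing that short form. Rewrite the second bullet in the same voice and add the short form on first mention, for example "Microsoft System Center Configuration Manager (Configuration Manager)". Two smaller points: "session inactivity timeout to 30 minutes" reads better as "a session inactivity timeout of 30 minutes", which is the wording used for the 15-minute timeout in the AAL3 article in this same change, and in the Replay resistance paragraph "use either nonce or challenges" should read "use either a nonce or a challenge" (the old line had the same problem).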
active-directory Nist Authenticator Assurance Level 3 https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/standards/nist-authenticator-assurance-level-3.md
Title: Achieving NIST AAL3 with the Azure Active Directory
-description: Guidance on achieving NIST authenticator assurance level 3 (AAL 3) with Azure Active Directory.
+ Title: Achieve NIST AAL3 by using Azure Active Directory
+description: This article provides guidance on achieving NIST authenticator assurance level 3 (AAL3) by using Azure Active Directory.
-# Achieving NIST authenticator assurance level 3 with the Azure Active Directory
+# Achieve NIST authenticator assurance level 3 by using Azure Active Directory
-This article guides you to achieving National Institute of Standards and Technology authenticator assurance level (NIST AAL) 3. Resources you may want to see prior to trying to achieve AAL 3:
-* [NIST overview](nist-overview.md) - understand the different AAL levels.
-* [Authentication basics](nist-authentication-basics.md) - Important terminology and authentication types.
-* [NIST authenticator types](nist-authenticator-types.md)- Understand each of the authenticator types.
-* [NIST AALs](nist-about-authenticator-assurance-levels.md) - the components of the AALs, and how Microsoft Azure Active Directory authentication methods map to them.
+This article helps you achieve National Institute of Standards and Technology authenticator assurance level (NIST AAL) 3. You might want to review these resources before you try to achieve AAL3:
+* [NIST overview](nist-overview.md): Understand the different AAL levels.
+* [Authentication basics](nist-authentication-basics.md): Important terminology and authentication types.
+* [NIST authenticator types](nist-authenticator-types.md): Understand each of the authenticator types.
+* [NIST AALs](nist-about-authenticator-assurance-levels.md): Covers the components of the AALs and how Azure Active Directory (Azure AD) authentication methods map to them.
## Permitted authenticator types
-Microsoft offers authentication methods that enable you to meet required NIST authenticator types. Please see our recommendations.
+Microsoft offers authentication methods that enable you to meet required NIST authenticator types. This section provides Microsoft recommendations.
-| Azure AD Authentication Methods| NIST Authenticator Type |
+| Azure AD authentication methods| NIST authenticator type |
| - | -| | **Recommended methods**| |
-| FIDO2 security key **OR**<br> Smartcard (AD FS) **OR**<br>Windows Hello for Business w/ hardware TPM| Multi-factor cryptographic hardware |
+| FIDO2 security key<br>or<br> Smart card (Active Directory Federation Services [AD FS])<br>or<br>Windows Hello for Business with hardware TPM| Multifactor cryptographic hardware |
| **Additional methods**| |
-| Password **AND**<br>(Hybrid Azure AD Joined w/ hardware TPM **OR** <br> Azure AD joined w/ hardware TPM)| Memorized secret **+** Single-factor crypto hardware |
-| Password **AND**<br>(Single-factor one-time-password hardware (from OTP manufacturers) **OR**<br>Hybrid Azure AD Joined w/ software TPM **OR** <br> Azure AD joined w/ software TPM **OR**<br> Compliant managed device)| Memorized secret **AND**<br>Single-factor one-time password hardware **AND**<br>Single-factor crypto software |
+| Password<br> and<br>(Hybrid Azure AD joined with hardware TPM <br>or <br> Azure AD joined with hardware TPM)| Memorized secret<br>and<br> Single-factor cryptographic hardware |
+| Password <br>and<br>(Single-factor one-time password hardware (from an OTP manufacturer) <br>or<br>Hybrid Azure AD joined with software TPM <br>or <br> Azure AD joined with software TPM <br>or<br> Compliant managed device)| Memorized secret <br>and<br>Single-factor one-time password hardware<br> and<br>Single-factor cryptographic software |
### Our recommendations
-We recommend using a multi-factor cryptographic hardware authenticator to achieve AAL3. Passwordless authentication eliminates the greatest attack surfaceΓÇöthe passwordΓÇöand offers users a streamlined method to authenticate. If your organization is completely cloud-based, we recommend using FIDO2 security keys.
+We recommend using a multifactor cryptographic hardware authenticator to achieve AAL3. Passwordless authentication eliminates the greatest attack surface, the password, and offers users a streamlined authentication method. If your organization is completely cloud based, we recommend that you use FIDO2 security keys.
-Please note that FIDO2 keys and Windows Hello for Business have not been validated at the required FIPS 140 Security Level and as such federal customers would need to conduct risk assessment and evaluation before accepting these authenticators as AAL3.
+Note that FIDO2 keys and Windows Hello for Business haven't been validated at the required FIPS 140 Security Level. So federal customers need to conduct risk assessment and evaluation before accepting these authenticators as AAL3.
For detailed guidance, see [Plan a passwordless authentication deployment in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/authentication/howto-authentication-passwordless-deployment).
For more information on implementing Windows Hello for Business, see the [Window
### Verifier requirements
-Azure AD is using the Windows FIPS 140 Level 1 overall validated cryptographic
-ΓÇÄmodule for all its authentication related cryptographic operations. It is therefore a FIPS 140 compliant verifier.
+Azure AD uses the Windows FIPS 140 Level 1 Overall validated cryptographic
+ΓÇÄmodule for all of its authentication-related cryptographic operations. So it's a FIPS-140 compliant verifier.
### Authenticator requirements
-Single-factor and multi-factor cryptographic hardware authenticators have different authenticator requirements.
+Single-factor and multifactor cryptographic hardware authenticators have different authenticator requirements.
-Single-factor cryptographic hardware authenticators are required to be
+**Single-factor cryptographic hardware** authenticators are required to be:
-* FIPS 140 Level 1 overall (or higher)
+* FIPS 140 Level 1 Overall (or higher).
-* FIPS 140 Level 3 Physical Security (or higher)
+* FIPS 140 Level 3 Physical Security (or higher).
-Azure AD joined and Hybrid Azure AD joined devices meet this requirement when
+Azure AD joined and Hybrid Azure AD joined devices meet this requirement when:
-* you run [Windows in a FIPS 140 approved mode of operation](https://docs.microsoft.com/windows/security/threat-protection/fips-140-validation)
+* You run [Windows in a FIPS-140 approved mode of operation](https://docs.microsoft.com/windows/security/threat-protection/fips-140-validation).
-* on a machine with a TPM that is FIPS 140 Level 1 overall (or higher) with FIPS 140 Level 3 Physical Security.
+* On a machine with a TPM that's FIPS 140 Level 1 Overall (or higher) with FIPS 140 Level 3 Physical Security.
- * Find compliant TPMs by searching ΓÇ£Trusted Platform ModuleΓÇ¥ and ΓÇ£TPMΓÇ¥ under [Cryptographic Module Validation Program](https://csrc.nist.gov/Projects/cryptographic-module-validation-program/validated-modules/Search).
+ * Find compliant TPMs by searching for "Trusted Platform Module" and "TPM" on the [Cryptographic Module Validation Program](https://csrc.nist.gov/Projects/cryptographic-module-validation-program/validated-modules/Search) page.
-Check with your mobile device vendor to learn about their adherence with FIPS 140.
+Check with your mobile device vendor to learn about your vendor's adherence with FIPS 140.
-**Multi-factor cryptographic hardware** authenticators are required to be
+**Multifactor cryptographic hardware** authenticators are required to be:
-* FIPS 140 Level 2 overall (or higher)
+* FIPS 140 Level 2 Overall (or higher).
-* FIPS 140 Level 3 Physical Security (or higher)
+* FIPS 140 Level 3 Physical Security (or higher).
-FIDO2 security keys, Smartcards, and Windows Hello for Business can help you meet these requirements.
+FIDO2 security keys, smart cards, and Windows Hello for Business can help you meet these requirements.
-* FIDO2 keys are a very recent innovation and as such are still in the process of the undergoing FIPS certification.
+* FIDO2 keys are a recent innovation, so they're still in the process of meeting FIPS certification.
-* Smartcards are a proven technology with multiple vendor products meeting FIPS requirements.
+* Smart cards are a proven technology. Multiple vendor products meet FIPS requirements.
- * Find out more on the [Cryptographic Module Validation Program](https://csrc.nist.gov/Projects/cryptographic-module-validation-program/validated-modules/Search).
+ * Learn more on the [Cryptographic Module Validation Program](https://csrc.nist.gov/Projects/cryptographic-module-validation-program/validated-modules/Search) page.
**Windows Hello for Business**
-FIPS 140 requires the entire cryptographic boundary including software, firmware, and hardware, to be in scope for evaluation. Windows operating systems are open computing platforms that can be paired with thousands of combinations of hardware. As such, Microsoft cannot maintain FIPS certifications for each combination. The following individual certifications of the components should be evaluated as part of the risk assessment for using WHfB as an AAL3 authenticator:
+FIPS 140 requires the entire cryptographic boundary, including software, firmware, and hardware, to be in scope for evaluation. Windows operating systems are open computing platforms that can be paired with thousands of combinations of hardware. Microsoft can't maintain FIPS certifications for each combination. You should evaluate the following individual certifications of components as part of your risk assessment for using Windows Hello for Business as an AAL3 authenticator:
-* **Microsoft Windows 10, and Microsoft Windows Server** use the [US Government Approved Protection Profile for General Purpose Operating Systems Version 4.2.1](https://www.niap-ccevs.org/Profile/Info.cfm?PPID=442&id=442). from the National Information Assurance Partnership (NIAP). NIAP oversees a national program to evaluate Commercial Off-The-Shelf (COTS) Information Technology (IT) products for conformance to the international Common Criteria.
+* **Windows 10 and Windows Server** use the [US Government Approved Protection Profile for General Purpose Operating Systems Version 4.2.1](https://www.niap-ccevs.org/Profile/Info.cfm?PPID=442&id=442) from the National Information Assurance Partnership (NIAP). NIAP oversees a national program to evaluate commercial off-the-shelf (COTS) information technology (IT) products for conformance to the international Common Criteria.
-* **Microsoft Windows Cryptographic Library** [has achieved FIPS Level 1 overall in the NIST Cryptographic Module Validation Program](https://csrc.nist.gov/Projects/cryptographic-module-validation-program/Certificate/3544) (CMVP). The CMVP, a joint effort between the NIST and the Canadian Center for Cyber Security, validates cryptographic module to FIPS standards.
+* **Windows Cryptographic Library** [has achieved FIPS Level 1 Overall in the NIST Cryptographic Module Validation Program](https://csrc.nist.gov/Projects/cryptographic-module-validation-program/Certificate/3544) (CMVP). The CMVP, a joint effort between NIST and the Canadian Center for Cyber Security, validates cryptographic modules against FIPS standards.
-* Choose a **Trusted Platform Module (TPM)** that is FIPS 140 Level 2 overall, and FIPS 140 Level 3 Physical Security. **As an organization, it is your responsibility to ensure that the hardware TPM you are using meets the needs of the AAL level you want to achieve**.
-ΓÇÄTo determine which TPMs meet the current standards, go to the [NIST Computer Security Resource Center Cryptographic Module Validation Program](https://csrc.nist.gov/Projects/cryptographic-module-validation-program/validated-modules/Search). In the Module name field, enter ΓÇ£Trusted platform module.ΓÇ¥ The resultant list contains hardware TPMS that meet the current standards.
+* Choose a **Trusted Platform Module (TPM)** that's FIPS 140 Level 2 Overall and FIPS 140 Level 3 Physical Security. It's your organization's responsibility to ensure that the hardware TPM you're using meets the requirements of the AAL level you want to achieve.
+ΓÇÄTo determine which TPMs meet the current standards, go to the [NIST Computer Security Resource Center Cryptographic Module Validation Program](https://csrc.nist.gov/Projects/cryptographic-module-validation-program/validated-modules/Search) page. In the **Module Name** box, enter **Trusted Platform Module**. The resulting list contains hardware TPMs that meet the current standards.
## Reauthentication
-At AAL3 NIST requires reauthentication every 12 hours regardless of user activity, and after any period of inactivity lasting 15 minutes or longer. Presentation of both factors is required.
+At the AAL3 level, NIST requires reauthentication every 12 hours, regardless of user activity. Reauthentication is also required after any period of inactivity that lasts 15 minutes or longer. Presentation of both factors is required.
-To meet the requirement for reauthentication regardless of user activity Microsoft recommends configuring [user sign-in frequency](https://aka.ms/NIST/38) to 12 hours.
+To meet the requirement for reauthentication regardless of user activity, Microsoft recommends configuring [user sign-in frequency](https://aka.ms/NIST/38) to 12 hours.
-NIST also allows the use of compensating controls for confirming the subscriberΓÇÖs presence:
+NIST also allows the use of compensating controls for confirming the subscriber's presence:
-* Session inactivity timeout of 15 minutes can be achieved by locking the device at the OS level by leveraging Microsoft System Center Configuration manager (SCCM), Group policy objects (GPO), or Intune. You must also require local authentication for the subscriber to unlock it.
+* You can set a session inactivity timeout of 15 minutes by locking the device at the OS level. You can do so by using Microsoft Endpoint Configuration Manager, Group Policy Object (GPO), or Intune. You must also require local authentication for the subscriber to unlock it.
-* Timeout regardless of activity can be achieved by running a scheduled task (leveraging SCCM, GPO or Intune) that locks the machine after 12 hours regardless of activity.
+* You can achieve timeout regardless of activity by running a scheduled task (by using Configuration Manager, GPO, or Intune) that locks the machine after 12 hours, regardless of activity.
-## Man-in-the-middle (MitM) resistance
+## Man-in-the-middle resistance
-All communications between the claimant and Azure AD are performed over an authenticated protected channel to provide resistance to MitM attacks. This satisfies the MitM resistance requirements for AAL1, AAL2 and AAL3.
+All communications between the claimant and Azure AD are done over an authenticated, protected channel to provide resistance to man-in-the-middle (MitM) attacks. This configuration satisfies the MitM resistance requirements for AAL1, AAL2, and AAL3.
## Verifier impersonation resistance
-All Azure AD authentication methods that meet AAL3 leverage cryptographic authenticators that bind the authenticator output to the specific session being authenticated. They do this by using a private key controlled by the claimant for which the public key is known to the verifier. This satisfies the verifier impersonation resistance requirements for AAL3.
+All Azure AD authentication methods that meet AAL3 use cryptographic authenticators that bind the authenticator output to the specific session being authenticated. They do so by using a private key controlled by the claimant for which the public key is known to the verifier. This configuration satisfies the verifier-impersonation resistance requirements for AAL3.
## Verifier compromise resistance
-All Azure AD authentication methods that meet AAL3 either use a cryptographic authenticator that requires the verifier store a public key corresponding to a private key held by the authenticator or store the expected authenticator output using FIPS 140 validated hash algorithms. You can find more details under [Azure AD Data Security Considerations](https://aka.ms/AADDataWhitepaper).
+All Azure AD authentication methods that meet AAL3 do one of the following:
+- Use a cryptographic authenticator that requires the verifier to store a public key that corresponds to a private key held by the authenticator.
+- Store the expected authenticator output by using FIPS-140 validated hash algorithms.
+
+For more information, see [Azure AD Data Security Considerations](https://aka.ms/AADDataWhitepaper).
## Replay resistance
-All Azure AD authentication methods at AAL3 either use nonce or challenges and are resistant to replay attacks since the verifier will easily detect replayed authentication transactions since they will not contain the appropriate nonce or timeliness data.
+All Azure AD authentication methods that meet AAL3 use either nonce or challenges. These methods are resistant to replay attacks because the verifier will easily detect replayed authentication transactions. Such transactions won't contain the appropriate nonce or timeliness data.
## Authentication intent
-The goal of authentication intent is to make it more difficult for directly connected physical authenticators (e.g., multi-factor cryptographic devices) to be used without the subjectΓÇÖs knowledge, such as by malware on the endpoint.
+The goal of authentication intent is to make it more difficult for directly connected physical authenticators (like multifactor cryptographic devices) to be used without the subject's knowledge. For example, by malware on the endpoint.
-NIST allows the use of compensating controls for mitigating malware risk. Any Intune compliant device running Windows Defender System Guard and Windows Defender ATP meets this mitigation requirement.
+NIST allows the use of compensating controls for mitigating malware risk. Any Intune-compliant device that runs Windows Defender System Guard and Windows Defender ATP meets this mitigation requirement.
-## Next Steps
+## Next steps
[NIST overview](nist-overview.md)

[NIST authenticator types](nist-authenticator-types.md)
-[Achieving NIST AAL1 with Azure AD](nist-authenticator-assurance-level-1.md)
+[Achieving NIST AAL1 by using Azure AD](nist-authenticator-assurance-level-1.md)
+
+[Achieving NIST AAL2 by using Azure AD](nist-authenticator-assurance-level-2.md)
-[Achieving NIST AAL2 with Azure AD](nist-authenticator-assurance-level-2.md)
-[Achieving NIST AAL3 with Azure AD](nist-authenticator-assurance-level-3.md)
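Review bot: The rewritten Authentication intent paragraph, "+... to be used without the subject's knowledge. For example, by malware on the endpoint.", leaves a sentence fragment; the old text read "such as by malware on the endpoint" as part of the sentence. Suggest "... without the subject's knowledge, for example by malware on the endpoint." Other points in this file: the new Verifier compromise resistance list uses "- " bullets while every other list in the article uses "* "; the new lines "+ΓÇÄmodule for all of its authentication-related ..." and "+ΓÇÄTo determine which TPMs meet the current standards ..." still start with an invisible left-to-right mark (rendered here as "ΓÇÄ") that should be stripped; the compensating-control bullet says "Microsoft Endpoint Configuration Manager" while the matching bullet in the AAL2 article in this same change says "Microsoft System Center Configuration Manager", so pick one name for the set; and the Next steps links were changed to "Achieving NIST AAL1 by using Azure AD" while the other articles in this change use "Achieve NIST AAL1 with Azure AD" and this article's own title is "Achieve NIST AAL3 by using Azure Active Directory", so the link text should follow one pattern.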
active-directory Nist Authenticator Types https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/standards/nist-authenticator-types.md
Title: NIST Authenticator Types and aligned Azure Active Directory methods
+ Title: NIST authenticator types and aligned Azure Active Directory methods
description: Explanations of how Azure Active Directory authentication methods align with NIST authenticator types.
-# NIST Authenticator Types and aligned Azure Active Directory methods
+# NIST authenticator types and aligned Azure Active Directory methods
-The authentication process begins when a claimant asserts its control of one of more authenticators that are associated with a subscriber. The subscriber may be a person or another entity.
+The authentication process begins when a claimant asserts its control of one of more authenticators that are associated with a subscriber. The subscriber can be a person or another entity.
-| NIST Authenticator Type| Azure AD Authentication Methods |
+| The National Institute of Standards and Technology (NIST) authenticator type| Azure Active Directory (Azure AD) authentication methods |
| - | - |
-| Memorized secret <br> (Something you know)| Password (Cloud accounts) <br>Password (Federated)<br> Password (Password Hash Sync)<br>Password (Passthrough Authentication) |
-|Look-up secret <br> (Something you have)| None. A lookup secret is by definition data not held in a system. |
-|Out-of-band <br>(Something you have)| Phone (SMS) - not recommended |
-| Single-factor one-time password <br>ΓÇÄ(Something you have)| Microsoft Authenticator App (One-time password) <br>Single factor one-time password ΓÇÄ(through OTP manufacturers)<sup data-htmlnode="">1</sup> |
-| Multi-factor one-time password<br>(something you have + something you know or something you are)| Multi-factor one-time password ΓÇÄ(through OTP manufacturers) <sup data-htmlnode="">1</sup>|
-|Single-factor crypto software<br>(Something you have)|Compliant mobile device <br> Microsoft Authenticator App (Notification) <br> Hybrid Azure AD Joined<sup data-htmlnode="">2</sup> *with software TPM*<br> Azure AD joined<sup data-htmlnode="">2</sup> *with software TPM* |
-| Single-factor crypto hardware <br>(Something you have) | Azure AD joined<sup data-htmlnode="">2</sup> *with hardware TPM* <br> Hybrid Azure AD Joined<sup data-htmlnode="">2</sup> *with hardware TPM*|
-|Multi-factor crypto software<br>(Something you have + something you know or something you are) | Microsoft Authenticator app for iOS (Passwordless)<br> Windows Hello for Business *with software TPM* |
-|Multi-factor crypto hardware <br>(Something you have + something you know or something you are) |Microsoft Authenticator app for Android (Passwordless)<br> Windows Hello for Business *with hardware TPM*<br> Smartcard (Federated identity provider) <br> FIDO 2 security key |
+| Memorized secret <br> (something you know)| Password (Cloud accounts) <br>Password (Federated)<br> Password (Password Hash Sync)<br>Password (Passthrough Authentication) |
+|Look-up secret <br> (something you have)| None. A lookup secret is by definition data not held in a system. |
+|Out-of-band <br>(something you have)| Phone (SMS) - not recommended |
+| Single-factor one-time password <br>ΓÇÄ(something you have)| Microsoft Authenticator App (One-time password) <br>Single factor one-time password ΓÇÄ(through OTP manufacturers)<sup data-htmlnode="">1</sup> |
+| Multifactor one-time password<br>(something you have + something you know or something you are)| Multifactor one-time password ΓÇÄ(through OTP manufacturers) <sup data-htmlnode="">1</sup>|
+|Single-factor crypto software<br>(something you have)|Compliant mobile device <br> Microsoft Authenticator App (Notification) <br> Hybrid Azure AD joined<sup data-htmlnode="">2</sup> with software TPM<br> Azure AD joined<sup data-htmlnode="">2</sup> with software TPM |
+| Single-factor crypto hardware <br>(something you have) | Azure AD joined<sup data-htmlnode="">2</sup> with hardware TPM <br> Hybrid Azure AD joined<sup data-htmlnode="">2</sup> with hardware TPM|
+|Multifactor crypto software<br>(something you have + something you know or something you are) | Microsoft Authenticator app for iOS (Passwordless)<br> Windows Hello for Business with software TPM |
+|Multifactor crypto hardware <br>(something you have + something you know or something you are) |Microsoft Authenticator app for Android (Passwordless)<br> Windows Hello for Business with hardware TPM<br> Smartcard (Federated identity provider) <br> FIDO 2 security key |
<sup data-htmlnode="">1</sup> OATH-TOTP SHA-1 tokens of the 30-second or 60-second variety.
## Why SMS isn't recommended
-SMS text messages meet the NIST standard, but NIST doesn't recommend them. The risks of device swap, SIM changes, number porting, and other behaviors can cause issues. If these actions are taken maliciously, they can result in an insecure experience. While they aren't recommended, they're better than using a password alone, as they require more effort for hackers.
+SMS text messages meet the NIST standard, but NIST doesn't recommend them. The risks of device swap, SIM changes, number porting, and other behaviors can cause problems. If these actions are taken maliciously, they can result in an insecure experience. Although SMS text messages aren't recommended, they're better than using a password alone, because they require more effort for hackers.
-## Next Steps
+## Next steps
[NIST overview](nist-overview.md)
[NIST authenticator types](nist-authenticator-types.md)
-[Achieving NIST AAL1 with Azure AD](nist-authenticator-assurance-level-1.md)
+[Achieve NIST AAL1 with Azure AD](nist-authenticator-assurance-level-1.md)
-[Achieving NIST AAL2 with Azure AD](nist-authenticator-assurance-level-2.md)
+[Achieve NIST AAL2 with Azure AD](nist-authenticator-assurance-level-2.md)
-[Achieving NIST AAL3 with Azure AD](nist-authenticator-assurance-level-3.md)
+[Achieve NIST AAL3 with Azure AD](nist-authenticator-assurance-level-3.md)
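Review bot: The rewritten intro line "+The authentication process begins when a claimant asserts its control of one of more authenticators ..." carries over the typo "one of more"; it should read "one or more authenticators". Related points in the table: the new header cell "The National Institute of Standards and Technology (NIST) authenticator type" is long for a column header, so expand the acronym once in the intro sentence and keep the header as "NIST authenticator type"; the last row keeps "Smartcard" and "FIDO 2 security key" while the AAL3 article in this same change uses "Smart card" and "FIDO2 security key"; the "Look-up secret" row says "lookup secret" in its own description cell; and the one-time password rows still contain the invisible left-to-right mark (rendered here as "ΓÇÄ") before "(something you have)" and "(through OTP manufacturers)", which should be stripped.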
active-directory Nist Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/standards/nist-overview.md
Title: Achieving NIST Authenticator Assurance Levels with Azure Active Directory
+ Title: Achieve NIST authenticator assurance levels with Azure Active Directory
description: An overview of
-# Configure Azure Active Directory to meet NIST Authenticator Assurance Levels
+# Configure Azure Active Directory to meet NIST authenticator assurance levels
-Providing services for federal agencies is complicated by the number and complexity of standards that you must meet. As a cloud service provider (CSP) or federal agency, it is your responsibility to ensure compliance with all relevant standards. Azure and Azure Active Directory make this easier by enabling you to leverage our certifications, and then configure your specific requirements.
-Azure is certified for 90+ compliance offerings. See [Trust your cloud](https://azure.microsoft.com/overview/trusted-cloud/) for details on Azure compliance and certifications.
+Providing services for federal agencies is complicated by the number and complexity of standards that you must meet. As a cloud service provider (CSP) or federal agency, it's your responsibility to ensure compliance with all relevant standards. Azure and Azure Active Directory (Azure AD) make this easier by enabling you to use our certifications, and then configure your specific requirements.
+
+Azure is certified for more than 90 compliance offerings at the time of this writing. For more details, see [Trust your cloud](https://azure.microsoft.com/overview/trusted-cloud/).
## Why meet NIST standards?
-The National Institute of Standards and Technology (NIST) develops the technical requirements for US federal agencies implementing identity solutions. Organizations working with federal agencies must also meet these requirements. The NIST Identity requirements are found in the document [Special Publication 800-63 Revision 3](https://pages.nist.gov/800-63-3/sp800-63-3.html) (NIST SP 800-63-3).
+The National Institute of Standards and Technology (NIST) develops the technical requirements for US federal agencies that implement identity solutions. Organizations working with federal agencies must also meet these requirements. For more information about the NIST identity requirements, see [Special Publication 800-63 Revision 3](https://pages.nist.gov/800-63-3/sp800-63-3.html) (NIST SP 800-63-3).
-NIST SP 800-63 is also referenced by
-* the Electronic Prescription of Controlled Substances [ECPS](https://deadiversion.usdoj.gov/ecomm/e_rx/) program
+NIST SP 800-63 is also referenced by:
+* The Electronic Prescription of Controlled Substances [EPCS](https://deadiversion.usdoj.gov/ecomm/e_rx/) program.
* [Financial Industry Regulatory Authority (FINRA) requirements](https://www.finra.org/rules-guidance).
-* Healthcare, defense, and other industry associations often use the NIST SP 800-63-3 as a baseline for identity and access management (IAM) requirements.
+* Healthcare, defense, and other industry associations often use the NIST SP 800-63-3 as a baseline for identity and access management requirements.
NIST guidelines are referenced in other standards, most notably the Federal Risk and Authorization Management Program (FedRAMP) for CSPs. Azure is FedRAMP High Impact certified.
-The NIST digital identity guidelines cover proofing and authentication of users such as employees, partners, suppliers, and customers or citizens.
+The NIST digital identity guidelines cover proofing and authentication of users, such as employees, partners, suppliers, and customers or citizens.
NIST SP 800-63-3 digital identity guidelines encompass three areas:
-* [SP 800-63A](https://pages.nist.gov/800-63-3/sp800-63a.html) covers Enrollment & Identity Proofing
+* [SP 800-63A](https://pages.nist.gov/800-63-3/sp800-63a.html) covers enrollment and identity proofing.
-* [SP 800-63B](https://pages.nist.gov/800-63-3/sp800-63b.html) covers Authentication & Lifecycle management
+* [SP 800-63B](https://pages.nist.gov/800-63-3/sp800-63b.html) covers authentication and lifecycle management.
-* [SP 800-63C](https://pages.nist.gov/800-63-3/sp800-63c.html) covers Federation & Assertions
+* [SP 800-63C](https://pages.nist.gov/800-63-3/sp800-63c.html) covers federation and assertions.
-Each area has mapped out assurance levels. This article set provides guidance for attaining the Authenticator Assurance Levels (AALs) in NIST SP 800-63B by using the Azure Active Directory and other Microsoft solutions.
+Each area has mapped out assurance levels. This article set provides guidance for attaining the authenticator assurance levels (AALs) in NIST SP 800-63B by using Azure AD and other Microsoft solutions.
-## Next Steps
+## Next steps
[Learn about AALs](nist-about-authenticator-assurance-levels.md)
[NIST authenticator types](nist-authenticator-types.md)
-[Achieving NIST AAL1 with Azure AD](nist-authenticator-assurance-level-1.md)
+[Achieve NIST AAL1 with Azure AD](nist-authenticator-assurance-level-1.md)
-[Achieving NIST AAL2 with Azure AD](nist-authenticator-assurance-level-2.md)
+[Achieve NIST AAL2 with Azure AD](nist-authenticator-assurance-level-2.md)
-[Achieving NIST AAL3 with Azure AD](nist-authenticator-assurance-level-3.md)
+[Achieve NIST AAL3 with Azure AD](nist-authenticator-assurance-level-3.md)
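Review bot: the rewritten sentence "by using Azure AD and other Microsoft solutions" introduces the abbreviation "Azure AD" where the text previously spelled out "Azure Active Directory", and nothing earlier in this article expands it (the lines above only say "Azure"); keep the full name with the abbreviation in parentheses on first use. "Each area has mapped out assurance levels" is also awkward and survives the edit unchanged; "Each area defines its own assurance levels" says the same thing more directly.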
active-directory Standards Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/standards/standards-overview.md
In today's world of interconnected infrastructures, compliance with governmental and industry frameworks and standards is often mandatory.
-Compliance frameworks can be extremely complex. Microsoft engages with governments, regulators, and standards bodies to understand and meet compliance needs in its Azure platform. You can take advantage of more than [90 Azure compliance certifications](https://docs.microsoft.com/azure/compliance). Our compliance offerings include many specific to global regions and countries. Azure also offers 35 compliance offerings specific to key industries, including health, government, finance, education, manufacturing, and media.
+Compliance frameworks can be extremely complex. Microsoft engages with governments, regulators, and standards bodies to understand and meet compliance needs in its Azure platform. You can take advantage of more than [90 Azure compliance certifications](https://docs.microsoft.com/azure/compliance). These compliance offerings include many that are specific to global regions and countries. Azure also offers 35 compliance offerings specific to key industries, including health, government, finance, education, manufacturing, and media.
## Azure compliance provides a head start
-Compliance is a shared responsibility among Microsoft, Cloud service providers (CSPs), and organizations. You can rely on Azure's compliance certifications as a basis for your compliance, and then configure Azure Active Directory to meet identity standards.
+Compliance is a shared responsibility among Microsoft, cloud service providers (CSPs), and organizations. You can rely on Azure compliance certifications as a basis for your compliance, and then configure Azure Active Directory to meet identity standards.
-Cloud service providers (CSPs), governmental agencies, and those who work with them must often meet stringent standards for one or more governments such as
+CSPs, governmental agencies, and those who work with them must often meet stringent standards for one or more governments. These standards can include the following:
* [US Federal Risk and Authorization Management Program (FedRAMP)](https://docs.microsoft.com/azure/compliance/offerings/offering-fedramp) * [National Institute of Standards and Technologies (NIST)](https://docs.microsoft.com/azure/compliance/offerings/offering-nist-800-53).
-CSPs and organizations in industries such as healthcare and finance must also meet industry standards such as
+CSPs and organizations in industries such as healthcare and finance must also meet industry standards, such as:
* [HIPPA](https://docs.microsoft.com/azure/compliance/offerings/offering-hipaa-us)
-* [Sorbanes-Oxley (Sox)](https://docs.microsoft.com/azure/compliance/offerings/offering-sox-us).
+* [Sorbanes-Oxley (SOX)](https://docs.microsoft.com/azure/compliance/offerings/offering-sox-us)
To learn more about supported compliance frameworks, see [Azure compliance offerings](https://docs.microsoft.com/azure/compliance/offerings/).
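Review bot: the "+" line changes "Sox" to "SOX" but leaves the act itself misspelled; it is "Sarbanes-Oxley", and the unchanged bullet just above spells HIPAA as "HIPPA". Both are link text for compliance offerings that readers will search on, so correct both spellings in this change rather than leaving them for a later pass.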
active-directory User Help Auth App Add Work School Account https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/user-help/user-help-auth-app-add-work-school-account.md
Previously updated : 11/15/2020 Last updated : 05/11/2021
You can add your work or school account to the Microsoft Authenticator app by do
### Sign in with your credentials >[!Note]
->This feature is usable only by users whose admins have enabled phone sign-in using the Authenticator app for them.
+>You can now sign in to the Microsoft Authenticator app to add your work or school account.
To add an account by signing into your work or school account using your credentials:
1. Enter your work or school account credentials. If you have a Temporary Access Pass (TAP) you can use that to sign in. At this point, you could potentially be blocked from proceeding by one of the following conditions:
- - If you donΓÇÖt have enough authentication methods on your account to get a strong authentication token, you will not be able to proceed to add an account.
+ - If you donΓÇÖt have enough authentication methods on your account to get a strong authentication token, you can't proceed to add an account.
- - If you receive the message `You might be signing in from a location that is restricted by your admin`, you are blocked and need an administrator to unblock you in [Security info](https://mysignins.microsoft.com/security-info).
+ - If you receive the message `You might be signing in from a location that is restricted by your admin`, your admin hasn't enabled this feature for you. You can try to set up your account by scanning a QR Code from the **Additional security verification** page or inΓÇ»[Security info](https://mysignins.microsoft.com/security-info).
- - If you're not blocked for phone sign-in using the Authenticator app by your admin, you'll be able to go through device registration to get set up for passwordless phone sign-in and Azure Multi-Factor Authentication (MFA).
+1. If you are allowed by your admin to use phone sign-in using the Authenticator app, you'll be able to go through device registration to get set up for passwordless phone sign-in and Azure Multi-Factor Authentication (MFA). However, you'll still be able to set up MFA whether or not you are enabled for phone sign-in.
1. At this point, you could be asked to scan a QR Code provided by your organization to set up an on-premises multi-factor authentication account in the app. You're required to do this only if your organization uses on-premises MFA Server.
-1. On your device, tap the account and verify in the full-screen view that your account is correct and that there's an associated six-digit verification code. For additional security, the verification code changes every 30 seconds preventing someone from using a code multiple times.
+1. On your device, tap the account and verify in the full-screen view that your account is correct. For additional security, the verification code changes every 30 seconds preventing someone from using a code multiple times.
## Sign in with a QR code
To add an account by scanning a QR Code, do the following:
If you aren't prompted to use your camera to scan a QR Code, in your phone's settings, ensure that the Authenticator app has access to the phone camera.
-## Next steps
+## Sign in on a remote computer
+
+Many apps allow you to authenticate by entering a code on another device such as a PC. If you want to sign in on a remote computer to install the Microsoft Authenticator app:
+
+1. Open the Microsoft Authenticator app, select the **+** button &gt; **Add work or school account** &gt; **Sign in**.
+1. Select **Sign in from another device**.
+1. On the remote screen, open the [**Sign in to your account** page](https://microsoft.com/devicelogin) and enter the code that you see in your Authenticator app.
+1. On your remote screen, sign in using your work or school account credentials. If you have a Temporary Access Pass (TAP) you can use that to sign in.
+1. After you complete your authentication on the remote screen, return to the Authenticator app to complete setup.
+
+ ## Next steps
- After you add your accounts to the app, you can sign in using the Authenticator app on your device. For more information, see [Sign in using the app](user-help-auth-app-sign-in.md).
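Review bot: the added line "You can try to set up your account by scanning a QR Code from the **Additional security verification** page or inΓÇ»[Security info]" carries a mis-encoded non-breaking space ("ΓÇ»"), and the retained "donΓÇÖt" is a mis-encoded curly apostrophe; both will render as garbage on the published page, so replace them with a plain space and a plain ASCII apostrophe before merge. Separately, "If you are allowed by your admin to use phone sign-in..." is promoted from a sub-bullet of step 1 to a top-level numbered step, which renumbers the whole procedure; confirm that is intended, and check that the "## Next steps" heading is not left with a leading space after the new "Sign in on a remote computer" section.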
aks Developer Best Practices Resource Management https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/developer-best-practices-resource-management.md
This article focuses on running your cluster and workloads from an application d
> [!div class="checklist"] > * Pod resource requests and limits. > * Ways to develop and deploy applications with Bridge to Kubernetes and Visual Studio Code.
-> * How to use the `kube-advisor` tool to check for issues with deployments.
## Define pod resource requests and limits
The [Visual Studio Code extension for Kubernetes][vscode-kubernetes] helps you d
![VS Code extension for Kubernetes warning about missing memory limits](media/developer-best-practices-resource-management/vs-code-kubernetes-extension.png)
-## Regularly check for application issues with kube-advisor
-
-> **Best practice guidance**
->
-> Regularly run the latest version of `kube-advisor` open-source tool to detect issues in your cluster. Run `kube-advisor` before applying resource quotas on an existing AKS cluster to find pods that don't have resource requests and limits defined.
-
-The [kube-advisor][kube-advisor] tool is an associated AKS open-source project that scans a Kubernetes cluster and reports on identified issues. One useful check is to identify pods without resource requests and limits in place.
-
-While the `kube-advisor` tool can report on resource requests and limits missing in PodSpecs for Windows and Linux applications, `kube-advisor` itself must be scheduled on a Linux pod. Use a [node selector][k8s-node-selector] in the pod's configuration to schedule a pod to run on a node pool with a specific OS.
-
-In an AKS cluster that hosts many development teams and applications, you'll find it easier to track pods using resource requests and limits. As a best practice, regularly run `kube-advisor` on your AKS clusters.
- ## Next steps This article focused on how to run your cluster and workloads from a cluster operator perspective. For information about administrative best practices, see [Cluster operator best practices for isolation and resource management in Azure Kubernetes Service (AKS)][operator-best-practices-isolation].
To implement some of these best practices, see the following articles: * [Develop with Bridge to Kubernetes][btk]
-* [Check for issues with kube-advisor][aks-kubeadvisor]
<!-- EXTERNAL LINKS --> [k8s-resource-limits]: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ [vscode-kubernetes]: https://github.com/Azure/vscode-kubernetes-tools
-[kube-advisor]: https://github.com/Azure/kube-advisor
[minikube]: https://kubernetes.io/docs/setup/minikube/ <!-- INTERNAL LINKS -->
-[aks-kubeadvisor]: kube-advisor-tool.md
[btk]: /visualstudio/containers/overview-bridge-to-kubernetes [operator-best-practices-isolation]: operator-best-practices-cluster-isolation.md [resource-quotas]: operator-best-practices-scheduler.md#enforce-resource-quotas
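Review bot: with the kube-advisor section removed, this article still tells developers to define pod resource requests and limits but no longer gives them any way to find pods that lack them; the retained VS Code extension warning only covers manifests open in the editor, not what is already running in the cluster. Consider replacing the removed section with a one-line pointer to an equivalent cluster-wide check. Also, `[k8s-node-selector]` was referenced only by the removed paragraph; if its link definition lives in this file, remove it too so the link list does not accumulate dead references.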
aks Faq https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/faq.md
Title: Frequently asked questions for Azure Kubernetes Service (AKS) description: Find answers to some of the common questions about Azure Kubernetes Service (AKS). Previously updated : 08/06/2020 Last updated : 05/23/2021
While AKS has resilience mechanisms to withstand such a config and recover from
## Can I use custom VM extensions?
-The Log Analytics agent is supported because it's an extension managed by Microsoft. Otherwise no, AKS is a managed service, and manipulation of the IaaS resources isn't supported. To install custom components, use the Kubernetes APIs and mechanisms. For example, use DaemonSets to install required components.
+No, AKS is a managed service, and manipulation of the IaaS resources isn't supported. To install custom components, use the Kubernetes APIs and mechanisms. For example, use DaemonSets to install required components.
## Does AKS store any customer data outside of the cluster's region?
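Review bot: the new answer drops the qualifier that the Log Analytics agent extension is supported because Microsoft manages it, and a flat "No" will confuse operators who see Microsoft-managed extensions on their scale set instances. If the intent is that customer-installed extensions are unsupported while Microsoft-managed ones remain, say so explicitly, for example "No. AKS manages any VM extensions it installs itself (such as the Log Analytics agent); adding your own extensions is not supported."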
aks Kube Advisor Tool https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/kube-advisor-tool.md
- Title: Check deployments for best practices-
-description: Learn how to check for implementation of best practices in your deployments on Azure Kubernetes Service using kube-advisor
--- Previously updated : 11/05/2018---
-# Checking for Kubernetes best practices in your cluster
-
-There are several best practices that you should follow on your Kubernetes deployments to ensure the best performance and resilience for your applications. You can use the kube-advisor tool to look for deployments that aren't following those suggestions.
-
-## About kube-advisor
-
-The [kube-advisor tool][kube-advisor-github] is a single container designed to be run on your cluster. It queries the Kubernetes API server for information about your deployments and returns a set of suggested improvements.
-
-The kube-advisor tool can report on resource request and limits missing in PodSpecs for Windows applications as well as Linux applications, but the kube-advisor tool itself must be scheduled on a Linux pod. You can schedule a pod to run on a node pool with a specific OS using a [node selector][k8s-node-selector] in the pod's configuration.
-
-> [!NOTE]
-> The kube-advisor tool is supported by Microsoft on a best-effort basis. Issues and suggestions should be filed on GitHub.
-
-## Running kube-advisor
-
-To run the tool on a cluster that is configured for [Kubernetes role-based access control (Kubernetes RBAC)](./azure-ad-integration-cli.md), using the following commands. The first command creates a Kubernetes service account. The second command runs the tool in a pod using that service account and configures the pod for deletion after it exits.
-
-```bash
-kubectl apply -f https://raw.githubusercontent.com/Azure/kube-advisor/master/sa.yaml
-
-kubectl run --rm -i -t kubeadvisor --image=mcr.microsoft.com/aks/kubeadvisor --restart=Never --overrides="{ \"apiVersion\": \"v1\", \"spec\": { \"serviceAccountName\": \"kube-advisor\" } }" --namespace default
-```
-
-If you aren't using Kubernetes RBAC, you can run the command as follows:
-
-```bash
-kubectl run --rm -i -t kubeadvisor --image=mcr.microsoft.com/aks/kubeadvisor --restart=Never
-```
-
-Within a few seconds, you should see a table describing potential improvements to your deployments.
-
-![Kube-advisor output](media/kube-advisor-tool/kube-advisor-output.png)
-
-## Checks performed
-
-The tool validates several Kubernetes best practices, each with their own suggested remediation.
-
-### Resource requests and limits
-
-Kubernetes supports defining [resource requests and limits on pod specifications][kube-cpumem]. The request defines the minimum CPU and memory required to run the container. The limit defines the maximum CPU and memory that should be allowed.
-
-By default, no requests or limits are set on pod specifications. This can lead to nodes being overscheduled and containers being starved. The kube-advisor tool highlights pods without requests and limits set.
-
-## Cleaning up
-
-If your cluster has Kubernetes RBAC enabled, you can clean up the `ClusterRoleBinding` after you've run the tool using the following command:
-
-```bash
-kubectl delete -f https://raw.githubusercontent.com/Azure/kube-advisor/master/sa.yaml
-```
-
-If you are running the tool against a cluster that is not Kubernetes RBAC-enabled, no cleanup is required.
-
-## Next steps
--- [Troubleshoot issues with Azure Kubernetes Service](troubleshooting.md)-
-<!-- RESOURCES -->
-
-[kube-cpumem]: https://github.com/Azure/azure-quickstart-templates
-[kube-advisor-github]: https://github.com/azure/kube-advisor
-[k8s-node-selector]: concepts-clusters-workloads.md#node-selectors
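Review bot: deleting this page removes the only documented cleanup for the `kube-advisor` service account and `ClusterRoleBinding` that `sa.yaml` creates ("If your cluster has Kubernetes RBAC enabled, you can clean up the `ClusterRoleBinding` after you've run the tool"); clusters where the tool was ever run keep a cluster-scoped binding that nobody will now be told to remove. Add a redirect for `kube-advisor-tool.md` to a page that still carries the `kubectl delete -f https://raw.githubusercontent.com/Azure/kube-advisor/master/sa.yaml` step, or move that one command into the article the redirect targets, since the inbound `[aks-kubeadvisor]: kube-advisor-tool.md` references are being removed in this same changeset and external bookmarks will otherwise land on a 404.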
aks Operator Best Practices Cluster Isolation https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/operator-best-practices-cluster-isolation.md
Logical separation of clusters usually provides a higher pod density than physic
Currently, Kubernetes environments aren't completely safe for hostile multi-tenant usage. In a multi-tenant environment, multiple tenants are working on a common, shared infrastructure. If all tenants cannot be trusted, you will need extra planning to prevent tenants from impacting the security and service of others.
-Additional security features, like *Pod Security Policies* or Kubernetes RBAC for nodes, efficiently block exploits. For true security when running hostile multi-tenant workloads, you should only trust a hypervisor. The security domain for Kubernetes becomes the entire cluster, not an individual node.
+Additional security features, like Kubernetes RBAC for nodes, efficiently block exploits. For true security when running hostile multi-tenant workloads, you should only trust a hypervisor. The security domain for Kubernetes becomes the entire cluster, not an individual node.
For these types of hostile multi-tenant workloads, you should use physically isolated clusters.
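Review bot: removing *Pod Security Policies* from the example list leaves "Kubernetes RBAC for nodes, efficiently block exploits" as a claim that RBAC alone blocks exploits, which overstates what RBAC provides (authorization, not workload hardening). Since Pod Security Policies are deprecated in Kubernetes 1.21 and removed in 1.25, say that is why the reference was dropped and name the admission-control replacement, and soften "efficiently block exploits" to something like "raise the bar for an attacker"; the following sentence already makes the real point that only hypervisor-level isolation should be trusted for hostile tenants.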
aks Operator Best Practices Scheduler https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/operator-best-practices-scheduler.md
This best practices article focuses on basic Kubernetes scheduling features for
> [!div class="checklist"] > * Use resource quotas to provide a fixed amount of resources to teams or workloads > * Limit the impact of scheduled maintenance using pod disruption budgets
-> * Check for missing pod resource requests and limits using the `kube-advisor` tool
## Enforce resource quotas
Work with your application developers and owners to understand their needs and a
For more information about using pod disruption budgets, see [Specify a disruption budget for your application][k8s-pdbs].
-## Regularly check for cluster issues with kube-advisor
-
-> **Best practice guidance**
->
-> Regularly run the latest version of `kube-advisor` open source tool to detect issues in your cluster. If you apply resource quotas on an existing AKS cluster, run `kube-advisor` first to find pods that don't have resource requests and limits defined.
-
-The [kube-advisor][kube-advisor] tool is an associated AKS open source project that scans a Kubernetes cluster and reports identified issues. `kube-advisor` proves useful in identifying pods without resource requests and limits in place.
-
-While the `kube-advisor` tool can report on resource request and limits missing in PodSpecs for Windows and Linux applications, the tool itself must be scheduled on a Linux pod. Schedule a pod to run on a node pool with a specific OS using a [node selector][k8s-node-selector] in the pod's configuration.
-
-Tracking pods without set resource requests and limits in an AKS cluster hosting multiple development teams and applications can be difficult. As a best practice, regularly run `kube-advisor` on your AKS clusters, especially if you don't assign resource quotas to namespaces.
- ## Next steps This article focused on basic Kubernetes scheduler features. For more information about cluster operations in AKS, see the following best practices:
<!-- EXTERNAL LINKS --> [k8s-resource-quotas]: https://kubernetes.io/docs/concepts/policy/resource-quotas/ [configure-default-quotas]: https://kubernetes.io/docs/tasks/administer-cluster/manage-resources/memory-default-namespace/
-[kube-advisor]: https://github.com/Azure/kube-advisor
[k8s-pdbs]: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ <!-- INTERNAL LINKS -->
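Review bot: the removed section carried an operationally important pre-check, "run `kube-advisor` first to find pods that don't have resource requests and limits defined", and that advice is lost rather than relocated. Once a ResourceQuota with compute limits is applied to a namespace, new pods whose containers do not specify requests and limits are rejected at admission, so the "Enforce resource quotas" section above should now state that pre-check itself (for example, a `kubectl get pods -A -o json` query filtered on containers with no `resources.requests`) instead of silently dropping it. As in the developer article, `[k8s-node-selector]` was only used by the removed text; remove its definition if it is in this file.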
aks Servicemesh Osm About https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/servicemesh-osm-about.md
OSM can assist your AKS deployments with the following scenarios:
- Collection and viewing of KPIs from application traffic
+## Prerequisites
+
+- The Azure CLI, version 2.20.0 or later
+- The `aks-preview` extension version 0.5.5 or later
+- OSM version v0.8.0 or later
+ ## OSM Service Quotas and Limits (Preview) OSM preview limitations for service quotas and limits can be found on the AKS [Quotas and regional limits page](./quotas-skus-regions.md).
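Review bot: the new Prerequisites list states minimum versions but not how to check or reach them; add `az --version` for the CLI, `az extension add --name aks-preview` and `az extension update --name aks-preview` for the extension, and say where the OSM version is read from (the OSM CLI's version command). Also check that the "## OSM Service Quotas and Limits (Preview)" heading keeps a blank line before it and no leading space after the inserted list.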
aks Ssh https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/ssh.md
Title: SSH into Azure Kubernetes Service (AKS) cluster nodes
description: Learn how to create an SSH connection with Azure Kubernetes Service (AKS) cluster nodes for troubleshooting and maintenance tasks. Previously updated : 07/31/2019 Last updated : 05/17/2021 + #Customer intent: As a cluster operator, I want to learn how to use SSH to connect to virtual machines in an AKS cluster to perform maintenance or troubleshoot a problem. # Connect with SSH to Azure Kubernetes Service (AKS) cluster nodes for maintenance or troubleshooting
-Throughout the lifecycle of your Azure Kubernetes Service (AKS) cluster, you may need to access an AKS node. This access could be for maintenance, log collection, or other troubleshooting operations. You can access AKS nodes using SSH, including Windows Server nodes. You can also [connect to Windows Server nodes using remote desktop protocol (RDP) connections][aks-windows-rdp]. For security purposes, the AKS nodes aren't exposed to the internet. To SSH to the AKS nodes, you use the private IP address.
+Throughout the lifecycle of your Azure Kubernetes Service (AKS) cluster, you may need to access an AKS node. This access could be for maintenance, log collection, or other troubleshooting operations. You can access AKS nodes using SSH, including Windows Server nodes. You can also [connect to Windows Server nodes using remote desktop protocol (RDP) connections][aks-windows-rdp]. For security purposes, the AKS nodes aren't exposed to the internet. To SSH to the AKS nodes, you use `kubectl debug` or the private IP address.
-This article shows you how to create an SSH connection with an AKS node using their private IP addresses.
+This article shows you how to create an SSH connection with an AKS node.
## Before you begin This article assumes that you have an existing AKS cluster. If you need an AKS cluster, see the AKS quickstart [using the Azure CLI][aks-quickstart-cli] or [using the Azure portal][aks-quickstart-portal].
-By default, SSH keys are obtained, or generated, then added to nodes when you create an AKS cluster. This article shows you how to specify different SSH keys than the SSH keys used when you created your AKS cluster. The article also shows you how to determine the private IP address of your node and connect to it using SSH. If you don't need to specify a different SSH key, then you may skip the step for adding the SSH public key to the node.
- This article also assumes you have an SSH key. You can create an SSH key using [macOS or Linux][ssh-nix] or [Windows][ssh-windows]. If you use PuTTY Gen to create the key pair, save the key pair in an OpenSSH format rather than the default PuTTy private key format (.ppk file). You also need the Azure CLI version 2.0.64 or later installed and configured. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][install-azure-cli].
-## Configure virtual machine scale set-based AKS clusters for SSH access
+## Create the SSH connection to a Linux node
-To configure your virtual machine scale set-based for SSH access, find the name of your cluster's virtual machine scale set and add your SSH public key to that scale set.
+To create an SSH connection to an AKS node, use `kubectl debug` to run a privileged container on your node. To list your nodes, use `kubectl get nodes`:
-Use the [az aks show][az-aks-show] command to get the resource group name of your AKS cluster, then the [az vmss list][az-vmss-list] command to get the name of your scale set.
+```output
+$ kubectl get nodes -o wide
-```azurecli-interactive
-CLUSTER_RESOURCE_GROUP=$(az aks show --resource-group myResourceGroup --name myAKSCluster --query nodeResourceGroup -o tsv)
-SCALE_SET_NAME=$(az vmss list --resource-group $CLUSTER_RESOURCE_GROUP --query '[0].name' -o tsv)
+NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME
+aks-nodepool1-12345678-vmss000000 Ready agent 13m v1.19.9 10.240.0.4 <none> Ubuntu 18.04.5 LTS 5.4.0-1046-azure containerd://1.4.4+azure
+aks-nodepool1-12345678-vmss000001 Ready agent 13m v1.19.9 10.240.0.35 <none> Ubuntu 18.04.5 LTS 5.4.0-1046-azure containerd://1.4.4+azure
+aksnpwin000000 Ready agent 87s v1.19.9 10.240.0.67 <none> Windows Server 2019 Datacenter 10.0.17763.1935 docker://19.3.1
```
-The above example assigns the name of the cluster resource group for the *myAKSCluster* in *myResourceGroup* to *CLUSTER_RESOURCE_GROUP*. The example then uses *CLUSTER_RESOURCE_GROUP* to list the scale set name and assign it to *SCALE_SET_NAME*.
-
-> [!IMPORTANT]
-> At this time, you should only update your SSH keys for your virtual machine scale set-based AKS clusters using the Azure CLI.
->
-> For Linux nodes, SSH keys can currently only be added using the Azure CLI. If you want to connect to a Windows Server node using SSH, use the SSH keys provided when you created the AKS cluster and skip the next set of commands for adding your SSH public key. You will still need the IP address of the node you wish to troubleshoot, which is shown in the final command of this section. Alternatively, you can [connect to Windows Server nodes using remote desktop protocol (RDP) connections][aks-windows-rdp] instead of using SSH.
-
-To add your SSH keys to the nodes in a virtual machine scale set, use the [az vmss extension set][az-vmss-extension-set] and [az vmss update-instances][az-vmss-update-instances] commands.
+Use `kubectl debug` to run a container image on the node to connect to it.
```azurecli-interactive
-az vmss extension set \
- --resource-group $CLUSTER_RESOURCE_GROUP \
- --vmss-name $SCALE_SET_NAME \
- --name VMAccessForLinux \
- --publisher Microsoft.OSTCExtensions \
- --version 1.4 \
- --protected-settings "{\"username\":\"azureuser\", \"ssh_key\":\"$(cat ~/.ssh/id_rsa.pub)\"}"
-
-az vmss update-instances --instance-ids '*' \
- --resource-group $CLUSTER_RESOURCE_GROUP \
- --name $SCALE_SET_NAME
+kubectl debug node/aks-nodepool1-12345678-vmss000000 -it --image=mcr.microsoft.com/aks/fundamental/base-ubuntu:v0.0.11
```
-The above example uses the *CLUSTER_RESOURCE_GROUP* and *SCALE_SET_NAME* variables from the previous commands. The above example also uses *~/.ssh/id_rsa.pub* as the location for your SSH public key.
+This command starts a privileged container on your node and connects to it over SSH.
-> [!NOTE]
-> By default, the username for the AKS nodes is *azureuser*.
-
-After you add your SSH public key to the scale set, you can SSH into a node virtual machine in that scale set using its IP address. View the private IP addresses of the AKS cluster nodes using the [kubectl get command][kubectl-get].
-
-```console
-kubectl get nodes -o wide
+```output
+$ kubectl debug node/aks-nodepool1-12345678-vmss000000 -it --image=mcr.microsoft.com/aks/fundamental/base-ubuntu:v0.0.11
+Creating debugging pod node-debugger-aks-nodepool1-12345678-vmss000000-bkmmx with container debugger on node aks-nodepool1-12345678-vmss000000.
+If you don't see a command prompt, try pressing enter.
+root@aks-nodepool1-12345678-vmss000000:/#
```
-The follow example output shows the internal IP addresses of all the nodes in the cluster, including a Windows Server node.
-
-```console
-$ kubectl get nodes -o wide
+This privileged container gives access to the node.
-NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME
-aks-nodepool1-42485177-vmss000000 Ready agent 18h v1.12.7 10.240.0.4 <none> Ubuntu 16.04.6 LTS 4.15.0-1040-azure docker://3.0.4
-aksnpwin000000 Ready agent 13h v1.12.7 10.240.0.67 <none> Windows Server Datacenter 10.0.17763.437
-```
+## Create the SSH connection to a Windows node
-Record the internal IP address of the node you wish to troubleshoot.
+At this time, you can't connect to a Windows Server node using SSH directly by using `kubectl debug`. Instead, you need to first connect to another node in the cluster, then connect to the Windows Server node from that node using SSH. Alternatively, you can [connect to Windows Server nodes using remote desktop protocol (RDP) connections][aks-windows-rdp] instead of using SSH.
-To access your node using SSH, follow the steps in [Create the SSH connection](#create-the-ssh-connection).
+To connect to another node in the cluster, use `kubectl debug`. For more information, see [Create the SSH connection to a Linux node][ssh-linux-kubectl-debug].
-## Configure virtual machine availability set-based AKS clusters for SSH access
+To create the SSH connection to the Windows Server node from another node, use the SSH keys provided when you created the AKS cluster and the internal IP address of the Windows Server node.
-To configure your virtual machine availability set-based AKS cluster for SSH access, find the name of your cluster's Linux node, and add your SSH public key to that node.
+Open a new terminal window and use `kubectl get pods` to get the name of the pod started by `kubectl debug`.
-Use the [az aks show][az-aks-show] command to get the resource group name of your AKS cluster, then the [az vm list][az-vm-list] command to list the virtual machine name of your cluster's Linux node.
+```output
+$ kubectl get pods
-```azurecli-interactive
-CLUSTER_RESOURCE_GROUP=$(az aks show --resource-group myResourceGroup --name myAKSCluster --query nodeResourceGroup -o tsv)
-az vm list --resource-group $CLUSTER_RESOURCE_GROUP -o table
+NAME READY STATUS RESTARTS AGE
+node-debugger-aks-nodepool1-12345678-vmss000000-bkmmx 1/1 Running 0 21s
```
-The above example assigns the name of the cluster resource group for the *myAKSCluster* in *myResourceGroup* to *CLUSTER_RESOURCE_GROUP*. The example then uses *CLUSTER_RESOURCE_GROUP* to list the virtual machine name. The example output shows the name of the virtual machine:
-
-```
-Name ResourceGroup Location
- -
-aks-nodepool1-79590246-0 MC_myResourceGroupAKS_myAKSClusterRBAC_eastus eastus
-```
+In the above example, *node-debugger-aks-nodepool1-12345678-vmss000000-bkmmx* is the name of the pod started by `kubectl debug`.
-To add your SSH keys to the node, use the [az vm user update][az-vm-user-update] command.
+Copy your private SSH key into the pod created by `kubectl debug`. This private key is used to create the SSH to the Windows Server AKS node. If needed, change `~/.ssh/id_rsa` to location of your private SSH key:
```azurecli-interactive
-az vm user update \
- --resource-group $CLUSTER_RESOURCE_GROUP \
- --name aks-nodepool1-79590246-0 \
- --username azureuser \
- --ssh-key-value ~/.ssh/id_rsa.pub
+kubectl cp ~/.ssh/id_rsa node-debugger-aks-nodepool1-12345678-vmss000000-bkmmx:/id_rsa
```
-The above example uses the *CLUSTER_RESOURCE_GROUP* variable and the node virtual machine name from previous commands. The above example also uses *~/.ssh/id_rsa.pub* as the location for your SSH public key. You could also use the contents of your SSH public key instead of specifying a path.
+Use `kubectl get nodes` to show the internal IP address of the Windows Server node:
-> [!NOTE]
-> By default, the username for the AKS nodes is *azureuser*.
-
-After you add your SSH public key to the node virtual machine, you can SSH into that virtual machine using its IP address. View the private IP address of an AKS cluster node using the [az vm list-ip-addresses][az-vm-list-ip-addresses] command.
-
-```azurecli-interactive
-az vm list-ip-addresses --resource-group $CLUSTER_RESOURCE_GROUP -o table
-```
-
-The above example uses the *CLUSTER_RESOURCE_GROUP* variable set in the previous commands. The following example output shows the private IP addresses of the AKS nodes:
+```output
+$ kubectl get nodes -o wide
+NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME
+aks-nodepool1-12345678-vmss000000 Ready agent 13m v1.19.9 10.240.0.4 <none> Ubuntu 18.04.5 LTS 5.4.0-1046-azure containerd://1.4.4+azure
+aks-nodepool1-12345678-vmss000001 Ready agent 13m v1.19.9 10.240.0.35 <none> Ubuntu 18.04.5 LTS 5.4.0-1046-azure containerd://1.4.4+azure
+aksnpwin000000 Ready agent 87s v1.19.9 10.240.0.67 <none> Windows Server 2019 Datacenter 10.0.17763.1935 docker://19.3.1
```
-VirtualMachine PrivateIPAddresses
- --
-aks-nodepool1-79590246-0 10.240.0.4
-```
-
-## Create the SSH connection
-
-To create an SSH connection to an AKS node, you run a helper pod in your AKS cluster. This helper pod provides you with SSH access into the cluster and then additional SSH node access. To create and use this helper pod, complete the following steps:
-
-1. Run a `debian` container image and attach a terminal session to it. This container can be used to create an SSH session with any node in the AKS cluster:
-
- ```console
- kubectl run -it --rm aks-ssh --image=mcr.microsoft.com/aks/fundamental/base-ubuntu:v0.0.11
- ```
-
- > [!TIP]
- > If you use Windows Server nodes, add a node selector to the command to schedule the Debian container on a Linux node:
- >
- > ```console
- > kubectl run -it --rm aks-ssh --image=mcr.microsoft.com/aks/fundamental/base-ubuntu:v0.0.11 --overrides='{"apiVersion":"v1","spec":{"nodeSelector":{"beta.kubernetes.io/os":"linux"}}}'
- > ```
-
-1. Once the terminal session is connected to the container, install an SSH client using `apt-get`:
- ```console
- apt-get update && apt-get install openssh-client -y
- ```
+In the above example, *10.240.0.67* is the internal IP address of the Windows Server node.
-1. Open a new terminal window, not connected to your container, copy your private SSH key into the helper pod. This private key is used to create the SSH into the AKS node.
+Return to the terminal started by `kubectl debug` and update the permission of the private SSH key you copied to the pod.
- If needed, change *~/.ssh/id_rsa* to location of your private SSH key:
-
- ```console
- kubectl cp ~/.ssh/id_rsa $(kubectl get pod -l run=aks-ssh -o jsonpath='{.items[0].metadata.name}'):/id_rsa
- ```
-
-1. Return to the terminal session to your container, update the permissions on the copied `id_rsa` private SSH key so that it is user read-only:
-
- ```console
- chmod 0400 id_rsa
- ```
-
-1. Create an SSH connection to your AKS node. Again, the default username for AKS nodes is *azureuser*. Accept the prompt to continue with the connection as the SSH key is first trusted. You are then provided with the bash prompt of your AKS node:
-
- ```console
- $ ssh -i id_rsa azureuser@10.240.0.4
+```azurecli-interactive
+chmod 0400 id_rsa
+```
- ECDSA key fingerprint is SHA256:A6rnRkfpG21TaZ8XmQCCgdi9G/MYIMc+gFAuY9RUY70.
- Are you sure you want to continue connecting (yes/no)? yes
- Warning: Permanently added '10.240.0.4' (ECDSA) to the list of known hosts.
+Create an SSH connection to the Windows Server node using the internal IP address. The default username for AKS nodes is *azureuser*. Accept the prompt to continue with the connection. You are then provided with the bash prompt of your Windows Server node:
- Welcome to Ubuntu 16.04.5 LTS (GNU/Linux 4.15.0-1018-azure x86_64)
+```output
+$ ssh -i id_rsa azureuser@10.240.0.67
- * Documentation: https://help.ubuntu.com
- * Management: https://landscape.canonical.com
- * Support: https://ubuntu.com/advantage
+The authenticity of host '10.240.0.67 (10.240.0.67)' can't be established.
+ECDSA key fingerprint is SHA256:1234567890abcdefghijklmnopqrstuvwxyzABCDEFG.
+Are you sure you want to continue connecting (yes/no)? yes
- Get cloud support with Ubuntu Advantage Cloud Guest:
- https://www.ubuntu.com/business/services/cloud
+[...]
- [...]
+Microsoft Windows [Version 10.0.17763.1935]
+(c) 2018 Microsoft Corporation. All rights reserved.
- azureuser@aks-nodepool1-79590246-0:~$
- ```
+azureuser@aksnpwin000000 C:\Users\azureuser>
+```
## Remove SSH access
When done, `exit` the SSH session and then `exit` the interactive container sess
## Next steps
-If you need additional troubleshooting data, you can [view the kubelet logs][view-kubelet-logs] or [view the Kubernetes master node logs][view-master-logs].
+If you need more troubleshooting data, you can [view the kubelet logs][view-kubelet-logs] or [view the Kubernetes master node logs][view-master-logs].
-<!-- EXTERNAL LINKS -->
-[kubectl-get]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#get
<!-- INTERNAL LINKS -->
-[az-aks-show]: /cli/azure/aks#az_aks_show
-[az-vm-list]: /cli/azure/vm#az_vm_list
-[az-vm-user-update]: /cli/azure/vm/user#az_vm_user_update
-[az-vm-list-ip-addresses]: /cli/azure/vm#az_vm_list_ip_addresses
[view-kubelet-logs]: kubelet-logs.md [view-master-logs]: ./view-control-plane-logs.md [aks-quickstart-cli]: kubernetes-walkthrough.md
If you need additional troubleshooting data, you can [view the kubelet logs][vie
[aks-windows-rdp]: rdp.md [ssh-nix]: ../virtual-machines/linux/mac-create-ssh-keys.md [ssh-windows]: ../virtual-machines/linux/ssh-from-windows.md
-[az-vmss-list]: /cli/azure/vmss#az_vmss_list
-[az-vmss-extension-set]: /cli/azure/vmss/extension#az_vmss_extension_set
-[az-vmss-update-instances]: /cli/azure/vmss#az_vmss_update_instances
+[ssh-linux-kubectl-debug]: #create-the-ssh-connection-to-a-linux-node
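Review bot: the new sentence "You are then provided with the bash prompt of your Windows Server node" contradicts the captured session that follows, which ends at a Windows command prompt (`azureuser@aksnpwin000000 C:\Users\azureuser>`); change "bash prompt" to "command prompt". Two smaller points in the same region: "This private key is used to create the SSH to the Windows Server AKS node" is missing the word "connection", and because the `kubectl cp ~/.ssh/id_rsa ...:/id_rsa` step leaves a copy of the private key inside the `kubectl debug` pod, the "Remove SSH access" text, which only tells the reader to `exit` both sessions, should also say to delete the debug pod so the copied key does not stay on the cluster.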
aks Start Stop Cluster https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/start-stop-cluster.md
You can verify when your cluster has started by using the [az aks show][az-aks-s
If the `provisioningState` shows `Starting` that means your cluster hasn't fully started yet.
+> [!NOTE]
+> If you are using cluster autoscaler, when you start your cluster back up your current node count may not be between the min and max range values you set. This behavior is expected. The cluster starts with the number of nodes it needs to run its workloads, which isn't impacted by your autoscaler settings. When your cluster performs scaling operations, the min and max values will impact your current node count and your cluster will eventually enter and remain in that desired range until you stop your cluster.
+ ## Next steps - To learn how to scale `User` pools to 0, see [Scale `User` pools to 0](scale-cluster.md#scale-user-node-pools-to-0).
aks Troubleshooting https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/troubleshooting.md
If your cluster's provisioning status remains as *Failed* or the applications on
If you're using Azure Firewall like on this [example](limit-egress-traffic.md#restrict-egress-traffic-using-azure-firewall), you may encounter this issue as the long lived TCP connections via firewall using Application Rules currently have a bug (to be resolved in Q1CY21) that causes the Go `keepalives` to be terminated on the firewall. Until this issue is resolved, you can mitigate by adding a Network rule (instead of application rule) to the AKS API server IP.
+## When resuming my cluster after a stop operation, why is my node count not in the autoscaler min and max range?
+
+If you are using cluster autoscaler, when you start your cluster back up your current node count may not be between the min and max range values you set. This behavior is expected. The cluster starts with the number of nodes it needs to run its workloads, which isn't impacted by your autoscaler settings. When your cluster performs scaling operations, the min and max values will impact your current node count and your cluster will eventually enter and remain in that desired range until you stop your cluster.
+ ## Azure Storage and AKS Troubleshooting ### Failure when setting uid and `GID` in mountOptions for Azure Disk
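Review bot: the new FAQ paragraph ("If you are using cluster autoscaler, when you start your cluster back up ...") is a verbatim copy of the NOTE added to start-stop-cluster.md in this same update; keep one canonical copy and link to it from the other page so the two do not drift apart. Separately, the unchanged context sentence just above it still promises that the Azure Firewall keepalive bug is "to be resolved in Q1CY21", a date that has passed given the May 2021 update dates elsewhere in this batch; replace the dated promise with the current status or a link to a tracking item, since readers use that sentence to decide whether the Network-rule workaround is still needed.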
aks Use Azure Ad Pod Identity https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/use-azure-ad-pod-identity.md
Last updated 3/12/2021
Azure Active Directory pod-managed identities uses Kubernetes primitives to associate [managed identities for Azure resources][az-managed-identities] and identities in Azure Active Directory (AAD) with pods. Administrators create identities and bindings as Kubernetes primitives that allow pods to access Azure resources that rely on AAD as an identity provider. > [!NOTE]
+>The feature described in this document, pod-managed identities (preview), will be replaced with pod-managed identities V2 (preview).
> If you have an existing installation of AADPODIDENTITY, you must remove the existing installation. Enabling this feature means that the MIC component isn't needed. [!INCLUDE [preview features callout](./includes/preview/preview-callout.md)]
az aks update -g $MY_RESOURCE_GROUP -n $MY_CLUSTER --enable-pod-identity --netwo
## Mitigation
-To mitigate the vulnerability at the cluster level, you can use OpenPolicyAgent admission controller together with Gatekeeper validating webhook. Provided you have Gatekeeper already installed in your cluster, add the ConstraintTemplate of type K8sPSPCapabilities:
+To mitigate the vulnerability at the cluster level, you can use the Azure built-in policy "Kubernetes cluster containers should only use allowed capabilities" to limit the CAP_NET_RAW attack.
+
+Add NET_RAW to "Required drop capabilities"
+
+![image](https://user-images.githubusercontent.com/50749048/118558790-206b8880-b735-11eb-9e48-236b81116812.png)
+
+If you are not using Azure Policy, you can use OpenPolicyAgent admission controller together with Gatekeeper validating webhook. Provided you have Gatekeeper already installed in your cluster, add the ConstraintTemplate of type K8sPSPCapabilities:
``` kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/capabilities/template.yaml
az aks create -g $MY_RESOURCE_GROUP -n $MY_CLUSTER --enable-pod-identity --enabl
## Update an existing AKS cluster with Kubenet network plugin
-Update an existing AKS cluster with Kubnet network plugin to include pod-managed identity.
+Update an existing AKS cluster with Kubenet network plugin to include pod-managed identity.
```azurecli-interactive az aks update -g $MY_RESOURCE_GROUP -n $MY_CLUSTER --enable-pod-identity --enable-pod-identity-with-kubenet
az aks pod-identity add --resource-group myResourceGroup --cluster-name myAKSClu
## Run a sample application
-For a pod to use AAD pod-managed identity, the pod needs an *aadpodidbinding* label with a value that matches a selector from a *AzureIdentityBinding*. To run a sample application using AAD pod-managed identity, create a `demo.yaml` file with the following contents. Replace *POD_IDENTITY_NAME*, *IDENTITY_CLIENT_ID*, and *IDENTITY_RESOURCE_GROUP* with the values from the previous steps. Replace *SUBSCRIPTION_ID* with your subscription id.
+For a pod to use AAD pod-managed identity, the pod needs an *aadpodidbinding* label with a value that matches a selector from a *AzureIdentityBinding*. To run a sample application using AAD pod-managed identity, create a `demo.yaml` file with the following contents. Replace *POD_IDENTITY_NAME*, *IDENTITY_CLIENT_ID*, and *IDENTITY_RESOURCE_GROUP* with the values from the previous steps. Replace *SUBSCRIPTION_ID* with your subscription ID.
> [!NOTE] > In the previous steps, you created the *POD_IDENTITY_NAME*, *IDENTITY_CLIENT_ID*, and *IDENTITY_RESOURCE_GROUP* variables. You can use a command such as `echo` to display the value you set for variables, for example `echo $IDENTITY_NAME`.
successfully acquired a token, userAssignedID MSI, msiEndpoint(http://169.254.16
successfully made GET on instance metadata ... ```
+## Run an application with multiple identities
+
+## Create multiple identities
+
+Create identities using [az identity create][az-identity-create] and set the *IDENTITY_CLIENT_ID* and *IDENTITY_RESOURCE_ID* variables.
+
+```azurecli-interactive
+az group create --name myIdentityResourceGroup --location eastus
+export IDENTITY_RESOURCE_GROUP="myIdentityResourceGroup"
+export IDENTITY_NAME_1="application-identity_1"
+az identity create --resource-group ${IDENTITY_RESOURCE_GROUP} --name ${IDENTITY_NAME_1}
+export IDENTITY_NAME_2="application-identity_2"
+az identity create --resource-group ${IDENTITY_RESOURCE_GROUP} --name ${IDENTITY_NAME_2}
+export IDENTITY_CLIENT_ID="$(az identity show -g ${IDENTITY_RESOURCE_GROUP} -n ${IDENTITY_NAME_1} --query clientId -otsv)"
+export IDENTITY_RESOURCE_ID="$(az identity show -g ${IDENTITY_RESOURCE_GROUP} -n ${IDENTITY_NAME_1} --query id -otsv)"
+export IDENTITY_CLIENT_ID="$(az identity show -g ${IDENTITY_RESOURCE_GROUP} -n ${IDENTITY_NAME_2} --query clientId -otsv)"
+export IDENTITY_RESOURCE_ID="$(az identity show -g ${IDENTITY_RESOURCE_GROUP} -n ${IDENTITY_NAME_2} --query id -otsv)"
+```
+
+## Assign permissions for the managed identities
+
+The *IDENTITY_CLIENT_ID* managed identity must have Reader permissions in the resource group that contains the virtual machine scale set of your AKS cluster.
+
+```azurecli-interactive
+NODE_GROUP=$(az aks show -g myResourceGroup -n myAKSCluster --query nodeResourceGroup -o tsv)
+NODES_RESOURCE_ID=$(az group show -n $NODE_GROUP -o tsv --query "id")
+az role assignment create --role "Reader" --assignee "$IDENTITY_CLIENT_ID_1" --scope $NODES_RESOURCE_ID
+az role assignment create --role "Reader" --assignee "$IDENTITY_CLIENT_ID_2" --scope $NODES_RESOURCE_ID
+```
+
+## Create pod identities
+
+Create pod identities for the cluster using `az aks pod-identity add`.
+
+> [!IMPORTANT]
+> You must have the appropriate permissions, such as `Owner`, on your subscription to create the identity and role binding.
+
+```azurecli-interactive
+export POD_IDENTITY_NAME="my-pod-identity"
+export POD_IDENTITY_NAMESPACE="my-app"
+az aks pod-identity add --resource-group myResourceGroup --cluster-name myAKSCluster --namespace ${POD_IDENTITY_NAMESPACE} --name ${POD_IDENTITY_NAME} --identity-resource-id ${IDENTITY_RESOURCE_ID_1} --binding-selector foo
+az aks pod-identity add --resource-group myResourceGroup --cluster-name myAKSCluster --namespace ${POD_IDENTITY_NAMESPACE} --name ${POD_IDENTITY_NAME} --identity-resource-id ${IDENTITY_RESOURCE_ID_2} --binding-selector foo
+```
+
+> [!NOTE]
+> When you enable pod-managed identity on your AKS cluster, an AzurePodIdentityException named *aks-addon-exception* is added to the *kube-system* namespace. An AzurePodIdentityException allows pods with certain labels to access the Azure Instance Metadata Service (IMDS) endpoint without being intercepted by the node-managed identity (NMI) server. The *aks-addon-exception* allows AKS first-party addons, such as AAD pod-managed identity, to operate without having to manually configure an AzurePodIdentityException. Optionally, you can add, remove, and update an AzurePodIdentityException using `az aks pod-identity exception add`, `az aks pod-identity exception delete`, `az aks pod-identity exception update`, or `kubectl`.
+
+## Run a sample application with multiple identities
+
+For a pod to use AAD pod-managed identity, the pod needs an *aadpodidbinding* label with a value that matches a selector from a *AzureIdentityBinding*. To run a sample application using AAD pod-managed identity, create a `demo.yaml` file with the following contents. Replace *POD_IDENTITY_NAME*, *IDENTITY_CLIENT_ID*, and *IDENTITY_RESOURCE_GROUP* with the values from the previous steps. Replace *SUBSCRIPTION_ID* with your subscription ID.
+
+> [!NOTE]
+> In the previous steps, you created the *POD_IDENTITY_NAME*, *IDENTITY_CLIENT_ID*, and *IDENTITY_RESOURCE_GROUP* variables. You can use a command such as `echo` to display the value you set for variables, for example `echo $IDENTITY_NAME`.
+
+```yml
+apiVersion: v1
+kind: Pod
+metadata:
+ name: demo
+ labels:
+ aadpodidbinding: foo
+spec:
+ containers:
+ - name: demo
+ image: mcr.microsoft.com/oss/azure/aad-pod-identity/demo:v1.6.3
+ args:
+ - --subscriptionid=SUBSCRIPTION_ID
+ - --clientid=IDENTITY_CLIENT_ID
+ - --resourcegroup=IDENTITY_RESOURCE_GROUP
+ env:
+ - name: MY_POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: MY_POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: MY_POD_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
+ nodeSelector:
+ kubernetes.io/os: linux
+```
+
+Notice the pod definition has an *aadpodidbinding* label with a value that matches the name of the pod identity you ran `az aks pod-identity add` in the previous step.
+
+Deploy `demo.yaml` to the same namespace as your pod identity using `kubectl apply`:
+
+```azurecli-interactive
+kubectl apply -f demo.yaml --namespace $POD_IDENTITY_NAMESPACE
+```
+
+Verify the sample application successfully runs using `kubectl logs`.
+
+```azurecli-interactive
+kubectl logs demo --follow --namespace $POD_IDENTITY_NAMESPACE
+```
+
+Verify the logs show the a token is successfully acquired and the *GET* operation is successful.
+
+```output
+...
+successfully doARMOperations vm count 0
+successfully acquired a token using the MSI, msiEndpoint(http://169.254.169.254/metadata/identity/oauth2/token)
+successfully acquired a token, userAssignedID MSI, msiEndpoint(http://169.254.169.254/metadata/identity/oauth2/token) clientID(xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx)
+successfully made GET on instance metadata
+...
+```
+export IDENTITY_CLIENT_ID="$(az identity show -g ${IDENTITY_RESOURCE_GROUP} -n ${IDENTITY_NAME} --query clientId -otsv)"
+export IDENTITY_RESOURCE_ID="$(az identity show -g ${IDENTITY_RESOURCE_GROUP} -n ${IDENTITY_NAME} --query id -otsv)"
+```
## Clean up
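Review bot: the multi-identity walkthrough sets variables it never uses and uses variables it never sets. In the "Create multiple identities" block, `IDENTITY_CLIENT_ID` and `IDENTITY_RESOURCE_ID` are each exported twice, so the second identity's values overwrite the first; the later blocks then reference `$IDENTITY_CLIENT_ID_1`, `$IDENTITY_CLIENT_ID_2`, `${IDENTITY_RESOURCE_ID_1}` and `${IDENTITY_RESOURCE_ID_2}`, none of which is defined, so the `az role assignment create` and `az aks pod-identity add` commands run with empty arguments. Rename the four exports to the `_1`/`_2` forms. In the "Create pod identities" block both `az aks pod-identity add` calls also pass the same `--name ${POD_IDENTITY_NAME}` and `--binding-selector foo`; the second call needs a distinct name, and the sentence after the YAML ("a value that matches the name of the pod identity") should say the `aadpodidbinding` label matches the `--binding-selector` value (`foo`), which is what the manifest actually uses. The lines `export IDENTITY_CLIENT_ID=...`, `export IDENTITY_RESOURCE_ID=...` and a bare closing fence that appear after the output block, just before "## Clean up", have no opening fence and look like a leftover from an earlier edit; remove them. Finally, "## Run an application with multiple identities" is immediately followed by same-level headings ("## Create multiple identities", "## Assign permissions ..."), so the subsections should be one level deeper to read as a unit.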
aks Use Managed Identity https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/use-managed-identity.md
A Kubelet identity enables access to be granted to the existing identity prior t
### Limitations - Only works with a User-Assigned Managed cluster.-- Azure Government isn't currently supported. - Azure China 21Vianet isn't currently supported. First, register the feature flag for Kubelet identity:
aks Windows Faq https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/windows-faq.md
Yes, you can use the [Kubernetes Web Dashboard][kubernetes-dashboard] to access
To change the time zone of a running Windows Server container, connect to the running container with a PowerShell session. For example: ```azurecli-interactive
-kubectl exec -it CONTAINER-NAME ΓÇô- powershell
+kubectl exec -it CONTAINER-NAME -- powershell
``` In the running container, use [Set-TimeZone](/powershell/module/microsoft.powershell.management/set-timezone) to set the time zone of the running container. For example:
analysis-services Analysis Services Connect Pbi https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/analysis-services/analysis-services-connect-pbi.md
description: Learn how to connect to an Azure Analysis Services server by using
Previously updated : 4/20/2021 Last updated : 5/25/2021
To safeguard the performance of the system, a memory limit is enforced for all q
| | Request Memory limit | |--|-|
-| **Live connect from Power BI** | 10 GB |
-| **DirectQuery from Power BI report in Shared workspace** | 1 GB |
-| **DirectQuery from Power BI report in Premium workspace** | 10 GB |
-| **[Power BI Q&A](/power-bi/create-reports/power-bi-tutorial-q-and-a)** | 100 MB |
+| Live connect from Power BI | 10 GB |
+| DirectQuery from Power BI report in Shared workspace | 1 GB |
+| DirectQuery from Power BI report in Premium workspace | 10 GB |
+| Power BI Q&A | 100 MB |
## See also [Connect to Azure Analysis Services](analysis-services-connect.md)
api-management Api Management Features https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/api-management-features.md
Each API Management [pricing tier](https://aka.ms/apimpricing) offers a distinct
| Direct management API | No | Yes | Yes | Yes | Yes | | Azure Monitor logs and metrics | No | Yes | Yes | Yes | Yes | | Static IP | No | Yes | Yes | Yes | Yes |
+| [WebSocket APIs (preview)](websocket-api.md) | No | Yes | Yes | Yes | Yes |
<sup>1</sup> Enables the use of Azure AD (and Azure AD B2C) as an identity provider for user sign in on the developer portal.<br/> <sup>2</sup> Including related functionality e.g. users, groups, issues, applications and email templates and notifications.<br/>
api-management Developer Portal Alternative Processes Self Host https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/developer-portal-alternative-processes-self-host.md
npm run build-function
Then, sign in to the Azure CLI and deploy it:
-```sh
+```azurecli
az login cd ./dist/function func azure functionapp publish <function app name>
You can also front the files with a Content Delivery Network (CDN) to reduce pag
Learn more about the developer portal: -- [Azure API Management developer portal overview](api-management-howto-developer-portal.md)
+- [Azure API Management developer portal overview](api-management-howto-developer-portal.md)
api-management Websocket Api https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/websocket-api.md
+
+ Title: Import a WebSocket API using the Azure portal | Microsoft Docs
+
+description: Learn how API Management supports WebSocket, add a WebSocket API, and WebSocket limitations.
++++ Last updated : 05/25/2021+++
+# Import a WebSocket API (preview)
+
+With API ManagementΓÇÖs WebSocket API solution, you can now manage, protect, observe, and expose both WebSocket and REST APIs with API Management and provide a central hub for discovering and consuming all APIs. API publishers can quickly add a WebSocket API in API Management via:
+* A simple gesture in the Azure portal, and
+* The Management API and Azure Resource Manager.
+
+You can secure WebSocket APIs by applying existing access control policies, like [JWT validation](./api-management-access-restriction-policies.md#ValidateJWT). You can also test WebSocket APIs using the API test consoles in both Azure portal and developer portal. Building on existing observability capabilities, API Management provides metrics and logs for monitoring and troubleshooting WebSocket APIs.
++
+In this article, you will:
+> [!div class="checklist"]
+> * Understand Websocket passthrough flow.
+> * Add a WebSocket API to your API Management instance.
+> * Learn the limitations of WebSocket API.
+
+## Prerequisites
+
+- An existing API Management instance. [Create one if you haven't already](get-started-create-service-instance.md).
+- A [WebSocket API](https://www.websocket.org/echo.html).
+
+## WebSocket passthrough
+
+API Management supports WebSocket passthrough.
++
+During the WebSocket passthrough the client application establishes a WebSocket connection with the API Management Gateway, which then establishes a connection with the corresponding backend services. API Management then proxies WebSocket client-server messages.
+
+1. The client application sends a WebSocket handshake request to APIM gateway, invoking onHandshake operation.
+1. APIM gateway sends WebSocket handshake request to the corresponding backend service.
+1. The backend service upgrades a connection to WebSocket.
+1. APIM gateway upgrades the corresponding connection to WebSocket.
+1. Once the connection pair is established, APIM will broker messages back and forth between the client application and backend service.
+1. The client application sends message to APIM gateway.
+1. APIM gateway forwards the message to the backend service.
+1. The backend service sends a message to APIM gateway.
+1. APIM gateway forwards the message to the client application.
+1. When either side disconnects, APIM terminates the corresponding connection.
+
+> [!NOTE]
+> The client-side and backend-side connections consist of one-to-one mapping.
+
+## onHandshake operation
+
+Per the [WebSocket protocol](https://tools.ietf.org/html/rfc6455), when a client application tries to establish a WebSocket connection with a backend service, it will first send an [opening handshake request](https://tools.ietf.org/html/rfc6455#page-6). Each WebSocket API in API Management has an onHandshake operation. onHandshake is an immutable, unremovable, automatically created system operation. The onHandshake operation enables API publishers to intercept these handshake requests and apply API Management policies to them.
++
+## Add a WebSocket API
+
+1. Navigate to your API Management instance.
+1. From the side navigation menu, under the **APIs** section, select **APIs**.
+1. Under **Define a new API**, select the **WebSocket** icon.
+1. In the dialog box, select **Full** and complete the required form fields.
+
+ | Field | Description |
+ |-|-|
+ | Display name | The name by which your WebSocket API will be displayed. |
+ | Name | Raw name of the WebSocket API. Automatically populates as you type the display name. |
+ | WebSocket URL | The base URL with your websocket name. For example: ws://example.com/your-socket-name |
+ | Products | Associate your WebSocket API with a product to publish it. |
+ | Gateways | Associate your WebSocket API with existing gateways. |
+
+1. Click **Create**.
+
+## Limitations
+
+WebSocket APIs are available and supported in public preview through Azure portal, Management API, and Azure Resource Manager. Below are the current restrictions of WebSocket support in API Management:
+
+* WebSocket APIs are not supported in the Consumption tier.
+* WebSocket APIs are not supported in the [self-hosted gateway](./how-to-deploy-self-hosted-gateway-azure-arc.md).
+* Azure CLI, PowerShell, and SDK do not support management operations of WebSocket APIs.
+
+### Unsupported policies
+
+The following policies are not supported by and cannot be applied to the onHandshake operation:
+* Mock response
+* Get from cache
+* Store to cache
+* Allow cross-domain calls
+* CORS
+* JSONP
+* Set request method
+* Set body
+* Convert XML to JSON
+* Convert JSON to XML
+* Transform XML using XSLT
+* Validate content
+* Validate parameters
+* Validate headers
+* Validate status code
+
+> [!NOTE]
+> If you applied the policies at higher scopes (i.e., global or product) and they were inherited by a WebSocket API through the policy, they will be skipped at run time.
++
+## Next steps
+> [!div class="nextstepaction"]
+> [Transform and protect a published API](transform-api.md)
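Review bot: the protection story needs one clarifying sentence. The introduction says existing access-control policies such as JWT validation can be applied, but the "onHandshake operation" section says policies are applied to the opening handshake request, and the passthrough steps show that once the connection pair is established API Management only brokers messages back and forth; state explicitly that policies, including JWT validation, are evaluated once at the handshake and not per message, so readers do not assume per-message authorization or token-expiry enforcement on an already-open connection. Related: the "WebSocket URL" table row uses a plain `ws://example.com/your-socket-name` example; since the article is about protecting APIs, use a `wss://` URL in the example. Smaller items: the front-matter lines above the title are garbled (`++++ Last updated : 05/25/2021+++`), the first paragraph contains a mis-encoded apostrophe in "ManagementΓÇÖs", "Understand Websocket passthrough flow" should spell "WebSocket" as elsewhere, and the first handshake step ("invoking onHandshake operation") uses the term before the "onHandshake operation" section defines it, so a short parenthetical or a forward link would help.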
app-service App Service Web Tutorial Connect Msi https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/app-service-web-tutorial-connect-msi.md
Type `Ctrl+F5` to run the app again. The same CRUD app in your browser is now co
### Modify ASP.NET Core
+> [!NOTE]
+> **Microsoft.Azure.Services.AppAuthentication** is no longer recommended to use with new Azure SDK.
+> It is replaced with new **Azure Identity client library** available for .NET, Java, TypeScript and Python and should be used for all new development.
+> Information about how to migrate to `Azure Identity`can be found here: [AppAuthentication to Azure.Identity Migration Guidance](/dotnet/api/overview/azure/app-auth-migration).
+ In Visual Studio, open the Package Manager Console and add the NuGet package [Microsoft.Azure.Services.AppAuthentication](https://www.nuget.org/packages/Microsoft.Azure.Services.AppAuthentication): ```powershell
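Review bot: the new note says `Microsoft.Azure.Services.AppAuthentication` is no longer recommended, yet the very next instruction (unchanged) still tells the reader to add that NuGet package; either convert the steps to `Azure.Identity` or make the note say plainly that the steps below are kept for the legacy library. Also, there is a missing space in "`Azure Identity`can be found here", and the library is called "Azure Identity client library" in one sentence and `Azure Identity` in the next; use the package name `Azure.Identity` consistently with the migration-guide link.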
app-service Configure Language Java https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/configure-language-java.md
During the 30 second interval, you can validate the recording is taking place by
#### Continuous Recording
-You can use Zulu Flight Recorder to continuously profile your Java application with minimal impact on runtime performance ([source](https://assets.azul.com/files/Zulu-Mission-Control-data-sheet-31-Mar-19.pdf)). To do so, run the following Azure CLI command to create an App Setting named JAVA_OPTS with the necessary configuration. The contents of the JAVA_OPTS App Setting are passed to the `java` command when your app is started.
+You can use Zulu Flight Recorder to continuously profile your Java application with minimal impact on runtime performance. To do so, run the following Azure CLI command to create an App Setting named JAVA_OPTS with the necessary configuration. The contents of the JAVA_OPTS App Setting are passed to the `java` command when your app is started.
```azurecli az webapp config appsettings set -g <your_resource_group> -n <your_app_name> --settings JAVA_OPTS=-XX:StartFlightRecording=disk=true,name=continuous_recording,dumponexit=true,maxsize=1024m,maxage=1d
app-service Configure Ssl Certificate https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/configure-ssl-certificate.md
Once the certificate is added to your App Service app or [function app](../azure-functions/index.yml), you can [secure a custom DNS name with it](configure-ssl-bindings.md) or [use it in your application code](configure-ssl-certificate-in-code.md). > [!NOTE]
-> A certificate uploaded into an app is stored in a deployment unit that is bound to the app's resource group and region combination (internally called a *webspace*). This makes the certificate accessible to other apps in the same resource group and region combination.
+> A certificate uploaded into an app is stored in a deployment unit that is bound to the app service plan's resource group and region combination (internally called a *webspace*). This makes the certificate accessible to other apps in the same resource group and region combination.
The following table lists the options you have for adding certificates in App Service:
app-service Deploy Continuous Deployment https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/deploy-continuous-deployment.md
[Azure App Service](overview.md) enables continuous deployment from [GitHub](https://help.github.com/articles/create-a-repo), [BitBucket](https://confluence.atlassian.com/get-started-with-bitbucket/create-a-repository-861178559.html), and [Azure Repos](/azure/devops/repos/git/creatingrepo) repositories by pulling in the latest updates. > [!NOTE]
-> The **Development Center (Classic)** page in the Azure portal, which is the old deployment experience, will be deprecated in March, 2021. This change will not affect any existing deployment settings in your app, and you can continue to manage app deployment in the **Deployment Center** page.
+> The **Development Center (Classic)** page in the Azure portal, an earlier version of the deployment experience, was deprecated in March 2021. This change doesn't affect existing deployment settings in your app, and you can continue to manage app deployment in the **Deployment Center** page in the portal.
[!INCLUDE [Prepare repository](../../includes/app-service-deploy-prepare-repo.md)]
app-service Manage Create Arc Environment https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/manage-create-arc-environment.md
Title: 'Set up Azure Arc for App Service, Functions, and Logic Apps' description: For your Azure Arc enabled Kubernetes clusters, learn how to enable App Service apps, function apps, and logic apps. Previously updated : 05/03/2021 Last updated : 05/26/2021 # Set up an Azure Arc enabled Kubernetes cluster to run App Service, Functions, and Logic Apps (Preview)
az extension add --upgrade --yes --name connectedk8s
az extension add --upgrade --yes --name k8s-extension az extension add --upgrade --yes --name customlocation az provider register --namespace Microsoft.ExtendedLocation --wait
+az provider register --namespace Microsoft.Web --wait
az extension remove --name appservice-kube az extension add --yes --source "https://aka.ms/appsvc/appservice_kube-latest-py2.py3-none-any.whl" ```
az extension add --yes --source "https://aka.ms/appsvc/appservice_kube-latest-py
## Create a connected cluster > [!NOTE]
-> As more Kubernetes distributions are validated for App Service Kubernetes environments, see [Quickstart: Connect an existing Kubernetes cluster to Azure Arc](../azure-arc/kubernetes/quickstart-connect-cluster.md) for general instructions on creating an Azure Arc enabled Kubernetes cluster.
-
-<!-- https://github.com/MicrosoftDocs/azure-docs-pr/pull/156618 -->
-
-Because App Service on Arc is currently validated only on [Azure Kubernetes Service](/azure/aks/), create an Azure Arc enabled cluster on Azure Kubernetes Service.
+> This tutorial uses [Azure Kubernetes Service (AKS)](/azure/aks/) to provide concrete instructions for setting up an environment from scratch. However, for a production workload, you will likely not want to enable Azure Arc on an AKS cluster as it is already managed in Azure. The steps below will help you get started understanding the service, but for production deployments, they should be viewed as illustrative, not prescriptive. See [Quickstart: Connect an existing Kubernetes cluster to Azure Arc](../azure-arc/kubernetes/quickstart-connect-cluster.md) for general instructions on creating an Azure Arc enabled Kubernetes cluster.
1. Create a cluster in Azure Kubernetes Service with a public IP address. Replace `<group-name>` with the resource group name you want.
While a [Log Analytic workspace](../azure-monitor/logs/quick-create-workspace.md
--release-train stable \ --auto-upgrade-minor-version true \ --scope cluster \
- --release-namespace '${namespace}' \
+ --release-namespace "${namespace}" \
--configuration-settings "Microsoft.CustomLocation.ServiceAccount=default" \ --configuration-settings "appsNamespace=${namespace}" \ --configuration-settings "clusterName=${kubeEnvironmentName}" \
Before you can start creating apps on the custom location, you need an [App Serv
- [Quickstart: Create a web app on Azure Arc](quickstart-arc.md) - [Create your first function on Azure Arc](../azure-functions/create-first-function-arc-cli.md)-- [Create your first logic app on Azure Arc](../logic-apps/azure-arc-enabled-logic-apps-create-deploy-workflows.md)
+- [Create your first logic app on Azure Arc](../logic-apps/azure-arc-enabled-logic-apps-create-deploy-workflows.md)
app-service Overview Arc Integration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/overview-arc-integration.md
In most cases, app developers need to know nothing more than how to deploy to th
## Public preview limitations
-The following public preview limitations apply to App Service Kubernetes environments. They will be updated when additional distributions are validated and more regions are supported.
-
-| Limitation | Details |
-||-|
-| Supported Azure regions | East US, West Europe |
-| Validated Kubernetes distributions | Azure Kubernetes Service |
-| Feature: Networking | [Not available (rely on cluster networking)](#are-networking-features-supported) |
-| Feature: Managed identities | [Not available](#are-managed-identities-supported) |
-| Feature: Key vault references | Not available (depends on managed identities) |
-| Feature: Pull images from ACR with managed identity | Not available (depends on managed identities) |
-| Feature: In-portal editing for Functions and Logic Apps | Not available |
-| Feature: FTP publishing | Not available |
-| Logs | Log Analytics must be configured with cluster extension; not per-site |
+The following public preview limitations apply to App Service Kubernetes environments. They will be updated as changes are made available.
+
+| Limitation | Details |
+|||
+| Supported Azure regions | East US, West Europe |
+| Cluster networking requirement | Must support `LoadBalancer` service type and provide a publicly addressable static IP |
+| Feature: Networking | [Not available (rely on cluster networking)](#are-networking-features-supported) |
+| Feature: Managed identities | [Not available](#are-managed-identities-supported) |
+| Feature: Key vault references | Not available (depends on managed identities) |
+| Feature: Pull images from ACR with managed identity | Not available (depends on managed identities) |
+| Feature: In-portal editing for Functions and Logic Apps | Not available |
+| Feature: FTP publishing | Not available |
+| Logs | Log Analytics must be configured with cluster extension; not per-site |
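Review bot: the header separator row `|||` in the new table contains no dashes, so the Markdown table will not render; it should be `|---|---|`. The new `Cluster networking requirement` row also says the cluster must expose a publicly addressable static IP while the `Feature: Networking` row says the service relies on cluster networking; linking the new row to the same networking FAQ anchor would make clear that limiting exposure of that public IP is handled at the cluster level, not by App Service.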
## Pods created by the App Service extension
Only one Kubernetes environment resource may created in a custom location. In mo
- [Are networking features supported?](#are-networking-features-supported) - [Are managed identities supported?](#are-managed-identities-supported) - [What logs are collected?](#what-logs-are-collected)
+- [What do I do if I see a provider registration error?](#what-do-i-do-if-i-see-a-provider-registration-error)
### How much does it cost?
Logs for both system components and your applications are written to standard ou
By default, logs from system components are sent to the Azure team. Application logs are not sent. You can prevent these logs from being transferred by setting `logProcessor.enabled=false` as an extension configuration setting. This will also disable forwarding of application to your Log Analytics workspace. Disabling the log processor may impact time needed for any support cases, and you will be asked to collect logs from standard output through some other means.
+### What do I do if I see a provider registration error?
+
+When creating a Kubernetes environment resource, some subscriptions may see a "No registered resource provider found" error. The error details may include a set of locations and api versions that are considered valid. If this happens, it may be that the subscription needs to be re-registered with the Microsoft.Web provider, an operation which has no impact on existing applications or APIs. To re-register, use the Azure CLI to run `az provider register --namespace Microsoft.Web --wait`. Then re-attempt the Kubernetes environment command.
+ ## Next steps [Create an App Service Kubernetes environment (Preview)](manage-create-arc-environment.md)
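Review bot: the new FAQ entry tells readers to re-register `Microsoft.Web` but gives no way to check the current state first; suggest adding `az provider show --namespace Microsoft.Web --query registrationState -o tsv` before the re-register step so the command is only run when the provider is actually unregistered. The `## Next steps` heading on the last added line also has a leading space, which stops it rendering as a heading.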
app-service Quickstart Php https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/quickstart-php.md
Title: 'Quickstart: Create a PHP web app'
description: Deploy your first PHP Hello World to Azure App Service in minutes. You deploy using Git, which is one of many ways to deploy to App Service. ms.assetid: 6feac128-c728-4491-8b79-962da9a40788 Previously updated : 08/01/2020 Last updated : 05/02/2021 zone_pivot_groups: app-service-platform-windows-linux
In your terminal window, press **Ctrl+C** to exit the web server.
[!INCLUDE [Create resource group](../../includes/app-service-web-create-resource-group-linux.md)] ::: zone-end ## Create a web app
application-gateway Application Gateway Diagnostics https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/application-gateway/application-gateway-diagnostics.md
The access log is generated only if you've enabled it on each Application Gatewa
|sslProtocol| SSL/TLS protocol being used (if TLS is enabled).| |serverRouted| The backend server that application gateway routes the request to.| |serverStatus| HTTP status code of the backend server.|
-|serverResponseLatency| Latency of the response from the backend server.|
+|serverResponseLatency| Latency of the response (in **seconds**) from the backend server.|
|host| Address listed in the host header of the request. If rewritten using header rewrite, this field contains the updated host name| |originalRequestUriWithArgs| This field contains the original request URL | |requestUri| This field contains the URL after the rewrite operation on Application Gateway |
The access log is generated only if you've enabled it on each Application Gatewa
"httpVersion": "HTTP/1.0", "receivedBytes": 65, "sentBytes": 553,
- "timeTaken": 205,
+ "timeTaken": "0.012",
"sslEnabled": "off", "sslCipher": "", "sslProtocol": "", "serverRouted": "104.41.114.59:80", "serverStatus": "200",
- "serverResponseLatency": "0.023",
+ "serverResponseLatency": "0.012",
"host": "www.contoso.com", } }
application-gateway Configuration Infrastructure https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/application-gateway/configuration-infrastructure.md
Previously updated : 09/09/2020 Last updated : 05/26/2021
applied-ai-services What Are Applied Ai Services https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/applied-ai-services/what-are-applied-ai-services.md
Title: What are Azure Applied AI Services? description: Applied AI Services description.
-keywords: applied ai services, artifical intelligence, applied ai, ai services, cognitive search, applied ai features
+keywords: applied ai services, artificial intelligence, applied ai, ai services, cognitive search, applied ai features
Azure Applied AI Services are high-level services focused on empowering develope
## Azure Form Recognizer
-Enabling organizations in all industries to consume information hidden within documents to increase productivity, automate business process and generate knowledge and insights. Azure Form Recognizer is a service that lets you build automated data processing software using machine learning technology. Identify and extract text, key/value pairs, selection marks, tables, and structure from your documents. The service outputs structured data that includes the relationships in the original file, bounding boxes, confidence and more. You quickly get accurate results that are tailored to your specific content without heavy manual intervention or extensive data science expertise. Use Form Recognizer to automate data entry in your applications and enrich your documents' search capabilities. Azure Form Recognizer is built using OCR, Text Analytics and Custom Text from Azure Cognitive Services.
+Enabling organizations in all industries to consume information hidden within documents to increase productivity, automate business processes and generate knowledge and insights. Azure Form Recognizer is a service that lets you build automated data processing software using machine learning technology. Identify and extract text, key/value pairs, selection marks, tables, and structure from your documents. The service outputs structured data that includes the relationships in the original file, bounding boxes, confidence and more. You quickly get accurate results that are tailored to your specific content without heavy manual intervention or extensive data science expertise. Use Form Recognizer to automate data entry in your applications and enrich your documents' search capabilities. Azure Form Recognizer is built using OCR, Text Analytics and Custom Text from Azure Cognitive Services.
Form Recognizer is composed of custom document processing models, prebuilt models for invoices, receipts, IDs and business cards, and the layout model.
Form Recognizer is composed of custom document processing models, prebuilt model
## Azure Metrics Advisor
-Protecting organizationΓÇÖs growth by enabling them to make the right decision based on intelligence from metrics of businesses, services and physical assets. Azure Metrics Advisor uses AI to perform data monitoring and anomaly detection in time series data. The service automates the process of applying models to your data, and provides a set of APIs and a web-based workspace for data ingestion, anomaly detection, and diagnostics - without needing to know machine learning. Developers can build AIOps, predicative maintenance, and business monitoring applications on top of the service. Azure Metrics Advisor is built using Anomaly Detector from Azure Cognitive Services.ΓÇï
+Protecting organizationΓÇÖs growth by enabling them to make the right decision based on intelligence from metrics of businesses, services and physical assets. Azure Metrics Advisor uses AI to perform data monitoring and anomaly detection in time series data. The service automates the process of applying models to your data, and provides a set of APIs and a web-based workspace for data ingestion, anomaly detection, and diagnostics - without needing to know machine learning. Developers can build AIOps, predictive maintenance, and business monitoring applications on top of the service. Azure Metrics Advisor is built using Anomaly Detector from Azure Cognitive Services.ΓÇï
[Learn more about Azure Metrics Advisor](../cognitive-services/metrics-advisor/index.yml)
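Review bot: the added Metrics Advisor line still carries the mis-encoded characters `ΓÇÖ` (in `organizationΓÇÖs`) and a trailing `ΓÇï`; replace them with a plain apostrophe and drop the trailing character while fixing `predictive`. `organization's growth` should probably also read `organizations' growth` to agree with the plural `them` later in the sentence.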
automation Automation Solution Vm Management https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/automation-solution-vm-management.md
Title: Azure Automation Start/Stop VMs during off-hours overview
description: This article describes the Start/Stop VMs during off-hours feature, which starts or stops VMs on a schedule and proactively monitor them from Azure Monitor Logs. Previously updated : 05/18/2021 Last updated : 05/25/2021
The Start/Stop VMs during off-hours feature start or stops enabled Azure VMs. It starts or stops machines on user-defined schedules, provides insights through Azure Monitor logs, and sends optional emails by using [action groups](../azure-monitor/alerts/action-groups.md). The feature can be enabled on both Azure Resource Manager and classic VMs for most scenarios. > [!NOTE]
-> Before you install this version, we would like you to know about the [next version](https://github.com/microsoft/startstopv2-deployments), which is in preview right now. This new version (V2) offers all the same functionality as this one, but is designed to take advantage of newer technology in Azure. It adds some of the commonly requested features from customers, such as multi-subscription support from a single Start/Stop instance.
+> Before you install this version (v1), we would like you to know about the [next version](../azure-functions/start-stop-vms/overview.md), which is in preview right now. This new version (v2) offers all the same functionality as this one, but is designed to take advantage of newer technology in Azure. It adds some of the commonly requested features from customers, such as multi-subscription support from a single Start/Stop instance.
+>
+> Start/Stop VMs during off-hours (v1) will deprecate on 5/21/2022.
This feature uses [Start-AzVm](/powershell/module/az.compute/start-azvm) cmdlet to start VMs. It uses [Stop-AzVM](/powershell/module/az.compute/stop-azvm) for stopping VMs. > [!NOTE]
-> While the runbooks have been updated to use the new Azure Az module cmdlets, they use the AzureRM prefix alias.
-
-> [!NOTE]
-> Start/Stop VMs during off-hours has been updated to support the newest versions of the Azure modules that are available. The updated version of this feature, available in the Marketplace, doesnΓÇÖt support AzureRM modules because we have migrated from AzureRM to Az modules.
+> Start/Stop VMs during off-hours has been updated to support the newest versions of the Azure modules that are available. The updated version of this feature, available in the Marketplace, doesnΓÇÖt support AzureRM modules because we have migrated from AzureRM to Az modules. While the runbooks have been updated to use the new Azure Az module cmdlets, they use the AzureRM prefix alias.
The feature provides a decentralized low-cost automation option for users who want to optimize their VM costs. You can use the feature to:
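Review bot: `will deprecate on 5/21/2022` in the added note should read `will be deprecated on 5/21/2022`, and an unambiguous date form such as May 21, 2022 would avoid the day/month confusion of a numeric US date for readers elsewhere.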
automation Automation Windows Hrw Install https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/automation-windows-hrw-install.md
The runbook uses the following parameters.
| Parameter | Status | Description | | - | -- | -- |
-| `Location` | Mandatory | The location for the Log Analytics workspace. |
+| `Location` | Mandatory | The Location of the automation account in which the script is executed. |
| `ResourceGroupName` | Mandatory | The resource group for your Automation account. | | `AccountName` | Mandatory | The Automation account name in which the Hybrid Run Worker will be registered. | | `CreateLA` | Mandatory | If true, uses the value of `WorkspaceName` to create a Log Analytics workspace. If false, the value of `WorkspaceName` must refer to an existing workspace. |
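Review bot: `The Location of the automation account` should use lowercase `location`, and because the `CreateLA` row says a Log Analytics workspace is created from `WorkspaceName`, the description should state whether that new workspace is created in this same location, since the previous text described this parameter as the workspace location.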
automation Remove Vms From Change Tracking https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/change-tracking/remove-vms-from-change-tracking.md
description: This article tells how to remove VMs from Change Tracking and Inven
Previously updated : 10/14/2020 Last updated : 05/26/2021 # Remove VMs from Change Tracking and Inventory
Sign in to the [Azure portal](https://portal.azure.com).
3. In the Azure portal, navigate to **Log Analytics workspaces**. Select your workspace from the list.
-4. In your Log Analytics workspace, select **Logs** and then and choose **Query explorer** from the top actions menu.
+4. In your Log Analytics workspace, select **Computer Groups** from the left-hand menu.
-5. From **Query explorer** in the right-hand pane, expand **Saved Queries\Updates** and select the saved search query `MicrosoftDefaultComputerGroup` to edit it.
+5. From **Computer Groups** in the right-hand pane, the **Saved groups** tab is shown by default..
-6. In the query editor, review the query and find the UUID for the VM. Remove the UUID for the VM and repeat the steps for any other VMs you want to remove.
+6. From the table, click the icon **Run query** to the right of the item **MicrosoftDefaultComputerGroup** with the **Legacy category** value **ChangeTracking**.
-7. Save the saved search when you're finished editing it by selecting **Save** from the top bar.
+7. In the query editor, review the query and find the UUID for the VM. Remove the UUID for the VM and repeat the steps for any other VMs you want to remove.
+
+8. Save the saved search when you're finished editing it by selecting **Save > Save as function** from the top bar. When prompted, specify the following:
+
+ * **Name**: ChangeTracking__MicrosoftDefaultComputerGroup
+ * **Save as computer Group** is selected
+ * **Legacy category**: ChangeTracking
>[!NOTE] >Machines are still shown after you have unenrolled them because we report on all machines assessed in the last 24 hours. After removing the machine, you need to wait 24 hours before they are no longer listed.
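Review bot: step 5 ends with a double period (`by default..`), and step 8 says `Save > Save as function` but then lists `Save as computer Group is selected`, which reads as two different save modes; pick the one the portal actually shows and use consistent capitalization (`Save as computer group`). Step 6 also calls the control `Run query` while step 7 refers to the `query editor`; confirm the icon's label against the current portal UI.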
automation Remove Vms https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/update-management/remove-vms.md
Title: Remove VMs from Azure Automation Update Management
description: This article tells how to remove machines managed with Update Management. Previously updated : 01/05/2021 Last updated : 05/26/2021 # Remove VMs from Update Management
Sign in to the [Azure portal](https://portal.azure.com).
3. In the Azure portal, navigate to **Log Analytics workspaces**. Select your workspace from the list.
-4. In your Log Analytics workspace, select **Advanced settings** and then and choose **Computer Groups** from the left-hand menu.
+4. In your Log Analytics workspace, select **Computer Groups** from the left-hand menu.
-5. From **Computer Groups** in the right-hand pane, select **Saved groups**.
+5. From **Computer Groups** in the right-hand pane, the **Saved groups** tab is shown by default..
-6. From the table, for the saved search query **Updates:MicrosoftDefaultComputerGroup**, click the **View Members** icon to run and view its members.
+6. From the table, click the icon **Run query** to the right of the item **MicrosoftDefaultComputerGroup** with the **Legacy category** value **Updates**.
7. In the query editor, review the query and find the UUID for the VM. Remove the UUID for the VM and repeat the steps for any other VMs you want to remove.
-8. Save the saved search when you're finished editing it by selecting **Save** from the top bar. When prompted, specify the following:
+8. Save the saved search when you're finished editing it by selecting **Save > Save as function** from the top bar. When prompted, specify the following:
- * **Name**: MicrosoftDefaultComputerGroup
- * **Save as**: Function
- * **Alias**: Updates__MicrosoftDefaultComputerGroup
- * **Category**: Updates
+ * **Name**: Updates__MicrosoftDefaultComputerGroup
+ * **Save as computer Group** is selected
+ * **Legacy category**: Updates
>[!NOTE] >Machines are still shown after you have unenrolled them because we report on all machines assessed in the last 24 hours. After removing the machine, you need to wait 24 hours before they are no longer listed.
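Review bot: step 5 ends with a double period (`by default..`), and step 8 says `Save > Save as function` while the option list says `Save as computer Group is selected`; these describe two different save modes, so keep the one the portal shows and use consistent capitalization (`Save as computer group`). Since the old steps named the saved search `Updates:MicrosoftDefaultComputerGroup` and the new ones use `Updates__MicrosoftDefaultComputerGroup`, a sentence telling readers which name to expect in an existing workspace would help.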
automation Whats New https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/whats-new.md
Azure Automation receives improvements on an ongoing basis. To stay up to date w
This page is updated monthly, so revisit it regularly.
+## May 2021
+
+### Start/Stop VMs during off-hours (v1)
+
+**Type:** Plan for change
+
+Start/Stop VMs during off-hours (v1) will deprecate on 5/21/2022. Customers should evaluate and plan for migration to the Start/Stop VMs v2 (preview), and for further guidance please refer to [Start/Stop v2 overview](../azure-functions/start-stop-vms/overview.md) (preview).
+ ## March 2021 ### New Azure Automation built-in policies
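Review bot: `will deprecate on 5/21/2022` should be `will be deprecated on 5/21/2022`, `(preview)` appears twice in the same sentence, and the `## March 2021` heading on the last line has a leading space that stops it rendering as a heading.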
azure-app-configuration Quickstart Resource Manager https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-app-configuration/quickstart-resource-manager.md
description: Learn how to create an Azure App Configuration store by using Azure Resource Manager template (ARM template). Previously updated : 10/16/2020 Last updated : 05/26/2021
Write-Host "Press [ENTER] to continue..."
To learn about adding feature flag and Key Vault reference to an App Configuration store, check below ARM template examples. -- [101-app-configuration-store-ff](https://azure.microsoft.com/resources/templates/101-app-configuration-store-ff/)-- [101-app-configuration-store-keyvaultref](https://azure.microsoft.com/resources/templates/101-app-configuration-store-keyvaultref/)
+- [app-configuration-store-ff](https://azure.microsoft.com/resources/templates/app-configuration-store-ff/)
+- [app-configuration-store-keyvaultref](https://azure.microsoft.com/resources/templates/app-configuration-store-keyvaultref/)
azure-arc Configure Managed Instance https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/data/configure-managed-instance.md
description: Configure Azure Arc enabled SQL managed instance
--++ Last updated 09/22/2020
azure-arc Connect Managed Instance https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/data/connect-managed-instance.md
description: Connect to Azure Arc enabled SQL Managed Instance
--++ Last updated 09/22/2020
azure-arc Create Sql Managed Instance Azure Data Studio https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/data/create-sql-managed-instance-azure-data-studio.md
description: Create Azure SQL Managed Instance using Azure Data Studio
--++ Last updated 09/22/2020
azure-arc Create Sql Managed Instance Using Kubernetes Native Tools https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/data/create-sql-managed-instance-using-kubernetes-native-tools.md
description: Create a SQL managed instance using Kubernetes tools
--++ Last updated 02/11/2021
azure-arc Create Sql Managed Instance https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/data/create-sql-managed-instance.md
description: Create an Azure SQL managed instance on Azure Arc
--++ Last updated 09/22/2020
azure-arc Delete Managed Instance https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/data/delete-managed-instance.md
description: Delete Azure Arc enabled SQL Managed Instance
--++ Last updated 09/22/2020
azure-arc Managed Instance Features https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/data/managed-instance-features.md
description: Features and Capabilities of Azure Arc enabled SQL Managed Instance
--++ Last updated 09/22/2020
azure-arc Managed Instance High Availability https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/data/managed-instance-high-availability.md
Title: Azure Arc enabled Managed Instance high availability description: Learn how to deploy Azure Arc enabled Managed Instance with high availability.--++ Last updated 03/02/2021
azure-arc Managed Instance Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/data/managed-instance-overview.md
description: Azure Arc enabled SQL Managed Instance Overview
--++ Last updated 03/02/2021
azure-arc Migrate To Managed Instance https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/data/migrate-to-managed-instance.md
description: Migrate database from SQL Server to Azure Arc enabled SQL Managed I
--++ Last updated 09/22/2020
azure-arc Privacy Data Collection And Reporting https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/data/privacy-data-collection-and-reporting.md
Title: Data collection and reporting | Azure Arc enabled data services description: Explains the type of data that is transmitted by Arc enabled Data services to Microsoft. --++
The following table describes the type of data, how it is sent, and requirement.
|Operational Data|Metrics and logs|Automatic, when configured to do so|No Billing & inventory data|Inventory such as number of instances, and usage such as number of vCores consumed|Automatic |Yes Diagnostics|Diagnostic information for troubleshooting purposes|Manually exported and provided to Microsoft Support|Only for the scope of troubleshooting and follows the standard [privacy policies](https://privacy.microsoft.com/privacystatement)
-Customer Experience Improvement Program (CEIP)|[CEIP summary](/sql-server/usage-and-diagnostic-data-configuration-for-sql-server)|Automatic, if allowed|No
+Customer Experience Improvement Program (CEIP)|[CEIP summary](/sql/sql-server/usage-and-diagnostic-data-configuration-for-sql-server)|Automatic, if allowed|No
## Indirectly connected
The following table describes the type of data, how it is sent, and requirement.
|Operational Data|Metrics and logs|Manual|No Billing & inventory data|Inventory such as number of instances, and usage such as number of vCores consumed|Manual |Yes Diagnostics|Diagnostic information for troubleshooting purposes|Manually exported and provided to Microsoft Support|Only for the scope of troubleshooting and follows the standard [privacy policies](https://privacy.microsoft.com/privacystatement)
-Customer Experience Improvement Program (CEIP)|[CEIP summary](/sql-server/usage-and-diagnostic-data-configuration-for-sql-server)|Automatic, if allowed|No
+Customer Experience Improvement Program (CEIP)|[CEIP summary](/sql/sql-server/usage-and-diagnostic-data-configuration-for-sql-server)|Automatic, if allowed|No
## Detailed description of data
azure-arc Update Service Principal Credentials https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/data/update-service-principal-credentials.md
-+ Last updated 12/09/2020
azure-arc Azure Rbac https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/kubernetes/azure-rbac.md
Last updated 04/05/2021
-description: "Use Azure RBAC for authorization checks on Azure Arc enabled Kubernetes clusters"
+description: "Use Azure RBAC for authorization checks on Azure Arc enabled Kubernetes clusters."
# Integrate Azure Active Directory with Azure Arc enabled Kubernetes clusters
-Kubernetes [ClusterRoleBinding and RoleBinding](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#rolebinding-and-clusterrolebinding) object types help to define authorization in Kubernetes natively. Using this feature, you can use Azure Active Directory and role assignments in Azure to control authorization checks on the cluster. This implies you can now use Azure role assignments to granularly control who can read, write, delete your Kubernetes objects such as Deployment, Pod and Service
+Kubernetes [ClusterRoleBinding and RoleBinding](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#rolebinding-and-clusterrolebinding) object types help to define authorization in Kubernetes natively. By using this feature, you can use Azure Active Directory (Azure AD) and role assignments in Azure to control authorization checks on the cluster. This implies that you can now use Azure role assignments to granularly control who can read, write, and delete Kubernetes objects like deployment, pod, and service.
-A conceptual overview of this feature is available in [Azure RBAC - Azure Arc enabled Kubernetes](conceptual-azure-rbac.md) article.
+A conceptual overview of this feature is available in the [Azure RBAC on Azure Arc enabled Kubernetes](conceptual-azure-rbac.md) article.
[!INCLUDE [preview features note](./includes/preview/preview-callout.md)] ## Prerequisites -- [Install or upgrade Azure CLI](/cli/azure/install-azure-cli) to version >= 2.16.0
+- [Install or upgrade the Azure CLI](/cli/azure/install-azure-cli) to version 2.16.0 or later.
-- Install the `connectedk8s` Azure CLI extension of version >= 1.1.0:
+- Install the `connectedk8s` Azure CLI extension, version 1.1.0 or later:
```azurecli az extension add --name connectedk8s ```
- If the `connectedk8s` extension is already installed, you can update it to the latest version using the following command:
+ If the `connectedk8s` extension is already installed, you can update it to the latest version by using the following command:
```azurecli az extension update --name connectedk8s ``` -- An existing Azure Arc enabled Kubernetes connected cluster.
+- Connect an existing Azure Arc enabled Kubernetes cluster:
- If you haven't connected a cluster yet, use our [quickstart](quickstart-connect-cluster.md).
- - [Upgrade your agents](agent-upgrade.md#manually-upgrade-agents) to version >= 1.1.0.
+ - [Upgrade your agents](agent-upgrade.md#manually-upgrade-agents) to version 1.1.0 or later.
> [!NOTE]
-> This feature can't be set up for managed Kubernetes offerings of cloud providers like Elastic Kubernetes Service or Google Kubernetes Engine where the user doesn't have access to `apiserver` of the cluster. For Azure Kubernetes Service (AKS) clusters, this [feature is available natively](../../aks/manage-azure-rbac.md) and doesn't require the AKS cluster to be connected to Azure Arc.
+> You can't set up this feature for managed Kubernetes offerings of cloud providers like Elastic Kubernetes Service or Google Kubernetes Engine where the user doesn't have access to the API server of the cluster. For Azure Kubernetes Service (AKS) clusters, this [feature is available natively](../../aks/manage-azure-rbac.md) and doesn't require the AKS cluster to be connected to Azure Arc.
## Set up Azure AD applications
-### Create server application
+### Create a server application
-1. Create a new Azure AD application and get its `appId` value, which is used in later steps as `serverApplicationId`:
+1. Create a new Azure AD application and get its `appId` value. This value is used in later steps as `serverApplicationId`.
```azurecli az ad app create --display-name "<clusterName>Server" --identifier-uris "https://<clusterName>Server" --query appId -o tsv ```
-1. Update the application group membership claims:
+1. Update the application's group membership claims:
```azurecli az ad app update --id <serverApplicationId> --set groupMembershipClaims=All ```
-1. Create a service principal and get its `password` field value, which is required later as `serverApplicationSecret` when enabling this feature on the cluster:
+1. Create a service principal and get its `password` field value. This value is required later as `serverApplicationSecret` when you're enabling this feature on the cluster.
```azurecli az ad sp create --id <serverApplicationId> az ad sp credential reset --name <serverApplicationId> --credential-description "ArcSecret" --query password -o tsv ```
-1. Grant the application API permissions:
+1. Grant API permissions to the application:
```azurecli az ad app permission add --id <serverApplicationId> --api 00000003-0000-0000-c000-000000000000 --api-permissions e1fe6dd8-ba31-4d61-89e7-88639da4683d=Scope
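Review bot: the `az ad sp credential reset ... --query password -o tsv` line in step 3 writes the service principal secret to stdout, and the text only says the value is needed later as `serverApplicationSecret`; suggest telling readers to capture it directly into a variable or secret store rather than leaving it in terminal output and shell history, since this secret is what lets the server application perform the cluster's authorization checks.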
A conceptual overview of this feature is available in [Azure RBAC - Azure Arc en
``` > [!NOTE]
- > * This step has to be executed by an Azure tenant administrator.
- > * For usage of this feature in production, it is recommended to create a different server application for every cluster.
+ > An Azure tenant administrator has to run this step.
+ >
+ > For usage of this feature in production, we recommend that you create a different server application for every cluster.
-### Create client application
+### Create a client application
-1. Create a new Azure AD application and get its 'appId' value, which is used in later steps as `clientApplicationId`:
+1. Create a new Azure AD application and get its `appId` value. This value is used in later steps as `clientApplicationId`.
```azurecli az ad app create --display-name "<clusterName>Client" --native-app --reply-urls "https://<clusterName>Client" --query appId -o tsv
az ad sp create --id <clientApplicationId> ```
-3. Get the `oAuthPermissionId` for the server application:
+3. Get the `oAuthPermissionId` value for the server application:
```azurecli az ad app show --id <serverApplicationId> --query "oauth2Permissions[0].id" -o tsv
The server application needs the `Microsoft.Authorization/*/read` permissions to check if the user making the request is authorized on the Kubernetes objects that are a part of the request.
-1. Create a file named accessCheck.json with the following contents:
+1. Create a file named *accessCheck.json* with the following contents:
```json {
} ```
- Replace the `<subscription-id>` with the actual subscription ID.
+ Replace `<subscription-id>` with the actual subscription ID.
-2. Execute the following command to create the new custom role:
+2. Run the following command to create the new custom role:
```azurecli az role definition create --role-definition ./accessCheck.json ```
-3. From the output of above command, store the value of `id` field, which is used in later steps as `roleId`.
+3. From the output of the preceding command, store the value of the `id` field. This field is used in later steps as `roleId`.
-4. Create a role assignment on the server application as assignee using the role created above:
+4. Create a role assignment on the server application as `assignee` by using the role that you created:
```azurecli az role assignment create --role <roleId> --assignee <serverApplicationId> --scope /subscriptions/<subscription-id> ```
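Review bot: The role assignment in the last step is scoped to the whole subscription (`--scope /subscriptions/<subscription-id>`), while the introductory sentence only says the server application needs `Microsoft.Authorization/*/read` to check the caller's authorization. Please state why subscription scope is required: role assignments that grant access to the cluster can live at the subscription or resource-group level and be inherited by the cluster resource, so the application has to read them there. Without that sentence, readers applying least privilege will try to narrow the scope to the cluster resource.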
-## Enable Azure RBAC on cluster
+## Enable Azure RBAC on the cluster
-1. Enable Azure RBAC on your Arc enabled Kubernetes cluster by running the following command:
+Enable Azure role-based access control (RBAC) on your Arc enabled Kubernetes cluster by running the following command:
- ```console
- az connectedk8s enable-features -n <clusterName> -g <resourceGroupName> --features azure-rbac --app-id <serverApplicationId> --app-secret <serverApplicationSecret>
- ```
+```console
+az connectedk8s enable-features -n <clusterName> -g <resourceGroupName> --features azure-rbac --app-id <serverApplicationId> --app-secret <serverApplicationSecret>
+```
- > [!NOTE]
- > 1. Before running the above command, ensure that the `kubeconfig` file on the machine is pointing to the cluster on which to enable the Azure RBAC feature.
- > 2. Use `--skip-azure-rbac-list` with the above command for a comma-separated list of usernames/email/oid undergoing authorization checks using Kubernetes native ClusterRoleBinding and RoleBinding objects instead of Azure RBAC.
+> [!NOTE]
+> Before you run the preceding command, ensure that the `kubeconfig` file on the machine is pointing to the cluster on which you'll enable the Azure RBAC feature.
+>
+> Use `--skip-azure-rbac-list` with the preceding command for a comma-separated list of usernames, emails, and OpenID connections undergoing authorization checks by using Kubernetes native `ClusterRoleBinding` and `RoleBinding` objects instead of Azure RBAC.
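Review bot: The rewritten second note item expands `oid` as "OpenID connections", which changes the meaning of the original `usernames/email/oid`: `oid` here is the Azure AD object ID (the `oid` token claim) that identifies a user or service principal, so the list should read "usernames, emails, and object IDs". Separately, `--app-secret <serverApplicationSecret>` is passed on the command line, so the secret lands in shell history; a sentence suggesting a variable populated from a secret store belongs in the same note.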
-### For a generic cluster where there is no reconciler running on apiserver specification:
+### Generic cluster where no reconciler is running on the apiserver specification
-1. SSH into every master node of the cluster and execute the following steps:
+1. SSH into every master node of the cluster and take the following steps:
- 1. Open `apiserver` manifest in edit mode:
+ 1. Open the `apiserver` manifest in edit mode:
```console sudo vi /etc/kubernetes/manifests/kube-apiserver.yaml
- --authorization-mode=Node,Webhook,RBAC ```
- If the Kubernetes cluster is of version >= 1.19.0, then the following `apiserver argument` needs to be set as well:
+ If the Kubernetes cluster is version 1.19.0 or later, you also need to set the following `apiserver` argument:
```yml - --authentication-token-webhook-version=v1 ```
- 1. Save and exit the editor to update the `apiserver` pod.
+ 1. Save and close the editor to update the `apiserver` pod.
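Review bot: The two apiserver snippets use different fence languages, `console` for `--authorization-mode=Node,Webhook,RBAC` and `yml` for `--authentication-token-webhook-version=v1`, although both are arguments in the same kube-apiserver.yaml manifest; `yml` matches the file being edited and should be used for both. A short remark that authorization modes are evaluated in the order listed, so `Webhook` is consulted before native `RBAC`, would also help readers understand why the order matters.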
-### For a cluster created using Cluster API
+### Cluster created by using Cluster API
-1. Copy the guard secret containing authentication and authorization webhook config files `from the workload cluster` on to your machine:
+1. Copy the guard secret that contains authentication and authorization webhook configuration files from the workload cluster onto your machine:
```console kubectl get secret azure-arc-guard-manifests -n kube-system -o yaml > azure-arc-guard-manifests.yaml ```
-1. Change the `namespace` field in the `azure-arc-guard-manifests.yaml` file to the namespace within the management cluster where you are applying the custom resources for creation of workload clusters.
+1. Change the `namespace` field in the *azure-arc-guard-manifests.yaml* file to the namespace within the management cluster where you're applying the custom resources for creation of workload clusters.
1. Apply this manifest:
kubectl apply -f azure-arc-guard-manifests.yaml ```
-1. Edit the `KubeadmControlPlane` object by executing `kubectl edit kcp <clustername>-control-plane`:
+1. Edit the `KubeadmControlPlane` object by running `kubectl edit kcp <clustername>-control-plane`:
- 1. Add the following snippet under `files:`:
+ 1. Add the following snippet under `files`:
```console - contentFrom:
permissions: "0644" ```
- 1. Add the following snippet under `apiServer:` -> `extraVolumes:`:
+ 1. Add the following snippet under `apiServer` > `extraVolumes`:
```console - hostPath: /etc/kubernetes/guard-authn-webhook.yaml
readOnly: true ```
- 1. Add the following snippet under `apiServer:` -> `extraArgs:`:
+ 1. Add the following snippet under `apiServer` > `extraArgs`:
```console authentication-token-webhook-cache-ttl: 5m0s
authorization-webhook-version: v1 ```
- 1. Save and exit to update the `KubeadmControlPlane` object. Wait for the these changes to be realized on the workload cluster.
+ 1. Save and close to update the `KubeadmControlPlane` object. Wait for these changes to appear on the workload cluster.
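Review bot: The `extraArgs` snippet sets `authentication-token-webhook-cache-ttl: 5m0s`, which lets the apiserver reuse a successful token authentication result for up to five minutes without asking the webhook again; one sentence on that trade-off (fewer webhook calls against a short window in which a token that has since become invalid is still accepted) would help readers choose a value. In the `files:` snippet the guard webhook configuration files are written with `permissions: "0644"`; if those files carry credentials for reaching the webhook, `0600` is the safer choice, so please confirm what they contain.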
## Create role assignments for users to access the cluster
-Owners of the Azure Arc enabled Kubernetes resource can either use built-in roles or custom roles to grant other users access to the Kubernetes cluster.
+Owners of the Azure Arc enabled Kubernetes resource can use either built-in roles or custom roles to grant other users access to the Kubernetes cluster.
### Built-in roles | Role | Description | |||
-| [Azure Arc Kubernetes Viewer](../../role-based-access-control/built-in-roles.md#azure-arc-kubernetes-viewer) | Allows read-only access to see most objects in a namespace. This role doesn't allow viewing secrets. This is because `read` permission on secrets would enable access to `ServiceAccount` credentials in the namespace, which would in turn allow API access using that `ServiceAccount` (a form of privilege escalation). |
-| [Azure Arc Kubernetes Writer](../../role-based-access-control/built-in-roles.md#azure-arc-kubernetes-writer) | Allows read/write access to most objects in a namespace. This role doesn't allow viewing or modifying roles or role bindings. However, this role allows accessing secrets and running pods as any `ServiceAccount` in the namespace, so it can be used to gain the API access levels of any `ServiceAccount` in the namespace. |
-| [Azure Arc Kubernetes Admin](../../role-based-access-control/built-in-roles.md#azure-arc-kubernetes-admin) | Allows admin access. Intended to be granted within a namespace using a RoleBinding. If used in a RoleBinding, allows read/write access to most resources in a namespace, including the ability to create roles and role bindings within the namespace. This role doesn't allow write access to resource quota or to the namespace itself. |
-| [Azure Arc Kubernetes Cluster Admin](../../role-based-access-control/built-in-roles.md#azure-arc-kubernetes-cluster-admin) | Allows super-user access to execute any action on any resource. When used in a ClusterRoleBinding, it gives full control over every resource in the cluster and in all namespaces. When used in a RoleBinding, it gives full control over every resource in the role binding's namespace, including the namespace itself.|
+| [Azure Arc Kubernetes Viewer](../../role-based-access-control/built-in-roles.md#azure-arc-kubernetes-viewer) | Allows read-only access to see most objects in a namespace. This role doesn't allow viewing secrets. This is because `read` permission on secrets would enable access to `ServiceAccount` credentials in the namespace. These credentials would in turn allow API access through that `ServiceAccount` value (a form of privilege escalation). |
+| [Azure Arc Kubernetes Writer](../../role-based-access-control/built-in-roles.md#azure-arc-kubernetes-writer) | Allows read/write access to most objects in a namespace. This role doesn't allow viewing or modifying roles or role bindings. However, this role allows accessing secrets and running pods as any `ServiceAccount` value in the namespace. So it can be used to gain the API access levels of any `ServiceAccount` value in the namespace. |
+| [Azure Arc Kubernetes Admin](../../role-based-access-control/built-in-roles.md#azure-arc-kubernetes-admin) | Allows admin access. It's intended to be granted within a namespace through `RoleBinding`. If you use it in `RoleBinding`, it allows read/write access to most resources in a namespace, including the ability to create roles and role bindings within the namespace. This role doesn't allow write access to resource quota or to the namespace itself. |
+| [Azure Arc Kubernetes Cluster Admin](../../role-based-access-control/built-in-roles.md#azure-arc-kubernetes-cluster-admin) | Allows superuser access to execute any action on any resource. When you use it in `ClusterRoleBinding`, it gives full control over every resource in the cluster and in all namespaces. When you use it in `RoleBinding`, it gives full control over every resource in the role binding's namespace, including the namespace itself.|
-You can create role assignments scoped to the Arc enabled Kubernetes cluster on the `Access Control (IAM)` blade of the cluster resource on Azure portal. You can also use Azure CLI commands, as shown below:
+You can create role assignments scoped to the Arc enabled Kubernetes cluster in the Azure portal, on the **Access Control (IAM)** pane of the cluster resource. You can also use the following Azure CLI commands:
```azurecli az role assignment create --role "Azure Arc Kubernetes Cluster Admin" --assignee <AZURE-AD-ENTITY-ID> --scope $ARM_ID ```
-where `AZURE-AD-ENTITY-ID` could be a username (for example, testuser@mytenant.onmicrosoft.com) or even the `appId` of a service principal.
+In those commands, `AZURE-AD-ENTITY-ID` can be a username (for example, `testuser@mytenant.onmicrosoft.com`) or even the `appId` value of a service principal.
-Here's another example of creating a role assignment scoped to a specific namespace within the cluster -
+Here's another example of creating a role assignment scoped to a specific namespace within the cluster:
```azurecli az role assignment create --role "Azure Arc Kubernetes Viewer" --assignee <AZURE-AD-ENTITY-ID> --scope $ARM_ID/namespaces/<namespace-name> ``` > [!NOTE]
-> While role assignments scoped to the cluster can be created using either the Azure portal or CLI, role assignments scoped to namespaces can only be created using the CLI.
+> You can create role assignments scoped to the cluster by using either the Azure portal or the Azure CLI, but you can create role assignments scoped to namespaces only by using the CLI.
### Custom roles
-You may choose to create your own role definition for usage in role assignments.
+You can choose to create your own role definition for use in role assignments.
-Walk through the below example of a role definition that allows a user to only read deployments. For more information, see [the full list of data actions you can use to construct a role definition](../../role-based-access-control/resource-provider-operations.md#microsoftkubernetes).
+Walk through the following example of a role definition that allows a user to only read deployments. For more information, see [the full list of data actions that you can use to construct a role definition](../../role-based-access-control/resource-provider-operations.md#microsoftkubernetes).
-Copy the below JSON object into a file called custom-role.json. Replace the `<subscription-id>` placeholder with the actual subscription ID. The below custom role uses one of the data actions and lets you view all deployments in the scope (cluster/namespace) where the role assignment is created.
+Copy the following JSON object into a file called *custom-role.json*. Replace the `<subscription-id>` placeholder with the actual subscription ID. The custom role uses one of the data actions and lets you view all deployments in the scope (cluster or namespace) where the role assignment is created.
```json {
} ```
-1. Create the role definition by running the below command from the folder where you saved `custom-role.json`:
+1. Create the role definition by running the following command from the folder where you saved *custom-role.json*:
```bash az role definition create --role-definition @custom-role.json ```
-1. Create a role assignment using this custom role definition:
+1. Create a role assignment by using this custom role definition:
```bash az role assignment create --role "Arc Deployment Viewer" --assignee <AZURE-AD-ENTITY-ID> --scope $ARM_ID/namespaces/<namespace-name>
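Review bot: The role name passed in the last step, `"Arc Deployment Viewer"`, must equal the `Name` field of *custom-role.json*, and the assignment fails if they differ; say so where the file is introduced so readers who rename the role update both places. The two command blocks in this subsection are also fenced as `bash` while the rest of the article uses `azurecli` for the same CLI; one fence style throughout is preferable.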
## Configure kubectl with user credentials
-There are two ways to obtain `kubeconfig` file needed to access the cluster:
-1. Use [Cluster Connect](cluster-connect.md) feature (`az connectedk8s proxy`) of the Azure Arc enabled Kubernetes cluster.
-1. Cluster admin shares `kubeconfig` file with every other user.
+There are two ways to get the *kubeconfig* file that you need to access the cluster:
-### If you are accessing cluster using Cluster Connect feature
+- You use the [Cluster Connect](cluster-connect.md) feature (`az connectedk8s proxy`) of the Azure Arc enabled Kubernetes cluster.
+- The cluster admin shares the *kubeconfig* file with every other user.
-Execute the following command to start the proxy process:
+### If you're accessing the cluster by using the Cluster Connect feature
+
+Run the following command to start the proxy process:
```console az connectedk8s proxy -n <clusterName> -g <resourceGroupName> ```
-After the proxy process is running, you can open another tab in your console to [start sending your requests to cluster](#sending-requests-to-cluster).
+After the proxy process is running, you can open another tab in your console to [start sending your requests to the cluster](#send-requests-to-the-cluster).
-### If cluster admin shared the `kubeconfig` file with you
+### If the cluster admin shared the kubeconfig file with you
-1. Execute the following command to set credentials for user:
+1. Run the following command to set the credentials for the user:
```console kubectl config set-credentials <testuser>@<mytenant.onmicrosoft.com> \
--auth-provider-arg=apiserver-id=<serverApplicationId> ```
-1. Open the `kubeconfig` file you created earlier. Under `contexts`, verify the context associated with cluster points to the user credentials created in previous step.
+1. Open the *kubeconfig* file that you created earlier. Under `contexts`, verify that the context associated with the cluster points to the user credentials that you created in the previous step.
-1. Add **config-mode** setting under user config:
+1. Add the **config-mode** setting under `user` > `config`:
```console name: testuser@mytenant.onmicrosoft.com
name: azure ```
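Review bot: The second step under "If the cluster admin shared the kubeconfig file with you" says "Open the *kubeconfig* file that you created earlier", but in this branch the user did not create the file; the admin shared it, as the heading states. "Open the *kubeconfig* file that you received" removes the contradiction.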
-## Sending requests to cluster
+## Send requests to the cluster
1. Run any `kubectl` command. For example:
- * `kubectl get nodes`
- * `kubectl get pods`
+ * `kubectl get nodes`
+ * `kubectl get pods`
-1. Once prompted for a browser-based authentication, copy the device login URL `https://microsoft.com/devicelogin` and open on your web browser.
+1. After you're prompted for a browser-based authentication, copy the device login URL (`https://microsoft.com/devicelogin`) and open on your web browser.
-1. Enter the code printed on your console, copy and paste the code on your terminal into the device authentication input prompt.
+1. Enter the code printed on your console. Copy and paste the code on your terminal into the prompt for device authentication input.
-1. Enter the username (testuser@mytenant.onmicrosoft.com) and associated password.
+1. Enter the username (`testuser@mytenant.onmicrosoft.com`) and the associated password.
-1. If you see an error message like this, it means you are unauthorized to access the requested resource:
+1. If you see an error message like this, it means you're unauthorized to access the requested resource:
```console Error from server (Forbidden): nodes is forbidden: User "testuser@mytenant.onmicrosoft.com" cannot list resource "nodes" in API group "" at the cluster scope: User doesn't have access to the resource in Azure. Update role assignment to allow access. ```
- An administrator needs to create a new role assignment authorizing this user to have access on the resource.
+ An administrator needs to create a new role assignment that authorizes this user to have access on the resource.
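Review bot: In the step after the browser prompt, "open on your web browser" should read "open it in your web browser". The following step then says both "Enter the code printed on your console" and "Copy and paste the code on your terminal into the prompt for device authentication input", which describe one action twice; a single sentence such as "Copy the code shown in your terminal and paste it into the device authentication prompt" is enough.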
## Use Conditional Access with Azure AD
-When integrating Azure AD with your Arc enabled Kubernetes cluster, you can also use [Conditional Access](../../active-directory/conditional-access/overview.md) to control access to your cluster.
+When you're integrating Azure AD with your Arc enabled Kubernetes cluster, you can also use [Conditional Access](../../active-directory/conditional-access/overview.md) to control access to your cluster.
> [!NOTE] > Azure AD Conditional Access is an Azure AD Premium capability. To create an example Conditional Access policy to use with the cluster, complete the following steps:
-1. At the top of the Azure portal, search for and select Azure Active Directory.
-1. In the menu for Azure Active Directory on the left-hand side, select *Enterprise applications*.
-1. In the menu for Enterprise applications on the left-hand side, select *Conditional Access*.
-1. In the menu for Conditional Access on the left-hand side, select *Policies* then *New policy*.
-1. In the menu for Conditional Access on the left-hand side, select *Policies* then *New policy*.
+1. At the top of the Azure portal, search for and select **Azure Active Directory**.
+1. On the menu for Azure Active Directory on the left side, select **Enterprise applications**.
+1. On the menu for enterprise applications on the left side, select **Conditional Access**.
+1. On the menu for Conditional Access on the left side, select **Policies** > **New policy**.
- [ ![Adding conditional access policy](./media/azure-rbac/conditional-access-new-policy.png) ](./media/azure-rbac/conditional-access-new-policy.png#lightbox)
+ [ ![Screenshot that shows the button for adding a conditional access policy.](./media/azure-rbac/conditional-access-new-policy.png) ](./media/azure-rbac/conditional-access-new-policy.png#lightbox)
-1. Enter a name for the policy such as *arc-k8s-policy*.
-1. Select *Users and groups*, then under *Include* select *Select users and groups*. Choose the users and groups where you want to apply the policy. For this example, choose the same Azure AD group that has administration access to your cluster.
+1. Enter a name for the policy, such as **arc-k8s-policy**.
+1. Select **Users and groups**. Under **Include**, choose **Select users and groups**. Then choose the users and groups where you want to apply the policy. For this example, choose the same Azure AD group that has administrative access to your cluster.
- [ ![Selecting users or groups to apply the Conditional Access policy](./media/azure-rbac/conditional-access-users-groups.png) ](./media/azure-rbac/conditional-access-users-groups.png#lightbox)
+ [ ![Screenshot that shows selecting users or groups to apply the Conditional Access policy.](./media/azure-rbac/conditional-access-users-groups.png) ](./media/azure-rbac/conditional-access-users-groups.png#lightbox)
-1. Select *Cloud apps or actions*, then under *Include* select *Select apps*. Search and select the server application you created earlier.
+1. Select **Cloud apps or actions**. Under **Include**, choose **Select apps**. Then search for and select the server application that you created earlier.
- [ ![Select server application for applying the Conditional Access policy](./media/azure-rbac/conditional-access-apps.png) ](./media/azure-rbac/conditional-access-apps.png#lightbox)
+ [ ![Screenshot that shows selecting a server application for applying the Conditional Access policy.](./media/azure-rbac/conditional-access-apps.png) ](./media/azure-rbac/conditional-access-apps.png#lightbox)
-1. Under *Access controls*, select *Grant*. Select *Grant access* then *Require device to be marked as compliant*.
+1. Under **Access controls**, select **Grant**. Select **Grant access** > **Require device to be marked as compliant**.
- [ ![Selecting to only allow compliant devices for the Conditional Access policy](./media/azure-rbac/conditional-access-grant-compliant.png) ](./media/azure-rbac/conditional-access-grant-compliant.png#lightbox)
+ [ ![Screenshot that shows selecting to only allow compliant devices for the Conditional Access policy.](./media/azure-rbac/conditional-access-grant-compliant.png) ](./media/azure-rbac/conditional-access-grant-compliant.png#lightbox)
-1. Under *Enable policy*, select *On* then *Create*.
+1. Under **Enable policy**, select **On** > **Create**.
- [ ![Enabling the Conditional Access policy](./media/azure-rbac/conditional-access-enable-policies.png) ](./media/azure-rbac/conditional-access-enable-policies.png#lightbox)
+ [ ![Screenshot that shows enabling the Conditional Access policy.](./media/azure-rbac/conditional-access-enable-policies.png) ](./media/azure-rbac/conditional-access-enable-policies.png#lightbox)
-Access the cluster again. For example by running `kubectl get nodes` command to view nodes in the cluster:
+Access the cluster again. For example, run the `kubectl get nodes` command to view nodes in the cluster:
```console kubectl get nodes ```
-Follow the instructions to sign in again. Notice there is an error message stating you are successfully logged in, but your admin requires the device requesting access to be managed by your Azure AD to access the resource.
+Follow the instructions to sign in again. An error message states that you're successfully logged in, but your admin requires the device that's requesting access to be managed by Azure AD to access the resource. Follow these steps:
-In the Azure portal, navigate to Azure Active Directory, select *Enterprise applications* then under *Activity* select *Sign-ins*. Notice an entry at the top with a *Status* of *Failed* and a *Conditional Access* of *Success*. Select the entry then select *Conditional Access* in *Details*. Notice your Conditional Access policy is listed.
+1. In the Azure portal, go to **Azure Active Directory**.
+1. Select **Enterprise applications**. Then under **Activity**, select **Sign-ins**.
+1. An entry at the top shows **Failed** for **Status** and **Success** for **Conditional Access**. Select the entry, and then select **Conditional Access** in **Details**. Notice that your Conditional Access policy is listed.
-[ ![Failed sign-in entry due to Conditional Access policy](./media/azure-rbac/conditional-access-sign-in-activity.png) ](./media/azure-rbac/conditional-access-sign-in-activity.png#lightbox)
+ [ ![Screenshot that shows a failed sign-in entry due to the Conditional Access policy.](./media/azure-rbac/conditional-access-sign-in-activity.png) ](./media/azure-rbac/conditional-access-sign-in-activity.png#lightbox)
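Review bot: The example policy is scoped in the users step to the Azure AD group with administrative access and in the apps step to the server application, but the text never spells out the consequence: only members of that group face the compliant-device requirement when they obtain tokens for the cluster, and any other principal holding a role assignment on the cluster is unaffected. Add a sentence that a production policy should include every user or group that has been granted cluster access. The closing sign-in log walkthrough is a useful verification step; it is worth noting that the same **Sign-ins** view is where repeated **Failed** entries against the server application would be reviewed.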
## Configure just-in-time cluster access with Azure AD Another option for cluster access control is to use Privileged Identity Management (PIM) for just-in-time requests. >[!NOTE]
-> PIM is an Azure AD Premium capability requiring a Premium P2 SKU. For more on Azure AD SKUs, see the [pricing guide](https://azure.microsoft.com/pricing/details/active-directory/).
+> PIM is an Azure AD Premium capability that requires a Premium P2 SKU. For more on Azure AD SKUs, see the [pricing guide](https://azure.microsoft.com/pricing/details/active-directory/).
To configure just-in-time access requests for your cluster, complete the following steps:
-1. At the top of the Azure portal, search for and select Azure Active Directory.
-1. Take note of the Tenant ID, referred to for the rest of these instructions as `<tenant-id>
-
- [ ![AAD tenant details](./media/azure-rbac/jit-get-tenant-id.png) ](./media/azure-rbac/jit-get-tenant-id.png#lightbox)
+1. At the top of the Azure portal, search for and select **Azure Active Directory**.
+1. Take note of the tenant ID. For the rest of these instructions, we'll refer to that ID as `<tenant-id>`.
-1. In the menu for Azure Active Directory on the left-hand side, under *Manage* select *Groups* then *New Group*.
+ [ ![Screenshot that shows Azure Active Directory tenant details.](./media/azure-rbac/jit-get-tenant-id.png) ](./media/azure-rbac/jit-get-tenant-id.png#lightbox)
- [ ![Select new group](./media/azure-rbac/jit-create-new-group.png) ](./media/azure-rbac/jit-create-new-group.png#lightbox)
+1. On the menu for Azure Active Directory on the left side, under **Manage**, select **Groups** > **New group**.
-1. Make sure a Group Type of *Security* is selected and enter a group name, such as *myJITGroup*. Under *Azure AD Roles can be assigned to this group (Preview)*, select *Yes*. Finally, select *Create*.
+ [ ![Screenshot that shows selections for creating a new group.](./media/azure-rbac/jit-create-new-group.png) ](./media/azure-rbac/jit-create-new-group.png#lightbox)
- [ ![New group creation](./media/azure-rbac/jit-new-group-created.png) ](./media/azure-rbac/jit-new-group-created.png#lightbox)
+1. Make sure that **Security** is selected for **Group type**. Enter a group name, such as **myJITGroup**. Under **Azure AD Roles can be assigned to this group (Preview)**, select **Yes**. Finally, select **Create**.
-1. You will be brought back to the *Groups* page. Select your newly created group and take note of the Object ID, referred to for the rest of these instructions as `<object-id>`.
+ [ ![Screenshot that shows details for the new group.](./media/azure-rbac/jit-new-group-created.png) ](./media/azure-rbac/jit-new-group-created.png#lightbox)
- [ ![Created group](./media/azure-rbac/jit-get-object-id.png) ](./media/azure-rbac/jit-get-object-id.png#lightbox)
+1. You're brought back to the **Groups** page. Select your newly created group and take note of the object ID. For the rest of these instructions, we'll refer to this ID as `<object-id>`.
-1. Back in the Azure portal, in the menu for *Activity* on the left-hand side, select *Privileged Access (Preview)* and select *Enable Privileged Access*.
+ [ ![Screenshot that shows the object identifier for the created group.](./media/azure-rbac/jit-get-object-id.png) ](./media/azure-rbac/jit-get-object-id.png#lightbox)
- [ ![Enable privileged access](./media/azure-rbac/jit-enabling-priv-access.png) ](./media/azure-rbac/jit-enabling-priv-access.png#lightbox)
+1. Back in the Azure portal, on the menu for **Activity** on the left side, select **Privileged Access (Preview)**. Then select **Enable Privileged Access**.
-1. Select *Add Assignments* to begin granting access.
+ [ ![Screenshot that shows selections for enabling privileged access.](./media/azure-rbac/jit-enabling-priv-access.png) ](./media/azure-rbac/jit-enabling-priv-access.png#lightbox)
- [ ![Add active assignment](./media/azure-rbac/jit-add-active-assignment.png) ](./media/azure-rbac/jit-add-active-assignment.png#lightbox)
+1. Select **Add assignments** to begin granting access.
-1. Select a role of *member*, and select the users and groups to whom you wish to grant cluster access. These assignments can be modified at any time by a group admin. When you're ready to move on, select *Next*.
+ [ ![Screenshot that shows the button for adding active assignments.](./media/azure-rbac/jit-add-active-assignment.png) ](./media/azure-rbac/jit-add-active-assignment.png#lightbox)
- [ ![Adding assignment](./media/azure-rbac/jit-adding-assignment.png) ](./media/azure-rbac/jit-adding-assignment.png#lightbox)
+1. Select a role of **Member**, and select the users and groups to whom you want to grant cluster access. A group admin can modify these assignments at any time. When you're ready to move on, select **Next**.
-1. Choose an assignment type of *Active*, the desired duration, and provide a justification. When you're ready to proceed, select *Assign*. For more on assignment types, see [Assign eligibility for a privileged access group (preview) in Privileged Identity Management](../../active-directory/privileged-identity-management/groups-assign-member-owner.md#assign-an-owner-or-member-of-a-group).
+ [ ![Screenshot that shows adding assignments.](./media/azure-rbac/jit-adding-assignment.png) ](./media/azure-rbac/jit-adding-assignment.png#lightbox)
- [ ![Choosing properties for assignment](./media/azure-rbac/jit-set-active-assignment.png) ](./media/azure-rbac/jit-set-active-assignment.png#lightbox)
+1. Choose an assignment type of **Active**, choose the desired duration, and provide a justification. When you're ready to proceed, select **Assign**. For more on assignment types, see [Assign eligibility for a privileged access group (preview) in Privileged Identity Management](../../active-directory/privileged-identity-management/groups-assign-member-owner.md#assign-an-owner-or-member-of-a-group).
-Once the assignments have been made, verify just-in-time access is working by accessing the cluster. For example:
+ [ ![Screenshot that shows choosing properties for an assignment.](./media/azure-rbac/jit-set-active-assignment.png) ](./media/azure-rbac/jit-set-active-assignment.png#lightbox)
-Use the `kubectl get nodes` command to view nodes in the cluster:
+After you've made the assignments, verify that just-in-time access is working by accessing the cluster. For example, use the `kubectl get nodes` command to view nodes in the cluster:
```console kubectl get nodes ```
-Note the authentication requirement and follow the steps to authenticate. If successful, you should see output similar to the following:
+Note the authentication requirement and follow the steps to authenticate. If authentication is successful, you should see output similar to the following:
```output To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code AAAAAAAAA to authenticate.
node-3 Ready agent 6m33s v1.18.14
## Next steps > [!div class="nextstepaction"]
-> Securely connect to the cluster using [Cluster Connect](cluster-connect.md)
+> Securely connect to the cluster by using [Cluster Connect](cluster-connect.md).
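Review bot: the step `+1. Choose an assignment type of **Active**, choose the desired duration` grants standing group membership for that duration, yet the following paragraph tells the reader to "verify that just-in-time access is working"; with an Active assignment no activation step is ever exercised. Either make the member assignment Eligible (so the user must activate it, which is what just-in-time means in PIM) or reword the verification sentence to say it confirms the cluster role binding rather than JIT activation. The sentence `A group admin can modify these assignments at any time` also deserves a caveat that group admins therefore control cluster access, so their own membership should be reviewed with the same care.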
azure-arc Quickstart Connect Cluster https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/kubernetes/quickstart-connect-cluster.md
Helm release deployment succeeded
Run the following command: ```azurecli-interactive
-az connectedk8s list -resource-group AzureArcTest -output table
+az connectedk8s list --resource-group AzureArcTest --output table
``` Output:
azure-cache-for-redis Cache High Availability https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-cache-for-redis/cache-high-availability.md
Azure Cache for Redis implements high availability by using multiple VMs, called
| Option | Description | Availability | Standard | Premium | Enterprise | | - | - | - | :: | :: | :: |
-| [Standard replication](#standard-replication)| Dual-node replicated configuration in a single datacenter with automatic failover | 99.9% (see [details](https://azure.microsoft.com/support/legal/sla/cache/v1_0/)) |Γ£ö|Γ£ö|-|
-| [Zone redundancy](#zone-redundancy) | Multi-node replicated configuration across AZs, with automatic failover | Up to 99.99% (see [details](https://azure.microsoft.com/support/legal/sla/cache/v1_0/)) |-|Γ£ö|Γ£ö|
-| [Geo-replication](#geo-replication) | Linked cache instances in two regions, with user-controlled failover | Up to 99.999% (see [details](https://azure.microsoft.com/support/legal/sla/cache/v1_0/)) |-|Γ£ö|Preview|
+| [Standard replication](#standard-replication)| Dual-node replicated configuration in a single datacenter with automatic failover | 99.9% (see [details](https://azure.microsoft.com/support/legal/sla/cache/v1_1/)) |Γ£ö|Γ£ö|-|
+| [Zone redundancy](#zone-redundancy) | Multi-node replicated configuration across AZs, with automatic failover | Up to 99.99% (see [details](https://azure.microsoft.com/support/legal/sla/cache/v1_1/)) |-|Γ£ö|Γ£ö|
+| [Geo-replication](#geo-replication) | Linked cache instances in two regions, with user-controlled failover | Up to 99.999% (see [details](https://azure.microsoft.com/support/legal/sla/cache/v1_1/)) |-|Γ£ö|Preview|
## Standard replication
azure-cache-for-redis Cache How To Active Geo Replication https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-cache-for-redis/cache-how-to-active-geo-replication.md
In this article, you'll learn how to configure an active geo-replicated Azure Ca
Active geo-replication groups two or more Enterprise Azure Cache for Redis instances into a single cache that spans across Azure regions. All instance act as the local primaries. An application decides which instance(s) to use for read and write requests.
+> [!NOTE]
+> Data transfer between Azure regions will be charged at standard [bandwidth rates](https://azure.microsoft.com/pricing/details/bandwidth/).
+ ## Create or join an active geo-replication group > [!IMPORTANT]
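Review bot: the unchanged context line `All instance act as the local primaries.` has a typo (`All instances act`) that could be fixed in the same commit. In the new NOTE, `Data transfer between Azure regions will be charged` could be read as referring only to client traffic; say explicitly that the replication traffic between the instances of the group is what incurs the bandwidth charge, since that is the cost readers of this article will actually see.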
azure-cache-for-redis Cache How To Multi Replicas https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-cache-for-redis/cache-how-to-multi-replicas.md
To create a cache, follow these steps:
1. Leave other options in their default settings.
- > [!NOTE]
- > Multi-replica support only works with non-clustered caches currently.
- >
- 1. Click **Create**. It takes a while for the cache to create. You can monitor progress on the Azure Cache for Redis **Overview** page. When **Status** shows as **Running**, the cache is ready to use.
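Review bot: the last removed line `- 1. Click **Create**. It takes a while for the cache to create.` deletes the Create step together with the NOTE, and no replacement `+` line appears in this hunk, so the procedure now ends at "Leave other options in their default settings" with no instruction to create the cache. If the intent was only to drop the clustering limitation, keep the Create step. Dropping the note also implies, by omission, that multi-replica now works with clustered caches; if that is the case, a sentence saying so would be clearer than the absence of a caveat.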
azure-cache-for-redis Cache How To Version https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-cache-for-redis/cache-how-to-version.md
Last updated 09/30/2020
# Set Redis version for Azure Cache for Redis (Preview) In this article, you'll learn how to configure the Redis software version to be used with your cache instance. Azure Cache for Redis offers the latest major version of Redis and at least one previous version. It will update these versions regularly as newer Redis software is released. You can choose between the two available versions. Keep in mind that your cache will be upgraded to the next version automatically if the version it's using currently is no longer supported.
+> [!NOTE]
+> Redis 6 is currently in preview. At this time, Redis 6 does not support clustering, zone redundancy, ACL, PowerShell, Azure CLI, Terraform, and geo-replication between a Redis 4.0 and 6.0 cache. The Redis version also cannot be changed once a cache is created.
+>
+
+> [!IMPORTANT]
+> Once Redis 6.0 is generally available (GA), Redis 6.0 will be the default Redis version for new caches. You will still have the option to create Redis 4.0 caches and you will be able to upgrade your Redis 4.0 caches to Redis 6.0 caches at GA.
+>
+ ## Prerequisites * Azure subscription - [create one for free](https://azure.microsoft.com/free/)
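Review bot: the NOTE and the IMPORTANT block contradict each other on version changes: `The Redis version also cannot be changed once a cache is created.` versus `you will be able to upgrade your Redis 4.0 caches to Redis 6.0 caches at GA`. Qualify the first statement as applying during the preview (or add "currently"), otherwise readers conclude that upgrades are permanently impossible. Since the NOTE lists ACL among the features Redis 6 does not support here, it is also worth spelling out what that means for access control: a Redis 6 preview cache is still authenticated with the cache access keys, not with Redis 6 users and ACL rules, so nothing changes in how clients must protect credentials.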
azure-cache-for-redis Cache How To Zone Redundancy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-cache-for-redis/cache-how-to-zone-redundancy.md
In this article, you'll learn how to configure a zone-redundant Azure Cache inst
Azure Cache for Redis Standard, Premium, and Enterprise tiers provide built-in redundancy by hosting each cache on two dedicated virtual machines (VMs). Even though these VMs are located in separate [Azure fault and update domains](../virtual-machines/availability.md) and highly available, they're susceptible to datacenter level failures. Azure Cache for Redis also supports zone redundancy in its Premium and Enterprise tiers. A zone-redundant cache runs on VMs spread across multiple [availability zones](../availability-zones/az-overview.md). It provides higher resilience and availability.
+> [!NOTE]
+> Data transfer between Azure Availability Zones will be charged at standard [bandwidth rates](https://azure.microsoft.com/pricing/details/bandwidth/).
+ ## Prerequisites * Azure subscription - [create one for free](https://azure.microsoft.com/free/)
To create a cache, follow these steps:
1. Leave other options in their default settings. > [!NOTE]
- > Zone redundancy support only works with non-clustered and non-geo-replicated caches currently. In addition, it doesn't support private link, scaling, data persistence, or import/export.
+ > Zone redundancy doesn't support AOF persistence or work with geo-replication currently.
> 1. Click **Create**.
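Review bot: the rewritten NOTE `> Zone redundancy doesn't support AOF persistence or work with geo-replication currently.` drops clustering, private link, scaling, RDB persistence and import/export from the previous limitation list without saying they are now supported. Readers of the earlier version were told private link was unsupported, so if a zone-redundant cache can now sit behind a private endpoint (and be clustered, scaled and exported), say so affirmatively rather than by omission; the network-isolation decision is the one most likely to be revisited on the strength of this note, and "doesn't support AOF persistence" should be paired with an explicit statement that RDB persistence is supported if that is what is meant.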
azure-cache-for-redis Cache Network Isolation https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-cache-for-redis/cache-network-isolation.md
Last updated 10/15/2020
# Azure Cache for Redis network isolation options In this article, youΓÇÖll learn how to determine the best network isolation solution for your needs. WeΓÇÖll go through the basics of Azure Private Link, Azure Virtual Network (VNet) injection, and Azure Firewall Rules with their advantages and limitations.
-## Azure Private Link (public preview)
+## Azure Private Link
Azure Private Link provides private connectivity from a virtual network to Azure PaaS services. It simplifies the network architecture and secures the connection between endpoints in Azure by eliminating data exposure to the public internet. ### Advantages * Supported on Basic, Standard, and Premium Azure Cache for Redis instances. * By using [Azure Private Link](../private-link/private-link-overview.md), you can connect to an Azure Cache instance from your virtual network via a private endpoint, which is assigned a private IP address in a subnet within the virtual network. With this, cache instances are available from both within the VNet and publicly.
-* Once a private endpoint is created, access to the public network can be restricted through the `publicNetworkAccess` flag. This flag is set to `Disabled` by default, which will only allow private link access. You can set the value to `Enabled` or `Disabled` with a PATCH request. For more information, see [Azure Cache for Redis with Azure Private Link (Preview)](cache-private-link.md).
+* Once a private endpoint is created, access to the public network can be restricted through the `publicNetworkAccess` flag. This flag is set to `Disabled` by default, which will only allow private link access. You can set the value to `Enabled` or `Disabled` with a PATCH request. For more information, see [Azure Cache for Redis with Azure Private Link](cache-private-link.md).
* All external cache dependencies won't affect the VNet's NSG rules. ### Limitations
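Review bot: the `+*` bullet on `publicNetworkAccess` says the flag `is set to Disabled by default, which will only allow private link access`, while the unchanged bullet just above says that with a private endpoint `cache instances are available from both within the VNet and publicly.` Both cannot be true of the default configuration. State which default applies and when (for example whether it depends on when the cache or the endpoint was created), and tell readers to read the flag back after creating the endpoint rather than assume public access is closed. While removing the (Preview) label, `with a PATCH request` would be more useful with the resource the PATCH targets or the equivalent CLI/portal path.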
azure-functions Create First Function Arc Custom Container https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/create-first-function-arc-custom-container.md
In Azure Functions, a function project is the context for one or more individual
```
- The `--docker` option generates a `Dockerfile` for the project, which defines a suitable custom container for use with Azure Functions and the selected runtime.
+ The `--docker` option generates a `Dockerfile` for the project, which defines a suitable custom container for use with Azure Functions and the selected runtime.
+
+> [!NOTE]
+> The generated `Dockerfile` references the 3.0 tag for the base image. Deploying a custom Functions image in Arc requires the base image to have a set of changes not yet assigned the 3.0 tag. For now, it is recommended that the base image reference the **3.0.15885** tag. For example, in a JavaScript application, the Docker file should be modified have `FROM mcr.microsoft.com/azure-functions/node:3.0.15885`.
1. Navigate into the project folder:
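Review bot: the new NOTE pins the base image to `3.0.15885` with `For now, it is recommended that the base image reference the **3.0.15885** tag` but gives readers no way to know when the plain `3.0` tag becomes usable again; add a tracking pointer (a date, an issue link, or "check the azure-functions/node tags") so the pin does not outlive its reason. Pinning to a fixed build tag also means the image stops receiving whatever flows to the rolling `3.0` tag, so readers should be told to revisit the pin; if the goal is reproducibility, a digest reference is the stricter option. Minor: `the Docker file should be modified have` is missing "to".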
azure-functions Durable Functions Storage Providers https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/durable/durable-functions-storage-providers.md
The source code for the DTFx components of the Azure Storage storage provider ca
> [!NOTE] > Standard general purpose Azure Storage accounts are required when using the Azure Storage provider. All other storage account types are not supported. We highly recommend using legacy v1 general purpose storage accounts because the newer v2 storage accounts can be significantly more expensive for Durable Functions workloads. For more information on Azure Storage account types, see the [Storage account overview](../../storage/common/storage-account-overview.md) documentation.
-## <a name="netherite">Netherite (preview)</a>
+## <a name="netherite"></a>Netherite (preview)
The Netherite storage backend was designed and developed by [Microsoft Research](https://www.microsoft.com/research). It uses [Azure Event Hubs](../../event-hubs/event-hubs-about.md) and the [FASTER](https://www.microsoft.com/research/project/faster/) database technology on top of [Azure Page Blobs](../../storage/blobs/storage-blob-pageblob-overview.md). The design of Netherite enables significantly higher-throughput processing of orchestrations and entities compared to other providers. In some benchmark scenarios, throughput was shown to increase by more than an order of magnitude when compared to the default Azure Storage provider.
You can learn more about the technical details of the Netherite storage provider
> [!NOTE] > The _Netherite_ name originates from the world of [Minecraft](https://minecraft.fandom.com/wiki/Netherite).
-## <a name="mssql">Microsoft SQL Server (MSSQL) (preview)</a>
+## <a name="mssql"></a>Microsoft SQL Server (MSSQL) (preview)
The Microsoft SQL Server (MSSQL) storage provider persists all state into a Microsoft SQL Server database. It's compatible with both on-premise and cloud-hosted deployments of SQL Server, including [Azure SQL Database](../../azure-sql/database/sql-database-paas-overview.md).
azure-functions Functions Bindings Cosmosdb V2 Input https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/functions-bindings-cosmosdb-v2-input.md
Here's the *function.json* file:
"collectionName": "Items", "connectionStringSetting": "CosmosDBConnection", "direction": "in",
- "Id": "{id}",
- "PartitionKey": "{partitionKeyValue}"
+ "id": "{id}",
+ "partitionKey": "{partitionKeyValue}"
} ], "disabled": false
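Review bot: the casing fix (`"id": "{id}"`, `"partitionKey": "{partitionKeyValue}"`) is the right one, since function.json property names are camelCase and the upper-case forms are silently ignored; please check that the binding-properties table and the other language tabs in the same article use the same casing so the sample and the reference agree.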
azure-functions Functions Bindings Event Grid Output https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/functions-bindings-event-grid-output.md
For information on setup and configuration details, see the [overview](./functio
# [C#](#tab/csharp)
+### C# (2.x and higher)
+ The following example shows a [C# function](functions-dotnet-class-library.md) that writes a message to an Event Grid custom topic, using the method return value as the output: ```csharp
public static async Task Run(
} ```
+### Version 3.x (preview)
+
+The following example shows a Functions 3.x [C# function](functions-dotnet-class-library.md) that binds to a `CloudEvent`:
+
+```cs
+using System.Threading.Tasks;
+using Azure.Messaging;
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.Azure.WebJobs;
+using Microsoft.Azure.WebJobs.Extensions.EventGrid;
+using Microsoft.Azure.WebJobs.Extensions.Http;
+
+namespace Azure.Extensions.WebJobs.Sample
+{
+ public static class CloudEventBindingFunction
+ {
+ [FunctionName("CloudEventBindingFunction")]
+ public static async Task<IActionResult> RunAsync(
+ [HttpTrigger(AuthorizationLevel.Anonymous, "get", "post", Route = null)] HttpRequest req,
+ [EventGrid(TopicEndpointUri = "EventGridEndpoint", TopicKeySetting = "EventGridKey")] IAsyncCollector<CloudEvent> eventCollector)
+ {
+ CloudEvent e = new CloudEvent("IncomingRequest", "IncomingRequest", await req.ReadAsStringAsync());
+ await eventCollector.AddAsync(e);
+ return new OkResult();
+ }
+ }
+}
+```
+
+The following example shows a Functions 3.x [C# function](functions-dotnet-class-library.md) that binds to an `EventGridEvent`:
+
+```cs
+using System.Threading.Tasks;
+using Azure.Messaging.EventGrid;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Http;
+using Microsoft.Azure.WebJobs;
+using Microsoft.Azure.WebJobs.Extensions.Http;
+using Microsoft.Azure.WebJobs.Extensions.EventGrid;
+
+namespace Azure.Extensions.WebJobs.Sample
+{
+ public static class EventGridEventBindingFunction
+ {
+ [FunctionName("EventGridEventBindingFunction")]
+ public static async Task<IActionResult> RunAsync(
+ [HttpTrigger(AuthorizationLevel.Anonymous, "get", "post", Route = null)] HttpRequest req,
+ [EventGrid(TopicEndpointUri = "EventGridEndpoint", TopicKeySetting = "EventGridKey")] IAsyncCollector<EventGridEvent> eventCollector)
+ {
+ EventGridEvent e = new EventGridEvent(await req.ReadAsStringAsync(), "IncomingRequest", "IncomingRequest", "1.0.0");
+ await eventCollector.AddAsync(e);
+ return new OkResult();
+ }
+ }
+}
+```
+ # [C# Script](#tab/csharp-script) The following example shows the Event Grid output binding data in the *function.json* file.
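Review bot: both new samples expose an `AuthorizationLevel.Anonymous` HTTP trigger that takes the raw request body (`await req.ReadAsStringAsync()`) and publishes it unmodified to the topic, so anyone who can reach the function can inject arbitrary event payloads into every subscriber of that topic. For a sample that is acceptable only if labelled as such; use `AuthorizationLevel.Function` or add a sentence saying the anonymous level is for demonstration. Two smaller points: the headings `### C# (2.x and higher)` and `### Version 3.x (preview)` refer to different things (the Functions runtime versus the Event Grid extension), and the prose `a Functions 3.x [C# function]` reads as the runtime version; say "Event Grid extension 3.x" explicitly. The new blocks also use a ```cs fence where the existing sample above uses ```csharp.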
The following table explains the binding configuration properties that you set i
Send messages by using a method parameter such as `out EventGridEvent paramName`. To write multiple messages, you can use `ICollector<EventGridEvent>` or `IAsyncCollector<EventGridEvent>` in place of `out EventGridEvent`.
+### Additional types
+Apps using the 3.0.0 or higher version of the Event Grid extension use the `EventGridEvent` type from the [Azure.Messaging.EventGrid](/dotnet/api/azure.messaging.eventgrid.eventgridevent) namespace. In addition, you can bind to the `CloudEvent` type from the [Azure.Messaging](/dotnet/api/azure.messaging.cloudevent) namespace.
+ # [C# Script](#tab/csharp-script) Send messages by using a method parameter such as `out EventGridEvent paramName`. In C# script, `paramName` is the value specified in the `name` property of *function.json*. To write multiple messages, you can use `ICollector<EventGridEvent>` or `IAsyncCollector<EventGridEvent>` in place of `out EventGridEvent`.
+### Additional types
+Apps using the 3.0.0 or higher version of the Event Grid extension use the `EventGridEvent` type from the [Azure.Messaging.EventGrid](/dotnet/api/azure.messaging.eventgrid.eventgridevent) namespace. In addition, you can bind to the `CloudEvent` type from the [Azure.Messaging](/dotnet/api/azure.messaging.cloudevent) namespace.
+ # [Java](#tab/java) The Event Grid output binding is not available for Java.
azure-functions Functions Bindings Event Grid Trigger https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/functions-bindings-event-grid-trigger.md
namespace Company.Function
} ```
+### Version 3.x (preview)
+
+The following example shows a Functions 3.x [C# function](functions-dotnet-class-library.md) that binds to a `CloudEvent`:
+
+```cs
+using Azure.Messaging;
+using Microsoft.Azure.WebJobs;
+using Microsoft.Azure.WebJobs.Extensions.EventGrid;
+using Microsoft.Extensions.Logging;
+
+namespace Azure.Extensions.WebJobs.Sample
+{
+ public static class CloudEventTriggerFunction
+ {
+ [FunctionName("CloudEventTriggerFunction")]
+ public static void Run(
+ ILogger logger,
+ [EventGridTrigger] CloudEvent e)
+ {
+ logger.LogInformation("Event received {type} {subject}", e.Type, e.Subject);
+ }
+ }
+}
+```
+
+The following example shows a Functions 3.x [C# function](functions-dotnet-class-library.md) that binds to an `EventGridEvent`:
+
+```cs
+using Microsoft.Azure.WebJobs;
+using Microsoft.Azure.WebJobs.Extensions.EventGrid;
+using Azure.Messaging.EventGrid;
+using Microsoft.Extensions.Logging;
+
+namespace Azure.Extensions.WebJobs.Sample
+{
+ public static class EventGridEventTriggerFunction
+ {
+ [FunctionName("EventGridEventTriggerFunction")]
+ public static void Run(
+ ILogger logger,
+ [EventGridTrigger] EventGridEvent e)
+ {
+ logger.LogInformation("Event received {type} {subject}", e.EventType, e.Subject);
+ }
+ }
+}
+```
+ # [C# Script](#tab/csharp-script) The following example shows a trigger binding in a *function.json* file and a [C# script function](functions-reference-csharp.md) that uses the binding.
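Review bot: same naming ambiguity as in the output-binding article: `### Version 3.x (preview)` and `a Functions 3.x [C# function]` read as the Functions runtime version, while the change described is the Event Grid extension 3.x types; name the extension. On content, the difference between `e.Type` on `CloudEvent` and `e.EventType` on `EventGridEvent` is exactly what breaks when migrating code from the 2.x types, so the prose should call it out rather than leave it for readers to spot in the two log lines. The `using` order also differs between the two blocks (`Azure.Messaging.EventGrid` is third in the second block, `Azure.Messaging` first in the first), which is harmless but looks copy-pasted.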
In Azure Functions 2.x and higher, you also have the option to use the following
> In Functions v1 if you try to bind to `Microsoft.Azure.WebJobs.Extensions.EventGrid.EventGridEvent`, the compiler will display a "deprecated" message and advise you to use `Microsoft.Azure.EventGrid.Models.EventGridEvent` instead. To use the newer type, reference the [Microsoft.Azure.EventGrid](https://www.nuget.org/packages/Microsoft.Azure.EventGrid) NuGet package and fully qualify the `EventGridEvent` type name by prefixing it with `Microsoft.Azure.EventGrid.Models`. ### Additional types
-Apps using the 3.0.0 or higher version of the Event Grid extension use the `EventGridEvent` type from the [Azure.Messaging.EventGrid](/dotnet/api/azure.messaging.eventgrid.eventgridevent) namespace.
+Apps using the 3.0.0 or higher version of the Event Grid extension use the `EventGridEvent` type from the [Azure.Messaging.EventGrid](/dotnet/api/azure.messaging.eventgrid.eventgridevent) namespace. In addition, you can bind to the `CloudEvent` type from the [Azure.Messaging](/dotnet/api/azure.messaging.cloudevent) namespace.
# [C# Script](#tab/csharp-script)
In Azure Functions 2.x and higher, you also have the option to use the following
> In Functions v1 if you try to bind to `Microsoft.Azure.WebJobs.Extensions.EventGrid.EventGridEvent`, the compiler will display a "deprecated" message and advise you to use `Microsoft.Azure.EventGrid.Models.EventGridEvent` instead. To use the newer type, reference the [Microsoft.Azure.EventGrid](https://www.nuget.org/packages/Microsoft.Azure.EventGrid) NuGet package and fully qualify the `EventGridEvent` type name by prefixing it with `Microsoft.Azure.EventGrid.Models`. For information about how to reference NuGet packages in a C# script function, see [Using NuGet packages](functions-reference-csharp.md#using-nuget-packages) ### Additional types
-Apps using the 3.0.0 or higher version of the Event Grid extension use the `EventGridEvent` type from the [Azure.Messaging.EventGrid](/dotnet/api/azure.messaging.eventgrid.eventgridevent) namespace.
+Apps using the 3.0.0 or higher version of the Event Grid extension use the `EventGridEvent` type from the [Azure.Messaging.EventGrid](/dotnet/api/azure.messaging.eventgrid.eventgridevent) namespace. In addition, you can bind to the `CloudEvent` type from the [Azure.Messaging](/dotnet/api/azure.messaging.cloudevent) namespace.
# [Java](#tab/java)
azure-functions Functions Bindings Event Grid https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/functions-bindings-event-grid.md
Working with the trigger and bindings requires that you reference the appropriat
#### Event Grid extension 3.x and higher
-A new version of the Event Grid bindings extension is available as a [preview NuGet package](https://www.nuget.org/packages/Microsoft.Azure.WebJobs.Extensions.EventGrid/3.0.0-beta.1). For .NET applications, it changes the types that you can bind to, replacing the types from `Microsoft.Azure.EventGrid.Models` with newer types from [Azure.Messaging.EventGrid](/dotnet/api/azure.messaging.eventgrid).
+A new version of the Event Grid bindings extension is available as a [preview NuGet package](https://www.nuget.org/packages/Microsoft.Azure.WebJobs.Extensions.EventGrid/3.0.0-beta.2). For .NET applications, it changes the types that you can bind to, replacing the types from `Microsoft.Azure.EventGrid.Models` with newer types from [Azure.Messaging.EventGrid](/dotnet/api/azure.messaging.eventgrid). [Cloud events](/dotnet/api/azure.messaging.cloudevent) are also supported in the new Event Grid extension.
> [!NOTE] > The preview package is not included in an extension bundle and must be installed manually. For .NET apps, add a reference to the package. For all other app types, see [Update your extensions].
Functions 1.x apps automatically have a reference the [Microsoft.Azure.WebJobs](
## Next steps * [Run a function when an Event Grid event is dispatched](./functions-bindings-event-grid-trigger.md)
-* [Dispatch an Event Grid event](./functions-bindings-event-grid-trigger.md)
+* [Dispatch an Event Grid event](./functions-bindings-event-grid-trigger.md)
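Review bot: both Next steps bullets point at the trigger article; `* [Dispatch an Event Grid event](./functions-bindings-event-grid-trigger.md)` should link to the output-binding article (functions-bindings-event-grid-output.md, which is edited elsewhere in this same commit), and this hunk leaves the target unchanged. For the beta.1 to beta.2 bump in the hunk above: the package link hard-codes the preview version, so the line will need touching at every preview release; linking to the package page without a version would avoid that, with the minimum version stated in text.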
azure-functions Functions Bindings Storage Blob https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/functions-bindings-storage-blob.md
Working with the trigger and bindings requires that you reference the appropriat
#### Storage extension 5.x and higher
-A new version of the Storage bindings extension is available as a [preview NuGet package](https://www.nuget.org/packages/Microsoft.Azure.WebJobs.Extensions.Storage/5.0.0-beta.2). This preview introduces the ability to [connect using an identity instead of a secret](./functions-reference.md#configure-an-identity-based-connection). For .NET applications, it also changes the types that you can bind to, replacing the types from `WindowsAzure.Storage` and `Microsoft.Azure.Storage` with newer types from [Azure.Storage.Blobs](/dotnet/api/azure.storage.blobs).
+A new version of the Storage bindings extension is available as a [preview NuGet package](https://www.nuget.org/packages/Microsoft.Azure.WebJobs.Extensions.Storage/5.0.0-beta.3). This preview introduces the ability to [connect using an identity instead of a secret](./functions-reference.md#configure-an-identity-based-connection). For .NET applications, it also changes the types that you can bind to, replacing the types from `WindowsAzure.Storage` and `Microsoft.Azure.Storage` with newer types from [Azure.Storage.Blobs](/dotnet/api/azure.storage.blobs).
> [!NOTE] > The preview package is not included in an extension bundle and must be installed manually. For .NET apps, add a reference to the package. For all other app types, see [Update your extensions].
azure-functions Functions Bindings Storage Queue https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/functions-bindings-storage-queue.md
Working with the trigger and bindings requires that you reference the appropriat
#### Storage extension 5.x and higher
-A new version of the Storage bindings extension is available as a [preview NuGet package](https://www.nuget.org/packages/Microsoft.Azure.WebJobs.Extensions.Storage/5.0.0-beta.2). This preview introduces the ability to [connect using an identity instead of a secret](./functions-reference.md#configure-an-identity-based-connection). For .NET applications, it also changes the types that you can bind to, replacing the types from `WindowsAzure.Storage` and `Microsoft.Azure.Storage` with newer types from [Azure.Storage.Queues](/dotnet/api/azure.storage.queues).
+A new version of the Storage bindings extension is available as a [preview NuGet package](https://www.nuget.org/packages/Microsoft.Azure.WebJobs.Extensions.Storage/5.0.0-beta.3). This preview introduces the ability to [connect using an identity instead of a secret](./functions-reference.md#configure-an-identity-based-connection). For .NET applications, it also changes the types that you can bind to, replacing the types from `WindowsAzure.Storage` and `Microsoft.Azure.Storage` with newer types from [Azure.Storage.Queues](/dotnet/api/azure.storage.queues).
> [!NOTE] > The preview package is not included in an extension bundle and must be installed manually. For .NET apps, add a reference to the package. For all other app types, see [Update your extensions].
azure-functions Functions Create Your First Function Visual Studio https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/functions-create-your-first-function-visual-studio.md
adobe-target-content: ./functions-create-your-first-function-visual-studio-uiex
# Quickstart: Create your first C# function in Azure using Visual Studio
-In this article, you use Visual Studio to create a C# class library (.NET Core 3.1) function that responds to HTTP requests. After testing the code locally, you deploy it to the serverless environment of Azure Functions. This project runs in-process on .NET Core 3.1. If you instead want to run out-of-process on .NET 5.0, see [Develop and publish .NET 5 functions using Azure Functions](dotnet-isolated-process-developer-howtos.md).
+Azure Functions lets you run your C# code in a serverless environment in Azure.
+In this article, you learn how to:
+
+> [!div class="checklist"]
+> * Use Visual Studio to create a C# class library (.NET Core 3.1) project.
+> * Create a function that responds to HTTP requests.
+> * Run your code locally to verify function behavior.
+> * Deploy your code project to Azure Functions.
+
Completing this quickstart incurs a small cost of a few USD cents or less in your Azure account.
+
+The project you create runs on .NET Core 3.1. If you instead want to create a project that runs on .NET 5.0, see [Develop and publish .NET 5 functions using Azure Functions](dotnet-isolated-process-developer-howtos.md).
## Prerequisites
azure-functions Functions Reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/functions-reference.md
For example, the `connection` property for a Azure Blob trigger definition might
Some connections in Azure Functions are configured to use an identity instead of a secret. Support depends on the extension using the connection. In some cases, a connection string may still be required in Functions even though the service to which you are connecting supports identity-based connections.
-> [!IMPORTANT]
-> Even if a binding extension supports identity-based connections, that configuration may not be supported yet in the Consumption plan. See the support table below.
-Identity-based connections are supported by the following trigger and binding extensions:
+Identity-based connections are supported by the following trigger and binding extensions in all plans:
-| Extension name | Extension version | Supported in the Consumption plan |
-|-|-||
-| Azure Blob | [Version 5.0.0-beta1 or later](./functions-bindings-storage-blob.md#storage-extension-5x-and-higher) | No |
-| Azure Queue | [Version 5.0.0-beta1 or later](./functions-bindings-storage-queue.md#storage-extension-5x-and-higher) | No |
-| Azure Event Hubs | [Version 5.0.0-beta1 or later](./functions-bindings-event-hubs.md#event-hubs-extension-5x-and-higher) | No |
-| Azure Service Bus | [Version 5.0.0-beta2 or later](./functions-bindings-service-bus.md#service-bus-extension-5x-and-higher) | No |
-> [!NOTE]
-> Support for identity-based connections is not yet available for storage connections used by the Functions runtime for core behaviors. This means that the `AzureWebJobsStorage` setting must be a connection string.
+| Extension name | Extension version |
+|-|-|
+| Azure Blob | [Version 5.0.0-beta1 or later](./functions-bindings-storage-blob.md#storage-extension-5x-and-higher) |
+| Azure Queue | [Version 5.0.0-beta1 or later](./functions-bindings-storage-queue.md#storage-extension-5x-and-higher) |
+| Azure Event Hubs | [Version 5.0.0-beta1 or later](./functions-bindings-event-hubs.md#event-hubs-extension-5x-and-higher) |
+| Azure Service Bus | [Version 5.0.0-beta2 or later](./functions-bindings-service-bus.md#service-bus-extension-5x-and-higher) |
++
+Storage connections used by the Functions runtime for core behaviors still require the `AzureWebJobsStorage` setting. Support for identity-based connections is available and follows the below format.
+
+```json
+AzureWebJobsStorage {
+ "blobServiceUri": "https://<STORAGE_ACCOUNT_NAME>.blob.core.windows.net",
+ "queueServiceUri": "https://<STORAGE_ACCOUNT_NAME>.queue.core.windows.net",
+ "fileServiceUri": "https://<STORAGE_ACCOUNT_NAME>.file.core.windows.net",
+ "tableServiceUri": "https://<STORAGE_ACCOUNT_NAME>.table.core.windows.net",
+ "credential": "managedidentity"
+}
+```
+
+When your AzureWebJobsStorage storage account follows the `https://<accountName>.blob/queue/file/table.core.windows.net` format, is not using a custom DNS, and not running in sovereign clouds, the following simplified format can be used.
+
+```json
+AzureWebJobsStorage {
+ "accountName": "<STORAGE_ACCOUNT_NAME>",
+ "credential": "managedidentity"
+}
+```
#### Connection properties
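Review bot: the two new code blocks are tagged ```json but `AzureWebJobsStorage {` is not valid JSON, and app settings are flat key/value strings rather than objects, so a reader cannot paste this anywhere. Show the settings they actually have to create, i.e. the prefixed form `AzureWebJobsStorage__blobServiceUri`, `AzureWebJobsStorage__queueServiceUri`, and `AzureWebJobsStorage__credential` set to `managedidentity` (the `<connection>__<property>` convention), or state that the block is a schematic. Separately, the hunk deletes the old IMPORTANT and the "Supported in the Consumption plan" column in favour of `in all plans`, which is good if true, but says nothing about the role assignments the identity needs on the storage account; a reader switching `AzureWebJobsStorage` from a connection string to an identity will see the app fail at startup until those are granted, so a pointer to the required roles belongs next to this.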
azure-functions Security Concepts https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/security-concepts.md
Security Center integrates with your function app in the portal. It provides, fo
### Log and monitor
-One way to detect attacks is through activity monitoring activity and logging analytics. Functions integrates with Application Insights to collects log, performance, and error data for your function app. Application Insights automatically detects performance anomalies and includes powerful analytics tools to help you diagnose issues and to understand how your functions are used. To learn more, see [Monitor Azure Functions](functions-monitoring.md).
+One way to detect attacks is through activity monitoring and logging analytics. Functions integrates with Application Insights to collects log, performance, and error data for your function app. Application Insights automatically detects performance anomalies and includes powerful analytics tools to help you diagnose issues and to understand how your functions are used. To learn more, see [Monitor Azure Functions](functions-monitoring.md).
Functions also integrates with Azure Monitor Logs to enable you to consolidate function app logs with system events for easier analysis. You can use diagnostic settings to configure streaming export of platform logs and metrics for your functions to the destination of your choice, such as a Logs Analytics workspace. To learn more, see [Monitoring Azure Functions with Azure Monitor Logs](functions-monitor-log-analytics.md).
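Review bot: the fix corrects `monitoring activity and logging` but the same sentence still reads `integrates with Application Insights to collects log, performance, and error data`; change it to `to collect log, performance, and error data` while here.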
azure-monitor Agents Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/agents/agents-overview.md
The following tables list the operating systems that are supported by the Azure
<sup>1</sup> Requires Python (2 or 3) to be installed on the machine.
-<sup>2</sup> Requires Python 2 to be installed on the machine.
-
-<sup>3</sup> Known issue collecting Syslog events. Only performance data is currently supported.
+<sup>3</sup> Known issue collecting Syslog events in versions prior to 1.9.0
#### Dependency agent Linux kernel support Since the Dependency agent works at the kernel level, support is also dependent on the kernel version. The following table lists the major and minor Linux OS release and supported kernel versions for the Dependency agent.
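Review bot: deleting footnote <sup>2</sup> leaves the numbering as 1, 3, and the tables that carry the markers are not in this diff, so please confirm no cell still references <sup>2</sup>. The new footnote 3, "Known issue collecting Syslog events in versions prior to 1.9.0", also lost its trailing period and no longer says what those versions do collect; the dropped clause "Only performance data is currently supported" was the actionable part for someone relying on Syslog for detection, so keep a version of it, for example "in versions prior to 1.9.0; those versions collect performance data only."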
Get more details on each of the agents at the following:
- [Overview of the Log Analytics agent](./log-analytics-agent.md) - [Azure Diagnostics extension overview](./diagnostics-extension-overview.md)-- [Collect custom metrics for a Linux VM with the InfluxData Telegraf agent](../essentials/collect-custom-metrics-linux-telegraf.md)
+- [Collect custom metrics for a Linux VM with the InfluxData Telegraf agent](../essentials/collect-custom-metrics-linux-telegraf.md)
azure-monitor Data Collection Rule Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/agents/data-collection-rule-overview.md
Last updated 01/19/2021+
Each data source has a data source type. Each type defines a unique set of prope
## Limits For limits that apply to each data collection rule, see [Azure Monitor service limits](../service-limits.md#data-collection-rules).
+## Data residency
+Data Collection Rules as a service is deployed regionally. A rule gets created and stored in the region you specify, and is backed up to the [paired-region](../../best-practices-availability-paired-regions.md#azure-regional-pairs) within the same Geo.
+
+**Single region data residency**: The previewed feature to enable storing customer data in a single region is currently only available in the Southeast Asia Region (Singapore) of the Asia Pacific Geo and Brazil South (Sao Paulo State) Region of Brazil Geo. Single region residency is enabled by default in these regions.
## Create a DCR You can currently use any of the following methods to create a DCR:
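Review bot: the new "Data residency" section needs a grammar pass and a clearer scope statement. "Data Collection Rules as a service is deployed regionally" should read "The Data Collection Rules service is deployed regionally"; "paired-region" should be "paired region"; "The previewed feature" should be "The preview feature". More importantly, the first paragraph says a rule is backed up to the paired region within the same Geo, while the second says single-region residency is enabled by default in Southeast Asia and Brazil South; state explicitly whether rules in those two regions are excluded from the paired-region backup, because that is what a reader checking residency obligations needs to know.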
azure-monitor Alerts Troubleshoot Metric https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/alerts/alerts-troubleshoot-metric.md
If you believe your metric alert shouldn't have fired but it did, the following
- The selected **Aggregation** in the metric chart is the same as **Aggregation type** in your alert rule - The selected **Time granularity** is the same as the **Aggregation granularity (period)** in your alert rule (and not set to 'Automatic')
-5. If the alert fired while there are already fired alerts that monitor the same criteria (that arenΓÇÖt resolved), check if the alert rule has been configured with the *autoMitigate* property set to **false** (this property can only be configured via REST/PowerShell/CLI, so check the script used to deploy the alert rule). In such case, the alert rule does not autoresolve fired alerts, and does not require a fired alert to be resolved before firing again.
+5. If the alert fired while there are already fired alerts that monitor the same criteria (that arenΓÇÖt resolved), check if the alert rule has been configured not to automatically resolve alerts. Such configuration causes the alert rule to become stateless, meaning that the alert rule does not auto-resolve fired alerts, and does not require a fired alert to be resolved before firing again on the same time-series.
+ You can check if the alert rule is configured not to auto-resolve in one of the following ways:
+ - By editing the alert rule in the Azure portal, and reviewing if the 'Automatically resolve alerts' checkbox is unchecked (available under the 'Alert rule details' section).
+ - By reviewing the script used to deploy the alert rule, or by retrieving the alert rule definition, and checking if the *autoMitigate* property is set to **false**.
## Can't find the metric to alert on - virtual machines guest metrics
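Review bot: the continuation lines of item 5 ("You can check if the alert rule is configured..." and the two bullets beneath it) are indented by a single space, which will not keep them inside the numbered list item in Markdown; indent them to align with the item text so the bullets render nested under step 5. The apostrophe in "arenΓÇÖt" also shows as mojibake here; if that is in the file rather than in this rendering, replace it with a plain apostrophe.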
When deleting an Azure resource, associated metric alert rules aren't deleted au
## Make metric alerts occur every time my condition is met
-Metric alerts are stateful by default, and therefore additional alerts are not fired if thereΓÇÖs already a fired alert on a given time series. If you wish to make a specific metric alert rule stateless, and get alerted on every evaluation in which the alert condition is met, create the alert rule programmatically (for example, via [Resource Manager](./alerts-metric-create-templates.md), [PowerShell](/powershell/module/az.monitor/), [REST](/rest/api/monitor/metricalerts/createorupdate), [CLI](/cli/azure/monitor/metrics/alert)), and set the *autoMitigate* property to 'False'.
+Metric alerts are stateful by default, and therefore additional alerts are not fired if thereΓÇÖs already a fired alert on a given time series. If you wish to make a specific metric alert rule stateless, and get alerted on every evaluation in which the alert condition is met, follow one of these options:
+- If you're creating the alert rule programmatically (for example, via [Resource Manager](./alerts-metric-create-templates.md), [PowerShell](/powershell/module/az.monitor/), [REST](/rest/api/monitor/metricalerts/createorupdate), [CLI](/cli/azure/monitor/metrics/alert)), set the *autoMitigate* property to 'False'.
+- If you're creating the alert rule via the Azure portal, uncheck the 'Automatically resolve alerts' option (available under the 'Alert rule details' section).
> [!NOTE] > Making a metric alert rule stateless prevents fired alerts from becoming resolved, so even after the condition isnΓÇÖt met anymore, the fired alerts will remain in a fired state until the 30 days retention period.
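Review bot: the *autoMitigate* value is written as 'False' in quotes here but as **false** in bold in the troubleshooting article changed in this same update; pick one presentation. The two bullets could also tie the portal option and the property together in one clause ("uncheck 'Automatically resolve alerts', which sets *autoMitigate* to false"), so readers who later export or script the rule know the two are the same setting.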
azure-monitor Monitor Web App Availability https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/app/monitor-web-app-availability.md
Title: Monitor availability and responsiveness of any web site - Azure Monitor
+ Title: Monitor availability with URL ping tests- Azure Monitor
description: Set up ping tests in Application Insights. Get alerts if a website becomes unavailable or responds slowly. Previously updated : 04/15/2021 Last updated : 05/25/2021
-# Monitor the availability of any website
+# Monitor availability with URL ping tests
The name "URL ping test" is a bit of a misnomer. To be clear, these tests are not making any use of ICMP (Internet Control Message Protocol) to check your site's availability. Instead they use more advanced HTTP request functionality to validate whether an endpoint is responding. They also measure the performance associated with that response, and adds the ability to set custom success criteria coupled with more advanced features like parsing dependent requests, and allowing for retries.
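Review bot: the new title "Monitor availability with URL ping tests- Azure Monitor" is missing the space before the hyphen that the old title had ("... - Azure Monitor"); write "URL ping tests - Azure Monitor".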
azure-monitor Metrics Supported https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/essentials/metrics-supported.md
description: List of metrics available for each resource type with Azure Monitor
Previously updated : 04/15/2021 Last updated : 05/26/2021 + # Supported metrics with Azure Monitor > [!NOTE]
For important additional information, see [Monitoring Agents Overview](../agents
> [!IMPORTANT] > This latest update adds a new column and reordered the metrics to be alphabetic. The addition information means that the tables below may have a horizontal scroll bar at the bottom, depending on the width of your browser window. If you believe you are missing information, use the scroll bar to see the entirety of the table.+ ## microsoft.aadiam/azureADMetrics |Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|
For important additional information, see [Monitoring Agents Overview](../agents
|qpu_metric|Yes|QPU|Count|Average|QPU. Range 0-100 for S1, 0-200 for S2 and 0-400 for S4|ServerResourceType| |QueryPoolBusyThreads|Yes|Query Pool Busy Threads|Count|Average|Number of busy threads in the query thread pool.|ServerResourceType| |QueryPoolIdleThreads|Yes|Threads: Query pool idle threads|Count|Average|Number of idle threads for I/O jobs in the processing thread pool.|ServerResourceType|
-|QueryPoolJobQueueLength|Yes|Threads: Query pool job queue length|Count|Average|Number of jobs in the queue of the query thread pool.|ServerResourceType|
+|QueryPoolJobQueueLength|Yes|Threads: Query pool job queue lengt|Count|Average|Number of jobs in the queue of the query thread pool.|ServerResourceType|
|Quota|Yes|Memory: Quota|Bytes|Average|Current memory quota, in bytes. Memory quota is also known as a memory grant or memory reservation.|ServerResourceType| |QuotaBlocked|Yes|Memory: Quota Blocked|Count|Average|Current number of quota requests that are blocked until other memory quotas are freed.|ServerResourceType| |RowsConvertedPerSec|Yes|Processing: Rows converted per sec|CountPerSecond|Average|Rate of rows converted during processing.|ServerResourceType|
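Review bot: the changed QueryPoolJobQueueLength row truncates the display name to "Threads: Query pool job queue lengt"; the previous line had "length". If this table is regenerated from the metric definitions, the typo is in the source definition and should be fixed there; otherwise restore "length" here.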
For important additional information, see [Monitoring Agents Overview](../agents
|total-requests|Yes|total-requests|Count|Average|Total number of requests in the lifetime of the process|Deployment, AppName, Pod| |working-set|Yes|working-set|Count|Average|Amount of working set used by the process (MB)|Deployment, AppName, Pod| + ## Microsoft.Automation/automationAccounts |Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|
For important additional information, see [Monitoring Agents Overview](../agents
|Unusable Cores|Yes|Unusable Cores|Count|Average|Number of unusable cores|Scenario, ClusterName| |Unusable Nodes|Yes|Unusable Nodes|Count|Average|Number of unusable nodes|Scenario, ClusterName| + ## microsoft.bing/accounts |Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|
For important additional information, see [Monitoring Agents Overview](../agents
|allexpiredkeys|Yes|Expired Keys (Instance Based)|Count|Total||ShardId, Port, Primary| |allgetcommands|Yes|Gets (Instance Based)|Count|Total||ShardId, Port, Primary| |alloperationsPerSecond|Yes|Operations Per Second (Instance Based)|Count|Maximum||ShardId, Port, Primary|
+|allpercentprocessortime|Yes|CPU (Instance Based)|Percent|Maximum||ShardId, Port, Primary|
|allserverLoad|Yes|Server Load (Instance Based)|Percent|Maximum||ShardId, Port, Primary| |allsetcommands|Yes|Sets (Instance Based)|Count|Total||ShardId, Port, Primary| |alltotalcommandsprocessed|Yes|Total Operations (Instance Based)|Count|Total||ShardId, Port, Primary|
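Review bot: the added allpercentprocessortime row has an empty Description cell. The neighbouring rows are empty too, but since this one is new it is cheap to add a one-liner such as "Processor time of the instance, as a percentage" so the metric is not defined only by its display name.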
For important additional information, see [Monitoring Agents Overview](../agents
|SuccessE2ELatency|Yes|Success E2E Latency|Milliseconds|Average|The end-to-end latency of successful requests made to a storage service or the specified API operation, in milliseconds. This value includes the required processing time within Azure Storage to read the request, send the response, and receive acknowledgment of the response.|GeoType, ApiName, Authentication| |SuccessServerLatency|Yes|Success Server Latency|Milliseconds|Average|The latency used by Azure Storage to process a successful request, in milliseconds. This value does not include the network latency specified in SuccessE2ELatency.|GeoType, ApiName, Authentication| |Transactions|Yes|Transactions|Count|Total|The number of requests made to a storage service or the specified API operation. This number includes successful and failed requests, as well as requests which produced errors. Use ResponseType dimension for the number of different type of response.|ResponseType, GeoType, ApiName, Authentication|
-|UsedCapacity|No|Used capacity|Bytes|Average|Account used capacity|No Dimensions|
+|UsedCapacity|Yes|Used capacity|Bytes|Average|Account used capacity|No Dimensions|
## Microsoft.ClassicStorage/storageAccounts/blobServices
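Review bot: UsedCapacity flips from "No" to "Yes" in the "Exportable via Diagnostic Settings?" column with no other change to the row; please confirm against the platform, and check whether the Microsoft.ClassicStorage/storageAccounts table directly below needs the same flip so the two storage sections do not disagree.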
For important additional information, see [Monitoring Agents Overview](../agents
|DataOut|Yes|Data Out|Bytes|Total|Size of outgoing data in bytes.|ApiName, OperationName, Region| |Latency|Yes|Latency|MilliSeconds|Average|Latency in milliseconds.|ApiName, OperationName, Region| |LearnedEvents|Yes|Learned Events|Count|Total|Number of Learned Events.|IsMatchBaseline, Mode, RunId|
-|MatchedRewards|Yes|Matched Rewards|Count|Total| Number of Matched Rewards.|IsMatchBaseline, Mode, RunId|
-|ObservedRewards|Yes|Observed Rewards|Count|Total|Number of Observed Rewards.|IsMatchBaseline, Mode, RunId|
+|MatchedRewards|Yes|Matched Rewards|Count|Total| Number of Matched Rewards.|Mode, RunId|
+|ObservedRewards|Yes|Observed Rewards|Count|Total|Number of Observed Rewards.|Mode, RunId|
|ProcessedCharacters|Yes|Processed Characters|Count|Total|Number of Characters.|ApiName, FeatureName, UsageChannel, Region| |ProcessedTextRecords|Yes|Processed Text Records|Count|Total|Count of Text Records.|ApiName, FeatureName, UsageChannel, Region| |ServerErrors|Yes|Server Errors|Count|Total|Number of calls with service internal error (HTTP response code 5xx).|ApiName, OperationName, Region| |SpeechSessionDuration|Yes|Speech Session Duration|Seconds|Total|Total duration of speech session in seconds.|ApiName, OperationName, Region| |SuccessfulCalls|Yes|Successful Calls|Count|Total|Number of successful calls.|ApiName, OperationName, Region|
+|SynthesizedCharacters|Yes|Synthesized Characters|Count|Total|Number of Characters.|ApiName, FeatureName, UsageChannel, Region|
|TotalCalls|Yes|Total Calls|Count|Total|Total number of calls.|ApiName, OperationName, Region| |TotalErrors|Yes|Total Errors|Count|Total|Total number of calls with error response (HTTP response code 4xx or 5xx).|ApiName, OperationName, Region| |TotalTokenCalls|Yes|Total Token Calls|Count|Total|Total number of token calls.|ApiName, OperationName, Region| |TotalTransactions|Yes|Total Transactions|Count|Total|Total number of transactions.|No Dimensions|
+|VoiceModelHostingHours|Yes|Voice Model Hosting Hours|Count|Total|Number of Hours.|ApiName, FeatureName, UsageChannel, Region|
+|VoiceModelTrainingMinutes|Yes|Voice Model Training Minutes|Count|Total|Number of Minutes.|ApiName, FeatureName, UsageChannel, Region|
## Microsoft.Communication/CommunicationServices
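Review bot: the three added rows use descriptions that do not distinguish them from existing rows: SynthesizedCharacters is described as "Number of Characters.", identical to ProcessedCharacters, and VoiceModelHostingHours and VoiceModelTrainingMinutes say only "Number of Hours." and "Number of Minutes.". Suggest "Number of synthesized characters.", "Hours a custom voice model was hosted.", and "Minutes spent training a voice model.". Removing IsMatchBaseline from the MatchedRewards and ObservedRewards dimensions while LearnedEvents keeps it is fine if intended, but the stray leading space in "| Number of Matched Rewards." survived the edit.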
For important additional information, see [Monitoring Agents Overview](../agents
|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions| ||||||||
-|Composite Disk Read Bytes/sec|No|Disk Read Bytes/sec(Preview)|Bytes|Average|Bytes/sec read from disk during monitoring period, please note, this metric is in preview and is subject to change before becoming generally available||
-|Composite Disk Read Operations/sec|No|Disk Read Operations/sec(Preview)|Bytes|Average|Number of read IOs performed on a disk during monitoring period, please note, this metric is in preview and is subject to change before becoming generally available||
-|Composite Disk Write Bytes/sec|No|Disk Write Bytes/sec(Preview)|Bytes|Average|Bytes/sec written to disk during monitoring period, please note, this metric is in preview and is subject to change before becoming generally available||
-|Composite Disk Write Operations/sec|No|Disk Write Operations/sec(Preview)|Bytes|Average|Number of Write IOs performed on a disk during monitoring period, please note, this metric is in preview and is subject to change before becoming generally available||
+|Composite Disk Read Bytes/sec|No|Disk Read Bytes/sec(Preview)|Bytes|Average|Bytes/sec read from disk during monitoring period, please note, this metric is in preview and is subject to change before becoming generally available|No Dimensions|
+|Composite Disk Read Operations/sec|No|Disk Read Operations/sec(Preview)|Bytes|Average|Number of read IOs performed on a disk during monitoring period, please note, this metric is in preview and is subject to change before becoming generally available|No Dimensions|
+|Composite Disk Write Bytes/sec|No|Disk Write Bytes/sec(Preview)|Bytes|Average|Bytes/sec written to disk during monitoring period, please note, this metric is in preview and is subject to change before becoming generally available|No Dimensions|
+|Composite Disk Write Operations/sec|No|Disk Write Operations/sec(Preview)|Bytes|Average|Number of Write IOs performed on a disk during monitoring period, please note, this metric is in preview and is subject to change before becoming generally available|No Dimensions|
## Microsoft.Compute/virtualMachines
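Review bot: while the Dimensions column is being filled with "No Dimensions", the Unit column for "Composite Disk Read Operations/sec" and "Composite Disk Write Operations/sec" is still "Bytes" although the descriptions say they count IOs; "Count" (or "CountPerSecond", which this file already uses for RowsConvertedPerSec) is the right unit. The "please note, this metric is in preview and is subject to change" clause is also repeated in all four descriptions; one note above the table would be cleaner.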
For important additional information, see [Monitoring Agents Overview](../agents
|VM Uncached IOPS Consumed Percentage|Yes|VM Uncached IOPS Consumed Percentage|Percent|Average|Percentage of uncached disk IOPS consumed by the VM|No Dimensions|
+## Microsoft.ConnectedVehicle/platformAccounts
+
+|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|
+||||||||
+|ClaimsProviderRequestLatency|Yes|Claims request execution time|Milliseconds|Average|The average execution time of requests to the customer claims provider endpoint in milliseconds.|VehicleId, DeviceName|
+|ClaimsProviderRequests|Yes|Claims provider requests|Count|Total|Number of requests to claims provider|VehicleId, DeviceName|
+|ConnectionServiceRequestRuntime|Yes|Vehicle connection service request execution time|Milliseconds|Average|Vehicle conneciton request execution time average in milliseconds|VehicleId, DeviceName|
+|ConnectionServiceRequests|Yes|Vehicle connection service requests|Count|Total|Total number of vehicle connection requests|VehicleId, DeviceName|
+|ProvisionerServiceRequestRuntime|Yes|Vehicle provision execution time|Milliseconds|Average|The average execution time of vehicle provision requests in milliseconds|VehicleId, DeviceName|
+|ProvisionerServiceRequests|Yes|Vehicle provision service requests|Count|Total|Total number of vehicle provision requests|VehicleId, DeviceName|
+|StateStoreReadRequestLatency|Yes|State store read execution time|Milliseconds|Average|State store read request execution time average in milliseconds.|VehicleId, DeviceName|
+|StateStoreReadRequests|Yes|State store read requests|Count|Total|Number of read requests to state store|VehicleId, DeviceName|
+|StateStoreWriteRequestLatency|Yes|State store write execution time|Milliseconds|Average|State store write request execution time average in milliseconds.|VehicleId, DeviceName|
+|StateStoreWriteRequests|Yes|State store write requests|Count|Total|Number of write requests to state store|VehicleId, DeviceName|
++ ## Microsoft.ContainerInstance/containerGroups |Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|
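Review bot: "Vehicle conneciton request execution time" in the ConnectionServiceRequestRuntime row misspells "connection". Description style also drifts within the new table ("The average execution time of ... in milliseconds." in some rows, "... request execution time average in milliseconds." in others); align on one form so the ConnectedVehicle section reads like the rest of the file.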
For important additional information, see [Monitoring Agents Overview](../agents
|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions| |||||||| |AgentPoolCPUTime|Yes|AgentPool CPU Time|Seconds|Total|AgentPool CPU Time in seconds|No Dimensions|
-|RunDuration|Yes|Run Duration|Milliseconds|Total|Run Duration in milliseconds|No Dimensions|
-|SuccessfulPullCount|Yes|Successful Pull Count|Count|Average|Number of successful image pulls|No Dimensions|
-|SuccessfulPushCount|Yes|Successful Push Count|Count|Average|Number of successful image pushes|No Dimensions|
-|TotalPullCount|Yes|Total Pull Count|Count|Average|Number of image pulls in total|No Dimensions|
-|TotalPushCount|Yes|Total Push Count|Count|Average|Number of image pushes in total|No Dimensions|
+|RunDuration|Yes|Run Duration|MilliSeconds|Total|Run Duration in milliseconds|No Dimensions|
+|StorageUsed|Yes|Storage used|Bytes|Average|The amount of storage used by the container registry. For a registry account, it's the sum of capacity used by all the repositories within a registry. It's sum of capacity used by shared layers, manifest files, and replica copies in each of its repositories.|Geolocation|
+|SuccessfulPullCount|Yes|Successful Pull Count|Count|Total|Number of successful image pulls|No Dimensions|
+|SuccessfulPushCount|Yes|Successful Push Count|Count|Total|Number of successful image pushes|No Dimensions|
+|TotalPullCount|Yes|Total Pull Count|Count|Total|Number of image pulls in total|No Dimensions|
+|TotalPushCount|Yes|Total Push Count|Count|Total|Number of image pushes in total|No Dimensions|
## Microsoft.ContainerService/managedClusters
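Review bot: RunDuration's unit changes from "Milliseconds" to "MilliSeconds", and the IoT Hub rows later in this diff get the same change, yet the rows added in this same update for Microsoft.ConnectedVehicle use "Milliseconds", so the file now mixes both spellings; if the tables are generated from metric definitions, say so once at the top instead of hand-editing casing. The switch from Average to Total on the four pull/push count metrics changes what an existing alert on those values measures, so it deserves a line in the change note at the top of the article.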
For important additional information, see [Monitoring Agents Overview](../agents
|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions| |||||||| |apiserver_current_inflight_requests|No|Inflight Requests|Count|Average|Maximum number of currently used inflight requests on the apiserver per request kind in the last second|requestKind|
-|cluster_autoscaler_cluster_safe_to_autoscale|No|Cluster Health|Count|Average|Determines whether or not cluster autoscaler will take action on the cluster||
-|cluster_autoscaler_scale_down_in_cooldown|No|Scale Down Cooldown|Count|Average|Determines if the scale down is in cooldown - No nodes will be removed during this timeframe||
-|cluster_autoscaler_unneeded_nodes_count|No|Unneeded Nodes|Count|Average|Cluster auotscaler marks those nodes as candidates for deletion and are eventually deleted||
-|cluster_autoscaler_unschedulable_pods_count|No|Unschedulable Pods|Count|Average|Number of pods that are currently unschedulable in the cluster||
-|kube_node_status_allocatable_cpu_cores|No|Total number of available cpu cores in a managed cluster|Count|Average|Total number of available cpu cores in a managed cluster||
-|kube_node_status_allocatable_memory_bytes|No|Total amount of available memory in a managed cluster|Bytes|Average|Total amount of available memory in a managed cluster||
+|cluster_autoscaler_cluster_safe_to_autoscale|No|Cluster Health|Count|Average|Determines whether or not cluster autoscaler will take action on the cluster|No Dimensions|
+|cluster_autoscaler_scale_down_in_cooldown|No|Scale Down Cooldown|Count|Average|Determines if the scale down is in cooldown - No nodes will be removed during this timeframe|No Dimensions|
+|cluster_autoscaler_unneeded_nodes_count|No|Unneeded Nodes|Count|Average|Cluster auotscaler marks those nodes as candidates for deletion and are eventually deleted|No Dimensions|
+|cluster_autoscaler_unschedulable_pods_count|No|Unschedulable Pods|Count|Average|Number of pods that are currently unschedulable in the cluster|No Dimensions|
+|kube_node_status_allocatable_cpu_cores|No|Total number of available cpu cores in a managed cluster|Count|Average|Total number of available cpu cores in a managed cluster|No Dimensions|
+|kube_node_status_allocatable_memory_bytes|No|Total amount of available memory in a managed cluster|Bytes|Average|Total amount of available memory in a managed cluster|No Dimensions|
|kube_node_status_condition|No|Statuses for various node conditions|Count|Average|Statuses for various node conditions|condition, status, status2, node| |kube_pod_status_phase|No|Number of pods by phase|Count|Average|Number of pods by phase|phase, namespace, pod| |kube_pod_status_ready|No|Number of pods in Ready state|Count|Average|Number of pods in Ready state|namespace, pod, condition|
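Review bot: "Cluster auotscaler marks those nodes as candidates for deletion" in the cluster_autoscaler_unneeded_nodes_count row carries the "auotscaler" typo over from the old line; fix it while the row is being edited. The two flag-style rows, cluster_autoscaler_cluster_safe_to_autoscale and cluster_autoscaler_scale_down_in_cooldown, have Unit "Count" but the descriptions never say what the value encodes; state which value means true so alerts can be written on them.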
For important additional information, see [Monitoring Agents Overview](../agents
|d2c.endpoints.egress.storage|Yes|Routing: messages delivered to storage|Count|Total|The number of times IoT Hub routing successfully delivered messages to storage endpoints.|No Dimensions| |d2c.endpoints.egress.storage.blobs|Yes|Routing: blobs delivered to storage|Count|Total|The number of times IoT Hub routing delivered blobs to storage endpoints.|No Dimensions| |d2c.endpoints.egress.storage.bytes|Yes|Routing: data delivered to storage|Bytes|Total|The amount of data (bytes) IoT Hub routing delivered to storage endpoints.|No Dimensions|
-|d2c.endpoints.latency.builtIn.events|Yes|Routing: message latency for messages/events|Milliseconds|Average|The average latency (milliseconds) between message ingress to IoT Hub and telemetry message ingress into the built-in endpoint (messages/events).|No Dimensions|
-|d2c.endpoints.latency.eventHubs|Yes|Routing: message latency for Event Hub|Milliseconds|Average|The average latency (milliseconds) between message ingress to IoT Hub and message ingress into an Event Hub endpoint.|No Dimensions|
-|d2c.endpoints.latency.serviceBusQueues|Yes|Routing: message latency for Service Bus Queue|Milliseconds|Average|The average latency (milliseconds) between message ingress to IoT Hub and telemetry message ingress into a Service Bus queue endpoint.|No Dimensions|
-|d2c.endpoints.latency.serviceBusTopics|Yes|Routing: message latency for Service Bus Topic|Milliseconds|Average|The average latency (milliseconds) between message ingress to IoT Hub and telemetry message ingress into a Service Bus topic endpoint.|No Dimensions|
-|d2c.endpoints.latency.storage|Yes|Routing: message latency for storage|Milliseconds|Average|The average latency (milliseconds) between message ingress to IoT Hub and telemetry message ingress into a storage endpoint.|No Dimensions|
-|d2c.telemetry.egress.dropped|Yes|Routing: telemetry messages dropped |Count|Total|The number of times messages were dropped by IoT Hub routing due to dead endpoints. This value does not count messages delivered to fallback route as dropped messages are not delivered there.|No Dimensions|
+|d2c.endpoints.latency.builtIn.events|Yes|Routing: message latency for messages/events|MilliSeconds|Average|The average latency (milliseconds) between message ingress to IoT Hub and telemetry message ingress into the built-in endpoint (messages/events).|No Dimensions|
+|d2c.endpoints.latency.eventHubs|Yes|Routing: message latency for Event Hub|MilliSeconds|Average|The average latency (milliseconds) between message ingress to IoT Hub and message ingress into an Event Hub endpoint.|No Dimensions|
+|d2c.endpoints.latency.serviceBusQueues|Yes|Routing: message latency for Service Bus Queue|MilliSeconds|Average|The average latency (milliseconds) between message ingress to IoT Hub and telemetry message ingress into a Service Bus queue endpoint.|No Dimensions|
+|d2c.endpoints.latency.serviceBusTopics|Yes|Routing: message latency for Service Bus Topic|MilliSeconds|Average|The average latency (milliseconds) between message ingress to IoT Hub and telemetry message ingress into a Service Bus topic endpoint.|No Dimensions|
+|d2c.endpoints.latency.storage|Yes|Routing: message latency for storage|MilliSeconds|Average|The average latency (milliseconds) between message ingress to IoT Hub and telemetry message ingress into a storage endpoint.|No Dimensions|
+|d2c.telemetry.egress.dropped|Yes|Routing: telemetry messages dropped |Count|Total|The number of times messages were dropped by IoT Hub routing due to dead endpoints. This value does not count messages delivered to fallback route as dropped messages are not delivered there.|No Dimensions|
|d2c.telemetry.egress.fallback|Yes|Routing: messages delivered to fallback|Count|Total|The number of times IoT Hub routing delivered messages to the endpoint associated with the fallback route.|No Dimensions| |d2c.telemetry.egress.invalid|Yes|Routing: telemetry messages incompatible|Count|Total|The number of times IoT Hub routing failed to deliver messages due to an incompatibility with the endpoint. This value does not include retries.|No Dimensions|
-|d2c.telemetry.egress.orphaned|Yes|Routing: telemetry messages orphaned |Count|Total|The number of times messages were orphaned by IoT Hub routing because they didn't match any routing rules (including the fallback rule). |No Dimensions|
+|d2c.telemetry.egress.orphaned|Yes|Routing: telemetry messages orphaned |Count|Total|The number of times messages were orphaned by IoT Hub routing because they didn't match any routing rules (including the fallback rule). |No Dimensions|
|d2c.telemetry.egress.success|Yes|Routing: telemetry messages delivered|Count|Total|The number of times messages were successfully delivered to all endpoints using IoT Hub routing. If a message is routed to multiple endpoints, this value increases by one for each successful delivery. If a message is delivered to the same endpoint multiple times, this value increases by one for each successful delivery.|No Dimensions| |d2c.telemetry.ingress.allProtocol|Yes|Telemetry message send attempts|Count|Total|Number of device-to-cloud telemetry messages attempted to be sent to your IoT hub|No Dimensions| |d2c.telemetry.ingress.sendThrottle|Yes|Number of throttling errors|Count|Total|Number of throttling errors due to device throughput throttles|No Dimensions|
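Review bot: the d2c.telemetry.egress.dropped and d2c.telemetry.egress.orphaned rows appear in the diff with no visible change, and both keep a trailing space in the display name ("telemetry messages dropped ", "telemetry messages orphaned "), the orphaned row also before the closing pipe of its description. If the change is whitespace-only, remove those trailing spaces now so the rows stop surfacing in future diffs.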
For important additional information, see [Monitoring Agents Overview](../agents
|devices.connectedDevices.allProtocol|Yes|Connected devices (deprecated) |Count|Total|Number of devices connected to your IoT hub|No Dimensions| |devices.totalDevices|Yes|Total devices (deprecated)|Count|Total|Number of devices registered to your IoT hub|No Dimensions| |EventGridDeliveries|Yes|Event Grid deliveries|Count|Total|The number of IoT Hub events published to Event Grid. Use the Result dimension for the number of successful and failed requests. EventType dimension shows the type of event (https://aka.ms/ioteventgrid).|Result, EventType|
-|EventGridLatency|Yes|Event Grid latency|Milliseconds|Average|The average latency (milliseconds) from when the Iot Hub event was generated to when the event was published to Event Grid. This number is an average between all event types. Use the EventType dimension to see latency of a specific type of event.|EventType|
+|EventGridLatency|Yes|Event Grid latency|MilliSeconds|Average|The average latency (milliseconds) from when the Iot Hub event was generated to when the event was published to Event Grid. This number is an average between all event types. Use the EventType dimension to see latency of a specific type of event.|EventType|
|jobs.cancelJob.failure|Yes|Failed job cancellations|Count|Total|The count of all failed calls to cancel a job.|No Dimensions| |jobs.cancelJob.success|Yes|Successful job cancellations|Count|Total|The count of all successful calls to cancel a job.|No Dimensions| |jobs.completed|Yes|Completed jobs|Count|Total|The count of all completed jobs.|No Dimensions|
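Review bot: the EventGridLatency description still reads "when the Iot Hub event was generated"; the product name is "IoT Hub" as used in every other row of this table.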
For important additional information, see [Monitoring Agents Overview](../agents
|jobs.queryJobs.success|Yes|Successful job queries|Count|Total|The count of all successful calls to query jobs.|No Dimensions| |RoutingDataSizeInBytesDelivered|Yes|Routing Delivery Message Size in Bytes (preview)|Bytes|Total|The total size in bytes of messages delivered by IoT hub to an endpoint. You can use the EndpointName and EndpointType dimensions to view the size of the messages in bytes delivered to your different endpoints. The metric value increases for every message delivered, including if the message is delivered to multiple endpoints or if the message is delivered to the same endpoint multiple times.|EndpointType, EndpointName, RoutingSource| |RoutingDeliveries|Yes|Routing Deliveries (preview)|Count|Total|The number of times IoT Hub attempted to deliver messages to all endpoints using routing. To see the number of successful or failed attempts, use the Result dimension. To see the reason of failure, like invalid, dropped, or orphaned, use the FailureReasonCategory dimension. You can also use the EndpointName and EndpointType dimensions to understand how many messages were delivered to your different endpoints. The metric value increases by one for each delivery attempt, including if the message is delivered to multiple endpoints or if the message is delivered to the same endpoint multiple times.|EndpointType, EndpointName, FailureReasonCategory, Result, RoutingSource|
-|RoutingDeliveryLatency|Yes|Routing Delivery Latency (preview)|Milliseconds|Average|The average latency (milliseconds) between message ingress to IoT Hub and telemetry message ingress into an endpoint. You can use the EndpointName and EndpointType dimensions to understand the latency to your different endpoints.|EndpointType, EndpointName, RoutingSource|
+|RoutingDeliveryLatency|Yes|Routing Delivery Latency (preview)|MilliSeconds|Average|The average latency (milliseconds) between message ingress to IoT Hub and telemetry message ingress into an endpoint. You can use the EndpointName and EndpointType dimensions to understand the latency to your different endpoints.|EndpointType, EndpointName, RoutingSource|
|totalDeviceCount|No|Total devices|Count|Average|Number of devices registered to your IoT hub|No Dimensions| |twinQueries.failure|Yes|Failed twin queries|Count|Total|The count of all failed twin queries.|No Dimensions| |twinQueries.resultSize|Yes|Twin queries result size|Bytes|Average|The average, min, and max of the result size of all successful twin queries.|No Dimensions|
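Review bot: the RoutingDeliveryLatency row changes its Unit cell from `Milliseconds` to `MilliSeconds`, which no longer matches the `Milliseconds` spelling used by the other latency rows on this page (for example IoTConnectorMeasurementIngestionLatencyMs and BackendFirstByteResponseTime uses yet another form, `MilliSeconds`); if the table is generated verbatim from the metric definitions this is expected, otherwise settle on one spelling across the page.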
|CassandraTableUpdate|No|Cassandra Table Updated|Count|Count|Cassandra Table Updated|ResourceName, ChildResourceName, | |CreateAccount|Yes|Account Created|Count|Count|Account Created|No Dimensions| |DataUsage|No|Data Usage|Bytes|Total|Total data usage reported at 5 minutes granularity|CollectionName, DatabaseName, Region|
+|DedicatedGatewayAverageCPUUsage|No|DedicatedGatewayAverageCPUUsage|Percent|Average|Average CPU usage across dedicated gateway instances|Region, |
+|DedicatedGatewayAverageMemoryUsage|No|DedicatedGatewayAverageMemoryUsage|Bytes|Average|Average memory usage across dedicated gateway instances, which is used for both routing requests and caching data|Region|
+|DedicatedGatewayMaximumCPUUsage|No|DedicatedGatewayMaximumCPUUsage|Percent|Average|Average Maximum CPU usage across dedicated gateway instances|Region, |
|DedicatedGatewayRequests|Yes|DedicatedGatewayRequests|Count|Count|Requests at the dedicated gateway|DatabaseName, CollectionName, CacheExercised, OperationName, Region| |DeleteAccount|Yes|Account Deleted|Count|Count|Account Deleted|No Dimensions| |DocumentCount|No|Document Count|Count|Total|Total document count reported at 5 minutes granularity|CollectionName, DatabaseName, Region|
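Review bot: the new DedicatedGatewayAverageCPUUsage and DedicatedGatewayMaximumCPUUsage rows leave a trailing comma in the Dimensions cell (`Region, `) while DedicatedGatewayAverageMemoryUsage has `Region`; trim the trailing comma so the three rows match. The description "Average Maximum CPU usage across dedicated gateway instances" for the Maximum metric also reads oddly beside Aggregation Type Average; something like "Maximum CPU usage across dedicated gateway instances, averaged over the interval" would say what the row means, if that matches the metric definition.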
|GremlinGraphThroughputUpdate|No|Gremlin Graph Throughput Updated|Count|Count|Gremlin Graph Throughput Updated|ResourceName, ChildResourceName, | |GremlinGraphUpdate|No|Gremlin Graph Updated|Count|Count|Gremlin Graph Updated|ResourceName, ChildResourceName, | |IndexUsage|No|Index Usage|Bytes|Total|Total index usage reported at 5 minutes granularity|CollectionName, DatabaseName, Region|
-|IntegratedCacheEvictedEntriesSize|No|IntegratedCacheEvictedEntriesSize|Bytes|Average|Size of the entries evicted from the integrated cache|CacheType, Region|
-|IntegratedCacheHitRate|No|IntegratedCacheHitRate|Percent|Average|Cache hit rate for integrated caches|CacheType, Region|
-|IntegratedCacheSize|No|IntegratedCacheSize|Bytes|Average|Size of the integrated caches for dedicated gateway requests|CacheType, Region|
-|IntegratedCacheTTLExpirationCount|No|IntegratedCacheTTLExpirationCount|Count|Average|Number of entries removed from the integrated cache due to TTL expiration|CacheType, Region|
+|IntegratedCacheEvictedEntriesSize|No|IntegratedCacheEvictedEntriesSize|Bytes|Average|Size of the entries evicted from the integrated cache|Region|
+|IntegratedCacheItemExpirationCount|No|IntegratedCacheItemExpirationCount|Count|Average|Number of items evicted from the integrated cache due to TTL expiration|Region, |
+|IntegratedCacheItemHitRate|No|IntegratedCacheItemHitRate|Percent|Average|Number of point reads that used the integrated cache divided by number of point reads routed through the dedicated gateway with eventual consistency|Region, |
+|IntegratedCacheQueryExpirationCount|No|IntegratedCacheQueryExpirationCount|Count|Average|Number of queries evicted from the integrated cache due to TTL expiration|Region, |
+|IntegratedCacheQueryHitRate|No|IntegratedCacheQueryHitRate|Percent|Average|Number of queries that used the integrated cache divided by number of queries routed through the dedicated gateway with eventual consistency|Region, |
|MetadataRequests|No|Metadata Requests|Count|Count|Count of metadata requests. Cosmos DB maintains system metadata collection for each account, that allows you to enumerate collections, databases, etc, and their configurations, free of charge.|DatabaseName, CollectionName, Region, StatusCode, | |MongoCollectionCreate|No|Mongo Collection Created|Count|Count|Mongo Collection Created|ResourceName, ChildResourceName, | |MongoCollectionDelete|No|Mongo Collection Deleted|Count|Count|Mongo Collection Deleted|ResourceName, ChildResourceName, |
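Review bot: the replacement IntegratedCache rows drop the CacheType dimension that all four removed rows carried, and four of the five new rows have a trailing comma in the Dimensions cell (`Region, `) while IntegratedCacheEvictedEntriesSize has `Region`. Splitting IntegratedCacheHitRate and IntegratedCacheTTLExpirationCount into separate Item and Query metrics suggests the cache type moved into the metric name, so dropping the dimension may be intended; confirm that, and make the Dimensions cells consistent either way.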
|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions| ||||||||
-|ActiveConnections|No|ActiveConnections|Count|Average|Total Active Connections for Microsoft.EventHub.||
+|ActiveConnections|No|ActiveConnections|Count|Average|Total Active Connections for Microsoft.EventHub.|No Dimensions|
|AvailableMemory|No|Available Memory|Percent|Maximum|Available memory for the Event Hub Cluster as a percentage of total memory.|Role|
-|CaptureBacklog|No|Capture Backlog.|Count|Total|Capture Backlog for Microsoft.EventHub.||
-|CapturedBytes|No|Captured Bytes.|Bytes|Total|Captured Bytes for Microsoft.EventHub.||
-|CapturedMessages|No|Captured Messages.|Count|Total|Captured Messages for Microsoft.EventHub.||
-|ConnectionsClosed|No|Connections Closed.|Count|Average|Connections Closed for Microsoft.EventHub.||
-|ConnectionsOpened|No|Connections Opened.|Count|Average|Connections Opened for Microsoft.EventHub.||
+|CaptureBacklog|No|Capture Backlog.|Count|Total|Capture Backlog for Microsoft.EventHub.|No Dimensions|
+|CapturedBytes|No|Captured Bytes.|Bytes|Total|Captured Bytes for Microsoft.EventHub.|No Dimensions|
+|CapturedMessages|No|Captured Messages.|Count|Total|Captured Messages for Microsoft.EventHub.|No Dimensions|
+|ConnectionsClosed|No|Connections Closed.|Count|Average|Connections Closed for Microsoft.EventHub.|No Dimensions|
+|ConnectionsOpened|No|Connections Opened.|Count|Average|Connections Opened for Microsoft.EventHub.|No Dimensions|
|CPU|No|CPU|Percent|Maximum|CPU utilization for the Event Hub Cluster as a percentage|Role|
-|IncomingBytes|Yes|Incoming Bytes.|Bytes|Total|Incoming Bytes for Microsoft.EventHub.||
-|IncomingMessages|Yes|Incoming Messages|Count|Total|Incoming Messages for Microsoft.EventHub.||
-|IncomingRequests|Yes|Incoming Requests|Count|Total|Incoming Requests for Microsoft.EventHub.||
-|OutgoingBytes|Yes|Outgoing Bytes.|Bytes|Total|Outgoing Bytes for Microsoft.EventHub.||
-|OutgoingMessages|Yes|Outgoing Messages|Count|Total|Outgoing Messages for Microsoft.EventHub.||
+|IncomingBytes|Yes|Incoming Bytes.|Bytes|Total|Incoming Bytes for Microsoft.EventHub.|No Dimensions|
+|IncomingMessages|Yes|Incoming Messages|Count|Total|Incoming Messages for Microsoft.EventHub.|No Dimensions|
+|IncomingRequests|Yes|Incoming Requests|Count|Total|Incoming Requests for Microsoft.EventHub.|No Dimensions|
+|OutgoingBytes|Yes|Outgoing Bytes.|Bytes|Total|Outgoing Bytes for Microsoft.EventHub.|No Dimensions|
+|OutgoingMessages|Yes|Outgoing Messages|Count|Total|Outgoing Messages for Microsoft.EventHub.|No Dimensions|
|QuotaExceededErrors|No|Quota Exceeded Errors.|Count|Total|Quota Exceeded Errors for Microsoft.EventHub.|OperationResult| |ServerErrors|No|Server Errors.|Count|Total|Server Errors for Microsoft.EventHub.|OperationResult| |Size|No|Size|Bytes|Average|Size of an EventHub in Bytes.|Role|
|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions| ||||||||
-|ActiveConnections|No|ActiveConnections|Count|Average|Total Active Connections for Microsoft.EventHub.||
+|ActiveConnections|No|ActiveConnections|Count|Average|Total Active Connections for Microsoft.EventHub.|No Dimensions|
|CaptureBacklog|No|Capture Backlog.|Count|Total|Capture Backlog for Microsoft.EventHub.|EntityName| |CapturedBytes|No|Captured Bytes.|Bytes|Total|Captured Bytes for Microsoft.EventHub.|EntityName| |CapturedMessages|No|Captured Messages.|Count|Total|Captured Messages for Microsoft.EventHub.|EntityName| |ConnectionsClosed|No|Connections Closed.|Count|Average|Connections Closed for Microsoft.EventHub.|EntityName| |ConnectionsOpened|No|Connections Opened.|Count|Average|Connections Opened for Microsoft.EventHub.|EntityName|
-|EHABL|Yes|Archive backlog messages (Deprecated)|Count|Total|Event Hub archive messages in backlog for a namespace (Deprecated)||
-|EHAMBS|Yes|Archive message throughput (Deprecated)|Bytes|Total|Event Hub archived message throughput in a namespace (Deprecated)||
-|EHAMSGS|Yes|Archive messages (Deprecated)|Count|Total|Event Hub archived messages in a namespace (Deprecated)||
-|EHINBYTES|Yes|Incoming bytes (Deprecated)|Bytes|Total|Event Hub incoming message throughput for a namespace (Deprecated)||
-|EHINMBS|Yes|Incoming bytes (obsolete) (Deprecated)|Bytes|Total|Event Hub incoming message throughput for a namespace. This metric is deprecated. Please use Incoming bytes metric instead (Deprecated)||
-|EHINMSGS|Yes|Incoming Messages (Deprecated)|Count|Total|Total incoming messages for a namespace (Deprecated)||
-|EHOUTBYTES|Yes|Outgoing bytes (Deprecated)|Bytes|Total|Event Hub outgoing message throughput for a namespace (Deprecated)||
-|EHOUTMBS|Yes|Outgoing bytes (obsolete) (Deprecated)|Bytes|Total|Event Hub outgoing message throughput for a namespace. This metric is deprecated. Please use Outgoing bytes metric instead (Deprecated)||
-|EHOUTMSGS|Yes|Outgoing Messages (Deprecated)|Count|Total|Total outgoing messages for a namespace (Deprecated)||
-|FAILREQ|Yes|Failed Requests (Deprecated)|Count|Total|Total failed requests for a namespace (Deprecated)||
+|EHABL|Yes|Archive backlog messages (Deprecated)|Count|Total|Event Hub archive messages in backlog for a namespace (Deprecated)|No Dimensions|
+|EHAMBS|Yes|Archive message throughput (Deprecated)|Bytes|Total|Event Hub archived message throughput in a namespace (Deprecated)|No Dimensions|
+|EHAMSGS|Yes|Archive messages (Deprecated)|Count|Total|Event Hub archived messages in a namespace (Deprecated)|No Dimensions|
+|EHINBYTES|Yes|Incoming bytes (Deprecated)|Bytes|Total|Event Hub incoming message throughput for a namespace (Deprecated)|No Dimensions|
+|EHINMBS|Yes|Incoming bytes (obsolete) (Deprecated)|Bytes|Total|Event Hub incoming message throughput for a namespace. This metric is deprecated. Please use Incoming bytes metric instead (Deprecated)|No Dimensions|
+|EHINMSGS|Yes|Incoming Messages (Deprecated)|Count|Total|Total incoming messages for a namespace (Deprecated)|No Dimensions|
+|EHOUTBYTES|Yes|Outgoing bytes (Deprecated)|Bytes|Total|Event Hub outgoing message throughput for a namespace (Deprecated)|No Dimensions|
+|EHOUTMBS|Yes|Outgoing bytes (obsolete) (Deprecated)|Bytes|Total|Event Hub outgoing message throughput for a namespace. This metric is deprecated. Please use Outgoing bytes metric instead (Deprecated)|No Dimensions|
+|EHOUTMSGS|Yes|Outgoing Messages (Deprecated)|Count|Total|Total outgoing messages for a namespace (Deprecated)|No Dimensions|
+|FAILREQ|Yes|Failed Requests (Deprecated)|Count|Total|Total failed requests for a namespace (Deprecated)|No Dimensions|
|IncomingBytes|Yes|Incoming Bytes.|Bytes|Total|Incoming Bytes for Microsoft.EventHub.|EntityName| |IncomingMessages|Yes|Incoming Messages|Count|Total|Incoming Messages for Microsoft.EventHub.|EntityName| |IncomingRequests|Yes|Incoming Requests|Count|Total|Incoming Requests for Microsoft.EventHub.|EntityName|
-|INMSGS|Yes|Incoming Messages (obsolete) (Deprecated)|Count|Total|Total incoming messages for a namespace. This metric is deprecated. Please use Incoming Messages metric instead (Deprecated)||
-|INREQS|Yes|Incoming Requests (Deprecated)|Count|Total|Total incoming send requests for a namespace (Deprecated)||
-|INTERR|Yes|Internal Server Errors (Deprecated)|Count|Total|Total internal server errors for a namespace (Deprecated)||
-|MISCERR|Yes|Other Errors (Deprecated)|Count|Total|Total failed requests for a namespace (Deprecated)||
+|INMSGS|Yes|Incoming Messages (obsolete) (Deprecated)|Count|Total|Total incoming messages for a namespace. This metric is deprecated. Please use Incoming Messages metric instead (Deprecated)|No Dimensions|
+|INREQS|Yes|Incoming Requests (Deprecated)|Count|Total|Total incoming send requests for a namespace (Deprecated)|No Dimensions|
+|INTERR|Yes|Internal Server Errors (Deprecated)|Count|Total|Total internal server errors for a namespace (Deprecated)|No Dimensions|
+|MISCERR|Yes|Other Errors (Deprecated)|Count|Total|Total failed requests for a namespace (Deprecated)|No Dimensions|
|OutgoingBytes|Yes|Outgoing Bytes.|Bytes|Total|Outgoing Bytes for Microsoft.EventHub.|EntityName| |OutgoingMessages|Yes|Outgoing Messages|Count|Total|Outgoing Messages for Microsoft.EventHub.|EntityName|
-|OUTMSGS|Yes|Outgoing Messages (obsolete) (Deprecated)|Count|Total|Total outgoing messages for a namespace. This metric is deprecated. Please use Outgoing Messages metric instead (Deprecated)||
+|OUTMSGS|Yes|Outgoing Messages (obsolete) (Deprecated)|Count|Total|Total outgoing messages for a namespace. This metric is deprecated. Please use Outgoing Messages metric instead (Deprecated)|No Dimensions|
|QuotaExceededErrors|No|Quota Exceeded Errors.|Count|Total|Quota Exceeded Errors for Microsoft.EventHub.|EntityName, OperationResult| |ServerErrors|No|Server Errors.|Count|Total|Server Errors for Microsoft.EventHub.|EntityName, OperationResult| |Size|No|Size|Bytes|Average|Size of an EventHub in Bytes.|EntityName| |SuccessfulRequests|No|Successful Requests|Count|Total|Successful Requests for Microsoft.EventHub.|EntityName, OperationResult|
-|SUCCREQ|Yes|Successful Requests (Deprecated)|Count|Total|Total successful requests for a namespace (Deprecated)||
-|SVRBSY|Yes|Server Busy Errors (Deprecated)|Count|Total|Total server busy errors for a namespace (Deprecated)||
+|SUCCREQ|Yes|Successful Requests (Deprecated)|Count|Total|Total successful requests for a namespace (Deprecated)|No Dimensions|
+|SVRBSY|Yes|Server Busy Errors (Deprecated)|Count|Total|Total server busy errors for a namespace (Deprecated)|No Dimensions|
|ThrottledRequests|No|Throttled Requests.|Count|Total|Throttled Requests for Microsoft.EventHub.|EntityName, OperationResult| |UserErrors|No|User Errors.|Count|Total|User Errors for Microsoft.EventHub.|EntityName, OperationResult|
|IoTConnectorMeasurementIngestionLatencyMs|Yes|Average Group Stage Latency|Milliseconds|Average|The time period between when the IoT Connector received the device data and when the data is processed by the FHIR conversion stage.|Operation, ConnectorName| |IoTConnectorNormalizedEvent|Yes|Number of Normalized Messages|Count|Sum|The total number of mapped normalized values outputted from the normalization stage of the the Azure IoT Connector for FHIR.|Operation, ConnectorName| |IoTConnectorTotalErrors|Yes|Total Error Count|Count|Sum|The total number of errors logged by the Azure IoT Connector for FHIR|Name, Operation, ErrorType, ErrorSeverity, ConnectorName|
-|ServiceApiErrors|Yes|Service Errors|Count|Sum|The total number of internal server errors generated by the service.|Protocol, Authentication, Operation, ResourceType, StatusCode, StatusCodeClass, StatusCodeText|
-|ServiceApiLatency|Yes|Service Latency|Milliseconds|Average|The response latency of the service.|Protocol, Authentication, Operation, ResourceType, StatusCode, StatusCodeClass, StatusCodeText|
-|ServiceApiRequests|Yes|Service Requests|Count|Sum|The total number of requests received by the service.|Protocol, Authentication, Operation, ResourceType, StatusCode, StatusCodeClass, StatusCodeText|
|TotalErrors|Yes|Total Errors|Count|Sum|The total number of internal server errors encountered by the service.|Protocol, StatusCode, StatusCodeClass, StatusCodeText| |TotalLatency|Yes|Total Latency|Milliseconds|Average|The response latency of the service.|Protocol| |TotalRequests|Yes|Total Requests|Count|Sum|The total number of requests received by the service.|Protocol|
+## Microsoft.HealthcareApis/workspaces/iotconnectors
+
+|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|
+||||||||
+|DeviceEvent|Yes|Number of Incoming Messages|Count|Sum|The total number of messages received by the Azure IoT Connector for FHIR prior to any normalization.|Operation, ResourceName|
+|DeviceEventProcessingLatencyMs|Yes|Average Normalize Stage Latency|Milliseconds|Average|The average time between an event's ingestion time and the time the event is processed for normalization.|Operation, ResourceName|
+|IoTConnectorTotalErrors|Yes|Total Error Count|Count|Sum|The total number of errors logged by the Azure IoT Connector for FHIR|Name, Operation, ErrorType, ErrorSeverity, ResourceName|
+|Measurement|Yes|Number of Measurements|Count|Sum|The number of normalized value readings received by the FHIR conversion stage of the Azure IoT Connector for FHIR.|Operation, ResourceName|
+|MeasurementGroup|Yes|Number of Message Groups|Count|Sum|The total number of unique groupings of measurements across type, device, patient, and configured time period generated by the FHIR conversion stage.|Operation, ResourceName|
+|MeasurementIngestionLatencyMs|Yes|Average Group Stage Latency|Milliseconds|Average|The time period between when the IoT Connector received the device data and when the data is processed by the FHIR conversion stage.|Operation, ResourceName|
+|NormalizedEvent|Yes|Number of Normalized Messages|Count|Sum|The total number of mapped normalized values outputted from the normalization stage of the the Azure IoT Connector for FHIR.|Operation, ResourceName|
++ ## microsoft.hybridnetwork/networkfunctions |Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|
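Review bot: the description of the new NormalizedEvent row repeats "the the" ("outputted from the normalization stage of the the Azure IoT Connector for FHIR"); it copies the same typo from the existing IoTConnectorNormalizedEvent row in the context above, so fix at least the new row while it is being added. The removal of ServiceApiErrors, ServiceApiLatency and ServiceApiRequests at the top of the hunk also drops the only rows in this table that exposed the Authentication, Operation and ResourceType dimensions, while the retained TotalErrors/TotalLatency/TotalRequests rows only carry Protocol and status code dimensions; worth confirming those metrics were actually retired rather than lost in the regeneration. Last, the final line of the hunk runs the `## microsoft.hybridnetwork/networkfunctions` heading and its table header together after the `+`; check that the inserted section ends with a blank line so the following heading renders on its own line.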
|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions| |||||||| |MetricThreshold|Yes|Metric Threshold|Count|Average|The configured autoscale threshold when autoscale ran.|MetricTriggerRule|
-|ObservedCapacity|Yes|Observed Capacity|Count|Average|The capacity reported to autoscale when it executed.||
+|ObservedCapacity|Yes|Observed Capacity|Count|Average|The capacity reported to autoscale when it executed.|No Dimensions|
|ObservedMetricValue|Yes|Observed Metric Value|Count|Average|The value computed by autoscale when executed|MetricTriggerSource| |ScaleActionsInitiated|Yes|Scale Actions Initiated|Count|Total|The direction of the scale operation.|ScaleDirection|
|deviceDataUsage|Yes|Total Device Data Usage|Bytes|Total|Bytes transferred to and from any devices connected to IoT Central application|No Dimensions| |provisionedDeviceCount|No|Total Provisioned Devices|Count|Average|Number of devices provisioned in IoT Central application|No Dimensions| + ## microsoft.keyvault/managedhsms |Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|
|Availability|No|Overall Service Availability|Percent|Average|Service requests availability|ActivityType, ActivityName, StatusCode, StatusCodeClass| |ServiceApiHit|Yes|Total Service Api Hits|Count|Count|Number of total service api hits|ActivityType, ActivityName| |ServiceApiLatency|No|Overall Service Api Latency|Milliseconds|Average|Overall latency of service api requests|ActivityType, ActivityName, StatusCode, StatusCodeClass|
-|ServiceApiResult|Yes|Total Service Api Results|Count|Count|Number of total service api results|ActivityType, ActivityName, StatusCode, StatusCodeClass|
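Review bot: this hunk removes ServiceApiResult from the managed HSM table while ServiceApiHit and ServiceApiLatency stay and the Microsoft.KeyVault/vaults table below keeps its ServiceApiResult row; if managed HSM no longer emits the metric the removal is right, but if it was dropped by mistake during regeneration the row should come back, since it is the one that carries StatusCode and StatusCodeClass for per-result monitoring.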
## Microsoft.KeyVault/vaults
|Availability|Yes|Overall Vault Availability|Percent|Average|Vault requests availability|ActivityType, ActivityName, StatusCode, StatusCodeClass| |SaturationShoebox|No|Overall Vault Saturation|Percent|Average|Vault capacity used|ActivityType, ActivityName, TransactionType| |ServiceApiHit|Yes|Total Service Api Hits|Count|Count|Number of total service api hits|ActivityType, ActivityName|
-|ServiceApiLatency|Yes|Overall Service Api Latency|Milliseconds|Average|Overall latency of service api requests|ActivityType, ActivityName, StatusCode, StatusCodeClass|
+|ServiceApiLatency|Yes|Overall Service Api Latency|MilliSeconds|Average|Overall latency of service api requests|ActivityType, ActivityName, StatusCode, StatusCodeClass|
|ServiceApiResult|Yes|Total Service Api Results|Count|Count|Number of total service api results|ActivityType, ActivityName, StatusCode, StatusCodeClass|
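Review bot: ServiceApiLatency's Unit cell changes from `Milliseconds` to `MilliSeconds`, the same casing change made to RoutingDeliveryLatency earlier in this patch, while the IoT Connector latency rows on this page keep `Milliseconds`; if the casing comes straight from the metric definition leave it, otherwise use one spelling throughout.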
|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions| ||||||||
-|capacity_cpu_cores|Yes|Total number of cpu cores in a connected cluster|Count|Total|Total number of cpu cores in a connected cluster||
+|capacity_cpu_cores|Yes|Total number of cpu cores in a connected cluster|Count|Total|Total number of cpu cores in a connected cluster|No Dimensions|
## Microsoft.Kusto/Clusters
|InstanceCount|Yes|Instance Count|Count|Average|Total instance count|No Dimensions| |KeepAlive|Yes|Keep alive|Count|Average|Sanity check indicates the cluster responds to queries|No Dimensions| |MaterializedViewAgeMinutes|Yes|Materialized View Age|Count|Average|The materialized view age in minutes|Database, MaterializedViewName|
+|MaterializedViewAgeSeconds|Yes|Materialized View Age|Seconds|Average|The materialized view age in seconds|Database, MaterializedViewName|
|MaterializedViewDataLoss|Yes|Materialized View Data Loss|Count|Maximum|Indicates potential data loss in materialized view|Database, MaterializedViewName, Kind| |MaterializedViewExtentsRebuild|Yes|Materialized View Extents Rebuild|Count|Average|Number of extents rebuild|Database, MaterializedViewName| |MaterializedViewHealth|Yes|Materialized View Health|Count|Average|The health of the materialized view (1 for healthy, 0 for non-healthy)|Database, MaterializedViewName|
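Review bot: the new MaterializedViewAgeSeconds row reuses the display name "Materialized View Age" that MaterializedViewAgeMinutes already has, so the two metrics cannot be told apart by display name in a metric picker; give the new row a distinct display name (for example "Materialized View Age (seconds)") if the service definition allows it. Note also that the existing MaterializedViewAgeMinutes row has Unit Count although its description says minutes, whereas the new row correctly uses Seconds.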
|Cancel Requested Runs|Yes|Cancel Requested Runs|Count|Total|Number of runs where cancel was requested for this workspace. Count is updated when cancellation request has been received for a run.|Scenario, RunType, PublishedPipelineId, ComputeType, PipelineStepType, ExperimentName| |Cancelled Runs|Yes|Cancelled Runs|Count|Total|Number of runs cancelled for this workspace. Count is updated when a run is successfully cancelled.|Scenario, RunType, PublishedPipelineId, ComputeType, PipelineStepType, ExperimentName| |Completed Runs|Yes|Completed Runs|Count|Total|Number of runs completed successfully for this workspace. Count is updated when a run has completed and output has been collected.|Scenario, RunType, PublishedPipelineId, ComputeType, PipelineStepType, ExperimentName|
+|CpuCapacityMillicores|Yes|CpuCapacityMillicores|Count|Average|Maximum capacity of a CPU node in millicores. Capacity is aggregated in one minute intervals.|RunId, InstanceId, ComputeName|
|CpuUtilization|Yes|CpuUtilization|Count|Average|Percentage of utilization on a CPU node. Utilization is reported at one minute intervals.|Scenario, runId, NodeId, ClusterName|
+|CpuUtilizationMillicores|Yes|CpuUtilizationMillicores|Count|Average|Utilization of a CPU node in millicores. Utilization is aggregated in one minute intervals.|RunId, InstanceId, ComputeName|
+|CpuUtilizationPercentage|Yes|CpuUtilizationPercentage|Count|Average|Utilization percentage of a CPU node. Utilization is aggregated in one minute intervals.|RunId, InstanceId, ComputeName|
|Errors|Yes|Errors|Count|Total|Number of run errors in this workspace. Count is updated whenever run encounters an error.|Scenario| |Failed Runs|Yes|Failed Runs|Count|Total|Number of runs failed for this workspace. Count is updated when a run fails.|Scenario, RunType, PublishedPipelineId, ComputeType, PipelineStepType, ExperimentName| |Finalizing Runs|Yes|Finalizing Runs|Count|Total|Number of runs entered finalizing state for this workspace. Count is updated when a run has completed but output collection still in progress.|Scenario, RunType, PublishedPipelineId, ComputeType, PipelineStepType, ExperimentName|
+|GpuCapacityMilliGPUs|Yes|GpuCapacityMilliGPUs|Count|Average|Maximum capacity of a GPU device in milli-GPUs. Capacity is aggregated in one minute intervals.|RunId, InstanceId, DeviceId, ComputeName|
+|GpuEnergyJoules|Yes|GpuEnergyJoules|Count|Total|Interval energy in Joules on a GPU node. Energy is reported at one minute intervals.|Scenario, runId, rootRunId, NodeId, DeviceId, ClusterName|
+|GpuMemoryCapacityMegabytes|Yes|GpuMemoryCapacityMegabytes|Count|Average|Maximum memory capacity of a GPU device in megabytes. Capacity aggregated in at one minute intervals.|RunId, InstanceId, DeviceId, ComputeName|
|GpuMemoryUtilization|Yes|GpuMemoryUtilization|Count|Average|Percentage of memory utilization on a GPU node. Utilization is reported at one minute intervals.|Scenario, runId, NodeId, DeviceId, ClusterName|
+|GpuMemoryUtilizationMegabytes|Yes|GpuMemoryUtilizationMegabytes|Count|Average|Memory utilization of a GPU device in megabytes. Utilization aggregated in at one minute intervals.|RunId, InstanceId, DeviceId, ComputeName|
+|GpuMemoryUtilizationPercentage|Yes|GpuMemoryUtilizationPercentage|Count|Average|Memory utilization percentage of a GPU device. Utilization aggregated in at one minute intervals.|RunId, InstanceId, DeviceId, ComputeName|
|GpuUtilization|Yes|GpuUtilization|Count|Average|Percentage of utilization on a GPU node. Utilization is reported at one minute intervals.|Scenario, runId, NodeId, DeviceId, ClusterName|
+|GpuUtilizationMilliGPUs|Yes|GpuUtilizationMilliGPUs|Count|Average|Utilization of a GPU device in milli-GPUs. Utilization is aggregated in one minute intervals.|RunId, InstanceId, DeviceId, ComputeName|
+|GpuUtilizationPercentage|Yes|GpuUtilizationPercentage|Count|Average|Utilization percentage of a GPU device. Utilization is aggregated in one minute intervals.|RunId, InstanceId, DeviceId, ComputeName|
|Idle Cores|Yes|Idle Cores|Count|Average|Number of idle cores|Scenario, ClusterName| |Idle Nodes|Yes|Idle Nodes|Count|Average|Number of idle nodes. Idle nodes are the nodes which are not running any jobs but can accept new job if available.|Scenario, ClusterName| |Leaving Cores|Yes|Leaving Cores|Count|Average|Number of leaving cores|Scenario, ClusterName|
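Review bot: three of the new rows (GpuMemoryCapacityMegabytes, GpuMemoryUtilizationMegabytes, GpuMemoryUtilizationPercentage) say "aggregated in at one minute intervals"; drop "at" to match "aggregated in one minute intervals" used by the other new rows. Every new row also sets Unit to Count even where the description says millicores, milli-GPUs, megabytes, Joules or percentage; if that is what the metric definitions export it has to stay, but a reader will expect Percent for CpuUtilizationPercentage and GpuMemoryUtilizationPercentage and Bytes for the megabyte metrics, so it is worth checking before publishing. Finally, the dimension names in the new rows (RunId, InstanceId, ComputeName) differ in casing and naming from the existing rows (runId, NodeId, ClusterName); confirm the new names are exact, since they are what users will type into dimension filters.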
|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions| |||||||| |Availability|Yes|Availability|Percent|Average|Availability of the APIs|ApiCategory, ApiName|
+|CreatorUsage|No|Creator Usage|Bytes|Average|Azure Maps Creator usage statistics|ServiceName|
|Usage|No|Usage|Count|Count|Count of API calls|ApiCategory, ApiName, ResultType, ResponseCode|
|ContentKeyPolicyCount|Yes|Content Key Policy count|Count|Average|How many content key policies are already created in current media service account|No Dimensions| |ContentKeyPolicyQuota|Yes|Content Key Policy quota|Count|Average|How many content key polices are allowed for current media service account|No Dimensions| |ContentKeyPolicyQuotaUsedPercentage|Yes|Content Key Policy quota used percentage|Percent|Average|Content Key Policy used percentage in current media service account|No Dimensions|
-|MaxChannelsAndLiveEventsCount|Yes|Max live event quota|Count|Maximum|The maximum number of live events allowed in the current media services account|No Dimensions|
-|MaxRunningChannelsAndLiveEventsCount|Yes|Max running live event quota|Count|Maximum|The maximum number of running live events allowed in the current media services account|No Dimensions|
+|MaxChannelsAndLiveEventsCount|Yes|Max live event quota|Count|Average|The maximum number of live events allowed in the current media services account|No Dimensions|
+|MaxRunningChannelsAndLiveEventsCount|Yes|Max running live event quota|Count|Average|The maximum number of running live events allowed in the current media services account|No Dimensions|
|RunningChannelsAndLiveEventsCount|Yes|Running live event count|Count|Average|The total number of running live events in the current media services account|No Dimensions| |StreamingPolicyCount|Yes|Streaming Policy count|Count|Average|How many streaming policies are already created in current media service account|No Dimensions| |StreamingPolicyQuota|Yes|Streaming Policy quota|Count|Average|How many streaming policies are allowed for current media service account|No Dimensions|
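Review bot: the Aggregation Type for MaxChannelsAndLiveEventsCount and MaxRunningChannelsAndLiveEventsCount changes from Maximum to Average; for a quota ceiling the two usually agree, since the value is constant within an interval, but the change should be backed by the service's metric definition rather than made for consistency with the neighbouring Average rows, because an alert written against the Maximum aggregation of these metrics will stop matching the documented default.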
|TotalThroughput|Yes|Total throughput|BytesPerSecond|Average|Sum of all throughput in bytes per second|No Dimensions| |VolumeAllocatedSize|Yes|Volume allocated size|Bytes|Average|The provisioned size of a volume|No Dimensions| |VolumeConsumedSizePercentage|Yes|Percentage Volume Consumed Size|Percent|Average|The percentage of the volume consumed including snapshots.|No Dimensions|
+|VolumeCoolTierDataReadSize|Yes|Volume cool tier data read size|Bytes|Average|Data read in using GET per volume|No Dimensions|
+|VolumeCoolTierDataWriteSize|Yes|Volume cool tier data write size|Bytes|Average|Data tiered out using PUT per volume|No Dimensions|
+|VolumeCoolTierSize|Yes|Volume cool tier size|Bytes|Average|Volume Footprint for Cool Tier|No Dimensions|
|VolumeLogicalSize|Yes|Volume Consumed Size|Bytes|Average|Logical size of the volume (used bytes)|No Dimensions| |VolumeSnapshotSize|Yes|Volume snapshot size|Bytes|Average|Size of all snapshots in volume|No Dimensions| |WriteIops|Yes|Write iops|CountPerSecond|Average|Write In/out operations per second|No Dimensions|
|XregionReplicationTotalTransferBytes|Yes|Volume replication total transfer|Bytes|Average|Cumulative bytes transferred for the relationship.|No Dimensions|
-## Microsoft.Network/applicationGateways
+## Microsoft.Network/applicationgateways
|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions| ||||||||
|BackendFirstByteResponseTime|No|Backend First Byte Response Time|MilliSeconds|Average|Time interval between start of establishing a connection to backend server and receiving the first byte of the response header, approximating processing time of backend server|Listener, BackendServer, BackendPool, BackendHttpSetting| |BackendLastByteResponseTime|No|Backend Last Byte Response Time|MilliSeconds|Average|Time interval between start of establishing a connection to backend server and receiving the last byte of the response body|Listener, BackendServer, BackendPool, BackendHttpSetting| |BackendResponseStatus|Yes|Backend Response Status|Count|Total|The number of HTTP response codes generated by the backend members. This does not include any response codes generated by the Application Gateway.|BackendServer, BackendPool, BackendHttpSetting, HttpStatusGroup|
+|BackendTlsNegotiationError|Yes|Backend TLS Connection Errors|Count|Total|TLS Connection Errors for Application Gateway Backend|BackendHttpSetting, BackendPool, ErrorType|
|BlockedCount|Yes|Web Application Firewall Blocked Requests Rule Distribution|Count|Total|Web Application Firewall blocked requests rule distribution|RuleGroup, RuleId| |BlockedReqCount|Yes|Web Application Firewall Blocked Requests Count|Count|Total|Web Application Firewall blocked requests count|No Dimensions| |BytesReceived|Yes|Bytes Received|Bytes|Total|The total number of bytes received by the Application Gateway from the clients|Listener|
|HealthyHostCount|Yes|Healthy Host Count|Count|Average|Number of healthy backend hosts|BackendSettingsPool| |MatchedCount|Yes|Web Application Firewall Total Rule Distribution|Count|Total|Web Application Firewall Total Rule Distribution for the incoming traffic|RuleGroup, RuleId| |NewConnectionsPerSecond|No|New connections per second|CountPerSecond|Average|New connections per second established with Application Gateway|No Dimensions|
+|RejectedConnections|Yes|Rejected Connections|Count|Total|Count of rejected connections for Application Gateway Frontend|No Dimensions|
|ResponseStatus|Yes|Response Status|Count|Total|Http response status returned by Application Gateway|HttpStatusGroup| |Throughput|No|Throughput|BytesPerSecond|Average|Number of bytes per second the Application Gateway has served|No Dimensions| |TlsProtocol|Yes|Client TLS Protocol|Count|Total|The number of TLS and non-TLS requests initiated by the client that established connection with the Application Gateway. To view TLS protocol distribution, filter by the dimension TLS Protocol.|Listener, TlsProtocol|
|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions| ||||||||
-|pingmesh|No|Bastion Communication Status|Count|Average|Communication status shows 1 if all communication is good and 0 if its bad.||
+|pingmesh|No|Bastion Communication Status|Count|Average|Communication status shows 1 if all communication is good and 0 if its bad.|No Dimensions|
|sessions|No|Session Count|Count|Total|Sessions Count for the Bastion. View in sum and per instance.|host| |total|Yes|Total Memory|Count|Average|Total memory stats.|host| |usage_user|No|Used CPU|Count|Average|CPU Usage stats.|cpu, host|
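Review bot: the new `+|pingmesh|...` line carries the grammatical slip from the removed line, `0 if its bad`, into the rewritten row; since the row is being touched anyway, change it to `0 if it's bad`.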
|ErGatewayConnectionBitsOutPerSecond|No|BitsOutPerSecond|BitsPerSecond|Average|Bits egressing Azure per second|ConnectionName| |ExpressRouteGatewayCountOfRoutesAdvertisedToPeer|Yes|Count Of Routes Advertised to Peer(Preview)|Count|Maximum|Count Of Routes Advertised To Peer by ExpressRouteGateway|roleInstance| |ExpressRouteGatewayCountOfRoutesLearnedFromPeer|Yes|Count Of Routes Learned from Peer (Preview)|Count|Maximum|Count Of Routes Learned From Peer by ExpressRouteGateway|roleInstance|
-|ExpressRouteGatewayCpuUtilization|Yes|CPU utilization|Count|Average|CPU Utilization of the ExpressRoute Gateway|roleInstance|
+|ExpressRouteGatewayCpuUtilization|Yes|CPU utilization|Percent|Average|CPU Utilization of the ExpressRoute Gateway|roleInstance|
|ExpressRouteGatewayFrequencyOfRoutesChanged|No|Frequency of Routes change (Preview)|Count|Total|Frequency of Routes change in ExpressRoute Gateway|roleInstance| |ExpressRouteGatewayNumberOfVmInVnet|No|Number of VMs in the Virtual Network(Preview)|Count|Maximum|Number of VMs in the Virtual Network|No Dimensions| |ExpressRouteGatewayPacketsPerSecond|No|Packets per second|CountPerSecond|Average|Packet count of ExpressRoute Gateway|roleInstance|
|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions| ||||||||
-|PEBytesIn|Yes|Bytes In|Count|Total|Total number of Bytes Out|PrivateEndpointId|
-|PEBytesOut|Yes|Bytes Out|Count|Total|Total number of Bytes Out|PrivateEndpointId|
+|PEBytesIn|No|Bytes In|Count|Total|Total number of Bytes Out|No Dimensions|
+|PEBytesOut|No|Bytes Out|Count|Total|Total number of Bytes Out|No Dimensions|
## Microsoft.Network/privateLinkServices
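Review bot: the description for `PEBytesIn` still reads `Total number of Bytes Out` on the new `+|PEBytesIn|No|Bytes In|Count|Total|Total number of Bytes Out|No Dimensions|` line, a copy of the `PEBytesOut` description; it should say `Total number of Bytes In`. The same hunk also flips both metrics from `Yes` to `No` in the `Exportable via Diagnostic Settings?` column and drops the `PrivateEndpointId` dimension, which is a behavioural change worth stating in the commit message, since anyone exporting these metrics through diagnostic settings will lose them and anyone splitting by endpoint will lose that breakdown. `Count` as the unit for a bytes metric is also inconsistent with the `Bytes` unit used by the `BytesReceived` row in the application gateway table above.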
|AverageBandwidth|Yes|Gateway S2S Bandwidth|BytesPerSecond|Average|Average site-to-site bandwidth of a gateway in bytes per second|No Dimensions| |ExpressRouteGatewayCountOfRoutesAdvertisedToPeer|Yes|Count Of Routes Advertised to Peer(Preview)|Count|Maximum|Count Of Routes Advertised To Peer by ExpressRouteGateway|roleInstance| |ExpressRouteGatewayCountOfRoutesLearnedFromPeer|Yes|Count Of Routes Learned from Peer (Preview)|Count|Maximum|Count Of Routes Learned From Peer by ExpressRouteGateway|roleInstance|
-|ExpressRouteGatewayCpuUtilization|Yes|CPU utilization|Count|Average|CPU Utilization of the ExpressRoute Gateway|roleInstance|
+|ExpressRouteGatewayCpuUtilization|Yes|CPU utilization|Percent|Average|CPU Utilization of the ExpressRoute Gateway|roleInstance|
|ExpressRouteGatewayFrequencyOfRoutesChanged|No|Frequency of Routes change (Preview)|Count|Total|Frequency of Routes change in ExpressRoute Gateway|roleInstance| |ExpressRouteGatewayNumberOfVmInVnet|No|Number of VMs in the Virtual Network(Preview)|Count|Maximum|Number of VMs in the Virtual Network|No Dimensions| |ExpressRouteGatewayPacketsPerSecond|No|Packets per second|CountPerSecond|Average|Packet count of ExpressRoute Gateway|roleInstance|
|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions| ||||||||
+|BytesDroppedDDoS|Yes|Inbound bytes dropped DDoS|BytesPerSecond|Maximum|Inbound bytes dropped DDoS|ProtectedIPAddress|
+|BytesForwardedDDoS|Yes|Inbound bytes forwarded DDoS|BytesPerSecond|Maximum|Inbound bytes forwarded DDoS|ProtectedIPAddress|
+|BytesInDDoS|Yes|Inbound bytes DDoS|BytesPerSecond|Maximum|Inbound bytes DDoS|ProtectedIPAddress|
+|DDoSTriggerSYNPackets|Yes|Inbound SYN packets to trigger DDoS mitigation|CountPerSecond|Maximum|Inbound SYN packets to trigger DDoS mitigation|ProtectedIPAddress|
+|DDoSTriggerTCPPackets|Yes|Inbound TCP packets to trigger DDoS mitigation|CountPerSecond|Maximum|Inbound TCP packets to trigger DDoS mitigation|ProtectedIPAddress|
+|DDoSTriggerUDPPackets|Yes|Inbound UDP packets to trigger DDoS mitigation|CountPerSecond|Maximum|Inbound UDP packets to trigger DDoS mitigation|ProtectedIPAddress|
+|IfUnderDDoSAttack|Yes|Under DDoS attack or not|Count|Maximum|Under DDoS attack or not|ProtectedIPAddress|
+|PacketsDroppedDDoS|Yes|Inbound packets dropped DDoS|CountPerSecond|Maximum|Inbound packets dropped DDoS|ProtectedIPAddress|
+|PacketsForwardedDDoS|Yes|Inbound packets forwarded DDoS|CountPerSecond|Maximum|Inbound packets forwarded DDoS|ProtectedIPAddress|
+|PacketsInDDoS|Yes|Inbound packets DDoS|CountPerSecond|Maximum|Inbound packets DDoS|ProtectedIPAddress|
|PingMeshAverageRoundtripMs|Yes|Round trip time for Pings to a VM|MilliSeconds|Average|Round trip time for Pings sent to a destination VM|SourceCustomerAddress, DestinationCustomerAddress| |PingMeshProbesFailedPercent|Yes|Failed Pings to a VM|Percent|Average|Percent of number of failed Pings to total sent Pings of a destination VM|SourceCustomerAddress, DestinationCustomerAddress|
+|TCPBytesDroppedDDoS|Yes|Inbound TCP bytes dropped DDoS|BytesPerSecond|Maximum|Inbound TCP bytes dropped DDoS|ProtectedIPAddress|
+|TCPBytesForwardedDDoS|Yes|Inbound TCP bytes forwarded DDoS|BytesPerSecond|Maximum|Inbound TCP bytes forwarded DDoS|ProtectedIPAddress|
+|TCPBytesInDDoS|Yes|Inbound TCP bytes DDoS|BytesPerSecond|Maximum|Inbound TCP bytes DDoS|ProtectedIPAddress|
+|TCPPacketsDroppedDDoS|Yes|Inbound TCP packets dropped DDoS|CountPerSecond|Maximum|Inbound TCP packets dropped DDoS|ProtectedIPAddress|
+|TCPPacketsForwardedDDoS|Yes|Inbound TCP packets forwarded DDoS|CountPerSecond|Maximum|Inbound TCP packets forwarded DDoS|ProtectedIPAddress|
+|TCPPacketsInDDoS|Yes|Inbound TCP packets DDoS|CountPerSecond|Maximum|Inbound TCP packets DDoS|ProtectedIPAddress|
+|UDPBytesDroppedDDoS|Yes|Inbound UDP bytes dropped DDoS|BytesPerSecond|Maximum|Inbound UDP bytes dropped DDoS|ProtectedIPAddress|
+|UDPBytesForwardedDDoS|Yes|Inbound UDP bytes forwarded DDoS|BytesPerSecond|Maximum|Inbound UDP bytes forwarded DDoS|ProtectedIPAddress|
+|UDPBytesInDDoS|Yes|Inbound UDP bytes DDoS|BytesPerSecond|Maximum|Inbound UDP bytes DDoS|ProtectedIPAddress|
+|UDPPacketsDroppedDDoS|Yes|Inbound UDP packets dropped DDoS|CountPerSecond|Maximum|Inbound UDP packets dropped DDoS|ProtectedIPAddress|
+|UDPPacketsForwardedDDoS|Yes|Inbound UDP packets forwarded DDoS|CountPerSecond|Maximum|Inbound UDP packets forwarded DDoS|ProtectedIPAddress|
+|UDPPacketsInDDoS|Yes|Inbound UDP packets DDoS|CountPerSecond|Maximum|Inbound UDP packets DDoS|ProtectedIPAddress|
## Microsoft.Network/virtualRouters
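Review bot: the new DDoS rows repeat the display name as the description (`Inbound bytes dropped DDoS` in both columns, and likewise for every other row), so the table does not tell the reader what the three `DDoSTrigger*Packets` metrics measure: whether they report the per-IP mitigation threshold currently in force or the observed inbound rate that is compared against it. A one-line description on each, plus a note that `IfUnderDDoSAttack` is a 0/1 flag and is therefore listed with the `Maximum` aggregation, would make these rows usable for alerting.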
|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions| ||||||||
+|cpu_metric|Yes|CPU (Gen2)|Percent|Average|CPU Utilization. Supported only for Power BI Embedded Generation 2 resources.|No Dimensions|
|memory_metric|Yes|Memory (Gen1)|Bytes|Average|Memory. Range 0-3 GB for A1, 0-5 GB for A2, 0-10 GB for A3, 0-25 GB for A4, 0-50 GB for A5 and 0-100 GB for A6. Supported only for Power BI Embedded Generation 1 resources.|No Dimensions| |memory_thrashing_metric|Yes|Memory Thrashing (Datasets) (Gen1)|Percent|Average|Average memory thrashing. Supported only for Power BI Embedded Generation 1 resources.|No Dimensions|
+|overload_metric|Yes|Overload (Gen2)|Count|Average|Resource Overload, 1 if resource is overloaded, otherwise 0. Supported only for Power BI Embedded Generation 2 resources.|No Dimensions|
|qpu_high_utilization_metric|Yes|QPU High Utilization (Gen1)|Count|Total|QPU High Utilization In Last Minute, 1 For High QPU Utilization, Otherwise 0. Supported only for Power BI Embedded Generation 1 resources.|No Dimensions| |QueryDuration|Yes|Query Duration (Datasets) (Gen1)|Milliseconds|Average|DAX Query duration in last interval. Supported only for Power BI Embedded Generation 1 resources.|No Dimensions| |QueryPoolJobQueueLength|Yes|Query Pool Job Queue Length (Datasets) (Gen1)|Count|Average|Number of jobs in the queue of the query thread pool. Supported only for Power BI Embedded Generation 1 resources.|No Dimensions|
|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions| ||||||||
-|ScanCancelled|Yes|Scan Cancelled|Count|Total|Indicates the number of scans cancelled.||
-|ScanCompleted|Yes|Scan Completed|Count|Total|Indicates the number of scans completed successfully.||
-|ScanFailed|Yes|Scan Failed|Count|Total|Indicates the number of scans failed.||
-|ScanTimeTaken|Yes|Scan time taken|Seconds|Total|Indicates the total scan time in seconds.||
+|ScanCancelled|Yes|Scan Cancelled|Count|Total|Indicates the number of scans cancelled.|No Dimensions|
+|ScanCompleted|Yes|Scan Completed|Count|Total|Indicates the number of scans completed successfully.|No Dimensions|
+|ScanFailed|Yes|Scan Failed|Count|Total|Indicates the number of scans failed.|No Dimensions|
+|ScanTimeTaken|Yes|Scan time taken|Seconds|Total|Indicates the total scan time in seconds.|No Dimensions|
## Microsoft.Relay/namespaces
|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions| ||||||||
+|DocumentsProcessedCount|Yes|Document processed count|Count|Total|Number of documents processed|DataSourceName, Failed, IndexerName, IndexName, SkillsetName|
|SearchLatency|Yes|Search Latency|Seconds|Average|Average search latency for the search service|No Dimensions| |SearchQueriesPerSecond|Yes|Search queries per second|CountPerSecond|Average|Search queries per second for the search service|No Dimensions|
+|SkillExecutionCount|Yes|Skill execution invocation count|Count|Total|Number of skill executions|DataSourceName, Failed, IndexerName, SkillName, SkillsetName, SkillType|
|ThrottledSearchQueriesPercentage|Yes|Throttled search queries percentage|Percent|Average|Percentage of search queries that were throttled for the search service|No Dimensions|
|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions| ||||||||
-|ActiveConnections|No|ActiveConnections|Count|Total|Total Active Connections for Microsoft.ServiceBus.||
+|ActiveConnections|No|ActiveConnections|Count|Total|Total Active Connections for Microsoft.ServiceBus.|No Dimensions|
|ActiveMessages|No|Count of active messages in a Queue/Topic.|Count|Average|Count of active messages in a Queue/Topic.|EntityName| |ConnectionsClosed|No|Connections Closed.|Count|Average|Connections Closed for Microsoft.ServiceBus.|EntityName| |ConnectionsOpened|No|Connections Opened.|Count|Average|Connections Opened for Microsoft.ServiceBus.|EntityName|
|UserErrors|No|User Errors.|Count|Total|User Errors for Microsoft.ServiceBus.|EntityName, OperationResult| |WSXNS|No|Memory Usage (Deprecated)|Percent|Maximum|Service bus premium namespace memory usage metric. This metric is deprecated. Please use the Memory Usage (NamespaceMemoryUsage) metric instead.|Replica| + ## Microsoft.SignalRService/SignalR |Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|
|OutboundTraffic|Yes|Outbound Traffic|Bytes|Total|The outbound traffic of service|No Dimensions| |TotalConnectionCount|Yes|Connection Count|Count|Maximum|The amount of user connection.|No Dimensions| + ## Microsoft.Sql/managedInstances |Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|
|cpu_percent|Yes|CPU percentage|Percent|Average|CPU percentage|No Dimensions| |cpu_used|Yes|CPU used|Count|Average|CPU used. Applies to vCore-based databases.|No Dimensions| |deadlock|Yes|Deadlocks|Count|Total|Deadlocks. Not applicable to data warehouses.|No Dimensions|
+|delta_num_of_bytes_read|Yes|Remote data reads|Bytes|Total|IO's from data reads. Units are in IO's which is equivilent to bytes divided by 8192.|No Dimensions|
+|delta_num_of_bytes_written|Yes|Remote log writes|Bytes|Total|IO's from log writes. Units are in IO's which is equivilent to bytes divided by 8192.|No Dimensions|
|diff_backup_size_bytes|Yes|Differential backup storage size|Bytes|Maximum|Cumulative differential backup storage size. Applies to vCore-based databases. Not applicable to Hyperscale databases.|No Dimensions| |dtu_consumption_percent|Yes|DTU percentage|Percent|Average|DTU Percentage. Applies to DTU-based databases.|No Dimensions| |dtu_limit|Yes|DTU Limit|Count|Average|DTU Limit. Applies to DTU-based databases.|No Dimensions|
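Review bot: the two new `delta_num_of_bytes_*` rows list `Bytes` as the unit while their descriptions say `Units are in IO's which is equivilent to bytes divided by 8192`; one of the two is wrong, and the 8192-byte conversion suggests the emitted value is an I/O count, so either change the unit to `Count` or drop the conversion sentence. Also fix the spelling (`equivalent`) and the stray apostrophe (`IOs`) in both lines.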
|workers_percent|Yes|Workers percentage|Percent|Average|Workers percentage. Not applicable to data warehouses.|No Dimensions| |xtp_storage_percent|Yes|In-Memory OLTP storage percent|Percent|Average|In-Memory OLTP storage percent. Not applicable to data warehouses.|No Dimensions| - ## Microsoft.Sql/servers/elasticPools |Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|
## Microsoft.Synapse/workspaces+ |Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions| |||||||| |BuiltinSqlPoolDataProcessedBytes|No|Data processed (bytes)|Bytes|Total|Amount of data processed by queries|No Dimensions|
|IntegrationActivityRunsEnded|No|Activity runs ended|Count|Total|Count of integration activities that succeeded, failed, or were cancelled|Result, FailureType, Activity, ActivityType, Pipeline| |IntegrationPipelineRunsEnded|No|Pipeline runs ended|Count|Total|Count of integration pipeline runs that succeeded, failed, or were cancelled|Result, FailureType, Pipeline| |IntegrationTriggerRunsEnded|No|Trigger Runs ended|Count|Total|Count of integration triggers that succeeded, failed, or were cancelled|Result, FailureType, Trigger|
-|SQLStreamingBackloggedInputEventSources|No|Backlogged input events (preview)|Count|Total|This is a preview metric available in East US, West Europe. Number of input events sources backlogged.|ResourceName, SQLPoolName, SQLDatabaseName, JobName, LogicalName, PartitionId, ProcessorInstance|
-|SQLStreamingConversionErrors|No|Data conversion errors (preview)|Count|Total|This is a preview metric available in East US, West Europe. Number of output events that could not be converted to the expected output schema. Error policy can be changed to 'Drop' to drop events that encounter this scenario.|ResourceName, SQLPoolName, SQLDatabaseName, JobName, LogicalName, PartitionId, ProcessorInstance|
-|SQLStreamingDeserializationError|No|Input deserialization errors (preview)|Count|Total|This is a preview metric available in East US, West Europe. Number of input events that could not be deserialized.|ResourceName, SQLPoolName, SQLDatabaseName, JobName, LogicalName, PartitionId, ProcessorInstance|
-|SQLStreamingEarlyInputEvents|No|Early input events (preview)|Count|Total|This is a preview metric available in East US, West Europe. Number of input events which application time is considered early compared to arrival time, according to early arrival policy.|ResourceName, SQLPoolName, SQLDatabaseName, JobName, LogicalName, PartitionId, ProcessorInstance|
-|SQLStreamingInputEventBytes|No|Input event bytes (preview)|Count|Total|This is a preview metric available in East US, West Europe. Amount of data received by the streaming job, in bytes. This can be used to validate that events are being sent to the input source.|ResourceName, SQLPoolName, SQLDatabaseName, JobName, LogicalName, PartitionId, ProcessorInstance|
-|SQLStreamingInputEvents|No|Input events (preview)|Count|Total|This is a preview metric available in East US, West Europe. Number of input events.|ResourceName, SQLPoolName, SQLDatabaseName, JobName, LogicalName, PartitionId, ProcessorInstance|
-|SQLStreamingInputEventsSourcesPerSecond|No|Input sources received (preview)|Count|Total|This is a preview metric available in East US, West Europe. Number of input events sources per second.|ResourceName, SQLPoolName, SQLDatabaseName, JobName, LogicalName, PartitionId, ProcessorInstance|
-|SQLStreamingLateInputEvents|No|Late input events (preview)|Count|Total|This is a preview metric available in East US, West Europe. Number of input events which application time is considered late compared to arrival time, according to late arrival policy.|ResourceName, SQLPoolName, SQLDatabaseName, JobName, LogicalName, PartitionId, ProcessorInstance|
-|SQLStreamingOutOfOrderEvents|No|Out of order events (preview)|Count|Total|This is a preview metric available in East US, West Europe. Number of Event Hub Events (serialized messages) received by the Event Hub Input Adapter, received out of order that were either dropped or given an adjusted timestamp, based on the Event Ordering Policy.|ResourceName, SQLPoolName, SQLDatabaseName, JobName, LogicalName, PartitionId, ProcessorInstance|
-|SQLStreamingOutputEvents|No|Output events (preview)|Count|Total|This is a preview metric available in East US, West Europe. Number of output events.|ResourceName, SQLPoolName, SQLDatabaseName, JobName, LogicalName, PartitionId, ProcessorInstance|
-|SQLStreamingOutputWatermarkDelaySeconds|No|Watermark delay (preview)|Count|Maximum|This is a preview metric available in East US, West Europe. Output watermark delay in seconds.|ResourceName, SQLPoolName, SQLDatabaseName, JobName, LogicalName, PartitionId, ProcessorInstance|
+|SQLStreamingBackloggedInputEventSources|No|Backlogged input events (preview)|Count|Total|This is a preview metric available in East US, West Europe. Number of input events sources backlogged.|SQLPoolName, SQLDatabaseName, JobName, LogicalName, PartitionId, ProcessorInstance|
+|SQLStreamingConversionErrors|No|Data conversion errors (preview)|Count|Total|This is a preview metric available in East US, West Europe. Number of output events that could not be converted to the expected output schema. Error policy can be changed to 'Drop' to drop events that encounter this scenario.|SQLPoolName, SQLDatabaseName, JobName, LogicalName, PartitionId, ProcessorInstance|
+|SQLStreamingDeserializationError|No|Input deserialization errors (preview)|Count|Total|This is a preview metric available in East US, West Europe. Number of input events that could not be deserialized.|SQLPoolName, SQLDatabaseName, JobName, LogicalName, PartitionId, ProcessorInstance|
+|SQLStreamingEarlyInputEvents|No|Early input events (preview)|Count|Total|This is a preview metric available in East US, West Europe. Number of input events which application time is considered early compared to arrival time, according to early arrival policy.|SQLPoolName, SQLDatabaseName, JobName, LogicalName, PartitionId, ProcessorInstance|
+|SQLStreamingInputEventBytes|No|Input event bytes (preview)|Count|Total|This is a preview metric available in East US, West Europe. Amount of data received by the streaming job, in bytes. This can be used to validate that events are being sent to the input source.|SQLPoolName, SQLDatabaseName, JobName, LogicalName, PartitionId, ProcessorInstance|
+|SQLStreamingInputEvents|No|Input events (preview)|Count|Total|This is a preview metric available in East US, West Europe. Number of input events.|SQLPoolName, SQLDatabaseName, JobName, LogicalName, PartitionId, ProcessorInstance|
+|SQLStreamingInputEventsSourcesPerSecond|No|Input sources received (preview)|Count|Total|This is a preview metric available in East US, West Europe. Number of input events sources per second.|SQLPoolName, SQLDatabaseName, JobName, LogicalName, PartitionId, ProcessorInstance|
+|SQLStreamingLateInputEvents|No|Late input events (preview)|Count|Total|This is a preview metric available in East US, West Europe. Number of input events which application time is considered late compared to arrival time, according to late arrival policy.|SQLPoolName, SQLDatabaseName, JobName, LogicalName, PartitionId, ProcessorInstance|
+|SQLStreamingOutOfOrderEvents|No|Out of order events (preview)|Count|Total|This is a preview metric available in East US, West Europe. Number of Event Hub Events (serialized messages) received by the Event Hub Input Adapter, received out of order that were either dropped or given an adjusted timestamp, based on the Event Ordering Policy.|SQLPoolName, SQLDatabaseName, JobName, LogicalName, PartitionId, ProcessorInstance|
+|SQLStreamingOutputEvents|No|Output events (preview)|Count|Total|This is a preview metric available in East US, West Europe. Number of output events.|SQLPoolName, SQLDatabaseName, JobName, LogicalName, PartitionId, ProcessorInstance|
+|SQLStreamingOutputWatermarkDelaySeconds|No|Watermark delay (preview)|Count|Maximum|This is a preview metric available in East US, West Europe. Output watermark delay in seconds.|SQLPoolName, SQLDatabaseName, JobName, LogicalName, PartitionId, ProcessorInstance|
|SQLStreamingResourceUtilization|No|Resource % utilization (preview)|Percent|Maximum|This is a preview metric available in East US, West Europe.
- Resource utilization expressed as a percentage. High utilization indicates that the job is using close to the maximum allocated resources.|ResourceName, SQLPoolName, SQLDatabaseName, JobName, LogicalName, PartitionId, ProcessorInstance|
-|SQLStreamingRuntimeErrors|No|Runtime errors (preview)|Count|Total|This is a preview metric available in East US, West Europe. Total number of errors related to query processing (excluding errors found while ingesting events or outputting results).|ResourceName, SQLPoolName, SQLDatabaseName, JobName, LogicalName, PartitionId, ProcessorInstance|
+ Resource utilization expressed as a percentage. High utilization indicates that the job is using close to the maximum allocated resources.|SQLPoolName, SQLDatabaseName, JobName, LogicalName, PartitionId, ProcessorInstance|
+|SQLStreamingRuntimeErrors|No|Runtime errors (preview)|Count|Total|This is a preview metric available in East US, West Europe. Total number of errors related to query processing (excluding errors found while ingesting events or outputting results).|SQLPoolName, SQLDatabaseName, JobName, LogicalName, PartitionId, ProcessorInstance|
## Microsoft.Synapse/workspaces/bigDataPools
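Review bot: removing `ResourceName` from the `Dimensions` column is applied consistently across all thirteen `SQLStreaming*` rows, but the `SQLStreamingResourceUtilization` row is still split over two lines (`...available in East US, West Europe.` on one line and ` Resource utilization expressed as a percentage...|SQLPoolName, ...|` on the next), which will not render as a single table row; join them. While here, two units disagree with their descriptions: `SQLStreamingInputEventBytes` and `SQLStreamingOutputWatermarkDelaySeconds` are listed as `Count` although the text says `in bytes` and `in seconds`.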
|BigDataPoolApplicationsEnded|No|Ended Apache Spark applications|Count|Total|Count of Apache Spark pool applications ended|JobType, JobResult|
+## Microsoft.Synapse/workspaces/kustoPools
+
+|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|
+||||||||
+|BatchBlobCount|Yes|Batch Blob Count|Count|Average|Number of data sources in an aggregated batch for ingestion.|Database|
+|BatchDuration|Yes|Batch Duration|Seconds|Average|The duration of the aggregation phase in the ingestion flow.|Database|
+|BatchesProcessed|Yes|Batches Processed|Count|Total|Number of batches aggregated for ingestion. Batching Type: whether the batch reached batching time, data size or number of files limit set by batching policy|Database, SealReason|
+|BatchSize|Yes|Batch Size|Bytes|Average|Uncompressed expected data size in an aggregated batch for ingestion.|Database|
+|BlobsDropped|Yes|Blobs Dropped|Count|Total|Number of blobs permanently rejected by a component.|Database, ComponentType, ComponentName|
+|BlobsProcessed|Yes|Blobs Processed|Count|Total|Number of blobs processed by a component.|Database, ComponentType, ComponentName|
+|BlobsReceived|Yes|Blobs Received|Count|Total|Number of blobs received from input stream by a component.|Database, ComponentType, ComponentName|
+|CacheUtilization|Yes|Cache utilization|Percent|Average|Utilization level in the cluster scope|No Dimensions|
+|ContinuousExportMaxLatenessMinutes|Yes|Continuous Export Max Lateness|Count|Maximum|The lateness (in minutes) reported by the continuous export jobs in the cluster|No Dimensions|
+|ContinuousExportNumOfRecordsExported|Yes|Continuous export ΓÇô num of exported records|Count|Total|Number of records exported, fired for every storage artifact written during the export operation|ContinuousExportName, Database|
+|ContinuousExportPendingCount|Yes|Continuous Export Pending Count|Count|Maximum|The number of pending continuous export jobs ready for execution|No Dimensions|
+|ContinuousExportResult|Yes|Continuous Export Result|Count|Count|Indicates whether Continuous Export succeeded or failed|ContinuousExportName, Result, Database|
+|CPU|Yes|CPU|Percent|Average|CPU utilization level|No Dimensions|
+|DiscoveryLatency|Yes|Discovery Latency|Seconds|Average|Reported by data connections (if exist). Time in seconds from when a message is enqueued or event is created until it is discovered by data connection. This time is not included in the Azure Data Explorer total ingestion duration.|ComponentType, ComponentName|
+|EventsDropped|Yes|Events Dropped|Count|Total|Number of events dropped permanently by data connection. An Ingestion result metric with a failure reason will be sent.|ComponentType, ComponentName|
+|EventsProcessed|Yes|Events Processed|Count|Total|Number of events processed by the cluster|ComponentType, ComponentName|
+|EventsProcessedForEventHubs|Yes|Events Processed (for Event/IoT Hubs)|Count|Total|Number of events processed by the cluster when ingesting from Event/IoT Hub|EventStatus|
+|EventsReceived|Yes|Events Received|Count|Total|Number of events received by data connection.|ComponentType, ComponentName|
+|ExportUtilization|Yes|Export Utilization|Percent|Maximum|Export utilization|No Dimensions|
+|IngestionLatencyInSeconds|Yes|Ingestion Latency|Seconds|Average|Latency of data ingested, from the time the data was received in the cluster until it's ready for query. The ingestion latency period depends on the ingestion scenario.|No Dimensions|
+|IngestionResult|Yes|Ingestion result|Count|Total|Number of ingestion operations|IngestionResultDetails|
+|IngestionUtilization|Yes|Ingestion utilization|Percent|Average|Ratio of used ingestion slots in the cluster|No Dimensions|
+|IngestionVolumeInMB|Yes|Ingestion Volume|Bytes|Total|Overall volume of ingested data to the cluster|Database|
+|InstanceCount|Yes|Instance Count|Count|Average|Total instance count|No Dimensions|
+|KeepAlive|Yes|Keep alive|Count|Average|Sanity check indicates the cluster responds to queries|No Dimensions|
+|MaterializedViewAgeMinutes|Yes|Materialized View Age|Count|Average|The materialized view age in minutes|Database, MaterializedViewName|
+|MaterializedViewDataLoss|Yes|Materialized View Data Loss|Count|Maximum|Indicates potential data loss in materialized view|Database, MaterializedViewName, Kind|
+|MaterializedViewExtentsRebuild|Yes|Materialized View Extents Rebuild|Count|Average|Number of extents rebuild|Database, MaterializedViewName|
+|MaterializedViewHealth|Yes|Materialized View Health|Count|Average|The health of the materialized view (1 for healthy, 0 for non-healthy)|Database, MaterializedViewName|
+|MaterializedViewRecordsInDelta|Yes|Materialized View Records In Delta|Count|Average|The number of records in the non-materialized part of the view|Database, MaterializedViewName|
+|MaterializedViewResult|Yes|Materialized View Result|Count|Average|The result of the materialization process|Database, MaterializedViewName, Result|
+|QueryDuration|Yes|Query duration|Milliseconds|Average|QueriesΓÇÖ duration in seconds|QueryStatus|
+|QueryResult|No|Query Result|Count|Count|Total number of queries.|QueryStatus|
+|QueueLength|Yes|Queue Length|Count|Average|Number of pending messages in a component's queue.|ComponentType|
+|QueueOldestMessage|Yes|Queue Oldest Message|Count|Average|Time in seconds from when the oldest message in queue was inserted.|ComponentType|
+|ReceivedDataSizeBytes|Yes|Received Data Size Bytes|Bytes|Average|Size of data received by data connection. This is the size of the data stream, or of raw data size if provided.|ComponentType, ComponentName|
+|StageLatency|Yes|Stage Latency|Seconds|Average|Cumulative time from when a message is discovered until it is received by the reporting component for processing (discovery time is set when message is enqueued for ingestion queue, or when discovered by data connection).|Database, ComponentType|
+|SteamingIngestRequestRate|Yes|Streaming Ingest Request Rate|Count|RateRequestsPerSecond|Streaming ingest request rate (requests per second)|No Dimensions|
+|StreamingIngestDataRate|Yes|Streaming Ingest Data Rate|Count|Average|Streaming ingest data rate (MB per second)|No Dimensions|
+|StreamingIngestDuration|Yes|Streaming Ingest Duration|Milliseconds|Average|Streaming ingest duration in milliseconds|No Dimensions|
+|StreamingIngestResults|Yes|Streaming Ingest Result|Count|Average|Streaming ingest result|Result|
+|TotalNumberOfConcurrentQueries|Yes|Total number of concurrent queries|Count|Maximum|Total number of concurrent queries|No Dimensions|
+|TotalNumberOfExtents|Yes|Total number of extents|Count|Total|Total number of data extents|No Dimensions|
+|TotalNumberOfThrottledCommands|Yes|Total number of throttled commands|Count|Total|Total number of throttled commands|CommandType|
+|TotalNumberOfThrottledQueries|Yes|Total number of throttled queries|Count|Maximum|Total number of throttled queries|No Dimensions|
++ ## Microsoft.Synapse/workspaces/sqlPools |Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|
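Review bot: the `QueryDuration` row declares its unit as `Milliseconds` while its description says the duration is "in seconds"; one of the two is wrong and they should agree (the `StreamingIngestDuration` row further down keeps both as milliseconds). The same mismatch appears on `StreamingIngestDataRate`, whose unit is `Count` while the description says "MB per second". Two smaller points in the same table: the `QueryDuration` description carries a mis-encoded apostrophe (`QueriesΓÇÖ`) that should be a plain `Queries'`, and the metric ID `SteamingIngestRequestRate` drops the "r" that its display name "Streaming Ingest Request Rate" has; since the first column is the name the platform actually emits, confirm the spelling against the service rather than silently correcting it.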
For important additional information, see [Monitoring Agents Overview](../agents
|PercentageCpuReady|Yes|Percentage CPU Ready|Milliseconds|Total|Ready time is the time spend waiting for CPU(s) to become available in the past update interval.|No Dimensions|
+## Microsoft.Web/hostingEnvironments
+
+|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|
+||||||||
+|ActiveRequests|Yes|Active Requests (deprecated)|Count|Total|ActiveRequests|Instance|
+|AverageResponseTime|Yes|Average Response Time (deprecated)|Seconds|Average|AverageResponseTime|Instance|
+|BytesReceived|Yes|Data In|Bytes|Total|BytesReceived|Instance|
+|BytesSent|Yes|Data Out|Bytes|Total|BytesSent|Instance|
+|CpuPercentage|Yes|CPU Percentage|Percent|Average|CpuPercentage|Instance|
+|DiskQueueLength|Yes|Disk Queue Length|Count|Average|DiskQueueLength|Instance|
+|Http101|Yes|Http 101|Count|Total|Http101|Instance|
+|Http2xx|Yes|Http 2xx|Count|Total|Http2xx|Instance|
+|Http3xx|Yes|Http 3xx|Count|Total|Http3xx|Instance|
+|Http401|Yes|Http 401|Count|Total|Http401|Instance|
+|Http403|Yes|Http 403|Count|Total|Http403|Instance|
+|Http404|Yes|Http 404|Count|Total|Http404|Instance|
+|Http406|Yes|Http 406|Count|Total|Http406|Instance|
+|Http4xx|Yes|Http 4xx|Count|Total|Http4xx|Instance|
+|Http5xx|Yes|Http Server Errors|Count|Total|Http5xx|Instance|
+|HttpQueueLength|Yes|Http Queue Length|Count|Average|HttpQueueLength|Instance|
+|HttpResponseTime|Yes|Response Time|Seconds|Average|HttpResponseTime|Instance|
+|LargeAppServicePlanInstances|Yes|Large App Service Plan Workers|Count|Average|Large App Service Plan Workers|No Dimensions|
+|MediumAppServicePlanInstances|Yes|Medium App Service Plan Workers|Count|Average|Medium App Service Plan Workers|No Dimensions|
+|MemoryPercentage|Yes|Memory Percentage|Percent|Average|MemoryPercentage|Instance|
+|Requests|Yes|Requests|Count|Total|Requests|Instance|
+|SmallAppServicePlanInstances|Yes|Small App Service Plan Workers|Count|Average|Small App Service Plan Workers|No Dimensions|
+|TotalFrontEnds|Yes|Total Front Ends|Count|Average|Total Front Ends|No Dimensions|
++ ## Microsoft.Web/hostingEnvironments/multiRolePools |Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|
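Review bot: every Description cell in the new `Microsoft.Web/hostingEnvironments` table just repeats the metric ID (`|Http401|Yes|Http 401|Count|Total|Http401|Instance|`), so the table documents nothing beyond the name; the `multiRolePools` table that follows on this page shows the level of detail expected ("The average number of HTTP requests that had to sit on the queue before being fulfilled..."). The status-code rows need real text most, because `Http401`, `Http403` and `Http5xx` are the counters an operator would alert on for failed authentication, denied access and server errors, and a reader cannot tell from this table whether they count responses per instance or per request. Also, `ActiveRequests` and `AverageResponseTime` are labelled "(deprecated)" without saying what to use instead; if `Requests` and `HttpResponseTime` in the same table are the replacements, say so in the description.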
For important additional information, see [Monitoring Agents Overview](../agents
|DiskQueueLength|Yes|Disk Queue Length|Count|Average|The average number of both read and write requests that were queued on storage. A high disk queue length is an indication of an app that might be slowing down because of excessive disk I/O.|Instance| |HttpQueueLength|Yes|Http Queue Length|Count|Average|The average number of HTTP requests that had to sit on the queue before being fulfilled. A high or increasing HTTP Queue length is a symptom of a plan under heavy load.|Instance| |MemoryPercentage|Yes|Memory Percentage|Percent|Average|The average memory used across all instances of the plan.|Instance|
-|SocketInboundAll|Yes|SocketInboundAll|Count|Average|SocketInboundAll|Instance|
-|SocketLoopback|Yes|SocketLoopback|Count|Average|SocketLoopback|Instance|
-|SocketOutboundAll|Yes|SocketOutboundAll|Count|Average|SocketOutboundAll|Instance|
-|SocketOutboundEstablished|Yes|SocketOutboundEstablished|Count|Average|SocketOutboundEstablished|Instance|
-|SocketOutboundTimeWait|Yes|SocketOutboundTimeWait|Count|Average|SocketOutboundTimeWait|Instance|
-|TcpCloseWait|Yes|TCP Close Wait|Count|Average|TCP Close Wait|Instance|
-|TcpClosing|Yes|TCP Closing|Count|Average|TCP Closing|Instance|
-|TcpEstablished|Yes|TCP Established|Count|Average|TCP Established|Instance|
-|TcpFinWait1|Yes|TCP Fin Wait 1|Count|Average|TCP Fin Wait 1|Instance|
-|TcpFinWait2|Yes|TCP Fin Wait 2|Count|Average|TCP Fin Wait 2|Instance|
-|TcpLastAck|Yes|TCP Last Ack|Count|Average|TCP Last Ack|Instance|
-|TcpSynReceived|Yes|TCP Syn Received|Count|Average|TCP Syn Received|Instance|
-|TcpSynSent|Yes|TCP Syn Sent|Count|Average|TCP Syn Sent|Instance|
-|TcpTimeWait|Yes|TCP Time Wait|Count|Average|TCP Time Wait|Instance|
-
+|SocketInboundAll|Yes|Socket Count for Inbound Requests|Count|Average|The average number of sockets used for incoming HTTP requests across all the instances of the plan.|Instance|
+|SocketLoopback|Yes|Socket Count for Loopback Connections|Count|Average|The average number of sockets used for loopback connections across all the instances of the plan.|Instance|
+|SocketOutboundAll|Yes|Socket Count of Outbound Requests|Count|Average|The average number of sockets used for outbound connections across all the instances of the plan irrespective of their TCP states. Having too many outbound connections can cause connectivity errors.|Instance|
+|SocketOutboundEstablished|Yes|Established Socket Count for Outbound Requests|Count|Average|The average number of sockets in ESTABLISHED state used for outbound connections across all the instances of the plan.|Instance|
+|SocketOutboundTimeWait|Yes|Time Wait Socket Count for Outbound Requests|Count|Average|The average number of sockets in TIME_WAIT state used for outbound connections across all the instances of the plan. High or increasing outbound socket counts in TIME_WAIT state can cause connectivity errors.|Instance|
+|TcpCloseWait|Yes|TCP Close Wait|Count|Average|The average number of sockets in CLOSE_WAIT state across all the instances of the plan.|Instance|
+|TcpClosing|Yes|TCP Closing|Count|Average|The average number of sockets in CLOSING state across all the instances of the plan.|Instance|
+|TcpEstablished|Yes|TCP Established|Count|Average|The average number of sockets in ESTABLISHED state across all the instances of the plan.|Instance|
+|TcpFinWait1|Yes|TCP Fin Wait 1|Count|Average|The average number of sockets in FIN_WAIT_1 state across all the instances of the plan.|Instance|
+|TcpFinWait2|Yes|TCP Fin Wait 2|Count|Average|The average number of sockets in FIN_WAIT_2 state across all the instances of the plan.|Instance|
+|TcpLastAck|Yes|TCP Last Ack|Count|Average|The average number of sockets in LAST_ACK state across all the instances of the plan.|Instance|
+|TcpSynReceived|Yes|TCP Syn Received|Count|Average|The average number of sockets in SYN_RCVD state across all the instances of the plan.|Instance|
+|TcpSynSent|Yes|TCP Syn Sent|Count|Average|The average number of sockets in SYN_SENT state across all the instances of the plan.|Instance|
+|TcpTimeWait|Yes|TCP Time Wait|Count|Average|The average number of sockets in TIME_WAIT state across all the instances of the plan.|Instance|
## Microsoft.Web/sites- |Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions| |||||||| |AppConnections|Yes|Connections|Count|Average|The number of bound sockets existing in the sandbox (w3wp.exe and its child processes). A bound socket is created by calling bind()/connect() APIs and remains until said socket is closed with CloseHandle()/closesocket().|Instance|
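Review bot: the hunk deletes the blank line that followed the old `TcpTimeWait` row (the lone `-` line) and the rewritten rows do not add one back, so the `multiRolePools` table now runs straight into the `## Microsoft.Web/sites` heading; keep a blank line after the last row so the table is terminated cleanly. Minor naming point: the new display name `Socket Count of Outbound Requests` should read `Socket Count for Outbound Requests` to match the `for Inbound Requests`, `for Loopback Connections` and `for Outbound Requests` pattern of the neighbouring rows. The rewritten descriptions themselves are a clear improvement over the old ID-only text, in particular `SocketOutboundTimeWait` and `SocketOutboundAll` now tell the reader that a rising count is a precursor to connectivity errors rather than just a number.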
For important additional information, see [Monitoring Agents Overview](../agents
|TotalAppDomains|Yes|Total App Domains|Count|Average|The current number of AppDomains loaded in this application.|Instance| |TotalAppDomainsUnloaded|Yes|Total App Domains Unloaded|Count|Average|The total number of AppDomains unloaded since the start of the application.|Instance| - ## Microsoft.Web/sites/slots |Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|
For important additional information, see [Monitoring Agents Overview](../agents
|TotalAppDomains|Yes|Total App Domains|Count|Average|The current number of AppDomains loaded in this application.|Instance| |TotalAppDomainsUnloaded|Yes|Total App Domains Unloaded|Count|Average|The total number of AppDomains unloaded since the start of the application.|Instance| - ## Microsoft.Web/staticSites |Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|
azure-monitor Resource Logs Categories https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/essentials/resource-logs-categories.md
Title: Azure Monitor Resource Logs supported services and categories description: Reference of Azure Monitor Understand the supported services and event schema for Azure resource logs. Previously updated : 03/30/2021 Last updated : 05/26/2021 # Supported categories for Azure Resource Logs
If you think there is something is missing, you can open a GitHub comment at the
|Category|Category Display Name|Costs To Export| ||||
+|Audit|Audit|Yes|
|HttpRequest|HTTP Requests|Yes|
If you think there is something is missing, you can open a GitHub comment at the
|Usage|Usage Records|No|
+## Microsoft.ConnectedVehicle/platformAccounts
+
+|Category|Category Display Name|Costs To Export|
+||||
+|Logs|MCVP Logs|Yes|
++ ## Microsoft.ContainerRegistry/registries |Category|Category Display Name|Costs To Export|
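Review bot: the new `Microsoft.ConnectedVehicle/platformAccounts` table uses the display name `MCVP Logs` without expanding the abbreviation anywhere in the hunk, and nothing says what these logs contain. Spell the name out and give the category a display name a reader can recognise without knowing the product acronym; this matters more than usual here because `Costs To Export` is `Yes`, so anyone deciding whether to route these logs to a SIEM is paying for something the table does not describe.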
If you think there is something is missing, you can open a GitHub comment at the
|EventRoutesOperation|EventRoutesOperation|No| |ModelsOperation|ModelsOperation|No| |QueryOperation|QueryOperation|No|
+|ResourceProviderOperation|ResourceProviderOperation|Yes|
## Microsoft.DocumentDB/databaseAccounts
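Review bot: the added `ResourceProviderOperation` row sets `Costs To Export` to `Yes` while the three existing rows of the same table (`EventRoutesOperation`, `ModelsOperation`, `QueryOperation`) are all `No`. Confirm that this category really is billed differently from its siblings rather than being a copy-paste default, because this column is exactly what readers use to decide which categories to stream, and control-plane operation logs are usually the ones they want for audit.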
If you think there is something is missing, you can open a GitHub comment at the
|PartitionKeyRUConsumption|PartitionKeyRUConsumption|No| |PartitionKeyStatistics|PartitionKeyStatistics|No| |QueryRuntimeStatistics|QueryRuntimeStatistics|No|
+|TableApiRequests|TableApiRequests|Yes|
## Microsoft.EventGrid/domains
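Review bot: the added `TableApiRequests` row under `Microsoft.DocumentDB/databaseAccounts` is the only row in the visible part of that table with `Costs To Export` set to `Yes` (`PartitionKeyRUConsumption`, `PartitionKeyStatistics` and `QueryRuntimeStatistics` are `No`). If data-plane request logging for the Table API is billed, a short description of what a `TableApiRequests` record contains would help readers justify streaming it; if it is not billed, the flag is wrong. Either way the display name simply repeats the category ID, so nothing on the page says these are request logs.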
If you think there is something is missing, you can open a GitHub comment at the
|KeyDeliveryRequests|Key Delivery Requests|No|
-## Microsoft.Network/applicationGateways
+## Microsoft.Network/applicationgateways
|Category|Category Display Name|Costs To Export| ||||
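Review bot: this hunk renames the heading from `Microsoft.Network/applicationGateways` to the all-lowercase `Microsoft.Network/applicationgateways`, while the last hunk of the same file goes the other way (`microsoft.web/sites` becomes `Microsoft.Web/sites`) and the other headings added on this page (`Microsoft.Network/loadBalancers`, `Microsoft.Synapse/workspaces/kustoPools`) use camelCase resource-type names. Pick one casing convention for the file; if the lowercase form is what the resource provider actually registers, say so in the commit message, otherwise keep `applicationGateways`.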
If you think there is something is missing, you can open a GitHub comment at the
|FrontdoorWebApplicationFirewallLog|Frontdoor Web Application Firewall Log|No|
+## Microsoft.Network/loadBalancers
+
+|Category|Category Display Name|Costs To Export|
+||||
+|LoadBalancerAlertEvent|Load Balancer Alert Events|No|
+|LoadBalancerProbeHealthStatus|Load Balancer Probe Health Status|No|
++ ## Microsoft.Network/networksecuritygroups |Category|Category Display Name|Costs To Export|
If you think there is something is missing, you can open a GitHub comment at the
|BigDataPoolAppsEnded|Big Data Pool Applications Ended|No|
+## Microsoft.Synapse/workspaces/kustoPools
+
+|Category|Category Display Name|Costs To Export|
+||||
+|Command|Command|Yes|
+|FailedIngestion|Failed ingest operations|Yes|
+|IngestionBatching|Ingestion batching|Yes|
+|Query|Query|Yes|
+|SucceededIngestion|Successful ingest operations|Yes|
+|TableDetails|Table details|Yes|
+|TableUsageStatistics|Table usage statistics|Yes|
++ ## Microsoft.Synapse/workspaces/sqlPools |Category|Category Display Name|Costs To Export|
If you think there is something is missing, you can open a GitHub comment at the
|AppServiceEnvironmentPlatformLogs|App Service Environment Platform Logs|No|
-## microsoft.web/sites
+## Microsoft.Web/sites
|Category|Category Display Name|Costs To Export| ||||
azure-monitor Stream Monitoring Data Event Hubs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/essentials/stream-monitoring-data-event-hubs.md
Routing your monitoring data to an event hub with Azure Monitor enables you to e
| IBM QRadar | No | The Microsoft Azure DSM and Microsoft Azure Event Hub Protocol are available for download from [the IBM support website](https://www.ibm.com/support). You can learn more about the integration with Azure at [QRadar DSM configuration](https://www.ibm.com/docs/en/dsm?topic=options-configuring-microsoft-azure-event-hubs-communicate-qradar). | | Splunk | No | [Splunk Add-on for Microsoft Cloud Services](https://splunkbase.splunk.com/app/3110/) is an open source project available in Splunkbase. <br><br> If you cannot install an add-on in your Splunk instance, if for example you're using a proxy or running on Splunk Cloud, you can forward these events to the Splunk HTTP Event Collector using [Azure Function For Splunk](https://github.com/Microsoft/AzureFunctionforSplunkVS), which is triggered by new messages in the event hub. | | SumoLogic | No | Instructions for setting up SumoLogic to consume data from an event hub are available at [Collect Logs for the Azure Audit App from Event Hub](https://help.sumologic.com/Send-Data/Applications-and-Other-Data-Sources/Azure-Audit/02Collect-Logs-for-Azure-Audit-from-Event-Hub). |
-| ArcSight | No | The ArcSight Azure Event Hub smart connector is available as part of [the ArcSight smart connector collection](https://community.softwaregrp.com/t5/Discussions/Announcing-General-Availability-of-ArcSight-Smart-Connectors-7/m-p/1671852). |
+| ArcSight | No | The ArcSight Azure Event Hub smart connector is available as part of [the ArcSight smart connector collection](https://community.microfocus.com/cyberres/arcsight/f/arcsight-product-announcements/163662/announcing-general-availability-of-arcsight-smart-connectors-7-10-0-8114-0). |
| Syslog server | No | If you want to stream Azure Monitor data directly to a syslog server, you can use a [solution based on an Azure function](https://github.com/miguelangelopereira/azuremonitor2syslog/). | LogRhythm | No| Instructions to set up LogRhythm to collect logs from an event hub are available [here](https://logrhythm.com/six-tips-for-securing-your-azure-cloud-environment/). |Logz.io | Yes | For more information, see [Getting started with monitoring and logging using Logz.io for Java apps running on Azure](/azure/developer/java/fundamentals/java-get-started-with-logzio)
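Review bot: the replacement ArcSight link text still reads "the ArcSight smart connector collection", but the new URL is the announcement of one specific release (`...announcing-general-availability-of-arcsight-smart-connectors-7-10-0-8114-0`); the link it replaces had already rotted once, and a release-specific announcement page is likely to do the same. Prefer a versionless ArcSight documentation or landing page if one exists, or at least make the link text say it is the 7.10.0 release announcement so the reader knows what they are landing on.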
azure-monitor Faq https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/faq.md
Traffic to Azure Monitor uses the Microsoft peering ExpressRoute circuit. See [E
### How can I confirm that the Log Analytics agent is able to communicate with Azure Monitor?
-From Control Panel on the agent computer, select **Security & Settings**, **Microsoft Monitoring Agent. Under the **Azure Log Analytics (OMS)** tab, a green check mark icon confirms that the agent is able to communicate with Azure Monitor. A yellow warning icon means the agent is having issues. One common reason is the **Microsoft Monitoring Agent** service has stopped. Use service control manager to restart the service.
+From Control Panel on the agent computer, select **Security & Settings**, **Microsoft Monitoring Agent**. Under the **Azure Log Analytics (OMS)** tab, a green check mark icon confirms that the agent is able to communicate with Azure Monitor. A yellow warning icon means the agent is having issues. One common reason is the **Microsoft Monitoring Agent** service has stopped. Use service control manager to restart the service.
### How do I stop the Log Analytics agent from communicating with Azure Monitor?
Here's how AMA impacts the two SCOM related monitor scenarios:
- **Scenario 2**: For onboarding/connecting SCOM to Log Analytics workspaces, since this is enabled via a SCOM connector for Log Analytics/Azure Monitor, neither MMA nor AMA is required to be installed on the SCOM management server. As such there is no impact to this use case from AMA perspective. > [!NOTE]
-> You can run both scenarios above with MMA and AMA side-by-side without any impact*
+> You can run both scenarios above with MMA and AMA side-by-side without any impact.
### Will the new Azure Monitor agent support data collection for the various Log Analytics solutions?
The solution specific VM extensions exist to collect scenario specific data or p
HereΓÇÖs a diagram explaining the **new extensibility architecture**:
-![Extensions architecture](agents/media/azure-monitor-agent/extensibility-arch-diag.png)
+![Extensions architecture](agents/media/azure-monitor-agent/extensibility-arch-new.png)
### Which Log Analytics solutions are supported on the new Azure Monitor Agent?
Log Analytics solutions can be enabled using the new Azure Monitor Agent either
| **SQL Monitoring (new)** | Public preview exclusively on AMA: [SQL insights (preview)](insights/sql-insights-overview.md) |
+### How can I collect Windows security events using the new Azure Monitor Agent?
+There's two ways you can collect Security events using the new agent, when sending to Log Analytics workspace(s):
+- You can use AMA to natively collect Security Events, same as other Windows Events. These flow to the ['Event'](/azure/azure-monitor/reference/tables/Event) table in your Log Analytics workspace.
+- If you have Sentinel enabled on the workspace, the Security Events flow via AMA into the ['SecurityEvent'](/azure/azure-monitor/reference/tables/SecurityEvent) table instead (same as using Log Analytics Agent). This will always require the solution to be enabled first.
++ ### Can the new Azure Monitor Agent and Log Analytics Agent co-exist side-by-side? Yes they can, but with certain considerations. Read more [here](agents/azure-monitor-agent-overview.md#coexistence-with-other-agents).
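Review bot: in the new "How can I collect Windows security events" answer, "This will always require the solution to be enabled first" does not say which solution; the sentence follows a mention of Sentinel, so name explicitly what gates the `SecurityEvent` table. The detection consequence of the two paths is also worth one sentence: without that solution, events collected by AMA land in the `Event` table rather than `SecurityEvent`, so existing analytics rules, workbooks or alerts written against `SecurityEvent` will not see them. Grammar: "There's two ways" should be "There are two ways", and "Security events" / "Security Events" is capitalised inconsistently across the bullets.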
azure-monitor Partners https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/partners.md
LogRhythm, a leader in NextGen SIEM, empowers organizations on six continents to
Microfocus **ArcSight** has a smart connector for Azure Monitor event hubs.
-[See the ArcSight documentation](https://community.softwaregrp.com/t5/Discussions/Announcing-General-Availability-of-ArcSight-Smart-Connectors-7/m-p/1671852)
+[See the ArcSight documentation](https://community.microfocus.com/cyberres/arcsight/f/arcsight-product-announcements/163662/announcing-general-availability-of-arcsight-smart-connectors-7-10-0-8114-0)
Microfocus **Operations Bridge** automatically monitors all Hybrid IT resources ΓÇô any device, operating system, database, application, or service, regardless of where it runs and applies AIOps to all data types ΓÇô events, metrics, logs, and dependencies. It provides a unique combination of quality-of-service monitoring, coupled with deep application health analytics, and includes comprehensive performance and availability monitoring of Microsoft Azure services. Operations Bridge enables customers to provide a single pane of glass, available on any device with a browser, in ways both business and IT stakeholders can understand.
Using Azure Monitor to route monitoring data to an Azure Event Hub allows you t
| IBM QRadar | No | The Microsoft Azure DSM and Microsoft Azure Event Hub Protocol are available for download from [the IBM support website](https://www.ibm.com/support). You can learn more about the integration with Azure at [QRadar DSM configuration](https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/c_dsm_guide_microsoft_azure_overview.html?cp=SS42VS_7.3.0). | | Splunk | No | [Microsoft Azure Add-On for Splunk](https://splunkbase.splunk.com/app/3757/) is an open source project available in Splunkbase. <br><br> If you cannot install an add-on in your Splunk instance, if for example you're using a proxy or running on Splunk Cloud, you can forward these events to the Splunk HTTP Event Collector using [Azure Function For Splunk](https://github.com/Microsoft/AzureFunctionforSplunkVS), which is triggered by new messages in the event hub. | | SumoLogic | No | Instructions for setting up SumoLogic to consume data from an event hub are available at [Collect Logs for the Azure Audit App from Event Hub](https://help.sumologic.com/Send-Data/Applications-and-Other-Data-Sources/Azure-Audit/02Collect-Logs-for-Azure-Audit-from-Event-Hub). |
-| ArcSight | No | The ArcSight Azure Event Hub smart connector is available as part of [the ArcSight smart connector collection](https://community.softwaregrp.com/t5/Discussions/Announcing-General-Availability-of-ArcSight-Smart-Connectors-7/m-p/1671852). |
+| ArcSight | No | The ArcSight Azure Event Hub smart connector is available as part of [the ArcSight smart connector collection](https://community.microfocus.com/cyberres/arcsight/f/arcsight-product-announcements/163662/announcing-general-availability-of-arcsight-smart-connectors-7-10-0-8114-0). |
| Syslog server | No | If you want to stream Azure Monitor data directly to a syslog server, you can use a [solution based on an Azure function](https://github.com/miguelangelopereira/azuremonitor2syslog/). | LogRhythm | No| Instructions to set up LogRhythm to collect logs from an event hub are available [here](https://logrhythm.com/six-tips-for-securing-your-azure-cloud-environment/). |Logz.io | Yes | For more information, see [Getting started with monitoring and logging using Logz.io for Java apps running on Azure](/azure/developer/java/fundamentals/java-get-started-with-logzio)
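Review bot: this hunk updates only the ArcSight URL in the partners table, but the table is a near-verbatim copy of the one in stream-monitoring-data-event-hubs.md touched in the same change set, and the two are already drifting: here the QRadar row links to `ibm.com/support/knowledgecenter/SS42VS_DSM/...` and the Splunk row to Splunkbase app 3757 ("Microsoft Azure Add-On for Splunk"), while the other file links QRadar to `ibm.com/docs/en/dsm?topic=...` and Splunk to app 3110 ("Splunk Add-on for Microsoft Cloud Services"). Either reconcile the two tables in this change or replace one with a link to the other, so that SIEM integration guidance does not diverge between the two pages.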
azure-monitor Visualizations https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/visualizations.md
Visualizations such as charts and graphs can help you analyze your monitoring da
- Easy, collaborative-friendly authoring experience. - Templates support public GitHub-based template gallery.
-### Limitations
-- No automatic refresh.-- No dense layout like dashboards, which make workbooks less useful as a single pane of glass. Intended more for providing deeper insights.- ## Azure Dashboards [Azure dashboards](../azure-portal/azure-portal-dashboards.md) are the primary dashboarding technology for Azure. They're particularly useful in providing single pane of glass over your Azure infrastructure and services allowing you to quickly identify important issues.
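Review bot: the hunk removes the whole `### Limitations` subsection for workbooks (no automatic refresh, no dense dashboard-style layout) and adds nothing in its place, so the page now lists only advantages. If those limitations no longer apply, the commit should say so; if they still apply, keep the subsection, because the "single pane of glass" comparison with Azure Dashboards that immediately follows relies on the reader knowing workbooks are not meant for that role.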
azure-netapp-files Azure Netapp Files Faqs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-netapp-files/azure-netapp-files-faqs.md
na ms.devlang: na Previously updated : 05/03/2021 Last updated : 05/25/2021 # FAQs About Azure NetApp Files
If you are using Azure NetApp Files with Azure Active Directory Domain Services,
Azure NetApp Files supports Windows Server 2008r2SP1-2019 versions of Active Directory Domain Services.
-### Why does the available space on my SMB client not show the provisioned size?
-
-The volume size reported by the SMB client is the maximum size the Azure NetApp Files volume can grow to. The size of the Azure NetApp Files volume as shown on the SMB client is not reflective of the quota or size of the volume. You can get the Azure NetApp Files volume size or quota through the Azure portal or the API.
- ### IΓÇÖm having issues connecting to my SMB share. What should I do? As a best practice, set the maximum tolerance for computer clock synchronization to five minutes. For more information, see [Maximum tolerance for computer clock synchronization](/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj852172(v=ws.11)).
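Review bot: the hunk deletes the FAQ entry explaining that the size an SMB client reports is the maximum size the volume can grow to rather than its quota, and adds no replacement. That is a common point of confusion and a capacity-planning one, so if the behaviour has changed the entry should be rewritten to describe the new behaviour rather than removed; if the content moved elsewhere, leave a pointer to it.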
azure-portal How To Create Azure Support Request https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-portal/supportability/how-to-create-azure-support-request.md
Title: How to create an Azure support request
description: Customers who need assistance can use the Azure portal to find self-service solutions and to create and manage support requests. ms.assetid: fd6841ea-c1d5-4bb7-86bd-0c708d193b89 Previously updated : 03/16/2021 Last updated : 05/25/2021 # Create an Azure support request
Next, we collect additional details about the problem. Providing thorough and de
1. After we have all the information about the problem, choose how to get support. In the **Support method** section of **Details**, select the severity of impact. The maximum severity level depends on your [support plan](https://azure.microsoft.com/support/plans).
- By default the **Share diagnostic information** option is selected. This allows Azure support to gather [diagnostic information](https://azure.microsoft.com/support/legal/support-diagnostic-information-collection/) from your Azure resources. In some cases, there is a second question that isn't selected by default, such as requesting access to a virtual machine's memory.
+ By default the **Share diagnostic information** option is selected. This allows Azure support to gather [diagnostic information](https://azure.microsoft.com/support/legal/support-diagnostic-information-collection/) from your Azure resources. You can clear this option if you prefer not to share diagnostic information. In some cases, there is a second question that isn't selected by default, such as requesting access to a virtual machine's memory.
1. Provide your preferred contact method, a good time to contact you, and your support language.
azure-portal How To Manage Azure Support Request https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-portal/supportability/how-to-manage-azure-support-request.md
description: Describes how to view support requests, send messages, change the r
tags: billing ms.assetid: 86697fdf-3499-4cab-ab3f-10d40d3c1f70 Previously updated : 12/14/2020 Last updated : 05/25/2021 # To add: close and reopen, review request status, update contact info
On this page, you can search, filter, and sort support requests. Select a suppor
## Share diagnostic information with Azure support
-When you create a support request, by default the **Share diagnostic information** option is selected. This allows Azure support to gather [diagnostic information](https://azure.microsoft.com/support/legal/support-diagnostic-information-collection/) from your Azure resources:
+When you create a support request, the **Share diagnostic information** option is selected by default. This option allows Azure support to gather [diagnostic information](https://azure.microsoft.com/support/legal/support-diagnostic-information-collection/) from your Azure resources that can potentially help resolve your issue.
-* You can't clear this option after a request is created.
+To change your **Share diagnostic information** selection after the request has been created:
-* If you cleared the option when creating a request, you can select it after the request is created.
-
- 1. On the **All support requests** page, select the support request.
+1. On the **All support requests** page, select the support request.
+
+1. On the **Support Request** page, look for **Share diagnostic information** and then select **Change**.
- 1. On the **Support Request** page, select **Grant permission**, then select **Yes** and **OK**.
+1. Select **Yes** or **No**, then select **OK** to confirm.
- :::image type="content" source="media/how-to-manage-azure-support-request/grant-permission-manage.png" alt-text="Grant permissions for diagnostic information":::
+ :::image type="content" source="media/how-to-manage-azure-support-request/grant-permission-manage.png" alt-text="Grant permissions for diagnostic information":::
## Upload files
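Review bot: the new step 2 tells the reader to look for **Share diagnostic information** and select **Change**, and step 3 to choose **Yes** or **No**, but the screenshot line kept at the end still references `grant-permission-manage.png` with alt text "Grant permissions for diagnostic information", which describes the old **Grant permission** flow this hunk removes; update the screenshot and its alt text to show the **Change** / **Yes** / **No** dialog, or drop the image. The rewritten intro is clearer than the old bullets, but since it now implies the choice can be changed in either direction after creation, confirm that the old "You can't clear this option after a request is created" restriction really is gone, as that is a change in what support can collect, not just in wording.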
azure-sql Data Discovery And Classification Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/data-discovery-and-classification-overview.md
Your most sensitive data might include business, financial, healthcare, or perso
## <a id="what-is-dc"></a>What is Data Discovery & Classification?
-Data Discovery & Classification introduces a set of basic services and new capabilities in Azure. It forms a new information-protection paradigm for SQL Database, SQL Managed Instance, and Azure Synapse, aimed at protecting the data and not just the database. The paradigm includes:
+Data Discovery & Classification forms a new information-protection paradigm for SQL Database, SQL Managed Instance, and Azure Synapse, aimed at protecting the data and not just the database. Currently it supports the following capabilities:
- **Discovery and recommendations:** The classification engine scans your database and identifies columns that contain potentially sensitive data. It then provides you with an easy way to review and apply recommended classification via the Azure portal.
The classification includes two metadata attributes:
### Define and customize your classification taxonomy
-Data Discovery & Classification comes with a built-in set of sensitivity labels and a built-in set of information types and discovery logic. You can now customize this taxonomy and define a set and ranking of classification constructs specifically for your environment.
+Data Discovery & Classification comes with a built-in set of sensitivity labels and a built-in set of information types and discovery logic. You can customize this taxonomy and define a set and ranking of classification constructs specifically for your environment.
You define and customize of your classification taxonomy in one central place for your entire Azure organization. That location is in [Azure Security Center](../../security-center/security-center-introduction.md), as part of your security policy. Only someone with administrative rights on the organization's root management group can do this task.
You can use the REST API to programmatically manage classifications and recommen
- Consider configuring [Azure SQL Auditing](../../azure-sql/database/auditing-overview.md) for monitoring and auditing access to your classified sensitive data. - For a presentation that includes data Discovery & Classification, see [Discovering, classifying, labeling & protecting SQL data | Data Exposed](https://www.youtube.com/watch?v=itVi9bkJUNc).-- To classify your Azure SQL Databases and Azure Synapse Analytics with Azure Purview labels using T-SQL commands, see [Classify your Azure SQL data using Azure Purview labels](../../sql-database/scripts/sql-database-import-purview-labels.md).
+- To classify your Azure SQL Databases and Azure Synapse Analytics with Azure Purview labels using T-SQL commands, see [Classify your Azure SQL data using Azure Purview labels](../../sql-database/scripts/sql-database-import-purview-labels.md).
azure-sql File Space Manage https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/file-space-manage.md
Previously updated : 12/22/2020 Last updated : 04/16/2021 # Manage file space for databases in Azure SQL Database [!INCLUDE[appliesto-sqldb](../includes/appliesto-sqldb.md)]
However, the following APIs also measure the size of space allocated for databas
Azure SQL Database does not automatically shrink data files to reclaim unused allocated space due to the potential impact to database performance. However, customers may shrink data files via self-service at a time of their choosing by following the steps described in [reclaim unused allocated space](#reclaim-unused-allocated-space).
-> [!NOTE]
-> Unlike data files, Azure SQL Database automatically shrinks log files since that operation does not impact database performance.
+### Shrinking transaction log file
+
+Unlike data files, Azure SQL Database automatically shrinks transaction log file to avoid excessive space usage that can lead to out-of-space errors. It is usually not necessary for customers to shrink the transaction log file.
+
+In Premium and Business Critical service tiers, if the transaction log becomes large, it may significantly contribute to local storage consumption toward the [maximum local storage](resource-limits-logical-server.md#storage-space-governance) limit. If local storage consumption is close to the limit, customers may choose to shrink transaction log using the [DBCC SHRINKFILE](/sql/t-sql/database-console-commands/dbcc-shrinkfile-transact-sql) command as shown in the following example. This releases local storage as soon as the command completes, without waiting for the periodic automatic shrink operation.
+
+```tsql
+DBCC SHRINKFILE (2);
+```
## Understanding types of storage space for a database
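Review bot: the `DBCC SHRINKFILE (2);` example hard-codes file ID 2 as the transaction log without saying so. State in the new paragraph that 2 is the log file's `file_id` in the default layout and tell the reader to confirm it first (for instance against `sys.database_files`, where the log file has `type_desc = 'LOG'`) before running the command, since shrinking the wrong file on a Premium or Business Critical database is not a free operation. Also "automatically shrinks transaction log file" needs the article: "automatically shrinks the transaction log file".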
Understanding the following storage space quantities are important for managing
|Database quantity|Definition|Comments| ||||
-|**Data space used**|The amount of space used to store database data in 8 KB pages.|Generally, space used increases (decreases) on inserts (deletes). In some cases, the space used does not change on inserts or deletes depending on the amount and pattern of data involved in the operation and any fragmentation. For example, deleting one row from every data page does not necessarily decrease the space used.|
+|**Data space used**|The amount of space used to store database data.|Generally, space used increases (decreases) on inserts (deletes). In some cases, the space used does not change on inserts or deletes depending on the amount and pattern of data involved in the operation and any fragmentation. For example, deleting one row from every data page does not necessarily decrease the space used.|
|**Data space allocated**|The amount of formatted file space made available for storing database data.|The amount of space allocated grows automatically, but never decreases after deletes. This behavior ensures that future inserts are faster since space does not need to be reformatted.| |**Data space allocated but unused**|The difference between the amount of data space allocated and data space used.|This quantity represents the maximum amount of free space that can be reclaimed by shrinking database data files.| |**Data max size**|The maximum amount of space that can be used for storing database data.|The amount of data space allocated cannot grow beyond the data max size.|
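Review bot: Dropping "in 8 KB pages" from the **Data space used** definition leaves the Comments cell of the same row referring to "every data page" without the term ever being introduced. If the page size is being removed as an implementation detail, either reword the example to "deleting one row from every allocated page" or link "data page" to the pages-and-extents reference; otherwise keep the 8 KB qualifier.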
For more information about this command, see [SHRINKDATABASE](/sql/t-sql/databas
### Auto-shrink
-Alternatively, auto shrink can be enabled for a database. Auto shrink reduces file management complexity and is less impactful to database performance than `SHRINKDATABASE` or `SHRINKFILE`. Auto shrink can be particularly helpful for managing elastic pools with many databases. However, auto shrink can be less effective in reclaiming file space than `SHRINKDATABASE` and `SHRINKFILE`.
-By default, Auto Shrink is disabled as recommended for most databases. For more information, see [Considerations for AUTO_SHRINK](/troubleshoot/sql/admin/considerations-autogrow-autoshrink#considerations-for-auto_shrink).
+Alternatively, auto-shrink can be enabled for a database. Auto-shrink reduces file management complexity and is less impactful to database performance than `SHRINKDATABASE` or `SHRINKFILE`. Auto-shrink can be particularly helpful in managing elastic pools with many databases that experience significant growth and reduction in space used. However, auto shrink can be less effective in reclaiming file space than `SHRINKDATABASE` and `SHRINKFILE`.
+
+By default, auto-shrink is disabled, which is recommended for most databases. If it becomes necessary to enable auto-shrink, it is recommended to disable it once space management goals have been achieved, instead of keeping it enabled permanently. For more information, see [Considerations for AUTO_SHRINK](/troubleshoot/sql/admin/considerations-autogrow-autoshrink#considerations-for-auto_shrink).
-To enable auto shrink, modify the name of the database in the following command.
+To enable auto-shrink, execute the following command in your database (not in the master database).
```sql Enable auto-shrink for the database.
-ALTER DATABASE [db1] SET AUTO_SHRINK ON;
+-- Enable auto-shrink for the current database.
+ALTER DATABASE CURRENT SET AUTO_SHRINK ON;
``` For more information about this command, see [DATABASE SET](/sql/t-sql/statements/alter-database-transact-sql-set-options) options. ### Rebuild indexes
-After database data files are shrunk, indexes may become fragmented and lose their performance optimization effectiveness. If performance degradation occurs, then consider rebuilding database indexes. For more information on fragmentation and rebuilding indexes, see [Reorganize and Rebuild Indexes](/sql/relational-databases/indexes/reorganize-and-rebuild-indexes).
+After data files are shrunk, indexes may become fragmented and lose their performance optimization effectiveness. If performance degradation occurs, consider rebuilding database indexes. For more information on fragmentation and index maintenance, see [Optimize index maintenance to improve query performance and reduce resource consumption](/sql/relational-databases/indexes/reorganize-and-rebuild-indexes).
## Next steps
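Review bot: The rewritten paragraph under "Auto-shrink" recommends disabling auto-shrink once space management goals are met, but the only statement shown is `ALTER DATABASE CURRENT SET AUTO_SHRINK ON;`. Add the matching `ALTER DATABASE CURRENT SET AUTO_SHRINK OFF;`, or say that the same statement with `OFF` reverts the setting, so the recommendation is actionable. Hyphenation is inconsistent within the new text: "auto-shrink" three times, then "auto shrink can be less effective" in the last sentence of the same paragraph. The fence for this block is tagged `sql` while the new log-shrink block earlier in the same article uses `tsql`; pick one for the article.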
azure-sql Maintenance Window https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/maintenance-window.md
Previously updated : 04/28/2021 Last updated : 05/25/2021 # Maintenance window (Preview)
You can further adjust the maintenance updates to a time suitable to your Azure
* Weekday window, 10PM to 6AM local time Monday - Thursday * Weekend window, 10PM to 6AM local time Friday - Sunday
-Once the maintenance window selection is made and service configuration completed, planned maintenance will occur only during the window of your choice.
+Once the maintenance window selection is made and service configuration completed, planned maintenance will occur only during the window of your choice. While maintenance events typically complete within a single window, some of them may span two or more adjacent windows.
> [!Important] > In very rare circumstances where any postponement of action could cause serious impact, like applying critical security patch, configured maintenance window may be temporarily overriden.
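Review bot: The sentence added after "planned maintenance will occur only during the window of your choice" says some events "may span two or more adjacent windows" but does not say what happens between those windows, which is the question a reader has the moment "only during the window" is qualified. Point to the "Serialization of virtual cluster management operations" section added further down, which explains for Managed Instance that the operation resumes when the next window opens and that other cluster operations wait in the meantime, and say whether the same pause-and-resume behaviour applies to SQL Database, which that section does not cover. Drive-by in the unchanged Important note below: "overriden" should be "overridden".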
For more on the client connection policy in Azure SQL Managed Instance see [Azur
## Considerations for Azure SQL Managed Instance
-Azure SQL Managed Instance consists of service components hosted on a dedicated set of isolated virtual machines that run inside the customer's virtual network subnet. These virtual machines form [virtual cluster(s)](../managed-instance/connectivity-architecture-overview.md#high-level-connectivity-architecture) that can host multiple managed instances. Maintenance window configured on instances of one subnet can influence the number of virtual clusters within the subnet and distribution of instances among virtual clusters. This may require a consideration of few effects.
+Azure SQL Managed Instance consists of service components hosted on a dedicated set of isolated virtual machines that run inside the customer's virtual network subnet. These virtual machines form [virtual cluster(s)](../managed-instance/connectivity-architecture-overview.md#high-level-connectivity-architecture) that can host multiple managed instances. Maintenance window configured on instances of one subnet can influence the number of virtual clusters within the subnet, distribution of instances among virtual clusters, and virtual cluster management operations. This may require a consideration of few effects.
### Maintenance window configuration is long running operation All instances hosted in a virtual cluster share the maintenance window. By default, all managed instances are hosted in the virtual cluster with the default maintenance window. Specifying another maintenance window for managed instance during its creation or afterwards means that it must be placed in virtual cluster with corresponding maintenance window. If there is no such virtual cluster in the subnet, a new one must be created first to accommodate the instance. Accommodating additional instance in the existing virtual cluster may require cluster resize. Both operations contribute to the duration of configuring maintenance window for a managed instance.
Configuring and changing maintenance window causes change of the IP address of t
> [!Important] > Make sure that NSG and firewall rules won't block data traffic after IP address change.
+### Serialization of virtual cluster management operations
+Operations affecting the virtual cluster, like service upgrades and virtual cluster resize (adding new or removing unneeded compute nodes) are serialized. In other words, a new virtual cluster management operation cannot start until the previous one is completed. In case that maintenance window closes before the ongoing service upgrade or maintenance operation is completed, any other virtual cluster management operations submitted in the meantime will be put on hold until next maintenance window opens and service upgrade or maintenance operation completes. It is not common for a maintenance operation to take longer than a single window per virtual cluster, but it can happen in case of very complex maintenance operations.
+The serialization of virtual cluster management operations is general behavior that applies to the default maintenance policy as well. With a maintenance window schedule configured, the period between two adjacent windows can be few days long. Submitted operations can also be on hold for few days if the maintenance operation spans two windows. That is very rare case, but creation of new instances or resize of the existing instances (if additional compute nodes are needed) may be blocked during this period.
+ ## Next steps * [Advance notifications](advance-notifications.md)
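Review bot: In the new "Serialization of virtual cluster management operations" section the user-visible consequence is stated only in the final sentence ("creation of new instances or resize of the existing instances ... may be blocked during this period"); lead with it, since that is what someone opening a support case will be looking for, and add a sentence to the "Maintenance window configuration is long running operation" section above, which already mentions cluster resize, noting that this serialization is one reason that operation can take long. Grammar in the new paragraphs: "In case that maintenance window closes" should read "If the maintenance window closes"; "can be few days long" and "on hold for few days" need "a few days"; "That is very rare case" needs "a very rare case"; "applies to the default maintenance policy as well" is clearer as "also applies to the default maintenance policy". The added "## Next steps" line carries a leading space; it still renders, but none of the other headings in this change are indented.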
azure-sql Resource Limits Dtu Elastic Pools https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/resource-limits-dtu-elastic-pools.md
If all DTUs of an elastic pool are used, then each database in the pool receives
> [!NOTE] > For `tempdb` limits, see [tempdb limits](/sql/relational-databases/databases/tempdb-database#tempdb-database-in-sql-database).
+>
+> For additional information on storage limits in the Premium service tier, see [Storage space governance](resource-limits-logical-server.md#storage-space-governance).
### Database properties for pooled databases
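Review bot: The added note points Premium-tier readers to "Storage space governance" for "additional information on storage limits", but the DTU pool tables in this article are not given a "Max local storage size" row in this change, unlike the vCore tables updated at the same time, so a reader arrives at the governance section with no number to compare their usage against. Either add the row to the Premium pool tables as well, or reword the note to say that the maximum local storage limit for Premium pools is documented in the linked section.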
azure-sql Resource Limits Dtu Single Databases https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/resource-limits-dtu-single-databases.md
Previously updated : 04/09/2021 Last updated : 04/16/2021 # Resource limits for single databases using the DTU purchasing model - Azure SQL Database [!INCLUDE[appliesto-sqldb](../includes/appliesto-sqldb.md)]
The following tables show the resources available for a single database at each
> [!IMPORTANT] > More than 1 TB of storage in the Premium tier is currently available in all regions except: China East, China North, Germany Central, and Germany Northeast. In these regions, the storage max in the Premium tier is limited to 1 TB. For more information, see [P11-P15 current limitations](single-database-scale.md#p11-and-p15-constraints-when-max-size-greater-than-1-tb).+ > [!NOTE] > For `tempdb` limits, see [tempdb limits](/sql/relational-databases/databases/tempdb-database#tempdb-database-in-sql-database).
+>
+> For additional information on storage limits in the Premium service tier, see [Storage space governance](resource-limits-logical-server.md#storage-space-governance).
## Next steps
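Review bot: "For additional information on storage limits in the Premium service tier" undersells what the link is for: the target section describes the combined local storage consumed by data, transaction log, and tempdb, a limit distinct from the max data size shown in these tables. Suggest "For the maximum local storage limit that applies to data, transaction log, and tempdb combined in the Premium service tier, see ..." so the reader understands this is a second limit rather than more detail on the first.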
azure-sql Resource Limits Logical Server https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/resource-limits-logical-server.md
Previously updated : 03/25/2021 Last updated : 04/16/2021 # Resource limits for Azure SQL Database and Azure Synapse Analytics servers
This article provides an overview of the resource limits for the [logical server
### Storage size
-For single databases resource storage sizes, refer to either [DTU-based resource limits](resource-limits-dtu-single-databases.md) or [vCore-based resource limits](resource-limits-vcore-single-databases.md) for the storage size limits per pricing tier.
+For single databases resource storage sizes, refer to either [DTU-based resource limits](resource-limits-dtu-single-databases.md) or [vCore-based resource limits](resource-limits-vcore-single-databases.md) for the storage size limits per pricing tier (also known as service objective).
## What happens when database resource limits are reached
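Review bot: The parenthetical added to "storage size limits per pricing tier (also known as service objective)" equates two different things. Elsewhere in this same update "service objective" means the compute size within a tier ("scale up to a service objective with a higher maximum data size limit", and the vCore pages' own wording "service tier, compute size (service objective)"), while "pricing tier" here reads as Basic/Standard/Premium or General Purpose/Business Critical/Hyperscale. Suggest "for the storage size limits per service tier and compute size (service objective)".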
When encountering high compute utilization, mitigation options include:
### Storage
-When database space used reaches the max size limit, database inserts and updates that increase the data size fail and clients receive an [error message](troubleshoot-common-errors-issues.md). SELECT and DELETE statements continue to succeed.
+When database space used reaches the maximum data size limit, database inserts and updates that increase data size fail and clients receive an [error message](troubleshoot-common-errors-issues.md). SELECT and DELETE statements remain unaffected.
+
+In Premium and Business Critical service tiers, clients also receive an error message if combined storage consumption by data, transaction log, and tempdb exceeds maximum local storage size. For more information, see [Storage space governance](#storage-space-governance).
When encountering high space utilization, mitigation options include: -- Increasing the max size of the database or elastic pool, or adding more storage. See [Scale single database resources](single-database-scale.md) and [Scale elastic pool resources](elastic-pool-scale.md).
+- Increase maximum data size of the database or elastic pool, or scale up to a service objective with a higher maximum data size limit. See [Scale single database resources](single-database-scale.md) and [Scale elastic pool resources](elastic-pool-scale.md).
- If the database is in an elastic pool, then alternatively the database can be moved outside of the pool so that its storage space isn't shared with other databases.-- Shrink a database to reclaim unused space. For more information, see [Manage file space in Azure SQL Database](file-space-manage.md).
+- Shrink a database to reclaim unused space. In elastic pools, shrinking a database provides more storage for other databases in the pool. For more information, see [Manage file space in Azure SQL Database](file-space-manage.md).
- Check if high space utilization is due to a spike in the size of Persistent Version Store (PVS). PVS is a part of each database, and is used to implement [Accelerated Database Recovery](../accelerated-database-recovery.md). To determine current PVS size, see [PVS troubleshooting](/sql/relational-databases/accelerated-database-recovery-management#troubleshooting). A common reason for large PVS size is a transaction that is open for a long time (hours), preventing cleanup of older versions in PVS.
+- For large databases in Premium and Business Critical service tiers, you may receive an out-of-space error even though used space in the database is below its maximum size limit. This may happen if tempdb or transaction log consume a large amount of storage toward the maximum local storage limit. [Fail over](high-availability-sla.md#testing-application-fault-resiliency) the database or elastic pool to reset tempdb to its initial smaller size, or [shrink](file-space-manage.md#shrinking-transaction-log-file) transaction log to reduce local storage consumption.
### Sessions and workers (requests)
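Review bot: The last new bullet in the high-space-utilization list tells Premium and Business Critical users to fail over or shrink the log when they hit an out-of-space error below the max data size, but gives no way to confirm that local storage is actually the cause before taking a failover that terminates connections. Point the reader first at the `sys.dm_user_db_resource_governance` query added to the "Storage space governance" section in this same update (compare `user_data_directory_space_usage_mb` with `user_data_directory_space_quota_mb`), and only then offer failover and log shrink. The bullet above it on Persistent Version Store also describes used space being unexpectedly high; a sentence saying that PVS, being part of the database, counts toward data space while tempdb and log count toward local storage would keep the two bullets from reading as the same symptom.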
Azure SQL Database resource governance is hierarchical in nature. From top to bo
Data IO governance is a process in Azure SQL Database used to limit both read and write physical IO against data files of a database. IOPS limits are set for each service level to minimize the "noisy neighbor" effect, to provide resource allocation fairness in the multi-tenant service, and to stay within the capabilities of the underlying hardware and storage.
-For single databases, workload group limits are applied to all storage IO against the database, while resource pool limits apply to all storage IO against all databases in the same resource pool, including the `tempdb` database. For elastic pools, workload group limits apply to each database in the pool, whereas resource pool limit applies to the entire elastic pool, including the `tempdb` database, which is shared among all databases in the pool. In general, resource pool limits may not be achievable by the workload against a database (either single or pooled), because workload group limits are lower than resource pool limits and limit IOPS/throughput sooner. However, pool limits may be reached by the combined workload against multiple databases on the same pool.
+For single databases, workload group limits are applied to all storage IO against the database, while resource pool limits apply to all storage IO against all databases on the same dedicated SQL pool, including the tempdb database. For elastic pools, workload group limits apply to each database in the pool, whereas resource pool limit applies to the entire elastic pool, including the tempdb database, which is shared among all databases in the pool. In general, resource pool limits may not be achievable by the workload against a database (either single or pooled), because workload group limits are lower than resource pool limits and limit IOPS/throughput sooner. However, pool limits may be reached by the combined workload against multiple databases on the same pool.
For example, if a query generates 1000 IOPS without any IO resource governance, but the workload group maximum IOPS limit is set to 900 IOPS, the query won't be able to generate more than 900 IOPS. However, if the resource pool maximum IOPS limit is set to 1500 IOPS, and the total IO from all workload groups associated with the resource pool exceeds 1500 IOPS, then the IO of the same query may be reduced below the workgroup limit of 900 IOPS.
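Review bot: Replacing "resource pool" with "dedicated SQL pool" in "resource pool limits apply to all storage IO against all databases on the same dedicated SQL pool" introduces a term from a different product into a paragraph about Resource Governor workload groups and resource pools; the same sentence still says "resource pool limits" on both sides of the change, and the elastic pool clause right after it keeps "resource pool limit". Unless this is a deliberate product rename, revert to "resource pool". The change also removes the code formatting from `tempdb` that the removed line had and that the rest of the article uses. Drive-by in the unchanged example paragraph: "workgroup limit" should be "workload group limit".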
When encountering a log rate limit that is hampering desired scalability, consid
### Storage space governance
-In Premium and Business Critical service tiers, data and transaction log files are stored on the local SSD volume of the machine hosting the database or elastic pool. This provides high IOPS and throughput, and low IO latency. The size of this local volume depends on hardware capabilities, and is finite. On a given machine, local volume space is consumed by customer databases including `tempdb`, the operating system, management software, monitoring data, logs, etc. As databases are created, deleted, and increase/decrease their space usage, local space consumption on a machine fluctuates over time.
+In Premium and Business Critical service tiers, customer data including *data files*, *transaction log files*, and *tempdb files* is stored on the local SSD storage of the machine hosting the database or elastic pool. Local SSD storage provides high IOPS and throughput, and low IO latency. In addition to customer data, local storage is used for the operating system, management software, monitoring data and logs, and other files necessary for system operation.
+
+The size of local storage is finite and depends on hardware capabilities, which determine the **maximum local storage** limit, or local storage set aside for customer data. This limit is set to maximize customer data storage, while ensuring safe and reliable system operation. To find the **maximum local storage** value for each service objective, see resource limits documentation for [single databases](resource-limits-vcore-single-databases.md) and [elastic pools](resource-limits-vcore-elastic-pools.md).
+
+You can also find this value, and the amount of local storage currently used by a given database or elastic pool, using the following query:
+
+```tsql
+SELECT server_name, database_name, slo_name, user_data_directory_space_quota_mb, user_data_directory_space_usage_mb
+FROM sys.dm_user_db_resource_governance
+WHERE database_id = DB_ID();
+```
+
+|Column|Description|
+| :-- | :-- |
+|`server_name`|Logical server name|
+|`database_name`|Database name|
+|`slo_name`|Service objective name, including hardware generation|
+|`user_data_directory_space_quota_mb`|**Maximum local storage**, in MB|
+|`user_data_directory_space_usage_mb`|Current local storage consumption by data files, transaction log files, and tempdb files, in MB. Updated every five minutes.|
+|||
-If the system detects that available free space on a machine is low and a database or elastic pool is at risk of running out of space, it will move the database or elastic pool to a different machine with sufficient free space, allowing growth up to maximum size limits of the configured service objective. This move occurs in an online fashion, similarly to a database scaling operation, and has a similar [impact](single-database-scale.md#impact), including a short (seconds) failover at the end of the operation. This failover terminates open connections and rolls back transactions, potentially impacting applications using the database at that time.
+This query should be executed in the user database, not in the master database. For elastic pools, the query can be executed in any database in the pool. Reported values apply to the entire pool.
-Because data is physically copied to a different machine, moving larger databases may require a substantial amount of time. During that time, if local space consumption by a large user database or elastic pool, or by the `tempdb` database grows very rapidly, the risk of running out of space increases. The system initiates database movement in a balanced fashion to prevent out-of-space errors and to avoid unnecessary failovers.
+> [!IMPORTANT]
+> In Premium and Business Critical service tiers, if the workload attempts to increase combined local storage consumption by data files, transaction log files, and tempdb files over the **maximum local storage** limit, an out-of-space error will occur.
+
+As databases are created, deleted, and increase or decrease in size, local storage consumption on a machine fluctuates over time. If the system detects that available local storage on a machine is low, and a database or an elastic pool is at risk of running out of space, it will move the database or elastic pool to a different machine with sufficient local storage available.
+
+This move occurs in an online fashion, similarly to a database scaling operation, and has a similar [impact](single-database-scale.md#impact), including a short (seconds) failover at the end of the operation. This failover terminates open connections and rolls back transactions, potentially impacting applications using the database at that time.
+
+Because all data is copied to a local storage volume on a different machine, moving larger databases may require a substantial amount of time. During that time, if local space consumption by the database or elastic pool, or by the tempdb database grows rapidly, the risk of running out of space increases. The system initiates database movement in a balanced fashion to minimize out-of-space errors while avoiding unnecessary failovers.
+
+> [!NOTE]
+> Database movement due to insufficient local storage only occurs in the Premium or Business Critical service tiers. It does not occur in the Hyperscale, General Purpose, Standard, and Basic service tiers, because in those tiers data files are not stored on local storage.
## Next steps
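Review bot: The Important note ("an out-of-space error will occur") and the paragraph right after it ("it will move the database or elastic pool to a different machine with sufficient local storage available") read as contradictory until the later paragraph on copy time explains that movement only minimizes errors. State the relationship in the note itself: the move is the primary mechanism, and the error is what the workload sees when local storage consumption grows faster than a move can complete. In the new query section, the column table says `user_data_directory_space_usage_mb` is "Updated every five minutes", so a value read right after a large load or a `DBCC SHRINKFILE` can lag by that much; that deserves a sentence, because the shrink section in the file-space article changed in this same update promises release "as soon as the command completes".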
azure-sql Resource Limits Vcore Elastic Pools https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/resource-limits-vcore-elastic-pools.md
description: This page describes some common vCore resource limits for elastic p
-+ ms.devlang: Previously updated : 04/09/2021 Last updated : 04/16/2021 # Resource limits for elastic pools using the vCore purchasing model [!INCLUDE[appliesto-sqldb](../includes/appliesto-sqldb.md)]
You can set the service tier, compute size (service objective), and storage amou
|Max data size (GB)|1024|1024|1024|1024|1024| |Max log size (GB)|307|307|307|307|307| |TempDB max data size (GB)|64|96|128|160|192|
+|[Max local storage size](resource-limits-logical-server.md#storage-space-governance) (GB)|1356|1356|1356|1356|1356|
|IO latency (approximate)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)| |Max data IOPS per pool <sup>2</sup>|9,000|13,500|18,000|22,500|27,000| |Max log rate per pool (MBps)|20|30|40|50|60|
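Review bot: The new "Max local storage size" row of 1356 GB sits under rows whose maxima add up to more than that: in this table max data size 1024 + max log size 307 + TempDB max data size up to 192 is 1523 GB, and the next table (TempDB up to 768 GB against the same 1356 GB) and the 4096/1229/2560 table later in the file (4829 GB limit) exceed their limit in the same way. A footnote on the row saying that data, log, and tempdb share this limit and that their individual maxima cannot all be reached at once would preempt the obvious question and tie the row to the "Storage space governance" section it links to.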
You can set the service tier, compute size (service objective), and storage amou
|Max data size (GB)|1024|1024|1024|1024|1024|1024| |Max log size (GB)|307|307|307|307|307|307| |TempDB max data size (GB)|224|256|288|320|512|768|
+|[Max local storage size](resource-limits-logical-server.md#storage-space-governance) (GB)|1356|1356|1356|1356|1356|1356|
|IO latency (approximate)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)| |Max data IOPS per pool <sup>2</sup>|31,500|36,000|40,500|45,000|72,000|96,000| |Max log rate per pool (MBps)|70|80|80|80|80|80|
You can set the service tier, compute size (service objective), and storage amou
|Max data size (GB)|1024|1536|1536|1536|3072|3072| |Max log size (GB)|307|307|461|461|922|922| |TempDB max data size (GB)|128|192|256|320|384|448|
+|[Max local storage size](resource-limits-logical-server.md#storage-space-governance) (GB)|4829|4829|4829|4829|4829|4829|
|Storage type|Local SSD|Local SSD|Local SSD|Local SSD|Local SSD|Local SSD| |IO latency (approximate)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)| |Max data IOPS per pool <sup>2</sup>|18,000|27,000|36,000|45,000|54,000|63,000|
You can set the service tier, compute size (service objective), and storage amou
|Max data size (GB)|3072|3072|3072|4096|4096|4096|4096| |Max log size (GB)|922|922|922|1229|1229|1229|1229| |TempDB max data size (GB)|512|576|640|768|1024|1280|2560|
+|[Max local storage size](resource-limits-logical-server.md#storage-space-governance) (GB)|4829|4829|4829|4829|4829|4829|4829|
|Storage type|Local SSD|Local SSD|Local SSD|Local SSD|Local SSD|Local SSD|Local SSD| |IO latency (approximate)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)| |Max data IOPS per pool <sup>2</sup>|72,000|81,000|90,000|108,000|144,000|180,000|256,000|
You can set the service tier, compute size (service objective), and storage amou
|Max data size (GB)|512|640|768|896|1024|1152| |Max log size (GB)|171|213|256|299|341|384| |TempDB max data size (GB)|256|320|384|448|512|576|
+|[Max local storage size](resource-limits-logical-server.md#storage-space-governance) (GB)|13836|13836|13836|13836|13836|13836|
|Storage type|Local SSD|Local SSD|Local SSD|Local SSD|Local SSD|Local SSD| |IO latency (approximate)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)| |Max data IOPS per pool <sup>2</sup>|12,499|15,624|18,748|21,873|24,998|28,123|
If all vCores of an elastic pool are busy, then each database in the pool receiv
|Max data size (GB)|1280|1536|2048|4096|4096| |Max log size (GB)|427|512|683|1024|1024| |TempDB max data size (GB)|640|768|1024|2048|4096|
+|[Max local storage size](resource-limits-logical-server.md#storage-space-governance) (GB)|13836|13836|13836|13836|13836|
|Storage type|Local SSD|Local SSD|Local SSD|Local SSD|Local SSD| |IO latency (approximate)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)| |Max data IOPS per pool <sup>2</sup>|31,248|37,497|49,996|99,993|160,000|
If all vCores of an elastic pool are busy, then each database in the pool receiv
|Max data size (GB)|768|768|768|768| |Max log size (GB)|230|230|230|230| |TempDB max data size (GB)|64|128|192|256|
+|[Max local storage size](resource-limits-logical-server.md#storage-space-governance) (GB)|1406|1406|1406|1406|
|Storage type|Local SSD|Local SSD|Local SSD|Local SSD| |IO latency (approximate)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)| |Max data IOPS per pool <sup>2</sup>|15750|31500|47250|56000|
azure-sql Resource Limits Vcore Single Databases https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/resource-limits-vcore-single-databases.md
description: This page describes some common vCore resource limits for a single
-+ ms.devlang: Previously updated : 04/09/2021 Last updated : 04/16/2021 # Resource limits for single databases using the vCore purchasing model [!INCLUDE[appliesto-sqldb](../includes/appliesto-sqldb.md)]
The [serverless compute tier](serverless-tier-overview.md) is currently availabl
|Max data size (GB)|1024|1024|1024|1024|1024|1024| |Max log size (GB)|307|307|307|307|307|307| |TempDB max data size (GB)|32|64|96|128|160|192|
+|[Max local storage size](resource-limits-logical-server.md#storage-space-governance) (GB)|1356|1356|1356|1356|1356|1356|
|IO latency (approximate)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)| |Max data IOPS *|4,000|8,000|12,000|16,000|20,000|24,000| |Max log rate (MBps)|8|16|24|32|40|48|
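Review bot: Same arithmetic question as in the elastic pool tables: 1024 GB data + 307 GB log + up to 192 GB tempdb in this table is 1523 GB against the new 1356 GB "Max local storage size", and the Gen5 table below (tempdb up to 768 GB) and the 4096/1024/2560 table (4829 GB limit) exceed theirs by more. Add the shared-limit footnote to the new row here as well so the single-database and pool pages explain the number the same way.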
The [serverless compute tier](serverless-tier-overview.md) is currently availabl
|Max data size (GB)|1024|1024|1024|1024|1024|1024| |Max log size (GB)|307|307|307|307|307|307| |TempDB max data size (GB)|224|256|288|320|512|768|
+|[Max local storage size](resource-limits-logical-server.md#storage-space-governance) (GB)|1356|1356|1356|1356|1356|1356|
|IO latency (approximate)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)| |Max data IOPS |28,000|32,000|36,000|40,000|64,000|76,800| |Max log rate (MBps)|56|64|64|64|64|64|
The [serverless compute tier](serverless-tier-overview.md) is currently availabl
|Max data size (GB)|1024|1024|1536|1536|1536|3072|3072| |Max log size (GB)|307|307|461|461|461|922|922| |TempDB max data size (GB)|64|128|192|256|320|384|448|
+|[Max local storage size](resource-limits-logical-server.md#storage-space-governance) (GB)|4829|4829|4829|4829|4829|4829|4829|
|Storage type|Local SSD|Local SSD|Local SSD|Local SSD|Local SSD|Local SSD|Local SSD| |IO latency (approximate)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)| |Max data IOPS *|8000|16,000|24,000|32,000|40,000|48,000|56,000|
The [serverless compute tier](serverless-tier-overview.md) is currently availabl
|Max data size (GB)|3072|3072|3072|4096|4096|4096|4096| |Max log size (GB)|922|922|922|1024|1024|1024|1024| |TempDB max data size (GB)|512|576|640|768|1024|1280|2560|
+|[Max local storage size](resource-limits-logical-server.md#storage-space-governance) (GB)|4829|4829|4829|4829|4829|4829|4829|
|Storage type|Local SSD|Local SSD|Local SSD|Local SSD|Local SSD|Local SSD|Local SSD| |IO latency (approximate)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)| |Max data IOPS *|64,000|72,000|80,000|96,000|128,000|160,000|204,800|
The [serverless compute tier](serverless-tier-overview.md) is currently availabl
|Max data size (GB)|512|640|768|896|1024|1152| |Max log size (GB)|171|213|256|299|341|384| |TempDB max data size (GB)|256|320|384|448|512|576|
+|[Max local storage size](resource-limits-logical-server.md#storage-space-governance) (GB)|13836|13836|13836|13836|13836|13836|
|Storage type|Local SSD|Local SSD|Local SSD|Local SSD|Local SSD|Local SSD| |IO latency (approximate)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)| |Max data IOPS *|12,499|15,624|18,748|21,873|24,998|28,123|
The [serverless compute tier](serverless-tier-overview.md) is currently availabl
|Max data size (GB)|1280|1536|2048|4096|4096| |Max log size (GB)|427|512|683|1024|1024| |TempDB max data size (GB)|4096|2048|1024|768|640|
+|[Max local storage size](resource-limits-logical-server.md#storage-space-governance) (GB)|13836|13836|13836|13836|13836|
|Storage type|Local SSD|Local SSD|Local SSD|Local SSD|Local SSD| |IO latency (approximate)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)| |Max data IOPS *|31,248|37,497|49,996|99,993|160,000|
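Review bot: the TempDB max data size row in this hunk runs in the opposite direction to every other row (4096, 2048, 1024, 768, 640 while max data size grows from 1280 to 4096 and max data IOPS from 31,248 to 160,000); confirm the column order before the new Max local storage size row is published as the ceiling those rows fit under, since the first column alone (1280 + 427 + 4096 = 5803 GB) already depends on all three sharing the 13836 GB.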
The [serverless compute tier](serverless-tier-overview.md) is currently availabl
|Max data size (GB)|768|768|768|768| |Max log size (GB)|230|230|230|230| |TempDB max data size (GB)|64|128|192|256|
+|[Max local storage size](resource-limits-logical-server.md#storage-space-governance) (GB)|1406|1406|1406|1406|
|Storage type|Local SSD|Local SSD|Local SSD|Local SSD| |IO latency (approximate)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)| |Max data IOPS *|14000|28000|42000|44800|
azure-sql Vnet Service Endpoint Rule Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/vnet-service-endpoint-rule-overview.md
Previously updated : 11/14/2019 Last updated : 05/26/2021 # Use virtual network service endpoints and rules for servers in Azure SQL Database
PolyBase and the COPY statement are commonly used to load data into Azure Synaps
### SQL Database blob auditing
-Blob auditing pushes audit logs to your own storage account. If this storage account uses the virtual network service endpoints feature, connectivity from SQL Database to the storage account will break.
+Azure SQL auditing can write SQL audit logs to your own storage account. If this storage account uses the virtual network service endpoints feature, see how to [write audit to a storage account behind VNet and firewall](https://docs.microsoft.com/azure/azure-sql/database/audit-write-storage-account-behind-vnet-firewall).
## Add a virtual network firewall rule to your server
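Review bot: the new sentence links with an absolute https://docs.microsoft.com/... URL while the rest of the articles in this digest link by relative path (for example `resource-limits-logical-server.md#storage-space-governance`); the target sits in the same azure-sql/database folder as this article, so the relative form of the same path survives host and locale changes. The rewrite also drops the old statement that connectivity to the storage account breaks; keep one clause saying the default configuration does not work and that the linked article is the fix, otherwise the heading reads as a non-issue.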
azure-sql Transact Sql Tsql Differences Sql Server https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/managed-instance/transact-sql-tsql-differences-sql-server.md
Linkeds servers on Azure SQL Managed Instance support only SQL authentication. A
### PolyBase
-Work on enabling Polybase support in SQL Managed Instance is [in progress](https://feedback.azure.com/forums/915676-sql-managed-instance/suggestions/35698078-enable-polybase-on-sql-managed-instance). In the meantime, as a workaroiund you can use linked servers to [a serverless SQL pool in Synapse Analytics](https://devblogs.microsoft.com/azure-sql/linked-server-to-synapse-sql-to-implement-polybase-like-scenarios-in-managed-instance/) or SQL Server to query data from files stored in Azure Data Lake or Azure Storage.
+Work on enabling Polybase support in SQL Managed Instance is [in progress](https://feedback.azure.com/forums/915676-sql-managed-instance/suggestions/35698078-enable-polybase-on-sql-managed-instance). In the meantime, as a workaround you can use linked servers to [a serverless SQL pool in Synapse Analytics](https://devblogs.microsoft.com/azure-sql/linked-server-to-synapse-sql-to-implement-polybase-like-scenarios-in-managed-instance/) or SQL Server to query data from files stored in Azure Data Lake or Azure Storage.
For general information about PolyBase, see [PolyBase](/sql/relational-databases/polybase/polybase-guide). ### Replication
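Review bot: the spelling fix is the only change, but the same sentence still writes `Polybase` while the heading and the following sentence use `PolyBase`; normalize the product name in the same edit.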
azure-sql Frequently Asked Questions Faq https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/virtual-machines/windows/frequently-asked-questions-faq.md
This article provides answers to some of the most common questions about running
1. **Are SQL Server failover cluster instances (FCI) supported on Azure VMs?**
- Yes. You can install a failover cluster instance using either [premium file shares (PFS)](failover-cluster-instance-premium-file-share-manually-configure.md) or [storage spaces direct (S2D)](failover-cluster-instance-storage-spaces-direct-manually-configure.md) for the storage subsystem. Premium file shares provide IOPS and throughput capacities that will meet the needs of many workloads. For IO-intensive workloads, consider using storage spaces direct based on manged premium or ultra-disks. Alternatively, you can use third-party clustering or storage solutions as described in [High availability and disaster recovery for SQL Server on Azure Virtual Machines](business-continuity-high-availability-disaster-recovery-hadr-overview.md#azure-only-high-availability-solutions).
+ Yes. You can configure a [failover cluster instance](failover-cluster-instance-overview.md) using [Azure shared disks](failover-cluster-instance-azure-shared-disks-manually-configure.md), [premium file shares (PFS)](failover-cluster-instance-premium-file-share-manually-configure.md), or [storage spaces direct (S2D)](failover-cluster-instance-storage-spaces-direct-manually-configure.md) for the storage subsystem. Premium file shares provide IOPS and throughput capacities that meet the needs of many workloads. For IO-intensive workloads, consider using storage spaces direct based on managed premium or ultra-disks. Alternatively, you can use third-party clustering or storage solutions as described in [High availability and disaster recovery for SQL Server on Azure Virtual Machines](business-continuity-high-availability-disaster-recovery-hadr-overview.md#azure-only-high-availability-solutions).
> [!IMPORTANT] > At this time, the _full_ [SQL Server IaaS Agent Extension](sql-server-iaas-agent-extension-automate-management.md) is not supported for SQL Server FCI on Azure. We recommend that you uninstall the _full_ extension from VMs that participate in the FCI, and install the extension in _lightweight_ mode instead. This extension supports features, such as Automated Backup and Patching and some portal features for SQL Server. These features will not work for SQL Server VMs after the _full_ agent is uninstalled.
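Review bot: Azure shared disks is added as a third storage option for an FCI, but the next sentence still frames the IO-intensive choice as storage spaces direct on premium or ultra disks only; say where shared disks sit relative to the other two (which disk types, whether they cover the IO-intensive case), otherwise the reader has no basis for choosing between the three links.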
This article provides answers to some of the most common questions about running
* [Overview of SQL Server on a Linux VM](../linux/sql-server-on-linux-vm-what-is-iaas-overview.md) * [Provision SQL Server on a Linux VM](../linux/sql-vm-create-portal-quickstart.md) * [FAQ (Linux)](../linux/frequently-asked-questions-faq.md)
-* [SQL Server on Linux documentation](/sql/linux/sql-server-linux-overview)
+* [SQL Server on Linux documentation](/sql/linux/sql-server-linux-overview)
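Review bot: the `-`/`+` pair for the SQL Server on Linux documentation bullet is identical as rendered, so this hunk is a whitespace or line-ending change; that is fine, but worth a word in the change description so it is not mistaken for a link fix.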
azure-video-analyzer Record Stream Inference Data With Video https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-docs/record-stream-inference-data-with-video.md
Next, browse to the src/cloud-to-device-console-app folder. Here you'll see the
1. Next, under the **livePipelineSet** and **pipelineTopologyDelete** nodes, ensure that the value of **topologyName** matches the value of the **name** property in the above pipeline topology: `"pipelineTopologyName" : "CVRHttpExtensionObjectTracking"`
-1. Open the [pipeline topology](https://raw.githubusercontent.com/Azure/video-analyzer/main/pipelines/live/topologies/cvr-with-httpExtension-objTracking/topology.json) in a browser, and look at videoName - it is hard-coded to `sample-cvr-inferencing`. This is acceptable for a tutorial. In production, you would take care to ensure that each unique RTSP camera is recorded to a video resource with a unique name.
+1. Open the [pipeline topology](https://raw.githubusercontent.com/Azure/video-analyzer/main/pipelines/live/topologies/cvr-with-httpExtension-objTracking/topology.json) in a browser, and look at videoName - it is hard-coded to `sample-cvr-with-inference-metadata`. This is acceptable for a tutorial. In production, you would take care to ensure that each unique RTSP camera is recorded to a video resource with a unique name.
1. Examine the settings for the HTTP extension node.
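Review bot: the step just before the changed line tells the reader to match **topologyName** against the topology's **name** property but then quotes the key as `"pipelineTopologyName"`; the three names do not agree, and since this hunk already corrects the hard-coded video name it is the place to settle on one key. The new value `sample-cvr-with-inference-metadata` should also be checked against the topology.json at the linked raw URL, because every later hunk in this file repeats it verbatim and a second mismatch would silently break the event samples.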
When the video sink node starts to record media, it emits this event of type **M
{ "body": { "outputType": "videoName",
- "outputLocation": "sample-cvr-inferencing"
+ "outputLocation": "sample-cvr-with-inference-metadata"
}, "applicationProperties": { "topic": "/subscriptions/{subscriptionID}/resourceGroups/{resource-group-name}/providers/microsoft.media/videoAnalyzers/{ava-account-name}",
As the name suggests, the RecordingStarted event is sent when recording has star
{ "body": { "outputType": "videoName",
- "outputLocation": "sample-cvr-inferencing"
+ "outputLocation": "sample-cvr-with-inference-metadata"
}, "applicationProperties": { "topic": "/subscriptions/{subscriptionID}/resourceGroups/{resource-group-name}/providers/microsoft.media/videoAnalyzers/{ava-account-name}",
When you deactivate the live pipeline, the video sink node stops recording media
{ "body": { "outputType": "videoName",
- "outputLocation": "sample-cvr-inferencing"
+ "outputLocation": "sample-cvr-with-inference-metadata"
}, "applicationProperties": { "topic": "/subscriptions/{subscriptionID}/resourceGroups/{resource-group-name}/providers/microsoft.media/videoAnalyzers/{ava-account-name}",
You can examine the Video Analyzer video resource that was created by the live p
1. Open your web browser, and go to the [Azure portal](https://portal.azure.com/). Enter your credentials to sign in to the portal. The default view is your service dashboard. 1. Locate your Video Analyzers account among the resources you have in your subscription, and open the account pane. 1. Select **Videos** in the **Video Analyzers** list.
-1. You'll find a video listed with the name `sample-cvr-inferencing`. This is the name chosen in your pipeline topology file.
+1. You'll find a video listed with the name `sample-cvr-with-inference-metadata`. This is the name chosen in your pipeline topology file.
1. Select the video. 1. On the video details page, click the **Play** icon
azure-video-analyzer Use Intel Grpc Video Analytics Serving Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-docs/use-intel-grpc-video-analytics-serving-tutorial.md
Right-click the Azure Video Analyzer device and select **Start Monitoring Built-
![Start monitoring](./media/quickstarts/start-monitoring-iot-hub-events.png) ### Run the sample program to detect vehicles, persons or bike
-If you open the [pipeline topology](https://raw.githubusercontent.com/Azure/azure-video-analyzer/main/pipelines/live/topologies/grpcExtensionOpenVINO/topology.json) for this tutorial in a browser, you will see that the value of `grpcExtensionAddress` has been set to `tcp://avaExtension:5001`, compared to the *httpExtensionOpenVINO* tutorial you do not need to change the url to the gRPC Server. Instead you instruct the module to run a specific pipeline by the `extensionConfiguration` in the operations file. When not provided it defaults to "object_detection" for "person_vehicle_bike_detection". You can experiment with other supported pipelines.
+If you open the [pipeline topology](https://raw.githubusercontent.com/Azure/video-analyzer/main/pipelines/live/topologies/grpcExtensionOpenVINO/topology.json) for this tutorial in a browser, you will see that the value of `grpcExtensionAddress` has been set to `tcp://avaExtension:5001`, compared to the *httpExtensionOpenVINO* tutorial you do not need to change the url to the gRPC Server. Instead you instruct the module to run a specific pipeline by the `extensionConfiguration` in the operations file. When not provided it defaults to "object_detection" for "person_vehicle_bike_detection". You can experiment with other supported pipelines.
1. Edit the *operations.json* file: * Change the link to the live pipeline topology:
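Review bot: only the repository path changes here (azure-video-analyzer to video-analyzer), but the sentence it lives in is a run-on: split it after `tcp://avaExtension:5001` ("... has been set to `tcp://avaExtension:5001`. Unlike the *httpExtensionOpenVINO* tutorial, you do not need to change the URL ...") and write `url` as `URL`. Since the scheme is plain `tcp://`, it is also worth one sentence on whether that address is reachable only between modules on the edge device or is something the reader has to expose.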
azure-video-analyzer Use Line Crossing https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-docs/use-line-crossing.md
In Visual Studio Code, browse to the src/cloud-to-device-console-app folder. Her
1. Edit the operations.json file: * Change the link to the pipeline topology:
- * "pipelineTopologyUrl" : "https://raw.githubusercontent.com/Azure/azure-video-analyzer/main//pipelines/live/topologies/line-crossing/topology.json"
+ * "pipelineTopologyUrl" : "https://raw.githubusercontent.com/Azure/video-analyzer/main/pipelines/live/topologies/line-crossing/topology.json"
* Under livePipelineSet, edit the name of the topology to match the value in the preceding link: * "topologyName" : "LineCrossingWithHttpExtension" * Under `pipelineTopologyDelete`, edit the name:
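Review bot: this hunk fixes the doubled slash in `main//pipelines` as well as the repository rename; the grpcExtensionOpenVINO article earlier in this digest gets the same rename and the cvr-with-httpExtension-objTracking topology already points at the new repository, so the remaining topology links in this folder should be checked in the same change rather than one article at a time.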
azure-video-analyzer Connect To Azure https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-for-media-docs/connect-to-azure.md
Select the account -> **Settings** -> **Delete this account**.
The account will be permanently deleted in 90 days.
+## Firewall
+
+See [Storage account that is behind a firewall](faq.md#can-a-storage-account-connected-to-the-media-services-account-be-behind-a-firewall).
+ ## Next steps You can programmatically interact with your trial account and/or with your Video Analyzer for Media accounts that are connected to Azure by following the instructions in: [Use APIs](video-indexer-use-apis.md).
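Review bot: the new Firewall section's link text ("Storage account that is behind a firewall") does not match the FAQ entry it targets, whose anchor reads as the question "Can a storage account connected to the Media Services account be behind a firewall?"; use the question as the link text, or state the one-line answer here and keep the link for detail, so the section answers something rather than only redirecting.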
azure-video-analyzer Faq https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-for-media-docs/faq.md
Previously updated : 05/06/2021 Last updated : 05/25/2021
If you want to get insights on your new video, index it with Video Analyzer for