Updates from: 05/29/2021 03:02:46
Service Microsoft Docs article Related commit history on GitHub Change details
active-directory-domain-services Synchronization https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-domain-services/synchronization.md
The following table illustrates how specific attributes for user objects in Azur
|: |: | | accountEnabled |userAccountControl (sets or clears the ACCOUNT_DISABLED bit) | | city |l |
-| company |companyName |
+| companyName |companyName |
| country |co | | department |department | | displayName |displayName |
active-directory Fido2 Compatibility https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/authentication/fido2-compatibility.md
# Browser support of FIDO2 passwordless authentication
-Azure Active Directory allows [FIDO2 security keys](./concept-authentication-passwordless.md#fido2-security-keys) to be used as a passwordless device. The availability of FIDO2 authentication for Microsoft accounts was [announced in 2018](https://techcommunity.microsoft.com/t5/identity-standards-blog/all-about-fido2-ctap2-and-webauthn/ba-p/288910). As discussed in the announcement, certain optional features, and extensions to the FIDO2 CTAP specification must be implemented to support secure authentication with Microsoft and Azure Active Directory accounts. The following diagram shows which browsers and operating system combinations support passwordless authentication using FIDO2 authentication keys with Azure Active Directory.
+Azure Active Directory allows [FIDO2 security keys](./concept-authentication-passwordless.md#fido2-security-keys) to be used as a passwordless device. The availability of FIDO2 authentication for Microsoft accounts was [announced in 2018](https://techcommunity.microsoft.com/t5/identity-standards-blog/all-about-fido2-ctap2-and-webauthn/ba-p/288910), and it became [generally available](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/passwordless-authentication-is-now-generally-available/ba-p/1994700) in March 2021. The following diagram shows which browsers and operating system combinations support passwordless authentication using FIDO2 authentication keys with Azure Active Directory.
## Supported browsers
The following are the minimum browser version requirements.
<sup>1</sup>All versions of the new Chromium-based Microsoft Edge support Fido2. Support on Microsoft Edge legacy was added in 1903. ## Next steps
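Review bot: the replacement paragraph drops the sentence explaining that certain optional CTAP2 features and extensions must be implemented by a key before it works with Azure AD, and nothing in the new text replaces it, so a reader is left with no hint why a FIDO2 certified key can still be rejected. Keep a short clause next to the new GA link, for example "keys must implement the CTAP2 features described in the announcement", so the GA date does not read as "any FIDO2 key now works".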
-[Enable passwordless security key sign-in (preview)](./howto-authentication-passwordless-security-key.md)
+[Enable passwordless security key sign-in](./howto-authentication-passwordless-security-key.md)
<!--Image references--> [y]: ./media/fido2-compatibility/yes.png
app-service App Service Web Configure Tls Mutual Auth https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/app-service-web-configure-tls-mutual-auth.md
For ASP.NET, the client certificate is available through the **HttpRequest.Clien
For other application stacks (Node.js, PHP, etc.), the client cert is available in your app through a base64 encoded value in the `X-ARR-ClientCert` request header.
-## ASP.NET sample
+## ASP.NET 5+, ASP.NET Core 3.1 sample
+
+For ASP.NET Core, middleware is provided to parse forwarded certificates. Separate middleware is provided to use the forwarded protocol headers. Both must be present for forwarded certificates to be accepted. You can place custom certificate validation logic in the [CertificateAuthentication options](/aspnet/core/security/authentication/certauth).
+
+```csharp
+public class Startup
+{
+ public Startup(IConfiguration configuration)
+ {
+ Configuration = configuration;
+ }
+
+ public IConfiguration Configuration { get; }
+
+ public void ConfigureServices(IServiceCollection services)
+ {
+ services.AddControllersWithViews();
+ // Configure the application to use the protocol and client ip address forwared by the frontend load balancer
+ services.Configure<ForwardedHeadersOptions>(options =>
+ {
+ options.ForwardedHeaders =
+ ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
+ });
+
+ // Configure the application to client certificate forwarded the frontend load balancer
+ services.AddCertificateForwarding(options => { options.CertificateHeader = "X-ARR-ClientCert"; });
+
+ // Add certificate authentication so when authorization is performed the user will be created from the certificate
+ services.AddAuthentication(CertificateAuthenticationDefaults.AuthenticationScheme).AddCertificate();
+ }
+
+ public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
+ {
+ if (env.IsDevelopment())
+ {
+ app.UseDeveloperExceptionPage();
+ }
+ else
+ {
+ app.UseExceptionHandler("/Home/Error");
+ app.UseHsts();
+ }
+
+ app.UseForwardedHeaders();
+ app.UseCertificateForwarding();
+ app.UseHttpsRedirection();
+
+ app.UseAuthentication()
+ app.UseAuthorization();
+
+ app.UseStaticFiles();
+
+ app.UseRouting();
+
+ app.UseEndpoints(endpoints =>
+ {
+ endpoints.MapControllerRoute(
+ name: "default",
+ pattern: "{controller=Home}/{action=Index}/{id?}");
+ });
+ }
+}
+```
+
+## ASP.NET WebForms sample
```csharp using System;
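Review bot: `app.UseAuthentication()` in the `Configure` method is missing its semicolon before `app.UseAuthorization();`, so the sample as pasted does not compile. The middleware order is also wrong for endpoint routing: `app.UseAuthentication();` and `app.UseAuthorization();` must sit between `app.UseRouting();` and `app.UseEndpoints(...)`; with `UseAuthorization` placed before `UseRouting`, any endpoint carrying `[Authorize]` fails at request time with "a middleware was not found that supports authorization". Two points a copy-and-paste reader needs: `AddCertificate()` with no options builds a principal from any client certificate that chains to a root the worker trusts, so the "custom certificate validation logic" the lead-in promises should actually appear in the sample (an `OnCertificateValidated` event that checks the issuer or thumbprint and otherwise calls `context.Fail(...)`), and `services.AddCertificateForwarding` trusts whatever arrives in `X-ARR-ClientCert`, which is only safe while that header can come from nowhere but the App Service front end; say so. `ForwardedHeadersOptions` by default trusts only loopback proxies, so state whether the front end is covered by `KnownNetworks`/`KnownProxies`, otherwise the forwarded headers configuration silently does nothing. Minor: the comments read "forwared" and "to client certificate forwarded the frontend load balancer".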
app-service Manage Backup https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/manage-backup.md
The following database solutions are supported with backup feature:
* Backups of TLS enabled Azure Database for PostgreSQL is not supported. If a backup is configured, you will encounter backup failures. * In-app MySQL databases are automatically backed up without any configuration. If you make manually settings for in-app MySQL databases, such as adding connection strings, the backups may not work correctly. * Using a firewall enabled storage account as the destination for your backups is not supported. If a backup is configured, you will encounter backup failures.
+* Currently, you can't use the Backup and Restore feature with the Azure App Service VNet Integration feature.
+* Currently, you can't use the Backup and Restore feature with Azure storage accounts that are configured to use Private Endpoint.
<a name="manualbackup"></a>
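Review bot: the two new bullets restate, in different words, the restriction already given two lines up for firewall-enabled storage accounts; fold the three into one item that states the underlying constraint, namely that Backup and Restore does not work when the app uses VNet Integration or when the destination storage account restricts public network access (firewall or Private Endpoint), so readers see one rule instead of three symptoms.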
cosmos-db Configure Synapse Link https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cosmos-db/configure-synapse-link.md
If you created an analytical store enabled container through the Azure portal, i
1. Select an existing container that has analytical store enabled. Expand it and modify the following values: * Open the **Scale & Settings** window.
- * Under **Setting** find,** Analytical Storage Time to Live**.
+ * Under **Setting**, find **Analytical Storage Time to Live**.
* Select **On (no default)** or select **On** and set a TTL value * Click **Save** to save the changes.
frontdoor How To Monitor Metrics https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/frontdoor/standard-premium/how-to-monitor-metrics.md
Title: Monitoring metrics for Azure Front Door Standard/Premium description: This article describes the Azure Front Door Standard/Premium monitoring metrics. -+
You can configure alerts for each metric such as a threshold for 4XXErrorRate or
| - | - | - | | Bytes Hit ratio | The percentage of egress from AFD cache, computed against the total egress.ΓÇ»</br> **Byte Hit Ratio** = (egress from edge - egress from origin)/egress from edge. </br> **Scenarios excluded in bytes hit ratio calculation**:</br> 1. You explicitly configure no cache either through Rules Engine or Query String caching behavior. </br> 2. You explicitly configure cache-control directive with no-store or private cache. </br>3. Byte hit ratio can be low if most of the traffic is forwarded to origin rather than served from caching based on your configurations or scenarios. | Endpoint | | RequestCount | The number of client requests served by CDN. | Endpoint, client country, client region, HTTP status, HTTP status group |
-| ResponseSize | The number of client requests served by AFD. |Endpoint, client country, client region, HTTP status, HTTP status group |
+| ResponseSize | The number of bytes sent as responses from Front Door to clients. |Endpoint, client country, client region, HTTP status, HTTP status group |
| TotalLatency | The total time from the client request received by CDN **until the last response byte send from CDN to client**. |Endpoint, client country, client region, HTTP status, HTTP status group | | RequestSize | The number of bytes sent as requests from clients to AFD. | Endpoint, client country, client region, HTTP status, HTTP status group | | 4XX % ErrorRate | The percentage of all the client requests for which the response status code is 4XX. | Endpoint, Client Country, Client Region |
Alert will be charged based on Azure Monitor. For more information about alerts,
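Review bot: the corrected ResponseSize row now mirrors RequestSize, but the surrounding rows still name the same service two ways (RequestCount "served by CDN", TotalLatency "received by CDN", while RequestSize and Bytes Hit ratio say "AFD"), and "until the last response byte send" should be "sent". Use one name, Front Door, across the table while this row is being touched.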
## Next steps - Learn about [Azure Front Door Standard/Premium Reports](how-to-reports.md).-- Learn about [Azure Front Door Standard/Premium Logs](how-to-logs.md).
+- Learn about [Azure Front Door Standard/Premium Logs](how-to-logs.md).
machine-learning How To Enable Studio Virtual Network https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/machine-learning/how-to-enable-studio-virtual-network.md
You can use both Azure RBAC and POSIX-style access control lists (ACLs) to contr
To use Azure RBAC, add the workspace-managed identity to the [Blob Data Reader](../role-based-access-control/built-in-roles.md#storage-blob-data-reader) role. For more information, see [Azure role-based access control](../storage/blobs/data-lake-storage-access-control-model.md#role-based-access-control).
-To use ACLs, the workspace-managed identity can be assigned access just like any other security principle. For more information, see [Access control lists on files and directories](../storage/blobs/data-lake-storage-access-control.md#access-control-lists-on-files-and-directories).
+To use ACLs, the workspace-managed identity can be assigned access just like any other security principal. For more information, see [Access control lists on files and directories](../storage/blobs/data-lake-storage-access-control.md#access-control-lists-on-files-and-directories).
### Azure Data Lake Storage Gen1 access control
-Azure Data Lake Storage Gen1 only supports POSIX-style access control lists. You can assign the workspace-managed identity access to resources just like any other security principle. For more information, see [Access control in Azure Data Lake Storage Gen1](../data-lake-store/data-lake-store-access-control.md).
+Azure Data Lake Storage Gen1 only supports POSIX-style access control lists. You can assign the workspace-managed identity access to resources just like any other security principal. For more information, see [Access control in Azure Data Lake Storage Gen1](../data-lake-store/data-lake-store-access-control.md).
### Azure SQL Database contained user
This article is part five of a five-part virtual network series. See the rest of
* [Part 3: Secure the training environment](how-to-secure-training-vnet.md) * [Part 4: Secure the inferencing environment](how-to-secure-inferencing-vnet.md)
-Also see the article on using [custom DNS](how-to-custom-dns.md) for name resolution.
+Also see the article on using [custom DNS](how-to-custom-dns.md) for name resolution.
purview Register Scan Azure Synapse Analytics https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/purview/register-scan-azure-synapse-analytics.md
Example SQL syntax to create user and grant permission:
CREATE USER [PurviewManagedIdentity] FROM EXTERNAL PROVIDER GO
-EXEC sp_addrolemember 'db_owner', [PurviewManagedIdentity]
+EXEC sp_addrolemember 'db_datareader', [PurviewManagedIdentity]
GO ```
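Review bot: replacing db_owner with db_datareader is the right least-privilege change for a scanner that only needs object metadata and sampled rows, but `sp_addrolemember` is deprecated; use `ALTER ROLE db_datareader ADD MEMBER [PurviewManagedIdentity]`, which is also the form the Service Principal section below already uses, so both snippets read the same.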
-The authentication must have permission to get metadata for the database, schemas and tables. It must also be able to query the tables to sample for classification. The recommendation is to assign `db_owner` permission to the identity.
+The authentication must have permission to get metadata for the database, schemas and tables. It must also be able to query the tables to sample for classification. The recommendation is to assign `db_datareader` permission to the identity.
### Service Principal
In addition, you must also create an Azure AD user in Azure Synapse Analytics by
CREATE USER [ServicePrincipalName] FROM EXTERNAL PROVIDER GO
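Review bot: "The authentication must have permission" in the changed sentence names the wrong subject; it is the identity used for authentication (the managed identity or service principal) that needs the permission. Suggest "The identity used for authentication must have permission to read metadata for the database, schemas and tables, and to query the tables for classification sampling; db_datareader is sufficient and is the recommended role."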
-ALTER ROLE db_owner ADD MEMBER [ServicePrincipalName]
+ALTER ROLE db_datareader ADD MEMBER [ServicePrincipalName]
GO ```
security Feature Availability https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/security/fundamentals/feature-availability.md
The following tables display the current Azure Sentinel feature availability in
| - [Akamai Security Events](/azure/sentinel/connect-akamai-security-events) | Public Preview | Public Preview | | - [Alcide kAudit](/azure/sentinel/connect-alcide-kaudit) | Public Preview | Not Available | | - [Alsid for Active Directory](/azure/sentinel/connect-alsid-active-directory) | Public Preview | Not Available |
-| - [Apache HHTP Server](/azure/sentinel/connect-apache-http-server) | Public Preview | Not Available |
+| - [Apache HTTP Server](/azure/sentinel/connect-apache-http-server) | Public Preview | Not Available |
| - [Aruba ClearPass](/azure/sentinel/connect-aruba-clearpass) | Public Preview | Public Preview | | - [AWS](/azure/sentinel/connect-data-sources) | GA | GA | | - [Barracuda CloudGen Firewall](/azure/sentinel/connect-barracuda-cloudgen-firewall) | GA | GA |
service-health Resource Health Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/service-health/resource-health-overview.md
Non-platform events are triggered by user actions. Examples include stopping a v
### Unknown
-*Unknown* means that Resource Health hasn't received information about the resource for more than 10 minutes. This commonly occurs when virtual machines have been dallocated. Although this status isn't a definitive indication of the state of the resource, it can be an important data point for troubleshooting.
+*Unknown* means that Resource Health hasn't received information about the resource for more than 10 minutes. This commonly occurs when virtual machines have been deallocated. Although this status isn't a definitive indication of the state of the resource, it can be an important data point for troubleshooting.
If the resource is running as expected, the status of the resource will change to *Available* after a few minutes.