Updates from: 05/07/2021 03:06:36
Service Microsoft Docs article Related commit history on GitHub Change details
active-directory-b2c Restful Technical Profile https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/restful-technical-profile.md
The following example `TechnicalProfile` sends a verification email by using a t
## Output claims
-The **OutputClaims** element contains a list of claims returned by the REST API. You may need to map the name of the claim defined in your policy to the name defined in the REST API. You can also include claims that aren't returned by the REST API identity provider, as long as you set the `DefaultValue` attribute.
+The **OutputClaims** element contains a list of claims returned by the REST API. You may need to map the name of the claim defined in your policy to the name defined in the REST API. You can also include claims that aren't returned by the REST API, as long as you set the `DefaultValue` attribute.
The **OutputClaimsTransformations** element may contain a collection of **OutputClaimsTransformation** elements that are used to modify the output claims or generate new ones.
active-directory-b2c Whats New Docs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/whats-new-docs.md
Title: "What's new in Azure Active Directory business-to-customer (B2C)" description: "New and updated documentation for the Azure Active Directory business-to-customer (B2C)." Previously updated : 05/04/2021 Last updated : 06/04/2021
active-directory Application Proxy Secure Api Access https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/app-proxy/application-proxy-secure-api-access.md
Previously updated : 04/27/2021 Last updated : 05/06/2021
To register the AppProxyNativeAppSample native app:
1. Under **Name**, enter *AppProxyNativeAppSample*.
- 1. Under **Supported account types**, select **Accounts in any organizational directory and personal Microsoft accounts**.
+ 1. Under **Supported account types**, select **Accounts in any organizational directory**.
1. Under **Redirect URL**, drop down and select **Public client (mobile & desktop)**, and then enter *https://login.microsoftonline.com/common/oauth2/nativeclient*.
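Review bot: the revised **Supported account types** step drops personal Microsoft accounts without giving a reason, so a reader who registered the sample with the earlier setting cannot tell whether that setting is unsupported or just unnecessary. Add a short clause explaining the narrower audience, and confirm that the unchanged **Redirect URL** step that follows, which still uses the `common` path, is the intended value for an organizational-only registration.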
After you configure the parameters, build and run the native app. When you selec
- [Tutorial: Add an on-premises application for remote access through Application Proxy in Azure Active Directory](application-proxy-add-on-premises-application.md) - [Quickstart: Configure a client application to access web APIs](../develop/quickstart-configure-app-access-web-apis.md)-- [How to enable native client applications to interact with proxy applications](application-proxy-configure-native-client-application.md)
+- [How to enable native client applications to interact with proxy applications](application-proxy-configure-native-client-application.md)
active-directory Concept Mfa Licensing https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/authentication/concept-mfa-licensing.md
Azure AD Multi-Factor Authentication can be used, and licensed, in a few differe
| Azure AD Premium P1 | You can use [Azure AD Conditional Access](../conditional-access/howto-conditional-access-policy-all-users-mfa.md) to prompt users for multi-factor authentication during certain scenarios or events to fit your business requirements. | | Azure AD Premium P2 | Provides the strongest security position and improved user experience. Adds [risk-based Conditional Access](../conditional-access/howto-conditional-access-policy-risk.md) to the Azure AD Premium P1 features that adapts to user's patterns and minimizes multi-factor authentication prompts. | | All Microsoft 365 plans | Azure AD Multi-Factor Authentication can be [enabled on a per-user basis](howto-mfa-userstates.md), or enabled or disabled for all users using [security defaults](../fundamentals/concept-fundamentals-security-defaults.md). Management of Azure AD Multi-Factor Authentication is through the Microsoft 365 portal. For an improved user experience, upgrade to Azure AD Premium P1 or P2 and use Conditional Access. For more information, see [secure Microsoft 365 resources with multi-factor authentication](/microsoft-365/admin/security-and-compliance/set-up-multi-factor-authentication). |
-| Azure AD free | You can use [security defaults](../fundamentals/concept-fundamentals-security-defaults.md) to enable multi-factor authentication for all users. You don't have granular control of enabled users or scenarios, but it does provide that additional security step.<br /> Even when security defaults aren't used to enable multi-factor authentication for everyone, users assigned the *Azure AD Global Administrator* role can be configured to use multi-factor authentication. This feature of the free tier makes sure the critical administrator accounts are protected by multi-factor authentication. |
+| Azure AD free | You can use [security defaults](../fundamentals/concept-fundamentals-security-defaults.md) to enable multi-factor authentication for all users but you cannot enable Multi-Factor Authentication on per-user basis. You don't have granular control of enabled users or scenarios, but it does provide that additional security step.<br /> Even when security defaults aren't used to enable multi-factor authentication for everyone, users assigned the *Azure AD Global Administrator* role can be configured to use multi-factor authentication. This feature of the free tier makes sure the critical administrator accounts are protected by multi-factor authentication. |
## Feature comparison of versions
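Review bot: the clause added to the Azure AD free row ("but you cannot enable Multi-Factor Authentication on per-user basis") reads as if it conflicts with the later sentence in the same cell, which says users assigned the Global Administrator role "can be configured to use multi-factor authentication". State how those two fit together. The clause also needs a comma before "but" and an article ("on a per-user basis"), and it capitalizes "Multi-Factor Authentication" where the rest of the cell uses lower case.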
active-directory Howto Add App Roles In Azure Ad Apps https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/howto-add-app-roles-in-azure-ad-apps.md
Previously updated : 11/13/2020 Last updated : 05/06/2021
You define app roles by using the [Azure portal](https://portal.azure.com). App
There are two ways to declare app roles by using the Azure portal:
-* [App roles UI](#app-roles-ui--preview) | Preview
-* [App manifest editor](#app-manifest-editor)
+- [App roles UI](#app-roles-ui)
+- [App manifest editor](#app-manifest-editor)
-The number of roles you add counts toward application manifest limits enforced by Azure Active Directory. For information about these limits, see the [Manifest limits](./reference-app-manifest.md#manifest-limits) section of [Azure Active Directory app manifest reference](reference-app-manifest.md).
+The number of roles you add counts toward application manifest limits enforced by Azure Active Directory. For information about these limits, see the [Manifest limits](./reference-app-manifest.md#manifest-limits) section of [Azure Active Directory app manifest reference](reference-app-manifest.md).
-### App roles UI | Preview
-
-> [!IMPORTANT]
-> The app roles portal UI feature [!INCLUDE [PREVIEW BOILERPLATE](../../../includes/active-directory-develop-preview.md)]
+### App roles UI
To create an app role by using the Azure portal's user interface:
To create an app role by using the Azure portal's user interface:
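Review bot: renaming the heading from "App roles UI | Preview" to "App roles UI" changes its anchor from `#app-roles-ui--preview` to `#app-roles-ui`. The in-page link is updated in this change, but any other article that links to the old anchor will now land at the top of the page. Search the repository for the old fragment and update those links in the same commit. The replaced "Manifest limits" paragraph appears identical in the old and new lines apart from whitespace, which adds noise to the diff.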
1. Select the **Directory + subscription** filter in top menu, and then choose the Azure Active Directory tenant that contains the app registration to which you want to add an app role. 1. Search for and select **Azure Active Directory**. 1. Under **Manage**, select **App registrations**, and then select the application you want to define app roles in.
-1. Select **App roles | Preview**, and then select **Create app role**.
+1. Select **App roles**, and then select **Create app role**.
:::image type="content" source="media/howto-add-app-roles-in-azure-ad-apps/app-roles-overview-pane.png" alt-text="An app registration's app roles pane in the Azure portal":::+ 1. In the **Create app role** pane, enter the settings for the role. The table following the image describes each setting and their parameters.
- :::image type="content" source="media/howto-add-app-roles-in-azure-ad-apps/app-roles-create-context-pane.png" alt-text="An app registration's app roles create context pane in the Azure portal":::
+ :::image type="content" source="media/howto-add-app-roles-in-azure-ad-apps/app-roles-create-context-pane.png" alt-text="An app registration's app roles create context pane in the Azure portal":::
- | Field | Description | Example |
- |-|-||
- | **Display name** | Display name for the app role that appears in the admin consent and app assignment experiences. This value may contain spaces. | `Survey Writer` |
- | **Allowed member types** | Specifies whether this app role can be assigned to users, applications, or both.<br/><br/>When available to `applications`, app roles appear as application permissions in an app registration's **Manage** section > **API permissions > Add a permission > My APIs > Choose an API > Application permissions**. | `Users/Groups` |
- | **Value** | Specifies the value of the roles claim that the application should expect in the token. The value should exactly match the string referenced in the application's code. The value cannot contain spaces. | `Survey.Create` |
- | **Description** | A more detailed description of the app role displayed during admin app assignment and consent experiences. | `Writers can create surveys.` |
- | **Do you want to enable this app role?** | Specifies whether the app role is enabled. To delete an app role, deselect this checkbox and apply the change before attempting the delete operation. | *Checked* |
+ | Field | Description | Example |
+ | - | -- | -- |
+ | **Display name** | Display name for the app role that appears in the admin consent and app assignment experiences. This value may contain spaces. | `Survey Writer` |
+ | **Allowed member types** | Specifies whether this app role can be assigned to users, applications, or both.<br/><br/>When available to `applications`, app roles appear as application permissions in an app registration's **Manage** section > **API permissions > Add a permission > My APIs > Choose an API > Application permissions**. | `Users/Groups` |
+ | **Value** | Specifies the value of the roles claim that the application should expect in the token. The value should exactly match the string referenced in the application's code. The value cannot contain spaces. | `Survey.Create` |
+ | **Description** | A more detailed description of the app role displayed during admin app assignment and consent experiences. | `Writers can create surveys.` |
+ | **Do you want to enable this app role?** | Specifies whether the app role is enabled. To delete an app role, deselect this checkbox and apply the change before attempting the delete operation. | _Checked_ |
1. Select **Apply** to save your changes.
Confirm that the users and groups you added appear in the **Users and groups** l
Once you've added app roles in your application, you can assign an app role to a client app by using the Azure portal or programmatically by using [Microsoft Graph](/graph/api/user-post-approleassignments).
-When you assign app roles to an application, you create *application permissions*. Application permissions are typically used by daemon apps or back-end services that need to authenticate and make authorized API calls as themselves, without the interaction of a user.
+When you assign app roles to an application, you create _application permissions_. Application permissions are typically used by daemon apps or back-end services that need to authenticate and make authorized API calls as themselves, without the interaction of a user.
To assign app roles to an application by using the Azure portal:
The newly added roles should appear in your app registration's **API permissions
#### Grant admin consent
-Because these are *application permissions*, not delegated permissions, an admin must grant consent to use the app roles assigned to the application.
+Because these are _application permissions_, not delegated permissions, an admin must grant consent to use the app roles assigned to the application.
1. In the app registration's **API permissions** pane, select **Grant admin consent for \<tenant name\>**. 1. Select **Yes** when prompted to grant consent for the requested permissions.
To learn how to add authorization to your web API, see [Protected web API: Verif
Though you can use app roles or groups for authorization, key differences between them can influence which you decide to use for your scenario.
-| App roles | Groups |
-||-|
+| App roles | Groups |
+| | -- |
| They are specific to an application and are defined in the app registration. They move with the application. | They are not specific to an app, but to an Azure AD tenant. |
-| App roles are removed when their app registration is removed. | Groups remain intact even if the app is removed. |
-| Provided in the `roles` claim. | Provided in `groups` claim. |
+| App roles are removed when their app registration is removed. | Groups remain intact even if the app is removed. |
+| Provided in the `roles` claim. | Provided in `groups` claim. |
Developers can use app roles to control whether a user can sign in to an app or an app can obtain an access token for a web API. To extend this security control to groups, developers and admins can also assign security groups to app roles.
App roles are preferred by developers when they want to describe and control the
Learn more about app roles with the following resources.
-* Code samples on GitHub
- * [Add authorization using groups and group claims to an ASP.NET Core web app](https://aka.ms/groupssample)
- * [Angular single-page application (SPA) calling a .NET Core web API and using app roles and security groups](https://github.com/Azure-Samples/ms-identity-javascript-angular-spa-dotnetcore-webapi-roles-groups/blob/master/README.md)
-* Reference documentation
- * [Azure AD app manifest](./reference-app-manifest.md)
- * [Azure AD access tokens](access-tokens.md)
- * [Azure AD ID tokens](id-tokens.md)
- * [Provide optional claims to your app](active-directory-optional-claims.md)
-* Video: [Implement authorization in your applications with Microsoft identity platform](https://www.youtube.com/watch?v=LRoc-na27l0) (1:01:15)
+- Code samples on GitHub
+ - [Add authorization using groups and group claims to an ASP.NET Core web app](https://aka.ms/groupssample)
+ - [Angular single-page application (SPA) calling a .NET Core web API and using app roles and security groups](https://github.com/Azure-Samples/ms-identity-javascript-angular-spa-dotnetcore-webapi-roles-groups/blob/master/README.md)
+- Reference documentation
+ - [Azure AD app manifest](./reference-app-manifest.md)
+ - [Azure AD access tokens](access-tokens.md)
+ - [Azure AD ID tokens](id-tokens.md)
+ - [Provide optional claims to your app](active-directory-optional-claims.md)
+- Video: [Implement authorization in your applications with Microsoft identity platform](https://www.youtube.com/watch?v=LRoc-na27l0) (1:01:15)
active-directory Msal Net Migration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/msal-net-migration.md
If you are already familiar with the Azure AD for developers (v1.0) endpoint (an
However, you still need to use ADAL.NET if your application needs to sign in users with earlier versions of [Active Directory Federation Services (ADFS)](/windows-server/identity/active-directory-federation-services). For more information, see [ADFS support](https://aka.ms/msal-net-adfs-support). The following picture summarizes some of the differences between ADAL.NET and MSAL.NET for a public client application
-![Side-by-side code](./media/msal-compare-msaldotnet-and-adaldotnet/differences.png)
+[![Side-by-side code for public client applications](./media/msal-compare-msaldotnet-and-adaldotnet/differences.png)](./media/msal-compare-msaldotnet-and-adaldotnet/differences.png#lightbox)
+
+And the following picture summarizes some of the differences between ADAL.NET and MSAL.NET for a confidential client application
+[![Side-by-side code for confidential client applications](./media/msal-net-migration/confidential-client-application.png)](./media/msal-net-migration/confidential-client-application.png#lightbox)
### NuGet packages and Namespaces ADAL.NET is consumed from the [Microsoft.IdentityModel.Clients.ActiveDirectory](https://www.nuget.org/packages/Microsoft.IdentityModel.Clients.ActiveDirectory) NuGet package. the namespace to use is `Microsoft.IdentityModel.Clients.ActiveDirectory`.
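Review bot: the added sentence "And the following picture summarizes some of the differences between ADAL.NET and MSAL.NET for a confidential client application" has no terminal punctuation and opens with "And". Both comparisons are also delivered only as images of code, so the alt text ("Side-by-side code for ...") tells a screen-reader user nothing about the actual differences, and nobody can copy the code. Consider adding the key lines as text or a short table next to each image.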
-To use MSAL.NET you will need to add the [Microsoft.Identity.Client](https://www.nuget.org/packages/Microsoft.Identity.Client) NuGet package, and use the `Microsoft.Identity.Client` namespace
+To use MSAL.NET you will need to add the [Microsoft.Identity.Client](https://www.nuget.org/packages/Microsoft.Identity.Client) NuGet package, and use the `Microsoft.Identity.Client` namespace. If you are building a confidential client application, you also want to check out [Microsoft.Identity.Web](https://www.nuget.org/packages/Microsoft.Identity.Web).
### Scopes not resources
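Review bot: the added sentence "you also want to check out Microsoft.Identity.Web" is informal and does not say what the package is for. Suggest something like "consider also using" followed by one clause on what it adds for confidential client applications, so the reader can decide without following the link.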
Web app | Auth Code | [Acquiring tokens with authorization codes on web apps wit
ADAL.NET allows you to extend the `TokenCache` class to implement the desired persistence functionality on platforms without a secure storage (.NET Framework and .NET core) by using the `BeforeAccess`, and `BeforeWrite` methods. For details, see [Token Cache Serialization in ADAL.NET](https://github.com/AzureAD/azure-activedirectory-library-for-dotnet/wiki/Token-cache-serialization).
-MSAL.NET makes the token cache a sealed class, removing the ability to extend it. Therefore, your implementation of token cache persistence must be in the form of a helper class that interacts with the sealed token cache. This interaction is described in [Token Cache Serialization in MSAL.NET](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/token-cache-serialization).
+MSAL.NET makes the token cache a sealed class, removing the ability to extend it. Therefore, your implementation of token cache persistence must be in the form of a helper class that interacts with the sealed token cache. This interaction is described in [Token Cache Serialization in MSAL.NET](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/token-cache-serialization). The serialization will be different for a public client application (See [Token cache for a public client application](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/token-cache-serialization#token-cache-for-a-public-client-application)), and for a confidential client application (See [Token cache for a web app or web API](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/token-cache-serialization#token-cache-for-a-public-client-application))
## Signification of the common authority
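Review bot: in the added sentence, the link labelled "Token cache for a web app or web API" points to the fragment `#token-cache-for-a-public-client-application`, the same fragment as the public client link before it. This looks like a copy-paste error, so the confidential client guidance is unreachable from here. Point it at the web app or web API section of the wiki page. The sentence also lacks a final period and capitalizes "See" inside parentheses mid-sentence.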
active-directory Manage Stale Devices https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/devices/manage-stale-devices.md
A typical routine consists of the following steps:
To get all devices and store the returned data in a CSV file: ```PowerShell
-Get-AzureADDevice -All:$true | select-object -Property Enabled, DeviceId, DisplayName, DeviceTrustType, ApproximateLastLogonTimestamp | export-csv devicelist-summary.csv
+Get-AzureADDevice -All:$true | select-object -Property AccountEnabled, DeviceId, DeviceOSType, DeviceOSVersion, DisplayName, DeviceTrustType, ApproximateLastLogonTimestamp | export-csv devicelist-summary.csv -NoTypeInformation
```
-If you have a large number of devices in your directory, use the timestamp filter to narrow down the number of returned devices. To get all devices with a timestamp older than specific date and store the returned data in a CSV file:
+If you have a large number of devices in your directory, use the timestamp filter to narrow down the number of returned devices. To get all devices that haven't logged on in 90 days and store the returned data in a CSV file:
```PowerShell
-$dt = [datetime]ΓÇÖ2017/01/01ΓÇÖ
-Get-AzureADDevice -All:$true | Where {$_.ApproximateLastLogonTimeStamp -le $dt} | select-object -Property Enabled, DeviceId, DisplayName, DeviceTrustType, ApproximateLastLogonTimestamp | export-csv devicelist-olderthan-Jan-1-2017-summary.csv
+$dt = (Get-Date).AddDays(-90)
+Get-AzureADDevice -All:$true | Where {$_.ApproximateLastLogonTimeStamp -le $dt} | select-object -Property AccountEnabled, DeviceId, DeviceOSType, DeviceOSVersion, DisplayName, DeviceTrustType, ApproximateLastLogonTimestamp | export-csv devicelist-olderthan-90days-summary.csv -NoTypeInformation
``` #### Set devices to disabled
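Review bot: the new 90-day filter `Where {$_.ApproximateLastLogonTimeStamp -le $dt}` does not say how devices with an empty `ApproximateLastLogonTimestamp` are treated. Since the next step disables devices based on this list, state whether such devices are meant to be included and filter them explicitly if not. The property name is also spelled `ApproximateLastLogonTimeStamp` in the filter and `ApproximateLastLogonTimestamp` in the `select-object` list. PowerShell accepts both, but one spelling throughout would be cleaner, as would consistent cmdlet casing (`Where-Object`, `Select-Object`, `Export-Csv`).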
active-directory Licensing Group Advanced https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/enterprise-users/licensing-group-advanced.md
Previously updated : 12/02/2020 Last updated : 04/05/2021
Use the following information and examples to gain a more advanced understanding
## Usage location
-Some Microsoft services are not available in all locations. Before a license can be assigned to a user, the administrator has to specify the **Usage location** property on the user. In [the Azure portal](https://portal.azure.com), you can specify usage location in **User** &gt; **Profile** &gt; **Settings**.
+Some Microsoft services are not available in all locations. Before a license can be assigned to a user, the administrator should specify the **Usage location** property on the user. In [the Azure portal](https://portal.azure.com), you can specify usage location in **User** &gt; **Profile** &gt; **Settings**.
For group license assignment, any users without a usage location specified inherit the location of the directory. If you have users in multiple locations, make sure to reflect that correctly in your user resources before adding users to groups with licenses. > [!NOTE]
-> Group license assignment will never modify an existing usage location value on a user. We recommend that you always set usage location as part of your user creation flow in Azure AD (e.g. via AAD Connect configuration) - that will ensure the result of license assignment is always correct, and users do not receive services in locations that are not allowed.
+> Group license assignment will never modify an existing usage location value on a user. We recommend that you always set usage location as part of your user creation flow in Azure AD (for example, via AAD Connect configuration) - that will ensure the result of license assignment is always correct, and users do not receive services in locations that are not allowed.
## Use group-based licensing with dynamic groups
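Review bot: changing "has to specify" to "should specify" in the Usage location paragraph leaves the sentence internally inconsistent. "Before a license can be assigned to a user" describes a precondition, while "should" describes a recommendation. The following paragraph says users without a usage location inherit the directory's location for group assignment, so spell out which case is mandatory (direct assignment) and which has a fallback (group assignment).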
For this example, modify one user and set their extensionAttribute1 to the value
> [!WARNING] > Use caution when modifying an existing groupΓÇÖs membership rule. When a rule is changed, the membership of the group will be re-evaluated and users who no longer match the new rule will be removed (users who still match the new rule will not be affected during this process). Those users will have their licenses removed during the process which may result in loss of service, or in some cases, loss of data.
->
+>
> If you have a large dynamic group you depend on for license assignment, consider validating any major changes on a smaller test group before applying them to the main group. ## Multiple groups and multiple licenses A user can be a member of multiple groups with licenses. Here are some things to consider: -- Multiple licenses for the same product can overlap, and they result in all enabled services being applied to the user. The following example shows two licensing groups: *E3 base services* contains the foundation services to deploy first, to all users. And *E3 extended services* contains additional services (Sway and Planner) to deploy only to some users. In this example, the user was added to both groups:-
- ![Screenshot of enabled services](./media/licensing-group-advanced/view-enabled-services.png)
-
- As a result, the user has 7 of the 12 services in the product enabled, while using only one license for this product.
+- Multiple licenses for the same product can overlap, and they result in all enabled services being applied to the user. An example could be that *E3 base services* contains the foundation services to deploy first, to all users, and *E3 extended services* contains additional services (Sway and Planner) to deploy only to some users. You can add the user to both groups. As a result, the user has 7 of the 12 services in the product enabled, while using only one license for this product.
- Selecting the *E3* license shows more details, including information about which services are enabled for the user by by the group license assignment.
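Review bot: with the screenshot removed, the unchanged line that follows ("Selecting the *E3* license shows more details ...") no longer has anything to refer to. It describes a click in a view the article no longer shows. Either say where in the portal this selection is made or drop the sentence. It also contains a doubled word ("by by"). In the rewritten bullet, "An example could be that" is weaker than the original concrete example, and "You can add the user to both groups. As a result, ..." could be a single conditional sentence.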
active-directory Licensing Service Plan Reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/enterprise-users/licensing-service-plan-reference.md
When managing licenses in [the Azure portal](https://portal.azure.com/#blade/Mic
- **Service plans included (friendly names)**: A list of service plans (friendly names) in the product that correspond to the string ID and GUID >[!NOTE]
->This information is accurate as of March 2021.
+>This information is accurate as of April 2021.
| Product name | String ID | GUID | Service plans included | Service plans included (friendly names) | | | | | | |
When managing licenses in [the Azure portal](https://portal.azure.com/#blade/Mic
| Office 365 Advanced Threat Protection (Plan 1) | ATP_ENTERPRISE | 4ef96642-f096-40de-a3e9-d83fb2f90211 | ATP_ENTERPRISE (f20fedf3-f3c3-43c3-8267-2bfdd51c0939) | Office 365 Advanced Threat Protection (Plan 1) (f20fedf3-f3c3-43c3-8267-2bfdd51c0939) | | OFFICE 365 E1 | STANDARDPACK | 18181a46-0d4e-45cd-891e-60aabd171b4e | BPOS_S_TODO_1 (5e62787c-c316-451f-b873-1d05acd4d12c)<br/>Deskless (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)<br/>EXCHANGE_S_STANDARD (9aaf7827-d63c-4b61-89c3-182f06f82e5c)<br/>FLOW_O365_P1 (0f9b09cb-62d1-4ff4-9129-43f4996f83f4)<br/>FORMS_PLAN_E1 (159f4cd6-e380-449f-a816-af1a9ef76344)<br/>MCOSTANDARD (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)<br/>OFFICEMOBILE_SUBSCRIPTION (c63d4d19-e8cb-460e-b37c-4d6c34603745)<br/>POWERAPPS_O365_P1 (92f7a6f3-b89b-4bbd-8c30-809e6da5ad1c)<br/>PROJECTWORKMANAGEMENT (b737dad2-2f6c-4c65-90e3-ca563267e8b9)<br/>SHAREPOINTSTANDARD (c7699d2e-19aa-44de-8edf-1736da088ca1)<br/>SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014)<br/>STREAM_O365_E1 (743dd19e-1ce3-4c62-a3ad-49ba8f63a2f6)<br/>SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)<br/>TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>YAMMER_ENTERPRISE (7547a3fe-08ee-4ccb-b430-5077c5041653)) | BPOS_S_TODO_1 (5e62787c-c316-451f-b873-1d05acd4d12c)<br/>MICROSOFT STAFFHUB (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)<br/>EXCHANGE ONLINE (PLAN 1) (9aaf7827-d63c-4b61-89c3-182f06f82e5c)<br/>FLOW FOR OFFICE 365 (0f9b09cb-62d1-4ff4-9129-43f4996f83f4)<br/>MICROSOFT FORMS (PLAN E1) (159f4cd6-e380-449f-a816-af1a9ef76344)<br/>SKYPE FOR BUSINESS ONLINE (PLAN 2) (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)<br/>OFFICEMOBILE_SUBSCRIPTION (c63d4d19-e8cb-460e-b37c-4d6c34603745)<br/>POWERAPPS FOR OFFICE 365 (92f7a6f3-b89b-4bbd-8c30-809e6da5ad1c)<br/>MICROSOFT PLANNER(b737dad2-2f6c-4c65-90e3-ca563267e8b9)<br/>SHAREPOINTSTANDARD (c7699d2e-19aa-44de-8edf-1736da088ca1)<br/>OFFICE ONLINE (e95bec33-7c88-4a70-8e19-b10bd9d0c014)<br/>MICROSOFT STREAM FOR O365 E1 SKU (743dd19e-1ce3-4c62-a3ad-49ba8f63a2f6)<br/>SWAY 
(a23b959c-7ce8-4e57-9140-b90eb88a9e97)<br/>TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>YAMMER_ENTERPRISE (7547a3fe-08ee-4ccb-b430-5077c5041653)) | | OFFICE 365 E2 | STANDARDWOFFPACK | 6634e0ce-1a9f-428c-a498-f84ec7b8aa2e | BPOS_S_TODO_1(5e62787c-c316-451f-b873-1d05acd4d12c)<br/>Deskless (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)<br/>EXCHANGE_S_STANDARD (9aaf7827-d63c-4b61-89c3-182f06f82e5c)<br/>FLOW_O365_P1 (0f9b09cb-62d1-4ff4-9129-43f4996f83f4)<br/>FORMS_PLAN_E1 (159f4cd6-e380-449f-a816-af1a9ef76344)<br/>MCOSTANDARD (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)<br/>POWERAPPS_O365_P1 (92f7a6f3-b89b-4bbd-8c30-809e6da5ad1c)<br/>PROJECTWORKMANAGEMENT (b737dad2-2f6c-4c65-90e3-ca563267e8b9)<br/>SHAREPOINTSTANDARD (c7699d2e-19aa-44de-8edf-1736da088ca1)<br/>SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014)<br/>STREAM_O365_E1 (743dd19e-1ce3-4c62-a3ad-49ba8f63a2f6)<br/>SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)<br/>TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>YAMMER_ENTERPRISE (7547a3fe-08ee-4ccb-b430-5077c5041653) | BPOS_S_TODO_1 (5e62787c-c316-451f-b873-1d05acd4d12c)<br/>MICROSOFT STAFFHUB (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)<br/>EXCHANGE ONLINE (PLAN 1) (9aaf7827-d63c-4b61-89c3-182f06f82e5c)<br/>FLOW FOR OFFICE 365 (0f9b09cb-62d1-4ff4-9129-43f4996f83f4)<br/>MICROSOFT FORMS (PLAN E1) (159f4cd6-e380-449f-a816-af1a9ef76344)<br/>SKYPE FOR BUSINESS ONLINE (PLAN 2) (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)<br/>POWERAPPS FOR OFFICE 365 (92f7a6f3-b89b-4bbd-8c30-809e6da5ad1c)<br/>MICROSOFT PLANNER(b737dad2-2f6c-4c65-90e3-ca563267e8b9)<br/>SHAREPOINTSTANDARD (c7699d2e-19aa-44de-8edf-1736da088ca1)<br/>OFFICE ONLINE (e95bec33-7c88-4a70-8e19-b10bd9d0c014)<br/>MICROSOFT STREAM FOR O365 E1 SKU (743dd19e-1ce3-4c62-a3ad-49ba8f63a2f6)<br/>SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)<br/>TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>YAMMER_ENTERPRISE (7547a3fe-08ee-4ccb-b430-5077c5041653) |
-| OFFICE 365 E3 | ENTERPRISEPACK | 6fd2c87f-b296-42f0-b197-1e91e994b900 | BPOS_S_TODO_2 (c87f142c-d1e9-4363-8630-aaea9c4d9ae5)<br/>Deskless (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)<br/>EXCHANGE_S_ENTERPRISE (efb87545-963c-4e0d-99df-69c6916d9eb0)<br/>FLOW_O365_P2 (76846ad7-7776-4c40-a281-a386362dd1b9)<br/>FORMS_PLAN_E3 (2789c901-c14e-48ab-a76a-be334d9d793a)<br/>MCOSTANDARD (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)<br/>OFFICESUBSCRIPTION (43de0ff5-c92c-492b-9116-175376d08c38)<br/>POWERAPPS_O365_P2 (c68f8d98-5534-41c8-bf36-22fa496fa792)<br/>PROJECTWORKMANAGEMENT (b737dad2-2f6c-4c65-90e3-ca563267e8b9)<br/>RMS_S_ENTERPRISE (bea4c11e-220a-4e6d-8eb8-8ea15d019f90)<br/>SHAREPOINTENTERPRISE (5dbe027f-2339-4123-9542-606e4d348a72)<br/>SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014)<br/>STREAM_O365_E3 (9e700747-8b1d-45e5-ab8d-ef187ceec156)<br/>SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)<br/>TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>YAMMER_ENTERPRISE (7547a3fe-08ee-4ccb-b430-5077c5041653) | BPOS_S_TODO_2 (c87f142c-d1e9-4363-8630-aaea9c4d9ae5)<br/>MICROSOFT STAFFHUB (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)<br/>EXCHANGE ONLINE (PLAN 2) (efb87545-963c-4e0d-99df-69c6916d9eb0)<br/>FLOW FOR OFFICE 365 (76846ad7-7776-4c40-a281-a386362dd1b9)<br/>MICROSOFT FORMS (PLAN E3) (2789c901-c14e-48ab-a76a-be334d9d793a)<br/>SKYPE FOR BUSINESS ONLINE (PLAN 2) (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)<br/>OFFICESUBSCRIPTION (43de0ff5-c92c-492b-9116-175376d08c38)<br/>POWERAPPS FOR OFFICE 365(c68f8d98-5534-41c8-bf36-22fa496fa792)<br/>MICROSOFT PLANNER(b737dad2-2f6c-4c65-90e3-ca563267e8b9)<br/>MICROSOFT AZURE ACTIVE DIRECTORY RIGHTS (bea4c11e-220a-4e6d-8eb8-8ea15d019f90)<br/>SHAREPOINT ONLINE (PLAN 2) (5dbe027f-2339-4123-9542-606e4d348a72)<br/>OFFICE ONLINE (e95bec33-7c88-4a70-8e19-b10bd9d0c014)<br/>MICROSOFT STREAM FOR O365 E3 SKU (9e700747-8b1d-45e5-ab8d-ef187ceec156)<br/>SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)<br/>TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>YAMMER_ENTERPRISE 
(7547a3fe-08ee-4ccb-b430-5077c5041653) |
+| OFFICE 365 E3 | ENTERPRISEPACK | 6fd2c87f-b296-42f0-b197-1e91e994b900 | RMS_S_ENTERPRISE (bea4c11e-220a-4e6d-8eb8-8ea15d019f90)<br/>DYN365_CDS_O365_P2 (4ff01e01-1ba7-4d71-8cf8-ce96c3bbcf14)<br/>CDS_O365_P2 (95b76021-6a53-4741-ab8b-1d1f3d66a95a)<br/>EXCHANGE_S_ENTERPRISE (efb87545-963c-4e0d-99df-69c6916d9eb0)<br/>CONTENTEXPLORER_STANDARD (2b815d45-56e4-4e3a-b65c-66cb9175b560)<br/>MIP_S_CLP1 (5136a095-5cf0-4aff-bec3-e84448b38ea5)<br/>MYANALYTICS_P2 (33c4f319-9bdd-48d6-9c4d-410b750a4a5a)<br/>OFFICESUBSCRIPTION (43de0ff5-c92c-492b-9116-175376d08c38)<br/>MICROSOFTBOOKINGS (199a5c09-e0ca-4e37-8f7c-b05d533e1ea2)<br/>FORMS_PLAN_E3 (2789c901-c14e-48ab-a76a-be334d9d793a)<br/>KAIZALA_O365_P3 (aebd3021-9f8f-4bf8-bbe3-0ed2f4f047a1)<br/>PROJECTWORKMANAGEMENT (b737dad2-2f6c-4c65-90e3-ca563267e8b9)<br/>MICROSOFT_SEARCH (94065c59-bc8e-4e8b-89e5-5138d471eaff)<br/>DESKLESS (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)<br/>STREAM_O365_E3 (9e700747-8b1d-45e5-ab8d-ef187ceec156)<br/>TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>INTUNE_O365 (882e1d05-acd1-4ccb-8708-6ee03664b117)<br/>SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014)<br/>POWERAPPS_O365_P2 (c68f8d98-5534-41c8-bf36-22fa496fa792)<br/>FLOW_O365_P2 (76846ad7-7776-4c40-a281-a386362dd1b9)<br/>POWER_VIRTUAL_AGENTS_O365_P2 (041fe683-03e4-45b6-b1af-c0cdc516daee)<br/>PROJECT_O365_P2 (31b4e2fc-4cd6-4e7d-9c1b-41407303bd66)<br/>SHAREPOINTENTERPRISE (5dbe027f-2339-4123-9542-606e4d348a72)<br/>MCOSTANDARD (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)<br/>SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)<br/>BPOS_S_TODO_2 (c87f142c-d1e9-4363-8630-aaea9c4d9ae5)<br/>WHITEBOARD_PLAN2 (94a54592-cd8b-425e-87c6-97868b000b91)<br/>YAMMER_ENTERPRISE (7547a3fe-08ee-4ccb-b430-5077c5041653) | AZURE RIGHTS MANAGEMENT (bea4c11e-220a-4e6d-8eb8-8ea15d019f90)<br/>COMMON DATA SERVICE - O365 P2 (4ff01e01-1ba7-4d71-8cf8-ce96c3bbcf14)<br/>COMMON DATA SERVICE FOR TEAMS_P2 (95b76021-6a53-4741-ab8b-1d1f3d66a95a)<br/>EXCHANGE ONLINE (PLAN 2) 
(efb87545-963c-4e0d-99df-69c6916d9eb0)<br/>INFORMATION PROTECTION AND GOVERNANCE ANALYTICS ΓÇô STANDARD (2b815d45-56e4-4e3a-b65c-66cb9175b560)<br/>INFORMATION PROTECTION FOR OFFICE 365 ΓÇô STANDARD (5136a095-5cf0-4aff-bec3-e84448b38ea5)<br/>INSIGHTS BY MYANALYTICS (33c4f319-9bdd-48d6-9c4d-410b750a4a5a)<br/>MICROSOFT 365 APPS FOR ENTERPRISE (43de0ff5-c92c-492b-9116-175376d08c38)<br/>MICROSOFT BOOKINGS (199a5c09-e0ca-4e37-8f7c-b05d533e1ea2)<br/>MICROSOFT FORMS (PLAN E3) (2789c901-c14e-48ab-a76a-be334d9d793a)<br/>MICROSOFT KAIZALA PRO PLAN 3 (aebd3021-9f8f-4bf8-bbe3-0ed2f4f047a1)<br/>MICROSOFT PLANNER (b737dad2-2f6c-4c65-90e3-ca563267e8b9)<br/>MICROSOFT SEARCH (94065c59-bc8e-4e8b-89e5-5138d471eaff)<br/>MICROSOFT STAFFHUB (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)<br/>MICROSOFT STREAM FOR O365 E3 SKU (9e700747-8b1d-45e5-ab8d-ef187ceec156)<br/>MICROSOFT TEAMS (57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>MOBILE DEVICE MANAGEMENT FOR OFFICE 365 (882e1d05-acd1-4ccb-8708-6ee03664b117)<br/>OFFICE FOR THE WEB (e95bec33-7c88-4a70-8e19-b10bd9d0c014)<br/>POWER APPS FOR OFFICE 365 (c68f8d98-5534-41c8-bf36-22fa496fa792)<br/>POWER AUTOMATE FOR OFFICE 365 (76846ad7-7776-4c40-a281-a386362dd1b9)<br/>POWER VIRTUAL AGENTS FOR OFFICE 365 P2 (041fe683-03e4-45b6-b1af-c0cdc516daee)<br/>PROJECT FOR OFFICE (PLAN E3) (31b4e2fc-4cd6-4e7d-9c1b-41407303bd66)<br/>SHAREPOINT (PLAN 2) (5dbe027f-2339-4123-9542-606e4d348a72)<br/>SKYPE FOR BUSINESS ONLINE (PLAN 2) (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)<br/>SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)<br/>TO-DO (PLAN 2) (c87f142c-d1e9-4363-8630-aaea9c4d9ae5)<br/>WHITEBOARD (PLAN 2) (94a54592-cd8b-425e-87c6-97868b000b91)<br/>YAMMER ENTERPRISE (7547a3fe-08ee-4ccb-b430-5077c5041653) |
| OFFICE 365 E3 DEVELOPER | DEVELOPERPACK | 189a915c-fe4f-4ffa-bde4-85b9628d07a0 | BPOS_S_TODO_3 (3fb82609-8c27-4f7b-bd51-30634711ee67)<br/>EXCHANGE_S_ENTERPRISE (efb87545-963c-4e0d-99df-69c6916d9eb0)<br/>FLOW_O365_P2 (76846ad7-7776-4c40-a281-a386362dd1b9)<br/>FORMS_PLAN_E5 (e212cbc7-0961-4c40-9825-01117710dcb1)<br/>MCOSTANDARD (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)<br/>OFFICESUBSCRIPTION (43de0ff5-c92c-492b-9116-175376d08c38)<br/>POWERAPPS_O365_P2 (c68f8d98-5534-41c8-bf36-22fa496fa792)<br/>PROJECTWORKMANAGEMENT (b737dad2-2f6c-4c65-90e3-ca563267e8b9)<br/>SHAREPOINT_S_DEVELOPER (a361d6e2-509e-4e25-a8ad-950060064ef4)<br/>SHAREPOINTWAC_DEVELOPER (527f7cdd-0e86-4c47-b879-f5fd357a3ac6)<br/>STREAM_O365_E5 (6c6042f5-6f01-4d67-b8c1-eb99d36eed3e)<br/>SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)<br/>TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929) | BPOS_S_TODO_3 (3fb82609-8c27-4f7b-bd51-30634711ee67)<br/>EXCHANGE ONLINE (PLAN 2) (efb87545-963c-4e0d-99df-69c6916d9eb0)<br/>FLOW FOR OFFICE 365 (76846ad7-7776-4c40-a281-a386362dd1b9)<br/>MICROSOFT FORMS (PLAN E5) (e212cbc7-0961-4c40-9825-01117710dcb1)<br/>SKYPE FOR BUSINESS ONLINE (PLAN 2) (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)<br/>OFFICESUBSCRIPTION (43de0ff5-c92c-492b-9116-175376d08c38)<br/>POWERAPPS FOR OFFICE 365(c68f8d98-5534-41c8-bf36-22fa496fa792)<br/>MICROSOFT PLANNER(b737dad2-2f6c-4c65-90e3-ca563267e8b9)<br/>SHAREPOINT_S_DEVELOPER (a361d6e2-509e-4e25-a8ad-950060064ef4)<br/>OFFICE ONLINE FOR DEVELOPER (527f7cdd-0e86-4c47-b879-f5fd357a3ac6)<br/>MICROSOFT STREAM FOR O365 E5 SKU (6c6042f5-6f01-4d67-b8c1-eb99d36eed3e)<br/>SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)<br/>TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929) | | Office 365 E3_USGOV_DOD | ENTERPRISEPACK_USGOV_DOD | b107e5a3-3e60-4c0d-a184-a7e4395eb44c | EXCHANGE_S_ENTERPRISE (efb87545-963c-4e0d-99df-69c6916d9eb0)<br/>RMS_S_ENTERPRISE (bea4c11e-220a-4e6d-8eb8-8ea15d019f90)<br/>STREAM_O365_E3 (9e700747-8b1d-45e5-ab8d-ef187ceec156)<br/>TEAMS_AR_DOD 
(fd500458-c24c-478e-856c-a6067a8376cd)<br/>OFFICESUBSCRIPTION (43de0ff5-c92c-492b-9116-175376d08c38)<br/>SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014)<br/>SHAREPOINTENTERPRISE (5dbe027f-2339-4123-9542-606e4d348a72)<br/>MCOSTANDARD (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)| Exchange Online (Plan 2) (efb87545-963c-4e0d-99df-69c6916d9eb0)<br/>Microsoft Azure Active Directory Rights (bea4c11e-220a-4e6d-8eb8-8ea15d019f90)<br/>Microsoft Stream for O365 E3 SKU (9e700747-8b1d-45e5-ab8d-ef187ceec156)<br/>Microsoft Teams for DOD (AR) (fd500458-c24c-478e-856c-a6067a8376cd)<br/>Office 365 ProPlus (43de0ff5-c92c-492b-9116-175376d08c38)<br/>Office Online (e95bec33-7c88-4a70-8e19-b10bd9d0c014)<br/>SharePoint Online (Plan 2) (5dbe027f-2339-4123-9542-606e4d348a72)<br/>Skype for Business Online (Plan 2) (0feaeb32-d00e-4d66-bd5a-43b5b83db82c) | | Office 365 E3_USGOV_GCCHIGH | ENTERPRISEPACK_USGOV_GCCHIGH | aea38a85-9bd5-4981-aa00-616b411205bf | EXCHANGE_S_ENTERPRISE (efb87545-963c-4e0d-99df-69c6916d9eb0)<br/>RMS_S_ENTERPRISE (bea4c11e-220a-4e6d-8eb8-8ea15d019f90)<br/>PROJECTWORKMANAGEMENT (b737dad2-2f6c-4c65-90e3-ca563267e8b9)<br/>STREAM_O365_E3 (9e700747-8b1d-45e5-ab8d-ef187ceec156)<br/>TEAMS_AR_GCCHIGH (9953b155-8aef-4c56-92f3-72b0487fce41)<br/>OFFICESUBSCRIPTION (43de0ff5-c92c-492b-9116-175376d08c38)<br/>SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014)<br/>SHAREPOINTENTERPRISE (5dbe027f-2339-4123-9542-606e4d348a72)<br/>MCOSTANDARD (0feaeb32-d00e-4d66-bd5a-43b5b83db82c) | Exchange Online (Plan 2) (efb87545-963c-4e0d-99df-69c6916d9eb0)<br/>Microsoft Azure Active Directory Rights (bea4c11e-220a-4e6d-8eb8-8ea15d019f90)<br/>Microsoft Planner (b737dad2-2f6c-4c65-90e3-ca563267e8b9)<br/>Microsoft Stream for O365 E3 SKU (9e700747-8b1d-45e5-ab8d-ef187ceec156)<br/>Microsoft Teams for GCCHigh (AR) (9953b155-8aef-4c56-92f3-72b0487fce41)<br/>Office 365 ProPlus (43de0ff5-c92c-492b-9116-175376d08c38)<br/>Office Online (e95bec33-7c88-4a70-8e19-b10bd9d0c014)<br/>SharePoint Online (Plan 2) 
(5dbe027f-2339-4123-9542-606e4d348a72)<br/>Skype for Business Online (Plan 2) (0feaeb32-d00e-4d66-bd5a-43b5b83db82c) |
active-directory Leave The Organization https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/external-identities/leave-the-organization.md
Previously updated : 06/13/2019 Last updated : 05/05/2021
To leave an organization, follow these steps.
1. Go to your Access Panel Profile page by doing one of the following steps: - In the [Azure portal](https://portal.azure.com), click your name in the upper right and select **View account**.
- - Open your [Access Panel](https://myapps.microsoft.com), click your name in the upper right, and next to **Organizations**, select the settings icon (gear).
+ - Open your [Access Panel](https://myapps.microsoft.com), click your name in the upper right, and next to **Organizations** and select **View account**.
- ![Screenshot showing user settings in Access Panel](media/leave-the-organization/UserSettings.png)
-
- > [!NOTE]
- > If youΓÇÖre not already signed in to the organization you want to leave, under **Organizations**, click the **Sign in to leave organization** link next to the organizationΓÇÖs name. After youΓÇÖre signed in, click your name again in the upper right and next to **Organizations**, select the settings icon (gear).
-
+
+2. Select **Manage Organizations**.
+ ![Screenshot showing user settings in Access Panel](media/leave-the-organization/manage-organizations.png)
+
3. Under **Organizations**, find the organization that you want to leave, and select **Leave organization**.
- ![Screenshot showing Leave organization option in the user interface](media/leave-the-organization/LeaveOrg.png)
-
-4. When asked to confirm, select **Leave**.
+ ![Screenshot showing Leave organization option in the user interface](media/leave-the-organization/leave-org.png)
+4. When asked to confirm, select **Leave**.
+> [!NOTE]
+ > You cannot leave your home organization.
## Account removal
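Review bot: In the added Access Panel bullet under step 1, "and next to **Organizations** and select **View account**" keeps a fragment of the old sentence and no longer parses; if the new flow is to click your name and choose View account, drop "next to **Organizations** and". The note added after step 4 is also split across two indent levels ("> [!NOTE]" flush left, "> You cannot leave your home organization." indented), so it may not render as a single note block; give both lines the same indentation.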
active-directory Active Directory Compare Azure Ad To Ad https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/active-directory-compare-azure-ad-to-ad.md
Most IT administrators are familiar with Active Directory Domain Services concep
|Provisioning: external identities| Organizations create external users manually as regular users in a dedicated external AD forest, resulting in administration overhead to manage the lifecycle of external identities (guest users)| Azure AD provides a special class of identity to support external identities. [Azure AD B2B](/azure/active-directory/b2b/) will manage the link to the external user identity to make sure they are valid. | | Entitlement management and groups| Administrators make users members of groups. App and resource owners then give groups access to apps or resources.| [Groups](./active-directory-groups-create-azure-portal.md) are also available in Azure AD and administrators can also use groups to grant permissions to resources. In Azure AD, administrators can assign membership to groups manually or use a query to dynamically include users to a group. </br> Administrators can use [Entitlement management](../governance/entitlement-management-overview.md) in Azure AD to give users access to a collection of apps and resources using workflows and, if necessary, time-based criteria. | | Admin management|Organizations will use a combination of domains, organizational units, and groups in AD to delegate administrative rights to manage the directory and resources it controls.| Azure AD provides [built-in roles](./active-directory-users-assign-role-azure-portal.md) with its Azure AD role-based access control (Azure AD RBAC) system, with limited support for [creating custom roles](../roles/custom-overview.md) to delegate privileged access to the identity system, the apps, and resources it controls.</br>Managing roles can be enhanced with [Privileged Identity Management (PIM)](../privileged-identity-management/pim-configure.md) to provide just-in-time, time-restricted, or workflow-based access to privileged roles. |
-| Credential management| Credentials in Active Directory is based on passwords, certificate authentication, and smartcard authentication. Passwords are managed using password policies that are based on password length, expiry, and complexity.|Azure AD uses intelligent [password protection](../authentication/concept-password-ban-bad.md) for cloud and on-premises. Protection includes smart lockout plus blocking common and custom password phrases and substitutions. </br>Azure AD significantly boosts security [through Multi-factor authentication](../authentication/concept-mfa-howitworks.md) and [passwordless](../authentication/concept-authentication-passwordless.md) technologies, like FIDO2. </br>Azure AD reduces support costs by providing users a [self-service password reset](../authentication/concept-sspr-howitworks.md) system. |
+| Credential management| Credentials in Active Directory are based on passwords, certificate authentication, and smartcard authentication. Passwords are managed using password policies that are based on password length, expiry, and complexity.|Azure AD uses intelligent [password protection](../authentication/concept-password-ban-bad.md) for cloud and on-premises. Protection includes smart lockout plus blocking common and custom password phrases and substitutions. </br>Azure AD significantly boosts security [through Multi-factor authentication](../authentication/concept-mfa-howitworks.md) and [passwordless](../authentication/concept-authentication-passwordless.md) technologies, like FIDO2. </br>Azure AD reduces support costs by providing users a [self-service password reset](../authentication/concept-sspr-howitworks.md) system. |
| **Apps**||| | Infrastructure apps|Active Directory forms the basis for many infrastructure on-premises components, for example, DNS, DHCP, IPSec, WiFi, NPS, and VPN access|In a new cloud world, Azure AD, is the new control plane for accessing apps versus relying on networking controls. When users authenticate[, Conditional access (CA)](../conditional-access/overview.md), will control which users, will have access to which apps under required conditions.| | Traditional and legacy apps| Most on-premises apps use LDAP, Windows-Integrated Authentication (NTLM and Kerberos), or Header-based authentication to control access to users.| Azure AD can provide access to these types of on-premises apps using [Azure AD application proxy](../manage-apps/application-proxy.md) agents running on-premises. Using this method Azure AD can authenticate Active Directory users on-premises using Kerberos while you migrate or need to coexist with legacy apps. |
active-directory Azure Pim Resource Rbac https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/privileged-identity-management/azure-pim-resource-rbac.md
editor: '' + - Previously updated : 01/10/2020 Last updated : 04/20/2021 # View activity and audit history for Azure resource roles in Privileged Identity Management
-With Azure Active Directory (Azure AD) Privileged Identity Management (PIM), you can view activity, activations, and audit history for Azure resources roles within your organization. This includes subscriptions, resource groups, and even virtual machines. Any resource within the Azure portal that leverages the Azure role-based access control functionality can take advantage of the security and lifecycle management capabilities in Privileged Identity Management.
+With Azure Active Directory (Azure AD) Privileged Identity Management (PIM), you can view activity, activations, and audit history for Azure resources roles within your organization. This includes subscriptions, resource groups, and even virtual machines. Any resource within the Azure portal that leverages the Azure role-based access control functionality can take advantage of the security and lifecycle management capabilities in Privileged Identity Management. If you want to retain audit data for longer than the default retention period, you can use Azure Monitor to route it to an Azure storage account. For more information, see [Archive Azure AD logs to an Azure storage account](../reports-monitoring/quickstart-azure-monitor-route-logs-to-storage-account.md).
> [!NOTE] > If your organization has outsourced management functions to a service provider who uses [Azure delegated resource management](../../lighthouse/concepts/azure-delegated-resource-management.md), role assignments authorized by that service provider won't be shown here.
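Review bot: The sentence added to the intro paragraph refers to "the default retention period" without saying how long that is, so a reader cannot tell when audit data stops being available. State the period in this paragraph or link to where it is documented, next to the existing link to the archive quickstart.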
active-directory Groups Assign Member Owner https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/privileged-identity-management/groups-assign-member-owner.md
Follow these steps to make a user eligible to be a member or owner of a privileg
1. In the **Assignment type** list, select **Eligible** or **Active**. Privileged access groups provide two distinct assignment types:
- - **Eligible** assignments require the member of the role to perform an action to use the role. Actions might include performing a multi-factor authentication (MFA) check, providing a business justification, or requesting approval from designated approvers.
+ - **Eligible** assignments require the member of the role to perform an action to use the role. Actions might include performing a multi-factor authentication (MFA) check, providing a business justification, or requesting approval from designated approvers.
+
+ > [!Important]
+ > For privileged access groups used for elevating into Azure AD roles, Microsoft recommends that you require an approval process for eligible member assignments. Assignments that can be activated without approval can leave you vulnerable to a security risk from another administrator with permission to reset an eligible user's passwords.
- **Active** assignments don't require the member to perform any action to use the role. Members assigned as active have the privileges assigned to the role at all times.
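Review bot: In the added Important block under **Eligible**, "reset an eligible user's passwords" should be singular ("password"), and the alert tag is written "[!Important]" where the other alerts in this update use upper case ("[!NOTE]", "[!IMPORTANT]"). The risk sentence would also read more clearly if it said what the approval step protects against: an administrator who can reset the eligible user's password could sign in as that user and activate the assignment unless a separate approver has to agree.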
active-directory Pim How To Activate Role https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/privileged-identity-management/pim-how-to-activate-role.md
Previously updated : 03/22/2021 Last updated : 03/15/2021
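Review bot: The update date moves backwards on this line, from 03/22/2021 to 03/15/2021. Confirm the new value is intended and not a stale date carried over from an older branch.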
active-directory Pim How To Use Audit Log https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/privileged-identity-management/pim-how-to-use-audit-log.md
# View audit history for Azure AD roles in Privileged Identity Management
-You can use the Privileged Identity Management (PIM) audit history to see all role assignments and activations within the past 30 days for all privileged roles. If you want to see the full audit history of activity in your Azure Active Directory (Azure AD) organization, including administrator, end user, and synchronization activity, you can use the [Azure Active Directory security and activity reports](../reports-monitoring/overview-reports.md).
+You can use the Privileged Identity Management (PIM) audit history to see all role assignments and activations within the past 30 days for all privileged roles. If you want to retain audit data for longer than the default retention period, you can use Azure Monitor to route it to an Azure storage account. For more information, see [Archive Azure AD logs to an Azure storage account](../reports-monitoring/quickstart-azure-monitor-route-logs-to-storage-account.md). If you want to see the full audit history of activity in your Azure Active Directory (Azure AD) organization, including administrator, end user, and synchronization activity, you can use the [Azure Active Directory security and activity reports](../reports-monitoring/overview-reports.md).
## Determine your version of PIM
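Review bot: The added sentence follows "within the past 30 days" but speaks of "the default retention period", which leaves open whether 30 days is the retention limit or only the window this view displays. Say which it is, because that decides how soon routing to a storage account has to be configured.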
active-directory Pim Resource Roles Configure Role Settings https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/privileged-identity-management/pim-resource-roles-configure-role-settings.md
Follow these steps to open the settings for an Azure resource role.
![Azure resources page listing resources that can be managed](./media/pim-resource-roles-configure-role-settings/resources-list.png)
-1. Select **Role settings**.
+1. Select **Settings**.
![Role settings page listing Azure resource roles](./media/pim-resource-roles-configure-role-settings/resources-role-settings.png)
Follow these steps to open the settings for an Azure resource role.
![Role setting details page listing several assignment and activation settings](./media/pim-resource-roles-configure-role-settings/resources-role-setting-details.png)
-1. Select **Edit** to open the **Role settings** pane. The first tab allows you to update the configuration for role activation in Privileged Identity Management.
+1. Select **Edit** to open the **Edit role setting** pane. The first tab allows you to update the configuration for role activation in Privileged Identity Management.
![Edit role settings page with Activation tab open](./media/pim-resource-roles-configure-role-settings/role-settings-activation-tab.png)
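Review bot: The step text is renamed to **Settings** and **Edit role setting**, but the image alt text beside each step still reads "Role settings page listing Azure resource roles" and "Edit role settings page with Activation tab open". Update the alt text to the new labels and check that the screenshots themselves show them.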
active-directory Concept Sign Ins https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/reports-monitoring/concept-sign-ins.md
na Previously updated : 04/29/2021 Last updated : 05/06/2021
You can use the the sign-ins log to find answers to questions like:
## Who can access it?
-You can always access your own sign-ins log.
+You can always access your own sign-ins history using this link: [https://mysignins.microsoft.com](https://mysignins.microsoft.com)
-To access the sign-ins log of another user, you need to be:
+To access the sign-ins log, you need to be:
- A global administrator
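Review bot: Dropping "of another user" from "To access the sign-ins log, you need to be:" makes the role list read as a requirement for any access, directly after the sentence saying you can always see your own sign-ins history. Keep the distinction explicit, for example "To access the sign-ins log for your organization, you need to be:". The unchanged line above the heading also has a doubled word in "You can use the the sign-ins log", and the added sentence ending in the mysignins link has no closing period.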
active-directory Howto Analyze Activity Logs Log Analytics https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/reports-monitoring/howto-analyze-activity-logs-log-analytics.md
description: Learn how to analyze Azure Active Directory activity logs using Azu
documentationcenter: '' -+ editor: '' ms.assetid: 4535ae65-8591-41ba-9a7d-b7f00c574426
na Previously updated : 04/18/2019 Last updated : 05/06/2021 -+
The logs are pushed to the **AuditLogs** and **SigninLogs** tables in the worksp
1. From the default query view in the previous section, select **Schema** and expand the workspace. 2. Expand the **Log Management** section and then expand either **AuditLogs** or **SigninLogs** to view the log schema.
- ![Audit logs](./media/howto-analyze-activity-logs-log-analytics/auditlogschema.png)
- ![Signin logs](./media/howto-analyze-activity-logs-log-analytics/signinlogschema.png)
## Query the Azure AD activity logs
active-directory Howto Manage Inactive User Accounts https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/reports-monitoring/howto-manage-inactive-user-accounts.md
na Previously updated : 05/05/2021 Last updated : 05/06/2021
In large environments, user accounts are not always deleted when employees leave
This article explains a method to handle obsolete user accounts in Azure AD.
+> [!IMPORTANT]
+> APIs under the `/beta` version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the **Version** selector.
+ ## What are inactive user accounts? Inactive accounts are user accounts that are not required anymore by members of your organization to gain access to your resources. One key identifier for inactive accounts is that they haven't been used *for a while* to sign-in to your environment. Because inactive accounts are tied to the sign-in activity, you can use the timestamp of the last sign-in that was successful to detect them.
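Review bot: The added IMPORTANT block warns about `/beta` Microsoft Graph APIs but is placed above "## What are inactive user accounts?", and nothing in the visible lines says which call in this article depends on `/beta`. Move the note next to the step that uses the beta endpoint, or name the API in the note so readers know what is unsupported in production.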
active-directory Reference Azure Monitor Audit Log Schema https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/reports-monitoring/reference-azure-monitor-audit-log-schema.md
- Title: Interpret the Azure Active Directory audit log schema in Azure Monitor | Microsoft Docs
-description: Describe the Azure AD audit log schema for use in Azure Monitor
-------- Previously updated : 04/18/2019------
-# Interpret the Azure AD audit logs schema in Azure Monitor (preview)
-
-This article describes the Azure Active Directory (Azure AD) audit log schema in Azure Monitor. Each individual log entry is stored as text and formatted as a JSON blob, as shown in the following two examples:
-
-```json
-{
- "records": [
- {
- "time": "2018-03-17T00:14:31.2585575Z",
- "operationName": "Change password (self-service)",
- "operationVersion": "1.0",
- "category": "Audit",
- "tenantId": "bf85dc9d-cb43-44a4-80c4-469e8c58249e",
- "resultType": "Success",
- "resultSignature": "-1",
- "resultDescription": "None",
- "durationMs": "-1",
- "correlationId": "60d5e89a-b890-413f-9e25-a047734afe9f",
- "identity": "sreens@wingtiptoysonline.com",
- "Level": "Informational",
- "location": "WUS",
- "properties": {
- "identityType": "UPN",
- "operationType": "Update",
- "additionalDetails": "None",
- "additionalTargets": "",
- "targetUpdatedProperties": "",
- "targetResourceType": "UPN__TenantContextID__PUID__ObjectID__ObjectClass",
- "targetResourceName": "sreens@wingtiptoysonline.com__bf85dc9d-cb43-44a4-80c4-469e8c58249e__1003BFFD9FEB17DB__7a408bdd-7d97-4574-8511-dd747b56465d__User",
- "auditEventCategory": "UserManagement"
- }
- }
- ]
-}
-```
-
-```json
-{
- "records": [
- {
- "time": "2018-03-18T19:47:43.0368859Z",
- "operationName": "Update service principal.",
- "operationVersion": "1.0",
- "category": "Audit",
- "tenantId": "bf85dc9d-cb43-44a4-80c4-469e8c58249e",
- "resultType": "Success",
- "resultSignature": "-1",
- "durationMs": "-1",
- "callerIpAddress": "<null>",
- "correlationId": "14916c7a-5a7d-44e8-9b06-74b49efb08ee",
- "identity": "NA",
- "Level": "Informational",
- "properties": {
- "identityType": "NA",
- "operationType": "Update",
- "additionalDetails": {},
- "additionalTargets": "",
- "targetUpdatedProperties": [
- {
- "Name": "Included Updated Properties",
- "OldValue": null,
- "NewValue": ""
- },
- {
- "Name": "TargetId.ServicePrincipalNames",
- "OldValue": null,
- "NewValue": "http://adapplicationregistry.onmicrosoft.com/salesforce.com/primary;cd3ed3de-93ee-400b-8b19-b61ef44a0f29"
- }
- ],
- "targetResourceType": "Other__ObjectID__ObjectClass__Name__AppId__SPN",
- "targetResourceName": "ServicePrincipal_ea70a262-4da3-440a-b396-9734ddfd9df2__ea70a262-4da3-440a-b396-9734ddfd9df2__ServicePrincipal__Salesforce__cd3ed3de-93ee-400b-8b19-b61ef44a0f29__http://adapplicationregistry.onmicrosoft.com/salesforce.com/primary;cd3ed3de-93ee-400b-8b19-b61ef44a0f29",
- "auditEventCategory": "ApplicationManagement"
- }
- }
- ]
-}
-```
-
-```json
-{
- "records": [
- {
- "time": "2018-12-10T00:03:46.6161822Z",
- "resourceId": "/tenants/7918d4b5-0442-4a97-be2d-36f9f9962ece/providers/Microsoft.aadiam",
- "operationName": "Update policy",
- "operationVersion": "1.0",
- "category": "AuditLogs",
- "tenantId": "7918d4b5-0442-4a97-be2d-36f9f9962ece",
- "resultSignature": "None",
- "durationMs": 0,
- "callerIpAddress": "<null>",
- "correlationId": "192298c1-0994-4dd6-b05a-a6c5984c31cb",
- "identity": "MS-PIM",
- "level": "Informational",
- "properties": {
- "id": "Directory_VNXV4_28148892",
- "category": "Policy",
- "correlationId": "192298c1-0994-4dd6-b05a-a6c5984c31cb",
- "result": 0,
- "resultReason": "",
- "activityDisplayName": "Update policy",
- "activityDateTime": "2018-12-10T00:03:46.6161822+00:00",
- "loggedByService": "Core Directory",
- "operationType": "Update",
- "initiatedBy": {},
- "targetResources": [
- {
- "id": "5e7a8ae7-165d-44a4-a4f4-6141f8c8ef40",
- "displayName": "Default Policy",
- "type": "Policy",
- "modifiedProperties": []
- }
- ],
- "additionalDetails": []
- }
- }
- ]
-}
-
-```
-
-## Field and property descriptions
-
-| Field name | Description |
-||-|
-| time | The date and time (UTC). |
-| operationName | The name of the operation. |
-| operationVersion | The REST API version that's requested by the client. |
-| category | Currently, *Audit* is the only supported value. |
-| tenantId | The tenant GUID that's associated with the logs. |
-| resultType | The result of the operation. The result can be *Success* or *Failure*. |
-| resultSignature | This field is unmapped, and you can safely ignore it. |
-| resultDescription | An additional description of the result, where available. |
-| durationMs | This field is unmapped, and you can safely ignore it. |
-| callerIpAddress | The IP address of the client that made the request. |
-| correlationId | An optional GUID that's passed by the client. It can help correlate client-side operations with server-side operations and it's useful when you're tracking logs that span services. |
-| identity | The identity from the token that was presented when you made the request. The identity can be a user account, system account, or service principal. |
-| level | The message type. For audit logs, the level is always *Informational*. |
-| location | The location of the datacenter. |
-| properties | Lists the supported properties that are related to an audit log. For more information, see the next table. |
-
-<br>
-
-| Property name | Description |
-||-|
-| AuditEventCategory | The type of audit event. It can be *User Management*, *Application Management*, or another type.|
-| Identity Type | The type can be *Application* or *User*. |
-| Operation Type | The type can be *Add*, *Update*, *Delete*. or *Other*. |
-| Target Resource Type | Specifies the target resource type that the operation was performed on. The type can be *Application*, *User*, *Role*, *Policy* |
-| Target Resource Name | The name of the target resource. It can be an application name, a role name, a user principal name, or a service principal name. |
-| additionalTargets | Lists any additional properties for specific operations. For example, for an update operation, the old values and the new values are listed under *targetUpdatedProperties*. |
-
-## Next steps
-
-* [Interpret sign-in logs schema in Azure Monitor](reference-azure-monitor-sign-ins-log-schema.md)
-* [Azure diagnostics logs](../../azure-monitor/essentials/platform-logs-overview.md)
-* [Frequently asked questions and known issues](concept-activity-logs-azure-monitor.md#frequently-asked-questions)
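Review bot: The whole article is deleted, field and property tables included, and nothing in the visible lines adds a redirect or points readers to a replacement. Confirm that links to reference-azure-monitor-audit-log-schema.md from other articles are updated or redirected, and that the field descriptions remain available somewhere for people parsing exported audit records.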
active-directory Groups Concept https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/roles/groups-concept.md
Previously updated : 04/27/2021 Last updated : 05/05/2021
If you do not want members of the group to have standing access to the role, you
If a group is assigned a role, any IT admin who can manage group membership could also indirectly manage the membership of that role. For example, assume that a group Contoso_User_Administrators is assigned to User account admin role. An Exchange admin who can modify group membership could add themselves to the Contoso_User_Administrators group and in that way become a User account admin. As you can see, an admin could elevate their privilege in a way you did not intend.
-Azure AD allows you to protect a group assigned to a role by using a new property called isAssignableToRole for groups. Only cloud groups that had the isAssignableToRole property set to ΓÇÿtrueΓÇÖ at creation time can be assigned to a role. This property is immutable; once a group is created with this property set to ΓÇÿtrueΓÇÖ, it canΓÇÖt be changed. You can't set the property on an existing group.
-We designed how groups are assigned to roles to prevent that sort of potential breach from happening:
+Azure AD allows you to protect a group assigned to a role by using a new property called isAssignableToRole for groups. Only cloud groups that had the isAssignableToRole property set to ΓÇÿtrueΓÇÖ at creation time can be assigned to a role. This property is immutable; once a group is created with this property set to ΓÇÿtrueΓÇÖ, it canΓÇÖt be changed. You can't set the property on an existing group. We designed how groups are assigned to roles to help prevent potential breaches from happening:
- Only Global admins and Privileged role admins can create a role-assignable group (with the "isAssignableToRole" property enabled). - It can't be an Azure AD dynamic group; that is, it must have a membership type of "Assigned." Automated population of dynamic groups could lead to an unwanted account being added to the group and thus assigned to the role.
The following scenarios are not supported right now:
- Use the new [Exchange Admin Center](https://admin.exchange.microsoft.com/) for role assignments via group membership. The old Exchange Admin Center doesnΓÇÖt support this feature yet. Exchange PowerShell cmdlets will work as expected. - Azure Information Protection Portal (the classic portal) doesn't recognize role membership via group yet. You can [migrate to the unified sensitivity labeling platform](/azure/information-protection/configure-policy-migrate-labels) and then use the Office 365 Security & Compliance center to use group assignments to manage roles. - [Apps Admin Center](https://config.office.com/) doesn't support this feature yet. Assign users directly to Office Apps Administrator role.-- [M365 Compliance Center](https://compliance.microsoft.com/) doesn't support this feature yet. Assign users directly to appropriate Azure AD roles to use this portal.
+- [Microsoft 365 Compliance Center](https://compliance.microsoft.com/) doesn't support this feature yet. Assign users directly to appropriate Azure AD roles to use this portal.
We are fixing these issues.
active-directory Academy Attendance Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/academy-attendance-tutorial.md
Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Academy Attendance | Microsoft Docs'
+ Title: "Tutorial: Azure Active Directory single sign-on (SSO) integration with Academy Attendance | Microsoft Docs"
description: Learn how to configure single sign-on between Azure Active Directory and Academy Attendance.
In this tutorial, you'll learn how to integrate Academy Attendance with Azure Active Directory (Azure AD). When you integrate Academy Attendance with Azure AD, you can:
-* Control in Azure AD who has access to Academy Attendance.
-* Enable your users to be automatically signed-in to Academy Attendance with their Azure AD accounts.
-* Manage your accounts in one central location - the Azure portal.
+- Control in Azure AD who has access to Academy Attendance.
+- Enable your users to be automatically signed-in to Academy Attendance with their Azure AD accounts.
+- Manage your accounts in one central location - the Azure portal.
## Prerequisites To get started, you need the following items:
-* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
-* Academy Attendance single sign-on (SSO) enabled subscription.
+- An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+- Academy Attendance single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Academy Attendance supports **SP** initiated SSO
-
-* Academy Attendance supports **Just In Time** user provisioning
+- Academy Attendance supports **SP** initiated SSO
+- Academy Attendance supports **Just In Time** user provisioning
## Adding Academy Attendance from the gallery
To configure the integration of Academy Attendance into Azure AD, you need to ad
1. In the **Add from the gallery** section, type **Academy Attendance** in the search box. 1. Select **Academy Attendance** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. - ## Configure and test Azure AD SSO for Academy Attendance Configure and test Azure AD SSO with Academy Attendance using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Academy Attendance.
Configure and test Azure AD SSO with Academy Attendance using a test user called
To configure and test Azure AD SSO with Academy Attendance, perform the following steps: 1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
- 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
- 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
1. **[Configure Academy Attendance SSO](#configure-academy-attendance-sso)** - to configure the single sign-on settings on application side.
- 1. **[Create Academy Attendance test user](#create-academy-attendance-test-user)** - to have a counterpart of B.Simon in Academy Attendance that is linked to the Azure AD representation of user.
+ 1. **[Create Academy Attendance test user](#create-academy-attendance-test-user)** - to have a counterpart of B.Simon in Academy Attendance that is linked to the Azure AD representation of user.
1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ## Configure Azure AD SSO
Follow these steps to enable Azure AD SSO in the Azure portal.
1. On the **Basic SAML Configuration** section, enter the values for the following fields:
- 1. In the **Sign on URL** text box, type a URL using the following pattern:
- `https://<SUBDOMAIN>.aattendance.com/sso/saml2/login?idp=<IDP_NAME>`
+ 1. In the **Sign on URL** text box, type a URL using the following pattern:
+ `https://<SUBDOMAIN>.aattendance.com/sso/saml2/login?idp=<IDP_NAME>`
- 1. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
- `https://<SUBDOMAIN>.aattendance.com/sso/saml2/metadata?idp=<IDP_NAME>`
+ 1. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
+ `https://<SUBDOMAIN>.aattendance.com/sso/saml2/metadata?idp=<IDP_NAME>`
- > [!NOTE]
- > These values are not real. Update these values with the actual Sign on URL and Identifier. Contact [Academy Attendance Client support team](mailto:support@yournextconcepts.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+ > [!NOTE]
+ > These values are not real. Update these values with the actual Sign on URL and Identifier. Contact [Academy Attendance Client support team](mailto:support@yournextconcepts.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
1. Your Academy Attendance application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.
- ![image](common/edit-attribute.png)
+ ![image](common/edit-attribute.png)
1. In addition to above, Academy Attendance application expects few more attributes to be passed back in SAML response which are shown below. These attributes are also pre populated but you can review them as per your requirement.
- | Name | Source Attribute|
- | | |
- | role | user.assignedroles |
+ | Name | Source Attribute |
+ | - | |
+ | role | user.assignedroles |
- > [!NOTE]
- > Academy Attendance supports two roles for users: **Lecturer** and **Student**. Set up these roles in Azure AD so that users can be assigned the appropriate roles. Please refer to [this](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui--preview) doc which explains how to create custom roles in Azure AD.
+ > [!NOTE]
+ > Academy Attendance supports two roles for users: **Lecturer** and **Student**. Set up these roles in Azure AD so that users can be assigned the appropriate roles. Please refer to [this](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui) doc which explains how to create custom roles in Azure AD.
-1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.
+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.
- ![The Certificate download link](common/metadataxml.png)
+ ![The Certificate download link](common/metadataxml.png)
1. On the **Set up Academy Attendance** section, copy the appropriate URL(s) based on your requirement.
- ![Copy configuration URLs](common/copy-configuration-urls.png)
+ ![Copy configuration URLs](common/copy-configuration-urls.png)
### Create an Azure AD test user
In this section, you'll create a test user in the Azure portal called B.Simon.
1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**. 1. Select **New user** at the top of the screen. 1. In the **User** properties, follow these steps:
- 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **Name** field, enter `B.Simon`.
1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`. 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box. 1. Click **Create**.
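Review bot: The role note under the `role` / `user.assignedroles` table row says Academy Attendance supports the **Lecturer** and **Student** roles but does not give the exact app role values the application expects in the `role` claim, so an admin cannot tell from this step what to enter when creating the roles. Suggest stating the expected values next to the role names, and replacing the link text "this" with the name of the app roles article now that the anchor points to `#app-roles-ui`.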
To configure single sign-on on **Academy Attendance** side, you need to send the
In this section, a user called Britta Simon is created in Academy Attendance. Academy Attendance supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Academy Attendance, a new one is created after authentication.
-## Test SSO
-
-In this section, you test your Azure AD single sign-on configuration with following options.
+## Test SSO
-* Click on **Test this application** in Azure portal. This will redirect to Academy Attendance Sign-on URL where you can initiate the login flow.
+In this section, you test your Azure AD single sign-on configuration with following options.
-* Go to Academy Attendance Sign-on URL directly and initiate the login flow from there.
+- Click on **Test this application** in Azure portal. This will redirect to Academy Attendance Sign-on URL where you can initiate the login flow.
-* You can use Microsoft My Apps. When you click the Academy Attendance tile in the My Apps, this will redirect to Academy Attendance Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
+- Go to Academy Attendance Sign-on URL directly and initiate the login flow from there.
+- You can use Microsoft My Apps. When you click the Academy Attendance tile in the My Apps, this will redirect to Academy Attendance Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
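Review bot: The Create Academy Attendance test user paragraph says a user called Britta Simon is created, while the other steps in this tutorial use B.Simon; use one name throughout. The same paragraph says just-in-time provisioning is enabled by default, so it is worth adding which role a user created this way receives when no app role was assigned in Azure AD. In the Test SSO intro, "with following options" should read "with the following options".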
active-directory Alibaba Cloud Service Role Based Sso Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/alibaba-cloud-service-role-based-sso-tutorial.md
Follow these steps to enable Azure AD SSO in the Azure portal.
> [!Note] > If the **Identifier** and **Reply URL** values do not get auto populated, then fill in the values manually according to your requirement.
-1. Alibaba Cloud Service (Role-based SSO) require roles to be configured in Azure AD. The role claim is pre-configured so you don't have to configure it but you still need to create them in Azure AD using this [article](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui--preview).
+1. Alibaba Cloud Service (Role-based SSO) require roles to be configured in Azure AD. The role claim is pre-configured so you don't have to configure it but you still need to create them in Azure AD using this [article](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui).
1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.
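Review bot: In the changed step, "Alibaba Cloud Service (Role-based SSO) require roles" should be "requires roles", and "you still need to create them" has no clear antecedent after the sentence switches to "the role claim"; say "create the roles". The link text "article" could name the target now that the anchor is `#app-roles-ui`.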
active-directory Amazon Web Service Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/amazon-web-service-tutorial.md
Follow these steps to enable Azure AD SSO in the Azure portal.
| SessionDuration | "provide a value between 900 seconds (15 minutes) to 43200 seconds (12 hours)" | `https://aws.amazon.com/SAML/Attributes` | > [!NOTE]
- > AWS expects roles for users assigned to the application. Please set up these roles in Azure AD so that users can be assigned the appropriate roles. To understand how to configure roles in Azure AD, see [here](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui--preview)
+ > AWS expects roles for users assigned to the application. Please set up these roles in Azure AD so that users can be assigned the appropriate roles. To understand how to configure roles in Azure AD, see [here](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui)
1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** (Step 3) dialog box, select **Add a certificate**.
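Review bot: The changed note line ends at "see [here](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui)" with no closing period and a link text that says nothing about the target. Suggest naming the app roles article in the link text and ending the sentence with a period while this line is being touched.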
active-directory Andromedascm Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/andromedascm-tutorial.md
Title: 'Tutorial: Azure Active Directory integration with Andromeda | Microsoft Docs'
+ Title: "Tutorial: Azure Active Directory integration with Andromeda | Microsoft Docs"
description: Learn how to configure single sign-on between Azure Active Directory and Andromeda.
Last updated 12/28/2020 + # Tutorial: Azure Active Directory integration with Andromeda In this tutorial, you learn how to integrate Andromeda with Azure Active Directory (Azure AD). Integrating Andromeda with Azure AD provides you with the following benefits:
-* You can control in Azure AD who has access to Andromeda.
-* You can enable your users to be automatically signed-in to Andromeda (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
+- You can control in Azure AD who has access to Andromeda.
+- You can enable your users to be automatically signed-in to Andromeda (Single Sign-On) with their Azure AD accounts.
+- You can manage your accounts in one central location - the Azure portal.
## Prerequisites To configure Azure AD integration with Andromeda, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/)
-* Andromeda single sign-on enabled subscription
+- An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/)
+- Andromeda single sign-on enabled subscription
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* Andromeda supports **SP and IDP** initiated SSO
-* Andromeda supports **Just In Time** user provisioning
+- Andromeda supports **SP and IDP** initiated SSO
+- Andromeda supports **Just In Time** user provisioning
## Adding Andromeda from the gallery
To configure the integration of Andromeda into Azure AD, you need to add Androme
1. In the **Add from the gallery** section, type **Andromeda** in the search box. 1. Select **Andromeda** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. - ## Configure and test Azure AD SSO for Andromeda Configure and test Azure AD SSO with Andromeda using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Andromeda. To configure and test Azure AD SSO with Andromeda, perform the following steps: - 1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
- 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
- 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
2. **[Configure Andromeda SSO](#configure-andromeda-sso)** - to configure the Single Sign-On settings on application side.
- 1. **[Create Andromeda test user](#create-andromeda-test-user)** - to have a counterpart of Britta Simon in Andromeda that is linked to the Azure AD representation of user.
-1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
+ 1. **[Create Andromeda test user](#create-andromeda-test-user)** - to have a counterpart of Britta Simon in Andromeda that is linked to the Azure AD representation of user.
+3. **[Test SSO](#test-sso)** - to verify whether the configuration works.
## Configure Azure AD SSO
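Review bot: The numbering in this step list is now mixed: the patch keeps "2. **[Configure Andromeda SSO]**" and changes the last item from "1." to "3. **[Test SSO]**", while later changes in the same file replace explicit numbers (5. through 9.) with "1.". Pick one convention for the file; using "1." for every item matches the rest of the change. The sub-steps also still say Britta Simon where the section intro introduces the test user as **B.Simon**.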
Follow these steps to enable Azure AD SSO in the Azure portal.
1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, enter the values for the following fields:
- a. In the **Identifier** text box, type a URL using the following pattern:
- `https://<tenantURL>.ngcxpress.com/`
-
- b. In the **Reply URL** text box, type a URL using the following pattern:
- `https://<tenantURL>.ngcxpress.com/SAMLConsumer.aspx`
+ a. In the **Identifier** text box, type a URL using the following pattern:
+ `https://<tenantURL>.ngcxpress.com/`
-5. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
+ b. In the **Reply URL** text box, type a URL using the following pattern:
+ `https://<tenantURL>.ngcxpress.com/SAMLConsumer.aspx`
- ![Screenshot shows Set additional U R Ls where you can enter a Sign on U R L.](common/metadata-upload-additional-signon.png)
+1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
- In the **Sign-on URL** text box, type a URL using the following pattern:
- `https://<tenantURL>.ngcxpress.com/SAMLLogon.aspx`
+ ![Screenshot shows Set additional U R Ls where you can enter a Sign on U R L.](common/metadata-upload-additional-signon.png)
- > [!NOTE]
- > These values are not real. You will update the value with the actual Identifier, Reply URL, and Sign-On URL which is explained later in the tutorial.
+ In the **Sign-on URL** text box, type a URL using the following pattern:
+ `https://<tenantURL>.ngcxpress.com/SAMLLogon.aspx`
-6. Andromeda application expects the SAML assertions in a specific format. Configure the following claims for this application. You can manage the values of these attributes from the **User Attributes** section on application integration page. On the **Set up Single Sign-On with SAML** page, click **Edit** button to open **User Attributes** dialog.
+ > [!NOTE]
+ > These values are not real. You will update the value with the actual Identifier, Reply URL, and Sign-On URL which is explained later in the tutorial.
- ![Screenshot shows User attributes such as givenname user.givenname and emailaddress user.mail.](common/edit-attribute.png)
+1. Andromeda application expects the SAML assertions in a specific format. Configure the following claims for this application. You can manage the values of these attributes from the **User Attributes** section on application integration page. On the **Set up Single Sign-On with SAML** page, click **Edit** button to open **User Attributes** dialog.
- > [!Important]
- > Clear out the NameSpace definitions while setting these up.
+ ![Screenshot shows User attributes such as givenname user.givenname and emailaddress user.mail.](common/edit-attribute.png)
-7. In the **User Claims** section on the **User Attributes** dialog, edit the claims by using **Edit icon** or add the claims by using **Add new claim** to configure SAML token attribute as shown in the image above and perform the following steps:
+ > [!Important]
+ > Clear out the NameSpace definitions while setting these up.
- | Name | Source Attribute|
- | | --|
- | role | App specific role |
- | type | App Type |
- | company | CompanyName |
+1. In the **User Claims** section on the **User Attributes** dialog, edit the claims by using **Edit icon** or add the claims by using **Add new claim** to configure SAML token attribute as shown in the image above and perform the following steps:
- > [!NOTE]
- > Andromeda expects roles for users assigned to the application. Please set up these roles in Azure AD so that users can be assigned the appropriate roles. To understand how to configure roles in Azure AD, see [here](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui--preview).
+ | Name | Source Attribute |
+ | - | -- |
+ | role | App specific role |
+ | type | App Type |
+ | company | CompanyName |
- a. Click **Add new claim** to open the **Manage user claims** dialog.
+ > [!NOTE]
+ > Andromeda expects roles for users assigned to the application. Please set up these roles in Azure AD so that users can be assigned the appropriate roles. To understand how to configure roles in Azure AD, see [here](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui).
- ![Screenshot shows User claims with options to Add new claim and save.](common/new-save-attribute.png)
+ a. Click **Add new claim** to open the **Manage user claims** dialog.
- ![Screenshot shows Manage user claims where you can enter values described I this step.](common/new-attribute-details.png)
+ ![Screenshot shows User claims with options to Add new claim and save.](common/new-save-attribute.png)
- b. In the **Name** textbox, type the attribute name shown for that row.
+ ![Screenshot shows Manage user claims where you can enter values described I this step.](common/new-attribute-details.png)
- c. Leave the **Namespace** blank.
+ b. In the **Name** textbox, type the attribute name shown for that row.
- d. Select Source as **Attribute**.
+ c. Leave the **Namespace** blank.
- e. From the **Source attribute** list, type the attribute value shown for that row.
+ d. Select Source as **Attribute**.
- f. Click **Ok**
+ e. From the **Source attribute** list, type the attribute value shown for that row.
- g. Click **Save**.
+ f. Click **Ok**
-8. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Certificate (Base64)** from the given options as per your requirement and save it on your computer.
+ g. Click **Save**.
- ![The Certificate download link](common/certificatebase64.png)
+1. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Certificate (Base64)** from the given options as per your requirement and save it on your computer.
-9. On the **Set up Andromeda** section, copy the appropriate URL(s) as per your requirement.
+ ![The Certificate download link](common/certificatebase64.png)
- ![Copy configuration URLs](common/copy-configuration-urls.png)
+1. On the **Set up Andromeda** section, copy the appropriate URL(s) as per your requirement.
+ ![Copy configuration URLs](common/copy-configuration-urls.png)
### Create an Azure AD test user
In this section, you'll create a test user in the Azure portal called B.Simon.
1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**. 1. Select **New user** at the top of the screen. 1. In the **User** properties, follow these steps:
- 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **Name** field, enter `B.Simon`.
1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`. 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box. 1. Click **Create**.
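Review bot: The claims table in the **User Claims** step gives the source attributes as "App specific role", "App Type" and "CompanyName", which are descriptions rather than values an admin can select, yet sub-step e says to "type the attribute value shown for that row". Since Andromeda expects a role for each assigned user, name the actual Azure AD source for each row (the Academy Attendance tutorial in this same update uses `user.assignedroles` for `role`) or state that the value is tenant specific. Two image alt texts also need fixing: "Set additional U R Ls where you can enter a Sign on U R L" and "values described I this step".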
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
2. On the top of the menubar click **Admin** and navigate to **Administration**.
- ![Andromeda admin](./media/andromedascm-tutorial/tutorial_andromedascm_admin.png)
+ ![Andromeda admin](./media/andromedascm-tutorial/tutorial_andromedascm_admin.png)
3. On the left side of tool bar under **Interfaces** section, click **SAML Configuration**.
- ![Andromeda saml](./media/andromedascm-tutorial/tutorial_andromedascm_saml.png)
+ ![Andromeda saml](./media/andromedascm-tutorial/tutorial_andromedascm_saml.png)
4. On the **SAML Configuration** section page, perform the following steps:
- ![Andromeda config](./media/andromedascm-tutorial/tutorial_andromedascm_config.png)
+ ![Andromeda config](./media/andromedascm-tutorial/tutorial_andromedascm_config.png)
- a. Check **Enable SSO with SAML**.
+ a. Check **Enable SSO with SAML**.
- b. Under **Andromeda Information** section, copy the **SP Identity** value and paste it into the **Identifier** textbox of **Basic SAML Configuration** section.
+ b. Under **Andromeda Information** section, copy the **SP Identity** value and paste it into the **Identifier** textbox of **Basic SAML Configuration** section.
- c. Copy the **Consumer URL** value and paste it into the **Reply URL** textbox of **Basic SAML Configuration** section.
+ c. Copy the **Consumer URL** value and paste it into the **Reply URL** textbox of **Basic SAML Configuration** section.
- d. Copy the **Logon URL** value and paste it into the **Sign-on URL** textbox of **Basic SAML Configuration** section.
+ d. Copy the **Logon URL** value and paste it into the **Sign-on URL** textbox of **Basic SAML Configuration** section.
- e. Under **SAML Identity Provider** section, type your IDP Name.
+ e. Under **SAML Identity Provider** section, type your IDP Name.
- f. In the **Single Sign On End Point** textbox, paste the value of **Login URL** which, you have copied from the Azure portal.
+ f. In the **Single Sign On End Point** textbox, paste the value of **Login URL** which, you have copied from the Azure portal.
- g. Open the downloaded **Base64 encoded certificate** from Azure portal in notepad, paste it into the **X 509 Certificate** textbox.
-
- h. Map the following attributes with the respective value to facilitate SSO login from Azure AD. The **User ID** attribute is required for logging in. For provisioning, **Email**, **Company**, **UserType**, and **Role** are required. In this section, we define attributes mapping (name and values) which correlate to those defined within Azure portal
+ g. Open the downloaded **Base64 encoded certificate** from Azure portal in notepad, paste it into the **X 509 Certificate** textbox.
- ![Andromeda attbmap](./media/andromedascm-tutorial/tutorial_andromedascm_attbmap.png)
+ h. Map the following attributes with the respective value to facilitate SSO login from Azure AD. The **User ID** attribute is required for logging in. For provisioning, **Email**, **Company**, **UserType**, and **Role** are required. In this section, we define attributes mapping (name and values) which correlate to those defined within Azure portal
- i. Click **Save**.
+ ![Andromeda attbmap](./media/andromedascm-tutorial/tutorial_andromedascm_attbmap.png)
+ i. Click **Save**.
### Create Andromeda test user In this section, a user called Britta Simon is created in Andromeda. Andromeda supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Andromeda, a new one is created after authentication. If you need to create a user manually, contact [Andromeda Client support team](https://www.ngcsoftware.com/support/).
-## Test SSO
+## Test SSO
-In this section, you test your Azure AD single sign-on configuration with following options.
+In this section, you test your Azure AD single sign-on configuration with following options.
#### SP initiated:
-* Click on **Test this application** in Azure portal. This will redirect to Andromeda Sign on URL where you can initiate the login flow.
+- Click on **Test this application** in Azure portal. This will redirect to Andromeda Sign on URL where you can initiate the login flow.
-* Go to Andromeda Sign-on URL directly and initiate the login flow from there.
+- Go to Andromeda Sign-on URL directly and initiate the login flow from there.
#### IDP initiated:
-* Click on **Test this application** in Azure portal and you should be automatically signed in to the Andromeda for which you set up the SSO
+- Click on **Test this application** in Azure portal and you should be automatically signed in to the Andromeda for which you set up the SSO
You can also use Microsoft My Apps to test the application in any mode. When you click the Andromeda tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Andromeda for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
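Review bot: Sub-step h states that **User ID** is required for logging in and that **Email**, **Company**, **UserType** and **Role** are required for provisioning, but the mapping itself exists only in the screenshot that follows, and the Azure-side table earlier in the file defines only `role`, `type` and `company`. Add the name and value pairs as a text table so the mapping can be checked against the Azure claims, and end the sentence with a period. In sub-step f, "**Login URL** which, you have copied" has a misplaced comma, and the Create Andromeda test user section says Britta Simon where the Azure AD test user section uses B.Simon.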
active-directory Appinux Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/appinux-tutorial.md
Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Appinux | Microsoft Docs'
+ Title: "Tutorial: Azure Active Directory single sign-on (SSO) integration with Appinux | Microsoft Docs"
description: Learn how to configure single sign-on between Azure Active Directory and Appinux.
In this tutorial, you'll learn how to integrate Appinux with Azure Active Directory (Azure AD). When you integrate Appinux with Azure AD, you can:
-* Control in Azure AD who has access to Appinux.
-* Enable your users to be automatically signed-in to Appinux with their Azure AD accounts.
-* Manage your accounts in one central location - the Azure portal.
-
+- Control in Azure AD who has access to Appinux.
+- Enable your users to be automatically signed-in to Appinux with their Azure AD accounts.
+- Manage your accounts in one central location - the Azure portal.
## Prerequisites To get started, you need the following items:
-* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
-* Appinux single sign-on (SSO) enabled subscription.
+- An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+- Appinux single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Appinux supports **SP** initiated SSO
+- Appinux supports **SP** initiated SSO
-* Appinux supports **Just In Time** user provisioning
+- Appinux supports **Just In Time** user provisioning
## Adding Appinux from the gallery
To configure the integration of Appinux into Azure AD, you need to add Appinux f
1. In the **Add from the gallery** section, type **Appinux** in the search box. 1. Select **Appinux** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. - ## Configure and test Azure AD SSO for Appinux Configure and test Azure AD SSO with Appinux using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Appinux.
Configure and test Azure AD SSO with Appinux using a test user called **B.Simon*
To configure and test Azure AD SSO with Appinux, perform the following steps: 1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
- 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
- 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
1. **[Configure Appinux SSO](#configure-appinux-sso)** - to configure the single sign-on settings on application side.
- 1. **[Create Appinux test user](#create-appinux-test-user)** - to have a counterpart of B.Simon in Appinux that is linked to the Azure AD representation of user.
+ 1. **[Create Appinux test user](#create-appinux-test-user)** - to have a counterpart of B.Simon in Appinux that is linked to the Azure AD representation of user.
1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ## Configure Azure AD SSO
Follow these steps to enable Azure AD SSO in the Azure portal.
1. On the **Basic SAML Configuration** section, enter the values for the following fields:
- a. In the **Sign on URL** text box, type a URL using the following pattern:
- `https://<Appinux_SUBDOMAIN>.appinux.com`
+ a. In the **Sign on URL** text box, type a URL using the following pattern:
+ `https://<Appinux_SUBDOMAIN>.appinux.com`
- b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
- `https://<Appinux_SUBDOMAIN>.appinux.com/simplesaml/module.php/saml/sp/metadata.php/default-sp`
+ b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
+ `https://<Appinux_SUBDOMAIN>.appinux.com/simplesaml/module.php/saml/sp/metadata.php/default-sp`
- > [!NOTE]
- > These values are not real. Update these values with the actual Sign on URL and Identifier. Contact [Appinux Client support team](https://support.appinux.com/) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+ > [!NOTE]
+ > These values are not real. Update these values with the actual Sign on URL and Identifier. Contact [Appinux Client support team](https://support.appinux.com/) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
1. Appinux application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes. Click **Edit** icon to open User Attributes dialog.
- ![image](common/edit-attribute.png)
+ ![image](common/edit-attribute.png)
1. In addition to above, Appinux application expects few more attributes to be passed back in SAML response which are shown below. These attributes are also pre populated but you can review them as per your requirement.
- | **Name** | **Namespace** | **Source Attribute**|
- | || |
- | `givenname` | `http://schemas.xmlsoap.org/ws/2005/05/identity/claims` | `user.givenname` |
- | `surname` | `http://schemas.xmlsoap.org/ws/2005/05/identity/claims` | `user.surname` |
- | `emailaddress` | `http://schemas.xmlsoap.org/ws/2005/05/identity/claims` | `user.mail` |
- | `name` | `http://schemas.xmlsoap.org/ws/2005/05/identity/claims` | `user.userprincipalname` |
- | `UserType` | `http://bcv.appinux.com/claims` | `Provide the value as per your organization` |
- | `Tag` | `http://appinux.com/Tag` | `Provide the value as per your organization` |
- | `Role` | `http://schemas.microsoft.com/ws/2008/06/identity/claims/role` | `user.assignedroles` |
- | `email` | `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email` | `user.mail` |
- | `wanshort` | `http://appinux.com/windowsaccountname2` | `extractmailprefix([userprincipalname])` |
- | `nameidentifier` | `http://schemas.xmlsoap.org/ws/2005/05/identity/claims` | `user.employeeid` |
+ | **Name** | **Namespace** | **Source Attribute** |
+ | - | -- | -- |
+ | `givenname` | `http://schemas.xmlsoap.org/ws/2005/05/identity/claims` | `user.givenname` |
+ | `surname` | `http://schemas.xmlsoap.org/ws/2005/05/identity/claims` | `user.surname` |
+ | `emailaddress` | `http://schemas.xmlsoap.org/ws/2005/05/identity/claims` | `user.mail` |
+ | `name` | `http://schemas.xmlsoap.org/ws/2005/05/identity/claims` | `user.userprincipalname` |
+ | `UserType` | `http://bcv.appinux.com/claims` | `Provide the value as per your organization` |
+ | `Tag` | `http://appinux.com/Tag` | `Provide the value as per your organization` |
+ | `Role` | `http://schemas.microsoft.com/ws/2008/06/identity/claims/role` | `user.assignedroles` |
+ | `email` | `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email` | `user.mail` |
+ | `wanshort` | `http://appinux.com/windowsaccountname2` | `extractmailprefix([userprincipalname])` |
+ | `nameidentifier` | `http://schemas.xmlsoap.org/ws/2005/05/identity/claims` | `user.employeeid` |
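Review bot: In the `UserType` and `Tag` rows, the Source Attribute cell wraps the instruction "Provide the value as per your organization" in code formatting, so it reads as a literal value to type, like `user.mail` in the rows around it. Since the table is being reflowed anyway, put that instruction in plain text and keep code formatting for actual attribute names and expressions such as `extractmailprefix([userprincipalname])`.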
- > [!NOTE]
- > Appinux expects roles for users assigned to the application. Please set up these roles in Azure AD so that users can be assigned the appropriate roles. To understand how to configure roles in Azure AD, see [here](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui--preview).
+ > [!NOTE]
+ > Appinux expects roles for users assigned to the application. Please set up these roles in Azure AD so that users can be assigned the appropriate roles. To understand how to configure roles in Azure AD, see [here](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui).
-1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.
+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.
- ![The Certificate download link](common/metadataxml.png)
+ ![The Certificate download link](common/metadataxml.png)
1. On the **Set up Appinux** section, copy the appropriate URL(s) based on your requirement.
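Review bot: The re-indented step still says to select **Federation Metadata XML** and "download the certificate", but the file named there is a metadata document, not only a certificate. Suggest wording it as "download the metadata file and save it on your computer", which also matches the later instruction in these tutorials to send the downloaded **Federation Metadata XML** to the vendor's support team.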
- ![Copy configuration URLs](common/copy-configuration-urls.png)
+ ![Copy configuration URLs](common/copy-configuration-urls.png)
### Create an Azure AD test user
In this section, you'll create a test user in the Azure portal called B.Simon.
1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**. 1. Select **New user** at the top of the screen. 1. In the **User** properties, follow these steps:
- 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **Name** field, enter `B.Simon`.
1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`. 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box. 1. Click **Create**.
In this section, a user called Britta Simon is created in Appinux. Appinux suppo
> [!Note] > If you need to create a user manually, contact [Appinux support team](https://support.appinux.com).
-## Test SSO
-
-In this section, you test your Azure AD single sign-on configuration with following options.
+## Test SSO
-* Click on **Test this application** in Azure portal. This will redirect to Appinux Sign-on URL where you can initiate the login flow.
+In this section, you test your Azure AD single sign-on configuration with following options.
-* Go to Appinux Sign-on URL directly and initiate the login flow from there.
+- Click on **Test this application** in Azure portal. This will redirect to Appinux Sign-on URL where you can initiate the login flow.
-* You can use Microsoft My Apps. When you click the Appinux tile in the My Apps, this will redirect to Appinux Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
+- Go to Appinux Sign-on URL directly and initiate the login flow from there.
+- You can use Microsoft My Apps. When you click the Appinux tile in the My Apps, this will redirect to Appinux Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
active-directory Appneta Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/appneta-tutorial.md
Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with AppNeta Performance Manager | Microsoft Docs'
+ Title: "Tutorial: Azure Active Directory single sign-on (SSO) integration with AppNeta Performance Manager | Microsoft Docs"
description: Learn how to configure single sign-on between Azure Active Directory and AppNeta Performance Manager.
In this tutorial, you'll learn how to integrate AppNeta Performance Manager with Azure Active Directory (Azure AD). When you integrate AppNeta Performance Manager with Azure AD, you can:
-* Control in Azure AD who has access to AppNeta Performance Manager.
-* Enable your users to be automatically signed-in to AppNeta Performance Manager with their Azure AD accounts.
-* Manage your accounts in one central location - the Azure portal.
-
+- Control in Azure AD who has access to AppNeta Performance Manager.
+- Enable your users to be automatically signed-in to AppNeta Performance Manager with their Azure AD accounts.
+- Manage your accounts in one central location - the Azure portal.
## Prerequisites To get started, you need the following items:
-* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
-* AppNeta Performance Manager single sign-on (SSO) enabled subscription.
+- An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+- AppNeta Performance Manager single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD SSO in a test environment.
-* AppNeta Performance Manager supports **SP** initiated SSO
+- AppNeta Performance Manager supports **SP** initiated SSO
-* AppNeta Performance Manager supports **Just In Time** user provisioning
+- AppNeta Performance Manager supports **Just In Time** user provisioning
> [!NOTE] > Identifier of this application is a fixed string value so only one instance can be configured in one tenant. - ## Adding AppNeta Performance Manager from the gallery To configure the integration of AppNeta Performance Manager into Azure AD, you need to add AppNeta Performance Manager from the gallery to your list of managed SaaS apps.
To configure the integration of AppNeta Performance Manager into Azure AD, you n
1. In the **Add from the gallery** section, type **AppNeta Performance Manager** in the search box. 1. Select **AppNeta Performance Manager** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. - ## Configure and test Azure AD SSO for AppNeta Performance Manager Configure and test Azure AD SSO with AppNeta Performance Manager using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in AppNeta Performance Manager.
Configure and test Azure AD SSO with AppNeta Performance Manager using a test us
To configure and test Azure AD SSO with AppNeta Performance Manager, perform the following steps: 1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
- 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
- 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
1. **[Configure AppNeta Performance Manager SSO](#configure-appneta-performance-manager-sso)** - to configure the single sign-on settings on application side.
- 1. **[Create AppNeta Performance Manager test user](#create-appneta-performance-manager-test-user)** - to have a counterpart of B.Simon in AppNeta Performance Manager that is linked to the Azure AD representation of user.
+ 1. **[Create AppNeta Performance Manager test user](#create-appneta-performance-manager-test-user)** - to have a counterpart of B.Simon in AppNeta Performance Manager that is linked to the Azure AD representation of user.
1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ## Configure Azure AD SSO
Follow these steps to enable Azure AD SSO in the Azure portal.
1. On the **Basic SAML Configuration** section, enter the values for the following fields:
- a. In the **Sign on URL** text box, type a URL using the following pattern:
- `https://<subdomain>.pm.appneta.com`
+ a. In the **Sign on URL** text box, type a URL using the following pattern:
+ `https://<subdomain>.pm.appneta.com`
- > [!NOTE]
- > The Sign-on URL value is not real. Update this value with the actual Sign-On URL. Contact [AppNeta Performance Manager Client support team](mailto:support@appneta.com) to get this value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+ > [!NOTE]
+ > The Sign-on URL value is not real. Update this value with the actual Sign-On URL. Contact [AppNeta Performance Manager Client support team](mailto:support@appneta.com) to get this value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
1. AppNeta Performance Manager application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.
- ![image](common/edit-attribute.png)
+ ![image](common/edit-attribute.png)
1. In addition to above, AppNeta Performance Manager application expects few more attributes to be passed back in SAML response which are shown below. These attributes are also pre populated but you can review them as per your requirement.
- | Name | Source Attribute|
- | --| -|
- | firstName| user.givenname|
- | lastName| user.surname|
- | email| user.userprincipalname|
- | name| user.userprincipalname|
- | groups | user.assignedroles |
- | phone| user.telephonenumber |
- | title| user.jobtitle|
- | | |
+ | Name | Source Attribute |
+ | | - |
+ | firstName | user.givenname |
+ | lastName | user.surname |
+ | email | user.userprincipalname |
+ | name | user.userprincipalname |
+ | groups | user.assignedroles |
+ | phone | user.telephonenumber |
+ | title | user.jobtitle |
+ | | |
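Review bot: The `email` row is sourced from `user.userprincipalname`, the same source as `name`, while the Appinux and Arc Publishing tables on this page source their email claims from `user.mail`. A UPN is not guaranteed to match the user's mail address, so confirm this mapping is what AppNeta expects or switch it to `user.mail`. The empty trailing row `| | |` is also carried over from the old table and can be dropped.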
- > [!NOTE]
- > **groups** refers to the security group in Appneta which is mapped to a **Role** in Azure AD. Please refer to [this](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui--preview) doc which explains how to create custom roles in Azure AD.
+ > [!NOTE]
+ > **groups** refers to the security group in Appneta which is mapped to a **Role** in Azure AD. Please refer to [this](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui) doc which explains how to create custom roles in Azure AD.
- 1. Click **Add new claim** to open the **Manage user claims** dialog.
+ 1. Click **Add new claim** to open the **Manage user claims** dialog.
- 1. In the **Name** textbox, type the attribute name shown for that row.
+ 1. In the **Name** textbox, type the attribute name shown for that row.
- 1. Leave the **Namespace** blank.
+ 1. Leave the **Namespace** blank.
- 1. Select Source as **Attribute**.
+ 1. Select Source as **Attribute**.
- 1. From the **Source attribute** list, type the attribute value shown for that row.
+ 1. From the **Source attribute** list, type the attribute value shown for that row.
- 1. Click **Ok**
+ 1. Click **Ok**
- 1. Click **Save**.
+ 1. Click **Save**.
-1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.
+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.
- ![The Certificate download link](common/metadataxml.png)
+ ![The Certificate download link](common/metadataxml.png)
1. On the **Set up AppNeta Performance Manager** section, copy the appropriate URL(s) based on your requirement.
- ![Copy configuration URLs](common/copy-configuration-urls.png)
+ ![Copy configuration URLs](common/copy-configuration-urls.png)
### Create an Azure AD test user
In this section, you'll create a test user in the Azure portal called B.Simon.
1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**. 1. Select **New user** at the top of the screen. 1. In the **User** properties, follow these steps:
- 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **Name** field, enter `B.Simon`.
1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`. 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box. 1. Click **Create**.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen. 1. If you have setup the roles as explained in the above, you can select it from the **Select a role** dropdown. 1. In the **Add Assignment** dialog, click the **Assign** button.+ ## Configure AppNeta Performance Manager SSO To configure single sign-on on **AppNeta Performance Manager** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [AppNeta Performance Manager support team](mailto:support@appneta.com). They set this setting to have the SAML SSO connection set properly on both sides.
In this section, a user called Britta Simon is created in AppNeta Performance Ma
> [!Note] > If you need to create a user manually, contact [AppNeta Performance Manager support team](mailto:support@appneta.com).
-## Test SSO
-
-In this section, you test your Azure AD single sign-on configuration with following options.
+## Test SSO
-* Click on **Test this application** in Azure portal. This will redirect to AppNeta Performance Manager Sign-on URL where you can initiate the login flow.
+In this section, you test your Azure AD single sign-on configuration with following options.
-* Go to AppNeta Performance Manager Sign-on URL directly and initiate the login flow from there.
+- Click on **Test this application** in Azure portal. This will redirect to AppNeta Performance Manager Sign-on URL where you can initiate the login flow.
-* You can use Microsoft My Apps. When you click the AppNeta Performance Manager tile in the My Apps, this will redirect to AppNeta Performance Manager Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
+- Go to AppNeta Performance Manager Sign-on URL directly and initiate the login flow from there.
+- You can use Microsoft My Apps. When you click the AppNeta Performance Manager tile in the My Apps, this will redirect to AppNeta Performance Manager Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
active-directory Apptio Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/apptio-tutorial.md
Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Apptio | Microsoft Docs'
+ Title: "Tutorial: Azure Active Directory single sign-on (SSO) integration with Apptio | Microsoft Docs"
description: Learn how to configure single sign-on between Azure Active Directory and Apptio.
In this tutorial, you'll learn how to integrate Apptio with Azure Active Directory (Azure AD). When you integrate Apptio with Azure AD, you can:
-* Control in Azure AD who has access to Apptio.
-* Enable your users to be automatically signed-in to Apptio with their Azure AD accounts.
-* Manage your accounts in one central location - the Azure portal.
+- Control in Azure AD who has access to Apptio.
+- Enable your users to be automatically signed-in to Apptio with their Azure AD accounts.
+- Manage your accounts in one central location - the Azure portal.
## Prerequisites To get started, you need the following items:
-* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
-* Apptio single sign-on (SSO) enabled subscription.
+- An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+- Apptio single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Apptio supports **IDP** initiated SSO
+- Apptio supports **IDP** initiated SSO
> [!NOTE] > Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
Configure and test Azure AD SSO with Apptio using a test user called **B.Simon**
To configure and test Azure AD SSO with Apptio, perform the following steps: 1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
- 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
- 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
1. **[Configure Apptio SSO](#configure-apptio-sso)** - to configure the single sign-on settings on application side.
- 1. **[Create Apptio test user](#create-apptio-test-user)** - to have a counterpart of B.Simon in Apptio that is linked to the Azure AD representation of user.
+ 1. **[Create Apptio test user](#create-apptio-test-user)** - to have a counterpart of B.Simon in Apptio that is linked to the Azure AD representation of user.
1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ## Configure Azure AD SSO
Follow these steps to enable Azure AD SSO in the Azure portal.
1. On the **Basic SAML Configuration** section, enter the values for the following fields:
- In the **Identifier** text box, type a URL:
- `urn:federation:apptio`
+ In the **Identifier** text box, type a URL:
+ `urn:federation:apptio`
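Review bot: The line above the value says "type a URL", but `urn:federation:apptio` is a URN and a fixed string, not a URL pattern. Suggest "type the value:" so readers do not try to substitute an https address for it.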
-1. The role claim is pre-configured so you don't have to configure it but you still need to create them in Azure AD using this [article](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui--preview).
+1. The role claim is pre-configured so you don't have to configure it but you still need to create them in Azure AD using this [article](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui).
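Review bot: In "you still need to create them in Azure AD", the pronoun has no antecedent, because the sentence only mentions "the role claim" in the singular. Suggest "you still need to create the roles in Azure AD", and while the link target is being corrected, replace the link text "article" with the title of the linked page.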
-1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.
+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.
- ![The Certificate download link](common/metadataxml.png)
+ ![The Certificate download link](common/metadataxml.png)
1. On the **Set up Apptio** section, copy the appropriate URL(s) based on your requirement.
- ![Copy configuration URLs](common/copy-configuration-urls.png)
+ ![Copy configuration URLs](common/copy-configuration-urls.png)
### Create an Azure AD test user
In this section, you'll create a test user in the Azure portal called B.Simon.
1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**. 1. Select **New user** at the top of the screen. 1. In the **User** properties, follow these steps:
- 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **Name** field, enter `B.Simon`.
1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`. 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box. 1. Click **Create**.
To configure single sign-on on **Apptio** side, you need to send the downloaded
In this section, you create a user called B.Simon in Apptio. Work with [Apptio support team](https://www.apptio.com/resources/customer-support/) to add the users in the Apptio platform. Users must be created and activated before you use single sign-on.
-## Test SSO
+## Test SSO
In this section, you test your Azure AD single sign-on configuration with following options.
-* Click on Test this application in Azure portal and you should be automatically signed in to the Apptio for which you set up the SSO
-
-* You can use Microsoft My Apps. When you click the Apptio tile in the My Apps, you should be automatically signed in to the Apptio for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
+- Click on Test this application in Azure portal and you should be automatically signed in to the Apptio for which you set up the SSO
+- You can use Microsoft My Apps. When you click the Apptio tile in the My Apps, you should be automatically signed in to the Apptio for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
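Review bot: In the first Test SSO bullet, "Test this application" is not bolded, unlike the **Test this application** label in the Appinux and AppNeta tutorials changed in this same batch, and the bullet ends without a period. Suggest "Click **Test this application** in the Azure portal ..." with a closing period so the UI label is marked consistently.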
active-directory Arc Facilities Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/arc-facilities-tutorial.md
Follow these steps to enable Azure AD SSO in the Azure portal.
d. Click **Save**. > [!NOTE]
- > ARC Facilities expects roles for users assigned to the application. Please set up these roles in Azure AD so that users can be assigned the appropriate roles. To understand how to configure roles in Azure AD, see [here](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui--preview).
+ > ARC Facilities expects roles for users assigned to the application. Please set up these roles in Azure AD so that users can be assigned the appropriate roles. To understand how to configure roles in Azure AD, see [here](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui).
1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.
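Review bot: The corrected link in this note still uses "here" as its link text ("see [here](...#app-roles-ui)"), which tells the reader nothing about the destination. Since the anchor is being fixed on this line, change the text to something descriptive such as "how to add app roles to your application".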
active-directory Arc Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/arc-tutorial.md
Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Arc Publishing - SSO | Microsoft Docs'
+ Title: "Tutorial: Azure Active Directory single sign-on (SSO) integration with Arc Publishing - SSO | Microsoft Docs"
description: Learn how to configure single sign-on between Azure Active Directory and Arc Publishing - SSO.
In this tutorial, you'll learn how to integrate Arc Publishing - SSO with Azure Active Directory (Azure AD). When you integrate Arc Publishing - SSO with Azure AD, you can:
-* Control in Azure AD who has access to Arc Publishing - SSO.
-* Enable your users to be automatically signed-in to Arc Publishing - SSO with their Azure AD accounts.
-* Manage your accounts in one central location - the Azure portal.
+- Control in Azure AD who has access to Arc Publishing - SSO.
+- Enable your users to be automatically signed-in to Arc Publishing - SSO with their Azure AD accounts.
+- Manage your accounts in one central location - the Azure portal.
## Prerequisites To get started, you need the following items:
-* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
-* Arc Publishing - SSO single sign-on (SSO) enabled subscription.
+- An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+- Arc Publishing - SSO single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Arc Publishing - SSO supports **SP and IDP** initiated SSO
-* Arc Publishing - SSO supports **Just In Time** user provisioning
-
+- Arc Publishing - SSO supports **SP and IDP** initiated SSO
+- Arc Publishing - SSO supports **Just In Time** user provisioning
## Adding Arc Publishing - SSO from the gallery
To configure the integration of Arc Publishing - SSO into Azure AD, you need to
1. In the **Add from the gallery** section, type **Arc Publishing - SSO** in the search box. 1. Select **Arc Publishing - SSO** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. - ## Configure and test Azure AD SSO for Arc Publishing - SSO Configure and test Azure AD SSO with Arc Publishing - SSO using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Arc Publishing - SSO.
Configure and test Azure AD SSO with Arc Publishing - SSO using a test user call
To configure and test Azure AD SSO with Arc Publishing - SSO, perform the following steps: 1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
- 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
- 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
1. **[Configure Arc Publishing - SSO SSO](#configure-arc-publishingsso-sso)** - to configure the single sign-on settings on application side.
- 1. **[Create Arc Publishing - SSO test user](#create-arc-publishingsso-test-user)** - to have a counterpart of B.Simon in Arc Publishing - SSO that is linked to the Azure AD representation of user.
+ 1. **[Create Arc Publishing - SSO test user](#create-arc-publishingsso-test-user)** - to have a counterpart of B.Simon in Arc Publishing - SSO that is linked to the Azure AD representation of user.
1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ## Configure Azure AD SSO
Follow these steps to enable Azure AD SSO in the Azure portal.
1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, enter the values for the following fields:
- a. In the **Identifier** text box, type a URL using the following pattern:
- `https://www.okta.com/saml2/service-provider/<Unique ID>`
+ a. In the **Identifier** text box, type a URL using the following pattern:
+ `https://www.okta.com/saml2/service-provider/<Unique ID>`
- b. In the **Reply URL** text box, type a URL using the following pattern:
- `https://arcpublishing-<Customer>.okta.com/sso/saml2/<Unique ID>`
+ b. In the **Reply URL** text box, type a URL using the following pattern:
+ `https://arcpublishing-<Customer>.okta.com/sso/saml2/<Unique ID>`
1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
- In the **Sign-on URL** text box, type a URL using the following pattern:
- `https://arcpublishing-<Customer>.okta.com/sso/saml2/<Unique ID>`
+ In the **Sign-on URL** text box, type a URL using the following pattern:
+ `https://arcpublishing-<Customer>.okta.com/sso/saml2/<Unique ID>`
- > [!NOTE]
- > These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact [Arc Publishing - SSO Client support team](mailto:inf@washpost.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+ > [!NOTE]
+ > These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact [Arc Publishing - SSO Client support team](mailto:inf@washpost.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
1. Arc Publishing - SSO application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.
- ![image](common/edit-attribute.png)
+ ![image](common/edit-attribute.png)
-1. In addition to above, Arc Publishing - SSO application expects few more attributes to be passed back in SAML response which are shown below. These attributes are also pre populated but you can review them as per your requirement.
+1. In addition to above, Arc Publishing - SSO application expects few more attributes to be passed back in SAML response which are shown below. These attributes are also pre populated but you can review them as per your requirement.
+ | Name | Source Attribute |
+ | | |
+ | firstName | user.givenname |
+ | lastName | user.surname |
+ | email | user.mail |
+ | groups | user.assignedroles |
- | Name | Source Attribute|
- | | |
- | firstName | user.givenname |
- | lastName | user.surname |
- | email | user.mail |
- | groups | user.assignedroles |
+ > [!NOTE]
+ > Here the **groups** attribute is mapped with **user.assignedroles**. These are custom roles created in Azure AD to map the group names back in application. You can find more guidance [here](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui) on how to create custom roles in Azure AD.
- > [!NOTE]
- > Here the **groups** attribute is mapped with **user.assignedroles**. These are custom roles created in Azure AD to map the group names back in application. You can find more guidance [here](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui--preview) on how to create custom roles in Azure AD.
+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.
-1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.
-
- ![The Certificate download link](common/certificatebase64.png)
+ ![The Certificate download link](common/certificatebase64.png)
1. On the **Set up Arc Publishing - SSO** section, copy the appropriate URL(s) based on your requirement.
- ![Copy configuration URLs](common/copy-configuration-urls.png)
+ ![Copy configuration URLs](common/copy-configuration-urls.png)
### Create an Azure AD test user
In this section, you'll create a test user in the Azure portal called B.Simon.
1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**. 1. Select **New user** at the top of the screen. 1. In the **User** properties, follow these steps:
- 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **Name** field, enter `B.Simon`.
1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`. 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box. 1. Click **Create**.
In this section, a user called Britta Simon is created in Arc Publishing - SSO.
> [!Note] > If you need to create a user manually, contact [Arc Publishing - SSO support team](mailto:inf@washpost.com).
-## Test SSO
+## Test SSO
-In this section, you test your Azure AD single sign-on configuration with following options.
+In this section, you test your Azure AD single sign-on configuration with following options.
#### SP initiated:
-* Click on **Test this application** in Azure portal. This will redirect to Arc Publishing - SSO Sign on URL where you can initiate the login flow.
+- Click on **Test this application** in Azure portal. This will redirect to Arc Publishing - SSO Sign on URL where you can initiate the login flow.
-* Go to Arc Publishing - SSO Sign-on URL directly and initiate the login flow from there.
+- Go to Arc Publishing - SSO Sign-on URL directly and initiate the login flow from there.
#### IDP initiated:
-* Click on **Test this application** in Azure portal and you should be automatically signed in to the Arc Publishing - SSO for which you set up the SSO
+- Click on **Test this application** in Azure portal and you should be automatically signed in to the Arc Publishing - SSO for which you set up the SSO
You can also use Microsoft My Apps to test the application in any mode. When you click the Arc Publishing - SSO tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Arc Publishing - SSO for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md). - ## Next steps Once you configure Arc Publishing - SSO you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
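Review bot: The re-indented step that begins "In addition to above" still reads "expects few more attributes" and "pre populated", and the Test SSO intro still reads "with following options"; since these lines are being rewritten anyway, correct them to "a few more attributes", "prepopulated" and "with the following options". The **groups** note also hangs its link on the word "here"; link text that names the target article would be clearer.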
active-directory Aws Multi Accounts Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/aws-multi-accounts-tutorial.md
Title: 'Tutorial: Azure Active Directory integration with Amazon Web Services to connect multiple accounts | Microsoft Docs'
+ Title: "Tutorial: Azure Active Directory integration with Amazon Web Services to connect multiple accounts | Microsoft Docs"
description: Learn how to configure single sign-on between Azure AD and Amazon Web Services (legacy tutorial).
This integration provides the following benefits:
![Diagram of Azure AD integration with AWS.](./media/aws-multi-accounts-tutorial/amazonwebservice.png) > [!NOTE]
-> We recommend that you *not* connect one AWS app to all your AWS accounts. Instead, we recommend that you use [Azure AD SSO integration with AWS](./amazon-web-service-tutorial.md) to configure multiple instances of your AWS account to multiple instances of AWS apps in Azure AD.
+> We recommend that you _not_ connect one AWS app to all your AWS accounts. Instead, we recommend that you use [Azure AD SSO integration with AWS](./amazon-web-service-tutorial.md) to configure multiple instances of your AWS account to multiple instances of AWS apps in Azure AD.
-We recommend that you *not* connect one AWS app to all your AWS accounts, for the following reasons:
+We recommend that you _not_ connect one AWS app to all your AWS accounts, for the following reasons:
-* Use this approach only if you have a small number of AWS accounts and roles, because this model isn't scalable as the number of AWS accounts and the roles within them increase. The approach doesn't use AWS role-import functionality with Azure AD user provisioning, so you have to manually add, update, or delete the roles.
+- Use this approach only if you have a small number of AWS accounts and roles, because this model isn't scalable as the number of AWS accounts and the roles within them increase. The approach doesn't use AWS role-import functionality with Azure AD user provisioning, so you have to manually add, update, or delete the roles.
-* You have to use the Microsoft Graph Explorer approach to patch all the roles to the app. We donΓÇÖt recommend using the manifest file approach.
+- You have to use the Microsoft Graph Explorer approach to patch all the roles to the app. We donΓÇÖt recommend using the manifest file approach.
-* Customers report that after they've added ~1,200 app roles for a single AWS app, any further operation on the app starts throwing the errors related to size. There is a hard size limit to the application object.
+- Customers report that after they've added ~1,200 app roles for a single AWS app, any further operation on the app starts throwing the errors related to size. There is a hard size limit to the application object.
-* You have to manually update the roles as they get added in any of the accounts. This is unfortunately a *replace* approach, not an *append* approach. Also, if your account numbers are growing, this becomes an *n* &times; *n* relationship with accounts and roles.
+- You have to manually update the roles as they get added in any of the accounts. This is unfortunately a _replace_ approach, not an _append_ approach. Also, if your account numbers are growing, this becomes an _n_ &times; _n_ relationship with accounts and roles.
-* All the AWS accounts use the same federation metadata XML file. At the time of certificate rollover, updating the certificate on all the AWS accounts at the same time can be a massive exercise.
+- All the AWS accounts use the same federation metadata XML file. At the time of certificate rollover, updating the certificate on all the AWS accounts at the same time can be a massive exercise.
## Prerequisites To configure Azure AD integration with AWS, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD subscription, you can get a [one-month trial](https://azure.microsoft.com/pricing/free-trial/).
-* An AWS SSO-enabled subscription.
+- An Azure AD subscription. If you don't have an Azure AD subscription, you can get a [one-month trial](https://azure.microsoft.com/pricing/free-trial/).
+- An AWS SSO-enabled subscription.
> [!NOTE] > We do not recommend that you test the steps in this tutorial in a production environment unless it is necessary.
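Review bot: In the list introduced by "We recommend that you _not_ connect one AWS app to all your AWS accounts, for the following reasons", the first bullet opens with "Use this approach only if you have a small number of AWS accounts and roles", which reads as a recommendation inside a list of reasons against and never says which approach is meant; name the single-app model and phrase the bullet as a limitation. The added line of the second bullet also carries a mis-encoded apostrophe (`donΓÇÖt`) that should be replaced with a plain one.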
To configure the integration of AWS into Azure AD, you add AWS from the gallery
1. Go to the **Properties** pane, and then copy the value that's displayed in the **Object ID** box.
- ![Screenshot of the Object ID box on the Properties pane.](./media/aws-multi-accounts-tutorial/tutorial-amazonwebservices-properties.png)
+ ![Screenshot of the Object ID box on the Properties pane.](./media/aws-multi-accounts-tutorial/tutorial-amazonwebservices-properties.png)
## Configure and test Azure AD SSO
In this section, you enable Azure AD SSO in the Azure portal and configure SSO i
1. In the Azure portal, on the left pane of the **Amazon Web Services (AWS)** application integration page, select **Single sign-on**.
- ![Screenshot of the "Single sign-on" command.](common/select-sso.png)
+ ![Screenshot of the "Single sign-on" command.](common/select-sso.png)
1. On the **Select a single sign-on method** pane, select **SAML/WS-Fed** mode to enable single sign-on.
- ![Screenshot of the "Select a single sign-on method" pane.](common/select-saml-option.png)
+ ![Screenshot of the "Select a single sign-on method" pane.](common/select-saml-option.png)
-1. On the **Set up Single Sign-On with SAML** pane, select the **Edit** button (pencil icon).
+1. On the **Set up Single Sign-On with SAML** pane, select the **Edit** button (pencil icon).
- ![Screenshot of the Edit button on the "Set up Single Sign-On with SAML" pane.](common/edit-urls.png)
+ ![Screenshot of the Edit button on the "Set up Single Sign-On with SAML" pane.](common/edit-urls.png)
1. The **Basic SAML Configuration** pane opens. Skip this section, because the app is preintegrated with Azure. Select **Save**.
- The AWS application expects the SAML assertions in a specific format. You can manage the values of these attributes from the **User Attributes & Claims** section on the **Application integration** page.
-
+ The AWS application expects the SAML assertions in a specific format. You can manage the values of these attributes from the **User Attributes & Claims** section on the **Application integration** page.
+ 1. On the **Set up Single Sign-On with SAML** page, select the **Edit** button.
- ![Screenshot of the Edit button on the "User Attributes" pane.](common/edit-attribute.png)
+ ![Screenshot of the Edit button on the "User Attributes" pane.](common/edit-attribute.png)
1. In the **User Claims** section of the **User Attributes** pane, configure the SAML token attribute by using the values in the following table:
- | Name | Source attribute | Namespace |
- | | | |
- | RoleSessionName | user.userprincipalname | `https://aws.amazon.com/SAML/Attributes` |
- | Role | user.assignedroles | `https://aws.amazon.com/SAML/Attributes`|
- | SessionDuration | "provide a value from 900 seconds (15 minutes) to 43200 seconds (12 hours)" | `https://aws.amazon.com/SAML/Attributes` |
-
+ | Name | Source attribute | Namespace |
+ | | | - |
+ | RoleSessionName | user.userprincipalname | `https://aws.amazon.com/SAML/Attributes` |
+ | Role | user.assignedroles | `https://aws.amazon.com/SAML/Attributes` |
+ | SessionDuration | "provide a value from 900 seconds (15 minutes) to 43200 seconds (12 hours)" | `https://aws.amazon.com/SAML/Attributes` |
+ a. Select **Add new claim** and then, on the **Manage user claims** pane, do the following: ![Screenshot of "Add new claim" and "Save" buttons on the "User claims" pane.](common/new-save-attribute.png) ![Screenshot of the "Manage user claims" pane.](common/new-attribute-details.png)
- b. In the **Name** box, enter the attribute name.
+ b. In the **Name** box, enter the attribute name.
c. In the **Namespace** box, enter the namespace value.
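Review bot: In the claims table, the SessionDuration row puts a quoted instruction in the Source attribute column ("provide a value from 900 seconds (15 minutes) to 43200 seconds (12 hours)"), which a reader can paste literally as the claim value; show a placeholder there and move the allowed range to a sentence under the table. The added separator row `| | | - |` also differs from the removed `| | | |`, so confirm the table still renders.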
In this section, you enable Azure AD SSO in the Azure portal and configure SSO i
f. Select **Ok**, and then select **Save**.
- >[!NOTE]
- >For more information about roles in Azure AD, see [Add app roles to your application and receive them in the token](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui--preview).
+ > [!NOTE]
+ > For more information about roles in Azure AD, see [Add app roles to your application and receive them in the token](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui).
1. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, select **Download** to download the federation metadata XML file, and then save it to your computer.
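Review bot: The link fragment in the NOTE changes from `#app-roles-ui--preview` to `#app-roles-ui`, and a fragment that matches no heading fails silently by opening the target page at the top; confirm that `howto-add-app-roles-in-azure-ad-apps.md` has a heading that produces `#app-roles-ui` before merging.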
In this section, you enable Azure AD SSO in the Azure portal and configure SSO i
1. On the **AWS services** pane, under **Security, Identity & Compliance**, select **IAM (Identity & Access Management)**.
- ![Screenshot of the "Identity and Access Management" link on the "AWS Services" pane.][12]
+ ![Screenshot of the "Identity and Access Management" link on the "AWS Services" pane.][12]
1. On the left pane, select **Identity Providers**, and then select **Create Provider**.
- ![Screenshot of the "Create Provider" button.][13]
+ ![Screenshot of the "Create Provider" button.][13]
1. On the **Configure Provider** pane, do the following:
- ![Screenshot of the "Configure Provider" pane.][14]
+ ![Screenshot of the "Configure Provider" pane.][14]
- a. In the **Provider Type** drop-down list, select **SAML**.
+ a. In the **Provider Type** drop-down list, select **SAML**.
- b. In the **Provider Name** box, enter a provider name (for example. *WAAD*).
+ b. In the **Provider Name** box, enter a provider name (for example. _WAAD_).
- c. Next to the **Metadata Document** box, select **Choose File** to upload your downloaded federation metadata XML file to the Azure portal.
+ c. Next to the **Metadata Document** box, select **Choose File** to upload your downloaded federation metadata XML file to the Azure portal.
- d. Select **Next Step**.
+ d. Select **Next Step**.
1. On the **Verify Provider Information** pane, select **Create**.
- ![Screenshot of the "Verify Provider Information" pane.][15]
+ ![Screenshot of the "Verify Provider Information" pane.][15]
1. On the left pane, select **Roles**, and then select **Create role**.
- ![Screenshot of the "Create role" button on the Roles pane.][16]
+ ![Screenshot of the "Create role" button on the Roles pane.][16]
- > [!NOTE]
- > The combined length of the role Amazon Resource Name (ARN) and the SAML provider ARN for a role that's being imported must be 240 or fewer characters.
+ > [!NOTE]
+ > The combined length of the role Amazon Resource Name (ARN) and the SAML provider ARN for a role that's being imported must be 240 or fewer characters.
-1. On the **Create role** page, do the following:
+1. On the **Create role** page, do the following:
- ![Screenshot of the "SAML 2.0 federation" trusted entity button on the "Create role" page.][19]
+ ![Screenshot of the "SAML 2.0 federation" trusted entity button on the "Create role" page.][19]
- a. Under **Select type of trusted entity**, select **SAML 2.0 federation**.
+ a. Under **Select type of trusted entity**, select **SAML 2.0 federation**.
- b. Under **Choose a SAML 2.0 provider**, select the SAML provider that you created previously (for example, *WAAD*)
+ b. Under **Choose a SAML 2.0 provider**, select the SAML provider that you created previously (for example, _WAAD_)
- c. Select **Allow programmatic and AWS Management Console access**.
+ c. Select **Allow programmatic and AWS Management Console access**.
- d. Select **Next: Permissions**.
+ d. Select **Next: Permissions**.
1. In the search box, enter **Administrator Access**, select the **AdministratorAccess** check box, and then select **Next: Tags**.
- ![Screenshot of the "Policy name" list with the AdministratorAccess policy selected.](./media/aws-multi-accounts-tutorial/administrator-access.png)
+ ![Screenshot of the "Policy name" list with the AdministratorAccess policy selected.](./media/aws-multi-accounts-tutorial/administrator-access.png)
1. On the **Add tags (optional)** pane, do the following:
- ![Screenshot of the "Add tags (optional)" pane.](./media/aws-multi-accounts-tutorial/config2.png)
+ ![Screenshot of the "Add tags (optional)" pane.](./media/aws-multi-accounts-tutorial/config2.png)
- a. In the **Key** box, enter the key name (for example, *Azureadtest*).
+ a. In the **Key** box, enter the key name (for example, _Azureadtest_).
- b. In the **Value (optional)** box, enter the key value in the following format: `<accountname-aws-admin>`. The account name should be in all lowercase letters.
+ b. In the **Value (optional)** box, enter the key value in the following format: `<accountname-aws-admin>`. The account name should be in all lowercase letters.
- c. Select **Next: Review**.
+ c. Select **Next: Review**.
1. On the **Review** pane, do the following:
- ![Screenshot of the Review pane, with the "Role name" and "Role description" boxes highlighted.][34]
+ ![Screenshot of the Review pane, with the "Role name" and "Role description" boxes highlighted.][34]
- a. In the **Role name** box, enter the value in the following format: `<accountname-aws-admin>`.
+ a. In the **Role name** box, enter the value in the following format: `<accountname-aws-admin>`.
- b. In the **Role description** box, enter the value that you used for the role name.
+ b. In the **Role description** box, enter the value that you used for the role name.
- c. Select **Create role**.
+ c. Select **Create role**.
- d. Create as many roles as you need, and map them to the identity provider.
+ d. Create as many roles as you need, and map them to the identity provider.
- > [!NOTE]
- > Similarly, you can create other roles, such as *accountname-finance-admin*, *accountname-read-only-user*, *accountname-devops-user*, or *accountname-tpm-user*, each with a different policy attached to it. You can change these role policies later, according to the requirements for each AWS account. It's a good idea to keep the same policies for each role across the AWS accounts.
+ > [!NOTE]
+ > Similarly, you can create other roles, such as _accountname-finance-admin_, _accountname-read-only-user_, _accountname-devops-user_, or _accountname-tpm-user_, each with a different policy attached to it. You can change these role policies later, according to the requirements for each AWS account. It's a good idea to keep the same policies for each role across the AWS accounts.
1. Be sure to note the account ID for the AWS account either from the Amazon Elastic Compute Cloud (Amazon EC2) properties pane or the IAM dashboard, as shown in the following screenshot:
- ![Screenshot showing where the account ID is displayed on the "Identity and Access Management" pane.](./media/aws-multi-accounts-tutorial/aws-accountid.png)
+ ![Screenshot showing where the account ID is displayed on the "Identity and Access Management" pane.](./media/aws-multi-accounts-tutorial/aws-accountid.png)
1. Sign in to the Azure portal, and then go to **Groups**. 1. Create new groups with the same name as that of the IAM roles you created earlier, and then note the value in the **Object Id** box of each of these new groups.
- ![Screenshot of the account details for a new group.](./media/aws-multi-accounts-tutorial/copy-objectids.png)
+ ![Screenshot of the account details for a new group.](./media/aws-multi-accounts-tutorial/copy-objectids.png)
1. Sign out of the current AWS account, and then sign in to another account where you want to configure SSO with Azure AD. 1. After you've created all the roles in the accounts, they're displayed in the **Roles** list for those accounts.
- ![Screenshot of the roles list, showing each role's name, description, and trusted entities.](./media/aws-multi-accounts-tutorial/tutorial-amazonwebservices-listofroles.png)
+ ![Screenshot of the roles list, showing each role's name, description, and trusted entities.](./media/aws-multi-accounts-tutorial/tutorial-amazonwebservices-listofroles.png)
You next need to capture all the role ARNs and trusted entities for all roles across all accounts. You'll need to map them manually with the Azure AD application. To do so: 1. Select each role to copy its role ARN and trusted entity values. You'll need them for all the roles that you'll create in Azure AD.
- ![Screenshot of the Summary pane for the role ARNs and trusted entities.](./media/aws-multi-accounts-tutorial/tutorial-amazonwebservices-role-summary.png)
+ ![Screenshot of the Summary pane for the role ARNs and trusted entities.](./media/aws-multi-accounts-tutorial/tutorial-amazonwebservices-role-summary.png)
1. Repeat the preceding step for all the roles in all the accounts, and then store them in a text file in the following format: `<Role ARN>,<Trusted entities>`. 1. Open [Microsoft Graph Explorer](https://developer.microsoft.com/graph/graph-explorer), and then do the following:
- a. Sign in to the Microsoft Graph Explorer site with the Global Admin or Co-admin credentials for your tenant.
+ a. Sign in to the Microsoft Graph Explorer site with the Global Admin or Co-admin credentials for your tenant.
+
+ b. You need sufficient permissions to create the roles. Select **modify permissions**.
+
+ ![Screenshot of the "modify permissions" link on the Microsoft Graph Explorer Authentication pane.](./media/aws-multi-accounts-tutorial/graph-explorer-new9.png)
- b. You need sufficient permissions to create the roles. Select **modify permissions**.
+ c. In the permissions list, if you don't already have the permissions that are shown in the following screenshot, select each one, and then select **Modify Permissions**.
- ![Screenshot of the "modify permissions" link on the Microsoft Graph Explorer Authentication pane.](./media/aws-multi-accounts-tutorial/graph-explorer-new9.png)
+ ![Screenshot of the Microsoft Graph Explorer permissions list, with the appropriate permissions highlighted.](./media/aws-multi-accounts-tutorial/graph-explorer-new10.png)
- c. In the permissions list, if you don't already have the permissions that are shown in the following screenshot, select each one, and then select **Modify Permissions**.
+ d. Sign in to Graph Explorer again, and accept the site usage conditions.
- ![Screenshot of the Microsoft Graph Explorer permissions list, with the appropriate permissions highlighted.](./media/aws-multi-accounts-tutorial/graph-explorer-new10.png)
+ e. At the top of the pane, select **GET** for the method, select **beta** for the version, and then, in the query box, enter either of the following:
- d. Sign in to Graph Explorer again, and accept the site usage conditions.
+ - To fetch all the service principals from your tenant, use `https://graph.microsoft.com/beta/servicePrincipals`.
+ - If you're using multiple directories, use `https://graph.microsoft.com/beta/contoso.com/servicePrincipals`, which contains your primary domain.
- e. At the top of the pane, select **GET** for the method, select **beta** for the version, and then, in the query box, enter either of the following:
-
- * To fetch all the service principals from your tenant, use `https://graph.microsoft.com/beta/servicePrincipals`.
- * If you're using multiple directories, use `https://graph.microsoft.com/beta/contoso.com/servicePrincipals`, which contains your primary domain.
+ ![Screenshot of the Microsoft Graph Explorer query "Request Body" pane.](./media/aws-multi-accounts-tutorial/graph-explorer-new1.png)
- ![Screenshot of the Microsoft Graph Explorer query "Request Body" pane.](./media/aws-multi-accounts-tutorial/graph-explorer-new1.png)
+ f. From the list of service principals, get the one you need to modify.
- f. From the list of service principals, get the one you need to modify.
-
- You can also search the application for all the listed service principals by selecting Ctrl+F. To get a specific service principal, include in the query the service principal object ID, which you copied earlier from the Azure AD Properties pane, as shown here:
+ You can also search the application for all the listed service principals by selecting Ctrl+F. To get a specific service principal, include in the query the service principal object ID, which you copied earlier from the Azure AD Properties pane, as shown here:
- `https://graph.microsoft.com/beta/servicePrincipals/<objectID>`.
+ `https://graph.microsoft.com/beta/servicePrincipals/<objectID>`.
- ![Screenshot showing a service principal query that includes the object ID.](./media/aws-multi-accounts-tutorial/graph-explorer-new2.png)
+ ![Screenshot showing a service principal query that includes the object ID.](./media/aws-multi-accounts-tutorial/graph-explorer-new2.png)
- g. Extract the appRoles property from the service principal object.
+ g. Extract the appRoles property from the service principal object.
- ![Screenshot of the code for extracting the appRoles property from the service principal object.](./media/aws-multi-accounts-tutorial/graph-explorer-new3.png)
+ ![Screenshot of the code for extracting the appRoles property from the service principal object.](./media/aws-multi-accounts-tutorial/graph-explorer-new3.png)
- h. You now need to generate new roles for your application.
+ h. You now need to generate new roles for your application.
- i. The following JSON code is an example of an appRoles object. Create a similar object to add the roles you want for your application.
+ i. The following JSON code is an example of an appRoles object. Create a similar object to add the roles you want for your application.
- ```
- {
- "appRoles": [
- {
- "allowedMemberTypes": [
- "User"
- ],
- "description": "msiam_access",
- "displayName": "msiam_access",
- "id": "7dfd756e-8c27-4472-b2b7-38c17fc5de5e",
- "isEnabled": true,
- "origin": "Application",
- "value": null
- },
- {
- "allowedMemberTypes": [
- "User"
- ],
- "description": "Admin,WAAD",
- "displayName": "Admin,WAAD",
- "id": "4aacf5a4-f38b-4861-b909-bae023e88dde",
- "isEnabled": true,
- "origin": "ServicePrincipal",
- "value": "arn:aws:iam::12345:role/Admin,arn:aws:iam::12345:saml-provider/WAAD"
- },
- {
- "allowedMemberTypes": [
- "User"
- ],
- "description": "Auditors,WAAD",
- "displayName": "Auditors,WAAD",
- "id": "bcad6926-67ec-445a-80f8-578032504c09",
- "isEnabled": true,
- "origin": "ServicePrincipal",
- "value": "arn:aws:iam::12345:role/Auditors,arn:aws:iam::12345:saml-provider/WAAD"
- } ]
- }
- ```
+ ```
+ {
+ "appRoles": [
+ {
+ "allowedMemberTypes": [
+ "User"
+ ],
+ "description": "msiam_access",
+ "displayName": "msiam_access",
+ "id": "7dfd756e-8c27-4472-b2b7-38c17fc5de5e",
+ "isEnabled": true,
+ "origin": "Application",
+ "value": null
+ },
+ {
+ "allowedMemberTypes": [
+ "User"
+ ],
+ "description": "Admin,WAAD",
+ "displayName": "Admin,WAAD",
+ "id": "4aacf5a4-f38b-4861-b909-bae023e88dde",
+ "isEnabled": true,
+ "origin": "ServicePrincipal",
+ "value": "arn:aws:iam::12345:role/Admin,arn:aws:iam::12345:saml-provider/WAAD"
+ },
+ {
+ "allowedMemberTypes": [
+ "User"
+ ],
+ "description": "Auditors,WAAD",
+ "displayName": "Auditors,WAAD",
+ "id": "bcad6926-67ec-445a-80f8-578032504c09",
+ "isEnabled": true,
+ "origin": "ServicePrincipal",
+ "value": "arn:aws:iam::12345:role/Auditors,arn:aws:iam::12345:saml-provider/WAAD"
+ } ]
+ }
+ ```
- > [!Note]
- > You can add new roles only after you've added *msiam_access* for the patch operation. You can also add as many roles as you want, depending on your organization's needs. Azure AD sends the *value* of these roles as the claim value in the SAML response.
+ > [!Note]
+ > You can add new roles only after you've added _msiam_access_ for the patch operation. You can also add as many roles as you want, depending on your organization's needs. Azure AD sends the _value_ of these roles as the claim value in the SAML response.
- j. In Microsoft Graph Explorer, change the method from **GET** to **PATCH**. Patch the service principal object with the roles you want by updating the appRoles property, like the one shown in the preceding example. Select **Run Query** to execute the patch operation. A success message confirms the creation of the role for your AWS application.
+ j. In Microsoft Graph Explorer, change the method from **GET** to **PATCH**. Patch the service principal object with the roles you want by updating the appRoles property, like the one shown in the preceding example. Select **Run Query** to execute the patch operation. A success message confirms the creation of the role for your AWS application.
- ![Screenshot of the Microsoft Graph Explorer pane, with the method changed to PATCH.](./media/aws-multi-accounts-tutorial/graph-explorer-new11.png)
+ ![Screenshot of the Microsoft Graph Explorer pane, with the method changed to PATCH.](./media/aws-multi-accounts-tutorial/graph-explorer-new11.png)
1. After the service principal is patched with more roles, you can assign users and groups to their respective roles. You do this in the Azure portal by going to the AWS application and then selecting the **Users and Groups** tab at the top.
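Review bot: Step c of the **Configure Provider** list says to upload the federation metadata XML file "to the Azure portal", but the step is carried out on the AWS **Configure Provider** pane, so the destination should be AWS; fix the wording while the line is being re-indented. In the Graph Explorer steps, the required permissions are identified only by "the following screenshot"; listing them in text would let a reader grant exactly those and review them later. Step b of the same list also keeps "for example. _WAAD_", where the period should be a comma.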
You next need to capture all the role ARNs and trusted entities for all roles ac
1. After you've created the groups, select the group and assign it to the application.
- ![Screenshot of the "Users and groups" pane.](./media/aws-multi-accounts-tutorial/graph-explorer-new5.png)
+ ![Screenshot of the "Users and groups" pane.](./media/aws-multi-accounts-tutorial/graph-explorer-new5.png)
- > [!Note]
- > Nested groups are not supported when you assign groups.
+ > [!Note]
+ > Nested groups are not supported when you assign groups.
1. To assign the role to the group, select the role, and then select **Assign**.
- ![Screenshot of the "Add Assignment" pane.](./media/aws-multi-accounts-tutorial/graph-explorer-new6.png)
+ ![Screenshot of the "Add Assignment" pane.](./media/aws-multi-accounts-tutorial/graph-explorer-new6.png)
- > [!Note]
- > After you've assigned the roles, you can view them by refreshing your Azure portal session.
+ > [!Note]
+ > After you've assigned the roles, you can view them by refreshing your Azure portal session.
### Test SSO
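Review bot: The two alerts in this hunk are written `> [!Note]`, while the alert added earlier in the same file is `> [!NOTE]`; since these lines are being re-indented anyway, use one casing throughout the file.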
active-directory Catchpoint Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/catchpoint-tutorial.md
Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Catchpoint'
+ Title: "Tutorial: Azure Active Directory single sign-on (SSO) integration with Catchpoint"
description: Learn how to configure single sign-on between Azure Active Directory and Catchpoint.
In this tutorial, you learn how to integrate Catchpoint with Azure Active Directory (Azure AD). When you integrate Catchpoint with Azure AD, you can:
-* Control user access to Catchpoint from Azure AD.
-* Enable automatic Catchpoint sign-in for users with Azure AD accounts.
-* Manage your accounts in one central location: the Azure portal.
+- Control user access to Catchpoint from Azure AD.
+- Enable automatic Catchpoint sign-in for users with Azure AD accounts.
+- Manage your accounts in one central location: the Azure portal.
## Prerequisites To get started, you need the following items:
-* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
-* A Catchpoint subscription with single sign-on (SSO) enabled.
+- An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+- A Catchpoint subscription with single sign-on (SSO) enabled.
## Scenario description In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Catchpoint supports SP-initiated and IDP-initiated SSO.
-* Catchpoint supports just-in-time (JIT) user provisioning.
+- Catchpoint supports SP-initiated and IDP-initiated SSO.
+- Catchpoint supports just-in-time (JIT) user provisioning.
## Add Catchpoint from the gallery
To configure the integration of Catchpoint into Azure AD, add Catchpoint to your
## Configure and test Azure AD SSO for Catchpoint
-For SSO to work, you need to link an Azure AD user with a user in Catchpoint. For this tutorial, we'll configure a test user called **B.Simon**.
+For SSO to work, you need to link an Azure AD user with a user in Catchpoint. For this tutorial, we'll configure a test user called **B.Simon**.
Complete the following sections: 1. [Configure Azure AD SSO](#configure-azure-ad-sso), to enable this feature for your users.
- * [Create an Azure AD test user](#create-an-azure-ad-test-user), to test Azure AD single sign-on with B.Simon.
- * [Assign the Azure AD test user](#assign-the-azure-ad-test-user), to enable B.Simon to use Azure AD single sign-on.
+ - [Create an Azure AD test user](#create-an-azure-ad-test-user), to test Azure AD single sign-on with B.Simon.
+ - [Assign the Azure AD test user](#assign-the-azure-ad-test-user), to enable B.Simon to use Azure AD single sign-on.
1. [Configure Catchpoint SSO](#configure-catchpoint-sso), to configure the single sign-on settings on the application side.
- * [Create Catchpoint test user](#create-a-catchpoint-test-user), to allow linking of the B.Simon Azure AD test account to a similar user account in Catchpoint.
+ - [Create Catchpoint test user](#create-a-catchpoint-test-user), to allow linking of the B.Simon Azure AD test account to a similar user account in Catchpoint.
1. [Test SSO](#test-sso), to verify that the configuration works. ## Configure Azure AD SSO
Follow these steps in the Azure portal to enable Azure AD SSO:
![Edit Basic SAML Configuration](common/edit-urls.png) 1. Configure the initiated mode for Catchpoint:+ - For **IDP**-initiated mode, enter the values for the following fields: - For **Identifier**: `https://portal.catchpoint.com/SAML2` - For **Reply URL**: `https://portal.catchpoint.com/ui/Entry/SingleSignOn.aspx`
Follow these steps in the Azure portal to enable Azure AD SSO:
1. The Catchpoint application expects the SAML assertions in a specific format. Add custom attribute mappings to your configuration of SAML token attributes. The following table contains the list of default attributes:
- | Name | Source attribute|
- | | |
- | Givenname | user.givenneame |
- | Surname | user.surname |
- | Emailaddress | user.mail |
- | Name | user.userprincipalname |
- | Unique User Identifier | user.userprincipalname |
+ | Name | Source attribute |
+ | - | - |
+ | Givenname | user.givenneame |
+ | Surname | user.surname |
+ | Emailaddress | user.mail |
+ | Name | user.userprincipalname |
+ | Unique User Identifier | user.userprincipalname |
- ![User Attributes & Claims list screenshot](common/default-attributes.png)
+ ![User Attributes & Claims list screenshot](common/default-attributes.png)
1. Also, the Catchpoint application expects another attribute to be passed in a SAML response. See the following table. This attribute is also pre-populated, but you can review and update it to fit your requirements.
- | Name | Source attribute|
- | | |
- | namespace | user.assignedrole |
+ | Name | Source attribute |
+ | | -- |
+ | namespace | user.assignedrole |
- > [!NOTE]
- > The `namespace` claim needs to be mapped with the account name. This account name should be set up with a role in Azure AD to be passed back in SAML response. For more information about roles in Azure AD, see [Configure the role claim issued in the SAML token for enterprise applications](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui--preview).
+ > [!NOTE]
+ > The `namespace` claim needs to be mapped with the account name. This account name should be set up with a role in Azure AD to be passed back in SAML response. For more information about roles in Azure AD, see [Configure the role claim issued in the SAML token for enterprise applications](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui).
-1. Go to the **Set Up Single Sign-On with SAML** page. In the **SAML Signing Certificate** section, find **Certificate (Base64)**. Select **Download** to save the certificate to your computer.
+1. Go to the **Set Up Single Sign-On with SAML** page. In the **SAML Signing Certificate** section, find **Certificate (Base64)**. Select **Download** to save the certificate to your computer.
- ![The certificate download link](common/certificatebase64.png)
+ ![The certificate download link](common/certificatebase64.png)
1. In the **Set up Catchpoint** section, copy the URLs that you need in a later step.
- ![Copy configuration URLs](common/copy-configuration-urls.png)
+ ![Copy configuration URLs](common/copy-configuration-urls.png)
### Create an Azure AD test user
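Review bot: The default-attributes table still has the misspelled source attribute `user.givenneame` in the `Givenname` row; the re-indented line carries it over unchanged from the removed one. Since the row is being rewritten anyway, correct it to `user.givenname`. Separately, the `namespace` note now links to `#app-roles-ui` instead of `#app-roles-ui--preview`; confirm that this anchor exists in howto-add-app-roles-in-azure-ad-apps.md so the link does not fall back to the top of that article.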
In this section, you use the Azure portal to create an Azure AD test user called
1. From the left pane in the Azure portal, select **Azure Active Directory** > **Users** > **All users**. 1. Select **New user** at the top of the screen. 1. In the **User** properties, follow these steps:
- 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **Name** field, enter `B.Simon`.
1. In the **User name** field, enter the username@companydomain.extension. For example, enter `B.Simon@contoso.com`. 1. Select the **Show password** check box. Note the displayed password value. 1. Select **Create**.
In this section, you enable B.Simon to use Azure single sign-on by granting acce
1. Select the **Settings** icon and then **SSO Identity Provider**.
- ![Catchpoint settings screenshot with SSO Identity Provider selected](./media/catchpoint-tutorial/configuration1.png)
+ ![Catchpoint settings screenshot with SSO Identity Provider selected](./media/catchpoint-tutorial/configuration1.png)
1. On the **Single Sign On** page, enter the following fields: ![Catchpoint Single Sign On page screenshot](./media/catchpoint-tutorial/configuration2.png)
- Field | Value
- -- | --
- **Namespace** | A valid namespace value.
- **Identity Provider Issuer** | The `Azure AD Identifier` value from the Azure portal.
- **Single Sign On Url** | The `Login URL` value from the Azure portal.
- **Certificate** | The contents of the downloaded `Certificate (Base64)` file from the Azure portal. Use Notepad to view and copy.
+ | Field | Value |
+ | - | |
+ | **Namespace** | A valid namespace value. |
+ | **Identity Provider Issuer** | The `Azure AD Identifier` value from the Azure portal. |
+ | **Single Sign On Url** | The `Login URL` value from the Azure portal. |
+ | **Certificate** | The contents of the downloaded `Certificate (Base64)` file from the Azure portal. Use Notepad to view and copy. |
You might also upload the **Federation Metadata XML** by selecting the **Upload Metadata** option.
Catchpoint supports just-in-time user provisioning, which is enabled by default.
## Test SSO
-In this section, you test your Azure AD single sign-on configuration with following options.
+In this section, you test your Azure AD single sign-on configuration with following options.
#### SP initiated:
-* Click on **Test this application** in Azure portal. This will redirect to Catchpoint Sign on URL where you can initiate the login flow.
+- Click on **Test this application** in Azure portal. This will redirect to Catchpoint Sign on URL where you can initiate the login flow.
-* Go to Catchpoint Sign-on URL directly and initiate the login flow from there.
+- Go to Catchpoint Sign-on URL directly and initiate the login flow from there.
#### IDP initiated:
-* Click on **Test this application** in Azure portal and you should be automatically signed in to the Catchpoint for which you set up the SSO
+- Click on **Test this application** in Azure portal and you should be automatically signed in to the Catchpoint for which you set up the SSO
You can also use Microsoft My Apps to test the application in any mode. When you click the Catchpoint tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Catchpoint for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md). - > [!NOTE] > When you're signed in to the Catchpoint application through the login page, after providing **Catchpoint Credentials**, enter the valid **Namespace** value in the **Company Credentials(SSO)** field and select **Login**.
->
+>
> ![Catchpoint configuration](./media/catchpoint-tutorial/loginimage.png) ## Next steps
active-directory Certent Equity Management Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/certent-equity-management-tutorial.md
Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Certent Equity Management | Microsoft Docs'
+ Title: "Tutorial: Azure Active Directory single sign-on (SSO) integration with Certent Equity Management | Microsoft Docs"
description: Learn how to configure single sign-on between Azure Active Directory and Certent Equity Management.
In this tutorial, you'll learn how to integrate Certent Equity Management with Azure Active Directory (Azure AD). When you integrate Certent Equity Management with Azure AD, you can:
-* Control in Azure AD who has access to Certent Equity Management.
-* Enable your users to be automatically signed-in to Certent Equity Management with their Azure AD accounts.
-* Manage your accounts in one central location - the Azure portal.
+- Control in Azure AD who has access to Certent Equity Management.
+- Enable your users to be automatically signed-in to Certent Equity Management with their Azure AD accounts.
+- Manage your accounts in one central location - the Azure portal.
## Prerequisites To get started, you need the following items:
-* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
-* Certent Equity Management single sign-on (SSO) enabled subscription.
+- An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+- Certent Equity Management single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Certent Equity Management supports **IDP** initiated SSO
+- Certent Equity Management supports **IDP** initiated SSO
## Adding Certent Equity Management from the gallery
To configure the integration of Certent Equity Management into Azure AD, you nee
1. In the **Add from the gallery** section, type **Certent Equity Management** in the search box. 1. Select **Certent Equity Management** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. - ## Configure and test Azure AD SSO for Certent Equity Management Configure and test Azure AD SSO with Certent Equity Management using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Certent Equity Management.
Configure and test Azure AD SSO with Certent Equity Management using a test user
To configure and test Azure AD SSO with Certent Equity Management, perform the following steps: 1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
- 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
- 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
1. **[Configure Certent Equity Management SSO](#configure-certent-equity-management-sso)** - to configure the single sign-on settings on application side.
- 1. **[Create Certent Equity Management test user](#create-certent-equity-management-test-user)** - to have a counterpart of B.Simon in Certent Equity Management that is linked to the Azure AD representation of user.
+ 1. **[Create Certent Equity Management test user](#create-certent-equity-management-test-user)** - to have a counterpart of B.Simon in Certent Equity Management that is linked to the Azure AD representation of user.
1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ## Configure Azure AD SSO
Follow these steps to enable Azure AD SSO in the Azure portal.
1. On the **Set up single sign-on with SAML** page, enter the values for the following fields:
- a. In the **Identifier** text box, type a URL using the following pattern:
- `https://<SUBDOMAIN>.certent.com/sys/sso/saml/acs.aspx`
+ a. In the **Identifier** text box, type a URL using the following pattern:
+ `https://<SUBDOMAIN>.certent.com/sys/sso/saml/acs.aspx`
- b. In the **Reply URL** text box, type a URL using the following pattern:
- `https://<SUBDOMAIN>.certent.com/sys/sso/saml/acs.aspx`
+ b. In the **Reply URL** text box, type a URL using the following pattern:
+ `https://<SUBDOMAIN>.certent.com/sys/sso/saml/acs.aspx`
- > [!NOTE]
- > These values are not real. Update these values with the actual Identifier and Reply URL. These values are not real. Update these values with the actual Identifier and Reply URL. Contact Certent Integration Analyst assigned by Customer Success Manager to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+ > [!NOTE]
+ > These values are not real. Update these values with the actual Identifier and Reply URL. These values are not real. Update these values with the actual Identifier and Reply URL. Contact Certent Integration Analyst assigned by Customer Success Manager to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
1. Certent Equity Management application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.
- ![image](common/default-attributes.png)
+ ![image](common/default-attributes.png)
1. In addition to above, Certent Equity Management application expects few more attributes to be passed back in SAML response which are shown below. These attributes are also pre populated but you can review them as per your requirements.
- | Name | Source Attribute|
- | | |
- | COMPANY | user.companyname |
- | USER | user.userprincipalname |
- | ROLE | user.assignedroles |
+ | Name | Source Attribute |
+ | - | - |
+ | COMPANY | user.companyname |
+ | USER | user.userprincipalname |
+ | ROLE | user.assignedroles |
- > [!NOTE]
- > Please click [here](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui--preview) to know how to configure **Role** in Azure AD.
+ > [!NOTE]
+ > Please click [here](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui) to know how to configure **Role** in Azure AD.
-1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.
+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.
- ![The Certificate download link](common/metadataxml.png)
+ ![The Certificate download link](common/metadataxml.png)
1. On the **Set up Certent Equity Management** section, copy the appropriate URL(s) based on your requirement.
- ![Copy configuration URLs](common/copy-configuration-urls.png)
+ ![Copy configuration URLs](common/copy-configuration-urls.png)
### Create an Azure AD test user
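Review bot: The note under the Identifier and Reply URL steps repeats "These values are not real. Update these values with the actual Identifier and Reply URL." twice in a row, and the re-indented line keeps the duplication; drop the second copy. In the certificate step, the text says to select **Federation Metadata XML** "to download the certificate", although what is downloaded is the metadata file; "download the metadata file" would match the field name. The link text "here" in the role note could also name its target.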
In this section, you'll create a test user in the Azure portal called B.Simon.
1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**. 1. Select **New user** at the top of the screen. 1. In the **User** properties, follow these steps:
- 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **Name** field, enter `B.Simon`.
1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`. 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box. 1. Click **Create**.
To configure single sign-on on **Certent Equity Management** side, you need to s
In this section, you create a user called Britta Simon in Certent Equity Management. Work with Certent Integration Analyst assigned by Customer Success Manager to add the users in the Certent Equity Management platform. Users must be created and activated before you use single sign-on.
-## Test SSO
+## Test SSO
In this section, you test your Azure AD single sign-on configuration with following options.
-* Click on Test this application in Azure portal and you should be automatically signed in to the Certent Equity Management for which you set up the SSO
-
-* You can use Microsoft My Apps. When you click the Certent Equity Management tile in the My Apps, you should be automatically signed in to the Certent Equity Management for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
+- Click on Test this application in Azure portal and you should be automatically signed in to the Certent Equity Management for which you set up the SSO
+- You can use Microsoft My Apps. When you click the Certent Equity Management tile in the My Apps, you should be automatically signed in to the Certent Equity Management for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
active-directory Colortokens Ztna Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/colortokens-ztna-tutorial.md
Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with ColorTokens ZTNA | Microsoft Docs'
+ Title: "Tutorial: Azure Active Directory single sign-on (SSO) integration with ColorTokens ZTNA | Microsoft Docs"
description: Learn how to configure single sign-on between Azure Active Directory and ColorTokens ZTNA.
In this tutorial, you'll learn how to integrate ColorTokens ZTNA with Azure Active Directory (Azure AD). When you integrate ColorTokens ZTNA with Azure AD, you can:
-* Control in Azure AD who has access to ColorTokens ZTNA.
-* Enable your users to be automatically signed-in to ColorTokens ZTNA with their Azure AD accounts.
-* Manage your accounts in one central location - the Azure portal.
+- Control in Azure AD who has access to ColorTokens ZTNA.
+- Enable your users to be automatically signed-in to ColorTokens ZTNA with their Azure AD accounts.
+- Manage your accounts in one central location - the Azure portal.
## Prerequisites To get started, you need the following items:
-* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
-* ColorTokens ZTNA single sign-on (SSO) enabled subscription.
+- An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+- ColorTokens ZTNA single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD SSO in a test environment.
-* ColorTokens ZTNA supports **SP** initiated SSO
+- ColorTokens ZTNA supports **SP** initiated SSO
## Adding ColorTokens ZTNA from the gallery
Configure and test Azure AD SSO with ColorTokens ZTNA using a test user called *
To configure and test Azure AD SSO with ColorTokens ZTNA, perform the following steps: 1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
- 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
- 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
1. **[Configure ColorTokens ZTNA SSO](#configure-colortokens-ztna-sso)** - to configure the single sign-on settings on application side.
- 1. **[Create ColorTokens ZTNA test user](#create-colortokens-ztna-test-user)** - to have a counterpart of B.Simon in ColorTokens ZTNA that is linked to the Azure AD representation of user.
+ 1. **[Create ColorTokens ZTNA test user](#create-colortokens-ztna-test-user)** - to have a counterpart of B.Simon in ColorTokens ZTNA that is linked to the Azure AD representation of user.
1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ## Configure Azure AD SSO
Follow these steps to enable Azure AD SSO in the Azure portal.
1. On the **Basic SAML Configuration** section, enter the values for the following fields:
- a. In the **Sign on URL** text box, type a URL using the following pattern:
- `https://<tenantname>.spectrum.colortokens.com`
+ a. In the **Sign on URL** text box, type a URL using the following pattern:
+ `https://<tenantname>.spectrum.colortokens.com`
- > [!NOTE]
- > These values are not real. Update these values with the actual Sign on URL, Identifier and Reply URL. Contact [ColorTokens ZTNA Client support team](mailto:support@colortokens.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+ > [!NOTE]
+ > These values are not real. Update these values with the actual Sign on URL, Identifier and Reply URL. Contact [ColorTokens ZTNA Client support team](mailto:support@colortokens.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
1. ColorTokens ZTNA application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.
- ![image](common/default-attributes.png)
+ ![image](common/default-attributes.png)
1. In addition to above, ColorTokens ZTNA application expects few more attributes to be passed back in SAML response which are shown below. These attributes are also pre populated but you can review them as per your requirements.
- | Name | Source Attribute|
- | - | |
- | department | user.userprincipalname |
- | Group | user.groups |
+ | Name | Source Attribute |
+ | - | - |
+ | department | user.userprincipalname |
+ | Group | user.groups |
- > [!NOTE]
- > Click [here](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui--preview) to know how to create roles in Azure AD.
+ > [!NOTE]
+ > Click [here](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui) to know how to create roles in Azure AD.
-1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.
+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.
- ![The Certificate download link](common/metadataxml.png)
+ ![The Certificate download link](common/metadataxml.png)
1. On the **Set up ColorTokens ZTNA** section, copy the appropriate URL(s) based on your requirement.
- ![Copy configuration URLs](common/copy-configuration-urls.png)
+ ![Copy configuration URLs](common/copy-configuration-urls.png)
### Create an Azure AD test user
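Review bot: The note after step a. tells the reader to update "the actual Sign on URL, Identifier and Reply URL", but the visible steps in this hunk list only the **Sign on URL** field. Either add the Identifier and Reply URL steps or trim the note to the field that is actually configured. In the attribute table, `department` is mapped to `user.userprincipalname`, and the note that follows points to role creation while the table lists `Group` with `user.groups`; confirm both are intended, since the change only re-indents them.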
In this section, you'll create a test user in the Azure portal called B.Simon.
1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**. 1. Select **New user** at the top of the screen. 1. In the **User** properties, follow these steps:
- 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **Name** field, enter `B.Simon`.
1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`. 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box. 1. Click **Create**.
To configure single sign-on on **ColorTokens ZTNA** side, you need to send the d
In this section, you create a user called Britta Simon in ColorTokens ZTNA. Work with [ColorTokens ZTNA support team](mailto:support@colortokens.com) to add the users in the ColorTokens ZTNA platform. Users must be created and activated before you use single sign-on.
-## Test SSO
+## Test SSO
-In this section, you test your Azure AD single sign-on configuration with following options.
+In this section, you test your Azure AD single sign-on configuration with following options.
-* Click on **Test this application** in Azure portal. This will redirect to ColorTokens ZTNA Sign-on URL where you can initiate the login flow.
+- Click on **Test this application** in Azure portal. This will redirect to ColorTokens ZTNA Sign-on URL where you can initiate the login flow.
-* Go to ColorTokens ZTNA Sign-on URL directly and initiate the login flow from there.
-
-* You can use Microsoft My Apps. When you click the ColorTokens ZTNA tile in the My Apps, this will redirect to ColorTokens ZTNA Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
+- Go to ColorTokens ZTNA Sign-on URL directly and initiate the login flow from there.
+- You can use Microsoft My Apps. When you click the ColorTokens ZTNA tile in the My Apps, this will redirect to ColorTokens ZTNA Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
active-directory Count Me In Operations Dashboard Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/count-me-in-operations-dashboard-tutorial.md
Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Count Me In - Operations Dashboard | Microsoft Docs'
+ Title: "Tutorial: Azure Active Directory single sign-on (SSO) integration with Count Me In - Operations Dashboard | Microsoft Docs"
description: Learn how to configure single sign-on between Azure Active Directory and Count Me In - Operations Dashboard.
Last updated 11/30/2020 - # Tutorial: Azure Active Directory single sign-on (SSO) integration with Count Me In - Operations Dashboard In this tutorial, you'll learn how to integrate Count Me In - Operations Dashboard with Azure Active Directory (Azure AD). When you integrate Count Me In - Operations Dashboard with Azure AD, you can:
-* Control in Azure AD who has access to Count Me In - Operations Dashboard.
-* Enable your users to be automatically signed-in to Count Me In - Operations Dashboard with their Azure AD accounts.
-* Manage your accounts in one central location - the Azure portal.
+- Control in Azure AD who has access to Count Me In - Operations Dashboard.
+- Enable your users to be automatically signed-in to Count Me In - Operations Dashboard with their Azure AD accounts.
+- Manage your accounts in one central location - the Azure portal.
## Prerequisites To get started, you need the following items:
-* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
-* Count Me In - Operations Dashboard single sign-on (SSO) enabled subscription.
+- An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+- Count Me In - Operations Dashboard single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Count Me In - Operations Dashboard supports **SP** initiated SSO
+- Count Me In - Operations Dashboard supports **SP** initiated SSO
## Adding Count Me In - Operations Dashboard from the gallery
Configure and test Azure AD SSO with Count Me In - Operations Dashboard using a
To configure and test Azure AD SSO with Count Me In - Operations Dashboard, perform the following steps: 1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
- 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
- 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
1. **[Configure Count Me In-Operations Dashboard SSO](#configure-count-me-in-operations-dashboard-sso)** - to configure the single sign-on settings on application side.
- 1. **[Create Count Me In-Operations Dashboard test user](#create-count-me-in-operations-dashboard-test-user)** - to have a counterpart of B.Simon in Count Me In - Operations Dashboard that is linked to the Azure AD representation of user.
+ 1. **[Create Count Me In-Operations Dashboard test user](#create-count-me-in-operations-dashboard-test-user)** - to have a counterpart of B.Simon in Count Me In - Operations Dashboard that is linked to the Azure AD representation of user.
1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ## Configure Azure AD SSO
Follow these steps to enable Azure AD SSO in the Azure portal.
1. On the **Basic SAML Configuration** section, enter the values for the following fields:
- a. In the **Sign on URL** text box, type a URL using the following pattern:
- `https://api-us.localz.io/user/v1/saml/initsso?projectId=<PROJECT_ID>`
+ a. In the **Sign on URL** text box, type a URL using the following pattern:
+ `https://api-us.localz.io/user/v1/saml/initsso?projectId=<PROJECT_ID>`
- b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
- `api-us.localz.io/<PROJECT_ID>`
+ b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
+ `api-us.localz.io/<PROJECT_ID>`
- c. In the **Reply URL** text box, type a URL using the following pattern:
- `https://api-us.localz.io/user/v1/saml/initsso?projectId=<PROJECT_ID>`
+ c. In the **Reply URL** text box, type a URL using the following pattern:
+ `https://api-us.localz.io/user/v1/saml/initsso?projectId=<PROJECT_ID>`
- > [!NOTE]
- > These values are not real. Update these values with the actual Sign on URL and Identifier. Contact [Count Me In - Operations Dashboard Client support team](mailto:support@localz.co) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+ > [!NOTE]
+ > These values are not real. Update these values with the actual Sign on URL and Identifier. Contact [Count Me In - Operations Dashboard Client support team](mailto:support@localz.co) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
1. Count Me In - Operations Dashboard application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.
- ![image](common/default-attributes.png)
+ ![image](common/default-attributes.png)
1. In addition to above, Count Me In - Operations Dashboard application expects few more attributes to be passed back in SAML response which are shown below. These attributes are also pre populated but you can review them as per your requirements.
-
- | Name | Source Attribute|
- | -- | |
- | assigned roles | user.assignedroles |
- > [!NOTE]
- > Count Me In - Operations Dashboard expects roles for users assigned to the application. Please set up these roles in Azure AD so that users can be assigned the appropriate roles. To understand how to configure roles in Azure AD, see [here](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui--preview).
+ | Name | Source Attribute |
+ | -- | |
+ | assigned roles | user.assignedroles |
+
+ > [!NOTE]
+ > Count Me In - Operations Dashboard expects roles for users assigned to the application. Please set up these roles in Azure AD so that users can be assigned the appropriate roles. To understand how to configure roles in Azure AD, see [here](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui).
-1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.
+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.
- ![The Certificate download link](common/certificatebase64.png)
+ ![The Certificate download link](common/certificatebase64.png)
1. On the **Set up Count Me In - Operations Dashboard** section, copy the appropriate URL(s) based on your requirement.
- ![Copy configuration URLs](common/copy-configuration-urls.png)
+ ![Copy configuration URLs](common/copy-configuration-urls.png)
+ ### Create an Azure AD test user In this section, you'll create a test user in the Azure portal called B.Simon.
In this section, you'll create a test user in the Azure portal called B.Simon.
1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**. 1. Select **New user** at the top of the screen. 1. In the **User** properties, follow these steps:
- 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **Name** field, enter `B.Simon`.
1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`. 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box. 1. Click **Create**.
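Review bot: In the **Basic SAML Configuration** step, the Reply URL pattern (item c) is the same `https://api-us.localz.io/user/v1/saml/initsso?projectId=<PROJECT_ID>` string as the Sign on URL (item a). The Reply URL is where Azure AD posts the SAML response, so please confirm with the vendor that the sign-on initiation endpoint is also the endpoint that consumes assertions, or correct the pattern. Two smaller points in the same step: the Identifier pattern `api-us.localz.io/<PROJECT_ID>` is introduced as a URL but has no scheme, and the note tells readers to update "the actual Sign on URL and Identifier" without mentioning the Reply URL.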
To configure single sign-on on **Count Me In - Operations Dashboard** side, you
In this section, you create a user called Britta Simon in Count Me In - Operations Dashboard. Work with [Count Me In - Operations Dashboard support team](mailto:support@localz.co) to add the users in the Count Me In - Operations Dashboard platform. Users must be created and activated before you use single sign-on.
-## Test SSO
-
-In this section, you test your Azure AD single sign-on configuration with following options.
+## Test SSO
-* Click on **Test this application** in Azure portal. This will redirect to Count Me In - Operations Dashboard Sign-on URL where you can initiate the login flow.
+In this section, you test your Azure AD single sign-on configuration with following options.
-* Go to Count Me In - Operations Dashboard Sign-on URL directly and initiate the login flow from there.
+- Click on **Test this application** in Azure portal. This will redirect to Count Me In - Operations Dashboard Sign-on URL where you can initiate the login flow.
-* You can use Microsoft My Apps. When you click the Count Me In - Operations Dashboard tile in the My Apps, this will redirect to Count Me In - Operations Dashboard Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
+- Go to Count Me In - Operations Dashboard Sign-on URL directly and initiate the login flow from there.
+- You can use Microsoft My Apps. When you click the Count Me In - Operations Dashboard tile in the My Apps, this will redirect to Count Me In - Operations Dashboard Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
active-directory Dome9arc Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/dome9arc-tutorial.md
Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Check Point CloudGuard Dome9 Arc | Microsoft Docs'
+ Title: "Tutorial: Azure Active Directory single sign-on (SSO) integration with Check Point CloudGuard Dome9 Arc | Microsoft Docs"
description: Learn how to configure single sign-on between Azure Active Directory and Check Point CloudGuard Dome9 Arc.
In this tutorial, you'll learn how to integrate Check Point CloudGuard Dome9 Arc with Azure Active Directory (Azure AD). When you integrate Check Point CloudGuard Dome9 Arc with Azure AD, you can:
-* Control in Azure AD who has access to Check Point CloudGuard Dome9 Arc.
-* Enable your users to be automatically signed-in to Check Point CloudGuard Dome9 Arc with their Azure AD accounts.
-* Manage your accounts in one central location - the Azure portal.
+- Control in Azure AD who has access to Check Point CloudGuard Dome9 Arc.
+- Enable your users to be automatically signed-in to Check Point CloudGuard Dome9 Arc with their Azure AD accounts.
+- Manage your accounts in one central location - the Azure portal.
## Prerequisites To get started, you need the following items:
-* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
-* Check Point CloudGuard Dome9 Arc single sign-on (SSO) enabled subscription.
+- An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+- Check Point CloudGuard Dome9 Arc single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Check Point CloudGuard Dome9 Arc supports **SP and IDP** initiated SSO
+- Check Point CloudGuard Dome9 Arc supports **SP and IDP** initiated SSO
> [!NOTE] > Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
Configure and test Azure AD SSO with Check Point CloudGuard Dome9 Arc using a te
To configure and test Azure AD SSO with Check Point CloudGuard Dome9 Arc, perform the following steps: 1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
- 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
- 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
1. **[Configure Check Point CloudGuard Dome9 Arc SSO](#configure-check-point-cloudguard-dome9-arc-sso)** - to configure the single sign-on settings on application side.
- 1. **[Create Check Point CloudGuard Dome9 Arc test user](#create-check-point-cloudguard-dome9-arc-test-user)** - to have a counterpart of B.Simon in Check Point CloudGuard Dome9 Arc that is linked to the Azure AD representation of user.
+ 1. **[Create Check Point CloudGuard Dome9 Arc test user](#create-check-point-cloudguard-dome9-arc-test-user)** - to have a counterpart of B.Simon in Check Point CloudGuard Dome9 Arc that is linked to the Azure AD representation of user.
1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ## Configure Azure AD SSO
Follow these steps to enable Azure AD SSO in the Azure portal.
1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, enter the values for the following fields:
- In the **Reply URL** text box, type a URL using the following pattern:
- `https://secure.dome9.com/sso/saml/<yourcompanyname>`
+ In the **Reply URL** text box, type a URL using the following pattern:
+ `https://secure.dome9.com/sso/saml/<yourcompanyname>`
1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
- In the **Sign-on URL** text box, type a URL using the following pattern:
- `https://secure.dome9.com/sso/saml/<yourcompanyname>`
+ In the **Sign-on URL** text box, type a URL using the following pattern:
+ `https://secure.dome9.com/sso/saml/<yourcompanyname>`
- > [!NOTE]
- > These values are not real. Update these values with the actual Reply URL and Sign-on URL. You will get the `<company name>` value from the **Configure Check Point CloudGuard Dome9 Arc SSO** section, which is explained later in the tutorial. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+ > [!NOTE]
+ > These values are not real. Update these values with the actual Reply URL and Sign-on URL. You will get the `<company name>` value from the **Configure Check Point CloudGuard Dome9 Arc SSO** section, which is explained later in the tutorial. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
1. Check Point CloudGuard Dome9 Arc application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.
- ![image](common/edit-attribute.png)
+ ![image](common/edit-attribute.png)
1. In addition to above, Check Point CloudGuard Dome9 Arc application expects few more attributes to be passed back in SAML response which are shown below. These attributes are also pre populated but you can review them as per your requirement.
-
- | Name | Source Attribute|
- | | |
- | memberof | user.assignedroles |
- >[!NOTE]
- >Click [here](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui--preview) to know how to create roles in Azure AD.
+ | Name | Source Attribute |
+ | -- | |
+ | memberof | user.assignedroles |
-1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.
+ > [!NOTE]
+ > Click [here](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui) to know how to create roles in Azure AD.
- ![The Certificate download link](common/certificatebase64.png)
+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.
+
+ ![The Certificate download link](common/certificatebase64.png)
1. On the **Set up Check Point CloudGuard Dome9 Arc** section, copy the appropriate URL(s) based on your requirement.
- ![Copy configuration URLs](common/copy-configuration-urls.png)
+ ![Copy configuration URLs](common/copy-configuration-urls.png)
### Create an Azure AD test user
In this section, you'll create a test user in the Azure portal called B.Simon.
1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**. 1. Select **New user** at the top of the screen. 1. In the **User** properties, follow these steps:
- 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **Name** field, enter `B.Simon`.
1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`. 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box. 1. Click **Create**.
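Review bot: The note under the Sign-on URL step refers to a `<company name>` value, but both URL patterns above it use the placeholder `<yourcompanyname>`. Since the lines are being touched anyway, use one placeholder in both places so readers know which part of the Reply URL and Sign-on URL to substitute. The roles note also keeps the link text "here"; a descriptive link label would read better now that the anchor has changed to `#app-roles-ui`.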
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. To automate the configuration within Check Point CloudGuard Dome9 Arc, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**.
- ![My apps extension](common/install-myappssecure-extension.png)
+ ![My apps extension](common/install-myappssecure-extension.png)
2. After adding extension to the browser, click on **Setup Check Point CloudGuard Dome9 Arc** will direct you to the Check Point CloudGuard Dome9 Arc application. From there, provide the admin credentials to sign into Check Point CloudGuard Dome9 Arc. The browser extension will automatically configure the application for you and automate steps 3-6.
- ![Setup configuration](common/setup-sso.png)
+ ![Setup configuration](common/setup-sso.png)
3. If you want to setup Check Point CloudGuard Dome9 Arc manually, open a new web browser window and sign into your Check Point CloudGuard Dome9 Arc company site as an administrator and perform the following steps:
-2. Click on the **Profile Settings** on the right top corner and then click **Account Settings**.
+4. Click on the **Profile Settings** on the right top corner and then click **Account Settings**.
- ![Screenshot that shows the "Profile Settings" menu with "Account Settings" selected.](./media/dome9arc-tutorial/configure1.png)
+ ![Screenshot that shows the "Profile Settings" menu with "Account Settings" selected.](./media/dome9arc-tutorial/configure1.png)
-3. Navigate to **SSO** and then click **ENABLE**.
+5. Navigate to **SSO** and then click **ENABLE**.
- ![Screenshot that shows the "S S O" tab and "Enable" selected.](./media/dome9arc-tutorial/configure2.png)
+ ![Screenshot that shows the "S S O" tab and "Enable" selected.](./media/dome9arc-tutorial/configure2.png)
-4. In the SSO Configuration section, perform the following steps:
+6. In the SSO Configuration section, perform the following steps:
- ![Check Point CloudGuard Dome9 Arc Configuration](./media/dome9arc-tutorial/configure3.png)
+ ![Check Point CloudGuard Dome9 Arc Configuration](./media/dome9arc-tutorial/configure3.png)
- a. Enter company name in the **Account ID** textbox. This value is to be used in the **Reply** and **Sign on** URL mentioned in **Basic SAML Configuration** section of Azure portal.
+ a. Enter company name in the **Account ID** textbox. This value is to be used in the **Reply** and **Sign on** URL mentioned in **Basic SAML Configuration** section of Azure portal.
- b. In the **Issuer** textbox, paste the value of **Azure AD Identifier**, which you have copied form the Azure portal.
+ b. In the **Issuer** textbox, paste the value of **Azure AD Identifier**, which you have copied form the Azure portal.
- c. In the **Idp endpoint url** textbox, paste the value of **Login URL**, which you have copied form the Azure portal.
+ c. In the **Idp endpoint url** textbox, paste the value of **Login URL**, which you have copied form the Azure portal.
- d. Open your downloaded Base64 encoded certificate in notepad, copy the content of it into your clipboard, and then paste it to the **X.509 certificate** textbox.
+ d. Open your downloaded Base64 encoded certificate in notepad, copy the content of it into your clipboard, and then paste it to the **X.509 certificate** textbox.
- e. Click **Save**.
+ e. Click **Save**.
### Create Check Point CloudGuard Dome9 Arc test user To enable Azure AD users to sign in to Check Point CloudGuard Dome9 Arc, they must be provisioned into application. Check Point CloudGuard Dome9 Arc supports just-in-time provisioning but for that to work properly, user have to select particular **Role** and assign the same to the user.
- >[!Note]
- >For **Role** creation and other details contact [Check Point CloudGuard Dome9 Arc Client support team](mailto:Dome9@checkpoint.com).
+> [!Note]
+> For **Role** creation and other details contact [Check Point CloudGuard Dome9 Arc Client support team](mailto:Dome9@checkpoint.com).
**To provision a user account manually, perform the following steps:**
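Review bot: Items b and c of the SSO Configuration step still read "which you have copied form the Azure portal" on the re-indented lines; "form" should be "from". The renumbering of the manual steps to 4, 5 and 6 is consistent with the "automate steps 3-6" sentence in step 2, so that part looks right. The alert marker in the test-user section is written `[!Note]` while every other alert in this file uses `[!NOTE]`; suggest matching the casing while the indentation is being fixed.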
To enable Azure AD users to sign in to Check Point CloudGuard Dome9 Arc, they mu
2. Click on the **Users & Roles** and then click **Users**.
- ![Screenshot that shows "Users & Roles" with the "Users" action selected.](./media/dome9arc-tutorial/user1.png)
+ ![Screenshot that shows "Users & Roles" with the "Users" action selected.](./media/dome9arc-tutorial/user1.png)
3. Click **ADD USER**.
- ![Screenshot that shows "Users & Roles" with the "ADD USER" button selected.](./media/dome9arc-tutorial/user2.png)
+ ![Screenshot that shows "Users & Roles" with the "ADD USER" button selected.](./media/dome9arc-tutorial/user2.png)
4. In the **Create User** section, perform the following steps:
- ![Add Employee](./media/dome9arc-tutorial/user3.png)
+ ![Add Employee](./media/dome9arc-tutorial/user3.png)
- a. In the **Email** textbox, type the email of user like B.Simon@contoso.com.
+ a. In the **Email** textbox, type the email of user like B.Simon@contoso.com.
- b. In the **First Name** textbox, type first name of the user like B.
+ b. In the **First Name** textbox, type first name of the user like B.
- c. In the **Last Name** textbox, type last name of the user like Simon.
+ c. In the **Last Name** textbox, type last name of the user like Simon.
- d. Make **SSO User** as **On**.
+ d. Make **SSO User** as **On**.
- e. Click **CREATE**.
+ e. Click **CREATE**.
-## Test SSO
+## Test SSO
-In this section, you test your Azure AD single sign-on configuration with following options.
+In this section, you test your Azure AD single sign-on configuration with following options.
#### SP initiated:
-* Click on **Test this application** in Azure portal. This will redirect to Check Point CloudGuard Dome9 Arc Sign on URL where you can initiate the login flow.
+- Click on **Test this application** in Azure portal. This will redirect to Check Point CloudGuard Dome9 Arc Sign on URL where you can initiate the login flow.
-* Go to Check Point CloudGuard Dome9 Arc Sign-on URL directly and initiate the login flow from there.
+- Go to Check Point CloudGuard Dome9 Arc Sign-on URL directly and initiate the login flow from there.
#### IDP initiated:
-* Click on **Test this application** in Azure portal and you should be automatically signed in to the Check Point CloudGuard Dome9 Arc for which you set up the SSO
+- Click on **Test this application** in Azure portal and you should be automatically signed in to the Check Point CloudGuard Dome9 Arc for which you set up the SSO
You can also use Microsoft My Apps to test the application in any mode. When you click the Check Point CloudGuard Dome9 Arc tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Check Point CloudGuard Dome9 Arc for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md). - ## Next steps Once you configure Check Point CloudGuard Dome9 Arc you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory Dotcom Monitor Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/dotcom-monitor-tutorial.md
Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Dotcom-Monitor | Microsoft Docs'
+ Title: "Tutorial: Azure Active Directory single sign-on (SSO) integration with Dotcom-Monitor | Microsoft Docs"
description: Learn how to configure single sign-on between Azure Active Directory and Dotcom-Monitor.
In this tutorial, you'll learn how to integrate Dotcom-Monitor with Azure Active Directory (Azure AD). When you integrate Dotcom-Monitor with Azure AD, you can:
-* Control in Azure AD who has access to Dotcom-Monitor.
-* Enable your users to be automatically signed-in to Dotcom-Monitor with their Azure AD accounts.
-* Manage your accounts in one central location - the Azure portal.
+- Control in Azure AD who has access to Dotcom-Monitor.
+- Enable your users to be automatically signed-in to Dotcom-Monitor with their Azure AD accounts.
+- Manage your accounts in one central location - the Azure portal.
## Prerequisites To get started, you need the following items:
-* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
-* Dotcom-Monitor single sign-on (SSO) enabled subscription.
+- An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+- Dotcom-Monitor single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Dotcom-Monitor supports **SP** initiated SSO
+- Dotcom-Monitor supports **SP** initiated SSO
-* Dotcom-Monitor supports **Just In Time** user provisioning
+- Dotcom-Monitor supports **Just In Time** user provisioning
## Adding Dotcom-Monitor from the gallery
Configure and test Azure AD SSO with Dotcom-Monitor using a test user called **B
To configure and test Azure AD SSO with Dotcom-Monitor, perform the following steps: 1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
- 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
- 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
1. **[Configure Dotcom Monitor SSO](#configure-dotcom-monitor-sso)** - to configure the single sign-on settings on application side.
- 1. **[Create Dotcom Monitor test user](#create-dotcom-monitor-test-user)** - to have a counterpart of B.Simon in Dotcom-Monitor that is linked to the Azure AD representation of user.
+ 1. **[Create Dotcom Monitor test user](#create-dotcom-monitor-test-user)** - to have a counterpart of B.Simon in Dotcom-Monitor that is linked to the Azure AD representation of user.
1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ## Configure Azure AD SSO
Follow these steps to enable Azure AD SSO in the Azure portal.
1. On the **Basic SAML Configuration** section, enter the values for the following fields:
- In the **Sign-on URL** text box, type a URL using the following pattern:
- `https://userauth.dotcom-monitor.com/Login.ashx?cidp=<CUSTOM_GUID>`
+ In the **Sign-on URL** text box, type a URL using the following pattern:
+ `https://userauth.dotcom-monitor.com/Login.ashx?cidp=<CUSTOM_GUID>`
- > [!NOTE]
- > The value is not real. Update the value with the actual Sign-On URL. Contact [Dotcom-Monitor Client support team](mailto:vadimm@dana-net.com) to get the value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+ > [!NOTE]
+ > The value is not real. Update the value with the actual Sign-On URL. Contact [Dotcom-Monitor Client support team](mailto:vadimm@dana-net.com) to get the value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
1. Dotcom-Monitor application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.
- ![image](common/default-attributes.png)
+ ![image](common/default-attributes.png)
1. In addition to above, Dotcom-Monitor application expects few more attributes to be passed back in SAML response which are shown below. These attributes are also pre populated but you can review them as per your requirements.
- | Name | Source Attribute|
- | | |
- | Roles | user.assignedroles |
+ | Name | Source Attribute |
+ | -- | |
+ | Roles | user.assignedroles |
- > [!NOTE]
- > You can find more guidance [here](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui--preview) on how to create custom roles in Azure AD.
+ > [!NOTE]
+ > You can find more guidance [here](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui) on how to create custom roles in Azure AD.
-1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.
+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.
- ![The Certificate download link](common/metadataxml.png)
+ ![The Certificate download link](common/metadataxml.png)
1. On the **Set up Dotcom-Monitor** section, copy the appropriate URL(s) based on your requirement.
- ![Copy configuration URLs](common/copy-configuration-urls.png)
+ ![Copy configuration URLs](common/copy-configuration-urls.png)
### Create an Azure AD test user
In this section, you'll create a test user in the Azure portal called B.Simon.
1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**. 1. Select **New user** at the top of the screen. 1. In the **User** properties, follow these steps:
- 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **Name** field, enter `B.Simon`.
1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`. 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box. 1. Click **Create**.
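Review bot: The **SAML Signing Certificate** step asks the reader to find **Federation Metadata XML** but then says "to download the certificate", and the image alt text is "The Certificate download link" for `common/metadataxml.png`. The artifact being downloaded is the metadata file, so the sentence and alt text should say so. Separately, the link labelled "Dotcom-Monitor Client support team" in the Sign-on URL note points to `mailto:vadimm@dana-net.com`, which is not a dotcom-monitor.com address; please confirm this is the intended contact before readers are directed to send SSO configuration requests there.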
In this section, a user called B.Simon is created in Dotcom-Monitor. Dotcom-Moni
## Test SSO
-In this section, you test your Azure AD single sign-on configuration with following options.
+In this section, you test your Azure AD single sign-on configuration with following options.
-* Click on **Test this application** in Azure portal. This will redirect to Dotcom-Monitor Sign-on URL where you can initiate the login flow.
+- Click on **Test this application** in Azure portal. This will redirect to Dotcom-Monitor Sign-on URL where you can initiate the login flow.
-* Go to Dotcom-Monitor Sign-on URL directly and initiate the login flow from there.
-
-* You can use Microsoft My Apps. When you click the Dotcom-Monitor tile in the My Apps, this will redirect to Dotcom-Monitor Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
+- Go to Dotcom-Monitor Sign-on URL directly and initiate the login flow from there.
+- You can use Microsoft My Apps. When you click the Dotcom-Monitor tile in the My Apps, this will redirect to Dotcom-Monitor Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
active-directory Heybuddy Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/heybuddy-tutorial.md
Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with HeyBuddy | Microsoft Docs'
+ Title: "Tutorial: Azure Active Directory single sign-on (SSO) integration with HeyBuddy | Microsoft Docs"
description: Learn how to configure single sign-on between Azure Active Directory and HeyBuddy.
In this tutorial, you'll learn how to integrate HeyBuddy with Azure Active Directory (Azure AD). When you integrate HeyBuddy with Azure AD, you can:
-* Control in Azure AD who has access to HeyBuddy.
-* Enable your users to be automatically signed-in to HeyBuddy with their Azure AD accounts.
-* Manage your accounts in one central location - the Azure portal.
-
+- Control in Azure AD who has access to HeyBuddy.
+- Enable your users to be automatically signed-in to HeyBuddy with their Azure AD accounts.
+- Manage your accounts in one central location - the Azure portal.
## Prerequisites To get started, you need the following items:
-* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
-* HeyBuddy single sign-on (SSO) enabled subscription.
+- An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+- HeyBuddy single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD SSO in a test environment.
-* HeyBuddy supports **SP** initiated SSO
-* HeyBuddy supports **Just In Time** user provisioning
+- HeyBuddy supports **SP** initiated SSO
+- HeyBuddy supports **Just In Time** user provisioning
> [!NOTE] > Identifier of this application is a fixed string value so only one instance can be configured in one tenant. - ## Adding HeyBuddy from the gallery To configure the integration of HeyBuddy into Azure AD, you need to add HeyBuddy from the gallery to your list of managed SaaS apps.
To configure the integration of HeyBuddy into Azure AD, you need to add HeyBuddy
1. In the **Add from the gallery** section, type **HeyBuddy** in the search box. 1. Select **HeyBuddy** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. - ## Configure and test Azure AD SSO for HeyBuddy Configure and test Azure AD SSO with HeyBuddy using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in HeyBuddy.
Configure and test Azure AD SSO with HeyBuddy using a test user called **B.Simon
To configure and test Azure AD SSO with HeyBuddy, perform the following steps: 1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
- 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
- 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
1. **[Configure HeyBuddy SSO](#configure-heybuddy-sso)** - to configure the single sign-on settings on application side.
- 1. **[Create HeyBuddy test user](#create-heybuddy-test-user)** - to have a counterpart of B.Simon in HeyBuddy that is linked to the Azure AD representation of user.
+ 1. **[Create HeyBuddy test user](#create-heybuddy-test-user)** - to have a counterpart of B.Simon in HeyBuddy that is linked to the Azure AD representation of user.
1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ## Configure Azure AD SSO
Follow these steps to enable Azure AD SSO in the Azure portal.
1. On the **Basic SAML Configuration** section, enter the values for the following fields:
- a. In the **Sign on URL** text box, type a URL using the following pattern:
- `https://api.heybuddy.com/auth/<ENTITY ID>`
+ a. In the **Sign on URL** text box, type a URL using the following pattern:
+ `https://api.heybuddy.com/auth/<ENTITY ID>`
- > [!NOTE]
- > The value is not real. Update the value with the actual Sign-On URL. The `Entity ID` in the Sign on url is auto generated for each organization. Contact [HeyBuddy Client support team](mailto:support@heybuddy.com) to get these values.
+ > [!NOTE]
+ > The value is not real. Update the value with the actual Sign-On URL. The `Entity ID` in the Sign on url is auto generated for each organization. Contact [HeyBuddy Client support team](mailto:support@heybuddy.com) to get these values.
1. HeyBuddy application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.
- ![image](common/edit-attribute.png)
+ ![image](common/edit-attribute.png)
1. In addition to above, EZOfficeInventory application expects few more attributes to be passed back in SAML response which are shown below. These attributes are also pre populated but you can review them as per your requirement.
- | Name | Source Attribute|
- | -- | |
- | Roles | user.assignedroles |
- | | |
-
- > [!NOTE]
- > Please refer to this [link](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui--preview) on how to configure and setup the roles for the application.
+ | Name | Source Attribute |
+ | -- | |
+ | Roles | user.assignedroles |
+ | | |
+
+ > [!NOTE]
+ > Please refer to this [link](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui) on how to configure and setup the roles for the application.
1. On the **Set up single sign-on with SAML** page, In the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer.
- ![The Certificate download link](common/copy-metadataurl.png)
+ ![The Certificate download link](common/copy-metadataurl.png)
### Create an Azure AD test user
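Review bot: The step beginning "In addition to above" names the wrong product: it says the EZOfficeInventory application expects the extra attributes, but this is the HeyBuddy tutorial and every other step refers to HeyBuddy. The change already re-indents the table directly under that step, so fix the name in the same pass. The re-indented table also carries over the empty trailing row `| | |` from the old version, which can be dropped, and the note's link text "this [link]" would read better if it named the target (configuring app roles).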
In this section, you'll create a test user in the Azure portal called B.Simon.
1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**. 1. Select **New user** at the top of the screen. 1. In the **User** properties, follow these steps:
- 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **Name** field, enter `B.Simon`.
1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`. 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box. 1. Click **Create**.
In this section, a user called Britta Simon is created in HeyBuddy. HeyBuddy sup
> [!Note] > If you need to create a user manually, contact [HeyBuddy support team](mailto:support@heybuddy.com).
-## Test SSO
-
-In this section, you test your Azure AD single sign-on configuration with following options.
+## Test SSO
-* Click on **Test this application** in Azure portal. This will redirect to HeyBuddy Sign-on URL where you can initiate the login flow.
+In this section, you test your Azure AD single sign-on configuration with following options.
-* Go to HeyBuddy Sign-on URL directly and initiate the login flow from there.
+- Click on **Test this application** in Azure portal. This will redirect to HeyBuddy Sign-on URL where you can initiate the login flow.
-* You can use Microsoft My Apps. When you click the HeyBuddy tile in the My Apps, this will redirect to HeyBuddy Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
+- Go to HeyBuddy Sign-on URL directly and initiate the login flow from there.
+- You can use Microsoft My Apps. When you click the HeyBuddy tile in the My Apps, this will redirect to HeyBuddy Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
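Review bot: The context at the top of this hunk says a user called Britta Simon is created in HeyBuddy, while the rest of the tutorial calls the test user B.Simon; use one name throughout. The note in the same context is written `[!Note]` where the other notes in this file use `[!NOTE]`. Since the Test SSO intro line is being re-added anyway, "with following options" can become "with the following options".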
active-directory Kumolus Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/kumolus-tutorial.md
Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Kumolus | Microsoft Docs'
+ Title: "Tutorial: Azure Active Directory single sign-on (SSO) integration with Kumolus | Microsoft Docs"
description: Learn how to configure single sign-on between Azure Active Directory and Kumolus.
In this tutorial, you'll learn how to integrate Kumolus with Azure Active Directory (Azure AD). When you integrate Kumolus with Azure AD, you can:
-* Control in Azure AD who has access to Kumolus.
-* Enable your users to be automatically signed-in to Kumolus with their Azure AD accounts.
-* Manage your accounts in one central location - the Azure portal.
+- Control in Azure AD who has access to Kumolus.
+- Enable your users to be automatically signed-in to Kumolus with their Azure AD accounts.
+- Manage your accounts in one central location - the Azure portal.
## Prerequisites To get started, you need the following items:
-* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
-* Kumolus single sign-on (SSO) enabled subscription.
+- An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+- Kumolus single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Kumolus supports **SP and IDP** initiated SSO
-* Kumolus supports **Just In Time** user provisioning
+- Kumolus supports **SP and IDP** initiated SSO
+- Kumolus supports **Just In Time** user provisioning
## Adding Kumolus from the gallery
To configure the integration of Kumolus into Azure AD, you need to add Kumolus f
1. In the **Add from the gallery** section, type **Kumolus** in the search box. 1. Select **Kumolus** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. - ## Configure and test Azure AD SSO for Kumolus Configure and test Azure AD SSO with Kumolus using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Kumolus.
Configure and test Azure AD SSO with Kumolus using a test user called **B.Simon*
To configure and test Azure AD SSO with Kumolus, perform the following steps: 1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
- 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
- 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
1. **[Configure Kumolus SSO](#configure-kumolus-sso)** - to configure the single sign-on settings on application side.
- 1. **[Create Kumolus test user](#create-kumolus-test-user)** - to have a counterpart of B.Simon in Kumolus that is linked to the Azure AD representation of user.
+ 1. **[Create Kumolus test user](#create-kumolus-test-user)** - to have a counterpart of B.Simon in Kumolus that is linked to the Azure AD representation of user.
1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ## Configure Azure AD SSO
Follow these steps to enable Azure AD SSO in the Azure portal.
1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, enter the values for the following fields:
- a. In the **Identifier** text box, type a URL using the following pattern:
- `https://<SUBDOMAIN>.kumolus.net/sso/metadata`
+ a. In the **Identifier** text box, type a URL using the following pattern:
+ `https://<SUBDOMAIN>.kumolus.net/sso/metadata`
- b. In the **Reply URL** text box, type a URL using the following pattern:
- `https://<SUBDOMAIN>.kumolus.net/sso/acs`
+ b. In the **Reply URL** text box, type a URL using the following pattern:
+ `https://<SUBDOMAIN>.kumolus.net/sso/acs`
1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
- In the **Sign-on URL** text box, type a URL using the following pattern:
- `https://<SUBDOMAIN>.kumolus.net/`
+ In the **Sign-on URL** text box, type a URL using the following pattern:
+ `https://<SUBDOMAIN>.kumolus.net/`
- > [!NOTE]
- > These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact [Kumolus Client support team](mailto:kumoas@kumolus.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+ > [!NOTE]
+ > These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact [Kumolus Client support team](mailto:kumoas@kumolus.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
1. Kumolus application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.
- ![image](common/default-attributes.png)
+ ![image](common/default-attributes.png)
1. In addition to above, Kumolus application expects few more attributes to be passed back in SAML response, which are shown below. These attributes are also pre populated but you can review them as per your requirements.
-
- | Name | Source Attribute |
- | | |
- | E-Mail Address | user.mail |
- | role | user.assignedroles |
- > [!NOTE]
- > Kumolus expects roles for users assigned to the application. Please set up these roles in Azure AD so that users can be assigned the appropriate roles. To understand how to configure roles in Azure AD, see [here](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui--preview).
+ | Name | Source Attribute |
+ | -- | |
+ | E-Mail Address | user.mail |
+ | role | user.assignedroles |
+
+ > [!NOTE]
+ > Kumolus expects roles for users assigned to the application. Please set up these roles in Azure AD so that users can be assigned the appropriate roles. To understand how to configure roles in Azure AD, see [here](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui).
-1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.
+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.
- ![The Certificate download link](common/metadataxml.png)
+ ![The Certificate download link](common/metadataxml.png)
1. On the **Set up Kumolus** section, copy the appropriate URL(s) based on your requirement.
- ![Copy configuration URLs](common/copy-configuration-urls.png)
+ ![Copy configuration URLs](common/copy-configuration-urls.png)
### Create an Azure AD test user
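Review bot: In the **SAML Signing Certificate** step, the text tells the reader to find **Federation Metadata XML** and select **Download** "to download the certificate", and the image under it has the alt text "The Certificate download link" although the file is `metadataxml.png`. What the reader downloads at this step is the federation metadata file, so the sentence and the alt text should say so; other tutorials in this update use the same sentence for **Certificate (Raw)** and **Certificate (Base64)**, where "certificate" is accurate. The removed and added versions of this step differ only in whitespace, so the wording can be corrected in the same change.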
In this section, you'll create a test user in the Azure portal called B.Simon.
1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**. 1. Select **New user** at the top of the screen. 1. In the **User** properties, follow these steps:
- 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **Name** field, enter `B.Simon`.
1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`. 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box. 1. Click **Create**.
To configure single sign-on on **Kumolus** side, you need to send the downloaded
In this section, a user called B.Simon is created in Kumolus. Kumolus supports just-in-time provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Kumolus, a new one is created when you attempt to access Kumolus.
-## Test SSO
+## Test SSO
-In this section, you test your Azure AD single sign-on configuration with following options.
+In this section, you test your Azure AD single sign-on configuration with following options.
#### SP initiated:
-* Click on **Test this application** in Azure portal. This will redirect to Kumolus Sign on URL where you can initiate the login flow.
+- Click on **Test this application** in Azure portal. This will redirect to Kumolus Sign on URL where you can initiate the login flow.
-* Go to Kumolus Sign-on URL directly and initiate the login flow from there.
+- Go to Kumolus Sign-on URL directly and initiate the login flow from there.
#### IDP initiated:
-* Click on **Test this application** in Azure portal and you should be automatically signed in to the Kumolus for which you set up the SSO
+- Click on **Test this application** in Azure portal and you should be automatically signed in to the Kumolus for which you set up the SSO
You can also use Microsoft Access Panel to test the application in any mode. When you click the Kumolus tile in the Access Panel, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Kumolus for which you set up the SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
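Review bot: The closing paragraph of Test SSO still calls the portal "Microsoft Access Panel" and links "Introduction to the Access Panel", while the link target is `my-apps-portal-end-user-access.md` and the HeyBuddy and Meraki Dashboard tutorials in this same update say "Microsoft My Apps". Rename it here as well. The `#### SP initiated:` and `#### IDP initiated:` headings sit directly under `## Test SSO`, skipping a level, and end in a colon; `###` without the colon would match the other headings in the file.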
active-directory Mapbox Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/mapbox-tutorial.md
Follow these steps to enable Azure AD SSO in the Azure portal.
| | | > [!NOTE]
- > To understand how to configure roles in Azure AD, see [here](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui--preview).
+ > To understand how to configure roles in Azure AD, see [here](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui).
1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Raw)** and select **Download** to download the certificate and save it on your computer.
active-directory Meraki Dashboard Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/meraki-dashboard-tutorial.md
Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Meraki Dashboard | Microsoft Docs'
+ Title: "Tutorial: Azure Active Directory single sign-on (SSO) integration with Meraki Dashboard | Microsoft Docs"
description: Learn how to configure single sign-on between Azure Active Directory and Meraki Dashboard.
In this tutorial, you'll learn how to integrate Meraki Dashboard with Azure Active Directory (Azure AD). When you integrate Meraki Dashboard with Azure AD, you can:
-* Control in Azure AD who has access to Meraki Dashboard.
-* Enable your users to be automatically signed-in to Meraki Dashboard with their Azure AD accounts.
-* Manage your accounts in one central location - the Azure portal.
+- Control in Azure AD who has access to Meraki Dashboard.
+- Enable your users to be automatically signed-in to Meraki Dashboard with their Azure AD accounts.
+- Manage your accounts in one central location - the Azure portal.
## Prerequisites To get started, you need the following items:
-* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
-* Meraki Dashboard single sign-on (SSO) enabled subscription.
+- An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+- Meraki Dashboard single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Meraki Dashboard supports **IDP** initiated SSO
+- Meraki Dashboard supports **IDP** initiated SSO
> [!NOTE] > Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
Configure and test Azure AD SSO with Meraki Dashboard using a test user called *
To configure and test Azure AD SSO with Meraki Dashboard, perform the following steps: 1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
- 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
- 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
1. **[Configure Meraki Dashboard SSO](#configure-meraki-dashboard-sso)** - to configure the single sign-on settings on application side.
- 1. **[Create Meraki Dashboard test user](#create-meraki-dashboard-test-user)** - to have a counterpart of B.Simon in Meraki Dashboard that is linked to the Azure AD representation of user.
+ 1. **[Create Meraki Dashboard test user](#create-meraki-dashboard-test-user)** - to have a counterpart of B.Simon in Meraki Dashboard that is linked to the Azure AD representation of user.
1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ## Configure Azure AD SSO
Follow these steps to enable Azure AD SSO in the Azure portal.
![Edit Basic SAML Configuration](common/edit-urls.png) 1. On the **Basic SAML Configuration** section, perform the following steps:
-
- In the **Reply URL** textbox, type a URL using the following pattern:
- `https://n27.meraki.com/saml/login/m9ZEgb/< UNIQUE ID >`
- > [!NOTE]
- > The Reply URL value is not real. Update this value with the actual Reply URL value, which is explained later in the tutorial.
+ In the **Reply URL** textbox, type a URL using the following pattern:
+ `https://n27.meraki.com/saml/login/m9ZEgb/< UNIQUE ID >`
+
+ > [!NOTE]
+ > The Reply URL value is not real. Update this value with the actual Reply URL value, which is explained later in the tutorial.
1. Click the **Save** button. 1. Meraki Dashboard application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.
- ![image](common/default-attributes.png)
+ ![image](common/default-attributes.png)
1. In addition to above, Meraki Dashboard application expects few more attributes to be passed back in SAML response which are shown below. These attributes are also pre populated but you can review them as per your requirements.
-
- | Name | Source Attribute|
- | | |
- | `https://dashboard.meraki.com/saml/attributes/username` | user.userprincipalname |
- | `https://dashboard.meraki.com/saml/attributes/role` | user.assignedroles |
- > [!NOTE]
- > To understand how to configure roles in Azure AD, see [here](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui--preview).
+ | Name | Source Attribute |
+ | - | - |
+ | `https://dashboard.meraki.com/saml/attributes/username` | user.userprincipalname |
+ | `https://dashboard.meraki.com/saml/attributes/role` | user.assignedroles |
+
+ > [!NOTE]
+ > To understand how to configure roles in Azure AD, see [here](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui).
1. In the **SAML Signing Certificate** section, click **Edit** button to open **SAML Signing Certificate** dialog.
- ![Edit SAML Signing Certificate](common/edit-certificate.png)
+ ![Edit SAML Signing Certificate](common/edit-certificate.png)
1. In the **SAML Signing Certificate** section, copy the **Thumbprint Value** and save it on your computer. This value needs to be converted to include colons in order for the Meraki dashboard to understand it . For example, if the thumbprint from Azure is `C2569F50A4AAEDBB8E` it will need to be changed to `C2:56:9F:50:A4:AA:ED:BB:8E` to use it later in Meraki Dashboard.
- ![Copy Thumbprint value](common/copy-thumbprint.png)
+ ![Copy Thumbprint value](common/copy-thumbprint.png)
1. On the **Set up Meraki Dashboard** section, copy the Logout URL value and save it on your computer.
- ![Copy configuration URLs](common/copy-configuration-urls.png)
+ ![Copy configuration URLs](common/copy-configuration-urls.png)
### Create an Azure AD test user
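Review bot: The Reply URL pattern `https://n27.meraki.com/saml/login/m9ZEgb/< UNIQUE ID >` marks only the last path segment as a placeholder, so a reader can take the host `n27` and the segment `m9ZEgb` as fixed values. The note says the value is not real and a later step has the reader copy the whole Consumer URL from Meraki Dashboard, so either turn those parts into placeholders too or state that the entire URL comes from Meraki Dashboard; the spaces inside `< UNIQUE ID >` should also go. In the thumbprint step, the example `C2569F50A4AAEDBB8E` is 18 hex digits while a SHA-1 thumbprint has 40, so say that the example is shortened, and remove the stray space in "understand it .".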
In this section, you'll create a test user in the Azure portal called B.Simon.
1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**. 1. Select **New user** at the top of the screen. 1. In the **User** properties, follow these steps:
- 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **Name** field, enter `B.Simon`.
1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`. 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box. 1. Click **Create**.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen. 1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
- ![user role](./media/meraki-dashboard-tutorial/user-role.png)
+ ![user role](./media/meraki-dashboard-tutorial/user-role.png)
- > [!NOTE]
- > **Select a role** option will be disabled and default role is USER for selected user.
+ > [!NOTE]
+ > **Select a role** option will be disabled and default role is USER for selected user.
1. In the **Add Assignment** dialog, click the **Assign** button.
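Review bot: The note under the role step contradicts the step it annotates. The step says a role can be chosen from the **Select a role** dropdown, and the attribute table maps `https://dashboard.meraki.com/saml/attributes/role` to `user.assignedroles`, but the note says the **Select a role** option will be disabled and the default role is USER. If access in Meraki Dashboard depends on the assigned role, the note should say when the dropdown is disabled and what the reader has to do to assign a role; otherwise drop the note.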
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. To automate the configuration within Meraki Dashboard, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**.
- ![My apps extension](common/install-myappssecure-extension.png)
+ ![My apps extension](common/install-myappssecure-extension.png)
2. After adding extension to the browser, click on **Set up Meraki Dashboard** will direct you to the Meraki Dashboard application. From there, provide the admin credentials to sign into Meraki Dashboard. The browser extension will automatically configure the application for you and automate steps 3-7.
- ![Setup configuration](common/setup-sso.png)
+ ![Setup configuration](common/setup-sso.png)
3. If you want to setup Meraki Dashboard manually, in a different web browser window, sign in to your Meraki Dashboard company site as an administrator.
-1. Navigate to **Organization** -> **Settings**.
+4. Navigate to **Organization** -> **Settings**.
- ![Meraki Dashboard Settings tab](./media/meraki-dashboard-tutorial/configure-1.png)
+ ![Meraki Dashboard Settings tab](./media/meraki-dashboard-tutorial/configure-1.png)
-1. Under Authentication, change **SAML SSO** to **SAML SSO enabled**.
+5. Under Authentication, change **SAML SSO** to **SAML SSO enabled**.
- ![Meraki Dashboard Authentication](./media/meraki-dashboard-tutorial/configure-2.png)
+ ![Meraki Dashboard Authentication](./media/meraki-dashboard-tutorial/configure-2.png)
-1. Click **Add a SAML IdP**.
+6. Click **Add a SAML IdP**.
- ![Meraki Dashboard Add a SAML IdP](./media/meraki-dashboard-tutorial/configure-3.png)
+ ![Meraki Dashboard Add a SAML IdP](./media/meraki-dashboard-tutorial/configure-3.png)
-1. Paste the converted **Thumbprint** Value, which you have copied from the Azure portal and converted in specified format as mentioned in step 9 of previous section into **X.590 cert SHA1 fingerprint** textbox. Then click **Save**. After saving, the Consumer URL will show up. Copy Consumer URL value and paste this into **Reply URL** textbox in the **Basic SAML Configuration Section** in the Azure portal.
+7. Paste the converted **Thumbprint** Value, which you have copied from the Azure portal and converted in specified format as mentioned in step 9 of previous section into **X.590 cert SHA1 fingerprint** textbox. Then click **Save**. After saving, the Consumer URL will show up. Copy Consumer URL value and paste this into **Reply URL** textbox in the **Basic SAML Configuration Section** in the Azure portal.
- ![Meraki Dashboard Configuration](./media/meraki-dashboard-tutorial/configure-4.png)
+ ![Meraki Dashboard Configuration](./media/meraki-dashboard-tutorial/configure-4.png)
### Create Meraki Dashboard test user
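Review bot: Step 7 points the reader to "step 9 of previous section" for the thumbprint conversion, but the steps shown for that section are all written `1.`, so the reader has to count rendered items and the reference breaks as soon as a step is added or removed. Refer to the step by content instead, for example "the **Thumbprint Value** step under Configure Azure AD SSO". The explicit numbers 4 to 7 introduced here do line up with "automate steps 3-7" in step 2. Because this step is where Meraki Dashboard is given the fingerprint of the Azure AD signing certificate, it would help to add that the value has to be updated here if that certificate is replaced.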
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. Navigate to **Organization** -> **Administrators**.
- ![Meraki Dashboard Administrators](./media/meraki-dashboard-tutorial/user-1.png)
+ ![Meraki Dashboard Administrators](./media/meraki-dashboard-tutorial/user-1.png)
1. In the SAML administrator roles section, click the **Add SAML role** button.
- ![Meraki Dashboard Add SAML role button](./media/meraki-dashboard-tutorial/user-2.png)
+ ![Meraki Dashboard Add SAML role button](./media/meraki-dashboard-tutorial/user-2.png)
1. Enter the Role **meraki_full_admin**, mark **Organization access** as **Full** and click **Create role**. Repeat the process for **meraki_readonly_admin**, this time mark **Organization access** as **Read-only** box.
-
- ![Meraki Dashboard create user](./media/meraki-dashboard-tutorial/user-3.png)
-## Test SSO
+ ![Meraki Dashboard create user](./media/meraki-dashboard-tutorial/user-3.png)
-In this section, you test your Azure AD single sign-on configuration with following options.
+## Test SSO
-* Click on Test this application in Azure portal and you should be automatically signed in to the Meraki Dashboard for which you set up the SSO
+In this section, you test your Azure AD single sign-on configuration with following options.
-* You can use Microsoft My Apps. When you click the Meraki Dashboard tile in the My Apps, you should be automatically signed in to the Meraki Dashboard for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
+- Click on Test this application in Azure portal and you should be automatically signed in to the Meraki Dashboard for which you set up the SSO
+- You can use Microsoft My Apps. When you click the Meraki Dashboard tile in the My Apps, you should be automatically signed in to the Meraki Dashboard for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
active-directory Netskope Cloud Security Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/netskope-cloud-security-tutorial.md
Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Netskope Administrator Console | Microsoft Docs'
+ Title: "Tutorial: Azure Active Directory single sign-on (SSO) integration with Netskope Administrator Console | Microsoft Docs"
description: Learn how to configure single sign-on between Azure Active Directory and Netskope Administrator Console.
In this tutorial, you'll learn how to integrate Netskope Administrator Console with Azure Active Directory (Azure AD). When you integrate Netskope Administrator Console with Azure AD, you can:
-* Control in Azure AD who has access to Netskope Administrator Console.
-* Enable your users to be automatically signed-in to Netskope Administrator Console with their Azure AD accounts.
-* Manage your accounts in one central location - the Azure portal.
+- Control in Azure AD who has access to Netskope Administrator Console.
+- Enable your users to be automatically signed-in to Netskope Administrator Console with their Azure AD accounts.
+- Manage your accounts in one central location - the Azure portal.
## Prerequisites To get started, you need the following items:
-* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
-* Netskope Administrator Console single sign-on (SSO) enabled subscription.
+- An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+- Netskope Administrator Console single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Netskope Administrator Console supports **SP and IDP** initiated SSO.
+- Netskope Administrator Console supports **SP and IDP** initiated SSO.
> [!NOTE] > Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
Configure and test Azure AD SSO with Netskope Administrator Console using a test
To configure and test Azure AD SSO with Netskope Administrator Console, perform the following steps: 1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
- 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
- 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
1. **[Configure Netskope Administrator Console SSO](#configure-netskope-administrator-console-sso)** - to configure the single sign-on settings on application side.
- 1. **[Create Netskope Administrator Console test user](#create-netskope-administrator-console-test-user)** - to have a counterpart of B.Simon in Netskope Administrator Console that is linked to the Azure AD representation of user.
+ 1. **[Create Netskope Administrator Console test user](#create-netskope-administrator-console-test-user)** - to have a counterpart of B.Simon in Netskope Administrator Console that is linked to the Azure AD representation of user.
1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ## Configure Azure AD SSO
Follow these steps to enable Azure AD SSO in the Azure portal.
1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, enter the values for the following fields:
- In the **Reply URL** text box, type a URL using the following pattern:
- `https://<tenant_host_name>/saml/acs`
+ In the **Reply URL** text box, type a URL using the following pattern:
+ `https://<tenant_host_name>/saml/acs`
- > [!NOTE]
- > The value is not real. Update the value with the actual Reply URL. You will get the value explained later in the tutorial.
+ > [!NOTE]
+ > The value is not real. Update the value with the actual Reply URL. You will get the value explained later in the tutorial.
1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
- In the **Sign-on URL** text box, type a URL using the following pattern:
- `https://<tenantname>.goskope.com`
+ In the **Sign-on URL** text box, type a URL using the following pattern:
+ `https://<tenantname>.goskope.com`
- > [!NOTE]
- > The Sign-on URL values is not real. Update Sign-on URL value with the actual Sign-on URL. Contact [Netskope Administrator Console Client support team](mailto:support@netskope.com) to get Sign-on URL value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+ > [!NOTE]
+ > The Sign-on URL values is not real. Update Sign-on URL value with the actual Sign-on URL. Contact [Netskope Administrator Console Client support team](mailto:support@netskope.com) to get Sign-on URL value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
1. Netskope Administrator Console application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.
- ![image](common/default-attributes.png)
+ ![image](common/default-attributes.png)
1. In addition to above, Netskope Administrator Console application expects few more attributes to be passed back in SAML response which are shown below. These attributes are also pre populated but you can review them as per your requirements.
- | Name | Source Attribute|
- | | |
- | admin-role | user.assignedroles |
+ | Name | Source Attribute |
+ | - | |
+ | admin-role | user.assignedroles |
- > [!NOTE]
- > Click [here](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui--preview) to know how to create roles in Azure AD.
+ > [!NOTE]
+ > Click [here](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui) to know how to create roles in Azure AD.
-1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.
+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.
- ![The Certificate download link](common/certificatebase64.png)
+ ![The Certificate download link](common/certificatebase64.png)
1. On the **Set up Netskope Administrator Console** section, copy the appropriate URL(s) based on your requirement.
- ![Copy configuration URLs](common/copy-configuration-urls.png)
+ ![Copy configuration URLs](common/copy-configuration-urls.png)
### Create an Azure AD test user
In this section, you'll create a test user in the Azure portal called B.Simon.
1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**. 1. Select **New user** at the top of the screen. 1. In the **User** properties, follow these steps:
- 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **Name** field, enter `B.Simon`.
1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`. 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box. 1. Click **Create**.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. Click on the **Settings** tab from the left navigation pane.
- ![Screenshot shows Setting selected in the navigation pane.](./media/netskope-cloud-security-tutorial/configure-settings.png)
+ ![Screenshot shows Setting selected in the navigation pane.](./media/netskope-cloud-security-tutorial/configure-settings.png)
1. Click **Administration** tab.
- ![Screenshot shows Administration selected from Settings.](./media/netskope-cloud-security-tutorial/administration.png)
+ ![Screenshot shows Administration selected from Settings.](./media/netskope-cloud-security-tutorial/administration.png)
1. Click **SSO** tab.
- ![Screenshot shows S S O selected in Administration.](./media/netskope-cloud-security-tutorial/tab.png)
+ ![Screenshot shows S S O selected in Administration.](./media/netskope-cloud-security-tutorial/tab.png)
1. On the **Network Settings** section, perform the following steps:
-
- ![Screenshot shows Network Settings where you can enter the values described.](./media/netskope-cloud-security-tutorial/network.png)
- a. Copy **Assertion Consumer Service URL** value and paste it into the **Reply URL** textbox in the **Basic SAML Configuration** section in the Azure portal.
+ ![Screenshot shows Network Settings where you can enter the values described.](./media/netskope-cloud-security-tutorial/network.png)
- b. Copy **Service Provider Entity ID** value and paste it into the **Identifier** textbox in the **Basic SAML Configuration** section in the Azure portal.
+ a. Copy **Assertion Consumer Service URL** value and paste it into the **Reply URL** textbox in the **Basic SAML Configuration** section in the Azure portal.
+
+ b. Copy **Service Provider Entity ID** value and paste it into the **Identifier** textbox in the **Basic SAML Configuration** section in the Azure portal.
1. Click on the **EDIT SETTINGS** under the **SSO/SLO Settings** section.
- ![Screenshot shows S S O / S L O Settings where you can select EDIT SETTINGS.](./media/netskope-cloud-security-tutorial/settings.png)
+ ![Screenshot shows S S O / S L O Settings where you can select EDIT SETTINGS.](./media/netskope-cloud-security-tutorial/settings.png)
1. On the **Settings** popup window, perform the following steps;
- ![Screenshot shows the Settings dialog box where you can enter the values described.](./media/netskope-cloud-security-tutorial/configuration.png)
+ ![Screenshot shows the Settings dialog box where you can enter the values described.](./media/netskope-cloud-security-tutorial/configuration.png)
- a. Select **Enable SSO**.
+ a. Select **Enable SSO**.
- b. In the **IDP URL** textbox, paste the **Login URL** value, which you have copied from the Azure portal.
+ b. In the **IDP URL** textbox, paste the **Login URL** value, which you have copied from the Azure portal.
- c. In the **IDP ENTITY ID** textbox, paste the **Azure AD Identifier** value, which you have copied from the Azure portal.
+ c. In the **IDP ENTITY ID** textbox, paste the **Azure AD Identifier** value, which you have copied from the Azure portal.
- d. Open your downloaded Base64 encoded certificate in notepad, copy the content of it into your clipboard, and then paste it to the **IDP CERTIFICATE** textbox.
+ d. Open your downloaded Base64 encoded certificate in notepad, copy the content of it into your clipboard, and then paste it to the **IDP CERTIFICATE** textbox.
- e. Select **Enable SSO**.
+ e. Select **Enable SSO**.
- f. In the **IDP SLO URL** textbox, paste the **Logout URL** value, which you have copied from the Azure portal.
+ f. In the **IDP SLO URL** textbox, paste the **Logout URL** value, which you have copied from the Azure portal.
- g. Click **SUBMIT**.
+ g. Click **SUBMIT**.
### Create Netskope Administrator Console test user
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. Click on the **Settings** tab from the left navigation pane.
- ![Screenshot shows Settings selected.](./media/netskope-cloud-security-tutorial/configure-settings.png)
+ ![Screenshot shows Settings selected.](./media/netskope-cloud-security-tutorial/configure-settings.png)
1. Click **Active Platform** tab.
- ![Screenshot shows Active Platform selected from Settings.](./media/netskope-cloud-security-tutorial/user-1.png)
+ ![Screenshot shows Active Platform selected from Settings.](./media/netskope-cloud-security-tutorial/user-1.png)
1. Click **Users** tab.
- ![Screenshot shows Users selected from Active Platform.](./media/netskope-cloud-security-tutorial/add-user.png)
+ ![Screenshot shows Users selected from Active Platform.](./media/netskope-cloud-security-tutorial/add-user.png)
1. Click **ADD USERS**.
- ![Screenshot shows the Users dialog box where you can select ADD USERS.](./media/netskope-cloud-security-tutorial/user-add.png)
+ ![Screenshot shows the Users dialog box where you can select ADD USERS.](./media/netskope-cloud-security-tutorial/user-add.png)
1. Enter the email address of the user you want to add and click **ADD**.
- ![Screenshot shows Add Users where you can enter a list of users.](./media/netskope-cloud-security-tutorial/add-user-popup.png)
+ ![Screenshot shows Add Users where you can enter a list of users.](./media/netskope-cloud-security-tutorial/add-user-popup.png)
## Test SSO
-In this section, you test your Azure AD single sign-on configuration with following options.
+In this section, you test your Azure AD single sign-on configuration with following options.
#### SP initiated:
-* Click on **Test this application** in Azure portal. This will redirect to Netskope Administrator Console Sign on URL where you can initiate the login flow.
+- Click on **Test this application** in Azure portal. This will redirect to Netskope Administrator Console Sign on URL where you can initiate the login flow.
-* Go to Netskope Administrator Console Sign-on URL directly and initiate the login flow from there.
+- Go to Netskope Administrator Console Sign-on URL directly and initiate the login flow from there.
#### IDP initiated:
-* Click on **Test this application** in Azure portal and you should be automatically signed in to the Netskope Administrator Console for which you set up the SSO
+- Click on **Test this application** in Azure portal and you should be automatically signed in to the Netskope Administrator Console for which you set up the SSO
You can also use Microsoft My Apps to test the application in any mode. When you click the Netskope Administrator Console tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Netskope Administrator Console for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
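Review bot: In the **Settings** popup steps, step e reads "Select **Enable SSO**", which repeats step a word for word and sits directly before the **IDP SLO URL** field in step f, so it looks like it was meant to enable single logout rather than SSO a second time. This change only re-indents the line; please confirm the checkbox label in the Netskope console and correct step e in the same pass. Separately, the re-indented Sign-on URL note still reads "The Sign-on URL values is not real"; "value is" would match the Reply URL note above it.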
active-directory Printerlogic Saas Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/printerlogic-saas-tutorial.md
Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with PrinterLogic | Microsoft Docs'
+ Title: "Tutorial: Azure Active Directory single sign-on (SSO) integration with PrinterLogic | Microsoft Docs"
description: Learn how to configure single sign-on between Azure Active Directory and PrinterLogic.
In this tutorial, you'll learn how to integrate PrinterLogic with Azure Active Directory (Azure AD). When you integrate PrinterLogic with Azure AD, you can:
-* Control in Azure AD who has access to PrinterLogic.
-* Enable your users to be automatically signed-in to PrinterLogic with their Azure AD accounts.
-* Manage your accounts in one central location - the Azure portal.
+- Control in Azure AD who has access to PrinterLogic.
+- Enable your users to be automatically signed-in to PrinterLogic with their Azure AD accounts.
+- Manage your accounts in one central location - the Azure portal.
## Prerequisites To get started, you need the following items:
-* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
-* PrinterLogic single sign-on (SSO) enabled subscription.
+- An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+- PrinterLogic single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD SSO in a test environment.
-* PrinterLogic supports **SP and IDP** initiated SSO.
-* PrinterLogic supports **Just In Time** user provisioning.
+- PrinterLogic supports **SP and IDP** initiated SSO.
+- PrinterLogic supports **Just In Time** user provisioning.
## Add PrinterLogic from the gallery
Configure and test Azure AD SSO with PrinterLogic using a test user called **B.S
To configure and test Azure AD SSO with PrinterLogic, perform the following steps: 1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
- 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
- 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
1. **[Configure PrinterLogic SSO](#configure-printerlogic-sso)** - to configure the single sign-on settings on application side.
- 1. **[Create PrinterLogic test user](#create-printerlogic-test-user)** - to have a counterpart of B.Simon in PrinterLogic that is linked to the Azure AD representation of user.
+ 1. **[Create PrinterLogic test user](#create-printerlogic-test-user)** - to have a counterpart of B.Simon in PrinterLogic that is linked to the Azure AD representation of user.
1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ## Configure Azure AD SSO
Follow these steps to enable Azure AD SSO in the Azure portal.
1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, enter the values for the following fields:
- a. In the **Identifier** text box, type a URL using the following pattern:
- `https://gw.app.printercloud.com/<my_instance>/authn/idp/azuread/saml2/metadata`
+ a. In the **Identifier** text box, type a URL using the following pattern:
+ `https://gw.app.printercloud.com/<my_instance>/authn/idp/azuread/saml2/metadata`
- b. In the **Reply URL** text box, type a URL using the following pattern:
- `https://gw.app.printercloud.com/<my_instance>/authn/idp/azuread/saml2/acs`
+ b. In the **Reply URL** text box, type a URL using the following pattern:
+ `https://gw.app.printercloud.com/<my_instance>/authn/idp/azuread/saml2/acs`
1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
- In the **Sign-on URL** text box, type a URL using the following pattern:
- `https://www.<my_instance>printercloud.com`
+ In the **Sign-on URL** text box, type a URL using the following pattern:
+ `https://www.<my_instance>printercloud.com`
- > [!NOTE]
- > These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact [PrinterLogic Client support team](mailto:support@printerlogic.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+ > [!NOTE]
+ > These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact [PrinterLogic Client support team](mailto:support@printerlogic.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
1. PrinterLogic application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.
- ![image](common/edit-attribute.png)
+ ![image](common/edit-attribute.png)
1. In addition to above, PrinterLogic application expects few more attributes to be passed back in SAML response which are shown below. These attributes are also pre populated but you can review them as per your requirement.
- | Name | Source Attribute |
- | | |
- | Role | user.assignedroles |
+ | Name | Source Attribute |
+ | - | |
+ | Role | user.assignedroles |
- > [!NOTE]
- > Please click [here](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui--preview) to know how to configure Role in Azure AD.
+ > [!NOTE]
+ > Please click [here](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui) to know how to configure Role in Azure AD.
-1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.
+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.
- ![The Certificate download link](common/certificatebase64.png)
+ ![The Certificate download link](common/certificatebase64.png)
1. On the **Set up PrinterLogic** section, copy the appropriate URL(s) based on your requirement.
- ![Copy configuration URLs](common/copy-configuration-urls.png)
+ ![Copy configuration URLs](common/copy-configuration-urls.png)
### Create an Azure AD test user
In this section, you'll create a test user in the Azure portal called B.Simon.
1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**. 1. Select **New user** at the top of the screen. 1. In the **User** properties, follow these steps:
- 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **Name** field, enter `B.Simon`.
1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`. 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box. 1. Click **Create**.
To configure single sign-on on **PrinterLogic** side, you need to send the downl
In this section, a user called Britta Simon is created in PrinterLogic. PrinterLogic supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in PrinterLogic, a new one is created after authentication.
-## Test SSO
+## Test SSO
-In this section, you test your Azure AD single sign-on configuration with following options.
+In this section, you test your Azure AD single sign-on configuration with following options.
#### SP initiated:
-* Click on **Test this application** in Azure portal. This will redirect to PrinterLogic Sign on URL where you can initiate the login flow.
+- Click on **Test this application** in Azure portal. This will redirect to PrinterLogic Sign on URL where you can initiate the login flow.
-* Go to PrinterLogic Sign-on URL directly and initiate the login flow from there.
+- Go to PrinterLogic Sign-on URL directly and initiate the login flow from there.
#### IDP initiated:
-* Click on **Test this application** in Azure portal and you should be automatically signed in to the PrinterLogic for which you set up the SSO.
+- Click on **Test this application** in Azure portal and you should be automatically signed in to the PrinterLogic for which you set up the SSO.
You can also use Microsoft My Apps to test the application in any mode. When you click the PrinterLogic tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the PrinterLogic for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
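Review bot: The **Sign-on URL** pattern `https://www.<my_instance>printercloud.com` has no separator between the placeholder and `printercloud.com`, while the Identifier and Reply URL patterns in the previous step put `<my_instance>` in the path under `gw.app.printercloud.com`. As written, a reader cannot tell whether the instance name is a host label, a prefix of the domain name, or something else. Since the line is being re-indented anyway, confirm the real form with PrinterLogic and write the pattern so the boundary between placeholder and domain is explicit.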
active-directory Prodpad Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/prodpad-tutorial.md
Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with ProdPad | Microsoft Docs'
+ Title: "Tutorial: Azure Active Directory single sign-on (SSO) integration with ProdPad | Microsoft Docs"
description: Learn how to configure single sign-on between Azure Active Directory and ProdPad.
Last updated 12/18/2020 - # Tutorial: Azure Active Directory single sign-on (SSO) integration with ProdPad In this tutorial, you'll learn how to integrate ProdPad with Azure Active Directory (Azure AD). When you integrate ProdPad with Azure AD, you can:
-* Control in Azure AD who has access to ProdPad.
-* Enable your users to be automatically signed-in to ProdPad with their Azure AD accounts.
-* Manage your accounts in one central location - the Azure portal.
+- Control in Azure AD who has access to ProdPad.
+- Enable your users to be automatically signed-in to ProdPad with their Azure AD accounts.
+- Manage your accounts in one central location - the Azure portal.
## Prerequisites To get started, you need the following items:
-* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
-* ProdPad single sign-on (SSO) enabled subscription.
+- An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+- ProdPad single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD SSO in a test environment.
-* ProdPad supports **SP and IDP** initiated SSO
-* ProdPad supports **Just In Time** user provisioning
+- ProdPad supports **SP and IDP** initiated SSO
+- ProdPad supports **Just In Time** user provisioning
## Adding ProdPad from the gallery
To configure the integration of ProdPad into Azure AD, you need to add ProdPad f
1. In the **Add from the gallery** section, type **ProdPad** in the search box. 1. Select **ProdPad** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. - ## Configure and test Azure AD SSO for ProdPad Configure and test Azure AD SSO with ProdPad using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in ProdPad.
Configure and test Azure AD SSO with ProdPad using a test user called **B.Simon*
To configure and test Azure AD SSO with ProdPad, perform the following steps: 1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
- 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
- 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
1. **[Configure ProdPad SSO](#configure-prodpad-sso)** - to configure the single sign-on settings on application side.
- 1. **[Create ProdPad test user](#create-prodpad-test-user)** - to have a counterpart of B.Simon in ProdPad that is linked to the Azure AD representation of user.
+ 1. **[Create ProdPad test user](#create-prodpad-test-user)** - to have a counterpart of B.Simon in ProdPad that is linked to the Azure AD representation of user.
1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ## Configure Azure AD SSO
Follow these steps to enable Azure AD SSO in the Azure portal.
1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
- In the **Sign-on URL** text box, type the URL:
- `https://app.prodpad.com/login`
+ In the **Sign-on URL** text box, type the URL:
+ `https://app.prodpad.com/login`
1. Click **Save**. 1. ProdPad application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.
- ![image](common/default-attributes.png)
+ ![image](common/default-attributes.png)
1. In addition to above, ProdPad application expects few more attributes to be passed back in SAML response which are shown below. These attributes are also pre populated but you can review them as per your requirements.
-
- | Name | Source Attribute|
- | - | |
- | User.FirstName | user.givenname |
- | User.LastName | user.surname |
- | User.ProdpadRole | user.assignedroles |
- > [!NOTE]
- > ProdPad expects roles for users assigned to the application. Please set up these roles in Azure AD so that users can be assigned the appropriate roles. To understand how to configure roles in Azure AD, see [here](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui--preview).
+ | Name | Source Attribute |
+ | - | |
+ | User.FirstName | user.givenname |
+ | User.LastName | user.surname |
+ | User.ProdpadRole | user.assignedroles |
+
+ > [!NOTE]
+ > ProdPad expects roles for users assigned to the application. Please set up these roles in Azure AD so that users can be assigned the appropriate roles. To understand how to configure roles in Azure AD, see [here](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui).
-1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.
+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.
- ![The Certificate download link](common/certificatebase64.png)
+ ![The Certificate download link](common/certificatebase64.png)
1. On the **Set up ProdPad** section, copy the appropriate URL(s) based on your requirement.
- ![Copy configuration URLs](common/copy-configuration-urls.png)
+ ![Copy configuration URLs](common/copy-configuration-urls.png)
+ ### Create an Azure AD test user In this section, you'll create a test user in the Azure portal called B.Simon.
In this section, you'll create a test user in the Azure portal called B.Simon.
1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**. 1. Select **New user** at the top of the screen. 1. In the **User** properties, follow these steps:
- 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **Name** field, enter `B.Simon`.
1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`. 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box. 1. Click **Create**.
To configure single sign-on on **ProdPad** side, you need to send the downloaded
In this section, a user called Britta Simon is created in ProdPad. ProdPad supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in ProdPad, a new one is created after authentication.
-## Test SSO
+## Test SSO
-In this section, you test your Azure AD single sign-on configuration with following options.
+In this section, you test your Azure AD single sign-on configuration with following options.
#### SP initiated:
-* Click on **Test this application** in Azure portal. This will redirect to ProdPad Sign on URL where you can initiate the login flow.
+- Click on **Test this application** in Azure portal. This will redirect to ProdPad Sign on URL where you can initiate the login flow.
-* Go to ProdPad Sign-on URL directly and initiate the login flow from there.
+- Go to ProdPad Sign-on URL directly and initiate the login flow from there.
#### IDP initiated:
-* Click on **Test this application** in Azure portal and you should be automatically signed in to the ProdPad for which you set up the SSO
+- Click on **Test this application** in Azure portal and you should be automatically signed in to the ProdPad for which you set up the SSO
You can also use Microsoft Access Panel to test the application in any mode. When you click the ProdPad tile in the Access Panel, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the ProdPad for which you set up the SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md). - ## Next steps Once you configure ProdPad you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
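Review bot: The closing paragraph of **Test SSO** still says "Microsoft Access Panel" and "Introduction to the Access Panel", while the Netskope and PrinterLogic tutorials in this same update say "Microsoft My Apps" and link the same `my-apps-portal-end-user-access.md` page. The bullets of this section are edited here, so bring the paragraph in line with them in the same change. The two **Scenario description** bullets and the IDP-initiated bullet also end without a period, unlike their PrinterLogic counterparts.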
active-directory Servicechannel Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/servicechannel-tutorial.md
Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with ServiceChannel | Microsoft Docs'
+ Title: "Tutorial: Azure Active Directory single sign-on (SSO) integration with ServiceChannel | Microsoft Docs"
description: Learn how to configure single sign-on between Azure Active Directory and ServiceChannel.
In this tutorial, you'll learn how to integrate ServiceChannel with Azure Active Directory (Azure AD). When you integrate ServiceChannel with Azure AD, you can:
-* Control in Azure AD who has access to ServiceChannel.
-* Enable your users to be automatically signed-in to ServiceChannel with their Azure AD accounts.
-* Manage your accounts in one central location - the Azure portal.
+- Control in Azure AD who has access to ServiceChannel.
+- Enable your users to be automatically signed-in to ServiceChannel with their Azure AD accounts.
+- Manage your accounts in one central location - the Azure portal.
## Prerequisites To get started, you need the following items:
-* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
-* ServiceChannel single sign-on (SSO) enabled subscription.
+- An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+- ServiceChannel single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD SSO in a test environment.
-* ServiceChannel supports **IDP** initiated SSO
-* ServiceChannel supports **Just In Time** user provisioning
+- ServiceChannel supports **IDP** initiated SSO
+- ServiceChannel supports **Just In Time** user provisioning
## Adding ServiceChannel from the gallery
Configure and test Azure AD SSO with ServiceChannel using a test user called **B
To configure and test Azure AD SSO with ServiceChannel, perform the following steps: 1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
- 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
- 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
1. **[Configure ServiceChannel SSO](#configure-servicechannel-sso)** - to configure the single sign-on settings on application side.
- 1. **[Create ServiceChannel test user](#create-servicechannel-test-user)** - to have a counterpart of B.Simon in ServiceChannel that is linked to the Azure AD representation of user.
+ 1. **[Create ServiceChannel test user](#create-servicechannel-test-user)** - to have a counterpart of B.Simon in ServiceChannel that is linked to the Azure AD representation of user.
1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ## Configure Azure AD SSO
Follow these steps to enable Azure AD SSO in the Azure portal.
1. On the **Set up single sign-on with SAML** page, enter the values for the following fields:
- a. In the **Identifier** text box, type the value as:
- `http://adfs.<domain>.com/adfs/service/trust`
+ a. In the **Identifier** text box, type the value as:
+ `http://adfs.<domain>.com/adfs/service/trust`
- b. In the **Reply URL** text box, type a URL using the following pattern:
- `https://<customer domain>.servicechannel.com/saml/acs`
+ b. In the **Reply URL** text box, type a URL using the following pattern:
+ `https://<customer domain>.servicechannel.com/saml/acs`
- > [!NOTE]
- > These values are not real. Update these values with the actual Identifier and Reply URL. Here we suggest you to use the unique value of string in the Identifier. Contact [ServiceChannel Client support team](https://servicechannel.zendesk.com/hc/) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+ > [!NOTE]
+ > These values are not real. Update these values with the actual Identifier and Reply URL. Here we suggest you to use the unique value of string in the Identifier. Contact [ServiceChannel Client support team](https://servicechannel.zendesk.com/hc/) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
-1. The role claim is pre-configured so you don't have to configure it but you still need to create them in Azure AD using this [article](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui--preview). You can refer ServiceChannel guide [here](https://servicechannel.zendesk.com/hc/articles/217514326-Azure-AD-Configuration-Example) for more guidance on claims.
+1. The role claim is pre-configured so you don't have to configure it but you still need to create them in Azure AD using this [article](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui). You can refer ServiceChannel guide [here](https://servicechannel.zendesk.com/hc/articles/217514326-Azure-AD-Configuration-Example) for more guidance on claims.
-1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.
+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.
- ![The Certificate download link](common/certificatebase64.png)
+ ![The Certificate download link](common/certificatebase64.png)
1. On the **Set up ServiceChannel** section, copy the appropriate URL(s) based on your requirement.
- ![Copy configuration URLs](common/copy-configuration-urls.png)
+ ![Copy configuration URLs](common/copy-configuration-urls.png)
### Create an Azure AD test user
In this section, you'll create a test user in the Azure portal called B.Simon.
1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**. 1. Select **New user** at the top of the screen. 1. In the **User** properties, follow these steps:
- 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **Name** field, enter `B.Simon`.
1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`. 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box. 1. Click **Create**.
Application supports Just in time user provisioning and after authentication use
In this section, you test your Azure AD single sign-on configuration with following options.
-* Click on Test this application in Azure portal and you should be automatically signed in to the ServiceChannel for which you set up the SSO
-
-* You can use Microsoft My Apps. When you click the ServiceChannel tile in the My Apps, you should be automatically signed in to the ServiceChannel for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
+- Click on Test this application in Azure portal and you should be automatically signed in to the ServiceChannel for which you set up the SSO
+- You can use Microsoft My Apps. When you click the ServiceChannel tile in the My Apps, you should be automatically signed in to the ServiceChannel for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
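Review bot: The role-claim step ("1. The role claim is pre-configured so you don't have to configure it but you still need to create them in Azure AD ...") gets only its link anchor updated to `#app-roles-ui`, and the wording problems stay. "create them" has no plural antecedent, and "You can refer ServiceChannel guide" is missing "to the". Since the line is already being touched, suggest "you still need to create the roles in Azure AD" and "refer to the ServiceChannel guide". The NOTE sentence "Here we suggest you to use the unique value of string in the Identifier" is also hard to follow and could say plainly that the Identifier must be a unique string. In the Test SSO list, the first bullet leaves "Test this application" unbolded, unlike the same bullet in the Shmoop For Schools and TeamzSkill tutorials in this batch.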
active-directory Shmoopforschools Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/shmoopforschools-tutorial.md
Title: 'Tutorial: Azure Active Directory integration with Shmoop For Schools | Microsoft Docs'
+ Title: "Tutorial: Azure Active Directory integration with Shmoop For Schools | Microsoft Docs"
description: Learn how to configure single sign-on between Azure Active Directory and Shmoop For Schools.
In this tutorial, you'll learn how to integrate Shmoop For Schools with Azure Active Directory (Azure AD). When you integrate Shmoop For Schools with Azure AD, you can:
-* Control in Azure AD who has access to Shmoop For Schools.
-* Enable your users to be automatically signed-in to Shmoop For Schools with their Azure AD accounts.
-* Manage your accounts in one central location - the Azure portal.
+- Control in Azure AD who has access to Shmoop For Schools.
+- Enable your users to be automatically signed-in to Shmoop For Schools with their Azure AD accounts.
+- Manage your accounts in one central location - the Azure portal.
## Prerequisites To get started, you need the following items:
-* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
-* Shmoop For Schools single sign-on (SSO) enabled subscription.
+- An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+- Shmoop For Schools single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Shmoop For Schools supports **SP** initiated SSO
-* Shmoop For Schools supports **Just In Time** user provisioning
+- Shmoop For Schools supports **SP** initiated SSO
+- Shmoop For Schools supports **Just In Time** user provisioning
## Adding Shmoop For Schools from the gallery
Configure and test Azure AD SSO with Shmoop For Schools using a test user called
To configure and test Azure AD SSO with Shmoop For Schools, perform the following steps: 1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
- 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
- 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
2. **[Configure Shmoop For Schools SSO](#configure-shmoop-for-schools-sso)** - to configure the Single Sign-On settings on application side.
- 1. **[Create Shmoop For Schools test user](#create-shmoop-for-schools-test-user)** - to have a counterpart of B.Simon in Shmoop For Schools that is linked to the Azure AD representation of user.
+ 1. **[Create Shmoop For Schools test user](#create-shmoop-for-schools-test-user)** - to have a counterpart of B.Simon in Shmoop For Schools that is linked to the Azure AD representation of user.
3. **[Test SSO](#test-sso)** - to verify whether the configuration works. ## Configure Azure AD SSO
Follow these steps to enable Azure AD SSO in the Azure portal.
1. On the **Basic SAML Configuration** section, perform the following steps:
- a. In the **Sign on URL** text box, type a URL using the following pattern:
- `https://schools.shmoop.com/public-api/saml2/start/<uniqueid>`
+ a. In the **Sign on URL** text box, type a URL using the following pattern:
+ `https://schools.shmoop.com/public-api/saml2/start/<uniqueid>`
- b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
- `https://schools.shmoop.com/<uniqueid>`
+ b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
+ `https://schools.shmoop.com/<uniqueid>`
- > [!NOTE]
- > These values are not real. Update these values with the actual Sign on URL and Identifier. Contact [Shmoop For Schools Client support team](mailto:support@shmoop.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+ > [!NOTE]
+ > These values are not real. Update these values with the actual Sign on URL and Identifier. Contact [Shmoop For Schools Client support team](mailto:support@shmoop.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
1. Shmoop For Schools application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.
- ![image](common/default-attributes.png)
+ ![image](common/default-attributes.png)
1. In addition to above, Shmoop For Schools application expects few more attributes to be passed back in SAML response which are shown below. These attributes are also pre populated but you can review them as per your requirements.
- | Name | Source Attribute|
- | | |
- | role | user.assignedroles |
+ | Name | Source Attribute |
+ | - | |
+ | role | user.assignedroles |
- > [!NOTE]
- > Shmoop for School supports two roles for users: **Teacher** and **Student**. Set up these roles in Azure AD so that users can be assigned the appropriate roles. To understand how to configure roles in Azure AD, see [here](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui--preview).
+ > [!NOTE]
+ > Shmoop for School supports two roles for users: **Teacher** and **Student**. Set up these roles in Azure AD so that users can be assigned the appropriate roles. To understand how to configure roles in Azure AD, see [here](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui).
1. On the **Set up Single Sign-On with SAML** page, In the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer.
- ![The Certificate download link](common/copy-metadataurl.png)
+ ![The Certificate download link](common/copy-metadataurl.png)
### Create an Azure AD test user
In this section, you'll create a test user in the Azure portal called B.Simon.
1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**. 1. Select **New user** at the top of the screen. 1. In the **User** properties, follow these steps:
- 1. In the **Name** field, enter `B.Simon`.
- 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
- 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
- 1. Click **Create**.
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
### Assign the Azure AD test user
In this section, a user called B.Simon is created in Shmoop For Schools. Shmoop
## Test SSO
-In this section, you test your Azure AD single sign-on configuration with following options.
+In this section, you test your Azure AD single sign-on configuration with following options.
-* Click on **Test this application** in Azure portal. This will redirect to Shmoop For Schools Sign-on URL where you can initiate the login flow.
+- Click on **Test this application** in Azure portal. This will redirect to Shmoop For Schools Sign-on URL where you can initiate the login flow.
-* Go to Shmoop For Schools Sign-on URL directly and initiate the login flow from there.
-
-* You can use Microsoft My Apps. When you click the Shmoop For Schools tile in the My Apps, this will redirect to Shmoop For Schools Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
+- Go to Shmoop For Schools Sign-on URL directly and initiate the login flow from there.
+- You can use Microsoft My Apps. When you click the Shmoop For Schools tile in the My Apps, this will redirect to Shmoop For Schools Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
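Review bot: The NOTE under the attribute table still says "Shmoop for School supports two roles for users" while every other line in the article names the product "Shmoop For Schools". The line is being rewritten for indentation and the `#app-roles-ui` anchor anyway, so the name should be corrected in the same change. The image line for `common/copy-metadataurl.png` keeps the alt text "The Certificate download link", but the step it illustrates copies the **App Federation Metadata Url**, so the alt text should describe that. The top-level steps also mix `1.` with explicit `2.` and `3.` numbering; pick one style.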
active-directory Teamzskill Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/teamzskill-tutorial.md
Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with TeamzSkill | Microsoft Docs'
+ Title: "Tutorial: Azure Active Directory single sign-on (SSO) integration with TeamzSkill | Microsoft Docs"
description: Learn how to configure single sign-on between Azure Active Directory and TeamzSkill.
In this tutorial, you'll learn how to integrate TeamzSkill with Azure Active Directory (Azure AD). When you integrate TeamzSkill with Azure AD, you can:
-* Control in Azure AD who has access to TeamzSkill.
-* Enable your users to be automatically signed-in to TeamzSkill with their Azure AD accounts.
-* Manage your accounts in one central location - the Azure portal.
+- Control in Azure AD who has access to TeamzSkill.
+- Enable your users to be automatically signed-in to TeamzSkill with their Azure AD accounts.
+- Manage your accounts in one central location - the Azure portal.
## Prerequisites To get started, you need the following items:
-* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
-* TeamzSkill single sign-on (SSO) enabled subscription.
+- An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+- TeamzSkill single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD SSO in a test environment.
-* TeamzSkill supports **SP and IDP** initiated SSO
-* TeamzSkill supports **Just In Time** user provisioning
+- TeamzSkill supports **SP and IDP** initiated SSO
+- TeamzSkill supports **Just In Time** user provisioning
## Adding TeamzSkill from the gallery
To configure the integration of TeamzSkill into Azure AD, you need to add TeamzS
1. In the **Add from the gallery** section, type **TeamzSkill** in the search box. 1. Select **TeamzSkill** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. - ## Configure and test Azure AD SSO for TeamzSkill Configure and test Azure AD SSO with TeamzSkill using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in TeamzSkill.
Configure and test Azure AD SSO with TeamzSkill using a test user called **B.Sim
To configure and test Azure AD SSO with TeamzSkill, perform the following steps: 1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
- 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
- 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
1. **[Configure TeamzSkill SSO](#configure-teamzskill-sso)** - to configure the single sign-on settings on application side.
- 1. **[Create TeamzSkill test user](#create-teamzskill-test-user)** - to have a counterpart of B.Simon in TeamzSkill that is linked to the Azure AD representation of user.
+ 1. **[Create TeamzSkill test user](#create-teamzskill-test-user)** - to have a counterpart of B.Simon in TeamzSkill that is linked to the Azure AD representation of user.
1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ## Configure Azure AD SSO
Follow these steps to enable Azure AD SSO in the Azure portal.
1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, enter the values for the following fields:
- a. In the **Identifier** text box, type a URL using the following pattern:
- `https://<CUSTOMER_SUBDOMAIN>.teamzskill.com/login/callback`
+ a. In the **Identifier** text box, type a URL using the following pattern:
+ `https://<CUSTOMER_SUBDOMAIN>.teamzskill.com/login/callback`
- b. In the **Reply URL** text box, type a URL using the following pattern:
- `https://<CUSTOMER_SUBDOMAIN>.teamzskill.com/login/callback`
+ b. In the **Reply URL** text box, type a URL using the following pattern:
+ `https://<CUSTOMER_SUBDOMAIN>.teamzskill.com/login/callback`
1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
- In the **Sign-on URL** text box, type a URL using the following pattern:
- `https://<CUSTOMER_SUBDOMAIN>.teamzskill.com/login/callback`
+ In the **Sign-on URL** text box, type a URL using the following pattern:
+ `https://<CUSTOMER_SUBDOMAIN>.teamzskill.com/login/callback`
- > [!NOTE]
- > These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact [TeamzSkill Client support team](mailto:support@teamzskill.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+ > [!NOTE]
+ > These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact [TeamzSkill Client support team](mailto:support@teamzskill.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
1. TeamzSkill application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.
- ![image](common/default-attributes.png)
+ ![image](common/default-attributes.png)
1. In addition to above, TeamzSkill application expects few more attributes to be passed back in SAML response, which are shown below. These attributes are also pre populated but you can review them as per your requirements.
-
- | Name | Source Attribute|
- | | |
- | Firstname | user.givenname |
- | Lastname | user.surname |
- | jobtitle | user.jobtitle |
- | department | user.department |
- | employeeid | user.employeeid |
- | postalcode | user.postalcode |
- | country | user.country |
- | role | user.assignedroles |
- > [!NOTE]
- > TeamzSkill expects roles for users assigned to the application. Please set up these roles in Azure AD so that users can be assigned the appropriate roles. To understand how to configure roles in Azure AD, see [here](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui--preview).
+ | Name | Source Attribute |
+ | - | |
+ | Firstname | user.givenname |
+ | Lastname | user.surname |
+ | jobtitle | user.jobtitle |
+ | department | user.department |
+ | employeeid | user.employeeid |
+ | postalcode | user.postalcode |
+ | country | user.country |
+ | role | user.assignedroles |
+
+ > [!NOTE]
+ > TeamzSkill expects roles for users assigned to the application. Please set up these roles in Azure AD so that users can be assigned the appropriate roles. To understand how to configure roles in Azure AD, see [here](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui).
-1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.
+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.
- ![The Certificate download link](common/metadataxml.png)
+ ![The Certificate download link](common/metadataxml.png)
1. On the **Set up TeamzSkill** section, copy the appropriate URL(s) based on your requirement.
- ![Copy configuration URLs](common/copy-configuration-urls.png)
+ ![Copy configuration URLs](common/copy-configuration-urls.png)
### Create an Azure AD test user
In this section, you'll create a test user in the Azure portal called B.Simon.
1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**. 1. Select **New user** at the top of the screen. 1. In the **User** properties, follow these steps:
- 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **Name** field, enter `B.Simon`.
1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`. 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box. 1. Click **Create**.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. click on user Profile Icon, then select **Company settings**.
- ![Company settings in Teamzskill](./media/teamzskill-tutorial/settings.png)
+ ![Company settings in Teamzskill](./media/teamzskill-tutorial/settings.png)
1. Perform the following steps in **Settings** page.
- ![settings in Teamzskill](./media/teamzskill-tutorial/metadata.png)
+ ![settings in Teamzskill](./media/teamzskill-tutorial/metadata.png)
- a. Navigate to **Company > Single Sign-On**, then select the **Metadata Upload** tab.
+ a. Navigate to **Company > Single Sign-On**, then select the **Metadata Upload** tab.
- b. Paste the **Federation Metadata XML** Value, which you have copied from the Azure portal into **XML Metadata** field.
-
- c. Then click **Save**.
+ b. Paste the **Federation Metadata XML** Value, which you have copied from the Azure portal into **XML Metadata** field.
+
+ c. Then click **Save**.
### Create TeamzSkill test user In this section, a user called B.Simon is created in TeamzSkill. TeamzSkill supports just-in-time provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in TeamzSkill, a new one is created when you attempt to access TeamzSkill.
-## Test SSO
+## Test SSO
-In this section, you test your Azure AD single sign-on configuration with following options.
+In this section, you test your Azure AD single sign-on configuration with following options.
#### SP initiated:
-* Click on **Test this application** in Azure portal. This will redirect to TeamzSkill Sign on URL where you can initiate the login flow.
+- Click on **Test this application** in Azure portal. This will redirect to TeamzSkill Sign on URL where you can initiate the login flow.
-* Go to TeamzSkill Sign-on URL directly and initiate the login flow from there.
+- Go to TeamzSkill Sign-on URL directly and initiate the login flow from there.
#### IDP initiated:
-* Click on **Test this application** in Azure portal and you should be automatically signed in to the TeamzSkill for which you set up the SSO
+- Click on **Test this application** in Azure portal and you should be automatically signed in to the TeamzSkill for which you set up the SSO
You can also use Microsoft Access Panel to test the application in any mode. When you click the TeamzSkill tile in the Access Panel, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the TeamzSkill for which you set up the SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md). - ## Next steps Once you configure TeamzSkill you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
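Review bot: The re-indented step "find **Federation Metadata XML** and select **Download** to download the certificate" describes the wrong artifact, and it disagrees with step b later in the file ("Paste the **Federation Metadata XML** Value, which you have copied from the Azure portal"). The item is a metadata file that is downloaded, not a certificate that is copied. Suggest "select **Download** to download the metadata file" and, in step b, "paste the contents of the downloaded **Federation Metadata XML** file". The Identifier, Reply URL and Sign-on URL patterns are all `https://<CUSTOMER_SUBDOMAIN>.teamzskill.com/login/callback`; confirm that the Identifier and Sign-on URL are really meant to equal the callback endpoint. The unchanged closing paragraph still refers to "Microsoft Access Panel" while the other tutorials in this batch say "My Apps".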
active-directory Tickitlms Learn Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/tickitlms-learn-tutorial.md
Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with TickitLMS Learn | Microsoft Docs'
+ Title: "Tutorial: Azure Active Directory single sign-on (SSO) integration with TickitLMS Learn | Microsoft Docs"
description: Learn how to configure single sign-on between Azure Active Directory and TickitLMS Learn.
In this tutorial, you'll learn how to integrate TickitLMS Learn with Azure Active Directory (Azure AD). When you integrate TickitLMS Learn with Azure AD, you can:
-* Control in Azure AD who has access to TickitLMS Learn.
-* Enable your users to be automatically signed-in to TickitLMS Learn with their Azure AD accounts.
-* Manage your accounts in one central location - the Azure portal.
+- Control in Azure AD who has access to TickitLMS Learn.
+- Enable your users to be automatically signed-in to TickitLMS Learn with their Azure AD accounts.
+- Manage your accounts in one central location - the Azure portal.
## Prerequisites To get started, you need the following items:
-* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
-* TickitLMS Learn single sign-on (SSO) enabled subscription.
+- An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+- TickitLMS Learn single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD SSO in a test environment.
-* TickitLMS Learn supports **SP and IDP** initiated SSO
+- TickitLMS Learn supports **SP and IDP** initiated SSO
## Adding TickitLMS Learn from the gallery
To configure the integration of TickitLMS Learn into Azure AD, you need to add T
1. In the **Add from the gallery** section, type **TickitLMS Learn** in the search box. 1. Select **TickitLMS Learn** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. - ## Configure and test Azure AD SSO for TickitLMS Learn Configure and test Azure AD SSO with TickitLMS Learn using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in TickitLMS Learn.
Configure and test Azure AD SSO with TickitLMS Learn using a test user called **
To configure and test Azure AD SSO with TickitLMS Learn, perform the following steps: 1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
- 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
- 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
1. **[Configure TickitLMS Learn SSO](#configure-tickitlms-learn-sso)** - to configure the single sign-on settings on application side.
- 1. **[Create TickitLMS Learn test user](#create-tickitlms-learn-test-user)** - to have a counterpart of B.Simon in TickitLMS Learn that is linked to the Azure AD representation of user.
+ 1. **[Create TickitLMS Learn test user](#create-tickitlms-learn-test-user)** - to have a counterpart of B.Simon in TickitLMS Learn that is linked to the Azure AD representation of user.
1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ## Configure Azure AD SSO
Follow these steps to enable Azure AD SSO in the Azure portal.
1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
- In the **Sign-on URL** text box, type the URL:
- `https:/learn.tickitlms.com/sso/login`
+ In the **Sign-on URL** text box, type the URL:
+ `https:/learn.tickitlms.com/sso/login`
1. Click **Save**. 1. TickitLMS Learn application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.
- ![image](common/default-attributes.png)
+ ![image](common/default-attributes.png)
1. In addition to above, TickitLMS Learn application expects few more attributes to be passed back in SAML response which are shown below. These attributes are also pre populated but you can review them as per your requirements.
-
- | Name | Source Attribute|
- | - | |
- | samlaccount | user.samlaccount |
- | employeeid | user.employeeid |
- | role | user.role |
- | department | user.department |
- | reportsto | user.reportsto |
-
- > [!NOTE]
- > TickitLMS Learn expects roles for users assigned to the application. Please set up these roles in Azure AD so that users can be assigned the appropriate roles. To understand how to configure roles in Azure AD, see [here](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui--preview).
+
+ | Name | Source Attribute |
+ | -- | - |
+ | samlaccount | user.samlaccount |
+ | employeeid | user.employeeid |
+ | role | user.role |
+ | department | user.department |
+ | reportsto | user.reportsto |
+
+ > [!NOTE]
+ > TickitLMS Learn expects roles for users assigned to the application. Please set up these roles in Azure AD so that users can be assigned the appropriate roles. To understand how to configure roles in Azure AD, see [here](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui).
1. On the **Set up single sign-on with SAML** page, In the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer.
- ![The Certificate download link](common/copy-metadataurl.png)
+ ![The Certificate download link](common/copy-metadataurl.png)
+ ### Create an Azure AD test user In this section, you'll create a test user in the Azure portal called B.Simon.
In this section, you'll create a test user in the Azure portal called B.Simon.
1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**. 1. Select **New user** at the top of the screen. 1. In the **User** properties, follow these steps:
- 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **Name** field, enter `B.Simon`.
1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`. 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box. 1. Click **Create**.
To configure single sign-on on **TickitLMS Learn** side, you need to send the **
In this section, you create a user called Britta Simon in TickitLMS Learn. Work with [TickitLMS Learn support team](mailto:support@tickitlms.com) to add the users in the TickitLMS Learn platform. Users must be created and activated before you use single sign-on.
-## Test SSO
+## Test SSO
-In this section, you test your Azure AD single sign-on configuration with following options.
+In this section, you test your Azure AD single sign-on configuration with following options.
#### SP initiated:
-* Click on **Test this application** in Azure portal. This will redirect to TickitLMS Learn Sign on URL where you can initiate the login flow.
+- Click on **Test this application** in Azure portal. This will redirect to TickitLMS Learn Sign on URL where you can initiate the login flow.
-* Go to TickitLMS Learn Sign-on URL directly and initiate the login flow from there.
+- Go to TickitLMS Learn Sign-on URL directly and initiate the login flow from there.
#### IDP initiated:
-* Click on **Test this application** in Azure portal and you should be automatically signed in to the TickitLMS Learn for which you set up the SSO
+- Click on **Test this application** in Azure portal and you should be automatically signed in to the TickitLMS Learn for which you set up the SSO
You can also use Microsoft My Apps to test the application in any mode. When you click the TickitLMS Learn tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the TickitLMS Learn for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md). - ## Next steps Once you configure TickitLMS Learn you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory Zscaler Beta Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/zscaler-beta-tutorial.md
Title: 'Tutorial: Azure Active Directory integration with Zscaler Beta | Microsoft Docs'
+ Title: "Tutorial: Azure Active Directory integration with Zscaler Beta | Microsoft Docs"
description: Learn how to configure single sign-on between Azure Active Directory and Zscaler Beta.
Last updated 12/18/2020 + # Tutorial: Azure Active Directory integration with Zscaler Beta In this tutorial, you learn how to integrate Zscaler Beta with Azure Active Directory (Azure AD). When you integrate Zscaler Beta with Azure AD, you can:
-* Control in Azure AD who has access to Zscaler Beta.
-* Allow your users to be automatically signed in to Zscaler Beta with their Azure AD accounts. This access control is called single sign-on (SSO).
-* Manage your accounts in one central location by using the Azure portal.
+- Control in Azure AD who has access to Zscaler Beta.
+- Allow your users to be automatically signed in to Zscaler Beta with their Azure AD accounts. This access control is called single sign-on (SSO).
+- Manage your accounts in one central location by using the Azure portal.
## Prerequisites To configure Azure AD integration with Zscaler Beta, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/).
-* A Zscaler Beta subscription that uses single sign-on.
+- An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/).
+- A Zscaler Beta subscription that uses single sign-on.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* Zscaler Beta supports **SP** initiated SSO.
-* Zscaler Beta supports **Just In Time** user provisioning.
+- Zscaler Beta supports **SP** initiated SSO.
+- Zscaler Beta supports **Just In Time** user provisioning.
## Adding Zscaler Beta from the gallery
Configure and test Azure AD SSO with Zscaler Beta using a test user called **B.S
To configure and test Azure AD SSO with Zscaler Beta, perform the following steps: - 1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
- 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
- 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
1. **[Configure Zscaler Beta SSO](#configure-zscaler-beta-sso)** - to configure the Single Sign-On settings on application side.
- 1. **[Create Zscaler Beta test user](#create-zscaler-beta-test-user)** - to have a counterpart of B.Simon in Zscaler Beta that is linked to the Azure AD representation of user.
+ 1. **[Create Zscaler Beta test user](#create-zscaler-beta-test-user)** - to have a counterpart of B.Simon in Zscaler Beta that is linked to the Azure AD representation of user.
1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ## Configure Azure AD SSO
Follow these steps to enable Azure AD SSO in the Azure portal.
1. On the **Basic SAML Configuration** section, enter the values for the following fields:
- In the **Sign on URL** box, enter the URL used by your users to sign in to your Zscaler Beta Beta application.
+ In the **Sign on URL** box, enter the URL used by your users to sign in to your Zscaler Beta Beta application.
+
+ > [!NOTE]
+ > The value isn't real. Update the value with the actual Sign on URL value. To get the value, contact the [Zscaler Beta client support team](https://www.zscaler.com/company/contact).
- > [!NOTE]
- > The value isn't real. Update the value with the actual Sign on URL value. To get the value, contact the [Zscaler Beta client support team](https://www.zscaler.com/company/contact).
+1. The Zscaler Beta application expects the SAML assertions in a specific format. You must add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes. Select **Edit** to open the **User Attributes** dialog box.
-5. The Zscaler Beta application expects the SAML assertions in a specific format. You must add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes. Select **Edit** to open the **User Attributes** dialog box.
+ ![User Attributes dialog box](common/edit-attribute.png)
- ![User Attributes dialog box](common/edit-attribute.png)
+1. The Zscaler Beta application expects a few more attributes to be passed back in SAML response. In the **User claims** section in the **User Attributes** dialog box, follow these steps to add the SAML token attribute, as shown in the following table.
-6. The Zscaler Beta application expects a few more attributes to be passed back in SAML response. In the **User claims** section in the **User Attributes** dialog box, follow these steps to add the SAML token attribute, as shown in the following table.
-
- | Name | Source attribute |
- | | |
- | memberOf | user.assignedroles |
+ | Name | Source attribute |
+ | -- | |
+ | memberOf | user.assignedroles |
- a. Select **Add new claim** to open the **Manage user claims** dialog box.
+ a. Select **Add new claim** to open the **Manage user claims** dialog box.
- b. In the **Name** box, enter the attribute name shown for that row.
+ b. In the **Name** box, enter the attribute name shown for that row.
- c. Leave the **Namespace** box blank.
+ c. Leave the **Namespace** box blank.
- d. For **Source**, select **Attribute**.
+ d. For **Source**, select **Attribute**.
- e. From the **Source attribute** list, enter the attribute value shown for that row.
+ e. From the **Source attribute** list, enter the attribute value shown for that row.
- f. Select **OK**.
+ f. Select **OK**.
- g. Select **Save**.
+ g. Select **Save**.
- > [!NOTE]
- > Please click [here](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui--preview) to know how to configure Role in Azure AD.
+ > [!NOTE]
+ > Please click [here](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui) to know how to configure Role in Azure AD.
-7. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, select **Download** to download the **Certificate (Base64)**. Save it on your computer.
+1. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, select **Download** to download the **Certificate (Base64)**. Save it on your computer.
- ![Certificate download link](common/certificatebase64.png)
+ ![Certificate download link](common/certificatebase64.png)
-8. In the **Set up Zscaler Beta** section, copy the URLs you need for your requirements:
+1. In the **Set up Zscaler Beta** section, copy the URLs you need for your requirements:
- ![Copy configuration URLs](common/copy-configuration-urls.png)
+ ![Copy configuration URLs](common/copy-configuration-urls.png)
### Create an Azure AD test user
In this section, you'll create a test user in the Azure portal called B.Simon.
1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**. 1. Select **New user** at the top of the screen. 1. In the **User** properties, follow these steps:
- 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **Name** field, enter `B.Simon`.
1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`. 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box. 1. Click **Create**.
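Review bot: the Sign on URL step still reads "your Zscaler Beta Beta application"; the product name is doubled on both the removed and the added line, so this formatting pass is the place to drop the extra "Beta". In the same hunk the claims table delimiter row is shown as `| -- | |` with an empty second cell; check that the committed file has hyphens in every delimiter cell so the `memberOf` / `user.assignedroles` row renders as a table.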
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. To automate the configuration within Zscaler Beta, install **My Apps Secure Sign-in browser extension** by selecting **Install the extension**.
- ![My Apps extension](common/install-myappssecure-extension.png)
+ ![My Apps extension](common/install-myappssecure-extension.png)
2. After you add the extension to the browser, selecting **Set up Zscaler Beta** directs you to the Zscaler Beta application. From there, provide the admin credentials to sign in to Zscaler Beta. The browser extension automatically configures the application for you and automates steps 3 through 6.
- ![Setup configuration](common/setup-sso.png)
+ ![Setup configuration](common/setup-sso.png)
3. To set up Zscaler Beta manually, open a new web browser window. Sign in to your Zscaler Beta company site as an administrator, and follow these steps. 4. Go to **Administration** > **Authentication** > **Authentication Settings**, and follow these steps.
-
- ![Administration](./media/zscaler-beta-tutorial/ic800206.png "Administration")
- a. Under **Authentication Type**, select **SAML**.
+ ![Administration](./media/zscaler-beta-tutorial/ic800206.png "Administration")
+
+ a. Under **Authentication Type**, select **SAML**.
+
+ b. Select **Configure SAML**.
- b. Select **Configure SAML**.
+5. In the **Edit SAML** window, follow these steps:
+ ![Manage Users & Authentication](./media/zscaler-beta-tutorial/ic800208.png "Manage Users & Authentication")
-5. In the **Edit SAML** window, follow these steps:
-
- ![Manage Users & Authentication](./media/zscaler-beta-tutorial/ic800208.png "Manage Users & Authentication")
-
- a. In the **SAML Portal URL** box, paste in the **Login URL** that you copied from the Azure portal.
+ a. In the **SAML Portal URL** box, paste in the **Login URL** that you copied from the Azure portal.
- b. In the **Login Name Attribute** box, enter **NameID**.
+ b. In the **Login Name Attribute** box, enter **NameID**.
- c. In the **Public SSL Certificate** box, select **Upload** to upload the Azure SAML signing certificate that you downloaded from the Azure portal.
+ c. In the **Public SSL Certificate** box, select **Upload** to upload the Azure SAML signing certificate that you downloaded from the Azure portal.
- d. Toggle **Enable SAML Auto-Provisioning**.
+ d. Toggle **Enable SAML Auto-Provisioning**.
- e. In the **User Display Name Attribute** box, enter **displayName** if you want to enable SAML autoprovisioning for displayName attributes.
+ e. In the **User Display Name Attribute** box, enter **displayName** if you want to enable SAML autoprovisioning for displayName attributes.
- f. In the **Group Name Attribute** box, enter **memberOf** if you want to enable SAML autoprovisioning for memberOf attributes.
+ f. In the **Group Name Attribute** box, enter **memberOf** if you want to enable SAML autoprovisioning for memberOf attributes.
- g. In the **Department Name Attribute** box, enter **department** if you want to enable SAML autoprovisioning for department attributes.
+ g. In the **Department Name Attribute** box, enter **department** if you want to enable SAML autoprovisioning for department attributes.
- h. Select **Save**.
+ h. Select **Save**.
6. On the **Configure User Authentication** dialog page, follow these steps:
- ![Activation menu and Activate button](./media/zscaler-beta-tutorial/ic800207.png)
+ ![Activation menu and Activate button](./media/zscaler-beta-tutorial/ic800207.png)
- a. Hover over the **Activation** menu at the bottom left.
+ a. Hover over the **Activation** menu at the bottom left.
- b. Select **Activate**.
+ b. Select **Activate**.
## Configure proxy settings+ To configure the proxy settings in Internet Explorer, follow these steps. 1. Start **Internet Explorer**.
-2. Select **Internet options** from the **Tools** menu to open the **Internet Options** dialog box.
-
- ![Internet Options dialog box](./media/zscaler-beta-tutorial/ic769492.png "Internet Options")
+2. Select **Internet options** from the **Tools** menu to open the **Internet Options** dialog box.
+
+ ![Internet Options dialog box](./media/zscaler-beta-tutorial/ic769492.png "Internet Options")
+
+3. Select the **Connections** tab.
-3. Select the **Connections** tab.
-
- ![Connections tab](./media/zscaler-beta-tutorial/ic769493.png "Connections")
+ ![Connections tab](./media/zscaler-beta-tutorial/ic769493.png "Connections")
4. Select **LAN settings** to open the **Local Area Network (LAN) Settings** dialog box.
-5. In the **Proxy server** section, follow these steps:
-
- ![Proxy server section](./media/zscaler-beta-tutorial/ic769494.png "Proxy server")
+5. In the **Proxy server** section, follow these steps:
- a. Select the **Use a proxy server for your LAN** check box.
+ ![Proxy server section](./media/zscaler-beta-tutorial/ic769494.png "Proxy server")
- b. In the **Address** box, enter **gateway.Zscaler Beta.net**.
+ a. Select the **Use a proxy server for your LAN** check box.
- c. In the **Port** box, enter **80**.
+ b. In the **Address** box, enter **gateway.Zscaler Beta.net**.
- d. Select the **Bypass proxy server for local addresses** check box.
+ c. In the **Port** box, enter **80**.
- e. Select **OK** to close the **Local Area Network (LAN) Settings** dialog box.
+ d. Select the **Bypass proxy server for local addresses** check box.
+
+ e. Select **OK** to close the **Local Area Network (LAN) Settings** dialog box.
6. Select **OK** to close the **Internet Options** dialog box.
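Review bot: step 5b of the proxy section tells the reader to enter **gateway.Zscaler Beta.net** as the proxy address, which contains a space and cannot be a valid hostname; it looks like a product-name substitution that this indentation change carries over unchanged. Please replace it with the real gateway hostname, confirmed with Zscaler, or with a clearly marked placeholder, and confirm that port 80 in step 5c is still the documented value.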
To configure the proxy settings in Internet Explorer, follow these steps.
In this section, the user Britta Simon is created in Zscaler Beta. Zscaler Beta supports **just-in-time user provisioning**, which is enabled by default. There's nothing for you to do in this section. If a user doesn't already exist in Zscaler Beta, a new one is created after authentication.
->[!Note]
->To create a user manually, contact the [Zscaler Beta support team](https://www.zscaler.com/company/contact).
-
-## Test SSO
+> [!Note]
+> To create a user manually, contact the [Zscaler Beta support team](https://www.zscaler.com/company/contact).
-In this section, you test your Azure AD single sign-on configuration with following options.
+## Test SSO
-* Click on **Test this application** in Azure portal. This will redirect to Zscaler Beta Sign-on URL where you can initiate the login flow.
+In this section, you test your Azure AD single sign-on configuration with following options.
-* Go to Zscaler Beta Sign-on URL directly and initiate the login flow from there.
+- Click on **Test this application** in Azure portal. This will redirect to Zscaler Beta Sign-on URL where you can initiate the login flow.
-* You can use Microsoft My Apps. When you click the Zscaler Beta tile in the My Apps, this will redirect to Zscaler Beta Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
+- Go to Zscaler Beta Sign-on URL directly and initiate the login flow from there.
+- You can use Microsoft My Apps. When you click the Zscaler Beta tile in the My Apps, this will redirect to Zscaler Beta Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
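Review bot: the re-spaced alert on the `+> [!Note]` line keeps the mixed-case `[!Note]` keyword, while every other alert touched in this change is written `[!NOTE]`. Since the hunk already rewrites that line for spacing, normalize the keyword in the same edit.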
active-directory Zscaler Internet Access Administrator Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/zscaler-internet-access-administrator-tutorial.md
Title: 'Tutorial: Azure Active Directory integration with Zscaler Internet Access Administrator | Microsoft Docs'
+ Title: "Tutorial: Azure Active Directory integration with Zscaler Internet Access Administrator | Microsoft Docs"
description: Learn how to configure single sign-on between Azure Active Directory and Zscaler Internet Access Administrator.
Last updated 02/25/2021 + # Tutorial: Azure Active Directory integration with Zscaler Internet Access Administrator In this tutorial, you'll learn how to integrate Zscaler Internet Access Administrator with Azure Active Directory (Azure AD). When you integrate Zscaler Internet Access Administrator with Azure AD, you can:
-* Control in Azure AD who has access to Zscaler Internet Access Administrator.
-* Enable your users to be automatically signed-in to Zscaler Internet Access Administrator with their Azure AD accounts.
-* Manage your accounts in one central location - the Azure portal.
+- Control in Azure AD who has access to Zscaler Internet Access Administrator.
+- Enable your users to be automatically signed-in to Zscaler Internet Access Administrator with their Azure AD accounts.
+- Manage your accounts in one central location - the Azure portal.
## Prerequisites To get started, you need the following items:
-* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
-* Zscaler Internet Access Administrator single sign-on (SSO) enabled subscription.
+- An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+- Zscaler Internet Access Administrator single sign-on (SSO) enabled subscription.
> [!NOTE] > This integration is also available to use from Azure AD US Government Cloud environment. You can find this application in the Azure AD US Government Cloud Application Gallery and configure it in the same way as you do from public cloud.
To get started, you need the following items:
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* Zscaler Internet Access Administrator supports **IDP** initiated SSO.
+- Zscaler Internet Access Administrator supports **IDP** initiated SSO.
## Add Zscaler Internet Access Administrator from the gallery
Configure and test Azure AD SSO with Zscaler Internet Access Administrator using
To configure and test Azure AD SSO with Zscaler Internet Access Administrator, perform the following steps: 1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
- 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
- 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
2. **[Configure Zscaler Internet Access Administrator SSO](#configure-zscaler-internet-access-administrator-sso)** - to configure the Single Sign-On settings on application side.
- 1. **[Create Zscaler Internet Access Administrator test user](#create-zscaler-internet-access-administrator-test-user)** - to have a counterpart of Britta Simon in Zscaler Internet Access Administrator that is linked to the Azure AD representation of user.
+ 1. **[Create Zscaler Internet Access Administrator test user](#create-zscaler-internet-access-administrator-test-user)** - to have a counterpart of Britta Simon in Zscaler Internet Access Administrator that is linked to the Azure AD representation of user.
3. **[Test SSO](#test-sso)** - to verify whether the configuration works. ## Configure Azure AD SSO
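Review bot: the nested list items still name the test user "Britta Simon", while the **Create an Azure AD test user** section later in this file creates a user called B.Simon and the Zscaler Beta tutorial's list in this change already says B.Simon. Use one name throughout so the reader assigns and tests the same account they created.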
Follow these steps to enable Azure AD SSO in the Azure portal.
1. On the **Basic SAML Configuration** section, enter the values for the following fields:
- a. In the **Identifier** text box, type one of the following URLs as per your requirement:
+ a. In the **Identifier** text box, type one of the following URLs as per your requirement:
- | Identifier |
- ||
- | `https://admin.zscaler.net` |
- | `https://admin.zscalerone.net` |
- | `https://admin.zscalertwo.net` |
- | `https://admin.zscalerthree.net` |
- | `https://admin.zscloud.net` |
- | `https://admin.zscalerbeta.net` |
+ | Identifier |
+ | -- |
+ | `https://admin.zscaler.net` |
+ | `https://admin.zscalerone.net` |
+ | `https://admin.zscalertwo.net` |
+ | `https://admin.zscalerthree.net` |
+ | `https://admin.zscloud.net` |
+ | `https://admin.zscalerbeta.net` |
- b. In the **Reply URL** text box, type one of the following URLs as per your requirement:
+ b. In the **Reply URL** text box, type one of the following URLs as per your requirement:
- | Reply URL |
- |--|
- | `https://admin.zscaler.net/adminsso.do` |
- | `https://admin.zscalerone.net/adminsso.do` |
- | `https://admin.zscalertwo.net/adminsso.do` |
- | `https://admin.zscalerthree.net/adminsso.do` |
- | `https://admin.zscloud.net/adminsso.do` |
- | `https://admin.zscalerbeta.net/adminsso.do` |
+ | Reply URL |
+ | -- |
+ | `https://admin.zscaler.net/adminsso.do` |
+ | `https://admin.zscalerone.net/adminsso.do` |
+ | `https://admin.zscalertwo.net/adminsso.do` |
+ | `https://admin.zscalerthree.net/adminsso.do` |
+ | `https://admin.zscloud.net/adminsso.do` |
+ | `https://admin.zscalerbeta.net/adminsso.do` |
-5. Zscaler Internet Access Administrator application expects the SAML assertions in a specific format. Configure the following claims for this application. You can manage the values of these attributes from the **User Attributes & Claims** section on application integration page. On the **Set up Single Sign-On with SAML page**, click **Edit** button to open **User Attributes & Claims** dialog.
+1. Zscaler Internet Access Administrator application expects the SAML assertions in a specific format. Configure the following claims for this application. You can manage the values of these attributes from the **User Attributes & Claims** section on application integration page. On the **Set up Single Sign-On with SAML page**, click **Edit** button to open **User Attributes & Claims** dialog.
- ![The Attribute link](./media/zscaler-internet-access-administrator-tutorial/attributes.png)
+ ![The Attribute link](./media/zscaler-internet-access-administrator-tutorial/attributes.png)
-6. In the **User Claims** section on the **User Attributes** dialog, configure SAML token attribute as shown in the image above and perform the following steps:
+1. In the **User Claims** section on the **User Attributes** dialog, configure SAML token attribute as shown in the image above and perform the following steps:
- | Name | Source Attribute |
- | | |
- | Role | user.assignedroles |
+ | Name | Source Attribute |
+ | - | |
+ | Role | user.assignedroles |
- a. Click **Add new claim** to open the **Manage user claims** dialog.
+ a. Click **Add new claim** to open the **Manage user claims** dialog.
- b. From the **Source attribute** list, select the attribute value.
+ b. From the **Source attribute** list, select the attribute value.
- c. Click **Ok**.
+ c. Click **Ok**.
- d. Click **Save**.
+ d. Click **Save**.
- > [!NOTE]
- > Please click [here](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui--preview) to know how to configure Role in Azure AD.
+ > [!NOTE]
+ > Please click [here](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui) to know how to configure Role in Azure AD.
-7. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Certificate (Base64)** from the given options as per your requirement and save it on your computer.
+1. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Certificate (Base64)** from the given options as per your requirement and save it on your computer.
- ![The Certificate download link](common/certificatebase64.png)
+ ![The Certificate download link](common/certificatebase64.png)
-8. On the **Set up Zscaler Internet Access Administrator** section, copy the appropriate URL(s) as per your requirement.
+1. On the **Set up Zscaler Internet Access Administrator** section, copy the appropriate URL(s) as per your requirement.
- ![Copy configuration URLs](common/copy-configuration-urls.png)
+ ![Copy configuration URLs](common/copy-configuration-urls.png)
### Create an Azure AD test user
In this section, you'll create a test user in the Azure portal called B.Simon.
1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**. 1. Select **New user** at the top of the screen. 1. In the **User** properties, follow these steps:
- 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **Name** field, enter `B.Simon`.
1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`. 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box. 1. Click **Create**.
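Review bot: the sub-steps under the `Role` / `user.assignedroles` table go from "Click Add new claim" straight to picking the Source attribute, with no step for entering the claim name; the Zscaler Beta tutorial in this change spells out Name, Namespace and Source for the same dialog. Because this claim carries the administrator role, add the missing Name step (`Role`) here rather than only re-indenting a to d. The earlier step also bolds `**Set up Single Sign-On with SAML page**` with "page" inside the bold, unlike the certificate download step.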
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
2. Go to **Administration > Administrator Management** and perform the following steps and click Save:
- ![Screenshot shows Administrator Management with options to Enable SAML Authentication, upload S S L Certificate and specify an Issuer.](./media/zscaler-internet-access-administrator-tutorial/management.png "Administration")
+ ![Screenshot shows Administrator Management with options to Enable SAML Authentication, upload S S L Certificate and specify an Issuer.](./media/zscaler-internet-access-administrator-tutorial/management.png "Administration")
- a. Check **Enable SAML Authentication**.
+ a. Check **Enable SAML Authentication**.
- b. Click **Upload**, to upload the Azure SAML signing certificate that you have downloaded from Azure portal in the **Public SSL Certificate**.
+ b. Click **Upload**, to upload the Azure SAML signing certificate that you have downloaded from Azure portal in the **Public SSL Certificate**.
- c. Optionally, for additional security, add the **Issuer** details to verify the Issuer of the SAML response.
+ c. Optionally, for additional security, add the **Issuer** details to verify the Issuer of the SAML response.
3. On the Admin UI, perform the following steps:
- ![Screenshot shows the Admin U I where you can perform the steps.](./media/zscaler-internet-access-administrator-tutorial/activation.png)
+ ![Screenshot shows the Admin U I where you can perform the steps.](./media/zscaler-internet-access-administrator-tutorial/activation.png)
- a. Hover over the **Activation** menu near the bottom left.
+ a. Hover over the **Activation** menu near the bottom left.
- b. Click **Activate**.
+ b. Click **Activate**.
### Create Zscaler Internet Access Administrator test user
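Review bot: step 2c presents verifying the Issuer of the SAML response as optional ("Optionally, for additional security"), yet this tutorial configures sign-in to the administrator console. Consider wording it as a recommended step and stating which value copied from the **Set up Zscaler Internet Access Administrator** section belongs in the **Issuer** field, so readers do not skip the check.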
https://help.zscaler.com/zia/adding-admins
In this section, you test your Azure AD single sign-on configuration with following options.
-* Click on Test this application in Azure portal and you should be automatically signed in to the Zscaler Internet Access Administrator for which you set up the SSO
+- Click on Test this application in Azure portal and you should be automatically signed in to the Zscaler Internet Access Administrator for which you set up the SSO
-* You can use Microsoft My Apps. When you click the Zscaler Internet Access Administrator tile in the My Apps, you should be automatically signed in to the Zscaler Internet Access Administrator for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
+- You can use Microsoft My Apps. When you click the Zscaler Internet Access Administrator tile in the My Apps, you should be automatically signed in to the Zscaler Internet Access Administrator for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
active-directory Zscaler One Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/zscaler-one-tutorial.md
Title: 'Tutorial: Azure Active Directory integration with Zscaler One | Microsoft Docs'
+ Title: "Tutorial: Azure Active Directory integration with Zscaler One | Microsoft Docs"
description: Learn how to configure single sign-on between Azure Active Directory and Zscaler One.
Last updated 12/18/2020 + # Tutorial: Azure Active Directory integration with Zscaler One In this tutorial, you learn how to integrate Zscaler One with Azure Active Directory (Azure AD). Integrating Zscaler One with Azure AD provides you with the following benefits:
-* You can control in Azure AD who has access to Zscaler One.
-* You can enable your users to be automatically signed-in to Zscaler One (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
+- You can control in Azure AD who has access to Zscaler One.
+- You can enable your users to be automatically signed-in to Zscaler One (Single Sign-On) with their Azure AD accounts.
+- You can manage your accounts in one central location - the Azure portal.
## Prerequisites To configure Azure AD integration with Zscaler One, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/)
-* Zscaler One single sign-on enabled subscription
+- An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/)
+- Zscaler One single sign-on enabled subscription
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* Zscaler One supports **SP** initiated SSO
+- Zscaler One supports **SP** initiated SSO
-* Zscaler One supports **Just In Time** user provisioning
+- Zscaler One supports **Just In Time** user provisioning
## Adding Zscaler One from the gallery
Configure and test Azure AD SSO with Zscaler One using a test user called **B.Si
To configure and test Azure AD SSO with Zscaler One, perform the following steps: 1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
- 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
- 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
2. **[Configure Zscaler One SSO](#configure-zscaler-one-sso)** - to configure the Single Sign-On settings on application side.
- 1. **[Create Zscaler One test user](#create-zscaler-one-test-user)** - to have a counterpart of Britta Simon in Zscaler One that is linked to the Azure AD representation of user.
-1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
+ 1. **[Create Zscaler One test user](#create-zscaler-one-test-user)** - to have a counterpart of Britta Simon in Zscaler One that is linked to the Azure AD representation of user.
+3. **[Test SSO](#test-sso)** - to verify whether the configuration works.
### Configure Azure AD SSO
Follow these steps to enable Azure AD SSO in the Azure portal.
![Edit Basic SAML Configuration](common/edit-urls.png)
-4. On the **Basic SAML Configuration** section, perform the following steps:
+1. On the **Basic SAML Configuration** section, perform the following steps:
+
+ In the **Sign-on URL** textbox, type the URL used by your users to sign-on to your Zscaler One application.
- In the **Sign-on URL** textbox, type the URL used by your users to sign-on to your Zscaler One application.
+ > [!NOTE]
+ > You update the value with the actual Sign-On URL. Contact [Zscaler One Client support team](https://www.zscaler.com/company/contact) to get the value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
- > [!NOTE]
- > You update the value with the actual Sign-On URL. Contact [Zscaler One Client support team](https://www.zscaler.com/company/contact) to get the value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+1. Your Zscaler One application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes. Click **Edit** icon to open **User Attributes** dialog.
-5. Your Zscaler One application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes. Click **Edit** icon to open **User Attributes** dialog.
+ ![Screenshot shows User Attributes with the Edit icon selected.](common/edit-attribute.png)
- ![Screenshot shows User Attributes with the Edit icon selected.](common/edit-attribute.png)
+1. In addition to above, Zscaler One application expects few more attributes to be passed back in SAML response. In the **User Claims** section on the **User Attributes** dialog, perform the following steps to add SAML token attribute as shown in the below table:
-6. In addition to above, Zscaler One application expects few more attributes to be passed back in SAML response. In the **User Claims** section on the **User Attributes** dialog, perform the following steps to add SAML token attribute as shown in the below table:
-
- | Name | Source Attribute |
- | | |
- | memberOf | user.assignedroles |
+ | Name | Source Attribute |
+ | -- | |
+ | memberOf | user.assignedroles |
- a. Click **Add new claim** to open the **Manage user claims** dialog.
+ a. Click **Add new claim** to open the **Manage user claims** dialog.
- b. In the **Name** textbox, type the attribute name shown for that row.
+ b. In the **Name** textbox, type the attribute name shown for that row.
- c. Leave the **Namespace** blank.
+ c. Leave the **Namespace** blank.
- d. Select Source as **Attribute**.
+ d. Select Source as **Attribute**.
- e. From the **Source attribute** list, type the attribute value shown for that row.
-
- f. Click **Save**.
+ e. From the **Source attribute** list, type the attribute value shown for that row.
- > [!NOTE]
- > Please click [here](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui--preview) to know how to configure Role in Azure AD.
+ f. Click **Save**.
-7. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Certificate (Base64)** from the given options as per your requirement and save it on your computer.
+ > [!NOTE]
+ > Please click [here](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui) to know how to configure Role in Azure AD.
- ![The Certificate download link](common/certificatebase64.png)
+1. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Certificate (Base64)** from the given options as per your requirement and save it on your computer.
-8. On the **Set up Zscaler One** section, copy the appropriate URL(s) as per your requirement.
+ ![The Certificate download link](common/certificatebase64.png)
- ![Copy configuration URLs](common/copy-configuration-urls.png)
+1. On the **Set up Zscaler One** section, copy the appropriate URL(s) as per your requirement.
-### Create an Azure AD test user
+ ![Copy configuration URLs](common/copy-configuration-urls.png)
+
+### Create an Azure AD test user
In this section, you'll create a test user in the Azure portal called B.Simon. 1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**. 1. Select **New user** at the top of the screen. 1. In the **User** properties, follow these steps:
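Review bot: The note at the end of the User Claims step still reads "Please click [here](...)"; the only thing this change touches on that line is the anchor, which moves from `#app-roles-ui--preview` to `#app-roles-ui`. Since the line is being rewritten anyway, give the link descriptive text (for example, the title of the target article) so it makes sense out of context and to screen readers, and confirm that `#app-roles-ui` exists in `howto-add-app-roles-in-azure-ad-apps.md`. Smaller point: steps 4 to 8 become `1.` throughout here, while the overview list earlier in the same article is moved to explicit `2.` and `3.`; one numbering style per article would be easier to maintain.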
- 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **Name** field, enter `B.Simon`.
1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`. 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box. 1. Click **Create**.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. To automate the configuration within Zscaler One, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**.
- ![My apps extension](common/install-myappssecure-extension.png)
+ ![My apps extension](common/install-myappssecure-extension.png)
2. After adding extension to the browser, click on **Setup Zscaler One** will direct you to the Zscaler One application. From there, provide the admin credentials to sign into Zscaler One. The browser extension will automatically configure the application for you and automate steps 3-6.
- ![Setup sso](common/setup-sso.png)
+ ![Setup sso](common/setup-sso.png)
3. If you want to setup Zscaler One manually, open a new web browser window and sign into your Zscaler One company site as an administrator and perform the following steps: 4. Go to **Administration > Authentication > Authentication Settings** and perform the following steps:
-
- ![Screenshot shows the Zscaler One site with steps as described.](./media/zscaler-one-tutorial/ic800206.png "Administration")
- a. Under Authentication Type, choose **SAML**.
+ ![Screenshot shows the Zscaler One site with steps as described.](./media/zscaler-one-tutorial/ic800206.png "Administration")
+
+ a. Under Authentication Type, choose **SAML**.
- b. Click **Configure SAML**.
+ b. Click **Configure SAML**.
5. On the **Edit SAML** window, perform the following steps: and click Save.
-
- ![Manage Users & Authentication](./media/zscaler-one-tutorial/ic800208.png "Manage Users & Authentication")
-
- a. In the **SAML Portal URL** textbox, Paste the **Login URL** which you have copied from Azure portal.
- b. In the **Login Name Attribute** textbox, enter **NameID**.
+ ![Manage Users & Authentication](./media/zscaler-one-tutorial/ic800208.png "Manage Users & Authentication")
- c. Click **Upload**, to upload the Azure SAML signing certificate that you have downloaded from Azure portal in the **Public SSL Certificate**.
+ a. In the **SAML Portal URL** textbox, Paste the **Login URL** which you have copied from Azure portal.
- d. Toggle the **Enable SAML Auto-Provisioning**.
+ b. In the **Login Name Attribute** textbox, enter **NameID**.
- e. In the **User Display Name Attribute** textbox, enter **displayName** if you want to enable SAML auto-provisioning for displayName attributes.
+ c. Click **Upload**, to upload the Azure SAML signing certificate that you have downloaded from Azure portal in the **Public SSL Certificate**.
- f. In the **Group Name Attribute** textbox, enter **memberOf** if you want to enable SAML auto-provisioning for memberOf attributes.
+ d. Toggle the **Enable SAML Auto-Provisioning**.
- g. In the **Department Name Attribute** Enter **department** if you want to enable SAML auto-provisioning for department attributes.
+ e. In the **User Display Name Attribute** textbox, enter **displayName** if you want to enable SAML auto-provisioning for displayName attributes.
- h. Click **Save**.
+ f. In the **Group Name Attribute** textbox, enter **memberOf** if you want to enable SAML auto-provisioning for memberOf attributes.
+
+ g. In the **Department Name Attribute** Enter **department** if you want to enable SAML auto-provisioning for department attributes.
+
+ h. Click **Save**.
6. On the **Configure User Authentication** dialog page, perform the following steps:
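Review bot: Sub-step d, "Toggle the **Enable SAML Auto-Provisioning**", does not say which state the switch should end in, yet sub-steps e to g are each conditional on auto-provisioning being enabled; "turn on" would remove the ambiguity. Sub-step f would also benefit from a pointer back to the `memberOf` claim (source `user.assignedroles`) added in the Azure AD section, because that is the claim the **Group Name Attribute** field reads, and a reader who skipped the claim mapping has no way to tell from this step why group provisioning is empty.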
- ![Screenshot shows the Configure User Authentication dialog box with Activate selected.](./media/zscaler-one-tutorial/ic800207.png)
+ ![Screenshot shows the Configure User Authentication dialog box with Activate selected.](./media/zscaler-one-tutorial/ic800207.png)
- a. Hover over the **Activation** menu near the bottom left.
+ a. Hover over the **Activation** menu near the bottom left.
- b. Click **Activate**.
+ b. Click **Activate**.
## Configuring proxy settings+ ### To configure the proxy settings in Internet Explorer 1. Start **Internet Explorer**.
-2. Select **Internet options** from the **Tools** menu for open the **Internet Options** dialog.
+2. Select **Internet options** from the **Tools** menu for open the **Internet Options** dialog.
- ![Internet Options](./media/zscaler-one-tutorial/ic769492.png "Internet Options")
+ ![Internet Options](./media/zscaler-one-tutorial/ic769492.png "Internet Options")
-3. Click the **Connections** tab.
+3. Click the **Connections** tab.
- ![Connections](./media/zscaler-one-tutorial/ic769493.png "Connections")
+ ![Connections](./media/zscaler-one-tutorial/ic769493.png "Connections")
4. Click **LAN settings** to open the **LAN Settings** dialog.
-5. In the Proxy server section, perform the following steps:
-
- ![Proxy server](./media/zscaler-one-tutorial/ic769494.png "Proxy server")
+5. In the Proxy server section, perform the following steps:
- a. Select **Use a proxy server for your LAN**.
+ ![Proxy server](./media/zscaler-one-tutorial/ic769494.png "Proxy server")
- b. In the Address textbox, type **gateway.Zscaler One.net**.
+ a. Select **Use a proxy server for your LAN**.
- c. In the Port textbox, type **80**.
+ b. In the Address textbox, type **gateway.Zscaler One.net**.
- d. Select **Bypass proxy server for local addresses**.
+ c. In the Port textbox, type **80**.
- e. Click **OK** to close the **Local Area Network (LAN) Settings** dialog.
+ d. Select **Bypass proxy server for local addresses**.
-7. Click **OK** to close the **Internet Options** dialog.
+ e. Click **OK** to close the **Local Area Network (LAN) Settings** dialog.
+
+6. Click **OK** to close the **Internet Options** dialog.
### Create Zscaler One test user In this section, a user called Britta Simon is created in Zscaler One. Zscaler One supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Zscaler One, a new one is created after authentication.
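Review bot: In the proxy settings, step 5b still tells the reader to type `gateway.Zscaler One.net` as the proxy address; the change only re-indents that line. A hostname cannot contain a space, and this reads like the product name substituted into the gateway domain, so anyone following the step ends up with a proxy setting that cannot resolve. Replace it with the real gateway hostname for this Zscaler cloud, or with a `<placeholder>` and a pointer to where the administrator finds the value. Step 2 also keeps "for open the", which should read "to open the".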
->[!Note]
->If you need to create a user manually, contact [Zscaler One support team](https://www.zscaler.com/company/contact).
-
-### Test SSO
+> [!Note]
+> If you need to create a user manually, contact [Zscaler One support team](https://www.zscaler.com/company/contact).
-In this section, you test your Azure AD single sign-on configuration with following options.
+### Test SSO
-* Click on **Test this application** in Azure portal. This will redirect to Zscaler One Sign-on URL where you can initiate the login flow.
+In this section, you test your Azure AD single sign-on configuration with following options.
-* Go to Zscaler One Sign-on URL directly and initiate the login flow from there.
+- Click on **Test this application** in Azure portal. This will redirect to Zscaler One Sign-on URL where you can initiate the login flow.
-* You can use Microsoft My Apps. When you click the Zscaler One tile in the My Apps, this will redirect to Zscaler One Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
+- Go to Zscaler One Sign-on URL directly and initiate the login flow from there.
+- You can use Microsoft My Apps. When you click the Zscaler One tile in the My Apps, this will redirect to Zscaler One Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
active-directory Zscaler Three Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/zscaler-three-tutorial.md
Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Zscaler Three | Microsoft Docs'
+ Title: "Tutorial: Azure Active Directory single sign-on (SSO) integration with Zscaler Three | Microsoft Docs"
description: Learn how to configure single sign-on between Azure Active Directory and Zscaler Three.
In this tutorial, you'll learn how to integrate Zscaler Three with Azure Active Directory (Azure AD). When you integrate Zscaler Three with Azure AD, you can:
-* Control in Azure AD who has access to Zscaler Three.
-* Enable your users to be automatically signed-in to Zscaler Three with their Azure AD accounts.
-* Manage your accounts in one central location - the Azure portal.
-
+- Control in Azure AD who has access to Zscaler Three.
+- Enable your users to be automatically signed-in to Zscaler Three with their Azure AD accounts.
+- Manage your accounts in one central location - the Azure portal.
## Prerequisites To get started, you need the following items:
-* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
-* Zscaler Three single sign-on (SSO) enabled subscription.
+- An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+- Zscaler Three single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Zscaler Three supports **SP** initiated SSO
+- Zscaler Three supports **SP** initiated SSO
-* Zscaler Three supports **Just In Time** user provisioning
+- Zscaler Three supports **Just In Time** user provisioning
> [!NOTE] > Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
Configure and test Azure AD SSO with Zscaler Three using a test user called **B.
To configure and test Azure AD SSO with Zscaler Three, perform the following steps: 1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
- 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
- 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
1. **[Configure Zscaler Three SSO](#configure-zscaler-three-sso)** - to configure the single sign-on settings on application side.
- 1. **[Create Zscaler Three test user](#create-zscaler-three-test-user)** - to have a counterpart of B.Simon in Zscaler Three that is linked to the Azure AD representation of user.
+ 1. **[Create Zscaler Three test user](#create-zscaler-three-test-user)** - to have a counterpart of B.Simon in Zscaler Three that is linked to the Azure AD representation of user.
1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ## Configure Azure AD SSO
Follow these steps to enable Azure AD SSO in the Azure portal.
1. On the **Basic SAML Configuration** section, enter the values for the following fields:
- In the **Sign-on URL** text box, type a URL:
- `https://login.zscalerthree.net/sfc_sso`
+ In the **Sign-on URL** text box, type a URL:
+ `https://login.zscalerthree.net/sfc_sso`
1. Your Zscaler Three application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.
- ![Screenshot shows User Attributes with the Edit icon selected.](common/edit-attribute.png)
+ ![Screenshot shows User Attributes with the Edit icon selected.](common/edit-attribute.png)
-6. In addition to above, Zscaler Three application expects few more attributes to be passed back in SAML response which are shown below. These attributes are also pre populated but you can review them as per your requirement.
+1. In addition to above, Zscaler Three application expects few more attributes to be passed back in SAML response which are shown below. These attributes are also pre populated but you can review them as per your requirement.
- | Name | Source Attribute |
- | | |
- | memberOf | user.assignedroles |
+ | Name | Source Attribute |
+ | -- | |
+ | memberOf | user.assignedroles |
- > [!NOTE]
- > Please click [here](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui--preview) to know how to configure Role in Azure AD.
+ > [!NOTE]
+ > Please click [here](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui) to know how to configure Role in Azure AD.
-1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.
+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.
- ![The Certificate download link](common/certificatebase64.png)
+ ![The Certificate download link](common/certificatebase64.png)
1. On the **Set up Zscaler Three** section, copy the appropriate URL(s) based on your requirement.
- ![Copy configuration URLs](common/copy-configuration-urls.png)
+ ![Copy configuration URLs](common/copy-configuration-urls.png)
### Create an Azure AD test user
In this section, you'll create a test user in the Azure portal called B.Simon.
1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**. 1. Select **New user** at the top of the screen. 1. In the **User** properties, follow these steps:
- 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **Name** field, enter `B.Simon`.
1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`. 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box. 1. Click **Create**.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the applications list, select **Zscaler Three**. 1. In the **Users and groups** dialog, select the user like **Britta Simon** from the list, then click the **Select** button at the bottom of the screen.
- ![Screenshot shows the Users and groups dialog box where you can select a user.](./media/zscaler-three-tutorial/tutorial_zscalerthree_users.png)
+ ![Screenshot shows the Users and groups dialog box where you can select a user.](./media/zscaler-three-tutorial/tutorial_zscalerthree_users.png)
1. From the **Select Role** dialog choose the appropriate user role in the list, then click the **Select** button at the bottom of the screen.
- ![Screenshot shows the Select Role dialog box where you can choose a user role.](./media/zscaler-three-tutorial/tutorial_zscalerthree_roles.png)
+ ![Screenshot shows the Select Role dialog box where you can choose a user role.](./media/zscaler-three-tutorial/tutorial_zscalerthree_roles.png)
1. In the **Add Assignment** dialog select the **Assign** button.
- ![Screenshot shows the Add Assignment dialog box where you can select Assign.](./media/zscaler-three-tutorial/tutorial_zscalerthree_assign.png)
+ ![Screenshot shows the Add Assignment dialog box where you can select Assign.](./media/zscaler-three-tutorial/tutorial_zscalerthree_assign.png)
## Configure Zscaler Three SSO 1. To automate the configuration within Zscaler Three, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**.
- ![My apps extension](common/install-myappssecure-extension.png)
+ ![My apps extension](common/install-myappssecure-extension.png)
2. After adding extension to the browser, click on **Setup Zscaler Three** will direct you to the Zscaler Three application. From there, provide the admin credentials to sign into Zscaler Three. The browser extension will automatically configure the application for you and automate steps 3-6.
- ![Setup](common/setup-sso.png)
+ ![Setup](common/setup-sso.png)
3. If you want to setup Zscaler Three manually, open a new web browser window and sign into your Zscaler Three company site as an administrator and perform the following steps: 4. Go to **Administration > Authentication > Authentication Settings** and perform the following steps:
- ![Screenshot shows the Zscaler One site with steps as described.](./media/zscaler-three-tutorial/ic800206.png "Administration")
+ ![Screenshot shows the Zscaler One site with steps as described.](./media/zscaler-three-tutorial/ic800206.png "Administration")
- a. Under Authentication Type, choose **SAML**.
+ a. Under Authentication Type, choose **SAML**.
- b. Click **Configure SAML**.
+ b. Click **Configure SAML**.
-5. On the **Edit SAML** window, perform the following steps: and click Save.
+5. On the **Edit SAML** window, perform the following steps: and click Save.
- ![Manage Users & Authentication](./media/zscaler-three-tutorial/ic800208.png "Manage Users & Authentication")
+ ![Manage Users & Authentication](./media/zscaler-three-tutorial/ic800208.png "Manage Users & Authentication")
- a. In the **SAML Portal URL** textbox, Paste the **Login URL** which you have copied from Azure portal.
+ a. In the **SAML Portal URL** textbox, Paste the **Login URL** which you have copied from Azure portal.
- b. In the **Login Name Attribute** textbox, enter **NameID**.
+ b. In the **Login Name Attribute** textbox, enter **NameID**.
- c. Click **Upload**, to upload the Azure SAML signing certificate that you have downloaded from Azure portal in the **Public SSL Certificate**.
+ c. Click **Upload**, to upload the Azure SAML signing certificate that you have downloaded from Azure portal in the **Public SSL Certificate**.
- d. Toggle the **Enable SAML Auto-Provisioning**.
+ d. Toggle the **Enable SAML Auto-Provisioning**.
- e. In the **User Display Name Attribute** textbox, enter **displayName** if you want to enable SAML auto-provisioning for displayName attributes.
+ e. In the **User Display Name Attribute** textbox, enter **displayName** if you want to enable SAML auto-provisioning for displayName attributes.
- f. In the **Group Name Attribute** textbox, enter **memberOf** if you want to enable SAML auto-provisioning for memberOf attributes.
+ f. In the **Group Name Attribute** textbox, enter **memberOf** if you want to enable SAML auto-provisioning for memberOf attributes.
- g. In the **Department Name Attribute** Enter **department** if you want to enable SAML auto-provisioning for department attributes.
+ g. In the **Department Name Attribute** Enter **department** if you want to enable SAML auto-provisioning for department attributes.
- h. Click **Save**.
+ h. Click **Save**.
6. On the **Configure User Authentication** dialog page, perform the following steps:
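Review bot: The screenshot alt text under step 4 reads "Screenshot shows the Zscaler One site with steps as described." in the Zscaler Three article, and the re-indent carries it over unchanged; it should name Zscaler Three. In step 5, the lead-in "perform the following steps: and click Save." is not a sentence and duplicates sub-step h ("Click **Save**"); dropping the trailing clause fixes both.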
- ![Screenshot shows the Configure User Authentication dialog box with Activate selected.](./media/zscaler-three-tutorial/ic800207.png)
+ ![Screenshot shows the Configure User Authentication dialog box with Activate selected.](./media/zscaler-three-tutorial/ic800207.png)
- a. Hover over the **Activation** menu near the bottom left.
+ a. Hover over the **Activation** menu near the bottom left.
- b. Click **Activate**.
+ b. Click **Activate**.
## Configuring proxy settings+ ### To configure the proxy settings in Internet Explorer 1. Start **Internet Explorer**.
-2. Select **Internet options** from the **Tools** menu for open the **Internet Options** dialog.
+2. Select **Internet options** from the **Tools** menu for open the **Internet Options** dialog.
- ![Internet Options](./media/zscaler-three-tutorial/ic769492.png "Internet Options")
+ ![Internet Options](./media/zscaler-three-tutorial/ic769492.png "Internet Options")
-3. Click the **Connections** tab.
+3. Click the **Connections** tab.
- ![Connections](./media/zscaler-three-tutorial/ic769493.png "Connections")
+ ![Connections](./media/zscaler-three-tutorial/ic769493.png "Connections")
4. Click **LAN settings** to open the **LAN Settings** dialog.
-5. In the Proxy server section, perform the following steps:
+5. In the Proxy server section, perform the following steps:
- ![Proxy server](./media/zscaler-three-tutorial/ic769494.png "Proxy server")
+ ![Proxy server](./media/zscaler-three-tutorial/ic769494.png "Proxy server")
- a. Select **Use a proxy server for your LAN**.
+ a. Select **Use a proxy server for your LAN**.
- b. In the Address textbox, type **gateway.Zscaler Three.net**.
+ b. In the Address textbox, type **gateway.Zscaler Three.net**.
- c. In the Port textbox, type **80**.
+ c. In the Port textbox, type **80**.
- d. Select **Bypass proxy server for local addresses**.
+ d. Select **Bypass proxy server for local addresses**.
- e. Click **OK** to close the **Local Area Network (LAN) Settings** dialog.
+ e. Click **OK** to close the **Local Area Network (LAN) Settings** dialog.
6. Click **OK** to close the **Internet Options** dialog.
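Review bot: Step 5b keeps `gateway.Zscaler Three.net` as the proxy address, with the product name and a space embedded in the hostname, so the value cannot be typed as a working proxy setting; the change only adjusts indentation. Supply the actual gateway hostname or a clearly marked placeholder. Step 2's "for open the" is also left as is and should be "to open the".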
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
In this section, a user called B.Simon is created in Zscaler Three. Zscaler Three supports just-in-time provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Zscaler Three, a new one is created when you attempt to access Zscaler Three.
->[!Note]
->If you need to create a user manually, contact [Zscaler Three support team](https://www.zscaler.com/company/contact).
-
-## Test SSO
+> [!Note]
+> If you need to create a user manually, contact [Zscaler Three support team](https://www.zscaler.com/company/contact).
-In this section, you test your Azure AD single sign-on configuration with following options.
+## Test SSO
-* Click on **Test this application** in Azure portal. This will redirect to Zscaler Three Sign-on URL where you can initiate the login flow.
+In this section, you test your Azure AD single sign-on configuration with following options.
-* Go to Zscaler Three Sign-on URL directly and initiate the login flow from there.
+- Click on **Test this application** in Azure portal. This will redirect to Zscaler Three Sign-on URL where you can initiate the login flow.
-* You can use Microsoft My Apps. When you click the Zscaler Three tile in the My Apps, this will redirect to Zscaler Three Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
+- Go to Zscaler Three Sign-on URL directly and initiate the login flow from there.
+- You can use Microsoft My Apps. When you click the Zscaler Three tile in the My Apps, this will redirect to Zscaler Three Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
active-directory Zscaler Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/zscaler-tutorial.md
Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Zscaler | Microsoft Docs'
+ Title: "Tutorial: Azure Active Directory single sign-on (SSO) integration with Zscaler | Microsoft Docs"
description: Learn how to configure single sign-on between Azure Active Directory and Zscaler.
In this tutorial, you'll learn how to integrate Zscaler with Azure Active Directory (Azure AD). When you integrate Zscaler with Azure AD, you can:
-* Control in Azure AD who has access to Zscaler.
-* Enable your users to be automatically signed-in to Zscaler with their Azure AD accounts.
-* Manage your accounts in one central location - the Azure portal.
+- Control in Azure AD who has access to Zscaler.
+- Enable your users to be automatically signed-in to Zscaler with their Azure AD accounts.
+- Manage your accounts in one central location - the Azure portal.
## Prerequisites To get started, you need the following items:
-* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
-* Zscaler single sign-on (SSO) enabled subscription.
+- An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+- Zscaler single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Zscaler supports **SP** initiated SSO
-* Zscaler supports **Just In Time** user provisioning
+- Zscaler supports **SP** initiated SSO
+- Zscaler supports **Just In Time** user provisioning
## Adding Zscaler from the gallery
Configure and test Azure AD SSO with Zscaler using a test user called **B.Simon*
To configure and test Azure AD SSO with Zscaler, perform the following steps: 1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
- 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
- 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
1. **[Configure Zscaler SSO](#configure-zscaler-sso)** - to configure the Single Sign-On settings on application side.
- 1. **[Create Zscaler test user](#create-zscaler-test-user)** - to have a counterpart of B.Simon in Zscaler that is linked to the Azure AD representation of user.
+ 1. **[Create Zscaler test user](#create-zscaler-test-user)** - to have a counterpart of B.Simon in Zscaler that is linked to the Azure AD representation of user.
1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ## Configure Azure AD SSO
Follow these steps to enable Azure AD SSO in the Azure portal.
1. On the **Basic SAML Configuration** section, enter the values for the following fields:
- In the **Sign-on URL** text box, type a URL using the following pattern:
- `https://<companyname>.zscaler.net`
+ In the **Sign-on URL** text box, type a URL using the following pattern:
+ `https://<companyname>.zscaler.net`
- > [!NOTE]
- > The value is not real. Update the value with the actual Sign-On URL. Contact [Zscaler Client support team](https://www.zscaler.com/company/contact) to get the value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+ > [!NOTE]
+ > The value is not real. Update the value with the actual Sign-On URL. Contact [Zscaler Client support team](https://www.zscaler.com/company/contact) to get the value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
1. Your Zscaler application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes. Click **Edit** icon to open **User Attributes** dialog.
- ![Screenshot shows User Attributes with the Edit icon selected.](common/edit-attribute.png)
+ ![Screenshot shows User Attributes with the Edit icon selected.](common/edit-attribute.png)
1. In addition to above, Zscaler application expects few more attributes to be passed back in SAML response. In the **User Claims** section on the **User Attributes** dialog, perform the following steps to add SAML token attribute as shown in the below table:
- | Name | Source Attribute |
- | | |
- | memberOf | user.assignedroles |
+ | Name | Source Attribute |
+ | -- | |
+ | memberOf | user.assignedroles |
- a. Click **Add new claim** to open the **Manage user claims** dialog.
+ a. Click **Add new claim** to open the **Manage user claims** dialog.
- b. In the **Name** textbox, type the attribute name shown for that row.
+ b. In the **Name** textbox, type the attribute name shown for that row.
- c. Leave the **Namespace** blank.
+ c. Leave the **Namespace** blank.
- d. Select Source as **Attribute**.
+ d. Select Source as **Attribute**.
- e. From the **Source attribute** list, type the attribute value shown for that row.
+ e. From the **Source attribute** list, type the attribute value shown for that row.
- f. Click **Save**.
+ f. Click **Save**.
- > [!NOTE]
- > Please click [here](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui--preview) to know how to configure Role in Azure AD.
+ > [!NOTE]
+ > Please click [here](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui) to know how to configure Role in Azure AD.
-1. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.
+1. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.
- ![The Certificate download link](common/certificatebase64.png)
+ ![The Certificate download link](common/certificatebase64.png)
1. On the **Set up Zscaler** section, copy the appropriate URL(s) based on your requirement.
- ![Copy configuration URLs](common/copy-configuration-urls.png)
+ ![Copy configuration URLs](common/copy-configuration-urls.png)
### Create an Azure AD test user
In this section, you'll create a test user in the Azure portal called B.Simon.
1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**. 1. Select **New user** at the top of the screen. 1. In the **User** properties, follow these steps:
- 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **Name** field, enter `B.Simon`.
1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`. 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box. 1. Click **Create**.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
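Review bot: the NOTE under step f still uses "Please click [here](...)" as its link text, and the line is already being touched to change the anchor from `#app-roles-ui--preview` to `#app-roles-ui`. Link text of "here" tells the reader nothing about the destination; suggest wording the sentence around the target, for example "To configure roles in Azure AD, see ..." with the article topic as the link text. It is also worth confirming that the `#app-roles-ui` anchor exists in the target article, because the same replacement is repeated in the Zscaler Two tutorial.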
1. To automate the configuration within Zscaler, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**.
- ![My apps extension](common/install-myappssecure-extension.png)
+ ![My apps extension](common/install-myappssecure-extension.png)
1. After adding extension to the browser, click on **Setup Zscaler** will direct you to the Zscaler application. From there, provide the admin credentials to sign into Zscaler. The browser extension will automatically configure the application for you and automate steps 3-6.
- ![Setup SSO](common/setup-sso.png)
+ ![Setup SSO](common/setup-sso.png)
1. If you want to setup Zscaler manually, open a new web browser window and sign into your Zscaler company site as an administrator and perform the following steps: 1. Go to **Administration > Authentication > Authentication Settings** and perform the following steps:
- ![Screenshot shows the Zscaler One site with steps as described.](./media/zscaler-tutorial/ic800206.png "Administration")
+ ![Screenshot shows the Zscaler One site with steps as described.](./media/zscaler-tutorial/ic800206.png "Administration")
- a. Under Authentication Type, choose **SAML**.
+ a. Under Authentication Type, choose **SAML**.
- b. Click **Configure SAML**.
+ b. Click **Configure SAML**.
-1. On the **Edit SAML** window, perform the following steps: and click Save.
+1. On the **Edit SAML** window, perform the following steps: and click Save.
- ![Manage Users & Authentication](./media/zscaler-tutorial/ic800208.png "Manage Users & Authentication")
+ ![Manage Users & Authentication](./media/zscaler-tutorial/ic800208.png "Manage Users & Authentication")
- a. In the **SAML Portal URL** textbox, Paste the **Login URL** which you have copied from Azure portal.
+ a. In the **SAML Portal URL** textbox, Paste the **Login URL** which you have copied from Azure portal.
- b. In the **Login Name Attribute** textbox, enter **NameID**.
+ b. In the **Login Name Attribute** textbox, enter **NameID**.
- c. Click **Upload**, to upload the Azure SAML signing certificate that you have downloaded from Azure portal in the **Public SSL Certificate**.
+ c. Click **Upload**, to upload the Azure SAML signing certificate that you have downloaded from Azure portal in the **Public SSL Certificate**.
- d. Toggle the **Enable SAML Auto-Provisioning**.
+ d. Toggle the **Enable SAML Auto-Provisioning**.
- e. In the **User Display Name Attribute** textbox, enter **displayName** if you want to enable SAML auto-provisioning for displayName attributes.
+ e. In the **User Display Name Attribute** textbox, enter **displayName** if you want to enable SAML auto-provisioning for displayName attributes.
- f. In the **Group Name Attribute** textbox, enter **memberOf** if you want to enable SAML auto-provisioning for memberOf attributes.
+ f. In the **Group Name Attribute** textbox, enter **memberOf** if you want to enable SAML auto-provisioning for memberOf attributes.
- g. In the **Department Name Attribute** Enter **department** if you want to enable SAML auto-provisioning for department attributes.
+ g. In the **Department Name Attribute** Enter **department** if you want to enable SAML auto-provisioning for department attributes.
- h. Click **Save**.
+ h. Click **Save**.
1. On the **Configure User Authentication** dialog page, perform the following steps:
- ![Screenshot shows the Configure User Authentication dialog box with Activate selected.](./media/zscaler-tutorial/ic800207.png)
+ ![Screenshot shows the Configure User Authentication dialog box with Activate selected.](./media/zscaler-tutorial/ic800207.png)
- a. Hover over the **Activation** menu near the bottom left.
+ a. Hover over the **Activation** menu near the bottom left.
- b. Click **Activate**.
+ b. Click **Activate**.
## Configuring proxy settings
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
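Review bot: step d of the Edit SAML list, "Toggle the **Enable SAML Auto-Provisioning**", does not say which state the switch should end in, although steps e through g only make sense with auto-provisioning enabled. Suggest "Turn on **Enable SAML Auto-Provisioning**". In the same list, the step intro reads "perform the following steps: and click Save.", which duplicates step h and should end at "steps:", and step g is missing "textbox," before a capitalised "Enter".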
1. Select **Internet options** from the **Tools** menu for open the **Internet Options** dialog.
- ![Internet Options](./media/zscaler-tutorial/ic769492.png "Internet Options")
+ ![Internet Options](./media/zscaler-tutorial/ic769492.png "Internet Options")
1. Click the **Connections** tab.
- ![Connections](./media/zscaler-tutorial/ic769493.png "Connections")
+ ![Connections](./media/zscaler-tutorial/ic769493.png "Connections")
1. Click **LAN settings** to open the **LAN Settings** dialog.
-1. In the Proxy server section, perform the following steps:
+1. In the Proxy server section, perform the following steps:
- ![Proxy server](./media/zscaler-tutorial/ic769494.png "Proxy server")
+ ![Proxy server](./media/zscaler-tutorial/ic769494.png "Proxy server")
- a. Select **Use a proxy server for your LAN**.
+ a. Select **Use a proxy server for your LAN**.
- b. In the Address textbox, type **gateway.zscaler.net**.
+ b. In the Address textbox, type **gateway.zscaler.net**.
- c. In the Port textbox, type **80**.
+ c. In the Port textbox, type **80**.
- d. Select **Bypass proxy server for local addresses**.
+ d. Select **Bypass proxy server for local addresses**.
- e. Click **OK** to close the **Local Area Network (LAN) Settings** dialog.
+ e. Click **OK** to close the **Local Area Network (LAN) Settings** dialog.
1. Click **OK** to close the **Internet Options** dialog.
In this section, a user called Britta Simon is created in Zscaler. Zscaler suppo
> [!Note] > If you need to create a user manually, contact [Zscaler support team](https://www.zscaler.com/company/contact).
-## Test SSO
+## Test SSO
-In this section, you test your Azure AD single sign-on configuration with following options.
+In this section, you test your Azure AD single sign-on configuration with following options.
-* Click on **Test this application** in Azure portal. This will redirect to Zscaler Sign-on URL where you can initiate the login flow.
+- Click on **Test this application** in Azure portal. This will redirect to Zscaler Sign-on URL where you can initiate the login flow.
-* Go to Zscaler Sign-on URL directly and initiate the login flow from there.
-
-* You can use Microsoft My Apps. When you click the Zscaler tile in the My Apps, this will redirect to Zscaler Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
+- Go to Zscaler Sign-on URL directly and initiate the login flow from there.
+- You can use Microsoft My Apps. When you click the Zscaler tile in the My Apps, this will redirect to Zscaler Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
active-directory Zscaler Two Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/zscaler-two-tutorial.md
Title: 'Tutorial: Azure Active Directory integration with Zscaler Two | Microsoft Docs'
+ Title: "Tutorial: Azure Active Directory integration with Zscaler Two | Microsoft Docs"
description: Learn how to configure single sign-on between Azure Active Directory and Zscaler Two.
Last updated 04/06/2021 + # Tutorial: Azure Active Directory integration with Zscaler Two In this tutorial, you'll learn how to integrate Zscaler Two with Azure Active Directory (Azure AD). When you integrate Zscaler Two with Azure AD, you can:
-* Control in Azure AD who has access to Zscaler Two.
-* Enable your users to be automatically signed-in to Zscaler Two with their Azure AD accounts.
-* Manage your accounts in one central location - the Azure portal.
+- Control in Azure AD who has access to Zscaler Two.
+- Enable your users to be automatically signed-in to Zscaler Two with their Azure AD accounts.
+- Manage your accounts in one central location - the Azure portal.
## Prerequisites To configure Azure AD integration with Zscaler Two, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/).
-* Zscaler Two single sign-on enabled subscription.
+- An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/).
+- Zscaler Two single sign-on enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* Zscaler Two supports **SP** initiated SSO.
+- Zscaler Two supports **SP** initiated SSO.
-* Zscaler Two supports **Just In Time** user provisioning.
+- Zscaler Two supports **Just In Time** user provisioning.
> [!NOTE] > Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
Configure and test Azure AD SSO with Zscaler Two using a test user called **B.Si
To configure and test Azure AD SSO with Zscaler Two, perform the following steps: 1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
- 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
- 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
1. **[Configure Zscaler Two SSO](#configure-zscaler-two-sso)** - to configure the single sign-on settings on application side.
- 1. **[Create Zscaler Two test user](#create-zscaler-two-test-user)** - to have a counterpart of B.Simon in Zscaler Two that is linked to the Azure AD representation of user.
+ 1. **[Create Zscaler Two test user](#create-zscaler-two-test-user)** - to have a counterpart of B.Simon in Zscaler Two that is linked to the Azure AD representation of user.
1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ## Configure Azure AD SSO
Follow these steps to enable Azure AD SSO in the Azure portal.
1. On the **Basic SAML Configuration** section, enter the values for the following fields:
- In the **Sign-on URL** textbox, type the URL used by your users to sign-on to your ZScaler Two application.
+ In the **Sign-on URL** textbox, type the URL used by your users to sign-on to your ZScaler Two application.
+
+ > [!NOTE]
+ > You update the value with the actual Sign-On URL. Contact [Zscaler Two Client support team](https://www.zscaler.com/company/contact) to get the value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
- > [!NOTE]
- > You update the value with the actual Sign-On URL. Contact [Zscaler Two Client support team](https://www.zscaler.com/company/contact) to get the value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+1. Your Zscaler Two application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes. Click **Edit** icon to open **User Attributes** dialog.
-5. Your Zscaler Two application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes. Click **Edit** icon to open **User Attributes** dialog.
+ ![Screenshot shows User Attributes with the Edit icon selected.](common/edit-attribute.png)
- ![Screenshot shows User Attributes with the Edit icon selected.](common/edit-attribute.png)
+1. In addition to above, Zscaler Two application expects few more attributes to be passed back in SAML response. In the **User Claims** section on the **User Attributes** dialog, perform the following steps to add SAML token attribute as shown in the below table:
-6. In addition to above, Zscaler Two application expects few more attributes to be passed back in SAML response. In the **User Claims** section on the **User Attributes** dialog, perform the following steps to add SAML token attribute as shown in the below table:
-
- | Name | Source Attribute |
- | | |
- | memberOf | user.assignedroles |
+ | Name | Source Attribute |
+ | -- | |
+ | memberOf | user.assignedroles |
- a. Click **Add new claim** to open the **Manage user claims** dialog.
+ a. Click **Add new claim** to open the **Manage user claims** dialog.
- ![Screenshot shows User claims with the option to Add new claim.](common/new-save-attribute.png)
+ ![Screenshot shows User claims with the option to Add new claim.](common/new-save-attribute.png)
- ![Screenshot shows the Manage user claims dialog box where you can enter the values described.](common/new-attribute-details.png)
+ ![Screenshot shows the Manage user claims dialog box where you can enter the values described.](common/new-attribute-details.png)
- b. In the **Name** textbox, type the attribute name shown for that row.
+ b. In the **Name** textbox, type the attribute name shown for that row.
- c. Leave the **Namespace** blank.
+ c. Leave the **Namespace** blank.
- d. Select Source as **Attribute**.
+ d. Select Source as **Attribute**.
- e. From the **Source attribute** list, type the attribute value shown for that row.
-
- f. Click **Save**.
+ e. From the **Source attribute** list, type the attribute value shown for that row.
- > [!NOTE]
- > Please click [here](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui--preview) to know how to configure Role in Azure AD.
+ f. Click **Save**.
-7. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Certificate (Base64)** from the given options as per your requirement and save it on your computer.
+ > [!NOTE]
+ > Please click [here](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui) to know how to configure Role in Azure AD.
- ![The Certificate download link](common/certificatebase64.png)
+1. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Certificate (Base64)** from the given options as per your requirement and save it on your computer.
-8. On the **Set up Zscaler Two** section, copy the appropriate URL(s) as per your requirement.
+ ![The Certificate download link](common/certificatebase64.png)
- ![Copy configuration URLs](common/copy-configuration-urls.png)
+1. On the **Set up Zscaler Two** section, copy the appropriate URL(s) as per your requirement.
+ ![Copy configuration URLs](common/copy-configuration-urls.png)
### Create an Azure AD test user
In this section, you'll create a test user in the Azure portal called B.Simon.
1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**. 1. Select **New user** at the top of the screen. 1. In the **User** properties, follow these steps:
- 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **Name** field, enter `B.Simon`.
1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`. 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box. 1. Click **Create**.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
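Review bot: the relocated NOTE under the Sign-on URL field reads "You update the value with the actual Sign-On URL.", which is a statement, not an instruction. Since the note is being moved anyway, suggest "Update the value with the actual Sign-On URL." to match the imperative wording of the other steps in this list.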
1. To automate the configuration within Zscaler Two, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**.
- ![My apps extension](common/install-myappssecure-extension.png)
+ ![My apps extension](common/install-myappssecure-extension.png)
2. After adding extension to the browser, click on **Setup Zscaler Two** will direct you to the Zscaler Two application. From there, provide the admin credentials to sign into Zscaler Two. The browser extension will automatically configure the application for you and automate steps 3-6.
- ![Setup sso](common/setup-sso.png)
+ ![Setup sso](common/setup-sso.png)
3. If you want to setup Zscaler Two manually, open a new web browser window and sign into your Zscaler Two company site as an administrator and perform the following steps: 4. Go to **Administration > Authentication > Authentication Settings** and perform the following steps:
-
- ![Screenshot shows the Zscaler One site with steps as described.](./media/zscaler-two-tutorial/administrator.png "Administration")
- a. Under Authentication Type, choose **SAML**.
+ ![Screenshot shows the Zscaler One site with steps as described.](./media/zscaler-two-tutorial/administrator.png "Administration")
+
+ a. Under Authentication Type, choose **SAML**.
- b. Click **Configure SAML**.
+ b. Click **Configure SAML**.
5. On the **Edit SAML** window, perform the following steps: and click Save.
-
- ![Manage Users & Authentication](./media/zscaler-two-tutorial/authentication.png "Manage Users & Authentication")
-
- a. In the **SAML Portal URL** textbox, Paste the **Login URL** which you have copied from Azure portal.
- b. In the **Login Name Attribute** textbox, enter **NameID**.
+ ![Manage Users & Authentication](./media/zscaler-two-tutorial/authentication.png "Manage Users & Authentication")
+
+ a. In the **SAML Portal URL** textbox, Paste the **Login URL** which you have copied from Azure portal.
+
+ b. In the **Login Name Attribute** textbox, enter **NameID**.
- c. Click **Upload**, to upload the Azure SAML signing certificate that you have downloaded from Azure portal in the **Public SSL Certificate**.
+ c. Click **Upload**, to upload the Azure SAML signing certificate that you have downloaded from Azure portal in the **Public SSL Certificate**.
- d. Toggle the **Enable SAML Auto-Provisioning**.
+ d. Toggle the **Enable SAML Auto-Provisioning**.
- e. In the **User Display Name Attribute** textbox, enter **displayName** if you want to enable SAML auto-provisioning for displayName attributes.
+ e. In the **User Display Name Attribute** textbox, enter **displayName** if you want to enable SAML auto-provisioning for displayName attributes.
- f. In the **Group Name Attribute** textbox, enter **memberOf** if you want to enable SAML auto-provisioning for memberOf attributes.
+ f. In the **Group Name Attribute** textbox, enter **memberOf** if you want to enable SAML auto-provisioning for memberOf attributes.
- g. In the **Department Name Attribute** Enter **department** if you want to enable SAML auto-provisioning for department attributes.
+ g. In the **Department Name Attribute** Enter **department** if you want to enable SAML auto-provisioning for department attributes.
- h. Click **Save**.
+ h. Click **Save**.
6. On the **Configure User Authentication** dialog page, perform the following steps:
- ![Screenshot shows the Configure User Authentication dialog box with Activate selected.](./media/zscaler-two-tutorial/activation.png)
+ ![Screenshot shows the Configure User Authentication dialog box with Activate selected.](./media/zscaler-two-tutorial/activation.png)
- a. Hover over the **Activation** menu near the bottom left.
+ a. Hover over the **Activation** menu near the bottom left.
- b. Click **Activate**.
+ b. Click **Activate**.
## Configuring proxy settings
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
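Review bot: the re-indented image line under step 4 keeps the alt text "Screenshot shows the Zscaler One site with steps as described." in the Zscaler Two tutorial. Please confirm which site the screenshot shows and make the alt text name the product this article covers. The steps in this section also keep explicit numbers (2. to 6.) while the rest of the file is converted to `1.`; if the explicit numbers are retained because step 2 refers to "steps 3-6", a short comment in the source would stop a later cleanup from breaking that reference.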
1. Start **Internet Explorer**.
-2. Select **Internet options** from the **Tools** menu for open the **Internet Options** dialog.
-
- ![Internet Options](./media/zscaler-two-tutorial/internet.png "Internet Options")
+2. Select **Internet options** from the **Tools** menu for open the **Internet Options** dialog.
-3. Click the **Connections** tab.
-
- ![Connections](./media/zscaler-two-tutorial/ic769493.png "Connections")
+ ![Internet Options](./media/zscaler-two-tutorial/internet.png "Internet Options")
+
+3. Click the **Connections** tab.
+
+ ![Connections](./media/zscaler-two-tutorial/ic769493.png "Connections")
4. Click **LAN settings** to open the **LAN Settings** dialog.
-5. In the Proxy server section, perform the following steps:
-
- ![Proxy server](./media/zscaler-two-tutorial/proxy.png "Proxy server")
+5. In the Proxy server section, perform the following steps:
- a. Select **Use a proxy server for your LAN**.
+ ![Proxy server](./media/zscaler-two-tutorial/proxy.png "Proxy server")
- b. In the Address textbox, type **gateway.Zscaler Two.net**.
+ a. Select **Use a proxy server for your LAN**.
- c. In the Port textbox, type **80**.
+ b. In the Address textbox, type **gateway.Zscaler Two.net**.
- d. Select **Bypass proxy server for local addresses**.
+ c. In the Port textbox, type **80**.
- e. Click **OK** to close the **Local Area Network (LAN) Settings** dialog.
+ d. Select **Bypass proxy server for local addresses**.
-6. Click **OK** to close the **Internet Options** dialog.
+ e. Click **OK** to close the **Local Area Network (LAN) Settings** dialog.
+6. Click **OK** to close the **Internet Options** dialog.
### Create Zscaler Two test user In this section, a user called Britta Simon is created in Zscaler Two. Zscaler Two supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Zscaler Two, a new one is created after authentication.
->[!Note]
->If you need to create a user manually, contact [Zscaler Two support team](https://www.zscaler.com/company/contact).
+> [!Note]
+> If you need to create a user manually, contact [Zscaler Two support team](https://www.zscaler.com/company/contact).
-## Test SSO
+## Test SSO
-In this section, you test your Azure AD single sign-on configuration with following options.
+In this section, you test your Azure AD single sign-on configuration with following options.
-* Click on **Test this application** in Azure portal. This will redirect to Zscaler Two Sign-on URL where you can initiate the login flow.
+- Click on **Test this application** in Azure portal. This will redirect to Zscaler Two Sign-on URL where you can initiate the login flow.
-* Go to Zscaler Two Sign-on URL directly and initiate the login flow from there.
+- Go to Zscaler Two Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the Zscaler Two tile in the My Apps, this will redirect to Zscaler Two Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
+- You can use Microsoft My Apps. When you click the Zscaler Two tile in the My Apps, this will redirect to Zscaler Two Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
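Review bot: step b of the proxy server list still tells the reader to type **gateway.Zscaler Two.net** as the proxy address; the hunk only moves the line. A hostname cannot contain a space, and the value looks like a product-name substitution applied to the `gateway.zscaler.net` address used in the Zscaler tutorial. Please confirm the correct gateway host for this cloud and fix it here, since a reader who copies the value ends up with a proxy setting that cannot resolve. The re-added step 2 also keeps the typo "for open the", which should be "to open the".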
active-directory Zscaler Zscloud Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/zscaler-zscloud-tutorial.md
Title: 'Tutorial: Azure Active Directory integration with Zscaler ZSCloud | Microsoft Docs'
+ Title: "Tutorial: Azure Active Directory integration with Zscaler ZSCloud | Microsoft Docs"
description: Learn how to configure single sign-on between Azure Active Directory and Zscaler ZSCloud.
Last updated 12/21/2020 + # Tutorial: Azure Active Directory integration with Zscaler ZSCloud In this tutorial, you'll learn how to integrate Zscaler ZSCloud with Azure Active Directory (Azure AD). When you integrate Zscaler ZSCloud with Azure AD, you can:
-* Control in Azure AD who has access to Zscaler ZSCloud.
-* Enable your users to be automatically signed-in to Zscaler ZSCloud with their Azure AD accounts.
-* Manage your accounts in one central location - the Azure portal.
+- Control in Azure AD who has access to Zscaler ZSCloud.
+- Enable your users to be automatically signed-in to Zscaler ZSCloud with their Azure AD accounts.
+- Manage your accounts in one central location - the Azure portal.
## Prerequisites To configure Azure AD integration with Zscaler ZSCloud, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/).
-* Zscaler ZSCloud single sign-on enabled subscription.
+- An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/).
+- Zscaler ZSCloud single sign-on enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* Zscaler ZSCloud supports **SP** initiated SSO
+- Zscaler ZSCloud supports **SP** initiated SSO
-* Zscaler ZSCloud supports **Just In Time** user provisioning
+- Zscaler ZSCloud supports **Just In Time** user provisioning
## Adding Zscaler ZSCloud from the gallery
Configure and test Azure AD SSO with Zscaler ZSCloud using a test user called **
To configure and test Azure AD SSO with Zscaler ZSCloud, perform the following steps: 1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
- 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
- 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
1. **[Configure Zscaler ZSCloud SSO](#configure-zscaler-zscloud-sso)** - to configure the single sign-on settings on application side.
- 1. **[Create Zscaler ZSCloud test user](#create-zscaler-zscloud-test-user)** - to have a counterpart of B.Simon in Zscaler ZSCloud that is linked to the Azure AD representation of user.
+ 1. **[Create Zscaler ZSCloud test user](#create-zscaler-zscloud-test-user)** - to have a counterpart of B.Simon in Zscaler ZSCloud that is linked to the Azure AD representation of user.
1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ## Configure Azure AD SSO
Follow these steps to enable Azure AD SSO in the Azure portal.
1. On the **Basic SAML Configuration** section, enter the values for the following fields:
- In the **Sign-on URL** textbox, type the URL used by your users to sign-on to your ZScaler ZSCloud application.
+ In the **Sign-on URL** textbox, type the URL used by your users to sign-on to your ZScaler ZSCloud application.
+
+ > [!NOTE]
+ > You have to update the value with the actual Sign-On URL. Contact [Zscaler ZSCloud Client support team](https://help.zscaler.com/) to get the value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+
+1. Your Zscaler ZSCloud application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes. Click **Edit** icon to open **User Attributes** dialog.
- > [!NOTE]
- > You have to update the value with the actual Sign-On URL. Contact [Zscaler ZSCloud Client support team](https://help.zscaler.com/) to get the value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+ ![Screenshot shows User Attributes with the Edit icon selected.](common/edit-attribute.png)
-5. Your Zscaler ZSCloud application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes. Click **Edit** icon to open **User Attributes** dialog.
+1. In addition to above, Zscaler ZSCloud application expects few more attributes to be passed back in SAML response. In the **User Claims** section on the **User Attributes** dialog, perform the following steps to add SAML token attribute as shown in the below table:
- ![Screenshot shows User Attributes with the Edit icon selected.](common/edit-attribute.png)
+ | Name | Source Attribute |
+ | -- | |
+ | memberOf | user.assignedroles |
-6. In addition to above, Zscaler ZSCloud application expects few more attributes to be passed back in SAML response. In the **User Claims** section on the **User Attributes** dialog, perform the following steps to add SAML token attribute as shown in the below table:
-
- | Name | Source Attribute |
- | | |
- | memberOf | user.assignedroles |
+ a. Click **Add new claim** to open the **Manage user claims** dialog.
- a. Click **Add new claim** to open the **Manage user claims** dialog.
+ ![Screenshot shows User claims with the option to Add new claim.](common/new-save-attribute.png)
- ![Screenshot shows User claims with the option to Add new claim.](common/new-save-attribute.png)
+ ![Screenshot shows the Manage user claims dialog box where you can enter the values described.](common/new-attribute-details.png)
- ![Screenshot shows the Manage user claims dialog box where you can enter the values described.](common/new-attribute-details.png)
+ b. In the **Name** textbox, type the attribute name shown for that row.
- b. In the **Name** textbox, type the attribute name shown for that row.
+ c. Leave the **Namespace** blank.
- c. Leave the **Namespace** blank.
+ d. Select Source as **Attribute**.
- d. Select Source as **Attribute**.
+ e. From the **Source attribute** list, type the attribute value shown for that row.
- e. From the **Source attribute** list, type the attribute value shown for that row.
-
- f. Click **Save**.
+ f. Click **Save**.
- > [!NOTE]
- > Please click [here](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui--preview) to know how to configure Role in Azure AD.
+ > [!NOTE]
+ > Please click [here](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui) to know how to configure Role in Azure AD.
-7. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Certificate (Base64)** from the given options as per your requirement and save it on your computer.
+1. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Certificate (Base64)** from the given options as per your requirement and save it on your computer.
- ![The Certificate download link](common/certificatebase64.png)
+ ![The Certificate download link](common/certificatebase64.png)
-8. On the **Set up Zscaler ZSCloud** section, copy the appropriate URL(s) as per your requirement.
+1. On the **Set up Zscaler ZSCloud** section, copy the appropriate URL(s) as per your requirement.
- ![Copy configuration URLs](common/copy-configuration-urls.png)
+ ![Copy configuration URLs](common/copy-configuration-urls.png)
-### Create an Azure AD test user
+### Create an Azure AD test user
In this section, you'll create a test user in the Azure portal called B.Simon. 1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**. 1. Select **New user** at the top of the screen. 1. In the **User** properties, follow these steps:
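Review bot: The separator row of the claims table in the renumbered step, `| -- | |`, has dashes only in the first column, so the `Name` / `Source Attribute` table may not render as a table. Give both columns a dash run, for example `| --- | --- |`, and confirm the rendered step still shows `memberOf` mapped to `user.assignedroles`.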
- 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **Name** field, enter `B.Simon`.
1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`. 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box. 1. Click **Create**.
In this section, you enable Britta Simon to use Azure single sign-on by granting
4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog. 5. In the **Users and groups** dialog, select the user like **Britta Simon** from the list, then click the **Select** button at the bottom of the screen.
- ![Screenshot shows the Users and groups dialog box where you can select a user.](./media/zscaler-zscloud-tutorial/tutorial_zscalerzscloud_users.png)
+ ![Screenshot shows the Users and groups dialog box where you can select a user.](./media/zscaler-zscloud-tutorial/tutorial_zscalerzscloud_users.png)
6. From the **Select Role** dialog choose the appropriate user role in the list, then click the **Select** button at the bottom of the screen.
- ![Screenshot shows the Select Role dialog box where you can choose a user role.](./media/zscaler-zscloud-tutorial/tutorial_zscalerzscloud_roles.png)
+ ![Screenshot shows the Select Role dialog box where you can choose a user role.](./media/zscaler-zscloud-tutorial/tutorial_zscalerzscloud_roles.png)
7. In the **Add Assignment** dialog select the **Assign** button.
- ![Screenshot shows the Add Assignment dialog box where you can select Assign.](./media/zscaler-zscloud-tutorial/tutorial_zscalerzscloud_assign.png)
+ ![Screenshot shows the Add Assignment dialog box where you can select Assign.](./media/zscaler-zscloud-tutorial/tutorial_zscalerzscloud_assign.png)
- >[!NOTE]
- >Default access role is not supported as this will break provisioning, so the default role cannot be selected while assigning user.
+ > [!NOTE]
+ > Default access role is not supported as this will break provisioning, so the default role cannot be selected while assigning user.
## Configure Zscaler ZSCloud SSO 1. To automate the configuration within Zscaler ZSCloud, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**.
- ![My apps extension](common/install-myappssecure-extension.png)
+ ![My apps extension](common/install-myappssecure-extension.png)
2. After adding extension to the browser, click on **Setup Zscaler ZSCloud** will direct you to the Zscaler ZSCloud application. From there, provide the admin credentials to sign into Zscaler ZSCloud. The browser extension will automatically configure the application for you and automate steps 3-6.
- ![Setup sso](common/setup-sso.png)
+ ![Setup sso](common/setup-sso.png)
3. If you want to setup Zscaler ZSCloud manually, open a new web browser window and sign into your Zscaler ZSCloud company site as an administrator and perform the following steps: 4. Go to **Administration > Authentication > Authentication Settings** and perform the following steps:
-
- ![Screenshot shows the Zscaler site with steps as described.](./media/zscaler-zscloud-tutorial/ic800206.png "Administration")
- a. Under Authentication Type, choose **SAML**.
+ ![Screenshot shows the Zscaler site with steps as described.](./media/zscaler-zscloud-tutorial/ic800206.png "Administration")
- b. Click **Configure SAML**.
+ a. Under Authentication Type, choose **SAML**.
+
+ b. Click **Configure SAML**.
5. On the **Edit SAML** window, perform the following steps: and click Save.
-
- ![Manage Users & Authentication](./media/zscaler-zscloud-tutorial/ic800208.png "Manage Users & Authentication")
-
- a. In the **SAML Portal URL** textbox, Paste the **Login URL** which you have copied from Azure portal.
- b. In the **Login Name Attribute** textbox, enter **NameID**.
+ ![Manage Users & Authentication](./media/zscaler-zscloud-tutorial/ic800208.png "Manage Users & Authentication")
+
+ a. In the **SAML Portal URL** textbox, Paste the **Login URL** which you have copied from Azure portal.
+
+ b. In the **Login Name Attribute** textbox, enter **NameID**.
- c. Click **Upload**, to upload the Azure SAML signing certificate that you have downloaded from Azure portal in the **Public SSL Certificate**.
+ c. Click **Upload**, to upload the Azure SAML signing certificate that you have downloaded from Azure portal in the **Public SSL Certificate**.
- d. Toggle the **Enable SAML Auto-Provisioning**.
+ d. Toggle the **Enable SAML Auto-Provisioning**.
- e. In the **User Display Name Attribute** textbox, enter **displayName** if you want to enable SAML auto-provisioning for displayName attributes.
+ e. In the **User Display Name Attribute** textbox, enter **displayName** if you want to enable SAML auto-provisioning for displayName attributes.
- f. In the **Group Name Attribute** textbox, enter **memberOf** if you want to enable SAML auto-provisioning for memberOf attributes.
+ f. In the **Group Name Attribute** textbox, enter **memberOf** if you want to enable SAML auto-provisioning for memberOf attributes.
- g. In the **Department Name Attribute** Enter **department** if you want to enable SAML auto-provisioning for department attributes.
+ g. In the **Department Name Attribute** Enter **department** if you want to enable SAML auto-provisioning for department attributes.
- h. Click **Save**.
+ h. Click **Save**.
6. On the **Configure User Authentication** dialog page, perform the following steps:
- ![Screenshot shows the Configure User Authentication dialog box with Activate selected.](./media/zscaler-zscloud-tutorial/ic800207.png)
+ ![Screenshot shows the Configure User Authentication dialog box with Activate selected.](./media/zscaler-zscloud-tutorial/ic800207.png)
- a. Hover over the **Activation** menu near the bottom left.
+ a. Hover over the **Activation** menu near the bottom left.
- b. Click **Activate**.
+ b. Click **Activate**.
## Configuring proxy settings+ ### To configure the proxy settings in Internet Explorer 1. Start **Internet Explorer**.
-2. Select **Internet options** from the **Tools** menu for open the **Internet Options** dialog.
-
- ![Internet Options](./media/zscaler-zscloud-tutorial/ic769492.png "Internet Options")
+2. Select **Internet options** from the **Tools** menu for open the **Internet Options** dialog.
+
+ ![Internet Options](./media/zscaler-zscloud-tutorial/ic769492.png "Internet Options")
+
+3. Click the **Connections** tab.
-3. Click the **Connections** tab.
-
- ![Connections](./media/zscaler-zscloud-tutorial/ic769493.png "Connections")
+ ![Connections](./media/zscaler-zscloud-tutorial/ic769493.png "Connections")
4. Click **LAN settings** to open the **LAN Settings** dialog.
-5. In the Proxy server section, perform the following steps:
-
- ![Proxy server](./media/zscaler-zscloud-tutorial/ic769494.png "Proxy server")
+5. In the Proxy server section, perform the following steps:
- a. Select **Use a proxy server for your LAN**.
+ ![Proxy server](./media/zscaler-zscloud-tutorial/ic769494.png "Proxy server")
- b. In the Address textbox, type **gateway.Zscaler ZSCloud.net**.
+ a. Select **Use a proxy server for your LAN**.
- c. In the Port textbox, type **80**.
+ b. In the Address textbox, type **gateway.Zscaler ZSCloud.net**.
- d. Select **Bypass proxy server for local addresses**.
+ c. In the Port textbox, type **80**.
- e. Click **OK** to close the **Local Area Network (LAN) Settings** dialog.
+ d. Select **Bypass proxy server for local addresses**.
-6. Click **OK** to close the **Internet Options** dialog.
+ e. Click **OK** to close the **Local Area Network (LAN) Settings** dialog.
+6. Click **OK** to close the **Internet Options** dialog.
### Create Zscaler ZSCloud test user In this section, a user called Britta Simon is created in Zscaler ZSCloud. Zscaler ZSCloud supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Zscaler ZSCloud, a new one is created after authentication.
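Review bot: The proxy address in step 5b, `gateway.Zscaler ZSCloud.net`, contains a space and cannot be typed as a hostname; the re-indent carries it over unchanged. Replace it with the actual gateway hostname or with a placeholder the reader is told to substitute. Step 5c keeps port **80**, so it would also help to state whether that is the intended port for the gateway.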
->[!Note]
->If you need to create a user manually, contact [Zscaler ZSCloud support team](https://help.zscaler.com/).
-
-### Test SSO
+> [!Note]
+> If you need to create a user manually, contact [Zscaler ZSCloud support team](https://help.zscaler.com/).
-In this section, you test your Azure AD single sign-on configuration with following options.
+### Test SSO
-* Click on **Test this application** in Azure portal. This will redirect to Zscaler ZSCloud Sign-on URL where you can initiate the login flow.
+In this section, you test your Azure AD single sign-on configuration with following options.
-* Go to Zscaler ZSCloud Sign-on URL directly and initiate the login flow from there.
+- Click on **Test this application** in Azure portal. This will redirect to Zscaler ZSCloud Sign-on URL where you can initiate the login flow.
-* You can use Microsoft My Apps. When you click the Zscaler ZSCloud tile in the My Apps, this will redirect to Zscaler ZSCloud Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
+- Go to Zscaler ZSCloud Sign-on URL directly and initiate the login flow from there.
+- You can use Microsoft My Apps. When you click the Zscaler ZSCloud tile in the My Apps, this will redirect to Zscaler ZSCloud Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
aks Enable Host Encryption https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/enable-host-encryption.md
-# Host-based encryption on Azure Kubernetes Service (AKS) (preview)
+# Host-based encryption on Azure Kubernetes Service (AKS)
With host-based encryption, the data stored on the VM host of your AKS agent nodes' VMs is encrypted at rest and flows encrypted to the Storage service. This means the temp disks are encrypted at rest with platform-managed keys. The cache of OS and data disks is encrypted at rest with either platform-managed keys or customer-managed keys depending on the encryption type set on those disks. By default, when using AKS, OS and data disks are encrypted at rest with platform-managed keys, meaning that the caches for these disks are also by default encrypted at rest with platform-managed keys. You can specify your own managed keys following [Bring your own keys (BYOK) with Azure disks in Azure Kubernetes Service](azure-disk-customer-managed-keys.md). The cache for these disks will then also be encrypted using the key that you specify in this step.
This feature can only be set at cluster creation or node pool creation time.
### Prerequisites -- Ensure you have the `aks-preview` CLI extension v0.4.73 or higher version installed.-- Ensure you have the `EnableEncryptionAtHostPreview` feature flag under `Microsoft.ContainerService` enabled.-
-You must enable the feature for your subscription before you use the EncryptionAtHost property for your Azure Kubernetes Service cluster. Please follow the steps below to enable the feature for your subscription:
-
-1. Execute the following command to register the feature for your subscription
-
-```azurecli-interactive
-Register-AzProviderFeature -FeatureName "EncryptionAtHost" -ProviderNamespace "Microsoft.Compute"
-```
-2. Please check that the registration state is Registered (takes a few minutes) using the command below before trying out the feature.
-
-```azurecli-interactive
-Get-AzProviderFeature -FeatureName "EncryptionAtHost" -ProviderNamespace "Microsoft.Compute"
-```
-
-### Install aks-preview CLI extension
-
-To create an AKS cluster that host-based encryption, you need the latest *aks-preview* CLI extension. Install the *aks-preview* Azure CLI extension using the [az extension add][az-extension-add] command, or check for any available updates using the [az extension update][az-extension-update] command:
-
-```azurecli-interactive
-# Install the aks-preview extension
-az extension add --name aks-preview
-
-# Update the extension to make sure you have the latest version installed
-az extension update --name aks-preview
-```
+- The Azure CLI version 2.23.0 or later
### Limitations
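Review bot: The removed prerequisites told the reader to register the `EncryptionAtHost` feature under `Microsoft.Compute` and wait for the state to read Registered, while the replacement lists only the Azure CLI version. If that subscription-level registration is still required now that the `aks-preview` extension and the `EnableEncryptionAtHostPreview` flag are gone, keep the step; if it is not, say so, because a reader coming from the old text cannot tell whether `--enable-encryption-at-host` will work on a subscription that never registered the feature.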
az extension update --name aks-preview
- Can only be enabled in [Azure regions][supported-regions] that support server-side encryption of Azure managed disks and only with specific [supported VM sizes][supported-sizes]. - Requires an AKS cluster and node pool based on Virtual Machine Scale Sets(VMSS) as *VM set type*.
-## Use host-based encryption on new clusters (preview)
+## Use host-based encryption on new clusters
Configure the cluster agent nodes to use host-based encryption when the cluster is created.
az aks create --name myAKSCluster --resource-group myResourceGroup -s Standard_D
If you want to create clusters without host-based encryption, you can do so by omitting the `--enable-encryption-at-host` parameter.
-## Use host-based encryption on existing clusters (preview)
+## Use host-based encryption on existing clusters
You can enable host-based encryption on existing clusters by adding a new node pool to your cluster. Configure a new node pool to use host-based encryption by using the `--enable-encryption-at-host` parameter.
automanage Automanage Linux https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automanage/automanage-linux.md
For all of these services, we will auto-onboard, auto-configure, monitor for dri
Automanage supports the following Linux distributions and versions: -- CentOS 7.3+-- RHEL 7.4+
+- CentOS 7.3+, 8
+- RHEL 7.4+, 8
- Ubuntu 16.04 and 18.04 - SLES 12 (SP3-SP5 only)
automanage Automanage Windows Server https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automanage/automanage-windows-server.md
Automanage supports the following Windows Server versions:
|[VM Insights Monitoring](../azure-monitor/vm/vminsights-overview.md) |Azure Monitor for VMs monitors the performance and health of your virtual machines, including their running processes and dependencies on other resources. Learn [more](../azure-monitor/vm/vminsights-overview.md). |Production |No | |[Backup](../backup/backup-overview.md) |Azure Backup provides independent and isolated backups to guard against unintended destruction of the data on your VMs. Learn [more](../backup/backup-azure-vms-introduction.md). Charges are based on the number and size of VMs being protected. Learn [more](https://azure.microsoft.com/pricing/details/backup/). |Production |Yes | |[Azure Security Center](../security-center/security-center-introduction.md) |Azure Security Center is a unified infrastructure security management system that strengthens the security posture of your data centers, and provides advanced threat protection across your hybrid workloads in the cloud. Learn [more](../security-center/security-center-introduction.md). Automanage will configure the subscription where your VM resides to the free-tier offering of Azure Security Center. If your subscription is already onboarded to Azure Security Center, then Automanage will not reconfigure it. |Production, Dev/Test |No |
-|[Microsoft Antimalware](../security/fundamentals/antimalware.md) |Microsoft Antimalware for Azure is a free real-time protection that helps identify and remove viruses, spyware, and other malicious software. It generates alerts when known malicious or unwanted software tries to install itself or run on your Azure systems. Learn [more](../security/fundamentals/antimalware.md). |Production, Dev/Test |Yes |
+|[Microsoft Antimalware](../security/fundamentals/antimalware.md) |Microsoft Antimalware for Azure is a free real-time protection that helps identify and remove viruses, spyware, and other malicious software. It generates alerts when known malicious or unwanted software tries to install itself or run on your Azure systems. **Note:** Microsoft Antimalware requires that there be no other antimalware software installed, or it may fail to work. Learn [more](../security/fundamentals/antimalware.md). |Production, Dev/Test |Yes |
|[Update Management](../automation/update-management/overview.md) |You can use Update Management in Azure Automation to manage operating system updates for your virtual machines. You can quickly assess the status of available updates on all agent machines and manage the process of installing required updates for servers. Learn [more](../automation/update-management/overview.md). |Production, Dev/Test |No | |[Change Tracking & Inventory](../automation/change-tracking/overview.md) |Change Tracking and Inventory combines change tracking and inventory functions to allow you to track virtual machine and server infrastructure changes. The service supports change tracking across services, daemons software, registry, and files in your environment to help you diagnose unwanted changes and raise alerts. Inventory support allows you to query in-guest resources for visibility into installed applications and other configuration items. Learn [more](../automation/change-tracking/overview.md). |Production, Dev/Test |No | |[Azure Guest Configuration](../governance/policy/concepts/guest-configuration.md) | Guest Configuration policy is used to monitor the configuration and report on the compliance of the machine. The Automanage service will install the [Windows security baselines](/windows/security/threat-protection/windows-security-baselines) using the Guest Configuration extension. For Windows machines, the guest configuration service will automatically reapply the baseline settings if they are out of compliance. Learn [more](../governance/policy/concepts/guest-configuration.md). |Production, Dev/Test |No |
automation Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/change-tracking/overview.md
Title: Azure Automation Change Tracking and Inventory overview
description: This article describes the Change Tracking and Inventory feature, which helps you identify software and Microsoft service changes in your environment. Previously updated : 05/04/2021 Last updated : 05/06/2021
Change Tracking and Inventory doesn't support or has the following limitations:
- Different installation methods - ***.exe** files stored on Windows - The **Max File Size** column and values are unused in the current implementation.
+- If you are tracking file changes, it is limited to a file size of 5 MB or less.
- If you try to collect more than 2500 files in a 30-minute collection cycle, Change Tracking and Inventory performance might be degraded. - If network traffic is high, change records can take up to six hours to display. - If you modify a configuration while a machine or server is shut down, it might post changes belonging to the previous configuration.
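Review bot: The added bullet "If you are tracking file changes, it is limited to a file size of 5 MB or less" has no clear subject for "it" and does not say what happens to larger files. State the behaviour for files over 5 MB explicitly, and reconcile the bullet with the one above it that calls the **Max File Size** column unused, since readers relying on file change tracking need to know which files fall outside it.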
azure-arc Azure Rbac https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/kubernetes/azure-rbac.md
After the proxy process is running, you can open another tab in your console to
An administrator needs to create a new role assignment authorizing this user to have access on the resource.
+## Use Conditional Access with Azure AD
+
+When integrating Azure AD with your Arc enabled Kubernetes cluster, you can also use [Conditional Access](../../active-directory/conditional-access/overview.md) to control access to your cluster.
+
+> [!NOTE]
+> Azure AD Conditional Access is an Azure AD Premium capability.
+
+To create an example Conditional Access policy to use with the cluster, complete the following steps:
+
+1. At the top of the Azure portal, search for and select Azure Active Directory.
+1. In the menu for Azure Active Directory on the left-hand side, select *Enterprise applications*.
+1. In the menu for Enterprise applications on the left-hand side, select *Conditional Access*.
+1. In the menu for Conditional Access on the left-hand side, select *Policies* then *New policy*.
+1. In the menu for Conditional Access on the left-hand side, select *Policies* then *New policy*.
+
+ [ ![Adding conditional access policy](./media/azure-rbac/conditional-access-new-policy.png) ](./media/azure-rbac/conditional-access-new-policy.png#lightbox)
+
+1. Enter a name for the policy such as *arc-k8s-policy*.
+1. Select *Users and groups*, then under *Include* select *Select users and groups*. Choose the users and groups where you want to apply the policy. For this example, choose the same Azure AD group that has administration access to your cluster.
+
+ [ ![Selecting users or groups to apply the Conditional Access policy](./media/azure-rbac/conditional-access-users-groups.png) ](./media/azure-rbac/conditional-access-users-groups.png#lightbox)
+
+1. Select *Cloud apps or actions*, then under *Include* select *Select apps*. Search and select the server application you created earlier.
+
+ [ ![Select server application for applying the Conditional Access policy](./media/azure-rbac/conditional-access-apps.png) ](./media/azure-rbac/conditional-access-apps.png#lightbox)
+
+1. Under *Access controls*, select *Grant*. Select *Grant access* then *Require device to be marked as compliant*.
+
+ [ ![Selecting to only allow compliant devices for the Conditional Access policy](./media/azure-rbac/conditional-access-grant-compliant.png) ](./media/azure-rbac/conditional-access-grant-compliant.png#lightbox)
+
+1. Under *Enable policy*, select *On* then *Create*.
+
+ [ ![Enabling the Conditional Access policy](./media/azure-rbac/conditional-access-enable-policies.png) ](./media/azure-rbac/conditional-access-enable-policies.png#lightbox)
+
+Access the cluster again. For example by running `kubectl get nodes` command to view nodes in the cluster:
+
+```console
+kubectl get nodes
+```
+
+Follow the instructions to sign in again. Notice there is an error message stating you are successfully logged in, but your admin requires the device requesting access to be managed by your Azure AD to access the resource.
+
+In the Azure portal, navigate to Azure Active Directory, select *Enterprise applications* then under *Activity* select *Sign-ins*. Notice an entry at the top with a *Status* of *Failed* and a *Conditional Access* of *Success*. Select the entry then select *Conditional Access* in *Details*. Notice your Conditional Access policy is listed.
+
+[ ![Failed sign-in entry due to Conditional Access policy](./media/azure-rbac/conditional-access-sign-in-activity.png) ](./media/azure-rbac/conditional-access-sign-in-activity.png#lightbox)
+
+## Configure just-in-time cluster access with Azure AD
+
+Another option for cluster access control is to use Privileged Identity Management (PIM) for just-in-time requests.
+
+>[!NOTE]
+> PIM is an Azure AD Premium capability requiring a Premium P2 SKU. For more on Azure AD SKUs, see the [pricing guide](https://azure.microsoft.com/pricing/details/active-directory/).
+
+To configure just-in-time access requests for your cluster, complete the following steps:
+
+1. At the top of the Azure portal, search for and select Azure Active Directory.
+1. Take note of the Tenant ID, referred to for the rest of these instructions as `<tenant-id>
+
+ [ ![AAD tenant details](./media/azure-rbac/jit-get-tenant-id.png) ](./media/azure-rbac/jit-get-tenant-id.png#lightbox)
+
+1. In the menu for Azure Active Directory on the left-hand side, under *Manage* select *Groups* then *New Group*.
+
+ [ ![Select new group](./media/azure-rbac/jit-create-new-group.png) ](./media/azure-rbac/jit-create-new-group.png#lightbox)
+
+1. Make sure a Group Type of *Security* is selected and enter a group name, such as *myJITGroup*. Under *Azure AD Roles can be assigned to this group (Preview)*, select *Yes*. Finally, select *Create*.
+
+ [ ![New group creation](./media/azure-rbac/jit-new-group-created.png) ](./media/azure-rbac/jit-new-group-created.png#lightbox)
+
+1. You will be brought back to the *Groups* page. Select your newly created group and take note of the Object ID, referred to for the rest of these instructions as `<object-id>`.
+
+ [ ![Created group](./media/azure-rbac/jit-get-object-id.png) ](./media/azure-rbac/jit-get-object-id.png#lightbox)
+
+1. Back in the Azure portal, in the menu for *Activity* on the left-hand side, select *Privileged Access (Preview)* and select *Enable Privileged Access*.
+
+ [ ![Enable privileged access](./media/azure-rbac/jit-enabling-priv-access.png) ](./media/azure-rbac/jit-enabling-priv-access.png#lightbox)
+
+1. Select *Add Assignments* to begin granting access.
+
+ [ ![Add active assignment](./media/azure-rbac/jit-add-active-assignment.png) ](./media/azure-rbac/jit-add-active-assignment.png#lightbox)
+
+1. Select a role of *member*, and select the users and groups to whom you wish to grant cluster access. These assignments can be modified at any time by a group admin. When you're ready to move on, select *Next*.
+
+ [ ![Adding assignment](./media/azure-rbac/jit-adding-assignment.png) ](./media/azure-rbac/jit-adding-assignment.png#lightbox)
+
+1. Choose an assignment type of *Active*, the desired duration, and provide a justification. When you're ready to proceed, select *Assign*. For more on assignment types, see [Assign eligibility for a privileged access group (preview) in Privileged Identity Management](../../active-directory/privileged-identity-management/groups-assign-member-owner.md#assign-an-owner-or-member-of-a-group).
+
+ [ ![Choosing properties for assignment](./media/azure-rbac/jit-set-active-assignment.png) ](./media/azure-rbac/jit-set-active-assignment.png#lightbox)
+
+Once the assignments have been made, verify just-in-time access is working by accessing the cluster. For example:
+
+Use the `kubectl get nodes` command to view nodes in the cluster:
+
+```console
+kubectl get nodes
+```
+
+Note the authentication requirement and follow the steps to authenticate. If successful, you should see output similar to the following:
+
+```output
+To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code AAAAAAAAA to authenticate.
+
+NAME STATUS ROLES AGE VERSION
+node-1 Ready agent 6m36s v1.18.14
+node-2 Ready agent 6m42s v1.18.14
+node-3 Ready agent 6m33s v1.18.14
+```
## Next steps
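Review bot: In the Conditional Access steps, the line `1. In the menu for Conditional Access on the left-hand side, select *Policies* then *New policy*.` appears twice in a row; drop the second copy. In the just-in-time steps, the `<tenant-id>` placeholder in "Take note of the Tenant ID" is missing its closing backtick and full stop, so the following text may be pulled into code formatting. "Access the cluster again. For example by running `kubectl get nodes` command" is also a sentence fragment and could be joined into one sentence.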
azure-arc Manage Vm Extensions Powershell https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/servers/manage-vm-extensions-powershell.md
Title: Enable VM extension using Azure PowerShell description: This article describes how to deploy virtual machine extensions to Azure Arc enabled servers running in hybrid cloud environments using Azure PowerShell. Previously updated : 04/13/2021 Last updated : 05/06/2021
The following example enables the Log Analytics VM extension on a Arc enabled Li
```powershell PS C:\> $Setting = @{ "workspaceId" = "workspaceId" } PS C:\> $protectedSetting = @{ "workspaceKey" = "workspaceKey" }
-PS C:\> New-AzConnectedMachineExtension -Name OMSLinuxAgent -ResourceGroupName "myResourceGroup" -MachineName "myMachine" -Location "eastus" -Publisher "Microsoft.EnterpriseCloud.Monitoring" -TypeHandlerVersion "1.10" -Settings $Setting -ProtectedSetting $protectedSetting -ExtensionType "OmsAgentForLinux"
+PS C:\> New-AzConnectedMachineExtension -Name OMSLinuxAgent -ResourceGroupName "myResourceGroup" -MachineName "myMachine" -Location "eastus" -Publisher "Microsoft.EnterpriseCloud.Monitoring" -Settings $Setting -ProtectedSetting $protectedSetting -ExtensionType "OmsAgentForLinux"
``` To enable the Log Analytics VM extension on an Arc enabled Windows server, change the value for the `-ExtensionType` parameter to `"MicrosoftMonitoringAgent"` in the previous example.
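Review bot: With `-TypeHandlerVersion "1.10"` removed from the `New-AzConnectedMachineExtension` call, the example no longer tells the reader which version of `OmsAgentForLinux` ends up on the machine. Add a sentence next to the example saying what version is installed when the parameter is omitted and how to pin one, since the installed extension version matters for patch tracking and audit.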
The following example enables the Custom Script Extension on an Arc enabled serv
```powershell PS C:\> $Setting = @{ "commandToExecute" = "powershell.exe -c Get-Process" }
-PS C:\> New-AzConnectedMachineExtension -Name custom -ResourceGroupName myResourceGroup -MachineName myMachineName -Location eastus -Publisher "Microsoft.Compute" -TypeHandlerVersion 1.10 -Settings $Setting -ExtensionType CustomScriptExtension
+PS C:\> New-AzConnectedMachineExtension -Name custom -ResourceGroupName myResourceGroup -MachineName myMachineName -Location eastus -Publisher "Microsoft.Compute" -Settings $Setting -ExtensionType CustomScriptExtension
``` ### Key Vault VM extension (preview)
azure-arc Manage Vm Extensions Template https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/servers/manage-vm-extensions-template.md
To use the Azure Monitor Dependency agent extension, the following sample is pro
"properties": { "publisher": "Microsoft.Azure.Monitoring.DependencyAgent", "type": "DependencyAgentLinux",
- "typeHandlerVersion": "9.5",
"autoUpgradeMinorVersion": true } }
To use the Azure Monitor Dependency agent extension, the following sample is pro
"properties": { "publisher": "Microsoft.Azure.Monitoring.DependencyAgent", "type": "DependencyAgentWindows",
- "typeHandlerVersion": "9.5",
"autoUpgradeMinorVersion": true } }
The following JSON shows the schema for the Key Vault VM extension (preview). Th
"properties": { "publisher": "Microsoft.Azure.KeyVault", "type": "KeyVaultForLinux",
- "typeHandlerVersion": "1.0",
"autoUpgradeMinorVersion": true, "settings": { "secretsManagementSettings": {
The following JSON shows the schema for the Key Vault VM extension (preview). Th
"properties": { "publisher": "Microsoft.Azure.KeyVault", "type": "KeyVaultForWindows",
- "typeHandlerVersion": "1.0",
"autoUpgradeMinorVersion": true, "settings": { "secretsManagementSettings": {
azure-arc Plan Evaluate On Azure Virtual Machine https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/servers/plan-evaluate-on-azure-virtual-machine.md
+
+ Title: How to evaluate Azure Arc enabled servers with an Azure VM
+description: Learn how to evaluate Azure Arc enabled servers using an Azure virtual machine.
Last updated : 05/06/2021+++
+# Evaluate Arc enabled servers on an Azure virtual machine
+
+Azure Arc enabled servers is designed to help you connect servers running on-premises or in other clouds to Azure. Normally, you would not use Azure Arc enabled servers on an Azure virtual machine because all the same capabilities are natively available for these VMs, including a representation of the VM in Azure Resource Manager, VM extensions, managed identities, and Azure Policy. If you attempt to install Azure Arc enabled servers on an Azure VM, you'll receive an error message stating that it is unsupported and the agent installation will be canceled.
+
+While you cannot install Azure Arc enabled servers on an Azure VM for production scenarios, it is possible to configure Azure Arc enabled servers to run on an Azure VM for *evaluation and testing purposes only*. This article will help you set up an Azure VM before you can enable Azure Arc enabled servers on it.
+
+## Prerequisites
+
+* Your account is assigned to the [Virtual Machine Contributor](../../role-based-access-control/built-in-roles.md#virtual-machine-contributor) role.
+* The Azure virtual machine is running an [operating system supported by Arc enabled servers](agent-overview.md#supported-operating-systems). If you don't have an Azure VM, you can deploy a [simple Windows VM](https://portal.azure.com/#create/Microsoft.Template/uri/https%3a%2f%2fraw.githubusercontent.com%2fAzure%2fazure-quickstart-templates%2fmaster%2f101-vm-simple-windows%2fazuredeploy.json) or a [simple Ubuntu Linux 18.04 LTS VM](https://portal.azure.com/#create/Microsoft.Template/uri/https%3a%2f%2fraw.githubusercontent.com%2fAzure%2fazure-quickstart-templates%2fmaster%2f101-vm-simple-linux%2fazuredeploy.json).
+* Your Azure VM can communicate outbound to download the Azure Connected Machine agent package for Windows from the [Microsoft Download Center](https://aka.ms/AzureConnectedMachineAgent), and Linux from the Microsoft [package repository](https://packages.microsoft.com/). If outbound connectivity to the Internet is restricted following your IT security policy, you will need to download the agent package manually and copy it to a folder on the Azure VM.
+* An account with elevated (that is, an administrator or as root) privileges on the VM, and RDP or SSH access to the VM.
+* To register and manage the Azure VM with Arc enabled servers, you are a member of the [Azure Connected Machine Resource Administrator](../../role-based-access-control/built-in-roles.md#azure-connected-machine-resource-administrator) or [Contributor](../../role-based-access-control/built-in-roles.md#contributor) role in the resource group.
+
+## Plan
+
+To start managing your Azure VM as an Arc enabled server, you need to make the following changes to the Azure VM before you can install and configure Arc enabled servers.
+
+1. Remove any VM extensions deployed to the Azure VM, such as the Log Analytics agent. While Arc enabled servers support many of the same extensions as Azure VMs, the Arc enabled servers agent can't manage VM extensions already deployed to the VM.
+
+2. Disable the Azure Windows or Linux Guest Agent. The Azure VM guest agent serves a similar purpose to the Azure Arc enabled servers Connected Machine agent. To avoid conflicts between the two, the Azure VM Agent needs to be disabled. Once it is disabled, you cannot use VM extensions or some Azure services.
+
+3. Create a security rule to deny access to the Azure Instance Metadata Service (IMDS). IMDS is a REST API that applications can call to get information about the VM's representation in Azure, including its resource ID and location. IMDS also provides access to any managed identities assigned to the machine. Azure Arc enabled servers provides its own IMDS implementation and returns information about the Azure Arc representation of the VM. To avoid situations where both IMDS endpoints are available and apps have to choose between the two, you block access to the Azure VM IMDS so that the Azure Arc enabled server IMDS implementation is the only one available.
+
+After you've made these changes, your Azure VM behaves like any machine or server outside of Azure and is at the necessary starting point to install and evaluate Azure Arc enabled servers.
+
+When Arc enabled servers is configured on the VM, you see two representations of it in Azure. One is the Azure VM resource, with a `Microsoft.Compute/virtualMachines` resource type, and the other is an Azure Arc resource, with a `Microsoft.HybridCompute/machines` resource type. As a result of preventing management of the guest operating system from the shared physical host server, the best way to think about the two resources is the Azure VM resource is the virtual hardware for your VM, and let's you control the power state and view information about its SKU, network, and storage configurations. The Azure Arc resource manages the guest operating system in that VM, and can be used to install extensions, view compliance data for Azure Policy, and complete any other supported task by Arc enabled servers.
+
+## Reconfigure Azure VM
+
+1. Remove any VM extensions on the Azure VM.
+
+ In the Azure portal, navigate to your Azure VM resource and from the left-hand pane, select **Extensions**. If there are any extensions installed on the VM, select each extension individually and then select **Uninstall**. Wait for all extensions to finish uninstalling before proceeding to step 2.
+
+2. Disable the Azure VM Guest Agent.
+
+ To disable the Azure VM Guest Agent, you'll need to connect to your VM using Remote Desktop Connection (Windows) or SSH (Linux). Once connected, run the following commands to disable the guest agent.
+
+ For Windows, run the following PowerShell commands:
+
+ ```powershell
+ Set-Service WindowsAzureGuestAgent -StartupType Disabled -Verbose
+ Stop-Service WindowsAzureGuestAgent -Force -Verbose
+ ```
+
+ For Linux, run the following commands:
+
+ ```bash
+ sudo service walinuxagent stop
+ sudo waagent -deprovision -force
+ sudo rm -rf /var/lib/waagent
+ ```
+
+3. Block access to the Azure IMDS endpoint.
+
+ While still connected to the server, run the following commands to block access to the Azure IMDS endpoint. For Windows, run the following PowerShell command:
+
+ ```powershell
+ New-NetFirewallRule -Name BlockAzureIMDS -DisplayName "Block access to Azure IMDS" -Enabled True -Profile Any -Direction Outbound -Action Block -RemoteAddress 169.254.169.254
+ ```
+
+ For Linux, consult your distribution's documentation for the best way to block outbound access to `169.254.169.254/32` over TCP port 80. Normally you'll block outbound access with the built-in firewall, but you can also temporarily block it with **iptables** or **nftables**.
+
+ If your Azure VM is running Ubuntu, perform the following steps to configure its uncomplicated firewall (UFW):
+
+ ```bash
+ sudo ufw --force enable
+ sudo ufw deny out from any to 169.254.169.254
+ sudo ufw default allow incoming
+ sudo apt-get update
+ ```
++
+ To configure a generic iptables configuration, run the following command:
+
+ ```bash
+ iptables -A OUTPUT -d 169.254.169.254 -j DROP
+ ```
+
+ > [!NOTE]
+ > This configuration needs to be set after every reboot unless a persistent iptables solution is used.
+
+4. Install and configure the Azure Arc enabled servers agent.
+
+ The VM is now ready for you to begin evaluating Arc enabled servers. To install and configure the Arc enabled servers agent, see [Connect hybrid machines using the Azure portal](onboard-portal.md) and follow the steps to generate an installation script and install using the scripted method.
+
+ > [!NOTE]
+ > If outbound connectivity to the internet is restricted from your Azure VM, you'll need to download the agent package manually. Copy the agent package to the Azure VM, and modify the Arc enabled servers installation script to reference the source folder.
+
+If you missed one of the steps, the installation script detects it is running on an Azure VM and terminates with an error. Verify you've completed steps 1-3, and then rerun the script.
+
+## Verify the connection with Azure Arc
+
+After you install and configure the agent to register with Azure Arc enabled servers, go to the Azure portal to verify that the server has successfully connected. View your machine in the [Azure portal](https://portal.azure.com).
+
+![A successful server connection](./media/onboard-portal/arc-for-servers-successful-onboard.png)
+
+## Next steps
+
+* Learn [how to plan and enable a large number of machines to Azure Arc enabled servers](plan-at-scale-deployment.md) to simplify configuration of essential security management and monitoring capabilities in Azure.
+
+* Learn about our [supported Azure VM extensions](manage-vm-extensions.md) available to simplify deployment with other Azure services like Automation, KeyVault, and others for your Windows or Linux machine.
+
+* When you have finished testing, see [Remove Arc enabled servers agent](manage-agent.md#remove-the-agent).
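Review bot: in the Ubuntu UFW block of step 3, `sudo ufw --force enable` runs before `sudo ufw default allow incoming`, so the firewall comes up with whatever incoming default is already configured and a reader working over SSH can be refused new inbound connections between the two commands. Set the default first and then enable, and say explicitly that `default allow incoming` leaves inbound filtering to controls outside the VM. `sudo apt-get update` has nothing to do with the firewall and can go. In the same step the text says to block `169.254.169.254/32` over TCP port 80, while the `iptables` line drops every protocol to that address and is missing `sudo`; make the text and the command agree. The Plan section also has "let's you control" for "lets you control".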
azure-cache-for-redis Cache How To Geo Replication https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-cache-for-redis/cache-how-to-geo-replication.md
Some features aren't supported with geo-replication:
After geo-replication is configured, the following restrictions apply to your linked cache pair: -- The secondary linked cache is read-only; you can read from it, but you can't write any data to it. If you choose to read from the Geo-Secondary instance, it is important to note that whenever a full data sync is happening between the Geo-Primary and the Geo-Secondary (happens when either Geo-Primary or Geo-Secondary is updated and on some reboot scenarios as well), the Geo-Secondary instance will throw erorrs (stating that a full data sync is in progress) on any Redis operation against it until the full data sync between Geo-Primary and Geo-Secondary is complete. Applications reading from Geo-Seocndary should be built to fall back to the Geo-Primary whenever the Geo-Seocndary is throwing such errors.
+- The secondary linked cache is read-only; you can read from it, but you can't write any data to it. If you choose to read from the Geo-Secondary instance, it is important to note that whenever a full data sync is happening between the Geo-Primary and the Geo-Secondary (happens when either Geo-Primary or Geo-Secondary is updated and on some reboot scenarios as well), the Geo-Secondary instance will throw erorrs (stating that a full data sync is in progress) on any Redis operation against it until the full data sync between Geo-Primary and Geo-Secondary is complete. Applications reading from Geo-Secondary should be built to fall back to the Geo-Primary whenever the Geo-Secondary is throwing such errors.
- Any data that was in the secondary linked cache before the link was added is removed. If the geo-replication is later removed however, the replicated data remains in the secondary linked cache. - You can't [scale](cache-how-to-scale.md) either cache while the caches are linked. - You can't [change the number of shards](cache-how-to-premium-clustering.md) if the cache has clustering enabled.
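Review bot: the replacement bullet fixes "Geo-Seocndary" but still reads "will throw erorrs"; correct that to "errors" in the same change. The fallback requirement in the last sentence is easy to miss at the end of such a long bullet, so consider giving it a bullet of its own.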
azure-functions Functions Kubernetes Keda https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/functions-kubernetes-keda.md
To run Functions on your Kubernetes cluster, you must install the KEDA component
### Installing with Helm
-There are various ways to install KEDA in any Kubernetes cluster including Helm. Deployment options are documented on the [KEDA site](https://keda.sh/docs/1.4/deploy/).
+There are various ways to install KEDA in any Kubernetes cluster including Helm. Deployment options are documented on the [KEDA site](https://keda.sh/docs/deploy/).
## Deploying a function app to Kubernetes
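Review bot: the link now points at `https://keda.sh/docs/deploy/` with no version segment, so it follows whatever KEDA release is current. Name the KEDA version this article's steps were validated against in the sentence itself, so readers can tell when the linked instructions no longer match.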
kubectl delete secret <name-of-function-deployment>
## Uninstalling KEDA from Kubernetes
-Steps to uninstall KEDA are documented [on the KEDA site](https://keda.sh/docs/1.4/deploy/).
+Steps to uninstall KEDA are documented [on the KEDA site](https://keda.sh/docs/deploy/).
## Supported triggers in KEDA
azure-functions Functions Kubernetes Keda https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-glossary-cloud-terminology.md
The agreement that describes MicrosoftΓÇÖs commitments for uptime and connectivi
See [Service Level Agreements](https://azure.microsoft.com/support/legal/sla/) ## <a name="sas"></a>shared access signature (SAS)
-A signature that enables you to grant limited access to a resource, without exposing your account key. For example, [Azure Storage uses SAS](./storage/common/storage-sas-overview.md) to grant client access to objects such as blobs. [IoT Hub uses SAS](iot-hub/iot-hub-devguide-security.md#security-tokens) to grant devices permission to send telemetry.
+A signature that enables you to grant limited access to a resource, without exposing your account key. For example, [Azure Storage uses SAS](./storage/common/storage-sas-overview.md) to grant client access to objects such as blobs. [IoT Hub uses SAS](iot-hub/iot-hub-dev-guide-sas.md#security-tokens) to grant devices permission to send telemetry.
## storage account An account that gives you access to the Azure Blob, Queue, Table, and File services in Azure Storage. The storage account name defines the unique namespace for Azure Storage data objects.
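Review bot: the new target `iot-hub/iot-hub-dev-guide-sas.md#security-tokens` keeps the old `#security-tokens` fragment; confirm that heading exists in the new file, otherwise the link lands at the top of the page. The Azure Storage link in the same sentence uses a `./` prefix and this one does not, so pick one form.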
azure-monitor Action Groups https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/alerts/action-groups.md
While setting up *Email ARM Role* you need to make sure below 3 conditions are m
2. The assignment needs to be done at the **subscription** level. 3. The user needs to have an email configured in their **AAD profile**.
+> [!NOTE]
+> It can take upto **24 hours** for customer to start receiving notifications after they add new ARM Role to their subscription.
### Function Calls an existing HTTP trigger endpoint in [Azure Functions](../../azure-functions/functions-get-started.md). To handle a request, your endpoint must handle the HTTP POST verb.
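Review bot: the added note has "upto" for "up to" and drops articles ("for customer", "add new ARM Role"). Suggested wording: "It can take up to **24 hours** for a user to start receiving notifications after a new ARM role is added to their subscription." It would also help to say whether alerts fired during that window are delivered later or not at all.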
azure-monitor Pricing https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/app/pricing.md
Previously updated : 3/30/2021 Last updated : 5/05/2021
The volume of data you send can be managed using the following techniques:
* **Daily cap**: When you create an Application Insights resource in the Azure portal, the daily cap is set to 100 GB/day. When you create an Application Insights resource in Visual Studio, the default is small (only 32.3 MB/day). The daily cap default is set to facilitate testing. It's intended that the user will raise the daily cap before deploying the app into production.
- The maximum cap is 1,000 GB/day unless you request a higher maximum for a high-traffic application.
-
+ The maximum cap in Application Insights is 1,000 GB/day unless you request a higher maximum for a high-traffic application.
+
+ > [!TIP]
+ > If you have a workspace-based Application Insights resource, we recommend using the [workspace's daily cap](../logs/manage-cost-storage.md#manage-your-maximum-daily-data-volume) to limit ingestion and costs instead of the cap in Application Insights.
+ Warning emails about the daily cap are sent to account that are members of these roles for your Application Insights resource: "ServiceAdmin", "AccountAdmin", "CoAdmin", "Owner". Use care when you set the daily cap. Your intent should be to *never hit the daily cap*. If you hit the daily cap, you lose data for the remainder of the day, and you can't monitor your application. To change the daily cap, use the **Daily volume cap** option. You can access this option in the **Usage and estimated costs** pane (this is described in more detail later in the article).
The volume of data you send can be managed using the following techniques:
You can use the daily volume cap to limit the data collected. However, if the cap is met, a loss of all telemetry sent from your application for the remainder of the day occurs. It is *not advisable* to have your application hit the daily cap. You can't track the health and performance of your application after it reaches the daily cap.
+> [!WARNING]
+> If you have a workspace-based Application Insights resource, we recommend using the [workspace's daily cap](../logs/manage-cost-storage.md#manage-your-maximum-daily-data-volume) to limit ingestion and costs. The daily cap in Application Insights may not limit ingestion in all cases to the selected level. (If your Application Insights resource is ingesting a lot of data, the Application Insights daily cap might need to be raised.)
+ Instead of using the daily volume cap, use [sampling](./sampling.md) to tune the data volume to the level you want. Then, use the daily cap only as a "last resort" in case your application unexpectedly begins to send much higher volumes of telemetry. ### Identify what daily data limit to define
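Review bot: the warning says the Application Insights daily cap "may not limit ingestion in all cases" without naming the cases, and the parenthetical about raising the cap reads as contradicting the advice to limit ingestion. Say in which situations the cap is not enforced and how the two caps interact on a workspace-based resource. The TIP added under **Daily cap** repeats the same recommendation and could link here instead.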
azure-monitor Logs Data Export https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/logs/logs-data-export.md
If you have configured your Storage Account to allow access from selected networ
A data export rule defines the tables for which data is exported and the destination. You can have 10 enabled rules in your workspace when any additional rule above 10 must be in disable state. A destination must be unique across all export rules in your workspace. > [!NOTE]
-> Data export sends logs to destinations that you own while these have some limits: [storage accounts scalability](../../storage/common/scalability-targets-standard-account.md#scale-targets-for-standard-storage-accounts), [event hub namespace quota](../../event-hubs/event-hubs-quotas.md). ItΓÇÖs recommended that you monitor your destinations for throttling and apply measures when nearing the destination limit. For example:
+> Data export sends logs to destinations that you own while these have some limits: [storage accounts scalability](../../storage/common/scalability-targets-standard-account.md#scale-targets-for-standard-storage-accounts), [event hub namespace quota](../../event-hubs/event-hubs-quotas.md). ItΓÇÖs recommended to monitor your destinations for throttling and apply measures when nearing its limit. For example:
> - Set auto-inflate feature in event hub to automatically scale up and increase the number of TUs (throughput units). You can request more TUs when auto-inflate is at max > - Splitting tables to several export rules where each is to different destinations
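Review bot: in the rewritten note, "when nearing its limit" has no singular antecedent, since "destinations" is plural. Use "when nearing their limits", or keep the earlier "the destination limit".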
Supported tables are currently limited to those specified below. All data from t
| DnsEvents | | | DnsInventory | | | Dynamics365Activity | |
-| Event | Partial support ΓÇô some of the data to this table is ingested through storage account. This portion is missing in export currently. |
+| Event | Partial support ΓÇô data arriving from Log Analytics agent (MMA) or Azure Monitor Agent (AMA) is fully supported in export. Data arriving via Diagnostics Extension agent is collected though storage while this path isnΓÇÖt supported in export. |
| ExchangeAssessmentRecommendation | | | FailedIngestion | | | FunctionAppLogs | |
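Review bot: the new Event row opens with "Partial support" and then says agent data "is fully supported", and "collected though storage" should be "through storage". Reword so the row says which path is exported and which is not, for example: "Partial support: data from the Log Analytics agent (MMA) or Azure Monitor Agent (AMA) is exported; data collected through storage by the Diagnostics Extension agent is not." The same text is pasted into the SecurityEvent and Syslog rows and needs the same fix.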
Supported tables are currently limited to those specified below. All data from t
| SecurityBaseline | | | SecurityBaselineSummary | | | SecurityDetection | |
-| SecurityEvent | Partial support ΓÇô some of the data to this table is ingested through storage account. This portion is missing in export currently. |
+| SecurityEvent | Partial support ΓÇô data arriving from Log Analytics agent (MMA) or Azure Monitor Agent (AMA) is fully supported in export. Data arriving via Diagnostics Extension agent is collected though storage while this path isnΓÇÖt supported in export. |
| SecurityIncident | | | SecurityIoTRawEvent | | | SecurityNestedRecommendation | |
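Review bot: for SecurityEvent, the unexported Diagnostics Extension path means an export destination used for security monitoring or retention can be missing events with no error raised. Add a sentence near the table telling readers how to determine which agent feeds this table in their workspace before they rely on the export as a complete copy.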
Supported tables are currently limited to those specified below. All data from t
| SynapseSqlPoolRequestSteps | | | SynapseSqlPoolSqlRequests | | | SynapseSqlPoolWaits | |
-| Syslog | Partial support ΓÇô some of the data to this table is ingested through storage account. This portion is missing in export currently. |
+| Syslog | Partial support ΓÇô data arriving from Log Analytics agent (MMA) or Azure Monitor Agent (AMA) is fully supported in export. Data arriving via Diagnostics Extension agent is collected though storage while this path isnΓÇÖt supported in export. |
| ThreatIntelligenceIndicator | | | Update | Partial support ΓÇô some of the data is ingested through internal services that isn't supported for export. This portion is missing in export currently. | | UpdateRunProgress | |
azure-netapp-files Azure Netapp Files Cost Model https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-netapp-files/azure-netapp-files-cost-model.md
The following diagram illustrates the concepts.
* [Understand volume quota](volume-quota-introduction.md) * [Monitor the capacity of a volume](monitor-volume-capacity.md) * [Resize the capacity pool or a volume](azure-netapp-files-resize-capacity-pools-or-volumes.md)
+* [Manage billing by using tags](manage-billing-tags.md)
* [Capacity management FAQs](azure-netapp-files-faqs.md#capacity-management-faqs)
azure-netapp-files Azure Netapp Files Create Volumes Smb https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-netapp-files/azure-netapp-files-create-volumes-smb.md
na ms.devlang: na Previously updated : 04/20/2021 Last updated : 05/05/2021 # Create an SMB volume for Azure NetApp Files
You can set permissions for a file or folder by using the **Security** tab of th
* [Mount or unmount a volume for Windows or Linux virtual machines](azure-netapp-files-mount-unmount-volumes-for-virtual-machines.md) * [Resource limits for Azure NetApp Files](azure-netapp-files-resource-limits.md)
-* [SMB FAQs](./azure-netapp-files-faqs.md#smb-faqs)
+* [Configure ADDS LDAP over TLS for Azure NetApp Files](configure-ldap-over-tls.md)
+* [SMB FAQs](azure-netapp-files-faqs.md#smb-faqs)
* [Troubleshoot SMB or dual-protocol volumes](troubleshoot-dual-protocol-volumes.md) * [Learn about virtual network integration for Azure services](../virtual-network/virtual-network-for-azure-services.md) * [Install a new Active Directory forest using Azure CLI](/windows-server/identity/ad-ds/deploy/virtual-dc/adds-on-azure-vm)
azure-netapp-files Azure Netapp Files Create Volumes https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-netapp-files/azure-netapp-files-create-volumes.md
na ms.devlang: na Previously updated : 04/05/2021 Last updated : 05/05/2021 # Create an NFS volume for Azure NetApp Files
This article shows you how to create an NFS volume. For SMB volumes, see [Create
A volume inherits subscription, resource group, location attributes from its capacity pool. To monitor the volume deployment status, you can use the Notifications tab. - ## Next steps * [Configure NFSv4.1 default domain for Azure NetApp Files](azure-netapp-files-configure-nfsv41-domain.md) * [Configure NFSv4.1 Kerberos encryption](configure-kerberos-encryption.md)
+* [Configure ADDS LDAP over TLS for Azure NetApp Files](configure-ldap-over-tls.md)
* [Configure ADDS LDAP with extended groups for NFS volume access](configure-ldap-extended-groups.md) * [Mount or unmount a volume for Windows or Linux virtual machines](azure-netapp-files-mount-unmount-volumes-for-virtual-machines.md) * [Configure export policy for an NFS volume](azure-netapp-files-configure-export-policy.md)
azure-netapp-files Azure Netapp Files Metrics https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-netapp-files/azure-netapp-files-metrics.md
na ms.devlang: na Previously updated : 04/28/2021 Last updated : 05/06/2021 # Metrics for Azure NetApp Files
You can find metrics for a capacity pool or volume by selecting the **capacity p
The number of reads to the volume per second. - *Write IOPS* The number of writes to the volume per second.
-<!-- These two metrics are not yet available, until ~ 2020.09
-- *Read MiB/s*
- Read throughput in bytes per second.
-- *Write MiB/s*
- Write throughput in bytes per second.
>
-<!-- ANF-4128; 2020.07
-- *Pool Provisioned Throughput*
- The total throughput a capacity pool can provide to its volumes based on "Pool Provisioned Size" and "Service Level".
-- *Pool Allocated to Volume Throughput*
- The total throughput allocated to volumes in a given capacity pool (that is, the total of the volumes' allocated throughput in the capacity pool).
>-
-<!-- ANF-6443; 2020.11
-- *Pool Consumed Throughput*
- The total throughput being consumed by volumes in a given capacity pool.
>- ## <a name="replication"></a>Volume replication metrics
You can find metrics for a capacity pool or volume by selecting the **capacity p
- *Volume replication total transfer* The cumulative bytes transferred for the relationship.
+## Throughput metrics for capacity pools
+
+* *Pool Allocated to Volume Throughput*
+ The total throughput allocated to volumes in a given capacity pool. That is, the total of the volumes' allocated throughput in the capacity pool.
+
+* *Pool Consumed Throughput*
+ The total throughput being consumed by volumes in a given capacity pool.
+
+* *Percentage Pool Allocated to Volume Throughput*
+ Percentage of capacity pool provisioned throughput that is allocated to volumes.
+
+* *Percentage Pool Consumed Throughput*
+ Percentage of capacity pool provisioned throughput that is consumed by volumes.
+
+## Throughput metrics for volumes
+
+* *Volume Allocated Throughput*
+ The parent capacity pool throughput (MiB/s) the volume is allocated with. This is the maximum throughput the volume is able to consume.
+
+* *Volume Consumed Throughput*
+ The actual throughput (MiB/s) the volume is utilizing.
+
+* *Percentage Volume Consumed Throughput*
+ Percentage of allocated throughput the volume is utilizing. That is, *Volume Consumed Throughput* as a percentage of *Volume Allocated Throughput*.
++ ## Next steps * [Understand the storage hierarchy of Azure NetApp Files](azure-netapp-files-understand-storage-hierarchy.md)
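Review bot: both percentage metrics are defined against "capacity pool provisioned throughput", but the *Pool Provisioned Throughput* definition that sat in the comment block removed earlier in this commit is not carried into the new section, so the denominator is never defined. Add that metric or define the term inline. The pool metrics also give no units, while the volume metrics state MiB/s.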
azure-netapp-files Configure Kerberos Encryption https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-netapp-files/configure-kerberos-encryption.md
na ms.devlang: na Previously updated : 02/18/2021 Last updated : 05/06/2021 # Configure NFSv4.1 Kerberos encryption for Azure NetApp Files
Azure NetApp Files supports NFS client encryption in Kerberos modes (krb5, krb5i
The following requirements apply to NFSv4.1 client encryption:
-* Active Directory Domain Services (AD DS) connection to facilitate Kerberos ticketing
+* Active Directory Domain Services (AD DS) or Azure Active Directory Domain Services (AADDS) connection to facilitate Kerberos ticketing
* DNS A/PTR record creation for both the client and Azure NetApp Files NFS server IP addresses * A Linux client This article provides guidance for RHEL and Ubuntu clients. Other clients will work with similar configuration steps.
azure-netapp-files Configure Ldap Over Tls https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-netapp-files/configure-ldap-over-tls.md
+
+ Title: Configure ADDS LDAP over TLS for Azure NetApp Files | Microsoft Docs
+description: Describes how to configure ADDS LDAP over TLS for Azure NetApp Files, including root CA certificate management.
+
+documentationcenter: ''
++
+editor: ''
+
+ms.assetid:
++
+ na
+ms.devlang: na
+ Last updated : 05/05/2021++
+# Configure ADDS LDAP over TLS for Azure NetApp Files
+
+You can use LDAP over TLS to secure communication between an Azure NetApp Files volume and the Active Directory LDAP server. You can enable LDAP over TLS for NFS, SMB, and dual-protocol volumes of Azure NetApp Files.
+
+## Considerations
+
+* LDAP over TLS must not be enabled if you are using Azure Active Directory Domain Services (AADDS). AADDS uses LDAPS (port 636) to secure LDAP traffic instead of LDAP over TLS (port 389).
+
+## Register the LDAP over TLS feature
+
+The LDAP over TLS feature is currently in preview. If you are using this feature for the first time, register the feature before using it.
+
+1. Register the feature:
+
+ ```azurepowershell-interactive
+ Register-AzProviderFeature -ProviderNamespace Microsoft.NetApp -FeatureName ANFLdapOverTls
+ ```
+
+2. Check the status of the feature registration:
+
+ > [!NOTE]
+ > The **RegistrationState** may be in the `Registering` state for up to 60 minutes before changing to `Registered`. Wait until the status is `Registered` before continuing.
+
+ ```azurepowershell-interactive
+ Get-AzProviderFeature -ProviderNamespace Microsoft.NetApp -FeatureName ANFLdapOverTls
+ ```
+You can also use [Azure CLI commands](/cli/azure/feature?preserve-view=true&view=azure-cli-latest) `az feature register` and `az feature show` to register the feature and display the registration status.
+
+## Generate and export root CA certificate
+
+If you do not have a root CA certificate, you need to generate one and export it for use with LDAP over TLS authentication.
+
+1. Follow [Install the Certification Authority](/windows-server/networking/core-network-guide/cncg/server-certs/install-the-certification-authority) to install and configure ADDS Certificate Authority.
+
+2. Follow [View certificates with the MMC snap-in](/dotnet/framework/wcf/feature-details/how-to-view-certificates-with-the-mmc-snap-in) to use the MMC snap-in and the Certificate Manager tool.
+ Use the Certificate Manager snap-in to locate the root or issuing certificate for the local device. You should run the Certificate Management snap-in commands from one of the following settings:
+ * A Windows-based client that has joined the domain and has the root certificate installed
+ * Another machine in the domain containing the root certificate
+
+3. Export the root CA certificate.
+ Root CA certificates can be exported from the Personal or Trusted Root Certification Authorities directory, as shown in the following examples:
+ ![screenshot that shows personal certificates](../media/azure-netapp-files/personal-certificates.png)
+ ![screenshot that shows trusted root certification authorities](../media/azure-netapp-files/trusted-root-certification-authorities.png)
+
+ Ensure that the certificate is exported in the Base-64 encoded X.509 (.CER) format:
+
+ ![Certificate Export Wizard](../media/azure-netapp-files/certificate-export-wizard.png)
+
+## Enable LDAP over TLS and upload root CA certificate
+
+1. Go to the NetApp account that is used for the volume, and click **Active Directory connections**. Then, click **Join** to create a new AD connection or **Edit** to edit an existing AD connection.
+
+2. In the **Join Active Directory** or **Edit Active Directory** window that appears, select the **LDAP over TLS** checkbox to enable LDAP over TLS for the volume. Then click **Server root CA Certificate** and upload the [generated root CA certificate](#generate-and-export-root-ca-certificate) to use for LDAP over TLS.
+
+ ![Screenshot that shows the LDAP over TLS option](../media/azure-netapp-files/ldap-over-tls-option.png)
+
+ Ensure that the certificate authority name can be resolved by DNS. This name is the "Issued By" or "Issuer" field on the certificate:
+
+ ![Screenshot that shows certificate information](../media/azure-netapp-files/certificate-information.png)
+
+If you uploaded an invalid certificate, and you have existing AD configurations, SMB volumes, or Kerberos volumes, an error similar to the following occurs:
+
+`Error updating Active Directory settings The LDAP client configuration "ldapUserMappingConfig" for Vservers is an invalid configuration.`
+
+To resolve the error condition, upload a valid root CA certificate to your NetApp account as required by the Windows Active Directory LDAP server for LDAP authentication.
+
+## Next steps
+
+* [Create an NFS volume for Azure NetApp Files](azure-netapp-files-create-volumes.md)
+* [Create an SMB volume for Azure NetApp Files](azure-netapp-files-create-volumes-smb.md)
+* [Create a dual-protocol volume for Azure NetApp Files](create-volumes-dual-protocol.md)
+
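Review bot: Step 2 of "Generate and export root CA certificate" tells the reader to locate "the root or issuing certificate", but step 3 and the upload step in the next section both ask for the root CA certificate. Drop "or issuing", or say when an issuing certificate is acceptable, since an invalid upload can produce the `ldapUserMappingConfig` error described further down. The requirement that the "Issued By" name resolves in DNS appears only after the upload instruction; move it ahead of the upload so it reads as a precondition. The tool is also named two ways ("Certificate Manager" and "Certificate Management" snap-in); pick one.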
azure-netapp-files Create Volumes Dual Protocol https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-netapp-files/create-volumes-dual-protocol.md
na ms.devlang: na Previously updated : 04/27/2021 Last updated : 05/05/2021 # Create a dual-protocol (NFSv3 and SMB) volume for Azure NetApp Files
Follow instructions in [Configure an NFS client for Azure NetApp Files](configur
## Next steps * [Configure an NFS client for Azure NetApp Files](configure-nfs-clients.md)
+* [Configure ADDS LDAP over TLS for Azure NetApp Files](configure-ldap-over-tls.md)
* [Troubleshoot SMB or dual-protocol volumes](troubleshoot-dual-protocol-volumes.md) * [Troubleshoot LDAP volume issues](troubleshoot-ldap-volumes.md)
azure-netapp-files Cross Region Replication Create Peering https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-netapp-files/cross-region-replication-create-peering.md
# Create volume replication for Azure NetApp Files > [!IMPORTANT]
-> The cross-region replication feature is currently in public preview. You need to submit a waitlist request for accessing the feature through the [Azure NetApp Files cross-region replication waitlist submission page](https://aka.ms/anfcrrpreviewsignup). Wait for an official confirmation email from the Azure NetApp Files team before using the cross-region replication feature.
+> The cross-region replication feature is currently in preview. You need to submit a waitlist request for accessing the feature through the [Azure NetApp Files cross-region replication waitlist submission page](https://aka.ms/anfcrrpreviewsignup). Wait for an official confirmation email from the Azure NetApp Files team before using the cross-region replication feature.
This article shows you how to set up cross-region replication by creating replication peering.
azure-netapp-files Cross Region Replication Introduction https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-netapp-files/cross-region-replication-introduction.md
The Azure NetApp Files replication functionality provides data protection through cross-region volume replication. You can asynchronously replicate data from an Azure NetApp Files volume (source) in one region to another Azure NetApp Files volume (destination) in another region. This capability enables you to failover your critical application in case of a region-wide outage or disaster. > [!IMPORTANT]
-> The cross-region replication feature is currently in public preview. You need to submit a waitlist request for accessing the feature through the [Azure NetApp Files cross-region replication waitlist submission page](https://aka.ms/anfcrrpreviewsignup). Wait for an official confirmation email from the Azure NetApp Files team before using the cross-region replication feature.
+> The cross-region replication feature is currently in preview. You need to submit a waitlist request for accessing the feature through the [Azure NetApp Files cross-region replication waitlist submission page](https://aka.ms/anfcrrpreviewsignup). Wait for an official confirmation email from the Azure NetApp Files team before using the cross-region replication feature.
## <a name="supported-region-pairs"></a>Supported cross-region replication pairs
azure-netapp-files Cross Region Replication Requirements Considerations https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-netapp-files/cross-region-replication-requirements-considerations.md
Note the following requirements and considerations about [using the volume cross
## Requirements and considerations
-* The cross-region replication feature is currently in public preview. You need to submit a waitlist request for accessing the feature through the [Azure NetApp Files cross-region replication waitlist submission page](https://aka.ms/anfcrrpreviewsignup). Wait for an official confirmation email from the Azure NetApp Files team before using the cross-region replication feature.
+* The cross-region replication feature is currently in preview. You need to submit a waitlist request for accessing the feature through the [Azure NetApp Files cross-region replication waitlist submission page](https://aka.ms/anfcrrpreviewsignup). Wait for an official confirmation email from the Azure NetApp Files team before using the cross-region replication feature.
* Azure NetApp Files replication is only available in certain fixed region pairs. See [Supported region pairs](cross-region-replication-introduction.md#supported-region-pairs). * SMB volumes are supported along with NFS volumes. Replication of SMB volumes requires an Active Directory connection in the source and destination NetApp accounts. The destination AD connection must have access to the DNS servers or ADDS Domain Controllers that are reachable from the delegated subnet in the destination region. For more information, see [Requirements for Active Directory connections](create-active-directory-connections.md#requirements-for-active-directory-connections). * The destination account must be in a different region from the source volume region. You can also select an existing NetApp account in a different region.
azure-netapp-files Dynamic Change Volume Service Level https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-netapp-files/dynamic-change-volume-service-level.md
na ms.devlang: na Previously updated : 04/22/2021 Last updated : 05/06/2021 # Dynamically change the service level of a volume
-> [!IMPORTANT]
-> Dynamically changing the service level of a replication destination volume is currently not supported.
- You can change the service level of an existing volume by moving the volume to another capacity pool that uses the [service level](azure-netapp-files-service-levels.md) you want for the volume. This in-place service-level change for the volume does not require that you migrate data. It also does not impact access to the volume. This functionality enables you to meet your workload needs on demand. You can change an existing volume to use a higher service level for better performance, or to use a lower service level for cost optimization. For example, if the volume is currently in a capacity pool that uses the *Standard* service level and you want the volume to use the *Premium* service level, you can move the volume dynamically to a capacity pool that uses the *Premium* service level.
azure-netapp-files Manage Billing Tags https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-netapp-files/manage-billing-tags.md
+
+ Title: Manage Azure NetApp Files billing by using tags | Microsoft Docs
+description: Describes how to manage Azure NetApp Files billing by using tags.
+
+documentationcenter: ''
++
+editor: ''
+
+ms.assetid:
++
+ na
+ms.devlang: na
+ Last updated : 05/06/2021++
+# Manage billing by using capacity pool billing tags
+
+Tags are name and value pairs that enable you to categorize resources and view consolidated billing. You can apply the same tag to multiple resources and resource groups. See [Use tags to organize your Azure resources and management hierarchy](../azure-resource-manager/management/tag-resources.md) for details about tags.
+
+Using tags helps you manage Azure NetApp Files billing and expenses. For example, your company might have only one Azure subscription but multiple departments that use Azure resources and incur expenses. You can tag the resources with the department names at the capacity pool level. The corresponding tags would be displayed in the bill to help you see the expense incurred by each department.
+
+Billing tags are assigned at the capacity pool level, not volume level.
+
+## Steps
+
+1. To add or edit a tag on a capacity pool, go to the **capacity pool** and select **Tags**.
+
+2. Fill in the **Name** and **Value** pair. Click **Apply**.
+
+ > [!IMPORTANT]
+ > Tag data is replicated globally. As such, do not use tag names or values that could compromise the security of your resources. For example, do not use tag names that contain personal or sensitive information.
+
+ ![Snapshot that shows the Tags window of a capacity pool.](../media/azure-netapp-files/billing-tags-capacity-pool.png)
+
+3. You can display and download information about tagged resources by using the [Azure Cost Management](../cost-management-billing/cost-management-billing-overview.md) portal:
+ 1. Click **Cost Analysis** and select the **Cost by resource** view.
+ [ ![Screenshot that shows Cost Analysis of Azure Cost Management](../media/azure-netapp-files/cost-analysis.png) ](../media/azure-netapp-files/cost-analysis.png#lightbox)
+
+ 2. To download an invoice, selecting **Invoices** and then the **Download** button.
+ [ ![Screenshot that shows Invoices of Azure Cost Management](../media/azure-netapp-files/azure-cost-invoices.png) ](../media/azure-netapp-files/azure-cost-invoices.png#lightbox)
+
+ 1. In the Download window that appears, download usage details. The downloaded `csv` file will include capacity pool billing tags for the corresponding resources.
+ ![Snapshot that shows the Download window of Azure Cost Management.](../media/azure-netapp-files/invoice-download.png)
+
+ [ ![Screenshot that shows the downloaded spreadsheet.](../media/azure-netapp-files/spreadsheet-download.png) ](../media/azure-netapp-files/spreadsheet-download.png#lightbox)
+
+## Next steps
+
+[Cost model for Azure NetApp Files](azure-netapp-files-cost-model.md)
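Review bot: In step 3 the sub-steps are numbered 1, 2, 1, and sub-step 2 reads "To download an invoice, selecting **Invoices**", which should be "select **Invoices**". Renumber the last sub-step and fix the verb. The `[!IMPORTANT]` warning about sensitive data in tag names and values sits after "Click **Apply**" in step 2; place it before the instruction to fill in **Name** and **Value** so readers see it before the tag is saved. The image alt text mixes "Snapshot that shows" and "Screenshot that shows".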
azure-netapp-files Whats New https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-netapp-files/whats-new.md
na ms.devlang: na Previously updated : 04/30/2021 Last updated : 05/06/2021
Azure NetApp Files is updated regularly. This article provides a summary about the latest new features and enhancements.
+## May 2021
+
+* [Support for capacity pool billing tags](manage-billing-tags.md)
+
+ Azure NetApp Files now supports billing tags to help you cross-reference cost with business units or other internal consumers. Billing tags are assigned at the capacity pool level and not volume level, and they appear on the customer invoice.
+
+* [ADDS LDAP over TLS](configure-ldap-over-tls.md) (Preview)
+
+ By default, LDAP communications between client and server applications are not encrypted. This means that it is possible to use a network monitoring device or software to view the communications between an LDAP client and server computers. This scenario might be problematic in non-isolated or shared VNets when an LDAP simple bind is used, because the credentials (user name and password) used to bind the LDAP client to the LDAP server are passed over the network unencrypted. LDAP over TLS (also known as LDAPS) is a protocol that uses TLS to secure communication between LDAP clients and LDAP servers. Azure NetApp Files now supports the secure communication between an Active Directory Domain Server (ADDS) using LDAP over TLS. Azure NetApp Files can now use LDAP over TLS for setting up authenticated sessions between the Active Directory-integrated LDAP servers. You can enable the LDAP over TLS feature for NFS, SMB, and dual-protocol volumes. By default, LDAP over TLS is disabled on Azure NetApp Files.
+
+* Support for throughput [metrics](azure-netapp-files-metrics.md)
+
+ Azure NetApp Files adds support for the following metrics:
+ * Capacity pool throughput metrics
+ * *Pool Allocated to Volume Throughput*
+ * *Pool Consumed Throughput*
+ * *Percentage Pool Allocated to Volume Throughput*
+ * *Percentage Pool Consumed Throughput*
+ * Volume throughput metrics
+ * *Volume Allocated Throughput*
+ * *Volume Consumed Throughput*
+ * *Percentage Volume Consumed Throughput*
+
+* Support for [dynamic change of service level](dynamic-change-volume-service-level.md) of replication volumes
+
+ Azure NetApp Files now supports dynamically changing the service level of replication source and destination volumes.
+ ## April 2021 * [Manual volume and capacity pool management](volume-quota-introduction.md) (hard quota)
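Review bot: In the ADDS LDAP over TLS entry, the sentence "Azure NetApp Files now supports the secure communication between an Active Directory Domain Server (ADDS) using LDAP over TLS" names only one endpoint after "between", and the sentence that follows restates the same point. Merge the two into one sentence that names both sides of the connection. Check the expansion of ADDS as well; the usual one is Active Directory Domain Services. The entry would read better with the risk description (unencrypted simple bind) split from the feature statement.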
Azure NetApp Files is updated regularly. This article provides a summary about t
* [NFS v4.1 Kerberos encryption in transit](configure-kerberos-encryption.MD)
- Azure NetApp Files now supports NFS client encryption in Kerberos modes (krb5, krb5i, and krb5p) with AES-256 encryption, providing you with additional data security. This feature is free of charge (normal [Azure NetApp Files storage cost](https://azure.microsoft.com/pricing/details/netapp/) still applies) and is generally available. Learn more from the [NFS v4.1 Kerberos encryption documentation](configure-kerberos-encryption.MD).
+ Azure NetApp Files now supports NFS client encryption in Kerberos modes (krb5, krb5i, and krb5p) with AES-256 encryption, providing you with more data security. This feature is free of charge (normal [Azure NetApp Files storage cost](https://azure.microsoft.com/pricing/details/netapp/) still applies) and is generally available. Learn more from the [NFS v4.1 Kerberos encryption documentation](configure-kerberos-encryption.MD).
-* [Dynamic volume service level change](dynamic-change-volume-service-level.MD)
+* [Dynamic volume service level change](dynamic-change-volume-service-level.MD) (Preview)
- Cloud promises flexibility in IT spending. You can now change the service level of an existing Azure NetApp Files volume by moving the volume to another capacity pool that uses the service level you want for the volume. This in-place service-level change for the volume does not require that you migrate data. It also does not impact the data plane access to the volume. You can change an existing volume to use a higher service level for better performance, or to use a lower service level for cost optimization. This feature is free of charge (normal [Azure NetApp Files storage cost](https://azure.microsoft.com/pricing/details/netapp/) still applies) and is currently in public preview. You can register for the feature preview by following the [dynamic volume service level change documentation](dynamic-change-volume-service-level.md).
+ Cloud promises flexibility in IT spending. You can now change the service level of an existing Azure NetApp Files volume by moving the volume to another capacity pool that uses the service level you want for the volume. This in-place service-level change for the volume does not require that you migrate data. It also does not impact the data plane access to the volume. You can change an existing volume to use a higher service level for better performance, or to use a lower service level for cost optimization. This feature is free of charge (normal [Azure NetApp Files storage cost](https://azure.microsoft.com/pricing/details/netapp/) still applies). It is currently in preview. You can register for the feature preview by following the [dynamic volume service level change documentation](dynamic-change-volume-service-level.md).
* [Volume snapshot policy](azure-netapp-files-manage-snapshots.md#manage-snapshot-policies) (Preview)
azure-percept How To Connect To Percept Dk Over Serial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-percept/how-to-connect-to-percept-dk-over-serial.md
Follow the steps below to set up a serial connection to your Azure Percept DK th
1. Connection Type: Serial :::image type="content" source="./media/how-to-connect-to-percept-dk-over-serial/putty-serial-session.png" alt-text="PuTTY session window with serial parameters selected.":::-
-## Next Steps
azure-percept How To Select Update Package https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-percept/how-to-select-update-package.md
For more information on how to update your device, see these articles:
- An [Azure Percept DK](https://go.microsoft.com/fwlink/?linkid=2155270) that has been [set up and connected to Azure Percept Studio and IoT Hub](https://docs.microsoft.com/azure/azure-percept/quickstart-percept-dk-set-up).
-## Identify the current model name and software version on your Azure Percept DK
+## Identify the model name and software version of your dev kit
To ensure you apply the correct update package to your dev kit, you must first determine which software version it's currently running. > [!WARNING]
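Review bot: Renaming the heading to "Identify the model name and software version of your dev kit" changes its generated anchor. Check for links that target the old heading and update them in the same change.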
azure-percept Quickstart Percept Dk Set Up https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-percept/quickstart-percept-dk-set-up.md
Complete the Azure Percept DK setup experience to configure your dev kit and dep
If you experience any issues during this process, refer to the [setup troubleshooting guide](./how-to-troubleshoot-setup.md) for possible solutions.
+> [!TIP]
+> You can return to the setup experience at any time to reinitialize your dev kit for things like connecting to a new wi-fi network, creating a new SSH user, and reconnecting to IoT Hub.
+ ## Prerequisites - An Azure Percept DK (dev kit).
azure-portal Azure Portal Dashboards https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-portal/azure-portal-dashboards.md
Title: Create a dashboard in the Azure portal
description: This article describes how to create and customize a dashboard in the Azure portal. ms.assetid: ff422f36-47d2-409b-8a19-02e24b03ffe7 Previously updated : 04/15/2021 Last updated : 05/06/2021 # Create a dashboard in the Azure portal
This example shows how to create a new private dashboard with an assigned name.
:::image type="content" source="media/azure-portal-dashboards/dashboard-name.png" alt-text="Screenshot of an empty grid with the Tile Gallery.":::
-1. To save the dashboard as is, select **Done customizing** in the page header. Or, continue to the next section to add tiles and save your dashboard.
+1. To save the dashboard as is, select **Done customizing** in the page header. Or, continue to Step 2 of the next section to add tiles and save your dashboard.
The dashboard view now shows your new dashboard. Select the arrow next to the dashboard name to see dashboards available to you. The list might include dashboards that other users have created and shared.
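Review bot: "continue to Step 2 of the next section" in the changed step ties this sentence to the numbering of a different list, so it goes stale as soon as a step is added or removed there. Link to the section or name the action instead of citing a step number.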
To add tiles to a dashboard, follow these steps:
- If you work with more than one organization, add the **Organization identity** tile to your dashboard to clearly show which organization the resources belong to.
-1. If desired, resize the tile by dragging and dropping the lower right hand corner of the tile.
+1. If desired, [resize or rearrange](#resize-or-rearrange-tiles) your tiles.
-1. To save your changes, select **Save** in the page header. You can also preview the changes without saving by selecting **Preview** in the page header. From the preview screen, you can select **Save** to keep the changes, **Discard** to remove them, or **Edit** to go back to the editing options and make further changes.
+1. To save your changes, select **Save** in the page header. You can also preview the changes without saving by selecting **Preview** in the page header. This preview mode also allows you to see how [filters](#set-and-override-dashboard-filters) affect your tiles. From the preview screen, you can select **Save** to keep the changes, **Discard** to remove them, or **Edit** to go back to the editing options and make further changes.
:::image type="content" source="media/azure-portal-dashboards/dashboard-save.png" alt-text="Screenshot of the Preview, Save, and Discard options.":::
+> [!NOTE]
+> A markdown tile lets you display custom, static content on your dashboard. This could be basic instructions, an image, a set of hyperlinks, or even contact information. For more information about using a markdown tile, see [Use a markdown tile on Azure dashboards to show custom content](azure-portal-markdown-tile.md).
+ ### Pin content from a resource page Another way to add tiles to your dashboard is directly from a resource page.
-Many resource pages include a pin icon in the command bar. If you select this icon, you can pin a tile representing the source page to an existing dashboard, or to a new dashboard that you create.
+Many resource pages include a pin icon in the page header, which means that you can pin a tile representing the source page. In some cases, a pin icon may also appear by specific content within a page, which means you can pin a tile for that specific content, rather than the entire page.
-![Screenshot of page command bar with pin icon](./media/azure-portal-dashboards/dashboard-pin-blade.png)
-In some cases, a pin icon may also appear by specific content within a page, which means you can pin a tile for that specific content rather than the entire page.
+If you select this icon, you can pin the tile to an existing private or shared dashboard. You can also create a new dashboard which will include this pin by selecting **Create new**.
+ ### Resize or rearrange tiles
To change the size of a tile or to rearrange the tiles on a dashboard, follow th
1. Select a tile and drag it to a new location on the grid to arrange your dashboard.
-### Additional tile configuration
+### Set and override dashboard filters
+
+Near the top of your dashboard, you'll see options to set the **Auto refresh** and **Time settings** for data displayed in the dashboard, along with an option to add additional filters.
++
+By default, data will be refreshed every hour. To change this, select **Auto refresh** and choose a new refresh interval. When you've made your selection, select **Apply**.
+
+The default time settings are **UTC Time**, showing data for the **Past 24 hours**. To change this, select the button and choose a new time range, time granularity, and/or time zone, then select **Apply**.
+
+To apply additional filters, select **Add filters**. The options you'll see will vary depending on the tiles in your dashboard. For example, you may be able to show only data for a specific subscription or location. Select the filter you'd like to use and make your selections. The filter will then be applied to your data. To remove a filter, select the **X** in its button.
-Some tiles might require more configuration to show the information you want. For example, the **Metrics chart** tile has to be set up to display a metric from Azure Monitor. You can also customize tile data to override the dashboard's default time settings.
+Tiles which support filtering have a ![filter icon](./media/azure-portal-dashboards/dashboard-filter.png) filter icon in the top-left corner of the tile. Some tiles allow you to override the global filters with filters specific to that tile. To do so, select **Configure tile data** from the context menu, or select the filter icon, then apply the desired filters.
-Any tile that needs to be set up displays a banner until you customize the tile. For the **Metrics chart**, the banner is **Edit in Metrics**.To customize the tile:
+If you set filters for a particular tile, the left corner of that tile displays a double filter icon, indicating that the data in that tile reflects its own filters.
++
+## Modify tile settings
+
+Some tiles might require more configuration to show the information you want. For example, the **Metrics chart** tile has to be set up to display a metric from Azure Monitor. You can also customize tile data to override the dashboard's default time settings and filters.
+
+## Complete tile configuration
+
+Any tile that needs to be set up displays a banner until you customize the tile. For example, in the **Metrics chart**, the banner reads **Edit in Metrics**. Other banners may use different text, such as **Configure tile**.
+
+To customize the tile:
1. In the page header select **Save** to exit edit mode. 1. Select the banner, then do the required setup.
- ![Screenshot of tile that requires configuration](./media/azure-portal-dashboards/dashboard-configure-tile.png)
-
-> [!NOTE]
-> A markdown tile lets you display custom, static content on your dashboard. This could be basic instructions, an image, a set of hyperlinks, or even contact information. For more information about using a markdown tile, see [Use a markdown tile on Azure dashboards to show custom content](azure-portal-markdown-tile.md).
+ ![Screenshot of tile that requires configuration.](./media/azure-portal-dashboards/dashboard-configure-tile.png)
-### Customize tile data
+### Customize time span for a tile
-Data on the dashboard automatically shows activity for the past 24 hours. To show a different time span for just this tile, follow these steps:
+Data on the dashboard shows activity and refreshes based on the global filters. Some tiles will allow you to select a different time span for just one tile. To do so, follow these steps:
-1. Select **Customize tile data** from the context menu or from the ![filter icon](./media/azure-portal-dashboards/dashboard-filter.png) filter in the upper left corner of the tile.
+1. Select **Customize tile data** from the context menu or from the ![filter icon](./media/azure-portal-dashboards/dashboard-filter.png) in the upper left corner of the tile.
![Screenshot of tile context menu.](./media/azure-portal-dashboards/dashboard-customize-tile-data.png)
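Review bot: The new filter text says to select **Configure tile data** from the context menu, while the step kept under "Customize time span for a tile" says **Customize tile data**. Use the label the portal actually shows in both places. The added headings "## Modify tile settings" and "## Complete tile configuration" are both level 2, yet "### Customize time span for a tile" follows at level 3; "Complete tile configuration" looks like it belongs at level 3 under "Modify tile settings".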
Data on the dashboard automatically shows activity for the past 24 hours. To sho
1. Choose the time span to show for this tile. You can choose from the past 30 minutes to the past 30 days or define a custom range.
-1. Choose the time granularity to display. You can show anywhere from one-minute increments to one-month.
+1. Choose the time granularity to display. You can show anywhere from one-minute increments to one-month.
1. Select **Apply**.
azure-portal Azure Portal Supported Browsers Devices https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-portal/azure-portal-supported-browsers-devices.md
Title: Supported browsers and devices for Azure portal
description: You can use the Azure portal on all modern devices and with the latest browser versions. Consult this article to be sure your browser is supported. ms.assetid: 35fa18ec-21d8-41bf-af2b-e5e92703401d Previously updated : 01/22/2021 Last updated : 05/06/2021
If you need to manage Azure resources from a mobile device, try the [Azure mobi
We recommend that you use the most up-to-date browser that's compatible with your operating system. The following browsers are supported: * Microsoft Edge (latest version)
-* Internet Explorer 11 (supported until March 31, 2021)
* Safari (latest version, Mac only) * Chrome (latest version) * Firefox (latest version)
azure-resource-manager Tag Resources https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/management/tag-resources.md
az tag update --resource-id $group --operation Merge --tags "Cost Center"=Financ
You can tag resources, resource groups, and subscriptions during deployment with an Azure Resource Manager template (ARM template). > [!NOTE]
-> The tags you apply through the ARM template overwrite any existing tags.
+> The tags you apply through an ARM template or Bicep file overwrite any existing tags.
### Apply values
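Review bot: The note now covers Bicep files, but the sentence just above it still says tagging during deployment is done "with an Azure Resource Manager template (ARM template)" only. Mention Bicep there as well, otherwise the note refers to something the section has not introduced.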
azure-resource-manager Template Functions Array https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/template-functions-array.md
The following [example template](https://github.com/Azure/azure-docs-json-sample
```bicep param prefix string = 'prefix'
-output concatOutput string = concat(prefix, '-', uniqueString(resourceGroup().id))
+output concatOutput string = '${prefix}-${uniqueString(resourceGroup().id)}'
```
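Review bot: The Bicep sample no longer calls `concat`, yet the output is still named `concatOutput` in an article on template functions. Add a sentence saying that the Bicep version uses string interpolation in place of `concat`, so the difference from the JSON sample is not read as a mistake.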
azure-sql-edge Deploy Onnx https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql-edge/deploy-onnx.md
ms.technology: machine-learning
Previously updated : 10/13/2020 Last updated : 05/06/2021 # Deploy and make predictions with an ONNX model and SQL machine learning
-In this quickstart, you'll learn how to train a model, convert it to ONNX, deploy it to [Azure SQL Edge](onnx-overview.md) or [Azure SQL Managed Instance (preview)](../azure-sql/managed-instance/machine-learning-services-overview.md), and then run native PREDICT on data using the uploaded ONNX model.
+In this quickstart, you'll learn how to train a model, convert it to ONNX, deploy it to [Azure SQL Edge](onnx-overview.md) or [Azure SQL Managed Instance](../azure-sql/managed-instance/machine-learning-services-overview.md), and then run native PREDICT on data using the uploaded ONNX model.
This quickstart is based on **scikit-learn** and uses the [Boston Housing dataset](https://scikit-learn.org/stable/modules/generated/sklearn.datasets.load_boston.html).
FROM PREDICT(MODEL = @model, DATA = predict_input, RUNTIME=ONNX) WITH (variable1
## Next Steps * [Machine Learning and AI with ONNX in SQL Edge](onnx-overview.md)
-* [Machine Learning Services in Azure SQL Managed Instance (preview)](../azure-sql/managed-instance/machine-learning-services-overview.md)
+* [Machine Learning Services in Azure SQL Managed Instance](../azure-sql/managed-instance/machine-learning-services-overview.md)
azure-sql Arm Templates Content Guide https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/arm-templates-content-guide.md
The following table includes links to Azure Resource Manager templates for Azure
|Link|Description| |||
-| [SQL Managed Instance in a new VNet](https://github.com/Azure/azure-quickstart-templates/tree/master/101-sqlmi-new-vnet) | This Azure Resource Manager template creates a new configured Azure virtual network and managed instance in the virtual network. |
+| [SQL Managed Instance in a new VNet](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.sql/sqlmi-new-vnet) | This Azure Resource Manager template creates a new configured Azure virtual network and managed instance in the virtual network. |
| [Network environment for SQL Managed Instance](https://github.com/Azure/azure-quickstart-templates/tree/master/101-sql-managed-instance-azure-environment) | This deployment will create a configured Azure virtual network with two subnets, one that will be dedicated to your managed instances and another where you can place other resources (for example VMs, App Service environments, etc.). This template will create a properly configured networking environment where you can deploy managed instances. | | [SQL Managed Instance with P2S connection](https://github.com/Azure/azure-quickstart-templates/tree/master/201-sqlmi-new-vnet-w-point-to-site-vpn) | This deployment will create an Azure virtual network with two subnets, `ManagedInstance` and `GatewaySubnet`. SQL Managed Instance will be deployed in the ManagedInstance subnet. A virtual network gateway will be created in the `GatewaySubnet` subnet and configured for Point-to-Site VPN connection. | | [SQL Managed Instance with a virtual machine](https://github.com/Azure/azure-quickstart-templates/tree/master/201-sqlmi-new-vnet-w-jumpbox) | This deployment will create an Azure virtual network with two subnets, `ManagedInstance` and `Management`. SQL Managed Instance will be deployed in the `ManagedInstance` subnet. A virtual machine with the latest version of SQL Server Management Studio (SSMS) will be deployed in the `Management` subnet. |
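Review bot: Only the "SQL Managed Instance in a new VNet" link moves to the `quickstarts/microsoft.sql/` path; the three rows below it still point at `101-` and `201-` prefixed folders in the same repository. Check whether those samples were moved too and, if so, update them in this change.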
azure-sql Connect Query Content Reference Guide https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/connect-query-content-reference-guide.md
Standard (PCI-DSS).
Non-Microsoft drivers might not use TLS by default. This can be a factor when connecting to Azure SQL Database or Azure SQL Managed Instance. Applications with embedded drivers might not allow you to control these connection settings. We recommend that you examine the security of such drivers and applications before using them on systems that interact with sensitive data.
+## Drivers
+
+The following minimal versions of the tools and drivers are recommended if you want to connect to Azure SQL database:
+
+| Driver/tool | Version |
+| | |
+|.NET Framework | 4.6.1 (or .NET Core) |
+|ODBC driver| v17 |
+|PHP driver| 5.2.0 |
+|JDBC driver| 6.4.0 |
+|Node.js driver| 2.1.1 |
+|OLEDB driver| 18.0.2.0 |
+|[SMO](/sql/relational-databases/server-management-objects-smo/sql-server-management-objects-smo-programming-guide) | [150](https://www.nuget.org/packages/Microsoft.SqlServer.SqlManagementObjects) or higher |
+ ## Libraries You can use various libraries and frameworks to connect to Azure SQL Database or Azure SQL Managed Instance. Check out our [Get started tutorials](https://aka.ms/sqldev) to quickly get started with programming languages such as C#, Java, Node.js, PHP, and Python. Then build an app by using SQL Server on Linux or Windows or Docker on macOS.
The following table lists connectivity libraries or *drivers* that client applic
| Ruby | Windows, Linux, macOS | [Ruby driver for SQL Server](/sql/connect/ruby/ruby-driver-for-sql-server/) | [Install](/sql/connect/ruby/step-1-configure-development-environment-for-ruby-development/) | [Get started](https://www.microsoft.com/sql-server/developer-get-started/ruby/ubuntu) | C++ | Windows, Linux, macOS | [Microsoft ODBC driver for SQL Server](/sql/connect/odbc/microsoft-odbc-driver-for-sql-server/) | [Download](/sql/connect/odbc/microsoft-odbc-driver-for-sql-server/) |
+### Data-access frameworks
+ The following table lists examples of object-relational mapping (ORM) frameworks and web frameworks that client applications can use with SQL Server, Azure SQL Database, Azure SQL Managed Instance, or Azure Synapse Analytics. You can use the frameworks on Linux, Windows, or Docker. | Language | Platform | ORM(s) |
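Review bot: The new Drivers section calls these minimum versions "recommended" without saying what they are needed for. The paragraph just above warns that non-Microsoft drivers might not use TLS by default, so state explicitly whether these minimums relate to that or to something else; readers need to know what they lose on an older driver. Also, `v17` for the ODBC driver is the only entry with a `v` prefix and no minor version, and "Azure SQL database" in the intro sentence should be "Azure SQL Database" to match the rest of the article.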
azure-sql Connectivity Architecture https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/connectivity-architecture.md
The following steps describe how a connection is established to Azure SQL Databa
Servers in SQL Database and Azure Synapse support the following three options for the server's connection policy setting: - **Redirect (recommended):** Clients establish connections directly to the node hosting the database, leading to reduced latency and improved throughput. For connections to use this mode, clients need to:
- - Allow outbound communication from the client to all Azure SQL IP addresses in the region on ports in the range of 11000 11999. Use the Service Tags for SQL to make this easier to manage.
+ - Allow outbound communication from the client to all Azure SQL IP addresses in the region on ports in the range of 11000 to 11999. Use the Service Tags for SQL to make this easier to manage.
- Allow outbound communication from the client to Azure SQL Database gateway IP addresses on port 1433. - **Proxy:** In this mode, all connections are proxied via the Azure SQL Database gateways, leading to increased latency and reduced throughput. For connections to use this mode, clients need to allow outbound communication from the client to Azure SQL Database gateway IP addresses on port 1433.
azure-sql Private Endpoint Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/private-endpoint-overview.md
Once the network admin creates the Private Endpoint (PE), the SQL admin can mana
1. After approval or rejection, the list will reflect the appropriate state along with the response text. ![Screenshot of all PECs after approval][5]
-## On-premises connectivity over private peering
-
-When customers connect to the public endpoint from on-premises machines, their IP address needs to be added to the IP-based firewall using a [Server-level firewall rule](firewall-create-server-level-portal-quickstart.md). While this model works well for allowing access to individual machines for dev or test workloads, it's difficult to manage in a production environment.
+1. Finally clicking on the private endpoint name
+ ![Screenshot of PEC details][7]
-With Private Link, customers can enable cross-premises access to the private endpoint using [ExpressRoute](../../expressroute/expressroute-introduction.md), private peering, or VPN tunneling. Customers can then disable all access via the public endpoint and not use the IP-based firewall to allow any IP addresses.
+ leads to the Network Interface details
+ ![Screenshot of NIC details][8]
-## Use cases of Private Link for Azure SQL Database
-
-Clients can connect to the Private endpoint from the same virtual network, peered virtual network in same region, or via virtual network to virtual network connection across regions. Additionally, clients can connect from on-premises using ExpressRoute, private peering, or VPN tunneling. Below is a simplified diagram showing the common use cases.
-
- ![Diagram of connectivity options][1]
-
-In addition, services that are not running directly in the virtual network but are integrated with it (for example, App Service web apps or Functions) can also achieve private connectivity to the database. For more information on this specific use case, see the [Web app with private connectivity to Azure SQL database](/azure/architecture/example-scenario/private-web-app/private-web-app) architecture scenario.
+ which finally leads to the IP address for the private endpoint
+ ![Screenshot of Private IP][9]
## Test connectivity to SQL Database from an Azure VM in same virtual network-
-For this scenario, assume you've created an Azure Virtual Machine (VM) running Windows Server 2016.
+For this scenario, assume you've created an Azure Virtual Machine (VM) running a recent version of Windows in the same virtual network as the private endpoint.
1. [Start a Remote Desktop (RDP) session and connect to the virtual machine](../../virtual-machines/windows/connect-logon.md#connect-to-the-virtual-machine). + 1. You can then do some basic connectivity checks to ensure that the VM is connecting to SQL Database via the private endpoint using the following tools: 1. Telnet 1. Psping
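Review bot: The step added after the approval list is a single sentence broken across three screenshots ("Finally clicking on the private endpoint name", "leads to the Network Interface details", "which finally leads to the IP address for the private endpoint"), so it reads as fragments between images. Suggest three short numbered steps, each followed by its own screenshot: select the private endpoint name, open the network interface, then read the private IP address.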
For this scenario, assume you've created an Azure Virtual Machine (VM) running W
Open a Command Prompt window after you have installed Telnet. Run the Telnet command and specify the IP address and private endpoint of the database in SQL Database. ```
->telnet 10.1.1.5 1433
+>telnet 10.9.0.4 1433
``` When Telnet connects successfully, you'll see a blank screen at the command window like the below image:
When Telnet connects successfully, you'll see a blank screen at the command wind
### Check Connectivity using Psping
-[Psping](/sysinternals/downloads/psping) can be used as follows to check that the Private endpoint connection(PEC) is listening for connections on port 1433.
+[Psping](/sysinternals/downloads/psping) can be used as follows to check that the private endpoint is listening for connections on port 1433.
Run psping as follows by providing the FQDN for logical SQL server and port 1433: ``` >psping.exe mysqldbsrvr.database.windows.net:1433-
-PsPing v2.10 - PsPing - ping, latency, bandwidth measurement utility
-Copyright (C) 2012-2016 Mark Russinovich
-Sysinternals - www.sysinternals.com
-
-TCP connect to 10.6.1.4:1433:
+...
+TCP connect to 10.9.0.4:1433:
5 iterations (warmup 1) ping test:
-Connecting to 10.6.1.4:1433 (warmup): from 10.6.0.4:49953: 2.83ms
-Connecting to 10.6.1.4:1433: from 10.6.0.4:49954: 1.26ms
-Connecting to 10.6.1.4:1433: from 10.6.0.4:49955: 1.98ms
-Connecting to 10.6.1.4:1433: from 10.6.0.4:49956: 1.43ms
-Connecting to 10.6.1.4:1433: from 10.6.0.4:49958: 2.28ms
+Connecting to 10.9.0.4:1433 (warmup): from 10.6.0.4:49953: 2.83ms
+Connecting to 10.9.0.4:1433: from 10.6.0.4:49954: 1.26ms
+Connecting to 10.9.0.4:1433: from 10.6.0.4:49955: 1.98ms
+Connecting to 10.9.0.4:1433: from 10.6.0.4:49956: 1.43ms
+Connecting to 10.9.0.4:1433: from 10.6.0.4:49958: 2.28ms
```
-The output show that Psping could ping the private IP address associated with the PEC.
+The output show that Psping could ping the private IP address associated with the private endpoint.
### Check connectivity using Nmap
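Review bot: In the updated Psping output the destination becomes 10.9.0.4 but the source stays `from 10.6.0.4`, while the scenario text now says the VM is in the same virtual network as the private endpoint. Please confirm the sample addresses are consistent with that, or adjust the source address, since readers compare this output with their own. The rewritten closing sentence also keeps the slip "The output show"; it should read "The output shows".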
Nmap (Network Mapper) is a free and open-source tool used for network discovery
Run Nmap as follows by providing the address range of the subnet that hosts the private endpoint. ```
->nmap -n -sP 10.1.1.0/24
-...
+>nmap -n -sP 10.9.0.0/24
...
-Nmap scan report for 10.1.1.5
+Nmap scan report for 10.9.0.4
Host is up (0.00s latency). Nmap done: 256 IP addresses (1 host up) scanned in 207.00 seconds ```- The result shows that one IP address is up; which corresponds to the IP address for the private endpoint. ### Check connectivity using SQL Server Management Studio (SSMS) > [!NOTE] > Use the **Fully Qualified Domain Name (FQDN)** of the server in connection strings for your clients (`<server>.database.windows.net`). Any login attempts made directly to the IP address or using the private link FQDN (`<server>.privatelink.database.windows.net`) shall fail. This behavior is by design, since private endpoint routes traffic to the SQL Gateway in the region and the correct FQDN needs to be specified for logins to succeed.
-Follow the steps here to use [SSMS to connect to the SQL Database](connect-query-ssms.md). After you connect to the SQL Database using SSMS, verify that you're connecting from the private IP address of the Azure VM by running the following query:
+Follow the steps here to use [SSMS to connect to the SQL Database](connect-query-ssms.md). After you connect to the SQL Database using SSMS, the following query shall reflect client_net_address that matches the private IP address of the Azure VM you are connecting from:
```` select client_net_address from sys.dm_exec_connections where session_id=@@SPID ````
-## Data exfiltration prevention
-
-Data exfiltration in Azure SQL Database is when an authorized user, such as a database admin is able extract data from one system and move it another location or system outside the organization. For example, the user moves the data to a storage account owned by a third party.
+## On-premises connectivity over private peering
-Consider a scenario with a user running SQL Server Management Studio (SSMS) inside an Azure virtual machine connecting to a database in SQL Database. This database is in the West US data center. The example below shows how to limit access with public endpoints on SQL Database using network access controls.
+When customers connect to the public endpoint from on-premises machines, their IP address needs to be added to the IP-based firewall using a [Server-level firewall rule](firewall-create-server-level-portal-quickstart.md). While this model works well for allowing access to individual machines for dev or test workloads, it's difficult to manage in a production environment.
-1. Disable all Azure service traffic to SQL Database via the public endpoint by setting Allow Azure Services to **OFF**. Ensure no IP addresses are allowed in the server and database level firewall rules. For more information, see [Azure SQL Database and Azure Synapse Analytics network access controls](network-access-controls-overview.md).
-1. Only allow traffic to the database in SQL Database using the Private IP address of the VM. For more information, see the articles on [Service Endpoint](vnet-service-endpoint-rule-overview.md) and [virtual network firewall rules](firewall-configure.md).
-1. On the Azure VM, narrow down the scope of outgoing connection by using [Network Security Groups (NSGs)](../../virtual-network/manage-network-security-group.md) and Service Tags as follows
- - Specify an NSG rule to allow traffic for Service Tag = SQL.WestUs - only allowing connection to SQL Database in West US
- - Specify an NSG rule (with a **higher priority**) to deny traffic for Service Tag = SQL - denying connections to SQL Database in all regions
+With Private Link, customers can enable cross-premises access to the private endpoint using [ExpressRoute](../../expressroute/expressroute-introduction.md), private peering, or VPN tunneling. Customers can then disable all access via the public endpoint and not use the IP-based firewall to allow any IP addresses.
-At the end of this setup, the Azure VM can connect only to a database in SQL Database in the West US region. However, the connectivity isn't restricted to a single database in SQL Database. The VM can still connect to any database in the West US region, including the databases that aren't part of the subscription. While we've reduced the scope of data exfiltration in the above scenario to a specific region, we haven't eliminated it altogether.
+## Use cases of Private Link for Azure SQL Database
-With Private Link, customers can now set up network access controls like NSGs to restrict access to the private endpoint. Individual Azure PaaS resources are then mapped to specific private endpoints. A malicious insider can only access the mapped PaaS resource (for example a database in SQL Database) and no other resource.
+Clients can connect to the Private endpoint from the same virtual network, peered virtual network in same region, or via virtual network to virtual network connection across regions. Additionally, clients can connect from on-premises using ExpressRoute, private peering, or VPN tunneling. Below is a simplified diagram showing the common use cases.
-## Limitations
-Connections to private endpoint only support **Proxy** as the [connection policy](connectivity-architecture.md#connection-policy)
+ ![Diagram of connectivity options][1]
+In addition, services that are not running directly in the virtual network but are integrated with it (for example, App Service web apps or Functions) can also achieve private connectivity to the database. For more information on this specific use case, see the [Web app with private connectivity to Azure SQL database](/azure/architecture/example-scenario/private-web-app/private-web-app) architecture scenario.
## Connecting from an Azure VM in Peered Virtual Network
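Review bot: The `## Limitations` section is deleted here ("Connections to private endpoint only support **Proxy** as the connection policy") and none of the added lines restore it. If the restriction still applies it should stay, because the connectivity architecture article recommends Redirect and readers planning outbound rules need to know that private endpoint connections differ. Separately, in the reworded SSMS sentence `client_net_address` should be in code formatting, and "shall reflect" would read better as "returns".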
To establish connectivity from an on-premises environment to the database in SQL
- [Site-to-Site VPN connection](../../vpn-gateway/vpn-gateway-create-site-to-site-rm-powershell.md) - [ExpressRoute circuit](../../expressroute/expressroute-howto-linkvnet-portal-resource-manager.md) - ## Connecting from Azure Synapse Analytics to Azure Storage using Polybase and the COPY statement PolyBase and the COPY statement is commonly used to load data into Azure Synapse Analytics from Azure Storage accounts. If the Azure Storage account that you're loading data from limits access only to a set of virtual network subnets via Private Endpoints, Service Endpoints, or IP-based firewalls, the connectivity from PolyBase and the COPY statement to the account will break. For enabling both import and export scenarios with Azure Synapse Analytics connecting to Azure Storage that's secured to a virtual network, follow the steps provided [here](vnet-service-endpoint-rule-overview.md#impact-of-using-virtual-network-service-endpoints-with-azure-storage).
+## Data exfiltration prevention
+
+Data exfiltration in Azure SQL Database is when a user, such as a database admin is able extract data from one system and move it another location or system outside the organization. For example, the user moves the data to a storage account owned by a third party.
+
+Consider a scenario with a user running SQL Server Management Studio (SSMS) inside an Azure virtual machine connecting to a database in SQL Database. This database is in the West US data center. The example below shows how to limit access with public endpoints on SQL Database using network access controls.
+
+1. Disable all Azure service traffic to SQL Database via the public endpoint by setting Allow Azure Services to **OFF**. Ensure no IP addresses are allowed in the server and database level firewall rules. For more information, see [Azure SQL Database and Azure Synapse Analytics network access controls](network-access-controls-overview.md).
+1. Only allow traffic to the database in SQL Database using the Private IP address of the VM. For more information, see the articles on [Service Endpoint](vnet-service-endpoint-rule-overview.md) and [virtual network firewall rules](firewall-configure.md).
+1. On the Azure VM, narrow down the scope of outgoing connection by using [Network Security Groups (NSGs)](../../virtual-network/manage-network-security-group.md) and Service Tags as follows
+ - Specify an NSG rule to allow traffic for Service Tag = SQL.WestUs - only allowing connection to SQL Database in West US
+ - Specify an NSG rule (with a **higher priority**) to deny traffic for Service Tag = SQL - denying connections to SQL Database in all regions
+
+At the end of this setup, the Azure VM can connect only to a database in SQL Database in the West US region. However, the connectivity isn't restricted to a single database in SQL Database. The VM can still connect to any database in the West US region, including the databases that aren't part of the subscription. While we've reduced the scope of data exfiltration in the above scenario to a specific region, we haven't eliminated it altogether.
+
+With Private Link, customers can now set up network access controls like NSGs to restrict access to the private endpoint. Individual Azure PaaS resources are then mapped to specific private endpoints. A malicious insider can only access the mapped PaaS resource (for example a database in SQL Database) and no other resource.
+ ## Next steps - For an overview of Azure SQL Database security, see [Securing your database](security-overview.md)
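Review bot: In the relocated Data exfiltration prevention section, the deny rule for Service Tag = SQL is described as having "a **higher priority**" than the allow rule for SQL.WestUs. NSG rules are evaluated in priority order with lower numbers first, and the text itself says the SQL tag denies SQL Database in all regions, so a deny evaluated before the allow would block West US too. Since this text is being moved anyway, reword it to say the deny rule needs a higher priority number, so it is evaluated after the allow. The intro sentence also still reads "is able extract data" and "move it another location"; both are missing "to".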
PolyBase and the COPY statement is commonly used to load data into Azure Synapse
- You may also be interested in the [Web app with private connectivity to Azure SQL database](/azure/architecture/example-scenario/private-web-app/private-web-app) architecture scenario, which connects a web application outside of the virtual network to the private endpoint of a database. <!--Image references-->
-[1]: media/quickstart-create-single-database/pe-connect-overview.png
-[2]: media/quickstart-create-single-database/telnet-result.png
-[3]: media/quickstart-create-single-database/pec-list-before.png
-[4]: media/quickstart-create-single-database/pec-approve.png
-[5]: media/quickstart-create-single-database/pec-list-after.png
-[6]: media/quickstart-create-single-database/pec-select.png
+[1]: media/private-endpoint/pe-connect-overview.png
+[2]: media/private-endpoint/telnet-result.png
+[3]: media/private-endpoint/pec-list-before.png
+[4]: media/private-endpoint/pec-approve.png
+[5]: media/private-endpoint/pec-list-after.png
+[6]: media/private-endpoint/pec-select.png
+[7]: media/private-endpoint/pec-click.png
+[8]: media/private-endpoint/pec-nic-click.png
+[9]: media/private-endpoint/pec-ip-display.png
azure-sql Sql Data Sync Data Sql Server Sql Database https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/sql-data-sync-data-sql-server-sql-database.md
Provisioning and deprovisioning during sync group creation, update, and deletion
- Columns with User-Defined Data Types aren't supported - Moving servers between different subscriptions isn't supported. - If two primary keys are only different in case (e.g. Foo and foo), Data Sync won't support this scenario.
+- Truncating tables is not an operation supported by Data Sync (changes won't be tracked).
#### Unsupported data types
azure-sql Sql Database Vulnerability Assessment Rules https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/sql-database-vulnerability-assessment-rules.md
Previously updated : 03/17/2021 Last updated : 05/06/2021 # SQL Vulnerability Assessment rules reference guide This article lists the set of built-in rules that are used to flag security vulnerabilities and highlight deviations from best practices, such as misconfigurations, excessive permissions, and unprotected sensitive data. The rules are based on Microsoft's best practices and focus on the security issues that present the biggest risks to your database and its valuable data. They cover both database-level issues as well as server-level security issues, like server firewall settings and server-level permissions. These rules also represent many of the requirements from various regulatory bodies to meet their compliance standards.
azure-sql Create Template Quickstart https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/managed-instance/create-template-quickstart.md
This quickstart focuses on the process of deploying an Azure Resource Manager te
If your environment meets the prerequisites and you're familiar with using ARM templates, select the **Deploy to Azure** button. The template will open in the Azure portal.
-[![Deploy to Azure](../../media/template-deployments/deploy-to-azure.svg)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2F101-sqlmi-new-vnet%2Fazuredeploy.json)
+[![Deploy to Azure](../../media/template-deployments/deploy-to-azure.svg)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fquickstarts%2Fmicrosoft.sql%2Fsqlmi-new-vnet%2Fazuredeploy.json)
## Prerequisites
If you don't have an Azure subscription, [create a free account](https://azure.m
The template used in this quickstart is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/101-sqlmi-new-vnet/). These resources are defined in the template:
Select **Try it** from the following PowerShell code block to open Azure Cloud S
```azurepowershell-interactive $projectName = Read-Host -Prompt "Enter a project name that is used for generating resource names" $location = Read-Host -Prompt "Enter the location (i.e. centralus)"
-$templateUri = "https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/101-sqlmi-new-vnet/azuredeploy.json"
+$templateUri = "https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/quickstarts/microsoft.sql/sqlmi-new-vnet/azuredeploy.json"
$resourceGroupName = "${projectName}rg"
Read-Host -Prompt "Press [ENTER] to continue ..."
```azurecli-interactive read -p "Enter a project name that is used for generating resource names:" projectName && read -p "Enter the location (i.e. centralus):" location &&
-templateUri="https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/101-sqlmi-new-vnet/azuredeploy.json" &&
+templateUri="https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/quickstarts/microsoft.sql/sqlmi-new-vnet/azuredeploy.json" &&
resourceGroupName="${projectName}rg" && az group create --name $resourceGroupName --location "$location" && az deployment group create --resource-group $resourceGroupName --template-uri $templateUri &&
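Review bot: The template path is updated in the Deploy to Azure button and in both `templateUri` assignments, but the sentence "The template used in this quickstart is from Azure Quickstart Templates" still links to `.../resources/templates/101-sqlmi-new-vnet/`. Please check that the gallery link still resolves after the rename. A smaller point: all three URIs fetch `azuredeploy.json` from the `master` branch at deploy time, so what gets deployed can change without the article changing. Consider telling readers to review the template before deploying.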
azure-vmware Configure Site To Site Vpn Gateway https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-vmware/configure-site-to-site-vpn-gateway.md
Title: Configure a VPN gateway into Azure VMware Solution
+ Title: Configure a site-to-site VPN in vWAN for Azure VMware Solution
description: Learn how to establish a VPN (IPsec IKEv1 and IKEv2) site-to-site tunnel into Azure VMware Solutions. Last updated 03/23/2021
-# Configure a VPN gateway into Azure VMware Solution
+# Configure a site-to-site VPN in vWAN for Azure VMware Solution
In this article, we'll go through the steps to establish a VPN (IPsec IKEv1 and IKEv2) site-to-site tunnel terminating in the Microsoft Azure Virtual WAN hub. The hub contains the Azure VMware Solution ExpressRoute gateway and the site-to-site VPN gateway. It connects an on-premise VPN device with an Azure VMware Solution endpoint.
backup Backup Azure Vms Encryption https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/backup-azure-vms-encryption.md
Encrypted VMs can only be restored by restoring the VM disk as explained below.
Restore encrypted VMs as follows: 1. [Restore the VM disk](backup-azure-arm-restore-vms.md#restore-disks).+
+ > [!NOTE]
+ > After you restore the VM disk, swap the OS disk of the original VM with the restored VM disk without re-creating it. [Learn more](https://azure.microsoft.com/blog/os-disk-swap-managed-disks/).
+ 2. Recreate the virtual machine instance by doing one of the following actions: 1. Use the template that's generated during the restore operation to customize VM settings, and trigger VM deployment. [Learn more](backup-azure-arm-restore-vms.md#use-templates-to-customize-a-restored-vm). 2. Create a new VM from the restored disks using PowerShell. [Learn more](backup-azure-vms-automation.md#create-a-vm-from-restored-disks).
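Review bot: The new note under step 1 tells readers to swap the OS disk of the original VM with the restored disk "without re-creating it", but step 2 immediately says to recreate the virtual machine instance. It is unclear whether the swap is an alternative to step 2 or an extra action before it. Please state which, and if it is an alternative, list it as an option alongside the two existing ones rather than as a note on step 1.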
backup Backup Blobs Storage Account Ps https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/backup-blobs-storage-account-ps.md
In this article, you'll learn how to:
For information on the Azure blob region availability, supported scenarios and limitations, see the [support matrix](blob-backup-support-matrix.md).
+> [!IMPORTANT]
+> Support for Azure blobs is available from Az 5.9.0 version.
+ ## Create a Backup vault A Backup vault is a storage entity in Azure that holds backup data for various newer workloads that Azure Backup supports, such as Azure Database for PostgreSQL servers, Azure blobs and Azure blobs. Backup vaults make it easy to organize your backup data, while minimizing management overhead. Backup vaults are based on the Azure Resource Manager model of Azure, which provides enhanced capabilities to help secure backup data.
-Before creating a backup vault, choose the storage redundancy of the data within the vault. Then proceed to create the backup vault with that storage redundancy and the location. In this article, we will create a backup vault _TestBkpVault_ in region _westus_, under the resource group _testBkpVaultRG_. Use the [New-AzDataProtectionBackupVault](/powershell/module/az.dataprotection/new-azdataprotectionbackupvault?view=azps-5.7.0&preserve-view=true) command to create a backup vault.Learn more about [creating a Backup vault](./backup-vault-overview.md#create-a-backup-vault).
+Before creating a backup vault, choose the storage redundancy of the data within the vault. Then proceed to create the backup vault with that storage redundancy and the location. In this article, we will create a backup vault _TestBkpVault_ in region _westus_, under the resource group _testBkpVaultRG_. Use the [New-AzDataProtectionBackupVault](/powershell/module/az.dataprotection/new-azdataprotectionbackupvault?view=azps-5.9.0&preserve-view=true) command to create a backup vault.Learn more about [creating a Backup vault](./backup-vault-overview.md#create-a-backup-vault).
```azurepowershell-interactive $storageSetting = New-AzDataProtectionBackupVaultStorageSettingObject -Type LocallyRedundant/GeoRedundant -DataStoreType VaultStore
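Review bot: "Support for Azure blobs is available from Az 5.9.0 version" in the new IMPORTANT note is easy to misread; suggest "Azure blob backup requires version 5.9.0 or later of the Az PowerShell module". The edited line that links `New-AzDataProtectionBackupVault` still has "backup vault.Learn more" with no space after the period. The unchanged paragraph above it lists "Azure blobs and Azure blobs", which is worth fixing while this section is open.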
After creation of vault, let's create a backup policy to protect Azure blobs.
> [!IMPORTANT] > Read [this section](blob-backup-configure-manage.md#before-you-start) before proceeding to create the policy and configuring backups for Azure blobs.
-To understand the inner components of a backup policy for Azure blob backup, retrieve the policy template using the [Get-AzDataProtectionPolicyTemplate](/powershell/module/az.dataprotection/get-azdataprotectionpolicytemplate?view=azps-5.7.0&preserve-view=true) command. This command returns a default policy template for a given datasource type. Use this policy template to create a new policy.
+To understand the inner components of a backup policy for Azure blob backup, retrieve the policy template using the [Get-AzDataProtectionPolicyTemplate](/powershell/module/az.dataprotection/get-azdataprotectionpolicytemplate?view=azps-5.9.0&preserve-view=true) command. This command returns a default policy template for a given datasource type. Use this policy template to create a new policy.
```azurepowershell-interactive $policyDefn = Get-AzDataProtectionPolicyTemplate -DatasourceType AzureBlob
TargetDataStoreCopySetting :
> [!NOTE] > Restoring over long durations may lead to restore operations taking longer to complete. Also, the time that it takes to restore a set of data is based on the number of write and delete operations made during the restore period. For example, an account with one million objects with 3,000 objects added per day and 1,000 objects deleted per day will require approximately two hours to restore to a point 30 days in the past.<br><br>We do not recommend a retention period and restoration more than 90 days in the past for an account with this rate of change.
-Once the policy object has all the desired values, proceed to create a new policy from the policy object using the [New-AzDataProtectionBackupPolicy](/powershell/module/az.dataprotection/new-azdataprotectionbackuppolicy?view=azps-5.7.0&preserve-view=true) command.
+Once the policy object has all the desired values, proceed to create a new policy from the policy object using the [New-AzDataProtectionBackupPolicy](/powershell/module/az.dataprotection/new-azdataprotectionbackuppolicy?view=azps-5.9.0&preserve-view=true) command.
```azurepowershell-interactive New-AzDataProtectionBackupPolicy -ResourceGroupName "testBkpVaultRG" -VaultName $TestBkpVault.Name -Name blobBkpPolicy -Policy $policyDefn
You need to assign a few permissions via RBAC to vault (represented by vault MSI
### Prepare the request
-Once all the relevant permissions are set, the configuration of backup is performed in 2 steps. First, we prepare the relevant request by using the relevant vault, policy, storage account using the [Initialize-AzDataProtectionBackupInstance](/powershell/module/az.dataprotection/initialize-azdataprotectionbackupinstance?view=azps-5.7.0&preserve-view=true) command. Then, we submit the request to protect the blobs within the storage account using the [New-AzDataProtectionBackupInstance](/powershell/module/az.dataprotection/new-azdataprotectionbackupinstance?view=azps-5.7.0&preserve-view=true) command.
+Once all the relevant permissions are set, the configuration of backup is performed in 2 steps. First, we prepare the relevant request by using the relevant vault, policy, storage account using the [Initialize-AzDataProtectionBackupInstance](/powershell/module/az.dataprotection/initialize-azdataprotectionbackupinstance?view=azps-5.9.0&preserve-view=true) command. Then, we submit the request to protect the blobs within the storage account using the [New-AzDataProtectionBackupInstance](/powershell/module/az.dataprotection/new-azdataprotectionbackupinstance?view=azps-5.9.0&preserve-view=true) command.
```azurepowershell-interactive $instance = Initialize-AzDataProtectionBackupInstance -DatasourceType AzureBlob -DatasourceLocation $TestBkpvault.Location -PolicyId $blobBkpPol[0].Id -DatasourceId $SAId
backup Restore Blobs Storage Account Ps https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/restore-blobs-storage-account-ps.md
Last updated 05/05/2021
This article describes how to restore [blobs](blob-backup-overview.md) to any point-in-time using Azure Backup.
+> [!IMPORTANT]
+> Support for Azure blobs is available from Az 5.9.0 version.
+ > [!IMPORTANT] > Before proceeding to restore Azure blobs using Azure Backup, see [important points](blob-restore.md#before-you-start).
$startDate = (Get-Date).AddDays(-30)
$endDate = Get-Date ```
-First fetch all instances using [Get-AzDataProtectionBackupInstance](/powershell/module/az.dataprotection/get-azdataprotectionbackupinstance?view=azps-5.7.0&preserve-view=true) command and identify the relevant instance.
+First fetch all instances using [Get-AzDataProtectionBackupInstance](/powershell/module/az.dataprotection/get-azdataprotectionbackupinstance?view=azps-5.9.0&preserve-view=true) command and identify the relevant instance.
```azurepowershell-interactive $AllInstances = Get-AzDataProtectionBackupInstance -ResourceGroupName "testBkpVaultRG" -VaultName $TestBkpVault.Name ```
-You can also use Az.Resourcegraph and the [Search-AzDataProtectionBackupInstanceInAzGraph](/powershell/module/az.dataprotection/search-azdataprotectionbackupinstanceinazgraph?view=azps-5.7.0&preserve-view=true) command to search across instances in many vaults and subscriptions.
+You can also use Az.Resourcegraph and the [Search-AzDataProtectionBackupInstanceInAzGraph](/powershell/module/az.dataprotection/search-azdataprotectionbackupinstanceinazgraph?view=azps-5.9.0&preserve-view=true) command to search across instances in many vaults and subscriptions.
```azurepowershell-interactive $AllInstances = Search-AzDataProtectionBackupInstanceInAzGraph -ResourceGroupName "testBkpVaultRG" -VaultName $TestBkpVault.Name -DatasourceType AzureBlob -ProtectionStatus ProtectionConfigured ```
-Once the instance is identified then fetch the relevant recovery range using the Find-AzDataProtectionRestorableTimeRange command.
+Once the instance is identified then fetch the relevant recovery range using the [Find-AzDataProtectionRestorableTimeRange](/powershell/module/az.dataprotection/find-azdataprotectionrestorabletimerange) command.
```azurepowershell-interactive Find-AzDataProtectionRestorableTimeRange -ResourceGroupName "testBkpVaultRG" -VaultName $TestBkpVault.Name -BackupInstanceName $AllInstances[2].BackupInstanceName -StartTime $startDate -endTime $endDate
+EndTime : 2021-04-24T08:57:36.4149422Z
+ObjectType : RestorableTimeRange
+StartTime : 2021-03-25T14:27:31.0000000Z
+ $DesiredPIT = (Get-Date -Date "2021-04-23T02:47:02.9500000Z") ``` ### Preparing the restore request
-Once the point-in-time to restore is fixed, there are multiple options to restore. Use the [Initialize-AzDataProtectionRestoreRequest](/powershell/module/az.dataprotection/initialize-azdataprotectionrestorerequest?view=azps-5.7.0&preserve-view=true) command to prepare the restore request with all relevant details.
+Once the point-in-time to restore is fixed, there are multiple options to restore. Use the [Initialize-AzDataProtectionRestoreRequest](/powershell/module/az.dataprotection/initialize-azdataprotectionrestorerequest?view=azps-5.9.0&preserve-view=true) command to prepare the restore request with all relevant details.
#### Restoring all the blobs to a point-in-time
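Review bot: The new link for Find-AzDataProtectionRestorableTimeRange omits the `?view=azps-5.9.0&preserve-view=true` suffix that every other cmdlet link touched in this change carries, so it is the only link not pinned to the version the article now requires; add the suffix for consistency. The added sample output (EndTime, ObjectType, StartTime) also appears to sit between the command and the `$DesiredPIT` assignment inside the same code block; a separate output block would keep the copyable commands clean.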
$restorerequest = Initialize-AzDataProtectionRestoreRequest -DatasourceType Azur
### Trigger the restore
-Use the [Start-AzDataProtectionBackupInstanceRestore](/powershell/module/az.dataprotection/start-azdataprotectionbackupinstancerestore?view=azps-5.7.0&preserve-view=true) command to trigger the restore with the request prepared above.
+Use the [Start-AzDataProtectionBackupInstanceRestore](/powershell/module/az.dataprotection/start-azdataprotectionbackupinstancerestore?view=azps-5.9.0&preserve-view=true) command to trigger the restore with the request prepared above.
```azurepowershell-interactive Start-AzDataProtectionBackupInstanceRestore -BackupInstanceName $AllInstances[2].BackupInstanceName -ResourceGroupName "testBkpVaultRG" -VaultName $TestBkpVault.Name -Parameter $restorerequest
Start-AzDataProtectionBackupInstanceRestore -BackupInstanceName $AllInstances[2]
## Tracking job
-Track all jobs using the [Get-AzDataProtectionJob](/powershell/module/az.dataprotection/get-azdataprotectionjob?view=azps-5.7.0&preserve-view=true) command. You can list all jobs and fetch a particular job detail.
+Track all jobs using the [Get-AzDataProtectionJob](/powershell/module/az.dataprotection/get-azdataprotectionjob?view=azps-5.9.0&preserve-view=true) command. You can list all jobs and fetch a particular job detail.
-You can also use Az.ResourceGraph to track all jobs across all backup vaults. Use the [Search-AzDataProtectionJobInAzGraph](/powershell/module/az.dataprotection/search-azdataprotectionjobinazgraph?view=azps-5.7.0&preserve-view=true) command to get the relevant job which can be across any backup vault.
+You can also use Az.ResourceGraph to track all jobs across all backup vaults. Use the [Search-AzDataProtectionJobInAzGraph](/powershell/module/az.dataprotection/search-azdataprotectionjobinazgraph?view=azps-5.9.0&preserve-view=true) command to get the relevant job which can be across any backup vault.
```azurepowershell-interactive $job = Search-AzDataProtectionJobInAzGraph -Subscription $sub -ResourceGroupName "testBkpVaultRG" -Vault $TestBkpVault.Name -DatasourceType AzureBlob -Operation Restore
cloud-services-extended-support Deploy Sdk https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cloud-services-extended-support/deploy-sdk.md
This article shows how to use the [Azure SDK](https://azure.microsoft.com/downloads/) to deploy a Cloud Services (extended support) instance that has multiple roles (web role and worker role) and the remote desktop extension. Cloud Services (extended support) is a deployment model of Azure Cloud Services that's based on Azure Resource Manager.
-> [!IMPORTANT]
-> Cloud Services (extended support) is currently in public preview. This preview version is provided without a service-level agreement, and we don't recommend it for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
- ## Before you begin Review the [deployment prerequisites](deploy-prerequisite.md) for Cloud Services (extended support) and create associated resources.
cloud-services Cloud Services Nodejs Chat App Socketio https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cloud-services/cloud-services-nodejs-chat-app-socketio.md
Title: Node.js application using Socket.io - Azure
-description: Use this tutorial to learn how to host a socket.IO-based chat application on Azure. Socket.IO provides real time communication for a node.js server and clients.
+description: Use this tutorial to learn how to host a socket.IO-based chat application on Azure. Socket.IO provides real time communication for a Node.js server and clients.
Last updated 10/14/2020
> [!IMPORTANT] > [Azure Cloud Services (extended support)](../cloud-services-extended-support/overview.md) is a new Azure Resource Manager based deployment model for the Azure Cloud Services product. With this change, Azure Cloud Services running on the Azure Service Manager based deployment model have been renamed as Cloud Services (classic) and all new deployments should use [Cloud Services (extended support)](../cloud-services-extended-support/overview.md).
-Socket.IO provides real time communication between your node.js
+Socket.IO provides real time communication between your Node.js
server and clients. This tutorial walks you through hosting a socket.IO based chat application on Azure. For more information on Socket.IO, see [socket.io](https://socket.io).
For more information, see also the [Node.js Developer Center](/azure/developer/j
[chat-contents]: ./media/cloud-services-nodejs-chat-app-socketio/socketio-5.png [The-output-of-the-npm-install-command]: ./media/cloud-services-nodejs-chat-app-socketio/socketio-7.png
-[The output of the Publish-AzureService command]: ./media/cloud-services-nodejs-chat-app-socketio/socketio-9.png
+[The output of the Publish-AzureService command]: ./media/cloud-services-nodejs-chat-app-socketio/socketio-9.png
cognitive-services Luis Reference Prebuilt Entities https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/LUIS/luis-reference-prebuilt-entities.md
Previously updated : 04/13/2021 Last updated : 05/05/2021
The following entities are supported:
[DatetimeV2](luis-reference-prebuilt-datetimev2.md):<br>date<br>daterange<br>time<br>timerange | V2, V3 | [Dimension](luis-reference-prebuilt-dimension.md):<br>volume<br>area<br>weight<br>information (ex: bit/byte)<br>length (ex: meter)<br>speed (ex: mile per hour) | V2, V3 | [Email](luis-reference-prebuilt-email.md) | V2, V3 |
-[GeographyV2](luis-reference-prebuilt-geographyV2.md) | - |
-[KeyPhrase](luis-reference-prebuilt-keyphrase.md) | - |
[Number](luis-reference-prebuilt-number.md) | V2, V3 | [Ordinal](luis-reference-prebuilt-ordinal.md) | V2, V3 |
-[OrdinalV2](luis-reference-prebuilt-ordinal-v2.md) | - |
[Percentage](luis-reference-prebuilt-percentage.md) | V2, V3 | [PersonName](luis-reference-prebuilt-person.md) | V2, V3 | [Phonenumber](luis-reference-prebuilt-phonenumber.md) | V2, V3 | [Temperature](luis-reference-prebuilt-temperature.md):<br>fahrenheit<br>kelvin<br>rankine<br>delisle<br>celsius | V2, V3 | [URL](luis-reference-prebuilt-url.md) | V2, V3 |
+<![GeographyV2](luis-reference-prebuilt-geographyV2.md) | - |-->
+<![KeyPhrase](luis-reference-prebuilt-keyphrase.md) | - |-->
+<![OrdinalV2](luis-reference-prebuilt-ordinal-v2.md) | - |-->
## Dutch entity support
The following entities are supported:
| | :: | [Age](luis-reference-prebuilt-age.md):<br>year<br>month<br>week<br>day | V2, V3 | [Currency (money)](luis-reference-prebuilt-currency.md):<br>dollar<br>fractional unit (ex: penny) | V2, V3 |
-[Datetime](luis-reference-prebuilt-deprecated.md) | - |
[Dimension](luis-reference-prebuilt-dimension.md):<br>volume<br>area<br>weight<br>information (ex: bit/byte)<br>length (ex: meter)<br>speed (ex: mile per hour) | V2, V3 | [Email](luis-reference-prebuilt-email.md) | V2, V3 |
-[GeographyV2](luis-reference-prebuilt-geographyV2.md) | - |
[KeyPhrase](luis-reference-prebuilt-keyphrase.md) | V2, V3 | [Number](luis-reference-prebuilt-number.md) | V2, V3 | [Ordinal](luis-reference-prebuilt-ordinal.md) | V2, V3 |
-[OrdinalV2](luis-reference-prebuilt-ordinal-v2.md) | - |
[Percentage](luis-reference-prebuilt-percentage.md) | V2, V3 |
-[PersonName](luis-reference-prebuilt-person.md) | - |
[Phonenumber](luis-reference-prebuilt-phonenumber.md) | V2, V3 | [Temperature](luis-reference-prebuilt-temperature.md):<br>fahrenheit<br>kelvin<br>rankine<br>delisle<br>celsius | V2, V3 | [URL](luis-reference-prebuilt-url.md) | V2, V3 |
+<![Datetime](luis-reference-prebuilt-deprecated.md) | - |-->
+<![GeographyV2](luis-reference-prebuilt-geographyV2.md) | - |-->
+<![OrdinalV2](luis-reference-prebuilt-ordinal-v2.md) | - |-->
+<![PersonName](luis-reference-prebuilt-person.md) | - |-->
## English (American) entity support
The following entities are supported:
[KeyPhrase](luis-reference-prebuilt-keyphrase.md) | V2, V3 | [Number](luis-reference-prebuilt-number.md) | V2, V3 | [Ordinal](luis-reference-prebuilt-ordinal.md) | V2, V3 |
-[OrdinalV2](luis-reference-prebuilt-ordinal-v2.md) | - |
[Percentage](luis-reference-prebuilt-percentage.md) | V2, V3 |
-[PersonName](luis-reference-prebuilt-person.md) | - |
[Phonenumber](luis-reference-prebuilt-phonenumber.md) | V2, V3 | [Temperature](luis-reference-prebuilt-temperature.md):<br>fahrenheit<br>kelvin<br>rankine<br>delisle<br>celsius | V2, V3 | [URL](luis-reference-prebuilt-url.md) | V2, V3 |
+<![OrdinalV2](luis-reference-prebuilt-ordinal-v2.md) | - |-->
+<![PersonName](luis-reference-prebuilt-person.md) | - |-->
## French (Canadian) entity support
The following entities are supported:
[DatetimeV2](luis-reference-prebuilt-datetimev2.md):<br>date<br>daterange<br>time<br>timerange | V2, V3 | [Dimension](luis-reference-prebuilt-dimension.md):<br>volume<br>area<br>weight<br>information (ex: bit/byte)<br>length (ex: meter)<br>speed (ex: mile per hour) | V2, V3 | [Email](luis-reference-prebuilt-email.md) | V2, V3 |
-[GeographyV2](luis-reference-prebuilt-geographyV2.md) | - |
[KeyPhrase](luis-reference-prebuilt-keyphrase.md) | V2, V3 | [Number](luis-reference-prebuilt-number.md) | V2, V3 | [Ordinal](luis-reference-prebuilt-ordinal.md) | V2, V3 |
-[OrdinalV2](luis-reference-prebuilt-ordinal-v2.md) | - |
[Percentage](luis-reference-prebuilt-percentage.md) | V2, V3 |
-[PersonName](luis-reference-prebuilt-person.md) | - |
[Phonenumber](luis-reference-prebuilt-phonenumber.md) | V2, V3 | [Temperature](luis-reference-prebuilt-temperature.md):<br>fahrenheit<br>kelvin<br>rankine<br>delisle<br>celsius | V2, V3 | [URL](luis-reference-prebuilt-url.md) | V2, V3 |
+<![GeographyV2](luis-reference-prebuilt-geographyV2.md) | - |-->
+<![OrdinalV2](luis-reference-prebuilt-ordinal-v2.md) | - |-->
+<![PersonName](luis-reference-prebuilt-person.md) | - |-->
## German entity support
The following entities are supported:
[DatetimeV2](luis-reference-prebuilt-datetimev2.md):<br>date<br>daterange<br>time<br>timerange | V2, V3 | [Dimension](luis-reference-prebuilt-dimension.md):<br>volume<br>area<br>weight<br>information (ex: bit/byte)<br>length (ex: meter)<br>speed (ex: mile per hour) | V2, V3 | [Email](luis-reference-prebuilt-email.md) | V2, V3 |
-[GeographyV2](luis-reference-prebuilt-geographyV2.md) | - |
[KeyPhrase](luis-reference-prebuilt-keyphrase.md) | V2, V3 | [Number](luis-reference-prebuilt-number.md) | V2, V3 | [Ordinal](luis-reference-prebuilt-ordinal.md) | V2, V3 |
-[OrdinalV2](luis-reference-prebuilt-ordinal-v2.md) | - |
[Percentage](luis-reference-prebuilt-percentage.md) | V2, V3 |
-[PersonName](luis-reference-prebuilt-person.md) | - |
[Phonenumber](luis-reference-prebuilt-phonenumber.md) | V2, V3 | [Temperature](luis-reference-prebuilt-temperature.md):<br>fahrenheit<br>kelvin<br>rankine<br>delisle<br>celsius | V2, V3 | [URL](luis-reference-prebuilt-url.md) | V2, V3 |
+<![GeographyV2](luis-reference-prebuilt-geographyV2.md) | - |-->
+<![OrdinalV2](luis-reference-prebuilt-ordinal-v2.md) | - |-->
+<![PersonName](luis-reference-prebuilt-person.md) | - |-->
## Italian entity support
The following entities are supported:
| | :: | [Age](luis-reference-prebuilt-age.md):<br>year<br>month<br>week<br>day | V2, V3 | [Currency (money)](luis-reference-prebuilt-currency.md):<br>dollar<br>fractional unit (ex: penny) | V2, V3 |
-[Datetime](luis-reference-prebuilt-deprecated.md) | - |
+[DatetimeV2](luis-reference-prebuilt-datetimev2.md):<br>date<br>daterange<br>time<br>timerange | V2, V3 |
[Dimension](luis-reference-prebuilt-dimension.md):<br>volume<br>area<br>weight<br>information (ex: bit/byte)<br>length (ex: meter)<br>speed (ex: mile per hour) | V2, V3 | [Email](luis-reference-prebuilt-email.md) | V2, V3 |
-[GeographyV2](luis-reference-prebuilt-geographyV2.md) | - |
[KeyPhrase](luis-reference-prebuilt-keyphrase.md) | V2, V3 | [Number](luis-reference-prebuilt-number.md) | V2, V3 | [Ordinal](luis-reference-prebuilt-ordinal.md) | V2, V3 |
-[OrdinalV2](luis-reference-prebuilt-ordinal-v2.md) | - |
[Percentage](luis-reference-prebuilt-percentage.md) | V2, V3 |
-[PersonName](luis-reference-prebuilt-person.md) | - |
[Phonenumber](luis-reference-prebuilt-phonenumber.md) | V2, V3 | [Temperature](luis-reference-prebuilt-temperature.md):<br>fahrenheit<br>kelvin<br>rankine<br>delisle<br>celsius | V2, V3 | [URL](luis-reference-prebuilt-url.md) | V2, V3 |
+<![GeographyV2](luis-reference-prebuilt-geographyV2.md) | - |-->
+<![OrdinalV2](luis-reference-prebuilt-ordinal-v2.md) | - |-->
+<![PersonName](luis-reference-prebuilt-person.md) | - |-->
## Japanese entity support
The following entities are supported:
| -- | :: | [Age](luis-reference-prebuilt-age.md):<br>year<br>month<br>week<br>day | V2, - | [Currency (money)](luis-reference-prebuilt-currency.md):<br>dollar<br>fractional unit (ex: penny) | V2, - |
-[Datetime](luis-reference-prebuilt-deprecated.md) | - |
[Dimension](luis-reference-prebuilt-dimension.md):<br>volume<br>area<br>weight<br>information (ex: bit/byte)<br>length (ex: meter)<br>speed (ex: mile per hour) | V2, - | [Email](luis-reference-prebuilt-email.md) | V2, V3 |
-[GeographyV2](luis-reference-prebuilt-geographyV2.md) | - |
[KeyPhrase](luis-reference-prebuilt-keyphrase.md) | V2, V3 | [Number](luis-reference-prebuilt-number.md) | V2, - | [Ordinal](luis-reference-prebuilt-ordinal.md) | V2, - |
-[OrdinalV2](luis-reference-prebuilt-ordinal-v2.md) | - |
[Percentage](luis-reference-prebuilt-percentage.md) | V2, - |
-[PersonName](luis-reference-prebuilt-person.md) | - |
[Phonenumber](luis-reference-prebuilt-phonenumber.md) | V2, V3 | [Temperature](luis-reference-prebuilt-temperature.md):<br>fahrenheit<br>kelvin<br>rankine<br>delisle<br>celsius | V2, - | [URL](luis-reference-prebuilt-url.md) | V2, V3 |
+<![Datetime](luis-reference-prebuilt-deprecated.md) | - |-->
+<![GeographyV2](luis-reference-prebuilt-geographyV2.md) | - |-->
+<![OrdinalV2](luis-reference-prebuilt-ordinal-v2.md) | - |-->
+<![PersonName](luis-reference-prebuilt-person.md) | - |-->
## Korean entity support
The following entities are supported:
| Prebuilt entity | ko-KR | | | :: |
-[Age](luis-reference-prebuilt-age.md):<br>year<br>month<br>week<br>day | - |
-[Currency (money)](luis-reference-prebuilt-currency.md):<br>dollar<br>fractional unit (ex: penny) | - |
-[Datetime](luis-reference-prebuilt-deprecated.md) | - |
-[Dimension](luis-reference-prebuilt-dimension.md):<br>volume<br>area<br>weight<br>information (ex: bit/byte)<br>length (ex: meter)<br>speed (ex: mile per hour) | - |
[Email](luis-reference-prebuilt-email.md) | V2, V3 |
-[GeographyV2](luis-reference-prebuilt-geographyV2.md) | - |
[KeyPhrase](luis-reference-prebuilt-keyphrase.md) | V2, V3 |
-[Number](luis-reference-prebuilt-number.md) | - |
-[Ordinal](luis-reference-prebuilt-ordinal.md) | - |
-[OrdinalV2](luis-reference-prebuilt-ordinal-v2.md) | - |
-[Percentage](luis-reference-prebuilt-percentage.md) | - |
-[PersonName](luis-reference-prebuilt-person.md) | - |
[Phonenumber](luis-reference-prebuilt-phonenumber.md) | V2, V3 |
-[Temperature](luis-reference-prebuilt-temperature.md):<br>fahrenheit<br>kelvin<br>rankine<br>delisle<br>celsius | - |
[URL](luis-reference-prebuilt-url.md) | V2, V3 |
+<![Age](luis-reference-prebuilt-age.md):<br>year<br>month<br>week<br>day | - |-->
+<![Currency (money)](luis-reference-prebuilt-currency.md):<br>dollar<br>fractional unit (ex: penny) | - |-->
+<![Datetime](luis-reference-prebuilt-deprecated.md) | - |-->
+<![Dimension](luis-reference-prebuilt-dimension.md):<br>volume<br>area<br>weight<br>information (ex: bit/byte)<br>length (ex: meter)<br>speed (ex: mile per hour) | - |-->
+<![GeographyV2](luis-reference-prebuilt-geographyV2.md) | - |-->
+<![Number](luis-reference-prebuilt-number.md) | - |-->
+<![Ordinal](luis-reference-prebuilt-ordinal.md) | - |-->
+<![OrdinalV2](luis-reference-prebuilt-ordinal-v2.md) | - |-->
+<![Percentage](luis-reference-prebuilt-percentage.md) | - |-->
+<![PersonName](luis-reference-prebuilt-person.md) | - |-->
+<![Temperature](luis-reference-prebuilt-temperature.md):<br>fahrenheit<br>kelvin<br>rankine<br>delisle<br>celsius | - |-->
## Portuguese (Brazil) entity support
The following entities are supported:
[DatetimeV2](luis-reference-prebuilt-datetimev2.md):<br>date<br>daterange<br>time<br>timerange | V2, V3 | [Dimension](luis-reference-prebuilt-dimension.md):<br>volume<br>area<br>weight<br>information (ex: bit/byte)<br>length (ex: meter)<br>speed (ex: mile per hour) | V2, V3 | [Email](luis-reference-prebuilt-email.md) | V2, V3 |
-[GeographyV2](luis-reference-prebuilt-geographyV2.md) | - |
[KeyPhrase](luis-reference-prebuilt-keyphrase.md) | V2, V3 | [Number](luis-reference-prebuilt-number.md) | V2, V3 | [Ordinal](luis-reference-prebuilt-ordinal.md) | V2, V3 |
-[OrdinalV2](luis-reference-prebuilt-ordinal-v2.md) | - |
[Percentage](luis-reference-prebuilt-percentage.md) | V2, V3 |
-[PersonName](luis-reference-prebuilt-person.md) | - |
[Phonenumber](luis-reference-prebuilt-phonenumber.md) | V2, V3 | [Temperature](luis-reference-prebuilt-temperature.md):<br>fahrenheit<br>kelvin<br>rankine<br>delisle<br>celsius | V2, V3 | [URL](luis-reference-prebuilt-url.md) | V2, V3 |
+<![GeographyV2](luis-reference-prebuilt-geographyV2.md) | - |-->
+<![OrdinalV2](luis-reference-prebuilt-ordinal-v2.md) | - |-->
+<![PersonName](luis-reference-prebuilt-person.md) | - |-->
KeyPhrase is not available in all subcultures of Portuguese (Brazil) - ```pt-BR```.
The following entities are supported:
[DatetimeV2](luis-reference-prebuilt-datetimev2.md):<br>date<br>daterange<br>time<br>timerange | V2, V3 | [Dimension](luis-reference-prebuilt-dimension.md):<br>volume<br>area<br>weight<br>information (ex: bit/byte)<br>length (ex: meter)<br>speed (ex: mile per hour) | V2, V3 | [Email](luis-reference-prebuilt-email.md) | V2, V3 |
-[GeographyV2](luis-reference-prebuilt-geographyV2.md) | - |
[KeyPhrase](luis-reference-prebuilt-keyphrase.md) | V2, V3 | [Number](luis-reference-prebuilt-number.md) | V2, V3 | [Ordinal](luis-reference-prebuilt-ordinal.md) | V2, V3 |
-[OrdinalV2](luis-reference-prebuilt-ordinal-v2.md) | - |
[Percentage](luis-reference-prebuilt-percentage.md) | V2, V3 |
-[PersonName](luis-reference-prebuilt-person.md) | - |
[Phonenumber](luis-reference-prebuilt-phonenumber.md) | V2, V3 | [Temperature](luis-reference-prebuilt-temperature.md):<br>fahrenheit<br>kelvin<br>rankine<br>delisle<br>celsius | V2, V3 | [URL](luis-reference-prebuilt-url.md) | V2, V3 |
+<![GeographyV2](luis-reference-prebuilt-geographyV2.md) | - |-->
+<![OrdinalV2](luis-reference-prebuilt-ordinal-v2.md) | - |-->
+<![PersonName](luis-reference-prebuilt-person.md) | - |-->
## Spanish (Mexico) entity support
The following entities are supported:
[DatetimeV2](luis-reference-prebuilt-datetimev2.md):<br>date<br>daterange<br>time<br>timerange | - | [Dimension](luis-reference-prebuilt-dimension.md):<br>volume<br>area<br>weight<br>information (ex: bit/byte)<br>length (ex: meter)<br>speed (ex: mile per hour) | - | [Email](luis-reference-prebuilt-email.md) | V2, V3 |
-[GeographyV2](luis-reference-prebuilt-geographyV2.md) | - |
[KeyPhrase](luis-reference-prebuilt-keyphrase.md) | V2, V3 | [Number](luis-reference-prebuilt-number.md) | V2, V3 | [Ordinal](luis-reference-prebuilt-ordinal.md) | - |
-[OrdinalV2](luis-reference-prebuilt-ordinal-v2.md) | - |
[Percentage](luis-reference-prebuilt-percentage.md) | - |
-[PersonName](luis-reference-prebuilt-person.md) | - |
[Phonenumber](luis-reference-prebuilt-phonenumber.md) | V2, V3 | [Temperature](luis-reference-prebuilt-temperature.md):<br>fahrenheit<br>kelvin<br>rankine<br>delisle<br>celsius | - | [URL](luis-reference-prebuilt-url.md) | V2, V3 |
+<![GeographyV2](luis-reference-prebuilt-geographyV2.md) | - |-->
+<![OrdinalV2](luis-reference-prebuilt-ordinal-v2.md) | - |-->
+<![PersonName](luis-reference-prebuilt-person.md) | - |-->
-See notes on [Deprecated prebuilt entities](luis-reference-prebuilt-deprecated.md)
+<! See notes on [Deprecated prebuilt entities](luis-reference-prebuilt-deprecated.md)-->
## Turkish entity support
See notes on [Deprecated prebuilt entities](luis-reference-prebuilt-deprecated.m
[DatetimeV2](luis-reference-prebuilt-datetimev2.md):<br>date<br>daterange<br>time<br>timerange | - | [Dimension](luis-reference-prebuilt-dimension.md):<br>volume<br>area<br>weight<br>information (ex: bit/byte)<br>length (ex: meter)<br>speed (ex: mile per hour) | - | [Email](luis-reference-prebuilt-email.md) | - |
-[KeyPhrase](luis-reference-prebuilt-keyphrase.md) | - |
[Number](luis-reference-prebuilt-number.md) | - | [Ordinal](luis-reference-prebuilt-ordinal.md) | - | [Percentage](luis-reference-prebuilt-percentage.md) | - |
-[Phonenumber](luis-reference-prebuilt-phonenumber.md) | - |
[Temperature](luis-reference-prebuilt-temperature.md):<br>fahrenheit<br>kelvin<br>rankine<br>delisle<br>celsius | - | [URL](luis-reference-prebuilt-url.md) | - |
+<![KeyPhrase](luis-reference-prebuilt-keyphrase.md) | V2, V3 |-->
+<!Phonenumber](luis-reference-prebuilt-phonenumber.md) | - |-->
-<!
-See notes on [Deprecated prebuilt entities](luis-reference-prebuilt-deprecated.md)
-KeyPhrase is not available.
>
+<! See notes on [Deprecated prebuilt entities](luis-reference-prebuilt-deprecated.md). -->
## Contribute to prebuilt entity cultures The prebuilt entities are developed in the Recognizers-Text open-source project. [Contribute](https://github.com/Microsoft/Recognizers-Text) to the project. This project includes examples of currency per culture.
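Review bot: In the Turkish table, the commented-out KeyPhrase row now says `V2, V3` although the row it replaces said `-` and the removed note stated "KeyPhrase is not available"; keep `-` in the comment or, if KeyPhrase is now supported, leave the row visible instead of hiding it. The commented-out Phonenumber row has also lost its opening `[` (`<!Phonenumber](...)`), so the link will be broken if the row is ever restored.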
cognitive-services Reference Entity Regular Expression https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/LUIS/reference-entity-regular-expression.md
description: A regular expression is best for raw utterance text. It ignores cas
Previously updated : 04/14/2020 Last updated : 05/05/2021 # Regular expression entity A regular expression entity extracts an entity based on a regular expression pattern you provide.
-A regular expression is best for raw utterance text. It ignores case and ignores cultural variant. Regular expression matching is applied after spell-check alterations at the character level, not the token level. If the regular expression is too complex, such as using many brackets, you're not able to add the expression to the model. Uses part but not all of the [.NET Regex](/dotnet/standard/base-types/regular-expressions) library.
+A regular expression is best for raw utterance text. It ignores case and ignores cultural variant. Regular expression matching is applied after spell-check alterations at the token level. If the regular expression is too complex, such as using many brackets, you're not able to add the expression to the model. Uses part but not all of the [.NET Regex](/dotnet/standard/base-types/regular-expressions) library.
**The entity is a good fit when:**
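Review bot: The sentence on spell-check alterations changes from "at the character level, not the token level" to "at the token level", which reverses the documented behavior with no explanation elsewhere in this change. Please confirm which level matching is applied at, since pattern authors rely on this sentence when deciding whether a pattern needs word boundaries, and keep an explicit contrast (for example "at the token level, not the character level") so the statement cannot be misread.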
A regular expression is best for raw utterance text. It ignores case and ignores
![Regular expression entity](./media/luis-concept-entities/regex-entity.png)
-## Usage considerations
-
-Regular expressions may match more than you expect to match. An example of this is numeric word matching such as `one` and `two`. An example is the following regex, which matches the number `one` along with other numbers:
-
-```javascript
-(plus )?(zero|one|two|three|four|five|six|seven|eight|nine)(\s+(zero|one|two|three|four|five|six|seven|eight|nine))*
-```
-
-This regex expression also matches any words that end with these numbers, such as `phone`. In order to fix issues like this, make sure the regex matches takes into account word boundaries. The regex to use word boundaries for this example is used in the following regex:
-
-```javascript
-\b(plus )?(zero|one|two|three|four|five|six|seven|eight|nine)(\s+(zero|one|two|three|four|five|six|seven|eight|nine))*\b
-```
-
-### Example JSON
+## Example JSON
When using `kb[0-9]{6}`, as the regular expression entity definition, the following JSON response is an example utterance with the returned regular expression entities for the query:
This is the JSON if `verbose=true` is set in the query string:
Learn more about entities: * [Concepts](luis-concept-entity-types.md)
-* [How to create](luis-how-to-add-entities.md)
+* [How to create](luis-how-to-add-entities.md)
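Review bot: Deleting the "Usage considerations" section removes the article's only warning that an unanchored pattern over-matches (the `one` inside `phone` example) together with the `\b` word-boundary fix. If that over-match no longer occurs, say so in the article; otherwise keep the section, because an entity that silently matches more text than intended is hard to notice downstream. Promoting "Example JSON" from `###` to `##` follows from the removal and should be reverted with it.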
cognitive-services Create Publish Knowledge Base https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/QnAMaker/Quickstarts/create-publish-knowledge-base.md
You can create a QnA Maker knowledge base (KB) from your own content, such as FA
|Setting|Value| |--|--| |**Enable multi-turn extraction from URLs, .pdf or .docx files.**|Checked|
- |**Multi-turn default text**| Select and option|
+ |**Multi-turn default text**| Select an option|
|**+ Add URL**|`https://www.microsoft.com/en-us/software-download/faq`| |**Chit-chat**|Select **Professional**|
You can create a QnA Maker knowledge base (KB) from your own content, such as FA
|Setting|Value| |--|--| |**Enable multi-turn extraction from URLs, .pdf or .docx files.**|Checked|
- |**Multi-turn default text**| Select and option|
+ |**Multi-turn default text**| Select an option|
|**+ Add File**| Download Surface laptop manual from: 'https://download.microsoft.com/download/7/B/1/7B10C82E-F520-4080-8516-5CF0D803EEE0/surface-book-user-guide-EN.pdf' |**Chit-chat**|Select **Professional**|
cognitive-services How To Use Logging https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Speech-Service/how-to-use-logging.md
config.SetProperty(PropertyId.Speech_LogFilename, logFile.Path);
More about file access permission for UWP applications is available [here](/windows/uwp/files/file-access-permissions).
+### Universal Windows Platform (UWP) on Unity
+
+In Unity and UWP application, a log file can be created in the application persistent folder as follows:
+
+```csharp
+#if ENABLE_WINMD_SUPPORT
+ string logFile = Application.persistentDataPath + "/logFile.txt";
+ config.SetProperty(PropertyId.Speech_LogFilename, logFile);
+#endif
+```
+ ### Android You can save a log file to either internal storage, external storage, or the cache directory. Files created in the internal storage or the cache directory are private to the application. It is preferable to create a log file in external storage.
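Review bot: In the new Unity section the snippet is wrapped in `#if ENABLE_WINMD_SUPPORT`, but the text does not say that no log file is configured when that symbol is undefined; add a sentence stating this so readers do not go looking for a missing file. The lead-in "In Unity and UWP application" should read "In a Unity UWP application", and `Path.Combine` is a more robust way to build the path than concatenating `"/logFile.txt"` onto `Application.persistentDataPath`.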
More about iOS File System is available [here](https://developer.apple.com/libra
## Next steps > [!div class="nextstepaction"]
-> [Explore our samples on GitHub](https://aka.ms/csspeech/samples)
+> [Explore our samples on GitHub](https://aka.ms/csspeech/samples)
cognitive-services Language Support https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Speech-Service/language-support.md
More than 75 standard voices are available in over 45 languages and locales, whi
### Customization
-Custom Voice is available in the standard and the neural tier. The languages supported are different for these two tiers.
+Custom Voice is available in the neural tier (a.k.a, Custom Neural Voice). Check below for the languages supported.
-| Language | Locale | Standard | Neural |
-|--|--|--|--|
-| Chinese (Mandarin, Simplified) | `zh-CN` | Yes | Yes |
-| Chinese (Mandarin, Simplified), English bilingual | `zh-CN` bilingual | Yes | Yes |
-| English (Australia) | `en-AU` | No | Yes |
-| English (India) | `en-IN` | Yes | Yes |
-| English (United Kingdom) | `en-GB` | Yes | Yes |
-| English (United States) | `en-US` | Yes | Yes |
-| French (Canada) | `fr-CA` | No | Yes |
-| French (France) | `fr-FR` | Yes | Yes |
-| German (Germany) | `de-DE` | Yes | Yes |
-| Italian (Italy) | `it-IT` | Yes | Yes |
-| Japanese (Japan) | `ja-JP` | No | Yes |
-| Korean (Korea) | `ko-KR` | No | Yes |
-| Portuguese (Brazil) | `pt-BR` | Yes | Yes |
-| Spanish (Mexico) | `es-MX` | Yes | Yes |
-| Spanish (Spain) | `es-ES` | No | Yes |
+> [!IMPORTANT]
+> The standard tier including the statistical parametric and the concatenative training methods of custom voice is being deprecated and will be retired on 2/29/2024. If you are using non-neural/standard Custom Voice, migrate to Custom Neural Voice immediately to enjoy the better quality and deploy the voices responsibly.
+
+| Language | Locale | Neural |
+|--|--|--|
+| Bulgarian (Bulgaria)| `bg-BG` | Yes |
+| Chinese (Mandarin, Simplified) | `zh-CN` | Yes |
+| Chinese (Mandarin, Simplified), English bilingual | `zh-CN` bilingual | Yes |
+| Dutch (Netherlands) | `nl-NL` | Yes |
+| English (Australia) | `en-AU` | Yes |
+| English (India) | `en-IN` | Yes |
+| English (United Kingdom) | `en-GB` | Yes |
+| English (United States) | `en-US` | Yes |
+| French (Canada) | `fr-CA` | Yes |
+| French (France) | `fr-FR` | Yes |
+| German (Germany) | `de-DE` | Yes |
+| Italian (Italy) | `it-IT` | Yes |
+| Japanese (Japan) | `ja-JP` | Yes |
+| Korean (Korea) | `ko-KR` | Yes |
+| Portuguese (Brazil) | `pt-BR` | Yes |
+| Spanish (Mexico) | `es-MX` | Yes |
+| Spanish (Spain) | `es-ES` | Yes |
Select the right locale that matches the training data you have to train a custom voice model. For example, if the recording data you have is spoken in English with a British accent, select `en-GB`.
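Review bot: With the Standard column removed, every row of the new table reads "Yes" under Neural, so that column no longer distinguishes anything; reduce the table to Language and Locale, or state once above it that all listed locales are neural. In the added `[!IMPORTANT]` note, the numeric date 2/29/2024 depends on the reader's locale and would be clearer with the month spelled out. In the first added line, "a.k.a," has a stray comma; "also known as Custom Neural Voice" reads cleaner.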
cognitive-services Quickstart Translator https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Translator/quickstart-translator.md
In this quickstart, you learn to use the Translator service via REST. You start
* [Add Newtonsoft.Json using .NET CLI](https://www.nuget.org/packages/Newtonsoft.Json/). * Run the program from the project directory: ``dotnet run``
+> [!div class="nextstepaction"]
+> [I created a project](#headers) [I ran into an issue](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Csharp&Product=Translator&Page=quickstart-translator&Section=platform-setup)
+ # [Go](#tab/go) * Create a new Go project in your favorite code editor.
In this quickstart, you learn to use the Translator service via REST. You start
* Build the file, for example: 'go build example-code.go'. * Run the file, for example: 'example-code'.
+> [!div class="nextstepaction"]
+> [I created a project](#headers) [I ran into an issue](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Go&Product=Translator&Page=quickstart-translator&Section=platform-setup)
+ # [Java](#tab/java) * Create a working directory for your project. For example: `mkdir sample-project`.
In this quickstart, you learn to use the Translator service via REST. You start
* Create a Java file and copy in the code from the provided sample. Don't forget to add your subscription key. * Run the sample: `gradle run`.
+> [!div class="nextstepaction"]
+> [I created a project](#headers) [I ran into an issue](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Java&Product=Translator&Page=quickstart-translator&Section=platform-setup)
+ # [Node.js](#tab/nodejs) * Create a new project in your favorite IDE or editor.
In this quickstart, you learn to use the Translator service via REST. You start
* Set your subscription key. * Run the program. For example: `node Translate.js`.
+> [!div class="nextstepaction"]
+> [I created a project](#headers) [I ran into an issue](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Nodejs&Product=Translator&Page=quickstart-translator&Section=platform-setup)
+ # [Python](#tab/python) * Create a new project in your favorite IDE or editor.
In this quickstart, you learn to use the Translator service via REST. You start
* Set your subscription key. * Run the program. For example: `python translate.py`.
+> [!div class="nextstepaction"]
+> [I created a project](#headers) [I ran into an issue](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Python&Product=Translator&Page=quickstart-translator&Section=platform-setup)
+ ## Headers
class Program
} ```
+> [!div class="nextstepaction"]
+> [I translated text](#detect-language) [I ran into an issue](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Csharp&Product=Translator&Page=quickstart-translator&Section=translate-text)
+ # [Go](#tab/go) ```go
func main() {
} ```
+> [!div class="nextstepaction"]
+> [I translated text](#detect-language) [I ran into an issue](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Go&Product=Translator&Page=quickstart-translator&Section=translate-text)
+ # [Java](#tab/java)
public class Translate {
} ```
+> [!div class="nextstepaction"]
+> [I translated text](#detect-language) [I ran into an issue](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Java&Product=Translator&Page=quickstart-translator&Section=translate-text)
+ # [Node.js](#tab/nodejs) ```Javascript
axios({
}) ```
+> [!div class="nextstepaction"]
+> [I translated text](#detect-language) [I ran into an issue](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Nodejs&Product=Translator&Page=quickstart-translator&Section=translate-text)
++ # [Python](#tab/python) ```python import requests, uuid, json
response = request.json()
print(json.dumps(response, sort_keys=True, ensure_ascii=False, indent=4, separators=(',', ': '))) ```
+> [!div class="nextstepaction"]
+> [I translated text](#detect-language) [I ran into an issue](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Python&Product=Translator&Page=quickstart-translator&Section=translate-text)
+ After a successful call, you should see the following response:
class Program
} ```
+> [!div class="nextstepaction"]
+> [I detected source language during translation](#detect-source-language-without-translation) [I ran into an issue](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Csharp&Product=Translator&Page=quickstart-translator&Section=detect-source-language-during-translation)
+ # [Go](#tab/go)
func main() {
} ```
+> [!div class="nextstepaction"]
+> [I detected source language during translation](#detect-source-language-without-translation) [I ran into an issue](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Go&Product=Translator&Page=quickstart-translator&Section=detect-source-language-during-translation)
++ # [Java](#tab/java) ```java
public class Translate {
} ```
+> [!div class="nextstepaction"]
+> [I detected source language during translation](#detect-source-language-without-translation) [I ran into an issue](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Java&Product=Translator&Page=quickstart-translator&Section=detect-source-language-during-translation)
++ # [Node.js](#tab/nodejs) ```javascript
axios({
}) ```
+> [!div class="nextstepaction"]
+> [I detected source language during translation](#detect-source-language-without-translation) [I ran into an issue](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Nodejs&Product=Translator&Page=quickstart-translator&Section=detect-source-language-during-translation)
++ # [Python](#tab/python) ```python import requests, uuid, json
response = request.json()
print(json.dumps(response, sort_keys=True, ensure_ascii=False, indent=4, separators=(',', ': '))) ```
+> [!div class="nextstepaction"]
+> [I detected source language during translation](#detect-source-language-without-translation) [I ran into an issue](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Python&Product=Translator&Page=quickstart-translator&Section=detect-source-language-during-translation)
++ After a successful call, you should see the following response:
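Review bot: The blank lines added after the nextstepaction blocks in this section are inconsistent: the Go tab gains one added blank line, while the Java, Node.js and Python tabs and the closing paragraph each show two (`++`). Keep a single blank line after each block so every tab is changed the same way.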
class Program
} ```
+> [!div class="nextstepaction"]
+> [I detected source languages without translation](#transliterate-text) [I ran into an issue](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Csharp&Product=Translator&Page=quickstart-translator&Section=detect-source-language-without-translation)
++ # [Go](#tab/go) ```go
func main() {
} ```
+> [!div class="nextstepaction"]
+> [I detected source languages without translation](#transliterate-text) [I ran into an issue](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Go&Product=Translator&Page=quickstart-translator&Section=detect-source-language-without-translation)
+ # [Java](#tab/java) ```java
public class Detect {
} ```
+> [!div class="nextstepaction"]
+> [I detected source languages without translation](#transliterate-text) [I ran into an issue](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Java&Product=Translator&Page=quickstart-translator&Section=detect-source-language-without-translation)
+ # [Node.js](#tab/nodejs) ```javascript
axios({
}) ```
+> [!div class="nextstepaction"]
+> [I detected source languages without translation](#transliterate-text) [I ran into an issue](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Nodejs&Product=Translator&Page=quickstart-translator&Section=detect-source-language-without-translation)
+ # [Python](#tab/python) ```python import requests, uuid, json
response = request.json()
print(json.dumps(response, sort_keys=True, ensure_ascii=False, indent=4, separators=(',', ': '))) ```+
+> [!div class="nextstepaction"]
+> [I detected source languages without translation](#transliterate-text) [I ran into an issue](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Python&Product=Translator&Page=quickstart-translator&Section=detect-source-language-without-translation)
+ When using the `/detect` endpoint, the response will include alternate detections, and will let you know if translation and transliteration are supported for all of the detected languages. After a successful call, you should see the following response:
class Program
} ```
+> [!div class="nextstepaction"]
+> [I transliterated text during translation](#transliterate-without-translation) [I ran into an issue](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Csharp&Product=Translator&Page=quickstart-translator&Section=transliterate-during-translation)
+ # [Go](#tab/go) ```go
func main() {
} ```
+> [!div class="nextstepaction"]
+> [I transliterated text during translation](#transliterate-without-translation) [I ran into an issue](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Go&Product=Translator&Page=quickstart-translator&Section=transliterate-during-translation)
+ # [Java](#tab/java) ```java
public class Translate {
} ```
+> [!div class="nextstepaction"]
+> [I transliterated text during translation](#transliterate-without-translation) [I ran into an issue](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Java&Product=Translator&Page=quickstart-translator&Section=transliterate-during-translation)
+ # [Node.js](#tab/nodejs) ```javascript
axios({
}) ```
+> [!div class="nextstepaction"]
+> [I transliterated text during translation](#transliterate-without-translation) [I ran into an issue](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Nodejs&Product=Translator&Page=quickstart-translator&Section=transliterate-during-translation)
+ # [Python](#tab/python) ```Python import requests, uuid, json
response = request.json()
print(json.dumps(response, sort_keys=True, ensure_ascii=False, indent=4, separators=(',', ': '))) ```
+> [!div class="nextstepaction"]
+> [I transliterated text during translation](#transliterate-without-translation) [I ran into an issue](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Python&Product=Translator&Page=quickstart-translator&Section=transliterate-during-translation)
+ After a successful call, you should see the following response. Keep in mind that the response from `translate` endpoint includes the detected source language with a confidence score, a translation using the alphabet of the output language, and a transliteration using the Latin alphabet.
class Program
} ```
+> [!div class="nextstepaction"]
+> [I transliterated text without translation](#get-sentence-length) [I ran into an issue](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Csharp&Product=Translator&Page=quickstart-translator&Section=transliterate-without-translation)
+ # [Go](#tab/go) ```go
func main() {
} ```
+> [!div class="nextstepaction"]
+> [I transliterated text without translation](#get-sentence-length) [I ran into an issue](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Go&Product=Translator&Page=quickstart-translator&Section=transliterate-without-translation)
+ # [Java](#tab/java) ```java
public class Transliterate {
} ```
+> [!div class="nextstepaction"]
+> [I transliterated text without translation](#get-sentence-length) [I ran into an issue](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Java&Product=Translator&Page=quickstart-translator&Section=transliterate-without-translation)
+ # [Node.js](#tab/nodejs) ```javascript
axios({
}) ```
+> [!div class="nextstepaction"]
+> [I transliterated text without translation](#get-sentence-length) [I ran into an issue](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Nodejs&Product=Translator&Page=quickstart-translator&Section=transliterate-without-translation)
+ # [Python](#tab/python) ```python import requests, uuid, json
response = request.json()
print(json.dumps(response, sort_keys=True, indent=4, separators=(',', ': '))) ```
+> [!div class="nextstepaction"]
+> [I transliterated text without translation](#get-sentence-length) [I ran into an issue](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Python&Product=Translator&Page=quickstart-translator&Section=transliterate-without-translation)
+ After a successful call, you should see the following response. Unlike the call to the `translate` endpoint, `transliterate` only returns the `script` and the output `text`.
class Program
} ```
+> [!div class="nextstepaction"]
+> [I got sentence length during translation](#get-sentence-length-without-translation) [I ran into an issue](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Csharp&Product=Translator&Page=quickstart-translator&Section=get-sentence-length-during-translation)
+ # [Go](#tab/go) ```go
func main() {
} ```
+> [!div class="nextstepaction"]
+> [I got sentence length during translation](#get-sentence-length-without-translation) [I ran into an issue](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Go&Product=Translator&Page=quickstart-translator&Section=get-sentence-length-during-translation)
+ # [Java](#tab/java) ```java
public class Translate {
} ```
+> [!div class="nextstepaction"]
+> [I got sentence length during translation](#get-sentence-length-without-translation) [I ran into an issue](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Java&Product=Translator&Page=quickstart-translator&Section=get-sentence-length-during-translation)
+ # [Node.js](#tab/nodejs) ```javascript
axios({
}) ```
+> [!div class="nextstepaction"]
+> [I got sentence length during translation](#get-sentence-length-without-translation) [I ran into an issue](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Nodejs&Product=Translator&Page=quickstart-translator&Section=get-sentence-length-during-translation)
+ # [Python](#tab/python) ```python import requests, uuid, json
response = request.json()
print(json.dumps(response, sort_keys=True, ensure_ascii=False, indent=4, separators=(',', ': '))) ```
+> [!div class="nextstepaction"]
+> [I got sentence length during translation](#get-sentence-length-without-translation) [I ran into an issue](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Python&Product=Translator&Page=quickstart-translator&Section=get-sentence-length-during-translation)
+ After a successful call, you should see the following response. In addition to the detected source language and translation, you'll get character counts for each detected sentence for both the source (`srcSentLen`) and translation (`transSentLen`).
class Program
} ```
+> [!div class="nextstepaction"]
+> [I got sentence length without translation](#dictionary-lookup-alternate-translations) [I ran into an issue](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Csharp&Product=Translator&Page=quickstart-translator&Section=get-sentence-length-without-translation)
+ # [Go](#tab/go) ```go
func main() {
} ```
+> [!div class="nextstepaction"]
+> [I got sentence length without translation](#dictionary-lookup-alternate-translations) [I ran into an issue](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Go&Product=Translator&Page=quickstart-translator&Section=get-sentence-length-without-translation)
+ # [Java](#tab/java) ```java
public class BreakSentence {
} ```
+> [!div class="nextstepaction"]
+> [I got sentence length without translation](#dictionary-lookup-alternate-translations) [I ran into an issue](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Java&Product=Translator&Page=quickstart-translator&Section=get-sentence-length-without-translation)
+ # [Node.js](#tab/nodejs) ```javascript
axios({
}) ```
+> [!div class="nextstepaction"]
+> [I got sentence length without translation](#dictionary-lookup-alternate-translations) [I ran into an issue](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Nodejs&Product=Translator&Page=quickstart-translator&Section=get-sentence-length-without-translation)
+ # [Python](#tab/python) ```python import requests, uuid, json
response = request.json()
print(json.dumps(response, sort_keys=True, indent=4, separators=(',', ': '))) ```
+> [!div class="nextstepaction"]
+> [I got sentence length without translation](#dictionary-lookup-alternate-translations) [I ran into an issue](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Python&Product=Translator&Page=quickstart-translator&Section=get-sentence-length-without-translation)
+ After a successful call, you should see the following response. Unlike the call to the `translate` endpoint, `breaksentence` only returns the character counts for the source text in an array called `sentLen`.
class Program
} ```
+> [!div class="nextstepaction"]
+> [I got alternate translations](#dictionary-examples-translations-in-context) [I ran into an issue](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Csharp&Product=Translator&Page=quickstart-translator&Section=dictionary-lookup-alternate-translations)
+ # [Go](#tab/go) ```go
func main() {
} ```
+> [!div class="nextstepaction"]
+> [I got alternate translations](#dictionary-examples-translations-in-context) [I ran into an issue](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Go&Product=Translator&Page=quickstart-translator&Section=dictionary-lookup-alternate-translations)
+ # [Java](#tab/java) ```java
public class DictionaryLookup {
} ```
+> [!div class="nextstepaction"]
+> [I got alternate translations](#dictionary-examples-translations-in-context) [I ran into an issue](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Java&Product=Translator&Page=quickstart-translator&Section=dictionary-lookup-alternate-translations)
+ # [Node.js](#tab/nodejs) ```javascript
axios({
}) ```
+> [!div class="nextstepaction"]
+> [I got alternate translations](#dictionary-examples-translations-in-context) [I ran into an issue](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Nodejs&Product=Translator&Page=quickstart-translator&Section=dictionary-lookup-alternate-translations)
+ # [Python](#tab/python) ```python import requests, uuid, json
response = request.json()
print(json.dumps(response, sort_keys=True, ensure_ascii=False, indent=4, separators=(',', ': '))) ```
+> [!div class="nextstepaction"]
+> [I got alternate translations](#dictionary-examples-translations-in-context) [I ran into an issue](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Python&Product=Translator&Page=quickstart-translator&Section=dictionary-lookup-alternate-translations)
+ After a successful call, you should see the following response. Let's break this down since the JSON is more complex than some of the other examples in this article. The `translations` array includes a list of translations. Each object in this array includes a confidence score (`confidence`), the text optimized for end-user display (`displayTarget`), the normalized text (`normalizedText`), the part of speech (`posTag`), and information about previous translation (`backTranslations`). For more information about the response, see [Dictionary Lookup](reference/v3-0-dictionary-lookup.md)
class Program
} ```
+> [!div class="nextstepaction"]
+> [I got translations in context](#next-steps) [I ran into an issue](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Csharp&Product=Translator&Page=quickstart-translator&Section=dictionary-examples-translations-in-context)
+ # [Go](#tab/go) ```go
func main() {
} ```
+> [!div class="nextstepaction"]
+> [I got translations in context](#next-steps) [I ran into an issue](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Go&Product=Translator&Page=quickstart-translator&Section=dictionary-examples-translations-in-context)
+ # [Java](#tab/java) ```java
public class DictionaryExamples {
} ```
+> [!div class="nextstepaction"]
+> [I got translations in context](#troubleshooting) [I ran into an issue](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Java&Product=Translator&Page=quickstart-translator&Section=dictionary-examples-translations-in-context)
+ # [Node.js](#tab/nodejs) ```javascript
axios({
}) ```
+> [!div class="nextstepaction"]
+> [I got translations in context](#next-steps) [I ran into an issue](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Nodejs&Product=Translator&Page=quickstart-translator&Section=dictionary-examples-translations-in-context)
+ # [Python](#tab/python) ```python import requests, uuid, json
response = request.json()
print(json.dumps(response, sort_keys=True, ensure_ascii=False, indent=4, separators=(',', ': '))) ```
+> [!div class="nextstepaction"]
+> [I got translations in context](#next-steps) [I ran into an issue](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Python&Product=Translator&Page=quickstart-translator&Section=dictionary-examples-translations-in-context)
+ After a successful call, you should see the following response. For more information about the response, see [Dictionary Lookup](reference/v3-0-dictionary-examples.md)
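Review bot: In the Java tab of the dictionary-examples section, the "I got translations in context" link targets `#troubleshooting`, while the C#, Go, Node.js and Python tabs target `#next-steps`; use the same anchor in all five tabs and confirm that it exists in the article. The closing sentence of this section also labels the link to `reference/v3-0-dictionary-examples.md` as "Dictionary Lookup", which looks carried over from the previous section and could be corrected in the same change.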
communication-services Teams Embed https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/communication-services/concepts/ui-framework/teams-embed.md
The Teams Embed provides most features supported in Teams meetings, including:
- In-meeting experience for configuring audio and video devices - [Video Backgrounds](https://support.microsoft.com/office/change-your-background-for-a-teams-meeting-f77a2381-443a-499d-825e-509a140f4780): allowing participants to blur or replace their backgrounds - [Multiple options for the video gallery](https://support.microsoft.com/office/using-video-in-microsoft-teams-3647fc29-7b92-4c26-8c2d-8a596904cdae) large gallery, together mode, focus, pinning, and spotlight-- [Content Sharing](https://support.microsoft.com/en-us/office/share-content-in-a-meeting-in-teams-fcc2bf59-aecd-4481-8f99-ce55dd836ce8): allowing participants to share their screen
+- [Content Sharing](https://support.microsoft.com/office/share-content-in-a-meeting-in-teams-fcc2bf59-aecd-4481-8f99-ce55dd836ce8): allowing participants to share their screen
For more information about this UI compared to other Azure Communication SDKs, see the [UI SDK concept introduction](ui-sdk-overview.md).
communication-services Get Started With Video Calling https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/communication-services/quickstarts/voice-video-calling/get-started-with-video-calling.md
Last updated 03/10/2021 --
-# QuickStart: Add 1:1 video calling to your app (JavaScript)
-
-## Download Code
-
-Find the finalized code for this quickstart on [GitHub](https://github.com/Azure-Samples/communication-services-javascript-quickstarts/tree/main/add-1-on-1-video-calling)
-
-## Prerequisites
-- Obtain an Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).-- [Node.js](https://nodejs.org/en/) Active LTS and Maintenance LTS versions (8.11.1 and 10.14.1)-- Create an active Communication Services resource. [Create a Communication Services resource](../create-communication-resource.md?pivots=platform-azp&tabs=windows).-- Create a User Access Token to instantiate the call client. [Learn how to create and manage user access tokens](../access-tokens.md?pivots=programming-language-csharp).-
-## Setting up
-### Create a new Node.js application
-Open your terminal or command window create a new directory for your app, and navigate to it.
-```console
-mkdir calling-quickstart && cd calling-quickstart
-```
-### Install the package
-Use the `npm install` command to install the Azure Communication Services Calling SDK for JavaScript.
-
-> [!IMPORTANT]
-> This quickstart uses the Azure Communication Services Calling SDK version `1.0.0.beta-10`.
--
-```console
-npm install @azure/communication-common --save
-npm install @azure/communication-calling --save
-```
-### Set up the app framework
-
-This quickstart uses webpack to bundle the application assets. Run the following command to install the `webpack`, `webpack-cli` and `webpack-dev-server` npm packages and list them as development dependencies in your `package.json`:
-
-```console
-npm install webpack@4.42.0 webpack-cli@3.3.11 webpack-dev-server@3.10.3 --save-dev
-```
-Create an `https://docsupdatetracker.net/index.html` file in the root directory of your project. We'll use this file to configure a basic layout that will allow the user to place a 1:1 video call.
-
-Here's the code:
-```html
-<!DOCTYPE html>
-<html>
-<head>
- <title>Communication Client - 1:1 Video Calling Sample</title>
-</head>
-
-<body>
- <h4>Azure Communication Services</h4>
- <h1>1:1 Video Calling Quickstart</h1>
- <input
- id="callee-id-input"
- type="text"
- placeholder="Who would you like to call?"
- style="margin-bottom:1em; width: 200px;"
- />
-
- <div>
- <button id="call-button" type="button" disabled="true">
- start call
- </button>
- &nbsp;
- <button id="hang-up-button" type="button" disabled="true">
- hang up
- </button>
- &nbsp;
- <button id="start-Video" type="button" disabled="true">
- start video
- </button>
- &nbsp;
- <button id="stop-Video" type="button" disabled="true">
- stop video
- </button>
- </div>
-
- <div>Local Video</div>
- <div style="height:200px; width:300px; background-color:black; position:relative;">
- <div id="myVideo" style="background-color: black; position:absolute; top:50%; transform: translateY(-50%);">
- </div>
- </div>
- <div>Remote Video</div>
- <div style="height:200px; width:300px; background-color:black; position:relative;">
- <div id="remoteVideo" style="background-color: black; position:absolute; top:50%; transform: translateY(-50%);">
- </div>
- </div>
-
- <script src="./bundle.js"></script>
-</body>
-</html>
-```
-
-Create a file in the root directory of your project called `client.js` to contain the application logic for this quickstart. Add the following code to import the calling client and get references to the DOM elements.
-
-```JavaScript
-import { CallClient, CallAgent, VideoStreamRenderer, LocalVideoStream } from "@azure/communication-calling";
-import { AzureCommunicationTokenCredential } from '@azure/communication-common';
-
-let call;
-let callAgent;
-const calleeInput = document.getElementById("callee-id-input");
-const callButton = document.getElementById("call-button");
-const hangUpButton = document.getElementById("hang-up-button");
-const stopVideoButton = document.getElementById("stop-Video");
-const startVideoButton = document.getElementById("start-Video");
-
-let placeCallOptions;
-let deviceManager;
-let localVideoStream;
-let rendererLocal;
-let rendererRemote;
-```
-## Object model
-
-The following classes and interfaces handle some of the major features of the Azure Communication Services Calling SDK:
-
-| Name | Description |
-| : | :- |
-| CallClient | The CallClient is the main entry point to the Calling SDK. |
-| CallAgent | The CallAgent is used to start and manage calls. |
-| DeviceManager | The DeviceManager is used to manage media devices. |
-| AzureCommunicationTokenCredential | The AzureCommunicationTokenCredential class implements the CommunicationTokenCredential interface which is used to instantiate the CallAgent. |
-## Authenticate the client and access DeviceManager
-
-You need to replace <USER_ACCESS_TOKEN> with a valid user access token for your resource. Refer to the user access token documentation if you don't already have a token available. Using the `CallClient`, initialize a `CallAgent` instance with a `CommunicationUserCredential` which will enable us to make and receive calls.
-To access the `DeviceManager` a callAgent instance must first be created. You can then use the `getDeviceManager` method on the `CallClient` instance to get the `DeviceManager`.
-
-Add the following code to `client.js`:
-
-```JavaScript
-async function init() {
- const callClient = new CallClient();
- const tokenCredential = new AzureCommunicationTokenCredential("<USER ACCESS TOKEN>");
- callAgent = await callClient.createCallAgent(tokenCredential, { displayName: 'optional ACS user name' });
-
- deviceManager = await callClient.getDeviceManager();
- callButton.disabled = false;
-}
-init();
-```
-## Place a 1:1 outgoing video call to a user
-
-Add an event listener to initiate a call when the `callButton` is clicked:
-
-First you have to enumerate local cameras using the deviceManager `getCameraList` API. In this quickstart we're using the first camera in the collection. Once the desired camera is selected, a LocalVideoStream instance will be constructed and passed within `videoOptions` as an item within the localVideoStream array to the call method. Once your call connects it will automatically start sending a video stream to the other participant.
-
-```JavaScript
-callButton.addEventListener("click", async () => {
- const videoDevices = await deviceManager.getCameras();
- const videoDeviceInfo = videoDevices[0];
- localVideoStream = new LocalVideoStream(videoDeviceInfo);
- placeCallOptions = {videoOptions: {localVideoStreams:[localVideoStream]}};
-
- localVideoView();
- stopVideoButton.disabled = false;
- startVideoButton.disabled = true;
-
- const userToCall = calleeInput.value;
- call = callAgent.startCall(
- [{ communicationUserId: userToCall }],
- placeCallOptions
- );
-
- subscribeToRemoteParticipantInCall(call);
-
- hangUpButton.disabled = false;
- callButton.disabled = true;
-});
-```
-To render a `LocalVideoStream`, you need to create a new instance of `VideoStreamRenderer`, and then create a new `VideoStreamRendererView` instance using the asynchronous `createView` method. You may then attach `view.target` to any UI element.
-
-```JavaScript
-async function localVideoView() {
- rendererLocal = new VideoStreamRenderer(localVideoStream);
- const view = await rendererLocal.createView();
- document.getElementById("myVideo").appendChild(view.target);
-}
-```
-All remote participants are available through the `remoteParticipants` collection on a call instance. You need to listen to the event `remoteParticipantsUpdated`to be notified when a new remote participant is added into the call. You also need to iterate the `remoteParticipants` collection to subscribe to each of them in order to subscribe to their video streams.
-
-```JavaScript
-function subscribeToRemoteParticipantInCall(callInstance) {
- callInstance.on('remoteParticipantsUpdated', e => {
- e.added.forEach( p => {
- subscribeToParticipantVideoStreams(p);
- })
- });
- callInstance.remoteParticipants.forEach( p => {
- subscribeToParticipantVideoStreams(p);
- })
-}
-```
-You need to subscribe to the `videoStreamsUpdated` event to handle added video streams of remote participants. You can inspect the `videoStreams` collections to list the streams of each participant while going through the `remoteParticipants` collection of the current call.
-
-```JavaScript
-function subscribeToParticipantVideoStreams(remoteParticipant) {
- remoteParticipant.on('videoStreamsUpdated', e => {
- e.added.forEach(v => {
- handleVideoStream(v);
- })
- });
- remoteParticipant.videoStreams.forEach(v => {
- handleVideoStream(v);
- });
-}
-```
-You have to subscribe to a `isAvailableChanged` event to render the `remoteVideoStream`. If the `isAvailable` property changes to `true`, a remote participant is sending a stream. Whenever availability of a remote stream changes you can choose to destroy the whole `Renderer`, a specific `RendererView` or keep them, but this will result in displaying blank video frame.
-```JavaScript
-function handleVideoStream(remoteVideoStream) {
- remoteVideoStream.on('isAvailableChanged', async () => {
- if (remoteVideoStream.isAvailable) {
- remoteVideoView(remoteVideoStream);
- } else {
- rendererRemote.dispose();
- }
- });
- if (remoteVideoStream.isAvailable) {
- remoteVideoView(remoteVideoStream);
- }
-}
-```
-To render a `RemoteVideoStream`, you need to create a new instance of `VideoStreamRenderer`, and then create a new `VideoStreamRendererView` instance using the asynchronous `createView` method. You may then attach `view.target` to any UI element.
-
-```JavaScript
-async function remoteVideoView(remoteVideoStream) {
- rendererRemote = new VideoStreamRenderer(remoteVideoStream);
- const view = await rendererRemote.createView();
- document.getElementById("remoteVideo").appendChild(view.target);
-}
-```
-## Receive an incoming call
-To handle incoming calls you need to listen to the `incomingCall` event of `callAgent`. Once there is an incoming call, you need to enumerate local cameras and construct a `LocalVideoStream` instance to send a video stream to the other participant. You also need to subscribe to `remoteParticipants` to handle remote video streams. You can accept or reject the call through the `incomingCall` instance.
-
-Put the implementation in `init()` to handle incoming calls.
-
-```JavaScript
-callAgent.on('incomingCall', async e => {
- const videoDevices = await deviceManager.getCameras();
- const videoDeviceInfo = videoDevices[0];
- localVideoStream = new LocalVideoStream(videoDeviceInfo);
- localVideoView();
-
- stopVideoButton.disabled = false;
- callButton.disabled = true;
- hangUpButton.disabled = false;
-
- const addedCall = await e.incomingCall.accept({videoOptions: {localVideoStreams:[localVideoStream]}});
- call = addedCall;
-
- subscribeToRemoteParticipantInCall(addedCall);
-});
-```
-## End the current call
-Add an event listener to end the current call when the `hangUpButton` is clicked:
-```JavaScript
-hangUpButton.addEventListener("click", async () => {
- // dispose of the renderers
- rendererLocal.dispose();
- rendererRemote.dispose();
- // end the current call
- await call.hangUp();
- // toggle button states
- hangUpButton.disabled = true;
- callButton.disabled = false;
- stopVideoButton.disabled = true;
-});
-```
-## Subscribe to call updates
-You need to subscribe to the event when the remote participant ends the call to dispose of video renderers and toggle button states.
-
-Put the implementation in init() to subscribe to the `callsUpdated` event.
- ```JavaScript
-callAgent.on('callsUpdated', e => {
- e.removed.forEach(removedCall => {
- // dispose of video renders
- rendererLocal.dispose();
- rendererRemote.dispose();
- // toggle button states
- hangUpButton.disabled = true;
- callButton.disabled = false;
- stopVideoButton.disabled = true;
- })
-})
-```
-
-## Start and end video during the call
-You can stop the video during the current call by adding an event listener to the Stop Video button to dispose of the renderer of `localVideoStream`.
- ```JavaScript
-stopVideoButton.addEventListener("click", async () => {
- await call.stopVideo(localVideoStream);
- rendererLocal.dispose();
- startVideoButton.disabled = false;
- stopVideoButton.disabled = true;
-});
-```
-You can add an event listener to the Start Video button to turn the video back on when it was stopped during the current call.
-```JavaScript
-startVideoButton.addEventListener("click", async () => {
- await call.startVideo(localVideoStream);
- localVideoView();
- stopVideoButton.disabled = false;
- startVideoButton.disabled = true;
-});
-```
-## Run the code
-Use the `webpack-dev-server` to build and run your app. Run the following command to bundle application host in on a local webserver:
+zone_pivot_groups: acs-plat-web-ios-android
+
-```console
-npx webpack-dev-server --entry ./client.js --output bundle.js --debug --devtool inline-source-map
-```
-Open your browser and navigate to http://localhost:8080/. You should see the following:
+# QuickStart: Add 1:1 video calling to your app
-You can make an 1:1 outgoing video call by providing a user ID in the text field and clicking the Start Call button.
-## Sample Code
-You can download the sample app from [GitHub](https://github.com/Azure-Samples/communication-services-javascript-quickstarts/tree/main/add-1-on-1-video-calling).
## Clean up resources If you want to clean up and remove a Communication Services subscription, you can delete the resource or resource group. Deleting the resource group also deletes any other resources associated with it. Learn more about [cleaning up resources](../create-communication-resource.md?pivots=platform-azp&tabs=windows#clean-up-resources).
cosmos-db Concepts Limits https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cosmos-db/concepts-limits.md
The following table lists the limits specific to MongoDB feature support. Other
| Resource | Default limit | | | | | Maximum MongoDB query memory size (This limitation is only for 3.2 server version) | 40 MB |
-|Maximum execution time for MongoDB operations (for 3.2 server version)| 15 seconds|
-|Maximum execution time for MongoDB operations(for 3.6 server version)| 60 seconds|
+| Maximum execution time for MongoDB operations (for 3.2 server version)| 15 seconds|
+| Maximum execution time for MongoDB operations(for 3.6 and 4.0 server version)| 60 seconds|
+| Maximum level of nesting for embedded objects / arrays on index definitions | 6 |
| Idle connection timeout for server side connection closure* | 30 minutes | \* We recommend that client applications set the idle connection timeout in the driver settings to 2-3 minutes because the [default timeout for Azure LoadBalancer is 4 minutes](../load-balancer/load-balancer-tcp-idle-timeout.md). This timeout will ensure that idle connections are not closed by an intermediate load balancer between the client machine and Azure Cosmos DB.
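Review bot: in the added 3.6/4.0 row, "operations(for 3.6 and 4.0 server version)" is missing the space before the parenthesis and should say "versions" now that it names two; the 3.2 row directly above already has the space. Suggest "Maximum execution time for MongoDB operations (for 3.6 and 4.0 server versions)". The new row for nesting depth on index definitions also does not say which server versions it covers, while the neighbouring rows do; either state the versions or confirm the limit applies to all of them.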
cost-management-billing Manage Azure Subscription Policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cost-management-billing/manage/manage-azure-subscription-policy.md
# Manage Azure subscription policies
->[!NOTE]
->This feature is currently in preview and is being gradually rolled out, so not everyone may see this experience on the Azure portal yet.
- This article helps you configure Azure subscription policies for subscription operations to control the movement of Azure subscriptions from and into directories. ## Prerequisites
cost-management-billing Withholding Tax Credit India https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cost-management-billing/manage/withholding-tax-credit-india.md
+
+ Title: Request a credit for Withholding Tax on your account (India customers) - Azure
+description: Learn how to request a credit on your account for Withholding Tax you paid. This article only applies to customers in India.
++
+tags: billing
+++ Last updated : 05/06/2021+++
+# Request a credit for Withholding Tax on your account (India customers)
+
+Customers in India receive Web Direct (Azure and Microsoft 365) invoices billed by Microsoft Regional Sales Pte Ltd. Singapore (MRS) and make cross-border payments to Singapore to settle the invoice. If you withheld taxes when remitting the payment, this article explains the process for claiming a credit for the Withholding Tax (WHT) in your account with MRS.
+
+## Invoice payment by check and wire
+
+If you withheld tax when remitting payment to MRS and deposited the withheld tax with the Income Tax Department, you must submit a WHT request to settle the tax amount withheld in your account.
+
+Your WHT request must include the following items:
+
+- A completed copy of the [Withholding Tax Credit Form](https://download.microsoft.com/download/a/2/a/a2a35969-2d54-4faa-ba41-6a50525eba70/WHT%20Credit%20Form%20-%20India.docx) (filled out by the customer)
+- A digitally signed TDS Certificate (Form 16A) issued by the Indian Income Tax Department (provided by the customer)
+
+Submit the WHT request by opening a ticket with Microsoft support.
+
+## Credit card payment
+
+If your payment method is a credit card and you made a full payment to MRS, and paid WHT to the Income Tax Department, you must submit a WHT request to claim the refund of the tax amount.
+
+Your WHT request must include the following items:
+
+- A completed copy of the [Withholding Tax Credit Form](https://download.microsoft.com/download/a/2/a/a2a35969-2d54-4faa-ba41-6a50525eba70/WHT%20Credit%20Form%20-%20India.docx) (filled out by the customer)
+- A digitally signed TDS Certificate (Form 16A) issued by the Indian Income Tax Department (provided by the customer)
+
+Submit the WHT request by opening a ticket with Microsoft support
+
+## Timelines to send TDS Certificate with Withholding Tax Credit form
+
+The following table shows the due dates and timelines to submit digitally signed TDS Certificate (Form 16A) forms for each quarter.
+
+| Quarter | Period | Due date for issuance of TDS Certificate (Form 16A) | Extended timelines to submit Form 16A together with the Withholding Tax Credit form |
+|-|-|-|-|
+| 1 | April - June | 15-Aug | 31-Aug |
+| 2 | July - September | 15-Nov | 30-Nov |
+| 3 | October - December | 15-Feb | 28-Feb |
+| 4 | January - March | 15-Jun | 30-Jun |
+
+> [!IMPORTANT]
+>
+> - Customers can only submit a request for a refund of the WHT amount after paying the invoice.
+> - The invoice amount on the Withholding Tax Credit Form must match the invoice amount identified in the TDS certificate. If the invoice amount is different between the two forms, you must specify the reason for the difference in the Withholding Tax Credit Form. This information is checked by the review team, who might ask clarifying questions, if required.
+> - TDS certificate files must be in one of the following file formats: .PDF or Image only (.JPEG, .PNG and .GIF). Additionally, file names must not contain spaces or special characters. File size cannot exceed 1 MB.
+
+After you submit the request, it goes into the approval process where it's either approved for completion or is sent back to you for correction.
+
+If thereΓÇÖs a problem with your request, the review team might require corrections to the withholding amount or replacement of the TDS certificate. Resubmit the request for approval. The review team will either approve the request or ask for more changes.
+
+## Approved requests
+
+**For customers paying by check and wire:** Approved WHT requests are settled against the unpaid portion of the invoice amount reflected in the Withholding Tax Credit Form.
+
+After your claim is approved, itΓÇÖs reflected in the next billing cycle. The WHT amount paid is included in the payment section of your next invoice. The amount is also displayed under the paid amount in the customer portal.
+
+**For customers paying by credit card:** After your claim is approved, your overpayment is refunded to your credit card.
+
+> [!IMPORTANT]
+>
+> - If changes are required, the approval process might take longer because of the corrections that must be made and then resubmitted.
+> - If you have questions about the WHT request process, please open a ticket with Microsoft support.
+
+## Next steps
+
+- See [Resolve past due balance for your Azure subscription](resolve-past-due-balance.md) if you need to pay an Azure bill.
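Review bot: under "Credit card payment", the sentence "Submit the WHT request by opening a ticket with Microsoft support" has no closing period, unlike the identical sentence under "Invoice payment by check and wire". The apostrophes in "there's" (the paragraph after the first IMPORTANT block) and "it's" (under "Approved requests") show up as mis-encoded characters in this diff, so replace them with plain ASCII apostrophes, as the earlier "it's either approved" line already does. The required-items list is also repeated verbatim in both payment sections; stating it once ahead of the two sections would keep the copies from drifting apart. Last, the file-format rule says "Image only (.JPEG, .PNG and .GIF)" right after allowing .PDF, which reads as contradictory; "PDF or an image (.JPEG, .PNG, or .GIF)" would be clearer.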
data-factory Azure Integration Runtime Ip Addresses https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/azure-integration-runtime-ip-addresses.md
Title: Azure Integration Runtime IP addresses description: Learn which IP addresses you must allow inbound traffic from, in order to properly configure firewalls for securing network access to data stores.--++
data-factory Concepts Integration Runtime https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/concepts-integration-runtime.md
Title: Integration runtime description: 'Learn about integration runtime in Azure Data Factory.'--++
data-factory Connect Data Factory To Azure Purview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connect-data-factory-to-azure-purview.md
Title: Connect a Data Factory to Azure Purview description: Learn about how to connect a Data Factory to Azure Purview---++
data-factory Connector Amazon Marketplace Web Service https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-amazon-marketplace-web-service.md
Title: Copy data from AWS Marketplace
description: Learn how to copy data from Amazon Marketplace Web Service to supported sink data stores by using a copy activity in an Azure Data Factory pipeline. --++ Last updated 08/01/2018
data-factory Connector Amazon Redshift https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-amazon-redshift.md
Title: Copy data from Amazon Redshift description: Learn about how to copy data from Amazon Redshift to supported sink data stores by using Azure Data Factory.--++ Last updated 12/09/2020
data-factory Connector Amazon Simple Storage Service https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-amazon-simple-storage-service.md
Title: Copy data from Amazon Simple Storage Service (S3) description: Learn about how to copy data from Amazon Simple Storage Service (S3) to supported sink data stores by using Azure Data Factory.--++
data-factory Connector Azure Blob Storage https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-azure-blob-storage.md
Title: Copy and transform data in Azure Blob storage description: Learn how to copy data to and from Blob storage, and transform data in Blob storage by using Data Factory.--++
data-factory Connector Azure Cosmos Db Mongodb Api https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-azure-cosmos-db-mongodb-api.md
Title: Copy data from Azure Cosmos DB's API for MongoDB description: Learn how to copy data from supported source data stores to or from Azure Cosmos DB's API for MongoDB to supported sink stores by using Data Factory.--++
data-factory Connector Azure Cosmos Db https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-azure-cosmos-db.md
Title: Copy and transform data in Azure Cosmos DB (SQL API) description: Learn how to copy data to and from Azure Cosmos DB (SQL API), and transform data in Azure Cosmos DB (SQL API) by using Data Factory.--++
data-factory Connector Azure Data Explorer https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-azure-data-explorer.md
Title: Copy data to or from Azure Data Explorer description: Learn how to copy data to or from Azure Data Explorer by using a copy activity in an Azure Data Factory pipeline. -+
data-factory Connector Azure Data Lake Storage https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-azure-data-lake-storage.md
Title: Copy and transform data in Azure Data Lake Storage Gen2 description: Learn how to copy data to and from Azure Data Lake Storage Gen2, and transform data in Azure Data Lake Storage Gen2 by using Azure Data Factory.--++
data-factory Connector Azure Data Lake Store https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-azure-data-lake-store.md
Title: Copy data to or from Azure Data Lake Storage Gen1 description: Learn how to copy data from supported source data stores to Azure Data Lake Store, or from Data Lake Store to supported sink stores, by using Data Factory.--++
data-factory Connector Azure Database For Mariadb https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-azure-database-for-mariadb.md
Title: Copy data from Azure Database for MariaDB description: Learn how to copy data from Azure Database for MariaDB to supported sink data stores by using a copy activity in an Azure Data Factory pipeline.--++
data-factory Connector Azure Database For Mysql https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-azure-database-for-mysql.md
Title: Copy and transform data in Azure Database for MySQL description: earn how to copy and transform data in Azure Database for MySQL by using Azure Data Factory.--++
data-factory Connector Azure Database For Postgresql https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-azure-database-for-postgresql.md
Title: Copy and transform data in Azure Database for PostgreSQL description: Learn how to copy and transform data in Azure Database for PostgreSQL by using Azure Data Factory.--++
data-factory Connector Azure Databricks Delta Lake https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-azure-databricks-delta-lake.md
Title: Copy data to and from Azure Databricks Delta Lake description: Learn how to copy data to and from Azure Databricks Delta Lake by using a copy activity in an Azure Data Factory pipeline.--++
data-factory Connector Azure File Storage https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-azure-file-storage.md
Title: Copy data from/to Azure File Storage description: Learn how to copy data from Azure File Storage to supported sink data stores (or) from supported source data stores to Azure File Storage by using Azure Data Factory.--++
data-factory Connector Azure Search https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-azure-search.md
Title: Copy data to Search index description: Learn about how to push or copy data to an Azure search index by using the Copy Activity in an Azure Data Factory pipeline.--++
data-factory Connector Azure Sql Data Warehouse https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-azure-sql-data-warehouse.md
Title: Copy and transform data in Azure Synapse Analytics description: Learn how to copy data to and from Azure Synapse Analytics, and transform data in Azure Synapse Analytics by using Data Factory.--++ Last updated 03/17/2021
data-factory Connector Azure Sql Database https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-azure-sql-database.md
Title: Copy and transform data in Azure SQL Database description: Learn how to copy data to and from Azure SQL Database, and transform data in Azure SQL Database by using Azure Data Factory.--++
data-factory Connector Azure Sql Managed Instance https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-azure-sql-managed-instance.md
Title: Copy and transform data in Azure SQL Managed Instance
description: Learn how to copy and transform data in Azure SQL Managed Instance by using Azure Data Factory. --++ Last updated 03/17/2021
data-factory Connector Azure Table Storage https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-azure-table-storage.md
Title: Copy data to and from Azure Table storage description: Learn how to copy data from supported source stores to Azure Table storage, or from Table storage to supported sink stores, by using Data Factory.--++
data-factory Connector Cassandra https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-cassandra.md
Title: Copy data from Cassandra using Azure Data Factory description: Learn how to copy data from Cassandra to supported sink data stores by using a copy activity in an Azure Data Factory pipeline.-+ Last updated 08/12/2019-+ # Copy data from Cassandra using Azure Data Factory > [!div class="op_single_selector" title1="Select the version of Data Factory service you are using:"]
data-factory Connector Concur https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-concur.md
Title: Copy data from Concur using Azure Data Factory (Preview) description: Learn how to copy data from Concur to supported sink data stores by using a copy activity in an Azure Data Factory pipeline.-+ Last updated 11/25/2020-+ # Copy data from Concur using Azure Data Factory (Preview)
data-factory Connector Couchbase https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-couchbase.md
Title: Copy data from Couchbase using Azure Data Factory (Preview) description: Learn how to copy data from Couchbase to supported sink data stores by using a copy activity in an Azure Data Factory pipeline.-+ Last updated 08/12/2019-+ # Copy data from Couchbase using Azure Data Factory (Preview) [!INCLUDE[appliesto-adf-asa-md](includes/appliesto-adf-asa-md.md)]
data-factory Connector Db2 https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-db2.md
Title: Copy data from DB2 using Azure Data Factory description: Learn how to copy data from DB2 to supported sink data stores by using a copy activity in an Azure Data Factory pipeline.-+ Last updated 05/26/2020-+ # Copy data from DB2 by using Azure Data Factory > [!div class="op_single_selector" title1="Select the version of Data Factory service you are using:"]
data-factory Connector Drill https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-drill.md
Title: Copy data from Drill using Azure Data Factory description: Learn how to copy data from Drill to supported sink data stores by using a copy activity in an Azure Data Factory pipeline.-+ Last updated 10/25/2019-+ # Copy data from Drill using Azure Data Factory
data-factory Connector Dynamics Ax https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-dynamics-ax.md
Title: Copy data from Dynamics AX description: Learn how to copy data from Dynamics AX to supported sink data stores by using a copy activity in an Azure Data Factory pipeline.--++
data-factory Connector Dynamics Crm Office 365 https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-dynamics-crm-office-365.md
Title: Copy data in Dynamics (Common Data Service)
description: Learn how to copy data from Microsoft Dynamics CRM or Microsoft Dynamics 365 (Common Data Service/Microsoft Dataverse) to supported sink data stores or from supported source data stores to Dynamics CRM or Dynamics 365 by using a copy activity in a data factory pipeline. --++ Last updated 03/17/2021
data-factory Connector File System https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-file-system.md
Title: Copy data from/to a file system by using Azure Data Factory description: Learn how to copy data from file system to supported sink data stores (or) from supported source data stores to file system by using Azure Data Factory.-+ Last updated 03/29/2021-+ # Copy data to or from a file system by using Azure Data Factory
data-factory Connector Ftp https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-ftp.md
Title: Copy data from an FTP server by using Azure Data Factory description: Learn how to copy data from an FTP server to a supported sink data store by using a copy activity in an Azure Data Factory pipeline.-+ Last updated 03/17/2021-+ # Copy data from FTP server by using Azure Data Factory
data-factory Connector Google Adwords https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-google-adwords.md
Title: Copy data from Google AdWords description: Learn how to copy data from Google AdWords to supported sink data stores by using a copy activity in an Azure Data Factory pipeline.--++
data-factory Connector Google Bigquery https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-google-bigquery.md
Title: Copy data from Google BigQuery by using Azure Data Factory description: Learn how to copy data from Google BigQuery to supported sink data stores by using a copy activity in a data factory pipeline.--++
data-factory Connector Google Cloud Storage https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-google-cloud-storage.md
Title: Copy data from Google Cloud Storage by using Azure Data Factory description: Learn about how to copy data from Google Cloud Storage to supported sink data stores by using Azure Data Factory.-+ Last updated 03/17/2021-+ # Copy data from Google Cloud Storage by using Azure Data Factory
data-factory Connector Greenplum https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-greenplum.md
Title: Copy data from Greenplum using Azure Data Factory description: Learn how to copy data from Greenplum to supported sink data stores by using a copy activity in an Azure Data Factory pipeline.-+ Last updated 09/04/2019-+ # Copy data from Greenplum using Azure Data Factory [!INCLUDE[appliesto-adf-asa-md](includes/appliesto-adf-asa-md.md)]
data-factory Connector Hbase https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-hbase.md
Title: Copy data from HBase using Azure Data Factory description: Learn how to copy data from HBase to supported sink data stores by using a copy activity in an Azure Data Factory pipeline.-+ Last updated 08/12/2019-+ # Copy data from HBase using Azure Data Factory [!INCLUDE[appliesto-adf-asa-md](includes/appliesto-adf-asa-md.md)]
data-factory Connector Hdfs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-hdfs.md
Title: Copy data from HDFS by using Azure Data Factory description: Learn how to copy data from a cloud or on-premises HDFS source to supported sink data stores by using Copy activity in an Azure Data Factory pipeline.-+ Last updated 03/17/2021-+ # Copy data from the HDFS server by using Azure Data Factory
data-factory Connector Hive https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-hive.md
Title: Copy data from Hive using Azure Data Factory description: Learn how to copy data from Hive to supported sink data stores by using a copy activity in an Azure Data Factory pipeline.-+ Last updated 11/17/2020-+ # Copy and transform data from Hive using Azure Data Factory [!INCLUDE[appliesto-adf-asa-md](includes/appliesto-adf-asa-md.md)]
data-factory Connector Http https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-http.md
Title: Copy data from an HTTP source by using Azure Data Factory description: Learn how to copy data from a cloud or on-premises HTTP source to supported sink data stores by using a copy activity in an Azure Data Factory pipeline.-+ Last updated 03/17/2021-+ # Copy data from an HTTP endpoint by using Azure Data Factory
data-factory Connector Hubspot https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-hubspot.md
Title: Copy data from HubSpot using Azure Data Factory description: Learn how to copy data from HubSpot to supported sink data stores by using a copy activity in an Azure Data Factory pipeline.-+ Last updated 12/18/2020-+ # Copy data from HubSpot using Azure Data Factory [!INCLUDE[appliesto-adf-asa-md](includes/appliesto-adf-asa-md.md)]
data-factory Connector Impala https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-impala.md
Title: Copy data from Impala by using Azure Data Factory description: Learn how to copy data from Impala to supported sink data stores by using a copy activity in a data factory pipeline.-+ Last updated 09/04/2019-+ # Copy data from Impala by using Azure Data Factory
data-factory Connector Informix https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-informix.md
Title: Copy data from and to IBM Informix using Azure Data Factory description: Learn how to copy data from and to IBM Informix by using a copy activity in an Azure Data Factory pipeline.-+ Last updated 03/17/2021-+ # Copy data from and to IBM Informix using Azure Data Factory
data-factory Connector Jira https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-jira.md
Title: Copy data from Jira using Azure Data Factory description: Learn how to copy data from Jira to supported sink data stores by using a copy activity in an Azure Data Factory pipeline.-+ Last updated 10/25/2019-+ # Copy data from Jira using Azure Data Factory
data-factory Connector Magento https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-magento.md
Title: Copy data from Magento using Azure Data Factory (Preview) description: Learn how to copy data from Magento to supported sink data stores by using a copy activity in an Azure Data Factory pipeline.-+ Last updated 08/01/2019-+ # Copy data from Magento using Azure Data Factory (Preview) [!INCLUDE[appliesto-adf-asa-md](includes/appliesto-adf-asa-md.md)]
data-factory Connector Mariadb https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-mariadb.md
Title: Copy data from MariaDB using Azure Data Factory description: Learn how to copy data from MariaDB to supported sink data stores by using a copy activity in an Azure Data Factory pipeline.-+ Last updated 08/12/2019-+ # Copy data from MariaDB using Azure Data Factory [!INCLUDE[appliesto-adf-asa-md](includes/appliesto-adf-asa-md.md)]
data-factory Connector Marketo https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-marketo.md
Title: Copy data from Marketo using Azure Data Factory (Preview) description: Learn how to copy data from Marketo to supported sink data stores by using a copy activity in an Azure Data Factory pipeline.-+ Last updated 06/04/2020-+ # Copy data from Marketo using Azure Data Factory (Preview) [!INCLUDE[appliesto-adf-asa-md](includes/appliesto-adf-asa-md.md)]
data-factory Connector Microsoft Access https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-microsoft-access.md
Title: Copy data from and to Microsoft Access description: Learn how to copy data from and to Microsoft Access by using a copy activity in an Azure Data Factory pipeline.--++
data-factory Connector Mongodb Atlas https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-mongodb-atlas.md
Title: Copy data from MongoDB Atlas description: Learn how to copy data from MongoDB Atlas to supported sink data stores by using a copy activity in an Azure Data Factory pipeline.--++
data-factory Connector Mongodb Legacy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-mongodb-legacy.md
Title: Copy data from MongoDB using legacy description: Learn how to copy data from Mongo DB to supported sink data stores by using a copy activity in a legacy Azure Data Factory pipeline.--++
data-factory Connector Mongodb https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-mongodb.md
Title: Copy data from MongoDB description: Learn how to copy data from Mongo DB to supported sink data stores by using a copy activity in an Azure Data Factory pipeline.--++
data-factory Connector Mysql https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-mysql.md
Title: Copy data from MySQL using Azure Data Factory description: Learn about MySQL connector in Azure Data Factory that lets you copy data from a MySQL database to a data store supported as a sink.-+ Last updated 09/09/2020-+ # Copy data from MySQL using Azure Data Factory
data-factory Connector Netezza https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-netezza.md
Title: Copy data from Netezza by using Azure Data Factory description: Learn how to copy data from Netezza to supported sink data stores by using a copy activity in an Azure Data Factory pipeline.-+ Last updated 05/28/2020-+ # Copy data from Netezza by using Azure Data Factory [!INCLUDE[appliesto-adf-asa-md](includes/appliesto-adf-asa-md.md)]
data-factory Connector Odata https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-odata.md
Title: Copy data from OData sources by using Azure Data Factory description: Learn how to copy data from OData sources to supported sink data stores by using a copy activity in an Azure Data Factory pipeline.-+ Last updated 03/30/2021-+ # Copy data from an OData source by using Azure Data Factory [!INCLUDE[appliesto-adf-asa-md](includes/appliesto-adf-asa-md.md)]
data-factory Connector Odbc https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-odbc.md
Title: Copy data from and to ODBC data stores using Azure Data Factory description: Learn how to copy data from and to ODBC data stores by using a copy activity in an Azure Data Factory pipeline.-+ Last updated 04/22/2020-+ # Copy data from and to ODBC data stores using Azure Data Factory > [!div class="op_single_selector" title1="Select the version of Data Factory service you are using:"]
data-factory Connector Office 365 https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-office-365.md
Title: Copy data from Office 365 using Azure Data Factory description: Learn how to copy data from Office 365 to supported sink data stores by using copy activity in an Azure Data Factory pipeline.-+ Last updated 10/20/2019-+ # Copy data from Office 365 into Azure using Azure Data Factory [!INCLUDE[appliesto-adf-asa-md](includes/appliesto-adf-asa-md.md)]
data-factory Connector Oracle Eloqua https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-oracle-eloqua.md
Title: Copy data from Oracle Eloqua (Preview) description: Learn how to copy data from Oracle Eloqua to supported sink data stores by using a copy activity in an Azure Data Factory pipeline.--++
data-factory Connector Oracle Responsys https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-oracle-responsys.md
Title: Copy data from Oracle Responsys (Preview) description: Learn how to copy data from Oracle Responsys to supported sink data stores by using a copy activity in an Azure Data Factory pipeline.--++
data-factory Connector Oracle Service Cloud https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-oracle-service-cloud.md
Title: Copy data from Oracle Service Cloud (Preview) description: Learn how to copy data from Oracle Service Cloud to supported sink data stores by using a copy activity in an Azure Data Factory pipeline.--++
data-factory Connector Oracle https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-oracle.md
Title: Copy data to and from Oracle by using Azure Data Factory description: Learn how to copy data from supported source stores to an Oracle database, or from Oracle to supported sink stores, by using Data Factory.-+ Last updated 03/17/2021-+ # Copy data from and to Oracle by using Azure Data Factory
data-factory Connector Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-overview.md
Title: Azure Data Factory connector overview description: Learn the supported connectors in Data Factory.-+ Last updated 03/10/2021-+ # Azure Data Factory connector overview
data-factory Connector Paypal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-paypal.md
Title: Copy data from PayPal using Azure Data Factory (Preview) description: Learn how to copy data from PayPal to supported sink data stores by using a copy activity in an Azure Data Factory pipeline.-+ Last updated 08/01/2019-+ # Copy data from PayPal using Azure Data Factory (Preview) [!INCLUDE[appliesto-adf-asa-md](includes/appliesto-adf-asa-md.md)]
data-factory Connector Phoenix https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-phoenix.md
Title: Copy data from Phoenix using Azure Data Factory description: Learn how to copy data from Phoenix to supported sink data stores by using a copy activity in an Azure Data Factory pipeline.-+ Last updated 09/04/2019-+ # Copy data from Phoenix using Azure Data Factory [!INCLUDE[appliesto-adf-asa-md](includes/appliesto-adf-asa-md.md)]
data-factory Connector Postgresql https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-postgresql.md
Title: Copy data From PostgreSQL using Azure Data Factory description: Learn how to copy data from PostgreSQL to supported sink data stores by using a copy activity in an Azure Data Factory pipeline.-+ Last updated 02/19/2020-+ # Copy data from PostgreSQL by using Azure Data Factory > [!div class="op_single_selector" title1="Select the version of Data Factory service you are using:"]
data-factory Connector Presto https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-presto.md
Title: Copy data from Presto using Azure Data Factory description: Learn how to copy data from Presto to supported sink data stores by using a copy activity in an Azure Data Factory pipeline.-+ Last updated 12/18/2020-+ # Copy data from Presto using Azure Data Factory [!INCLUDE[appliesto-adf-asa-md](includes/appliesto-adf-asa-md.md)]
data-factory Connector Quickbooks https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-quickbooks.md
Title: Copy data from QuickBooks Online using Azure Data Factory (Preview) description: Learn how to copy data from QuickBooks Online to supported sink data stores by using a copy activity in an Azure Data Factory pipeline.--++
data-factory Connector Rest https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-rest.md
Title: Copy data from and to a REST endpoint by using Azure Data Factory description: Learn how to copy data from a cloud or on-premises REST source to supported sink data stores, or from supported source data store to a REST sink by using a copy activity in an Azure Data Factory pipeline.-+ Last updated 03/16/2021-+ # Copy data from and to a REST endpoint by using Azure Data Factory [!INCLUDE[appliesto-adf-asa-md](includes/appliesto-adf-asa-md.md)]
data-factory Connector Salesforce Marketing Cloud https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-salesforce-marketing-cloud.md
Title: Copy data from Salesforce Marketing Cloud description: Learn how to copy data from Salesforce Marketing Cloud to supported sink data stores by using a copy activity in an Azure Data Factory pipeline.--++
data-factory Connector Salesforce Service Cloud https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-salesforce-service-cloud.md
Title: Copy data from and to Salesforce Service Cloud description: Learn how to copy data from Salesforce Service Cloud to supported sink data stores or from supported source data stores to Salesforce Service Cloud by using a copy activity in a data factory pipeline.--++
data-factory Connector Salesforce https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-salesforce.md
Title: Copy data from and to Salesforce description: Learn how to copy data from Salesforce to supported sink data stores or from supported source data stores to Salesforce by using a copy activity in a data factory pipeline.--++
data-factory Connector Sap Business Warehouse Open Hub https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-sap-business-warehouse-open-hub.md
Title: Copy data from SAP Business Warehouse via Open Hub description: Learn how to copy data from SAP Business Warehouse (BW) via Open Hub to supported sink data stores by using a copy activity in an Azure Data Factory pipeline.--++
data-factory Connector Sap Business Warehouse https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-sap-business-warehouse.md
Title: Copy data from SAP BW description: Learn how to copy data from SAP Business Warehouse to supported sink data stores by using a copy activity in an Azure Data Factory pipeline.--++
data-factory Connector Sap Cloud For Customer https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-sap-cloud-for-customer.md
Title: Copy data from/to SAP Cloud for Customer description: Learn how to copy data from SAP Cloud for Customer to supported sink data stores (or) from supported source data stores to SAP Cloud for Customer by using Data Factory.--++
data-factory Connector Sap Ecc https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-sap-ecc.md
Title: Copy data from SAP ECC description: Learn how to copy data from SAP ECC to supported sink data stores by using a copy activity in an Azure Data Factory pipeline.--++
data-factory Connector Sap Hana https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-sap-hana.md
Title: Copy data from SAP HANA description: Learn how to copy data from SAP HANA to supported sink data stores by using a copy activity in an Azure Data Factory pipeline.--++
data-factory Connector Sap Table https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-sap-table.md
Title: Copy data from an SAP table description: Learn how to copy data from an SAP table to supported sink data stores by using a copy activity in an Azure Data Factory pipeline.--++
data-factory Connector Servicenow https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-servicenow.md
Title: Copy data from ServiceNow description: Learn how to copy data from ServiceNow to supported sink data stores by using a copy activity in an Azure Data Factory pipeline.--++
data-factory Connector Sftp https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-sftp.md
Title: Copy data from and to SFTP server description: Learn how to copy data from and to SFTP server by using Azure Data Factory.--++
data-factory Connector Sharepoint Online List https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-sharepoint-online-list.md
Title: Copy data from SharePoint Online List by using Azure Data Factory description: Learn how to copy data from SharePoint Online List to supported sink data stores by using a copy activity in an Azure Data Factory pipeline.-+ Last updated 05/19/2020-+ # Copy data from SharePoint Online List by using Azure Data Factory [!INCLUDE[appliesto-adf-asa-md](includes/appliesto-adf-asa-md.md)]
data-factory Connector Shopify https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-shopify.md
Title: Copy data from Shopify (Preview) description: Learn how to copy data from Shopify to supported sink data stores by using a copy activity in an Azure Data Factory pipeline.--++
data-factory Connector Snowflake https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-snowflake.md
Title: Copy and transform data in Snowflake description: Learn how to copy and transform data in Snowflake by using Data Factory.--++
data-factory Connector Spark https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-spark.md
Title: Copy data from Spark description: Learn how to copy data from Spark to supported sink data stores by using a copy activity in an Azure Data Factory pipeline.--++
data-factory Connector Sql Server https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-sql-server.md
Title: Copy data to and from SQL Server description: Learn about how to move data to and from SQL Server database that is on-premises or in an Azure VM by using Azure Data Factory.--++
data-factory Connector Square https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-square.md
Title: Copy data from Square (Preview) description: Learn how to copy data from Square to supported sink data stores by using a copy activity in an Azure Data Factory pipeline.--++
data-factory Connector Sybase https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-sybase.md
Title: Copy data from Sybase using Azure Data Factory description: Learn how to copy data from Sybase to supported sink data stores by using a copy activity in an Azure Data Factory pipeline.-+ Last updated 06/10/2020-+ # Copy data from Sybase using Azure Data Factory > [!div class="op_single_selector" title1="Select the version of Data Factory service you are using:"]
data-factory Connector Teradata https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-teradata.md
Title: Copy data from Teradata Vantage by using Azure Data Factory description: The Teradata Connector of the Data Factory service lets you copy data from a Teradata Vantage to data stores supported by Data Factory as sinks. -+ Last updated 01/22/2021-+ # Copy data from Teradata Vantage by using Azure Data Factory
data-factory Connector Troubleshoot Guide https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-troubleshoot-guide.md
Title: Troubleshoot Azure Data Factory connectors description: Learn how to troubleshoot connector issues in Azure Data Factory. -+ Last updated 04/13/2021-+
data-factory Connector Vertica https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-vertica.md
Title: Copy data from Vertica using Azure Data Factory description: Learn how to copy data from Vertica to supported sink data stores by using a copy activity in an Azure Data Factory pipeline.-+ Last updated 09/04/2019-+ # Copy data from Vertica using Azure Data Factory [!INCLUDE[appliesto-adf-asa-md](includes/appliesto-adf-asa-md.md)]
data-factory Connector Web Table https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-web-table.md
Title: Copy data from Web Table using Azure Data Factory description: Learn about Web Table Connector of Azure Data Factory that lets you copy data from a web table to data stores supported by Data Factory as sinks. -+ Last updated 08/01/2019-+ # Copy data from Web table by using Azure Data Factory > [!div class="op_single_selector" title1="Select the version of Data Factory service you are using:"]
data-factory Connector Xero https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-xero.md
Title: Copy data from Xero using Azure Data Factory description: Learn how to copy data from Xero to supported sink data stores by using a copy activity in an Azure Data Factory pipeline.-+ Last updated 01/26/2021-+ # Copy data from Xero using Azure Data Factory
data-factory Connector Zoho https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-zoho.md
Title: Copy data from Zoho using Azure Data Factory (Preview) description: Learn how to copy data from Zoho to supported sink data stores by using a copy activity in an Azure Data Factory pipeline.-+ Last updated 08/03/2020-+ # Copy data from Zoho using Azure Data Factory (Preview) [!INCLUDE[appliesto-adf-asa-md](includes/appliesto-adf-asa-md.md)]
data-factory Control Flow Execute Data Flow Activity https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/control-flow-execute-data-flow-activity.md
Previously updated : 04/16/2021 Last updated : 05/06/2021 # Data Flow activity in Azure Data Factory
traceLevel | Set logging level of your data flow activity execution | Fine, Coar
The Core Count and Compute Type properties can be set dynamically to adjust to the size of your incoming source data at runtime. Use pipeline activities like Lookup or Get Metadata in order to find the size of the source dataset data. Then, use Add Dynamic Content in the Data Flow activity properties.
+> [!NOTE]
+> When choosing driver and worker node cores in Synapse Data Flows, a minimum of 3 nodes will always be utilized.
+ ![Dynamic Data Flow](media/data-flow/dyna1.png "Dynamic data flow") [Here is a brief video tutorial explaining this technique](https://www.youtube.com/watch?v=jWSkJdtiJNM)
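Review bot: The added note refers to "Synapse Data Flows", but it sits in the article titled "Data Flow activity in Azure Data Factory", directly under the paragraph on setting Core Count and Compute Type dynamically. Say whether the 3-node minimum also applies to Data Factory data flows, or move the note to the Synapse article. It would also help to state how that minimum interacts with a Core Count value computed at runtime through Add Dynamic Content.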
data-factory Control Flow Get Metadata Activity https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/control-flow-get-metadata-activity.md
Title: Get Metadata activity in Azure Data Factory description: Learn how to use the Get Metadata activity in a Data Factory pipeline.-+ Last updated 02/25/2021-+ # Get Metadata activity in Azure Data Factory
data-factory Control Flow Lookup Activity https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/control-flow-lookup-activity.md
Title: Lookup activity in Azure Data Factory description: Learn how to use Lookup activity to look up a value from an external source. This output can be further referenced by succeeding activities. --++ Last updated 02/25/2021
data-factory Copy Activity Monitoring https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/copy-activity-monitoring.md
Title: Monitor copy activity description: Learn about how to monitor the copy activity execution in Azure Data Factory. -+ Last updated 03/22/2021-+ # Monitor copy activity
data-factory Copy Activity Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/copy-activity-overview.md
Title: Copy activity in Azure Data Factory description: Learn about the Copy activity in Azure Data Factory. You can use it to copy data from a supported source data store to a supported sink data store.-+ Last updated 10/12/2020-+ # Copy activity in Azure Data Factory
data-factory Copy Activity Performance Features https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/copy-activity-performance-features.md
Title: Copy activity performance optimization features description: Learn about the key features that help you optimize the copy activity performance in Azure Data Factory。--++
data-factory Copy Activity Performance Troubleshooting https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/copy-activity-performance-troubleshooting.md
Title: Troubleshoot copy activity performance description: Learn about how to troubleshoot copy activity performance in Azure Data Factory.--++
data-factory Copy Activity Performance https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/copy-activity-performance.md
Title: Copy activity performance and scalability guide
description: Learn about key factors that affect the performance of data movement in Azure Data Factory when you use the copy activity. documentationcenter: ''--++
data-factory Copy Activity Preserve Metadata https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/copy-activity-preserve-metadata.md
Title: Preserve metadata and ACLs using copy activity in Azure Data Factory description: 'Learn about how to preserve metadata and ACLs during copy using copy activity in Azure Data Factory.'-+ Last updated 09/23/2020-+ # Preserve metadata and ACLs using copy activity in Azure Data Factory
data-factory Copy Activity Schema And Type Mapping https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/copy-activity-schema-and-type-mapping.md
Title: Schema and data type mapping in copy activity description: Learn about how copy activity in Azure Data Factory maps schemas and data types from source data to sink data.--+ Last updated 06/22/2020-+ # Schema and data type mapping in copy activity [!INCLUDE[appliesto-adf-asa-md](includes/appliesto-adf-asa-md.md)]
data-factory Create Azure Integration Runtime https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/create-azure-integration-runtime.md
description: Learn how to create Azure integration runtime in Azure Data Factory
Last updated 06/09/2020--++ # How to create and configure Azure Integration Runtime [!INCLUDE[appliesto-adf-asa-md](includes/appliesto-adf-asa-md.md)]
data-factory Create Shared Self Hosted Integration Runtime Powershell https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/create-shared-self-hosted-integration-runtime-powershell.md
Title: Create a shared self-hosted integration runtime with PowerShell
description: Learn how to create a shared self-hosted integration runtime in Azure Data Factory, so multiple data factories can access the integration runtime. --++ Last updated 06/10/2020
data-factory Data Access Strategies https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/data-access-strategies.md
Title: Data access strategies description: Azure Data Factory now supports Static IP address ranges.--++ Last updated 05/28/2020
data-factory Data Factory Private Link https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/data-factory-private-link.md
Title: Azure Private Link for Azure Data Factory description: Learn about how Azure Private Link works in Azure Data Factory.---++
data-factory Data Factory Service Identity https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/data-factory-service-identity.md
Title: Managed identity for Data Factory description: Learn about managed identity for Azure Data Factory. -+ Last updated 03/25/2021-+ # Managed identity for Data Factory
data-factory Encrypt Credentials Self Hosted Integration Runtime https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/encrypt-credentials-self-hosted-integration-runtime.md
Title: Encrypt credentials in Azure Data Factory description: Learn how to encrypt and store credentials for your on-premises data stores on a machine with self-hosted integration runtime. -+ Last updated 01/15/2018-+ # Encrypt credentials for on-premises data stores in Azure Data Factory
data-factory Format Avro https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/format-avro.md
Title: Avro format in Azure Data Factory description: 'This topic describes how to deal with Avro format in Azure Data Factory.'-+ Last updated 09/15/2020-+ # Avro format in Azure Data Factory
data-factory Format Binary https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/format-binary.md
Title: Binary format in Azure Data Factory description: 'This topic describes how to deal with Binary format in Azure Data Factory.'-+ Last updated 10/29/2020-+ # Binary format in Azure Data Factory
data-factory Format Delimited Text https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/format-delimited-text.md
Title: Delimited text format in Azure Data Factory description: 'This topic describes how to deal with delimited text format in Azure Data Factory.'-+ Last updated 03/23/2021-+ # Delimited text format in Azure Data Factory
data-factory Format Excel https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/format-excel.md
Title: Excel format in Azure Data Factory description: 'This topic describes how to deal with Excel format in Azure Data Factory.'-+ Last updated 12/08/2020-+ # Excel format in Azure Data Factory
data-factory Format Json https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/format-json.md
Title: JSON format in Azure Data Factory description: 'This topic describes how to deal with JSON format in Azure Data Factory.'-+ Last updated 10/29/2020-+ # JSON format in Azure Data Factory
data-factory Format Orc https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/format-orc.md
Title: ORC format in Azure Data Factory description: 'This topic describes how to deal with ORC format in Azure Data Factory.'-+ Last updated 09/28/2020-+ # ORC format in Azure Data Factory
For copy running on Self-hosted IR with ORC file serialization/deserialization,
- **To use JRE**: The 64-bit IR requires 64-bit JRE. You can find it from [here](https://go.microsoft.com/fwlink/?LinkId=808605). - **To use OpenJDK**: It's supported since IR version 3.13. Package the jvm.dll with all other required assemblies of OpenJDK into Self-hosted IR machine, and set system environment variable JAVA_HOME accordingly.-- **To install Visual C++ 2010 Redistributable Package**: Visual C++ 2010 Redistributable Package is not installed with self-hosted IR installations. You can find it from [here](https://www.microsoft.com/download/details.aspx?id=14632).
+- **To install Visual C++ 2010 Redistributable Package**: Visual C++ 2010 Redistributable Package is not installed with self-hosted IR installations. You can find it from [here](https://www.microsoft.com/download/details.aspx?id=26999).
> [!TIP] > If you copy data to/from ORC format using Self-hosted Integration Runtime and hit error saying "An error occurred when invoking java, message: **java.lang.OutOfMemoryError:Java heap space**", you can add an environment variable `_JAVA_OPTIONS` in the machine that hosts the Self-hosted IR to adjust the min/max heap size for JVM to empower such copy, then rerun the pipeline.
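Review bot: The replaced link in the Visual C++ bullet changes only the download id (14632 to 26999) while the link text stays "here", so a reader cannot tell which package build or architecture the new target is. The bullets above it require a 64-bit JRE for the 64-bit IR. Name the architecture and package version in the link text so the prerequisite can be checked on the self-hosted IR machine without following the link.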
data-factory Format Parquet https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/format-parquet.md
Title: Parquet format in Azure Data Factory description: 'This topic describes how to deal with Parquet format in Azure Data Factory.'-+ Last updated 09/27/2020-+ # Parquet format in Azure Data Factory
For copy running on Self-hosted IR with Parquet file serialization/deserializati
- **To use JRE**: The 64-bit IR requires 64-bit JRE. You can find it from [here](https://go.microsoft.com/fwlink/?LinkId=808605). - **To use OpenJDK**: It's supported since IR version 3.13. Package the jvm.dll with all other required assemblies of OpenJDK into Self-hosted IR machine, and set system environment variable JAVA_HOME accordingly.-- **To install Visual C++ 2010 Redistributable Package**: Visual C++ 2010 Redistributable Package is not installed with self-hosted IR installations. You can find it from [here](https://www.microsoft.com/download/details.aspx?id=14632).
+- **To install Visual C++ 2010 Redistributable Package**: Visual C++ 2010 Redistributable Package is not installed with self-hosted IR installations. You can find it from [here](https://www.microsoft.com/download/details.aspx?id=26999).
> [!TIP] > If you copy data to/from Parquet format using Self-hosted Integration Runtime and hit error saying "An error occurred when invoking java, message: **java.lang.OutOfMemoryError:Java heap space**", you can add an environment variable `_JAVA_OPTIONS` in the machine that hosts the Self-hosted IR to adjust the min/max heap size for JVM to empower such copy, then rerun the pipeline.
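Review bot: The Visual C++ bullet here is the same line, with the same id change, as the one in format-orc.md, so both articles have to be edited in lockstep whenever the download moves. Consider moving the self-hosted IR prerequisites (JRE, OpenJDK, Visual C++ 2010 Redistributable Package) into a shared include, as these articles already do with includes/appliesto-adf-asa-md.md.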
data-factory Format Xml https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/format-xml.md
Title: XML format in Azure Data Factory description: 'This topic describes how to deal with XML format in Azure Data Factory.'-+ Last updated 04/29/2021-+ # XML format in Azure Data Factory
data-factory How To Discover Explore Purview Data https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/how-to-discover-explore-purview-data.md
Title: Discover and explore data in ADF using Purview
description: Learn how to discover, explore data in Azure Data Factory using Purview --++ Last updated 01/15/2021
data-factory How To Run Self Hosted Integration Runtime In Windows Container https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/how-to-run-self-hosted-integration-runtime-in-windows-container.md
Title: How to run Self-Hosted Integration Runtime in Windows container description: Learn about how to run Self-Hosted Integration Runtime in Windows container. --++
data-factory Load Azure Data Lake Storage Gen2 From Gen1 https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/load-azure-data-lake-storage-gen2-from-gen1.md
Title: Copy data from Azure Data Lake Storage Gen1 to Gen2 description: 'Use Azure Data Factory to copy data from Azure Data Lake Storage Gen1 to Gen2'--++
data-factory Load Azure Data Lake Storage Gen2 https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/load-azure-data-lake-storage-gen2.md
Title: Load data into Azure Data Lake Storage Gen2 description: 'Use Azure Data Factory to copy data into Azure Data Lake Storage Gen2'--++
data-factory Load Azure Data Lake Store https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/load-azure-data-lake-store.md
Title: Load data into Azure Data Lake Storage Gen1 description: 'Use Azure Data Factory to copy data into Azure Data Lake Storage Gen1'--++
data-factory Load Azure Sql Data Warehouse https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/load-azure-sql-data-warehouse.md
Title: Load data into Azure Synapse Analytics description: Use Azure Data Factory to copy data into Azure Synapse Analytics--++
data-factory Load Office 365 Data https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/load-office-365-data.md
Title: Load data from Office 365 by using Azure Data Factory description: 'Use Azure Data Factory to copy data from Office 365'-+ Last updated 02/18/2021-+ # Load data from Office 365 by using Azure Data Factory
data-factory Managed Virtual Network Private Endpoint https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/managed-virtual-network-private-endpoint.md
Title: Managed virtual network & managed private endpoints description: Learn about managed virtual network and managed private endpoints in Azure Data Factory.--++
data-factory Quickstart Create Data Factory Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/quickstart-create-data-factory-portal.md
Title: Create an Azure data factory using the Azure Data Factory UI description: Create a data factory with a pipeline that copies data from one location in Azure Blob storage to another location.-+ Last updated 12/14/2020-+ # Quickstart: Create a data factory by using the Azure Data Factory UI
data-factory Bulk Copy Powershell https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/scripts/bulk-copy-powershell.md
Title: Copy data in bulk using PowerShell description: This PowerShell script shows how to use Azure Data Factory to copy data from a source data store to a destination data store in bulk. --++
data-factory Copy Azure Blob Powershell https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/scripts/copy-azure-blob-powershell.md
Title: Copy data in the cloud using PowerShell description: This PowerShell script copies data from one location in an Azure Blob Storage to another location in the same Blob Storage.--++
data-factory Hybrid Copy Powershell https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/scripts/hybrid-copy-powershell.md
Title: Copy data from on-premises to Azure using PowerShell
description: This PowerShell script copies data from a SQL Server database to another an Azure Blob Storage. --++ Last updated 10/31/2017
data-factory Incremental Copy Powershell https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/scripts/incremental-copy-powershell.md
Title: Incrementally load data using PowerShell description: This PowerShell script shows how to use Azure Data Factory to copy data incrementally from an Azure SQL Database to an Azure Blob Storage.--++
data-factory Self Hosted Integration Runtime Automation Scripts https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/self-hosted-integration-runtime-automation-scripts.md
Title: Automating self-hosted integration runtime installation using local Power
description: To automate installation of Self-hosted Integration Runtime on local machines. --++ Last updated 05/09/2020
data-factory Solution Template Bulk Copy From Files To Database https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/solution-template-bulk-copy-from-files-to-database.md
Title: Bulk copy from files to database description: Learn how to use a solution template to copy data in bulk from Azure Data Lake Storage Gen2 to Azure Synapse Analytics / Azure SQL Database.--++ Last updated 12/09/2020
data-factory Store Credentials In Key Vault https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/store-credentials-in-key-vault.md
Title: Store credentials in Azure Key Vault description: Learn how to store credentials for data stores used in an Azure key vault that Azure Data Factory can automatically retrieve at runtime. -+ Last updated 04/13/2020-+ # Store credential in Azure Key Vault
data-factory Supported File Formats And Compression Codecs Legacy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/supported-file-formats-and-compression-codecs-legacy.md
Title: Supported file formats in Azure Data Factory (legacy) description: 'This topic describes the file formats and compression codes that are supported by file-based connectors in Azure Data Factory.'--++ Last updated 12/10/2019
data-factory Supported File Formats And Compression Codecs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/supported-file-formats-and-compression-codecs.md
Title: Supported file formats by copy activity in Azure Data Factory description: 'This topic describes the file formats and compression codes that are supported by copy activity in Azure Data Factory.'-+ Last updated 07/16/2020-+ # Supported file formats and compression codecs by copy activity in Azure Data Factory
data-factory Turorial Push Lineage To Purview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/turorial-push-lineage-to-purview.md
Title: Push Data Factory lineage data to Azure Purview description: Learn about how to push Data Factory lineage data to Azure Purview--++
data-factory Tutorial Bulk Copy Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/tutorial-bulk-copy-portal.md
Title: Copy data in bulk using Azure portal description: Use Azure Data Factory and Copy Activity to copy data from a source data store to a destination data store in bulk.--++
data-factory Tutorial Bulk Copy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/tutorial-bulk-copy.md
Title: Copy data in bulk with PowerShell description: Use Azure Data Factory with Copy Activity to copy data from a source data store to a destination data store in bulk.--++
data-factory Tutorial Copy Data Dot Net https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/tutorial-copy-data-dot-net.md
Title: Copy data from Azure Blob Storage to Azure SQL Database description: 'This tutorial provides step-by-step instructions for copying data from Azure Blob Storage to Azure SQL Database.'-+ Last updated 02/18/2021-+ # Copy data from Azure Blob to Azure SQL Database using Azure Data Factory
data-factory Tutorial Copy Data Portal Private https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/tutorial-copy-data-portal-private.md
Title: Use private endpoints to create an Azure Data Factory pipeline description: This tutorial provides step-by-step instructions for using the Azure portal to create a data factory with a pipeline. The pipeline uses the copy activity to copy data from Azure Blob storage to an Azure SQL database.-+ Last updated 04/14/2021-+ # Copy data securely from Azure Blob storage to a SQL database by using private endpoints
data-factory Tutorial Copy Data Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/tutorial-copy-data-portal.md
Title: Use the Azure portal to create a data factory pipeline description: This tutorial provides step-by-step instructions for using the Azure portal to create a data factory with a pipeline. The pipeline uses the copy activity to copy data from Azure Blob storage to Azure SQL Database.-+ Last updated 02/18/2021-+ # Copy data from Azure Blob storage to a database in Azure SQL Database by using Azure Data Factory
data-factory Tutorial Copy Data Tool https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/tutorial-copy-data-tool.md
Title: Copy data from Azure Blob storage to SQL using Copy Data tool description: Create an Azure Data Factory and then use the Copy Data tool to copy data from Azure Blob storage to a SQL Database.--++
dns Dns Sdk https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/dns/dns-sdk.md
documentationcenter: na - ms.assetid: eed99b87-f4d4-4fbf-a926-263f7e30b884 ms.devlang: na na Previously updated : 09/19/2016 Last updated : 05/05/2021
You can automate operations to create, delete, or update DNS zones, record sets,
## Create a service principal account
-Typically, programmatic access to Azure resources is granted via a dedicated account rather than your own user credentials. These dedicated accounts are called 'service principal' accounts. To use the Azure DNS SDK sample project, you first need to create a service principal account and assign it the correct permissions.
+Typically, programmatic access to Azure resources is granted with a dedicated account rather than your own user credentials. These dedicated accounts are called 'service principal' accounts. To use the Azure DNS SDK sample project, you first need to create a service principal account and assign it with the correct permissions.
+
+1. [Create a service principal account](../active-directory/develop/howto-authenticate-service-principal-powershell.md). The Azure DNS SDK sample project assumes password-based authentication.)
+
+1. Then create a [resource group](../azure-resource-manager/templates/deploy-portal.md).
-1. Follow [these instructions](../active-directory/develop/howto-authenticate-service-principal-powershell.md) to create a service principal account (the Azure DNS SDK sample project assumes password-based authentication.)
-2. Create a resource group ([here's how](../azure-resource-manager/templates/deploy-portal.md)).
-3. Use Azure RBAC to grant the service principal account 'DNS Zone Contributor' permissions to the resource group ([here's how](../role-based-access-control/role-assignments-portal.md).)
-4. If using the Azure DNS SDK sample project, edit the 'program.cs' file as follows:
+1. Use [Azure RBAC](../role-based-access-control/role-assignments-portal.md) to grant the service principal account 'DNS Zone Contributor' permissions to the resource group.
- * Insert the correct values for the `tenantId`, `clientId` (also known as account ID), `secret` (service principal account password) and `subscriptionId` as used in step 1.
- * Enter the resource group name chosen in step 2.
+1. If you're using the Azure DNS SDK sample project, edit the 'program.cs' file as followed:
+
+ * Insert the correct values for the `tenantId`, `clientId` (also known as account ID), `secret` (service principal account password), and `subscriptionId` as used in step 1.
+ * Enter the resource group name created in step 2.
* Enter a DNS zone name of your choice. ## NuGet packages and namespace declarations
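Review bot: the rewritten step 4 still has readers paste the service principal `secret` (the account password) directly into 'program.cs', so the credential sits in source and is easy to commit by accident; suggest adding a sentence telling readers to keep that value out of source control or to load it from configuration outside the project. Three wording slips in the added lines also need fixing: new step 1 ends with an unmatched `)` after "password-based authentication." now that the opening parenthesis is gone, "assign it with the correct permissions" should be "assign it the correct permissions", and "edit the 'program.cs' file as followed:" should read "as follows:".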
Typically, programmatic access to Azure resources is granted via a dedicated acc
To use the Azure DNS .NET SDK, you need to install the **Azure DNS Management Library** NuGet package and other required Azure packages. 1. In **Visual Studio**, open a project or new project.
-2. Go to **Tools** **>** **NuGet Package Manager** **>** **Manage NuGet Packages for Solution...**.
-3. Click **Browse**, enable the **Include prerelease** checkbox, and type **Microsoft.Azure.Management.Dns** into the search box.
-4. Select the package and click **Install** to add it to your Visual Studio project.
-5. Repeat the process above to also install the following packages: **Microsoft.Rest.ClientRuntime.Azure.Authentication** and **Microsoft.Azure.Management.ResourceManager**.
+
+1. Go to **Tools** **>** **NuGet Package Manager** **>** **Manage NuGet Packages for Solution...**.
+
+1. Select **Browse**, enable the **Include prerelease** checkbox, and type **Microsoft.Azure.Management.Dns** into the search box.
+
+1. Select the package and then select **Install** to add it to your Visual Studio project.
+
+1. Repeat the process above to also install the following packages: **Microsoft.Rest.ClientRuntime.Azure.Authentication** and **Microsoft.Azure.Management.ResourceManager**.
## Add namespace declarations
dnsClient.SubscriptionId = subscriptionId;
## Create or update a DNS zone
-To create a DNS zone, first a "Zone" object is created to contain the DNS zone parameters. Because DNS zones are not linked to a specific region, the location is set to 'global'. In this example, an [Azure Resource Manager 'tag'](https://azure.microsoft.com/updates/organize-your-azure-resources-with-tags/) is also added to the zone.
+To create a DNS zone, you first need to create a "Zone" object containing the DNS zone parameters. Since DNS zones aren't linked to a specific region, the location is set to 'global'. In this example, an [Azure Resource Manager 'tag'](https://azure.microsoft.com/updates/organize-your-azure-resources-with-tags/) is also added to the zone.
-To actually create or update the zone in Azure DNS, the zone object containing the zone parameters is passed to the `DnsManagementClient.Zones.CreateOrUpdateAsyc` method.
+To create or update the zone in Azure DNS, the zone object containing the zone parameters is passed to the `DnsManagementClient.Zones.CreateOrUpdateAsyc` method.
> [!NOTE] > DnsManagementClient supports three modes of operation: synchronous ('CreateOrUpdate'), asynchronous ('CreateOrUpdateAsync'), or asynchronous with access to the HTTP response ('CreateOrUpdateWithHttpMessagesAsync'). You can choose any of these modes, depending on your application needs.
-Azure DNS supports optimistic concurrency, called [Etags](./dns-getstarted-powershell.md). In this example, specifying "*" for the 'If-None-Match' header tells Azure DNS to create a DNS zone if one does not already exist. The call fails if a zone with the given name already exists in the given resource group.
+Azure DNS supports optimistic concurrency, called [Etags](./dns-getstarted-powershell.md). In this example, specifying "*" for the 'If-None-Match' header tells Azure DNS to create a DNS zone if one doesn't already exist. The call fails if a zone with the given name already exists in the given resource group.
```cs // Create zone parameters
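Review bot: the added sentence keeps the misspelled method name `DnsManagementClient.Zones.CreateOrUpdateAsyc` from the removed line. The NOTE directly below it spells the same method 'CreateOrUpdateAsync', so the inline reference should be corrected to match, since readers will copy it into code.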
DNS records are managed as a record set. A record set is a set of records with t
To create or update a record set, a "RecordSet" parameters object is created and passed to `DnsManagementClient.RecordSets.CreateOrUpdateAsync`. As with DNS zones, there are three modes of operation: synchronous ('CreateOrUpdate'), asynchronous ('CreateOrUpdateAsync'), or asynchronous with access to the HTTP response ('CreateOrUpdateWithHttpMessagesAsync').
-As with DNS zones, operations on record sets include support for optimistic concurrency. In this example, since neither 'If-Match' nor 'If-None-Match' are specified, the record set is always created. This call overwrites any existing record set with the same name and record type in this DNS zone.
+As with DNS zones, operations on record sets include support for optimistic concurrency. In this example, since 'If-Match' or 'If-None-Match' isn't specified, the record set is always created. This call overwrites any existing record set with the same name and record type in this DNS zone.
```cs // Create record set parameters
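Review bot: "since 'If-Match' or 'If-None-Match' isn't specified" reads as though only one of the two headers is missing, whereas the removed "neither ... nor" wording made clear that both are absent; suggest "since neither 'If-Match' nor 'If-None-Match' is specified". The distinction matters because the next sentence says this call overwrites any existing record set with the same name and record type.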
var recordSet = dnsClient.RecordSets.Get(resourceGroupName, zoneName, recordSetN
## Update an existing record set
-To update an existing DNS record set, first retrieve the record set, then update the record set contents, then submit the change. In this example, we specify the 'Etag' from the retrieved record set in the 'If-Match' parameter. The call fails if a concurrent operation has modified the record set in the meantime.
+To update an existing DNS record set, first retrieve the record set. Then update the record set contents before submitting the changes. In this example, we specify the 'Etag' from the retrieved record set in the 'If-Match' parameter. The call fails if a concurrent operation has modified the record set in the meantime.
```cs var recordSet = dnsClient.RecordSets.Get(resourceGroupName, zoneName, recordSetName, RecordType.A);
recordSet = await dnsClient.RecordSets.CreateOrUpdateAsync(resourceGroupName, zo
## List zones and record sets
-To list zones, use the *DnsManagementClient.Zones.List...* methods, which support listing either all zones in a given resource group or all zones in a given Azure subscription (across resource groups.) To list record sets, use *DnsManagementClient.RecordSets.List...* methods, which support either listing all record sets in a given zone or only those record sets of a specific type.
+* To list zones, use the *DnsManagementClient.Zones.List...* methods, which support listing either all zones in a given resource group or all zones in a given Azure subscription (across resource groups.)
+
+* To list record sets, use *DnsManagementClient.RecordSets.List...* methods, which support either listing all record sets in a given zone or only those record sets of a specific type.
Note when listing zones and record sets that results may be paginated. The following example shows how to iterate through the pages of results. (An artificially small page size of '2' is used to force paging; in practice this parameter should be omitted and the default page size used.)
while (page.NextPageLink != null)
## Next steps
-Download the [Azure DNS .NET SDK sample project](https://www.microsoft.com/en-us/download/details.aspx?id=47268&WT.mc_id=DX_MVP4025064&e6b34bbe-475b-1abd-2c51-b5034bcdd6d2=True), which includes further examples on how to use the Azure DNS .NET SDK, including examples for other DNS record types.
+Download the [Azure DNS .NET SDK sample project](https://www.microsoft.com/en-us/download/details.aspx?id=47268&WT.mc_id=DX_MVP4025064&e6b34bbe-475b-1abd-2c51-b5034bcdd6d2=True). Includes examples on how to use the Azure DNS .NET SDK and examples for other DNS record types.
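Review bot: splitting the sentence leaves "Includes examples on how to use the Azure DNS .NET SDK and examples for other DNS record types." without a subject; suggest "The sample project includes examples of how to use the Azure DNS .NET SDK, including examples for other DNS record types." While this line is being touched, it is worth checking whether the `WT.mc_id` and GUID query parameters on the download link are needed, and dropping them if not.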
expressroute Expressroute Locations Providers https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/expressroute/expressroute-locations-providers.md
The following table shows connectivity locations and the service providers for e
| **Amsterdam2** | [Interxion AMS8](https://www.interxion.com/Locations/amsterdam/schiphol/) | 1 | West Europe | 10G, 100G | BICS, British Telecom, CenturyLink Cloud Connect, Colt, DE-CIX, Equinix, euNetworks, GÉANT, Interxion, NOS, NTT Global DataCenters EMEA, Orange, Vodafone | | **Atlanta** | [Equinix AT2](https://www.equinix.com/locations/americas-colocation/united-states-colocation/atlanta-data-centers/at2/) | 1 | n/a | 10G, 100G | Equinix, Megaport | | **Auckland** | [Vocus Group NZ Albany](https://www.vocus.co.nz/business/cloud-data-centres) | 2 | n/a | 10G | Devoli, Kordia, Megaport, REANNZ, Spark NZ, Vocus Group NZ |
-| **Bangkok** | [AIS](https://business.ais.co.th/solution/en/azure-expressroute.html) | 2 | n/a | 10G | AIS, UIH |
+| **Bangkok** | [AIS](https://business.ais.co.th/solution/en/azure-expressroute.html) | 2 | n/a | 10G | AIS, National Telecom UIH |
| **Berlin** | [NTT GDC](https://www.e-shelter.de/en/location/berlin-1-data-center) | 1 | Germany North | 10G | Colt, Equinix, NTT Global DataCenters EMEA| | **Bogota** | [Equinix BG1](https://www.equinix.com/locations/americas-colocation/colombia-colocation/bogota-data-centers/bg1/) | 4 | n/a | 10G | Equinix | | **Busan** | [LG CNS](https://www.lgcns.com/En/Service/DataCenter) | 2 | Korea South | n/a | LG CNS |
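Review bot: the Bangkok row's provider list now reads "AIS, National Telecom UIH", which looks like a single provider named "National Telecom UIH". The removed row listed UIH as its own entry, so a comma is missing: "AIS, National Telecom, UIH".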
expressroute Expressroute Locations https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/expressroute/expressroute-locations.md
The following table shows locations by service provider. If you want to view ava
| **[Liquid Telecom](https://www.liquidtelecom.com/products-and-services/cloud.html)** |Supported |Supported |Cape Town, Johannesburg | | **[Megaport](https://www.megaport.com/services/microsoft-expressroute/)** |Supported |Supported |Amsterdam, Atlanta, Auckland, Chennai, Chicago, Dallas, Denver, Dubai2, Dublin, Frankfurt, Geneva, Hong Kong, Hong Kong2, Las Vegas, London, London2, Los Angeles, Melbourne, Miami, Minneapolis, Montreal, New York, Osaka, Oslo, Paris, Perth, Quebec City, San Antonio, Seattle, Silicon Valley, Singapore, Singapore2, Stavanger, Stockholm, Sydney, Sydney2, Tokyo, Tokyo2 Toronto, Vancouver, Washington DC, Washington DC2, Zurich | | **[MTN](https://www.mtnbusiness.co.za/en/Cloud-Solutions/Pages/microsoft-express-route.aspx)** |Supported |Supported |London |
+| **[National Telecom](https://www.nc.ntplc.co.th/cat/category/264/855/CAT+Direct+Cloud+Connect+for+Microsoft+ExpressRoute?lang=en_EN)** |Supported |Supported |Bangkok |
| **[Neutrona Networks](https://www.neutrona.com/index.php/azure-expressroute/)** |Supported |Supported |Dallas, Los Angeles, Miami, Sao Paulo, Washington DC | | **[Next Generation Data](https://vantage-dc-cardiff.co.uk/)** |Supported |Supported |Newport(Wales) | | **[NEXTDC](https://www.nextdc.com/services/axon-ethernet/microsoft-expressroute)** |Supported |Supported |Melbourne, Perth, Sydney, Sydney2 |
expressroute How To Expressroute Direct Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/expressroute/how-to-expressroute-direct-portal.md
Previously updated : 12/14/2020 Last updated : 05/05/2021
Once enrolled, verify that the **Microsoft.Network** resource provider is regist
## <a name="authorization"></a>Generate the Letter of Authorization (LOA)
-Generating the letter of authorization is unavailable from the portal at this time. Use **[Azure PowerShell](expressroute-howto-erdirect.md#authorization)** to obtain the letter of authorization.
+1. Go to the overview page of the ExpressRoute Direct resource and select **Generate Letter of Authorization**.
+
+ :::image type="content" source="./media/how-to-expressroute-direct-portal/overview.png" alt-text="Screenshot of generate letter of authorization button on overview page.":::
+
+1. Enter your company name and select **Download** to generate the letter.
+
+ :::image type="content" source="./media/how-to-expressroute-direct-portal/letter-of-authorization-page.png" alt-text="Screenshot of letter of authorization page.":::
## <a name="state"></a>Change Admin State of links
firewall Firewall Diagnostics https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/firewall/firewall-diagnostics.md
Previously updated : 11/04/2020 Last updated : 05/06/2021 #Customer intent: As an administrator, I want monitor Azure Firewall logs and metrics so that I can track firewall activity.
You can access some of these logs through the portal. Logs can be sent to [Azure
## Prerequisites
-Before starting you should read [Azure Firewall logs and metrics](logs-and-metrics.md) for an overview of the diagnostics logs and metrics available for Azure Firewall.
+Before starting, you should read [Azure Firewall logs and metrics](logs-and-metrics.md) for an overview of the diagnostics logs and metrics available for Azure Firewall.
## Enable diagnostic logging through the Azure portal
To enable diagnostic logging with PowerShell, use the following steps:
You can use any workspace in your subscription. You can use the Azure portal to find this information. The information is located in the resource **Properties** page.
-2. Note your Firewall's resource ID for which logging is enabled. This value is of the form: `/subscriptions/<subscriptionId>/resourceGroups/<resource group name>/providers/Microsoft.Network/azureFirewalls/<Firewall name>`.
+2. Note the resource ID for the firewall. This value is of the form: `/subscriptions/<subscriptionId>/resourceGroups/<resource group name>/providers/Microsoft.Network/azureFirewalls/<Firewall name>`.
You can use the portal to find this information. 3. Enable diagnostic logging for all logs and metrics by using the following PowerShell cmdlet:
- ```powershell
- $diagSettings = @{
+ ```azurepowershell
+ $diagSettings = @{
Name = 'toLogAnalytics' ResourceId = '/subscriptions/<subscriptionId>/resourceGroups/<resource group name>/providers/Microsoft.Network/azureFirewalls/<Firewall name>' WorkspaceId = '/subscriptions/<subscriptionId>/resourceGroups/<resource group name>/providers/microsoft.operationalinsights/workspaces/<workspace name>' Enabled = $true
- }
+ }
Set-AzDiagnosticSetting @diagSettings ```
To enable diagnostic logging with Azure CLI, use the following steps:
You can use any workspace in your subscription. You can use the Azure portal to find this information. The information is located in the resource **Properties** page.
-2. Note your Firewall's resource ID for which logging is enabled. This value is of the form: `/subscriptions/<subscriptionId>/resourceGroups/<resource group name>/providers/Microsoft.Network/azureFirewalls/<Firewall name>`.
+2. Note the resource ID for the firewall. This value is of the form: `/subscriptions/<subscriptionId>/resourceGroups/<resource group name>/providers/Microsoft.Network/azureFirewalls/<Firewall name>`.
You can use the portal to find this information. 3. Enable diagnostic logging for all logs and metrics by using the following Azure CLI command:
- ```azurecli-interactive
- az monitor diagnostic-settings create -n 'toLogAnalytics'
+ ```azurecli
+ az monitor diagnostic-settings create -n 'toLogAnalytics'
--resource '/subscriptions/<subscriptionId>/resourceGroups/<resource group name>/providers/Microsoft.Network/azureFirewalls/<Firewall name>' --workspace '/subscriptions/<subscriptionId>/resourceGroups/<resource group name>/providers/microsoft.operationalinsights/workspaces/<workspace name>' --logs '[{\"category\":\"AzureFirewallApplicationRule\",\"Enabled\":true}, {\"category\":\"AzureFirewallNetworkRule\",\"Enabled\":true}, {\"category\":\"AzureFirewallDnsProxy\",\"Enabled\":true}]'
You can also connect to your storage account and retrieve the JSON log entries f
> If you are familiar with Visual Studio and basic concepts of changing values for constants and variables in C#, you can use the [log converter tools](https://github.com/Azure-Samples/networking-dotnet-log-converter) available from GitHub. ## View metrics
-Browse to an Azure Firewall, under **Monitoring** select **Metrics**. To view the available values, select the **METRIC** drop-down list.
+Browse to an Azure Firewall. Under **Monitoring**, select **Metrics**. To view the available values, select the **METRIC** drop-down list.
## Next steps Now that you've configured your firewall to collect logs, you can explore Azure Monitor logs to view your data.
-[Monitor logs using Azure Firewall Workbook](firewall-workbook.md)
+- [Monitor logs using Azure Firewall Workbook](firewall-workbook.md)
-[Networking monitoring solutions in Azure Monitor logs](../azure-monitor/insights/azure-networking-analytics.md)
+- [Networking monitoring solutions in Azure Monitor logs](../azure-monitor/insights/azure-networking-analytics.md)
frontdoor Resource Manager Template Samples https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/frontdoor/standard-premium/resource-manager-template-samples.md
The following table includes links to Azure Resource Manager templates for Azure
|**App Service origins**| **Description** | | [App Service](https://github.com/Azure/azure-quickstart-templates/tree/master/201-front-door-standard-premium-app-service-public) | Creates an App Service app with a public endpoint, and a Front Door profile. | | [App Service with Private Link](https://github.com/Azure/azure-quickstart-templates/tree/master/201-front-door-premium-app-service-private-link) | Creates an App Service app with a private endpoint, and a Front Door profile. |
-| [App Service environment with Private Link](https://github.com/Azure/azure-quickstart-templates/tree/master/201-front-door-premium-app-service-environment-internal-private-link) | Creates an App Service environment, an app with a private endpoint, and a Front Door profile. |
|**Azure Functions origins**| **Description** | | [Azure Functions](https://github.com/Azure/azure-quickstart-templates/tree/master/201-front-door-standard-premium-function-public/) | Creates an Azure Functions app with a public endpoint, and a Front Door profile. | | [Azure Functions with Private Link](https://github.com/Azure/azure-quickstart-templates/tree/master/201-front-door-premium-function-private-link) | Creates an Azure Functions app with a private endpoint, and a Front Door profile. |
governance Guest Configuration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/governance/policy/concepts/guest-configuration.md
The Audit policy definitions available for Guest Configuration include the
[Azure Arc for servers](../../../azure-arc/servers/overview.md) that are in the scope of the policy assignment are automatically included.
+## Availability
+
+Customers designing a highly available solution should consider the redundancy planning requirements for
+[virtual machines](../../../virtual-machines/availability.md) because guest assignments are extensions of
+machine resources in Azure. If a physical region becomes unavailable in Azure, it's not possible
+to view historical reports for a guest assignment until the region is restored.
+
+When considering an architecture for highly available applications,
+especially where virtual machines are provisioned in
+[Availability Sets](../../../virtual-machines/availability.md#availability-sets)
+behind a load balancer solution to provide high availability,
+it's best practice to assign the same policy definitions with the same parameters to all machines
+in the solution. If possible, a single policy assignment spanning all
+machines would offer the least administrative overhead.
+
+For machines protected by
+[Azure Site Recovery](../../../site-recovery/site-recovery-overview.md),
+ensure that machines in a secondary site are within scope of Azure Policy assignments
+for the same definitions using the same parameter values as machines in the primary site.
+ ## Troubleshooting guest configuration For more information about troubleshooting Guest Configuration, see
hdinsight Hdinsight Autoscale Clusters https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/hdinsight/hdinsight-autoscale-clusters.md
The following table describes the cluster types and versions that are compatible
| Version | Spark | Hive | Interactive Query | HBase | Kafka | Storm | ML | |||||||||
-| HDInsight 3.6 without ESP | Yes | Yes | Yes | Yes* | No | No | No |
-| HDInsight 4.0 without ESP | Yes | Yes | Yes | Yes* | No | No | No |
-| HDInsight 3.6 with ESP | Yes | Yes | Yes | Yes* | No | No | No |
-| HDInsight 4.0 with ESP | Yes | Yes | Yes | Yes* | No | No | No |
+| HDInsight 3.6 without ESP | Yes | Yes | Yes* | Yes* | No | No | No |
+| HDInsight 4.0 without ESP | Yes | Yes | Yes* | Yes* | No | No | No |
+| HDInsight 3.6 with ESP | Yes | Yes | Yes* | Yes* | No | No | No |
+| HDInsight 4.0 with ESP | Yes | Yes | Yes* | Yes* | No | No | No |
-\* HBase clusters can only be configured for schedule-based scaling, not load-based.
+\* HBase and Interactive Query clusters can only be configured for schedule-based scaling, not load-based.
## Get started
However, you may experience a Hive Server 2 restart failure if there are only a
## Limitations
-### Node label file missing
-
-HDInsight Autoscale uses a node label file to determine whether a node is ready to execute tasks. The node label file is stored on HDFS with three replicas. If the cluster size is dramatically scaled down and there is a large amount of temporary data, there is a small chance that all three replicas could be dropped. If this happens, the cluster enters an error state.
### Interactive Query Daemons count
healthcare-apis Convert Data https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/healthcare-apis/fhir/convert-data.md
You can use the [FHIR Converter extension](https://marketplace.visualstudio.com/
## Host and use templates
-It is strongly recommended that you host your own copy of templates on ACR. There are four steps involved in hosting your own copy of templates and using those in the $convert-data operation:
+It is strongly recommended that you host your own copy of templates on ACR. There're four steps involved in hosting your own copy of templates and using those in the $convert-data operation:
1. Push the templates to your Azure Container Registry. 1. Enable Managed Identity on your Azure API for FHIR instance. 1. Provide access of the ACR to the Azure API for FHIR Managed Identity. 1. Register the ACR servers in the Azure API for FHIR.
+1. Optionally configure ACR firewall for secure access.
### Push templates to Azure Container Registry
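Review bot: the intro still says four steps, but the list now has five items after the added "Optionally configure ACR firewall for secure access."; suggest "four steps, plus an optional fifth" or dropping the count. The contraction "There're" introduced on the same line is awkward; "There are", as in the removed line, reads better.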
Grant AcrPull role to your Azure API for FHIR service instance.
You can register the ACR server using the Azure portal, or using CLI. #### Registering the ACR server using Azure portal
-Navigate to the _Artifacts_ blade under _Data transformation_ in your Azure API for FHIR instance. You will see the list of currently registered ACR servers. Click on _Add_ and select your registry server from the dropdown. You will need to click on _Save_ for the registration to take effect. It may take a few minutes to apply the change and restart your instance.
+Navigate to the _Artifacts_ blade under _Data transformation_ in your Azure API for FHIR instance. You will see the list of currently registered ACR servers. Select _Add_ and then select your registry server from the drop-down . You will need to select _Save_ for the registration to take effect. It may take a few minutes to apply the change and restart your instance.
#### Registering the ACR server using CLI
-You can register up to twenty ACR servers in the Azure API for FHIR.
+You can register up to 20 ACR servers in the Azure API for FHIR.
Install the healthcareapis CLI from Azure PowerShell if needed:
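Review bot: the rewritten portal sentence has a stray space before the period in "select your registry server from the drop-down ."; remove it.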
az healthcareapis acr add --login-servers "fhiracr2021.azurecr.io" --resource-gr
```powershell az healthcareapis acr add --login-servers "fhiracr2021.azurecr.io fhiracr2020.azurecr.io" --resource-group fhir-test --resource-name fhirtest2021 ```
+### Configure ACR firewall
+
+Select **Networking** of the Azure storage account from the portal.
+
+ :::image type="content" source="media/convert-data/networking-container-registry.png" alt-text="Container registry.":::
++
+Select **Selected networks**.
+
+Under the **Firewall** section, specify the IP address in the **Address range** box. Add IP ranges to allow access from the internet or your on-premises networks.
+
+In the table below, you'll find the IP address for the Azure region where the Azure API for FHIR service is provisioned.
+
+|**Azure Region** |**Public IP Address** |
+|:-|:-|
+| Australia East | 20.53.44.80 |
+| Canada Central | 20.48.192.84 |
+| Central US | 52.182.208.31 |
+| East US | 20.62.128.148 |
+| East US 2 | 20.49.102.228 |
+| East US 2 EUAP | 20.39.26.254 |
+| Germany North | 51.116.51.33 |