Updates from: 06/01/2022 01:13:00
Service Microsoft Docs article Related commit history on GitHub Change details
active-directory-b2c Whats New Docs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/whats-new-docs.md
Welcome to what's new in Azure Active Directory B2C documentation. This article lists new docs that have been added and those that have had significant updates in the last three months. To learn what's new with the B2C service, see [What's new in Azure Active Directory](../active-directory/fundamentals/whats-new.md). +
+## May 2022
+
+### Updated articles
+
+- [Set redirect URLs to b2clogin.com for Azure Active Directory B2C](b2clogin.md)
+- [Enable custom domains for Azure Active Directory B2C](custom-domain.md)
+- [Configure xID with Azure Active Directory B2C for passwordless authentication](partner-xid.md)
+- [UserJourneys](userjourneys.md)
+- [Secure your API used an API connector in Azure AD B2C](secure-rest-api.md)
+ ## April 2022 ### New articles
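Review bot: the link text "Secure your API used an API connector in Azure AD B2C" appears to be missing a word (most likely "used by an API connector"); check it against the actual title of secure-rest-api.md before merging, since the what's-new list is meant to mirror article titles. Also, as rendered here the "## April 2022" and "### New articles" headings share one line; each heading needs its own line with a blank line before it, as the "## May 2022" / "### Updated articles" block above does, or the renderer will produce one garbled heading.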
active-directory Tutorial Enable Cloud Sync Sspr Writeback https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/tutorial-enable-cloud-sync-sspr-writeback.md
Previously updated : 10/25/2021 Last updated : 05/31/2022
With password writeback enabled in Azure AD Connect cloud sync, now verify, and
To verify and enable password writeback in SSPR, complete the following steps:
-1. Sign into the Azure portal using a global administrator account.
+1. Sign into the Azure portal using a [Hybrid Identity Administrator](../roles/permissions-reference.md#hybrid-identity-administrator) account.
1. Navigate to Azure Active Directory, select **Password reset**, then choose **On-premises integration**. 1. Verify the Azure AD Connect cloud sync agent set up is complete. 1. Set **Write back passwords to your on-premises directory?** to **Yes**.
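Review bot: style: "Sign into the Azure portal" should be "Sign in to the Azure portal" (the verb phrase is "sign in"), which is the wording the sibling tutorial-enable-sspr-writeback.md change in this same update uses; since this line is being rewritten anyway, fix it here. The link to ../roles/permissions-reference.md#hybrid-identity-administrator is a good replacement for the unlinked "global administrator" text, because it lets the reader verify the least-privileged role that the step actually requires.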
To verify and enable password writeback in SSPR, complete the following steps:
If you no longer want to use the SSPR password writeback functionality you have configured as part of this document, complete the following steps:
-1. Sign into the Azure portal using a global administrator account.
+1. Sign into the Azure portal using a [Hybrid Identity Administrator](../roles/permissions-reference.md#hybrid-identity-administrator) account.
1. Search for and select Azure Active Directory, select **Password reset**, then choose **On-premises integration**. 1. Set **Write back passwords to your on-premises directory?** to **No**. 1. Set **Allow users to unlock accounts without resetting their password?** to **No**.
-From your Azure AD Connect cloud sync server, run `Set-AADCloudSyncPasswordWritebackConfiguration` using global administrator credentials to disable password writeback with Azure AD Connect cloud sync.
+From your Azure AD Connect cloud sync server, run `Set-AADCloudSyncPasswordWritebackConfiguration` using Hybrid Identity Administrator credentials to disable password writeback with Azure AD Connect cloud sync.
```powershell Import-Module ΓÇÿC:\\Program Files\\Microsoft Azure AD Connect Provisioning Agent\\Microsoft.CloudSync.Powershell.dllΓÇÖ
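Review bot: the role change on the `Set-AADCloudSyncPasswordWritebackConfiguration` line (global administrator credentials becoming Hybrid Identity Administrator credentials) is only consistent if the article's prerequisites section, which is not in this hunk, was changed the same way; otherwise the article names two different required roles for the same task, so check the full file. Separately, the `Import-Module` path is wrapped in typographic quotes (they show up here as ΓÇÿ and ΓÇÖ). PowerShell does accept curly quotes as string delimiters, but straight single quotes survive copy-and-paste and encoding conversions reliably, so prefer `'C:\Program Files\Microsoft Azure AD Connect Provisioning Agent\Microsoft.CloudSync.Powershell.dll'`. Also, as rendered here the ```powershell fence opener and the command sit on one line; confirm the fence has its own line in the source.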
active-directory Tutorial Enable Sspr Writeback https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/tutorial-enable-sspr-writeback.md
Previously updated : 11/11/2021 Last updated : 05/31/2022
To complete this tutorial, you need the following resources and privileges:
* A working Azure AD tenant with at least an Azure AD Premium P1 or trial license enabled. * If needed, [create one for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F). * For more information, see [Licensing requirements for Azure AD SSPR](concept-sspr-licensing.md).
-* An account with *global administrator* privileges.
+* An account with [Hybrid Identity Administrator](../roles/permissions-reference.md#hybrid-identity-administrator).
* Azure AD configured for self-service password reset. * If needed, [complete the previous tutorial to enable Azure AD SSPR](tutorial-enable-sspr.md). * An existing on-premises AD DS environment configured with a current version of Azure AD Connect.
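Review bot: the new bullet "An account with [Hybrid Identity Administrator](...)." drops the noun the old bullet had ("privileges"), so it no longer says what the account has. Suggest "An account with the [Hybrid Identity Administrator](../roles/permissions-reference.md#hybrid-identity-administrator) role." The removed line "An account with *global administrator* privileges." read correctly only because "privileges" was present.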
With password writeback enabled in Azure AD Connect, now configure Azure AD SSPR
To enable password writeback in SSPR, complete the following steps:
-1. Sign in to the [Azure portal](https://portal.azure.com) using a global administrator account.
+1. Sign in to the [Azure portal](https://portal.azure.com) using a Hybrid Identity Administrator account.
1. Search for and select **Azure Active Directory**, select **Password reset**, then choose **On-premises integration**. 1. Set the option for **Write back passwords to your on-premises directory?** to *Yes*. 1. Set the option for **Allow users to unlock accounts without resetting their password?** to *Yes*.
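Review bot: the step "Sign in to the [Azure portal](https://portal.azure.com) using a Hybrid Identity Administrator account" gives the role as plain text, while the prerequisites bullet in this same change links it to ../roles/permissions-reference.md#hybrid-identity-administrator; either form works, but keep one within the article so readers can find the role definition from wherever they land. The wording "Sign in to" here is the form the cloud sync tutorial in this update should also adopt.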
active-directory All Reports https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/all-reports.md
+
+ Title: View a list and description of all system reports available in Permissions Management reports
+description: View a list and description of all system reports available in Permissions Management.
+++++++ Last updated : 02/23/2022+++
+# View a list and description of system reports
+
+> [!IMPORTANT]
+> Microsoft Entra Permissions Management is currently in PREVIEW.
+> Some of the information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+Permissions Management has various types of system reports that capture specific sets of data. These reports allow management, auditors, and administrators to:
+
+- Make timely decisions.
+- Analyze trends and system/user performance.
+- Identify trends in data and high risk areas so that management can address issues more quickly and improve their efficiency.
+
+This article provides you with a list and description of the system reports available in Permissions Management. Depending on the report, you can download it in comma-separated values (**CSV**) format, portable document format (**PDF**), or Microsoft Excel Open XML Spreadsheet (**XLSX**) format.
+
+## Download a system report
+
+1. In the Permissions Management home page, select the **Reports** tab, and then select the **Systems Reports** subtab.
+1. In the **Report Name** column, find the report you want, and then select the down arrow to the right of the report name to download the report.
+
+ Or, from the ellipses **(...)** menu, select **Download**.
+
+ The following message displays: **Successfully Started To Generate On Demand Report.**
++
+## Summary of available system reports
+
+| Report name | Type of the report | File format | Description | Availability | Collated report? |
+|-|--|--|| -|-|
+| Access Key Entitlements and Usage Report | Summary </p>Detailed | CSV | This report displays: </p> - Access key age, last rotation date, and last usage date availability in the summary report. Use this report to decide when to rotate access keys. </p> - Granted task and Permissions creep index (PCI) score. This report provides supporting information when you want to take the action on the keys. | AWS</p>Azure</p>GCP | Yes |
+| All Permissions for Identity | Detailed | CSV | This report lists all the assigned permissions for the selected identities. | Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) | N/A |
+| Group Entitlements and Usage | Summary | CSV | This report tracks all group level entitlements and the permission assignment, PCI. The number of members is also listed as part of this report. | AWS, Azure, or GCP | Yes |
+| Identity Permissions | Summary | CSV | This report tracks any, or specific, task usage per **User**, **Group**, **Role**, or **App**. | AWS, Azure, or GCP | No |
+| NIST 800-53 | Detailed </p>Summary </p>Dashboard | CSV </p>PDF | **Dashboard**: This report helps track the overall progress of the NIST 800-53 benchmark. It lists the percentage passing, overall pass or fail of test control along with the breakup of L1/L2 per Auth system. </p>**Summary**: For each authorized system, this report lists the test control pass or fail per authorized system and the number of resources evaluated for each test control. </p>**Detailed**: This report helps auditors and administrators to track the resource level pass or fail per test control. | AWS, Azure, or GCP | Yes |
+| PCI DSS | Detailed </p>Summary </p>Dashboard | CSV | **Dashboard**: This report helps track the overall progress of the PCI-DSS benchmark. It lists the percentage passing, overall pass or fail of test control along with the breakup of L1/L2 per Auth system. </p>**Summary**: For each authorized system, this report lists the test control pass or fail per authorized system and the number of resources evaluated for each test control. </p>**Detailed**: This report helps auditors and administrators to track the resource level pass or fail per test control. | AWS, Azure, or GCP | Yes |
+| PCI History | Summary | CSV | This report helps track **Monthly PCI History** for each authorized system. It can be used to plot the trend of the PCI. | AWS, Azure, or GCP | Yes |
+| Permissions Analytics Report (PAR) | Summary | PDF | This report helps monitor the **Identity Privilege** related activity across the authorized systems. It captures any Identity permission change. </p>This report has the following main sections: **User Summary**, **Group Summary**, **Role Summary & Delete Task Summary**. </p>The **User Summary** lists the current granted permissions along with high-risk permissions and resources accessed in 1-day, 7-day, or 30-days durations. There are subsections for newly added or deleted users, users with PCI change, high-risk active/inactive users. </p>The **Group Summary** lists the administrator level groups with the current granted permissions along with high-risk permissions and resources accessed in 1-day, 7-day, or 30-day durations. There are subsections for newly added or deleted groups, groups with PCI change, High-risk active/inactive groups. </p>The **Role Summary** and the **Group Summary** list similar details. </p>The **Delete Task** summary section lists the number of times the **Delete Task** has been executed in the given period. | AWS, Azure, or GCP | No |
+| Permissions Analytics Report (PAR) | Detailed | CSV | This report lists the different key findings in the selected authorized systems. The key findings include **Super identities**, **Inactive identities**, **Over-provisioned active identities**, **Storage bucket hygiene**, **Access key age (AWS)**, and so on. </p>This report helps administrators to visualize the findings across the organization and make decisions. | AWS, Azure, or GCP | Yes |
+| Role/Policy Details | Summary | CSV | This report captures **Assigned/Unassigned** and **Custom/system policy with used/unused condition** for specific or all AWS accounts. </p>Similar data can be captured for Azure and GCP for assigned and unassigned roles. | AWS, Azure, or GCP | No |
+| User Entitlements and Usage | Detailed <p>Summary | CSV | This report provides a summary and details of **User entitlements and usage**. </p>**Data displayed on Usage Analytics** screen is downloaded as part of the **Summary** report. </p>**Detailed permissions usage per User** is listed in the Detailed report. | AWS, Azure, or GCP | Yes |
++
+## Next steps
+
+- For information on how to view system reports in the **Reports** dashboard, see [View system reports in the Reports dashboard](product-reports.md).
+- For information about how to create, view, and share a system report, see [Create, view, and share a custom report](report-view-system-report.md).
+- For information about how to create and view a custom report, see [Generate and view a custom report](report-create-custom-report.md).
+- For information about how to create and view the Permissions analytics report, see [Generate and download the Permissions analytics report](product-permissions-analytics-reports.md).
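Review bot: the table separator row `|-|--|--|| -|-|` has an empty fourth cell (`||`), so the Description column has no dashes; several Markdown renderers will then refuse to treat the block as a table at all. Use one dash run per column, for example `|-|-|-|-|-|-|`. Related markup points in the same table: cells use a bare `</p>` as a line separator with no opening tag, and the User Entitlements and Usage row uses `<p>Summary` instead, so the emitted HTML is unbalanced; `<br>` is the usual choice inside table cells. Smaller items: the Access Key Entitlements row lists platforms as "AWS</p>Azure</p>GCP" while every other row uses "AWS, Azure, or GCP"; the download step says the "Systems Reports" subtab while the heading and the other Permissions Management articles say "System Reports"; and the title ends with a redundant word ("...all system reports available in Permissions Management reports").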
active-directory Cloudknox Onboard Enable Tenant https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-onboard-enable-tenant.md
- Title: Enable CloudKnox Permissions Management in your organization
-description: How to enable CloudKnox Permissions Management in your organization.
------- Previously updated : 04/20/2022---
-# Enable CloudKnox in your organization
-
-> [!IMPORTANT]
-> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW.
-> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
--
-> [!NOTE]
-> The CloudKnox Permissions Management (CloudKnox) PREVIEW is currently not available for tenants hosted in the European Union (EU).
---
-This article describes how to enable CloudKnox Permissions Management (CloudKnox) in your organization. Once you've enabled CloudKnox, you can connect it to your Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) platforms.
-
-> [!NOTE]
-> To complete this task, you must have *global administrator* permissions as a user in that tenant. You can't enable CloudKnox as a user from other tenant who has signed in via B2B or via Azure Lighthouse.
-
-## Prerequisites
-
-To enable CloudKnox in your organization:
--- You must have an Azure AD tenant. If you don't already have one, [create a free account](https://azure.microsoft.com/free/).-- You must be eligible for or have an active assignment to the global administrator role as a user in that tenant.-
-> [!NOTE]
-> During public preview, CloudKnox doesn't perform a license check.
-
-## View a training video on enabling CloudKnox
--- To view a video on how to enable CloudKnox in your Azure AD tenant, select [Enable CloudKnox in your Azure AD tenant](https://www.youtube.com/watch?v=-fkfeZyevoo).-- To view a video on how to configure and onboard AWS accounts in CloudKnox, select [Configure and onboard AWS accounts](https://www.youtube.com/watch?v=R6K21wiWYmE).-- To view a video on how to configure and onboard GCP accounts in CloudKnox, select [Configure and onboard GCP accounts](https://www.youtube.com/watch?app=desktop&v=W3epcOaec28).--
-## How to enable CloudKnox on your Azure AD tenant
-
-1. In your browser:
- 1. Go to [Azure services](https://portal.azure.com) and use your credentials to sign in to [Azure Active Directory](https://ms.portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview).
- 1. If you aren't already authenticated, sign in as a global administrator user.
- 1. If needed, activate the global administrator role in your Azure AD tenant.
- 1. In the Azure AD portal, select **Features highlights**, and then select **CloudKnox Permissions Management**.
-
- 1. If you're prompted to select a sign in account, sign in as a global administrator for a specified tenant.
-
- The **Welcome to CloudKnox Permissions Management** screen appears, displaying information on how to enable CloudKnox on your tenant.
-
-1. To provide access to the CloudKnox application, create a service principal.
-
- An Azure service principal is a security identity used by user-created apps, services, and automation tools to access specific Azure resources.
-
- > [!NOTE]
- > To complete this step, you must have Azure CLI or Azure PowerShell on your system, or an Azure subscription where you can run Cloud Shell.
-
- - To create a service principal that points to the CloudKnox application via Cloud Shell:
-
- 1. Copy the script on the **Welcome** screen:
-
- `az ad sp create --id b46c3ac5-9da6-418f-a849-0a07a10b3c6c`
-
- 1. If you have an Azure subscription, return to the Azure AD portal and select **Cloud Shell** on the navigation bar.
- If you don't have an Azure subscription, open a command prompt on a Windows Server.
- 1. If you have an Azure subscription, paste the script into Cloud Shell and press **Enter**.
-
- - For information on how to create a service principal through the Azure portal, see [Create an Azure service principal with the Azure CLI](/cli/azure/create-an-azure-service-principal-azure-cli).
-
- - For information on the **az** command and how to sign in with the no subscriptions flag, see [az login](/cli/azure/reference-index?view=azure-cli-latest#az-login&preserve-view=true).
-
- - For information on how to create a service principal via Azure PowerShell, see [Create an Azure service principal with Azure PowerShell](/powershell/azure/create-azure-service-principal-azureps?view=azps-7.1.0&preserve-view=true).
-
- 1. After the script runs successfully, the service principal attributes for CloudKnox display. Confirm the attributes.
-
- The **Cloud Infrastructure Entitlement Management** application displays in the Azure AD portal under **Enterprise applications**.
-
-1. Return to the **Welcome to CloudKnox** screen and select **Enable CloudKnox Permissions Management**.
-
- You have now completed enabling CloudKnox on your tenant. CloudKnox launches with the **Data Collectors** dashboard.
-
-## Configure data collection settings
-
-Use the **Data Collectors** dashboard in CloudKnox to configure data collection settings for your authorization system.
-
-1. If the **Data Collectors** dashboard isn't displayed when CloudKnox launches:
-
- - In the CloudKnox home page, select **Settings** (the gear icon), and then select the **Data Collectors** subtab.
-
-1. Select the authorization system you want: **AWS**, **Azure**, or **GCP**.
-
-1. For information on how to onboard an AWS account, Azure subscription, or GCP project into CloudKnox, select one of the following articles and follow the instructions:
-
- - [Onboard an AWS account](cloudknox-onboard-aws.md)
- - [Onboard an Azure subscription](cloudknox-onboard-azure.md)
- - [Onboard a GCP project](cloudknox-onboard-gcp.md)
-
-## Next steps
--- For an overview of CloudKnox, see [What's CloudKnox Permissions Management?](cloudknox-overview.md)-- For a list of frequently asked questions (FAQs) about CloudKnox, see [FAQs](cloudknox-faqs.md).-- For information on how to start viewing information about your authorization system in CloudKnox, see [View key statistics and data about your authorization system](cloudknox-ui-dashboard.md).
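Review bot: this deletion removes the article that carries the service-principal step (`az ad sp create --id b46c3ac5-9da6-418f-a849-0a07a10b3c6c`) and the Data Collectors onboarding flow, and the rest of this update adds unprefixed replacements (all-reports.md, faqs.md) but no replacement for this file is visible here, so confirm the renamed article is part of the same change. The links this file used (cloudknox-onboard-aws.md, cloudknox-onboard-azure.md, cloudknox-onboard-gcp.md, cloudknox-overview.md, cloudknox-faqs.md, cloudknox-ui-dashboard.md) also need to be updated wherever other articles reference them, otherwise the rename leaves dangling links in the onboarding path.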
active-directory Cloudknox Product Reports https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-product-reports.md
- Title: View system reports in the Reports dashboard in CloudKnox Permissions Management
-description: How to view system reports in the Reports dashboard in CloudKnox Permissions Management.
------- Previously updated : 02/23/2022---
-# View system reports in the Reports dashboard
-
-> [!IMPORTANT]
-> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW.
-> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
-CloudKnox Permissions Management (CloudKnox) has various types of system report types available that capture specific sets of data. These reports allow management to:
--- Make timely decisions.-- Analyze trends and system/user performance.-- Identify trends in data and high risk areas so that management can address issues more quickly and improve their efficiency.-
-## Explore the Reports dashboard
-
-The **Reports** dashboard provides a table of information with both system reports and custom reports. The **Reports** dashboard defaults to the **System Reports** tab, which has the following details:
--- **Report Name**: The name of the report.-- **Category**: The type of report. For example, **Permission**.-- **Authorization Systems**: Displays which authorizations the custom report applies to.-- **Format**: Displays the output format the report can be generated in. For example, comma-separated values (CSV) format, portable document format (PDF), or Microsoft Excel Open XML Spreadsheet (XLSX) format.-
- - To download a report, select the down arrow to the right of the report name, or from the ellipses **(...)** menu, select **Download**.
-
- The following message displays across the top of the screen in green if the download is successful: **Successfully Started To Generate On Demand Report**.
-
-## Available system reports
-
-CloudKnox offers the following reports for management associated with the authorization systems noted in parenthesis:
--- **Access Key Entitlements And Usage**:
- - **Summary of report**: Provides information about access key, for example, permissions, usage, and rotation date.
- - **Applies to**: Amazon Web Services (AWS) and Microsoft Azure
- - **Report output type**: CSV
- - **Ability to collate report**: Yes
- - **Type of report**: **Summary** or **Detailed**
- - **Use cases**:
- - The access key age, last rotation date, and last usage date is available in the summary report to help with key rotation.
- - The granted task and Permissions creep index (PCI) score to take action on the keys.
--- **User Entitlements And Usage**:
- - **Summary of report**: Provides information about the identities' permissions, for example, entitlement, usage, and PCI.
- - **Applies to**: AWS, Azure, and Google Cloud Platform (GCP)
- - **Report output type**: CSV
- - **Ability to collate report**: Yes
- - **Type of report**: **Summary** or **Detailed**
- - **Use cases**:
- - The data displayed on the **Usage Analytics** screen is downloaded as part of the **Summary** report. The user's detailed permissions usage is listed in the **Detailed** report.
--- **Group Entitlements And Usage**:
- - **Summary of report**: Provides information about the group's permissions, for example, entitlement, usage, and PCI.
- - **Applies to**: AWS, Azure, and GCP
- - **Report output type**: CSV
- - **Ability to collate report**: Yes
- - **Type of report**: **Summary**
- - **Use cases**:
- - All group level entitlements and permission assignments, PCIs, and the number of members are listed as part of this report.
--- **Identity Permissions**:
- - **Summary of report**: Report on identities that have specific permissions, for example, identities that have permission to delete any S3 buckets.
- - **Applies to**: AWS, Azure, and GCP
- - **Report output type**: CSV
- - **Ability to collate report**: No
- - **Type of report**: **Summary**
- - **Use cases**:
- - Any task usage or specific task usage via User/Group/Role/App can be tracked with this report.
--- **Identity privilege activity report**
- - **Summary of report**: Provides information about permission changes that have occurred in the selected duration.
- - **Applies to**: AWS, Azure, and GCP
- - **Report output type**: PDF
- - **Ability to collate report**: No
- - **Type of report**: **Summary**
- - **Use cases**:
- - Any identity permission change can be captured using this report.
- - The **Identity Privilege Activity** report has the following main sections: **User Summary**, **Group Summary**, **Role Summary**, and **Delete Task Summary**.
- - The **User** summary lists the current granted permissions and high-risk permissions and resources accessed in 1 day, 7 days, or 30 days. There are subsections for newly added or deleted users, users with PCI change, and High-risk active/inactive users.
- - The **Group** summary lists the administrator level groups with the current granted permissions and high-risk permissions and resources accessed in 1 day, 7 days, or 30 days. There are subsections for newly added or deleted groups, groups with PCI change, and High-risk active/inactive groups.
- - The **Role summary** lists similar details as **Group Summary**.
- - The **Delete Task summary** section lists the number of times the **Delete task** has been executed in the given time period.
--- **Permissions Analytics Report**
- - **Summary of report**: Provides information about the violation of key security best practices.
- - **Applies to**: AWS, Azure, and GCP
- - **Report output type**: CSV
- - **Ability to collate report**: Yes
- - **Type of report**: **Detailed**
- - **Use cases**:
- - This report lists the different key findings in the selected auth systems. The key findings include super identities, inactive identities, over provisioned active identities, storage bucket hygiene, and access key age (for AWS only). The report helps administrators to visualize the findings across the organization.
-
- For more information about this report, see [Permissions analytics report](cloudknox-product-permissions-analytics-reports.md).
--- **Role/Policy Details**
- - **Summary of report**: Provides information about roles and policies.
- - **Applies to**: AWS, Azure, GCP
- - **Report output type**: CSV
- - **Ability to collate report**: No
- - **Type of report**: **Summary**
- - **Use cases**:
- - Assigned/Unassigned, custom/system policy, and the used/unused condition is captured in this report for any specific, or all, AWS accounts. Similar data can be captured for Azure/GCP for the assigned/unassigned roles.
--- **PCI History**
- - **Summary of report**: Provides a report of privilege creep index (PCI) history.
- - **Applies to**: AWS, Azure, GCP
- - **Report output type**: CSV
- - **Ability to collate report**: Yes
- - **Type of report**: **Summary**
- - **Use cases**:
- - This report plots the trend of the PCI by displaying the monthly PCI history for each authorization system.
--- **All Permissions for Identity**
- - **Summary of report**: Provides results of all permissions for identities.
- - **Applies to**: AWS, Azure, GCP
- - **Report output type**: CSV
- - **Ability to collate report**: Yes
- - **Type of report**: **Detailed**
- - **Use cases**:
- - This report lists all the assigned permissions for the selected identities.
----
-## Next steps
--- For a detailed overview of available system reports, see [View a list and description of system reports](cloudknox-all-reports.md).-- For information about how to create, view, and share a system report, see [Create, view, and share a custom report](cloudknox-report-view-system-report.md).-- For information about how to create and view a custom report, see [Generate and view a custom report](cloudknox-report-create-custom-report.md).-- For information about how to create and view the Permissions analytics report, see [Generate and download the Permissions analytics report](cloudknox-product-permissions-analytics-reports.md).
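Review bot: the per-report details being deleted here disagree with the replacement table in the added all-reports.md, so settle which is right before this file goes: Access Key Entitlements And Usage has "Applies to: Amazon Web Services (AWS) and Microsoft Azure" here but "AWS, Azure, GCP" in the new table, and All Permissions for Identity has "Ability to collate report: Yes" here but "N/A" in the new table. The report this file calls "Identity privilege activity report" (PDF, not collatable) appears in the new table as "Permissions Analytics Report (PAR)" Summary, which is easy to confuse with the CSV "Permissions Analytics Report (PAR)" Detailed row directly below it; a short note on the rename would help readers. Also, the new all-reports.md "Next steps" links to product-reports.md for "View system reports in the Reports dashboard", which is the unprefixed name of this file, so the renamed copy must land in the same change.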
active-directory Faqs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/faqs.md
+
+ Title: Frequently asked questions (FAQs) about CloudKnox Permissions Management
+description: Frequently asked questions (FAQs) about CloudKnox Permissions Management.
+++++++ Last updated : 04/20/2022+++
+# Frequently asked questions (FAQs)
+
+> [!IMPORTANT]
+> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+> [!NOTE]
+> The CloudKnox Permissions Management (CloudKnox) PREVIEW is currently not available for tenants hosted in the European Union (EU).
++
+This article answers frequently asked questions (FAQs) about CloudKnox Permissions Management (CloudKnox).
+
+## What's CloudKnox Permissions Management?
+
+CloudKnox is a cloud infrastructure entitlement management (CIEM) solution that provides comprehensive visibility into permissions assigned to all identities. For example, over-privileged workload and user identities, actions, and resources across multi-cloud infrastructures in Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP). CloudKnox detects, automatically right-sizes, and continuously monitors unused and excessive permissions. It deepens the Zero Trust security strategy by augmenting the least privilege access principle.
++
+## What are the prerequisites to use CloudKnox?
+
+CloudKnox supports data collection from AWS, GCP, and/or Microsoft Azure. For data collection and analysis, customers are required to have an Azure Active Directory (Azure AD) account to use CloudKnox.
+
+## Can a customer use CloudKnox if they have other identities with access to their IaaS platform that aren't yet in Azure AD (for example, if part of their business has Okta or AWS Identity & Access Management (IAM))?
+
+Yes, a customer can detect, mitigate, and monitor the risk of 'backdoor' accounts that are local to AWS IAM, GCP, or from other identity providers such as Okta or AWS IAM.
+
+## Where can customers access CloudKnox?
+
+Customers can access the CloudKnox interface with a link from the Azure AD extension in the Azure portal.
+
+## Can non-cloud customers use CloudKnox on-premises?
+
+No, CloudKnox is a hosted cloud offering.
+
+## Can non-Azure customers use CloudKnox?
+
+Yes, non-Azure customers can use our solution. CloudKnox is a multi-cloud solution so even customers who have no subscription to Azure can benefit from it.
+
+## Is CloudKnox available for tenants hosted in the European Union (EU)?
+
+No, the CloudKnox Permissions Management (CloudKnox) PREVIEW is currently not available for tenants hosted in the European Union (EU).
+
+## If I'm already using Azure AD Privileged Identity Management (PIM) for Azure, what value does CloudKnox provide?
+
+CloudKnox complements Azure AD PIM. Azure AD PIM provides just-in-time access for admin roles in Azure (as well as Microsoft Online Services and apps that use groups), while CloudKnox allows multi-cloud discovery, remediation, and monitoring of privileged access across Azure, AWS, and GCP.
+
+## What languages does CloudKnox support?
+
+CloudKnox currently supports English.
+
+## What public cloud infrastructures are supported by CloudKnox?
+
+CloudKnox currently supports the three major public clouds: Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure.
+
+## Does CloudKnox support hybrid environments?
+
+CloudKnox currently doesn't support hybrid environments.
+
+## What types of identities are supported by CloudKnox?
+
+CloudKnox supports user identities (for example, employees, customers, external partners) and workload identities (for example, virtual machines, containers, web apps, serverless functions).
+
+<!## Is CloudKnox General Data Protection Regulation (GDPR) compliant?
+
+CloudKnox is currently not GDPR compliant.>
+
+## Is CloudKnox available in Government Cloud?
+
+No, CloudKnox is currently not available in Government clouds.
+
+## Is CloudKnox available for sovereign clouds?
+
+No, CloudKnox is currently not available in sovereign Clouds.
+
+## How does CloudKnox collect insights about permissions usage?
+
+CloudKnox has a data collector that collects access permissions assigned to various identities, activity logs, and resources metadata. This gathers full visibility into permissions granted to all identities to access the resources and details on usage of granted permissions.
+
+## How does CloudKnox evaluate cloud permissions risk?
+
+CloudKnox offers granular visibility into all identities and their permissions granted versus used, across cloud infrastructures to uncover any action performed by any identity on any resource. This isn't limited to just user identities, but also workload identities such as virtual machines, access keys, containers, and scripts. The dashboard gives an overview of permission profile to locate the riskiest identities and resources.
+
+## What is the Permissions Creep Index?
+
+The Permissions Creep Index (PCI) is a quantitative measure of risk associated with an identity or role determined by comparing permissions granted versus permissions exercised. It allows users to instantly evaluate the level of risk associated with the number of unused or over-provisioned permissions across identities and resources. It measures how much damage identities can cause based on the permissions they have.
+
+## How can customers use CloudKnox to delete unused or excessive permissions?
+
+CloudKnox allows users to right-size excessive permissions and automate least privilege policy enforcement with just a few clicks. The solution continuously analyzes historical permission usage data for each identity and gives customers the ability to right-size permissions of that identity to only the permissions that are being used for day-to-day operations. All unused and other risky permissions can be automatically removed.
+
+## How can customers grant permissions on-demand with CloudKnox?
+
+For any break-glass or one-off scenarios where an identity needs to perform a specific set of actions on a set of specific resources, the identity can request those permissions on-demand for a limited period with a self-service workflow. Customers can either use the built-in workflow engine or their IT service management (ITSM) tool. The user experience is the same for any identity type, identity source (local, enterprise directory, or federated) and cloud.
+
+## What is the difference between permissions on-demand and just-in-time access?
+
+Just-in-time (JIT) access is a method used to enforce the principle of least privilege to ensure identities are given the minimum level of permissions to perform the task at hand. Permissions on-demand are a type of JIT access that allows the temporary elevation of permissions, enabling identities to access resources on a by-request, timed basis.
+
+## How can customers monitor permissions usage with CloudKnox?
+
+Customers only need to track the evolution of their Permission Creep Index to monitor permissions usage. They can do this in the "Analytics" tab in their CloudKnox dashboard where they can see how the PCI of each identity or resource is evolving over time.
+
+## Can customers generate permissions usage reports?
+
+Yes, CloudKnox has various types of system report available that capture specific data sets. These reports allow customers to:
+- Make timely decisions.
+- Analyze usage trends and system/user performance.
+- Identify high-risk areas.
+
+For information about permissions usage reports, see [Generate and download the Permissions analytics report](product-permissions-analytics-reports.md).
+
+## Does CloudKnox integrate with third-party ITSM (Information Technology Security Management) tools?
+
+CloudKnox integrates with ServiceNow.
++
+## How is CloudKnox being deployed?
+
+Customers with Global Admin role have first to onboard CloudKnox on their Azure AD tenant, and then onboard their AWS accounts, GCP projects, and Azure subscriptions. More details about onboarding can be found in our product documentation.
+
+## How long does it take to deploy CloudKnox?
+
+It depends on each customer and how many AWS accounts, GCP projects, and Azure subscriptions they have.
+
+## Once CloudKnox is deployed, how fast can I get permissions insights?
+
+Once fully onboarded with data collection set up, customers can access permissions usage insights within hours. Our machine-learning engine refreshes the Permission Creep Index every hour so that customers can start their risk assessment right away.
+
+## Is CloudKnox collecting and storing sensitive personal data?
+
+No, CloudKnox doesn't have access to sensitive personal data.
+
+## Where can I find more information about CloudKnox?
+
+You can read our blog and visit our web page. You can also get in touch with your Microsoft point of contact to schedule a demo.
+
+## Resources
+
+- [Public Preview announcement blog](https://www.aka.ms/CloudKnox-Public-Preview-Blog)
+- [CloudKnox Permissions Management web page](https://microsoft.com/security/business/identity-access-management/permissions-management)
+++
+## Next steps
+
+- For an overview of CloudKnox, see [What's CloudKnox Permissions Management?](overview.md).
+- For information on how to onboard CloudKnox in your organization, see [Enable CloudKnox in your organization](onboard-enable-tenant.md).
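Review bot: the hidden GDPR question in this FAQ is wrapped as `<!## Is CloudKnox General Data Protection Regulation (GDPR) compliant?` ... `CloudKnox is currently not GDPR compliant.>`, which is not a valid HTML comment, so the "not GDPR compliant" text will render on the published page; either use `<!-- ... -->` or remove the block before merging. Two consistency points in the same file: the heading "Does CloudKnox integrate with third-party ITSM (Information Technology Security Management) tools?" expands the acronym differently from the on-demand permissions answer, which correctly says "IT service management (ITSM)", and the metric is named "Permissions Creep Index" in its definition but "Permission Creep Index" in the monitoring and deployment answers; pick one spelling.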
active-directory How To Add Remove Role Task https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/how-to-add-remove-role-task.md
+
+ Title: Add and remove roles and tasks for groups, users, and service accounts for Microsoft Azure and Google Cloud Platform (GCP) identities in the Remediation dashboard in Permissions Management
+description: How to attach and detach permissions for groups, users, and service accounts for Microsoft Azure and Google Cloud Platform (GCP) identities in the Remediation dashboard in Permissions Management.
+++++++ Last updated : 02/23/2022+++
+# Add and remove roles and tasks for Microsoft Azure and Google Cloud Platform (GCP) identities
++
+> [!IMPORTANT]
+> Microsoft Entra Permissions Management (Entra) is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+This article describes how you can add and remove roles and tasks for Microsoft Azure and Google Cloud Platform (GCP) identities using the **Remediation** dashboard.
+
+> [!NOTE]
+> To view the **Remediation** tab, your must have **Viewer**, **Controller**, or **Administrator** permissions. To make changes on this tab, you must have **Controller** or **Administrator** permissions. If you don't have these permissions, contact your system administrator.
+
+## View permissions
+
+1. On the Entra home page, select the **Remediation** tab, and then select the **Permissions** subtab.
+1. From the **Authorization System Type** dropdown, select **Azure** or **GCP**.
+1. From the **Authorization System** dropdown, select the accounts you want to access.
+1. From the **Search For** dropdown, select **Group**, **User**, or **APP**.
+1. To search for more parameters, you can make a selection from the **User States**, **Permission Creep Index**, and **Task Usage** dropdowns.
+1. Select **Apply**.
+ Entra displays a list of groups, users, and service accounts that match your criteria.
+1. In **Enter a username**, enter or select a user.
+1. In **Enter a Group Name**, enter or select a group, then select **Apply**.
+1. Make a selection from the results list.
+
+ The table displays the **Username** **Domain/Account**, **Source**, **Resource** and **Current Role**.
++
+## Add a role
+
+1. On the Entra home page, select the **Remediation** tab, and then select the **Permissions** subtab.
+1. From the **Authorization System Type** dropdown, select **Azure** or **GCP**.
+1. From the **Authorization System** dropdown, select the accounts you want to access.
+1. From the **Search For** dropdown, select **Group**, **User**, or **APP/Service Account**, and then select **Apply**.
+1. Make a selection from the results list.
+
+1. To attach a role, select **Add role**.
+1. In the **Add Role** page, from the **Available Roles** list, select the plus sign **(+)** to move the role to the **Selected Roles** list.
+1. When you have finished adding roles, select **Submit**.
+1. When the following message displays: **Are you sure you want to change permission?**, select:
+ - **Generate Script** to generate a script where you can manually add/remove the permissions you selected.
+ - **Execute** to change the permission.
+ - **Close** to cancel the action.
+
+## Remove a role
+
+1. On the Entra home page, select the **Remediation** tab, and then select the **Permissions** subtab.
+1. From the **Authorization System Type** dropdown, select **Azure** or **GCP**.
+1. From the **Authorization System** dropdown, select the accounts you want to access.
+1. From the **Search For** dropdown, select **Group**, **User**, or **APP/Service Account**, and then select **Apply**.
+1. Make a selection from the results list.
+
+1. To remove a role, select **Remove Role**.
+1. In the **Remove Role** page, from the **Available Roles** list, select the plus sign **(+)** to move the role to the **Selected Roles** list.
+1. When you have finished selecting roles, select **Submit**.
+1. When the following message displays: **Are you sure you want to change permission?**, select:
+ - **Generate Script** to generate a script where you can manually add/remove the permissions you selected.
+ - **Execute** to change the permission.
+ - **Close** to cancel the action.
+
+## Add a task
+
+1. On the Permissions Management home page, select the **Remediation** tab, and then select the **Permissions** subtab.
+1. From the **Authorization System Type** dropdown, select **Azure** or **GCP**.
+1. From the **Authorization System** dropdown, select the accounts you want to access.
+1. From the **Search For** dropdown, select **Group**, **User**, or **APP/Service Account**, and then select **Apply**.
+1. Make a selection from the results list.
+
+1. To attach a role, select **Add Tasks**.
+1. In the **Add Tasks** page, from the **Available Tasks** list, select the plus sign **(+)** to move the task to the **Selected Tasks** list.
+1. When you have finished adding tasks, select **Submit**.
+1. When the following message displays: **Are you sure you want to change permission?**, select:
+ - **Generate Script** to generate a script where you can manually add/remove the permissions you selected.
+ - **Execute** to change the permission.
+ - **Close** to cancel the action.
+
+## Remove a task
+
+1. On the Entra home page, select the **Remediation** tab, and then select the **Permissions** subtab.
+1. From the **Authorization System Type** dropdown, select **Azure** or **GCP**.
+1. From the **Authorization System** dropdown, select the accounts you want to access.
+1. From the **Search For** dropdown, select **Group**, **User**, or **APP/Service Account**, and then select **Apply**.
+1. Make a selection from the results list.
+
+1. To remove a task, select **Remove Tasks**.
+1. In the **Remove Tasks** page, from the **Available Tasks** list, select the plus sign **(+)** to move the task to the **Selected Tasks** list.
+1. When you have finished selecting tasks, select **Submit**.
+1. When the following message displays: **Are you sure you want to change permission?**, select:
+ - **Generate Script** to generate a script where you can manually add/remove the permissions you selected.
+ - **Execute** to change the permission.
+ - **Close** to cancel the action.
+
+## Next steps
++
+- For information on how to view existing roles/policies, requests, and permissions, see [View roles/policies, requests, and permission in the Remediation dashboard](ui-remediation.md).
+- For information on how to create a role/policy, see [Create a role/policy](how-to-create-role-policy.md).
+- For information on how to clone a role/policy, see [Clone a role/policy](how-to-clone-role-policy.md).
+- For information on how to delete a role/policy, see [Delete a role/policy](how-to-delete-role-policy.md).
+- For information on how to modify a role/policy, see Modify a role/policy](how-to-modify-role-policy.md).
+- To view information about roles/policies, see [View information about roles/policies](how-to-view-role-policy.md).
+- For information on how to attach and detach permissions for Amazon Web Services (AWS) identities, see [Attach and detach policies for AWS identities](how-to-attach-detach-permissions.md).
+- For information on how to revoke high-risk and unused tasks or assign read-only status for Microsoft Azure and Google Cloud Platform (GCP) identities, see [Revoke high-risk and unused tasks or assign read-only status for Azure and GCP identities](how-to-revoke-task-readonly-status.md)
+For information on how to create or approve a request for permissions, see [Create or approve a request for permissions](how-to-create-approve-privilege-request.md).
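Review bot: in "Add a task", the first action step reads `1. To attach a role, select **Add Tasks**.` but should say "To attach a task". In the Next steps list, `see Modify a role/policy](how-to-modify-role-policy.md)` is missing its opening `[`, and the final line `For information on how to create or approve a request for permissions...` lacks the `- ` bullet, so it renders as a stray paragraph. Smaller points: the NOTE has "your must have" for "you must have", the table sentence `**Username** **Domain/Account**` needs a comma, and this article alternately calls the product "Entra" (IMPORTANT callout, "View permissions" steps) and "Permissions Management" ("Add a task" step 1), unlike the sibling articles in this change, which use "Permissions Management" throughout.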
active-directory How To Attach Detach Permissions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/how-to-attach-detach-permissions.md
+
+ Title: Attach and detach permissions for users, roles, and groups for Amazon Web Services (AWS) identities in the Remediation dashboard in Permissions Management
+description: How to attach and detach permissions for users, roles, and groups for Amazon Web Services (AWS) identities in the Remediation dashboard in Permissions Management.
+++++++ Last updated : 02/23/2022+++
+# Attach and detach policies for Amazon Web Services (AWS) identities
++
+> [!IMPORTANT]
+> Microsoft Entra Permissions Management is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+This article describes how you can attach and detach permissions for users, roles, and groups for Amazon Web Services (AWS) identities using the **Remediation** dashboard.
+
+> [!NOTE]
+> To view the **Remediation** tab, your must have **Viewer**, **Controller**, or **Administrator** permissions. To make changes on this tab, you must have **Controller** or **Administrator** permissions. If you don't have these permissions, contact your system administrator.
+
+## View permissions
+
+1. On the Permissions Management home page, select the **Remediation** tab, and then select the **Permissions** subtab.
+1. From the **Authorization System Type** dropdown, select **AWS**.
+1. From the **Authorization System** dropdown, select the accounts you want to access.
+1. From the **Search For** dropdown, select **Group**, **User**, or **Role**.
+1. To search for more parameters, you can make a selection from the **User States**, **Permission Creep Index**, and **Task Usage** dropdowns.
+1. Select **Apply**.
+ Permissions Management displays a list of users, roles, or groups that match your criteria.
+1. In **Enter a username**, enter or select a user.
+1. In **Enter a group name**, enter or select a group, then select **Apply**.
+1. Make a selection from the results list.
+
+ The table displays the related **Username** **Domain/Account**, **Source** and **Policy Name**.
++
+## Attach policies
+
+1. On the Permissions Management home page, select the **Remediation** tab, and then select the **Permissions** subtab.
+1. From the **Authorization System Type** dropdown, select **AWS**.
+1. In **Enter a username**, enter or select a user.
+1. In **Enter a Group Name**, enter or select a group, then select **Apply**.
+1. Make a selection from the results list.
+1. To attach a policy, select **Attach Policies**.
+1. In the **Attach Policies** page, from the **Available policies** list, select the plus sign **(+)** to move the policy to the **Selected policies** list.
+1. When you have finished adding policies, select **Submit**.
+1. When the following message displays: **Are you sure you want to change permission?**, select:
+ - **Generate Script** to generate a script where you can manually add/remove the permissions you selected.
+ - **Execute** to change the permission.
+ - **Close** to cancel the action.
+
+## Detach policies
+
+1. On the Permissions Management Permissions Management home page, select the **Remediation** tab, and then select the **Permissions** subtab.
+1. From the **Authorization System Type** dropdown, select **AWS**.
+1. In **Enter a username**, enter or select a user.
+1. In **Enter a Group Name**, enter or select a group, then select **Apply**.
+1. Make a selection from the results list.
+1. To remove a policy, select **Detach Policies**.
+1. In the **Detach Policies** page, from the **Available policies** list, select the plus sign **(+)** to move the policy to the **Selected policies** list.
+1. When you have finished selecting policies, select **Submit**.
+1. When the following message displays: **Are you sure you want to change permission?**, select:
+ - **Generate Script** to generate a script where you can manually add/remove the permissions you selected.
+ - **Execute** to change the permission.
+ - **Close** to cancel the action.
+
+## Next steps
++
+- For information on how to view existing roles/policies, requests, and permissions, see [View roles/policies, requests, and permission in the Remediation dashboard](ui-remediation.md).
+- For information on how to create a role/policy, see [Create a role/policy](how-to-create-role-policy.md).
+- For information on how to clone a role/policy, see [Clone a role/policy](how-to-clone-role-policy.md).
+- For information on how to delete a role/policy, see [Delete a role/policy](how-to-delete-role-policy.md).
+- For information on how to modify a role/policy, see Modify a role/policy](how-to-modify-role-policy.md).
+- To view information about roles/policies, see [View information about roles/policies](how-to-view-role-policy.md).
+- For information on how to revoke high-risk and unused tasks or assign read-only status for Microsoft Azure and Google Cloud Platform (GCP) identities, see [Revoke high-risk and unused tasks or assign read-only status for Azure and GCP identities](how-to-revoke-task-readonly-status.md)
+For information on how to create or approve a request for permissions, see [Create or approve a request for permissions](how-to-create-approve-privilege-request.md).
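Review bot: "Detach policies" step 1 duplicates the product name: `1. On the Permissions Management Permissions Management home page, select the **Remediation** tab`. The "Attach policies" and "Detach policies" procedures also go straight from **Authorization System Type** to **Enter a username**, omitting the **Authorization System** and **Search For** selections that the "View permissions" procedure lists; if those selections are required before the username and group fields appear, add them so the procedures are complete. Same recurring issues as the Azure/GCP article: "your must have" in the NOTE, missing comma in `**Username** **Domain/Account**`, missing `[` on the Modify link, and a missing `- ` bullet on the last Next steps line.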
active-directory How To Audit Trail Results https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/how-to-audit-trail-results.md
+
+ Title: Generate an on-demand report from a query in the Audit dashboard in Permissions Management
+description: How to generate an on-demand report from a query in the **Audit** dashboard in Permissions Management.
+++++++ Last updated : 02/23/2022+++
+# Generate an on-demand report from a query
+
+> [!IMPORTANT]
+> Microsoft Entra Permissions Management is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+This article describes how you can generate an on-demand report from a query in the **Audit** dashboard in Permissions Management. You can:
+
+- Run a report on-demand.
+- Schedule and run a report as often as you want.
+- Share a report with other members of your team and management.
+
+## Generate a custom report on-demand
+
+1. In the Permissions Management home page, select the **Audit** tab.
+
+ Permissions Management displays the query options available to you.
+1. In the **Audit** dashboard, select **Search** to run the query.
+1. Select **Export**.
+
+ Permissions Management generates the report and exports it in comma-separated values (**CSV**) format, portable document format (**PDF**), or Microsoft Excel Open XML Spreadsheet (**XLSX**) format.
+
+<!
+## Create a schedule to automatically generate and share a report
+
+1. In the **Audit** tab, load the query you want to use to generate your report.
+2. Select **Settings** (the gear icon).
+3. In **Repeat on**, select on which days of the week you want the report to run.
+4. In **Date**, select the date when you want the query to run.
+5. In **hh mm** (time), select the time when you want the query to run.
+6. In **Request file format**, select the file format you want for your report.
+7. In **Share report with people**, enter email addresses for people to whom you want to send the report.
+8. Select **Schedule**.
+
+ Permissions Management generates the report as set in Steps 3 to 6, and emails it to the recipients you specified in Step 7.
++
+## Delete the schedule for a report
+
+1. In the **Audit** tab, load the query whose report schedule you want to delete.
+2. Select the ellipses menu **(…)** on the far right, and then select **Delete schedule**.
+
+ Permissions Management deletes the schedule for running the query. The query itself isn't deleted.
+>
++
+## Next steps
+
+- For information on how to view how users access information, see [Use queries to see how users access information](ui-audit-trail.md).
+- For information on how to filter and view user activity, see [Filter and query user activity](product-audit-trail.md).
+- For information on how to create a query,see [Create a custom query](how-to-create-custom-queries.md).
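Review bot: the "Create a schedule to automatically generate and share a report" and "Delete the schedule for a report" sections are wrapped in `<!` and a closing `>` rather than `<!-- ... -->`, so both sections will render as visible content (with a stray `>` line before Next steps) instead of being hidden; correct the comment delimiters, or delete the sections if the scheduling feature is not yet available. Minor: `For information on how to create a query,see [Create a custom query]` is missing a space after the comma.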
active-directory How To Clone Role Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/how-to-clone-role-policy.md
+
+ Title: Clone a role/policy in the Remediation dashboard in Permissions Management
+description: How to clone a role/policy in the Just Enough Permissions (JEP) Controller.
+++++++ Last updated : 02/23/2022+++
+# Clone a role/policy in the Remediation dashboard
+
+> [!IMPORTANT]
+> Microsoft Entra Permissions Management is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+This article describes how you can use the **Remediation** dashboard in Permissions Management to clone roles/policies for the Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) authorization systems.
+
+> [!NOTE]
+> To view the **Remediation** tab, you must have **Viewer**, **Controller**, or **Administrator** permissions. To make changes on this tab, you must have **Controller** or **Administrator** permissions. If you don't have these permissions, contact your system administrator.
+
+> [!NOTE]
+> Microsoft Azure uses the term *role* for what other Cloud providers call *policy*. Permissions Management automatically makes this terminology change when you select the authorization system type. In the user documentation, we use *role/policy* to refer to both.
+
+## Clone a role/policy
+
+1. On the Permissions Management Permissions Management home page, select the **Remediation** tab, and then select the **Role/Policies** tab.
+1. Select the role/policy you want to clone, and from the **Actions** column, select **Clone**.
+1. **(AWS Only)** In the **Clone** box, the **Clone Resources** and **Clone Conditions** checkboxes are automatically selected.
+ Deselect the boxes if the resources and conditions are different from what is displayed.
+1. Enter a name for each authorization system that was selected in the **Policy Name** boxes, and then select **Next**.
+
+1. If the data collector hasn't been given controller privileges, the following message displays: **Only online/controller-enabled authorization systems can be submitted for cloning.**
+
+ To clone this role manually, download the script and JSON file.
+
+1. Select **Submit**.
+1. Refresh the **Role/Policies** tab to see the role/policy you cloned.
+
+## Next steps
++
+- For information on how to view existing roles/policies, requests, and permissions, see [View roles/policies, requests, and permission in the Remediation dashboard](ui-remediation.md).
+- For information on how to create a role/policy, see [Create a role/policy](how-to-create-role-policy.md).
+- For information on how to delete a role/policy, see [Delete a role/policy](how-to-delete-role-policy.md).
+- For information on how to modify a role/policy, see Modify a role/policy](how-to-modify-role-policy.md).
+- To view information about roles/policies, see [View information about roles/policies](how-to-view-role-policy.md).
+- For information on how to attach and detach permissions for AWS identities, see [Attach and detach policies for AWS identities](how-to-attach-detach-permissions.md).
+- For information on how to revoke high-risk and unused tasks or assign read-only status for Azure and GCP identities, see [Revoke high-risk and unused tasks or assign read-only status for Azure and GCP identities](how-to-revoke-task-readonly-status.md)
+- For information on how to create or approve a request for permissions, see [Create or approve a request for permissions](how-to-create-approve-privilege-request.md).
+- For information on how to view information about roles/policies, see [View information about roles/policies](how-to-view-role-policy.md)
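Review bot: the Next steps list ends with a duplicate link; `- For information on how to view information about roles/policies, see [View information about roles/policies](how-to-view-role-policy.md)` repeats the earlier "To view information about roles/policies" bullet, so drop one. The metadata `description` still refers to the "Just Enough Permissions (JEP) Controller" while the title and body describe the **Remediation** dashboard; align the description. Also "Clone a role/policy" step 1 repeats "Permissions Management Permissions Management", and the Modify link is missing its opening `[`, as in the other Remediation articles.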
active-directory How To Create Alert Trigger https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/how-to-create-alert-trigger.md
+
+ Title: Create and view activity alerts and alert triggers in Permissions Management
+description: How to create and view activity alerts and alert triggers in Permissions Management.
+++++++ Last updated : 02/23/2022+++
+# Create and view activity alerts and alert triggers
+
+> [!IMPORTANT]
+> Microsoft Entra Permissions Management is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+This article describes how you can create and view activity alerts and alert triggers in Permissions Management.
+
+## Create an activity alert trigger
+
+1. In the Permissions Management home page, select **Activity Triggers** (the bell icon).
+1. In the **Activity** tab, select **Create Activity Trigger**.
+1. In the **Alert Name** box, enter a name for your alert.
+1. In **Authorization System Type**, select your authorization system: Amazon Web Services (**AWS**), Microsoft **Azure**, or Google Cloud Platform (**GCP**).
+1. In **Authorization System**, select **Is** or **In**, and then select one or more accounts and folders.
+1. From the **Select a Type** dropdown, select: **Access Key ID**, **Identity Tag Key**, **Identity Tag Key Value**, **Resource Name**, **Resource Tag Key**, **Resource Tag Key Value**, **Role Name**, **Role Session Name**, **State**, **Task Name**, or **Username**.
+1. From the **Operator** dropdown, select an option:
+
+ - **Is**/**Is Not**: Select in the value field to view a list of all available values. You can either select or enter the required value.
+ - **Contains**/**Not Contains**: Enter any text that the query parameter should or shouldn't contain, for example *Permissions Management*.
+ - **In**/**Not In**: Select in the value field to view list of all available values. Select the required multiple values.
+
+1. To add another parameter, select the plus sign **(+)**, then select an operator, and then enter a value.
+
+ To remove a parameter, select the minus sign **(-)**.
+1. To add another activity type, select **Add**, and then enter your parameters.
+1. To save your alert, select **Save**.
+
+ A message displays to confirm your activity trigger has been created.
+
+ The **Triggers** table in the **Alert Triggers** subtab displays your alert trigger.
+
+## View an activity alert
+
+1. In the Permissions Management home page, select **Activity Triggers** (the bell icon).
+1. In the **Activity** tab, select the **Alerts** subtab.
+1. From the **Alert Name** dropdown, select an alert.
+1. From the **Date** dropdown, select **Last 24 Hours**, **Last 2 Days**, **Last Week**, or **Custom Range**.
+
+ If you select **Custom Range**, select date and time settings, and then select **Apply**.
+1. To view the alert, select **Apply**
+
+ The **Alerts** table displays information about your alert.
+++
+## View activity alert triggers
+
+1. In the Permissions Management home page, select **Activity triggers** (the bell icon).
+1. In the **Activity** tab, select the **Alert Triggers** subtab.
+1. From the **Status** dropdown, select **All**, **Activated** or **Deactivated**, then select **Apply**.
+
+ The **Triggers** table displays the following information:
+
+ - **Alerts**: The name of the alert trigger.
+ - **# of users subscribed**: The number of users who have subscribed to a specific alert trigger.
+
+ - Select a number in this column to view information about the user.
+
+ - **Created By**: The email address of the user who created the alert trigger.
+ - **Modified By**: The email address of the user who last modified the alert trigger.
+ - **Last Updated**: The date and time the alert trigger was last updated.
+ - **Subscription**: A switch that displays if the alert is **On** or **Off**.
+
+ - If the column displays **Off**, the current user isn't subscribed to that alert. Switch the toggle to **On** to subscribe to the alert.
+ - The user who creates an alert trigger is automatically subscribed to the alert, and will receive emails about the alert.
+
+1. To see only activated or only deactivated triggers, from the **Status** dropdown, select **Activated** or **Deactivated**, and then select **Apply**.
+
+1. To view other options available to you, select the ellipses (**...**), and then select from the available options.
+
+ If the **Subscription** is **On**, the following options are available:
+
+ - **Edit**: Enables you to modify alert parameters
+
+ > [!NOTE]
+ > Only the user who created the alert can perform the following actions: edit the trigger screen, rename an alert, deactivate an alert, and delete an alert. Changes made by other users aren't saved.
+
+ - **Duplicate**: Create a duplicate of the alert called "**Copy of XXX**".
+ - **Rename**: Enter the new name of the query, and then select **Save.**
+ - **Deactivate**: The alert will still be listed, but will no longer send emails to subscribed users.
+ - **Activate**: Activate the alert trigger and start sending emails to subscribed users.
+ - **Notification Settings**: View the **Email** of users who are subscribed to the alert trigger and their **User Status**.
+ - **Delete**: Delete the alert.
+
+ If the **Subscription** is **Off**, the following options are available:
+ - **View**: View details of the alert trigger.
+ - **Notification Settings**: View the **Email** of users who are subscribed to the alert trigger and their **User Status**.
+ - **Duplicate**: Create a duplicate copy of the selected alert trigger.
++++
+## Next steps
+
+- For an overview on activity triggers, see [View information about activity triggers](ui-triggers.md).
+- For information on rule-based anomalies and anomaly triggers, see [Create and view rule-based anomalies and anomaly triggers](product-rule-based-anomalies.md).
+- For information on finding outliers in identity's behavior, see [Create and view statistical anomalies and anomaly triggers](product-statistical-anomalies.md).
+- For information on permission analytics triggers, see [Create and view permission analytics triggers](product-permission-analytics.md).
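Review bot: in "View activity alert triggers", step 3 (`From the **Status** dropdown, select **All**, **Activated** or **Deactivated**, then select **Apply**.`) and the step after the Triggers table (`To see only activated or only deactivated triggers, from the **Status** dropdown, select ...`) give the same instruction twice; merge them or drop the second. Two lines lack terminal punctuation: `1. To view the alert, select **Apply**` and `- **Edit**: Enables you to modify alert parameters`. The NOTE stating that only the creator's edits are saved is worth surfacing above the option list rather than nested under **Edit**, since it also governs **Rename**, **Deactivate**, and **Delete**.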
active-directory How To Create Approve Privilege Request https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/how-to-create-approve-privilege-request.md
+
+ Title: Create or approve a request for permissions in the Remediation dashboard in Permissions Management
+description: How to create or approve a request for permissions in the Remediation dashboard.
+++++++ Last updated : 02/23/2022+++
+# Create or approve a request for permissions
+
+> [!IMPORTANT]
+> Microsoft Entra Permissions Management is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+This article describes how to create or approve a request for permissions in the **Remediation** dashboard in Permissions Management. You can create and approve requests for the Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) authorization systems.
+
+The **Remediation** dashboard has two privilege-on-demand (POD) workflows you can use:
+- **New Request**: The workflow used by a user to create a request for permissions for a specified duration.
+- **Approver**: The workflow used by an approver to review and approve or reject a user's request for permissions.
++
+> [!NOTE]
+> To view the **Remediation** dashboard, you must have **Viewer**, **Controller**, or **Administrator** permissions. To make changes on this tab, you must have **Controller** or **Administrator** permissions. If you don't have these permissions, contact your system administrator.
+
+## Create a request for permissions
+
+1. On the Permissions Management home page, select the **Remediation** tab, and then select the **My Requests** subtab.
+
+ The **My Requests** subtab displays the following options:
+ - **Pending**: A list of requests you've made but haven't yet been reviewed.
+ - **Approved**: A list of requests that have been reviewed and approved by the approver. These requests have either already been activated or are in the process of being activated.
+ - **Processed**: A summary of the requests you've created that have been approved (**Done**), **Rejected**, and requests that have been **Canceled**.
+
+1. To create a request for permissions, select **New Request**.
+1. In the **Roles/Tasks** page:
+ 1. From the **Authorization System Type** dropdown, select the authorization system type you want to access: **AWS**, **Azure** or **GCP**.
+ 1. From the **Authorization System** dropdown, select the accounts you want to access.
+ 1. From the **Identity** dropdown, select the identity on whose behalf you're requesting access.
+
+ - If the identity you select is a Security Assertions Markup Language (SAML) user, and since a SAML user accesses the system through assumption of a role, select the user's role in **Role**.
+
+ - If the identity you select is a local user, to select the policies you want:
+ 1. Select **Request Policy(s)**.
+ 1. In **Available Policies**, select the policies you want.
+ 1. To select a specific policy, select the plus sign, and then find and select the policy you want.
+
+ The policies you've selected appear in the **Selected policies** box.
+
+ - If the identity you select is a local user, to select the tasks you want:
+ 1. Select **Request Task(s)**.
+ 1. In **Available Tasks**, select the tasks you want.
+ 1. To select a specific task, select the plus sign, and then select the task you want.
+
+ The tasks you've selected appear in the **Selected Tasks** box.
+
+ If the user already has existing policies, they're displayed in **Existing Policies**.
+1. Select **Next**.
+
+1. If you selected **AWS**, the **Scope** page appears.
+
+ 1. In **Select Scope**, select:
+ - **All Resources**
+ - **Specific Resources**, and then select the resources you want.
+ - **No Resources**
+ 1. In **Request Conditions**:
+ 1. Select **JSON** to add a JSON block of code.
+ 1. Select **Done** to accept the code you've entered, or **Clear** to delete what you've entered and start again.
+ 1. In **Effect**, select **Allow** or **Deny.**
+ 1. Select **Next**.
+
+1. The **Confirmation** page appears.
+1. In **Request Summary**, enter a summary for your request.
+1. Optional: In **Note**, enter a note for the approver.
+1. In **Schedule**, select when (how quickly) you want your request to be processed:
+ - **ASAP**
+ - **Once**
+ - In **Create Schedule**, select the **Frequency**, **Date**, **Time**, and **For** the required duration, then select **Schedule**.
+ - **Daily**
+ - **Weekly**
+ - **Monthly**
+1. Select **Submit**.
+
+ The following message appears: **Your Request Has Been Successfully Submitted.**
+
+ The request you submitted is now listed in **Pending Requests**.
+
+## Approve or reject a request for permissions
+
+1. On the Permissions Management home page, select the **Remediation** tab, and then select the **My requests** subtab.
+1. To view a list of requests that haven't yet been reviewed, select **Pending Requests**.
+1. In the **Request Summary** list, select the ellipses **(…)** menu on the right of a request, and then select:
+
+ - **Details** to view the details of the request.
+ - **Approve** to approve the request.
+ - **Reject** to reject the request.
+
+1. (Optional) add a note to the requestor, and then select **Confirm.**
+
+ The **Approved** subtab displays a list of requests that have been reviewed and approved by the approver. These requests have either already been activated or are in the process of being activated.
+ The **Processed** subtab displays a summary of the requests that have been approved or rejected, and requests that have been canceled.
++
+## Next steps
++
+- For information on how to view existing roles/policies, requests, and permissions, see [View roles/policies, requests, and permission in the Remediation dashboard](ui-remediation.md).
+- For information on how to create a role/policy, see [Create a role/policy](how-to-create-role-policy.md).
+- For information on how to clone a role/policy, see [Clone a role/policy](how-to-clone-role-policy.md).
+- For information on how to delete a role/policy, see [Delete a role/policy](how-to-delete-role-policy.md).
+- For information on how to modify a role/policy, see Modify a role/policy](how-to-modify-role-policy.md).
+- To view information about roles/policies, see [View information about roles/policies](how-to-view-role-policy.md).
+- For information on how to attach and detach permissions for Amazon Web Services (AWS) identities, see [Attach and detach policies for AWS identities](how-to-attach-detach-permissions.md).
+- For information on how to add and remove roles and tasks for Microsoft Azure and Google Cloud Platform (GCP) identities, see [Add and remove roles and tasks for Azure and GCP identities](how-to-attach-detach-permissions.md).
+- For information on how to revoke high-risk and unused tasks or assign read-only status for Microsoft Azure and Google Cloud Platform (GCP) identities, see [Revoke high-risk and unused tasks or assign read-only status for Azure and GCP identities](how-to-revoke-task-readonly-status.md)
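Review bot: The "Modify a role/policy" Next steps link is missing its opening bracket (`see Modify a role/policy](how-to-modify-role-policy.md)`), so it renders as literal text; it should read `see [Modify a role/policy](how-to-modify-role-policy.md)`. The SAML step expands the acronym as "Security Assertions Markup Language"; the standard is "Security Assertion Markup Language", and the sentence would read more clearly as "Because a SAML user accesses the system by assuming a role, select the user's role in **Role**." UI labels drift between the two procedures: **My Requests** and **Pending** in the create section versus **My requests** and **Pending Requests** in the approve section; use the label the product shows in both places. The **Request Conditions** step says only "add a JSON block of code" without saying what the block must contain or how it is validated; a one-line description or a link would save requesters from guessing. The permissions note lists only **Viewer**, **Controller**, and **Administrator**, yet the **Approver** workflow is introduced a few lines earlier and an **Approver** permission appears in the group-based permissions article in this same change; state which permission lets a user approve or reject requests. The last Next steps bullet is missing its trailing period.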
active-directory How To Create Custom Queries https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/how-to-create-custom-queries.md
+
+ Title: Create a custom query in Permissions Management
+description: How to create a custom query in the Audit dashboard in Permissions Management.
+++++++ Last updated : 02/23/2022+++
+# Create a custom query
+
+> [!IMPORTANT]
+> Microsoft Entra Permissions Management is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+This article describes how you can use the **Audit** dashboard in Permissions Management to create custom queries that you can modify, save, and run as often as you want.
+
+## Open the Audit dashboard
+
+- In the Permissions Management home page, select the **Audit** tab.
+
+ Permissions Management displays the query options available to you.
+
+## Create a custom query
+
+1. In the **Audit** dashboard, in the **New Query** subtab, select **Authorization System Type**, and then select the authorization systems you want to search: Amazon Web Services (**AWS**), Microsoft **Azure**, Google Cloud Platform (**GCP**), or Platform (**Platform**).
+1. Select the authorization systems you want to search from the **List** and **Folders** box, and then select **Apply**.
+
+1. In the **New Query** box, enter your query parameters, and then select **Add**.
+ For example, to query by a date, select **Date** in the first box. In the second and third boxes, select the down arrow, and then select one of the date-related options.
+
+1. To add parameters, select **Add**, select the down arrow in the first box to display a dropdown of available selections. Then select the parameter you want.
+1. To add more parameters to the same query, select **Add** (the plus sign), and from the first box, select **And** or **Or**.
+
+ Repeat this step for the second and third box to complete entering the parameters.
+1. To change your query as you're creating it, select **Edit** (the pencil icon), and then change the query parameters.
+1. To change the parameter options, select the down arrow in each box to display a dropdown of available selections. Then select the option you want.
+1. To discard your selections, select **Reset Query** for the parameter you want to change, and then make your selections again.
+1. When you're ready to run your query, select **Search**.
+1. To save the query, select **Save**.
+
+ Permissions Management saves the query and adds it to the **Saved Queries** list.
+
+## Save the query under a new name
+
+1. In the **Audit** dashboard, select the ellipses menu **(…)** on the far right and select **Save As**.
+2. Enter a new name for the query, and then select **Save**.
+
+ Permissions Management saves the query under the new name. Both the new query and the original query display in the **Saved Queries** list.
+
+## View a saved query
+
+1. In the **Audit** dashboard, select the down arrow next to **Saved Queries**.
+
+ A list of saved queries appears.
+2. Select the query you want to open.
+3. To open the query with the authorization systems you saved with the query, select **Load with the saved authorization systems**.
+4. To open the query with the authorization systems you have currently selected (which may be different from the ones you originally saved), select **Load with the currently selected authorization systems**.
+5. Select **Load Queries**.
+
+ Permissions Management displays details of the query in the **Activity** table. Select a query to see its details:
+
+ - The **Identity Details**.
+ - The **Domain** name.
+ - The **Resource Name** and **Resource Type**.
+ - The **Task Name**.
+ - The **Date**.
+ - The **IP Address**.
+ - The **Authorization System**.
+
+## View a raw events summary
+
+1. In the **Audit** dashboard, select **View** (the eye icon) to open the **Raw Events Summary** box.
+
+ The **Raw Events Summary** box displays **Username or Role Session Name**, the **Task name**, and the script for your query.
+1. Select **Copy** to copy the script.
+1. Select **X** to close the **Raw events summary** box.
++
+## Run a saved query
+
+1. In the **Audit** dashboard, select the query you want to run.
+
+ Permissions Management displays the results of the query in the **Activity** table.
+
+## Delete a query
+
+1. In the **Audit** dashboard, load the query you want to delete.
+2. Select **Delete**.
+
+ Permissions Management deletes the query. Deleted queries don't display in the **Saved Queries** list.
+
+## Rename a query
+
+1. In the **Audit** dashboard, load the query you want to rename.
+2. Select the ellipses menu **(…)** on the far right, and select **Rename**.
+3. Enter a new name for the query, and then select **Save**.
+
+ Permissions Management saves the query under the new name. Both the new query and the original query display in the **Saved Queries** list.
+
+## Duplicate a query
+
+1. In the **Audit** dashboard, load the query you want to duplicate.
+2. Select the ellipses menu **(…)** on the far right, and then select **Duplicate**.
+
+ CloudKnox creates a copy of the query. Both the copy of the query and the original query display in the **Saved Queries** list.
+
+ You can rename the original or copy of the query, change it, and save it without changing the other query.
+++
+## Next steps
+
+- For information on how to view how users access information, see [Use queries to see how users access information](ui-audit-trail.md).
+- For information on how to filter and view user activity, see [Filter and query user activity](product-audit-trail.md).
+- For information on how to generate an on-demand report from a query, see [Generate an on-demand report from a query](how-to-audit-trail-results.md).
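Review bot: The "Rename a query" section ends with "Both the new query and the original query display in the **Saved Queries** list", which is the outcome of **Save As**, not of a rename; a rename should leave one query under the new name, so either this sentence was copied from "Save the query under a new name" or the UI's **Rename** actually creates a copy, and the text should say which. The "Duplicate a query" section says "CloudKnox creates a copy of the query" while every other sentence in the article says "Permissions Management"; the old product name should be replaced. Smaller points: "Google Cloud Platform (**GCP**), or Platform (**Platform**)" reads oddly and the list should say what **Platform** covers; steps 4 and 5 of "Create a custom query" both describe selecting **Add** to add a parameter and could be merged into one step; **Raw Events Summary** and **Raw events summary** differ in capitalization within three lines.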
active-directory How To Create Group Based Permissions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/how-to-create-group-based-permissions.md
+
+ Title: Select group-based permissions settings in Permissions Management with the User management dashboard
+description: How to select group-based permissions settings in Permissions Management with the User management dashboard.
+++++++ Last updated : 02/23/2022+++
+# Select group-based permissions settings
+
+> [!IMPORTANT]
+> Microsoft Entra Permissions Management is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+This article describes how you can create and manage group-based permissions in Permissions Management with the User management dashboard.
+
+[!NOTE] The Permissions Management Administrator for all authorization systems will be able to create the new group based permissions.
+
+## Select administrative permissions settings for a group
+
+1. To display the **User Management** dashboard, select **User** (your initials) in the upper right of the screen, and then select **User Management**.
+1. Select the **Groups** tab, and then press the **Create Permission** button in the upper right of the table.
+1. In the **Set Group Permission** box, begin typing the name of an **Azure Active Directory Security Group** in your tenant.
+
+1. Select the permission setting you want:
+2.
+ - **Admin for all Authorization System Types** provides **View**, **Control**, and **Approve** permissions for all authorization system types.
+ - **Admin for selected Authorization System Types** provides **View**, **Control**, and **Approve** permissions for selected authorization system types.
+ - **Custom** allows you to set **View**, **Control**, and **Approve** permissions for the authorization system types that you select.
+1. Select **Next**
+
+1. If you selected **Admin for all Authorization System Types**
+ - Select Identities for each Authorization System that you would like members of this group to Request on.
+
+1. If you selected **Admin for selected Authorization System Types**
+ - Select **Viewer**, **Controller**, or **Approver** for the **Authorization System Types** you want.
+ - Select **Next** and then select Identities for each Authorization System that you would like members of this group to Request on.
+
+1. If you select **Custom**, select the **Authorization System Types** you want.
+ - Select **Viewer**, **Controller**, or **Approver** for the **Authorization Systems** you want.
+ - Select **Next** and then select Identities for each Authorization System that you would like members of this group to Request on.
+
+1. Select **Save**, The following message appears: **New Group Has been Created Successfully.**
+1. To see the group you created in the **Groups** table, refresh the page.
+
+## Next steps
+
+- For information about how to manage user information, see [Manage users and groups with the User management dashboard](ui-user-management.md).
+- For information about how to view information about active and completed tasks, see [View information about active and completed tasks](ui-tasks.md).
+- For information about how to view personal and organization information, see [View personal and organization information](product-account-settings.md).
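Review bot: The note after the introduction is written as `[!NOTE] The Permissions Management Administrator ...` on a plain line instead of the `> [!NOTE]` blockquote form used in every other article in this change, so it will not render as a callout; "group based" should also be hyphenated. The numbered list under "Select administrative permissions settings for a group" has a stray empty item (`1. Select the permission setting you want:` followed by a bare `2.`), which breaks the automatic numbering of the remaining steps. The permission names are inconsistent: the option descriptions say **View**, **Control**, and **Approve**, while the following steps say **Viewer**, **Controller**, or **Approver**; use the labels the UI shows. The repeated bullet "Select Identities for each Authorization System that you would like members of this group to Request on" is hard to parse; suggest "Select the identities in each authorization system that members of this group can request permissions for." Because these permissions are bound to an Azure Active Directory security group, the article should state that whoever can change that group's membership also controls who holds Permissions Management administrative rights, so the group needs to be managed with that in mind. Also, "Select **Save**, The following message appears" should be two sentences, and the three "If you selected ..." items should end consistently (colon or period) and use the same tense ("If you select **Custom**" differs from the other two).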
active-directory How To Create Role Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/how-to-create-role-policy.md
+
+ Title: Create a role/policy in the Remediation dashboard in Permissions Management
+description: How to create a role/policy in the Remediation dashboard in Permissions Management.
+++++++ Last updated : 02/23/2022+++
+# Create a role/policy in the Remediation dashboard
+
+> [!IMPORTANT]
+> Microsoft Entra Permissions Management is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+This article describes how you can use the **Remediation** dashboard in Permissions Management to create roles/policies for the Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) authorization systems.
+
+> [!NOTE]
+> To view the **Remediation** tab, you must have **Viewer**, **Controller**, or **Administrator** permissions. To make changes on this tab, you must have **Controller** or **Administrator** permissions. If you don't have these permissions, contact your system administrator.
+
+> [!NOTE]
+> Microsoft Azure uses the term *role* for what other cloud providers call *policy*. Permissions Management automatically makes this terminology change when you select the authorization system type. In the user documentation, we use *role/policy* to refer to both.
+
+## Create a policy for AWS
+
+1. On the Entra home page, select the **Remediation** tab, and then select the **Role/Policies** tab.
+1. Use the dropdown lists to select the **Authorization System Type** and **Authorization System**.
+1. Select **Create Policy**.
+1. On the **Details** page, the **Authorization System Type** and **Authorization System** are pre-populated from your previous settings.
+ - To change the settings, make a selection from the dropdown.
+1. Under **How Would You Like To Create The Policy**, select the required option:
+
+ - **Activity of User(s)**: Allows you to create a policy based on user activity.
+ - **Activity of Group(s)**: Allows you to create a policy based on the aggregated activity of all the users belonging to the group(s).
+ - **Activity of Resource(s)**: Allows you to create a policy based on the activity of a resource, for example, an EC2 instance.
+ - **Activity of Role**: Allows you to create a policy based on the aggregated activity of all the users that assumed the role.
+ - **Activity of Tag(s)**: Allows you to create a policy based on the aggregated activity of all the tags.
+ - **Activity of Lambda Function**: Allows you to create a new policy based on the Lambda function.
+ - **From Existing Policy**: Allows you to create a new policy based on an existing policy.
+ - **New Policy**: Allows you to create a new policy from scratch.
+1. In **Tasks performed in last**, select the duration: **90 days**, **60 days**, **30 days**, **7 days**, or **1 day**.
+1. Depending on your preference, select or deselect **Include Access Advisor data.**
+1. In **Settings**, from the **Available** column, select the plus sign **(+)** to move the identity into the **Selected** column, and then select **Next**.
+
+1. On the **Tasks** page, from the **Available** column, select the plus sign **(+)** to move the task into the **Selected** column.
+ - To add a whole category, select a category.
+ - To add individual items from a category, select the down arrow on the left of the category name, and then select individual items.
+1. In **Resources**, select **All Resources** or **Specific Resources**.
+
+ If you select **Specific Resources**, a list of available resources appears. Find the resources you want to add, and then select **Add**.
+1. In **Request Conditions**, select **JSON** .
+1. In **Effect**, select **Allow** or **Deny**, and then select **Next**.
+1. In **Policy name:**, enter a name for your policy.
+1. To add another statement to your policy, select **Add Statement**, and then, from the list of **Statements**, select a statement.
+1. Review your **Task**, **Resources**, **Request Conditions**, and **Effect** settings, and then select **Next**.
++
+1. On the **Preview** page, review the script to confirm it's what you want.
+1. If your controller isn't enabled, select **Download JSON** or **Download Script** to download the code and run it yourself.
+
+ If your controller is enabled, skip this step.
+1. Select **Split Policy**, and then select **Submit**.
+
+ A message confirms that your policy has been submitted for creation
+
+1. The [**Permissions Management Tasks**](ui-tasks.md) pane appears on the right.
+ - The **Active** tab displays a list of the policies Permissions Management is currently processing.
+ - The **Completed** tab displays a list of the policies Permissions Management has completed.
+1. Refresh the **Role/Policies** tab to see the policy you created.
+++
+## Create a role for Azure
+
+1. On the Permissions Management home page, select the **Remediation** tab, and then select the **Role/Policies** tab.
+1. Use the dropdown lists to select the **Authorization System Type** and **Authorization System**.
+1. Select **Create Role**.
+1. On the **Details** page, the **Authorization System Type** and **Authorization System** are pre-populated from your previous settings.
+ - To change the settings, select the box and make a selection from the dropdown.
+1. Under **How Would You Like To Create The Role?**, select the required option:
+
+ - **Activity of User(s)**: Allows you to create a role based on user activity.
+ - **Activity of Group(s)**: Allows you to create a role based on the aggregated activity of all the users belonging to the group(s).
+ - **Activity of App(s)**: Allows you to create a role based on the aggregated activity of all apps.
+ - **From Existing Role**: Allows you to create a new role based on an existing role.
+ - **New Role**: Allows you to create a new role from scratch.
+
+1. In **Tasks performed in last**, select the duration: **90 days**, **60 days**, **30 days**, **7 days**, or **1 day**.
+1. Depending on your preference:
+ - Select or deselect **Ignore Non-Microsoft Read Actions**.
+ - Select or deselect **Include Read-Only Tasks**.
+1. In **Settings**, from the **Available** column, select the plus sign **(+)** to move the identity into the **Selected** column, and then select **Next**.
+
+1. On the **Tasks** page, in **Role name:**, enter a name for your role.
+1. From the **Available** column, select the plus sign **(+)** to move the task into the **Selected** column.
+ - To add a whole category, select a category.
+ - To add individual items from a category, select the down arrow on the left of the category name, and then select individual items.
+1. Select **Next**.
+
+1. On the **Preview** page, review:
+ - The list of selected **Actions** and **Not Actions**.
+ - The **JSON** or **Script** to confirm it's what you want.
+1. If your controller isn't enabled, select **Download JSON** or **Download Script** to download the code and run it yourself.
+
+ If your controller is enabled, skip this step.
+
+1. Select **Submit**.
+
+ A message confirms that your role has been submitted for creation
+
+1. The [**Permissions Management Tasks**](ui-tasks.md) pane appears on the right.
+ - The **Active** tab displays a list of the policies Permissions Management is currently processing.
+ - The **Completed** tab displays a list of the policies Permissions Management has completed.
+1. Refresh the **Role/Policies** tab to see the role you created.
+
+## Create a role for GCP
+
+1. On the Permissions Management home page, select the **Remediation** tab, and then select the **Role/Policies** tab.
+1. Use the dropdown lists to select the **Authorization System Type** and **Authorization System**.
+1. Select **Create Role**.
+1. On the **Details** page, the **Authorization System Type** and **Authorization System** are pre-populated from your previous settings.
+ - To change the settings, select the box and make a selection from the dropdown.
+1. Under **How Would You Like To Create The Role?**, select the required option:
+
+ - **Activity of User(s)**: Allows you to create a role based on user activity.
+ - **Activity of Group(s)**: Allows you to create a role based on the aggregated activity of all the users belonging to the group(s).
+ - **Activity of Service Account(s)**: Allows you to create a role based on the aggregated activity of all service accounts.
+ - **From Existing Role**: Allows you to create a new role based on an existing role.
+ - **New Role**: Allows you to create a new role from scratch.
+
+1. In **Tasks performed in last**, select the duration: **90 days**, **60 days**, **30 days**, **7 days**, or **1 day**.
+1. If you selected **Activity Of Service Account(s)** in the previous step, select or deselect **Collect activity across all GCP Authorization Systems.**
+1. From the **Available** column, select the plus sign **(+)** to move the identity into the **Selected** column, and then select **Next**.
++
+1. On the **Tasks** page, in **Role name:**, enter a name for your role.
+1. From the **Available** column, select the plus sign **(+)** to move the task into the **Selected** column.
+ - To add a whole category, select a category.
+ - To add individual items from a category, select the down arrow on the left of the category name, and then select individual items.
+1. Select **Next**.
+
+1. On the **Preview** page, review:
+ - The list of selected **Actions**.
+ - The **YAML** or **Script** to confirm it's what you want.
+1. If your controller isn't enabled, select **Download YAML** or **Download Script** to download the code and run it yourself.
+1. Select **Submit**.
+ A message confirms that your role has been submitted for creation
+
+1. The [**Permissions Management Tasks**](ui-tasks.md) pane appears on the right.
+
+ - The **Active** tab displays a list of the policies Permissions Management is currently processing.
+ - The **Completed** tab displays a list of the policies Permissions Management has completed.
+1. Refresh the **Role/Policies** tab to see the role you created.
++
+## Next steps
+
+- For information on how to view existing roles/policies, requests, and permissions, see [View roles/policies, requests, and permission in the Remediation dashboard](ui-remediation.md).
+- For information on how to modify a role/policy, see [Modify a role/policy](how-to-modify-role-policy.md).
+- For information on how to clone a role/policy, see [Clone a role/policy](how-to-clone-role-policy.md).
+- For information on how to delete a role/policy, see [Delete a role/policy](how-to-delete-role-policy.md).
+- To view information about roles/policies, see [View information about roles/policies](how-to-view-role-policy.md).
+- For information on how to attach and detach permissions for AWS identities, see [Attach and detach policies for AWS identities](how-to-attach-detach-permissions.md).
+- For information on how to revoke high-risk and unused tasks or assign read-only status for Azure and GCP identities, see [Revoke high-risk and unused tasks or assign read-only status for Azure and GCP identities](how-to-revoke-task-readonly-status.md)
+- For information on how to create or approve a request for permissions, see [Create or approve a request for permissions](how-to-create-approve-privilege-request.md).
+- For information on how to view information about roles/policies, see [View information about roles/policies](how-to-view-role-policy.md)
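Review bot: The Next steps list links to how-to-view-role-policy.md twice ("To view information about roles/policies" and "For information on how to view information about roles/policies"); drop one, and add the missing trailing periods on the revoke and view bullets. The first step of "Create a policy for AWS" says "On the Entra home page" while the Azure and GCP sections say "On the Permissions Management home page"; use one name. In the AWS procedure, `1. Select **Split Policy**, and then select **Submit**.` introduces **Split Policy** without saying what it does or when it is needed, and the Azure and GCP procedures have no equivalent step, so a sentence explaining it is needed. The GCP procedure omits the "If your controller is enabled, skip this step." sentence that follows the **Download** step in the AWS and Azure procedures; the controller-enabled path should be described the same way in all three. The **Active** and **Completed** bullets in the Azure and GCP sections still say "policies" although those sections create roles, the three "A message confirms that your role/policy has been submitted for creation" lines are missing their periods, and "select **JSON** ." has a stray space before the period.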
active-directory How To Create Rule https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/how-to-create-rule.md
+
+ Title: Create a rule in the Autopilot dashboard in Permissions Management
+description: How to create a rule in the Autopilot dashboard in Permissions Management.
+++++++ Last updated : 02/23/2022+++
+# Create a rule in the Autopilot dashboard
+
+> [!IMPORTANT]
+> Microsoft Entra Permissions Management is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+This article describes how to create a rule in the Permissions Management **Autopilot** dashboard.
+
+> [!NOTE]
+> Only users with **Administrator** permissions can view and make changes on the Autopilot tab. If you don't have these permissions, contact your system administrator.
+
+## Create a rule
+
+1. In the Permissions Management home page, select the **Autopilot** tab.
+1. In the **Autopilot** dashboard, from the **Authorization system types** dropdown, select Amazon Web Services (**AWS**), Microsoft **Azure**, or Google Cloud Platform (**GCP**).
+1. From the **Authorization System** dropdown, in the **List** and **Folders** box, select the account and folder names that you want, and then select **Apply**.
+1. In the **Autopilot** dashboard, select **New Rule**.
+1. In the **Rule Name** box, enter a name for your rule.
+1. Select **AWS**, **Azure**, **GCP**, and then select **Next**.
+
+1. Select **Authorization Systems**, and then select **All** or the account names that you want.
+1. From the **Folders** dropdown, select a folder, and then select **Apply**.
+
+ To change your folder settings, select **Reset**.
+
+ - The **Status** column displays if the authorization system is **Online** or **Offline**.
+ - The **Controller** column displays if the controller is **Enabled** or **Not Enabled**.
++
+1. Select **Configure** , and then select the following parameters for your rule:
+
+ - **Role Created On Is**: Select the duration in days.
+ - **Role Last Used On Is**: Select the duration in days when the role was last used.
+ - **Cross Account Role**: Select **True** or **False**.
+
+1. Select **Mode**, and then, if you want recommendations to be generated and applied manually, select **On-Demand**.
+1. Select **Save**
+
+ The following information displays in the **Autopilot Rules** table:
+
+ - **Rule Name**: The name of the rule.
+ - **State**: The status of the rule: idle (not being use) or active (being used).
+ - **Rule Type**: The type of rule being applied.
+ - **Mode**: The status of the mode: on-demand or not.
+ - **Last Generated**: The date and time the rule was last generated.
+ - **Created By**: The email address of the user who created the rule.
+ - **Last Modified On**: The date and time the rule was last modified.
+ - **Subscription**: Provides an **On** or **Off** switch that allows you to receive email notifications when recommendations have been generated, applied, or unapplied.
++++
+## Next steps
+
+- For more information about viewing rules, see [View roles in the Autopilot dashboard](ui-autopilot.md).
+- For information about generating, viewing, and applying rule recommendations for rules, see [Generate, view, and apply rule recommendations for rules](how-to-recommendations-rule.md).
+- For information about notification settings for rules, see [View notification settings for a rule](how-to-notifications-rule.md).
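Review bot: In the **State** description, "idle (not being use)" should be "idle (not being used)". The step `1. Select **AWS**, **Azure**, **GCP**, and then select **Next**.` is missing an "or" and repeats the authorization system type already chosen from the **Authorization system types** dropdown in step 2; clarify whether this is a second selection or remove it. The **Mode** step describes only **On-Demand** ("if you want recommendations to be generated and applied manually") and the table description says "on-demand or not", so the other mode is never named; the article should name it and say whether it applies recommendations without a manual review step, since that is the decision a reader makes here. Minor: "Select **Configure** ," has a stray space before the comma, and "Select **Save**" is missing its period.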
active-directory How To Delete Role Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/how-to-delete-role-policy.md
+
+ Title: Delete a role/policy in the Remediation dashboard in Permissions Management
+description: How to delete a role/policy in the Just Enough Permissions (JEP) Controller.
+++++++ Last updated : 02/23/2022+++
+# Delete a role/policy in the Remediation dashboard
+
+> [!IMPORTANT]
+> Microsoft Entra Permissions Management is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+This article describes how you can use the **Remediation** dashboard in Permissions Management to delete roles/policies for the Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) authorization systems.
+
+> [!NOTE]
+> To view the **Remediation** dashboard, you must have **Viewer**, **Controller**, or **Administrator** permissions. To make changes on this tab, you must have **Controller** or **Administrator** permissions. If you don't have these permissions, contact your system administrator.
+
+> [!NOTE]
+> Microsoft Azure uses the term *role* for what other Cloud providers call *policy*. Permissions Management automatically makes this terminology change when you select the authorization system type. In the user documentation, we use *role/policy* to refer to both.
+
+## Delete a role/policy
+
+1. On the Permissions Management home page, select the **Remediation** tab, and then select the **Role/Policies** subtab.
+1. Select the role/policy you want to delete, and from the **Actions** column, select **Delete**.
+
+ You can only delete a role/policy if it isn't assigned to an identity.
+
+ You can't delete system roles/policies.
+
+1. On the **Preview** page, review the role/policy information to make sure you want to delete it, and then select **Submit**.
+
+## Next steps
++
+- For information on how to view existing roles/policies, requests, and permissions, see [View roles/policies, requests, and permission in the Remediation dashboard](ui-remediation.md).
+- For information on how to create a role/policy, see [Create a role/policy](how-to-create-role-policy.md).
+- For information on how to clone a role/policy, see [Clone a role/policy](how-to-clone-role-policy.md).
+- For information on how to modify a role/policy, see Modify a role/policy](how-to-modify-role-policy.md).
+- To view information about roles/policies, see [View information about roles/policies](how-to-view-role-policy.md).
+- For information on how to attach and detach permissions for AWS identities, see [Attach and detach policies for AWS identities](how-to-attach-detach-permissions.md).
+- For information on how to revoke high-risk and unused tasks or assign read-only status for Azure and GCP identities, see [Revoke high-risk and unused tasks or assign read-only status for Azure and GCP identities](how-to-revoke-task-readonly-status.md)
+- For information on how to create or approve a request for permissions, see [Create or approve a request for permissions](how-to-create-approve-privilege-request.md).
+- For information on how to view information about roles/policies, see [View information about roles/policies](how-to-view-role-policy.md)
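Review bot: The Next steps list has a broken link and a duplicate entry. The Modify bullet reads "see Modify a role/policy](how-to-modify-role-policy.md)" and is missing the opening `[`, so it will render as literal text; and "View information about roles/policies" (how-to-view-role-policy.md) is listed twice, once as "To view information about roles/policies" and again as the last bullet. The last two bullets also lack a trailing period. Separately, the description metadata refers to the "Just Enough Permissions (JEP) Controller", a name used nowhere in the article body; align it with the title ("Remediation dashboard in Permissions Management").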
active-directory How To Modify Role Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/how-to-modify-role-policy.md
+
+ Title: Modify a role/policy in the Remediation dashboard in Permissions Management
+description: How to modify a role/policy in the Remediation dashboard in Permissions Management.
+++++++ Last updated : 02/23/2022+++
+# Modify a role/policy in the Remediation dashboard
+
+> [!IMPORTANT]
+> Microsoft Entra Permissions Management is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+This article describes how you can use the **Remediation** dashboard in Permissions Management to modify roles/policies for the Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) authorization systems.
+
+> [!NOTE]
+> To view the **Remediation** tab, you must have **Viewer**, **Controller**, or **Administrator** permissions. To make changes on this tab, you must have **Controller** or **Administrator** permissions. If you don't have these permissions, contact your system administrator.
+
+> [!NOTE]
+> Microsoft Azure uses the term *role* for what other cloud providers call *policy*. Permissions Management automatically makes this terminology change when you select the authorization system type. In the user documentation, we use *role/policy* to refer to both.
+
+## Modify a role/policy
+
+1. On the Permissions Management home page, select the **Remediation** tab, and then select the **Role/Policies** tab.
+1. Select the role/policy you want to modify, and from the **Actions** column, select **Modify**.
+
+ You can't modify **System** policies and roles.
+
+1. On the **Statements** page, make your changes to the **Tasks**, **Resources**, **Request conditions**, and **Effect** sections as required, and then select **Next**.
+
+1. Review the changes to the JSON or script on the **Preview** page, and then select **Submit**.
+
+## Next steps
+
+- For information on how to view existing roles/policies, requests, and permissions, see [View roles/policies, requests, and permission in the Remediation dashboard](ui-remediation.md).
+- For information on how to create a role/policy, see [Create a role/policy](how-to-create-role-policy.md).
+- For information on how to clone a role/policy, see [Clone a role/policy](how-to-clone-role-policy.md).
+- For information on how to delete a role/policy, see [Delete a role/policy](how-to-delete-role-policy.md).
+- To view information about roles/policies, see [View information about roles/policies](how-to-view-role-policy.md).
+- For information on how to attach and detach permissions for AWS identities, see [Attach and detach policies for AWS identities](how-to-attach-detach-permissions.md).
+- For information on how to revoke high-risk and unused tasks or assign read-only status for Azure and GCP identities, see [Revoke high-risk and unused tasks or assign read-only status for Azure and GCP identities](how-to-revoke-task-readonly-status.md)
+- For information on how to create or approve a request for permissions, see [Create or approve a request for permissions](how-to-create-approve-privilege-request.md).
+- For information on how to view information about roles/policies, see [View information about roles/policies](how-to-view-role-policy.md)
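Review bot: The Next steps list repeats the link to how-to-view-role-policy.md ("To view information about roles/policies" and "For information on how to view information about roles/policies"); drop one. The Revoke bullet and the final bullet are missing their trailing period. Step 1 calls the Role/Policies control a "tab" while the companion Delete article in this same change calls it a "subtab"; pick one term across the set.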
active-directory How To Notifications Rule https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/how-to-notifications-rule.md
+
+ Title: View notification settings for a rule in the Autopilot dashboard in Permissions Management
+description: How to view notification settings for a rule in the Autopilot dashboard in Permissions Management.
+++++++ Last updated : 02/23/2022+++
+# View notification settings for a rule in the Autopilot dashboard
+
+> [!IMPORTANT]
+> Microsoft Entra Permissions Management is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+This article describes how to view notification settings for a rule in the Permissions Management **Autopilot** dashboard.
+
+> [!NOTE]
+> Only users with **Administrator** permissions can view and make changes on the Autopilot tab. If you don't have these permissions, contact your system administrator.
+
+## View notification settings for a rule
+
+1. In the Permissions Management home page, select the **Autopilot** tab.
+1. In the **Autopilot** dashboard, from the **Authorization system types** dropdown, select Amazon Web Services (**AWS**), Microsoft **Azure**, or Google Cloud Platform (**GCP**).
+1. From the **Authorization System** dropdown, in the **List** and **Folders** box, select the account and folder names that you want, and then select **Apply**.
+1. In the **Autopilot** dashboard, select a rule.
+1. In the far right of the row, select the ellipses **(...)**
+1. To view notification settings for a rule, select **Notification Settings**.
+
+ Permissions Management displays a list of subscribed users. These users are signed up to receive notifications for the selected rule.
+
+1. To close the **Notification Settings** box, select **Close**.
++
+## Next steps
+
+- For more information about viewing rules, see [View roles in the Autopilot dashboard](ui-autopilot.md).
+- For information about creating rules, see [Create a rule](how-to-create-rule.md).
+- For information about generating, viewing, and applying rule recommendations for rules, see [Generate, view, and apply rule recommendations for rules](how-to-recommendations-rule.md).
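Review bot: Step 5 ("In the far right of the row, select the ellipses **(...)**") ends without a period, unlike the other steps. The stray `++` line before the Next steps heading looks like a stray extra blank line in the source; and the first Next steps bullet links ui-autopilot.md as "View roles in the Autopilot dashboard" where "rules" is meant.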
active-directory How To Recommendations Rule https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/how-to-recommendations-rule.md
+
+ Title: Generate, view, and apply rule recommendations in the Autopilot dashboard in Permissions Management
+description: How to generate, view, and apply rule recommendations in the Autopilot dashboard in Permissions Management.
+++++++ Last updated : 02/23/2022+++
+# Generate, view, and apply rule recommendations in the Autopilot dashboard
+
+> [!IMPORTANT]
+> Microsoft Entra Permissions Management is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+This article describes how to generate and view rule recommendations in the Permissions Management **Autopilot** dashboard.
+
+> [!NOTE]
+> Only users with **Administrator** permissions can view and make changes on the Autopilot tab. If you don't have these permissions, contact your system administrator.
+
+## Generate rule recommendations
+
+1. In the Permissions Management home page, select the **Autopilot** tab.
+1. In the **Autopilot** dashboard, from the **Authorization system types** dropdown, select Amazon Web Services (**AWS**), Microsoft **Azure**, or Google Cloud Platform (**GCP**).
+1. From the **Authorization System** dropdown, in the **List** and **Folders** box, select the account and folder names that you want, and then select **Apply**.
+1. In the **Autopilot** dashboard, select a rule.
+1. In the far right of the row, select the ellipses **(...)**.
+1. To generate recommendations for each user and the authorization system, select **Generate Recommendations**.
+
+ Only the user who created the selected rule can generate a recommendation.
+1. View your recommendations in the **Recommendations** subtab.
+1. Select **Close** to close the **Recommendations** subtab.
+
+## View rule recommendations
+
+1. In the Permissions Management home page, select the **Autopilot** tab.
+1. In the **Autopilot** dashboard, from the **Authorization system types** dropdown, select Amazon Web Services (**AWS**), Microsoft **Azure**, or Google Cloud Platform (**GCP**).
+1. From the **Authorization System** dropdown, in the **List** and **Folders** box, select the account and folder names that you want, and then select **Apply**.
+1. In the **Autopilot** dashboard, select a rule.
+1. In the far right of the row, select the ellipses **(...)**
+
+1. To view recommendations for each user and the authorization system, select **View Recommendations**.
+
+ Permissions Management displays the recommendations for each user and authorization system in the **Recommendations** subtab.
+
+1. Select **Close** to close the **Recommendations** subtab.
+
+## Apply rule recommendations
+
+1. In the Permissions Management home page, select the **Autopilot** tab.
+1. In the **Autopilot** dashboard, from the **Authorization system types** dropdown, select Amazon Web Services (**AWS**), Microsoft **Azure**, or Google Cloud Platform (**GCP**).
+1. From the **Authorization System** dropdown, in the **List** and **Folders** box, select the account and folder names that you want, and then select **Apply**.
+1. In the **Autopilot** dashboard, select a rule.
+1. In the far right of the row, select the ellipses **(...)**
+
+1. To view recommendations for each user and the authorization system, select **View Recommendations**.
+
+ Permissions Management displays the recommendations for each user and authorization system in the **Recommendations** subtab.
+
+1. To apply a recommendation, select the **Apply Recommendations** subtab, and then select a recommendation.
+1. Select **Close** to close the **Recommendations** subtab.
+
+## Unapply rule recommendations
+
+1. In the Permissions Management home page, select the **Autopilot** tab.
+1. In the **Autopilot** dashboard, from the **Authorization system types** dropdown, select Amazon Web Services (**AWS**), Microsoft **Azure**, or Google Cloud Platform (**GCP**).
+1. From the **Authorization System** dropdown, in the **List** and **Folders** box, select the account and folder names that you want, and then select **Apply**.
+1. In the **Autopilot** dashboard, select a rule.
+1. In the far right of the row, select the ellipses **(...)**
+
+1. To view recommendations for each user and the authorization system, select **View Recommendations**.
+
+ Permissions Management displays the recommendations for each user and authorization system in the **Recommendations** subtab.
+
+1. To remove a recommendation, select the **Unapply Recommendations** subtab, and then select a recommendation.
+1. Select **Close** to close the **Recommendations** subtab.
++
+## Next steps
+
+- For more information about viewing rules, see [View roles in the Autopilot dashboard](ui-autopilot.md).
+- For information about creating rules, see [Create a rule](how-to-create-rule.md).
+- For information about notification settings for rules, see [View notification settings for a rule](how-to-notifications-rule.md).
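Review bot: In "Apply rule recommendations" and "Unapply rule recommendations" the procedure ends with "select the **Apply Recommendations** subtab, and then select a recommendation" followed directly by "Select **Close**"; since these steps change effective permissions, state explicitly whether selecting the recommendation applies it immediately or whether a confirm action is required, as the revoke procedures elsewhere in this change do ("Are you sure you want to change permission?"). Also, the note "Only the user who created the selected rule can generate a recommendation." sits on the line right before step 7 with no blank line between them, so it will be glued onto the following list item; and the ellipsis step in the View, Apply and Unapply sections lacks its trailing period while the one in Generate has it. The Next steps bullet "View roles in the Autopilot dashboard" should read "rules".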
active-directory How To Revoke Task Readonly Status https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/how-to-revoke-task-readonly-status.md
+
+ Title: Revoke access to high-risk and unused tasks or assign read-only status for Microsoft Azure and Google Cloud Platform (GCP) identities in the Remediation dashboard in Permissions Management
+description: How to revoke access to high-risk and unused tasks or assign read-only status for Microsoft Azure and Google Cloud Platform (GCP) identities in the Remediation dashboard in Permissions Management.
+++++++ Last updated : 02/23/2022+++
+# Revoke access to high-risk and unused tasks or assign read-only status for Microsoft Azure and Google Cloud Platform (GCP) identities
++
+> [!IMPORTANT]
+> Microsoft Entra Permissions Management is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+This article describes how you can revoke high-risk and unused tasks or assign read-only status for Microsoft Azure and Google Cloud Platform (GCP) identities using the **Remediation** dashboard.
+
+> [!NOTE]
+> To view the **Remediation** tab, your must have **Viewer**, **Controller**, or **Administrator** permissions. To make changes on this tab, you must have **Controller** or **Administrator** permissions. If you don't have these permissions, contact your system administrator.
+
+## View an identity's permissions
+
+1. On the Permissions Management home page, select the **Remediation** tab, and then select the **Permissions** subtab.
+1. From the **Authorization System Type** dropdown, select **Azure** or **GCP**.
+1. From the **Authorization System** dropdown, select the accounts you want to access.
+1. From the **Search for** dropdown, select **Group**, **User**, or **APP/Service Account**.
+1. To search for more parameters, you can make a selection from the **User States**, **Permission Creep Index**, and **Task Usage** dropdowns.
+1. Select **Apply**.
+
+ Permissions Management displays a list of groups, users, and service accounts that match your criteria.
+1. In **Enter a username**, enter or select a user.
+1. In **Enter a Group Name**, enter or select a group, then select **Apply**.
+1. Make a selection from the results list.
+
+ The table displays the **Username** **Domain/Account**, **Source**, **Resource** and **Current Role**.
++
+## Revoke an identity's access to unused tasks
+
+1. On the Permissions Management home page, select the **Remediation** tab, and then select the **Permissions** subtab.
+1. From the **Authorization System Type** dropdown, select **Azure** or **GCP**.
+1. From the **Authorization System** dropdown, select the accounts you want to access.
+1. From the **Search for** dropdown, select **Group**, **User**, or **APP/Service Account**, and then select **Apply**.
+1. Make a selection from the results list.
+
+1. To revoke an identity's access to tasks they aren't using, select **Revoke Unused Tasks**.
+1. When the following message displays: **Are you sure you want to change permission?**, select:
+ - **Generate Script** to generate a script where you can manually add/remove the permissions you selected.
+ - **Execute** to change the permission.
+ - **Close** to cancel the action.
+
+## Revoke an identity's access to high-risk tasks
+
+1. On the Permissions Management home page, select the **Remediation** tab, and then select the **Permissions** subtab.
+1. From the **Authorization System Type** dropdown, select **Azure** or **GCP**.
+1. From the **Authorization System** dropdown, select the accounts you want to access.
+1. From the **Search For** dropdown, select **Group**, **User**, or **APP/Service Account**, and then select **Apply**.
+1. Make a selection from the results list.
+
+1. To revoke an identity's access to high-risk tasks, select **Revoke High-Risk Tasks**.
+1. When the following message displays: **Are you sure you want to change permission?**, select:
+ - **Generate Script** to generate a script where you can manually add/remove the permissions you selected.
+ - **Execute** to change the permission.
+ - **Close** to cancel the action.
+
+## Revoke an identity's ability to delete tasks
+
+1. On the Permissions Management home page, select the **Remediation** tab, and then select the **Permissions** subtab.
+1. From the **Authorization System Type** dropdown, select **Azure** or **GCP**.
+1. From the **Authorization System** dropdown, select the accounts you want to access.
+1. From the **Search For** dropdown, select **Group**, **User**, or **APP/Service Account**, and then select **Apply**.
+1. Make a selection from the results list.
+
+1. To revoke an identity's ability to delete tasks, select **Revoke Delete Tasks**.
+1. When the following message displays: **Are you sure you want to change permission?**, select:
+ - **Generate Script** to generate a script where you can manually add/remove the permissions you selected.
+ - **Execute** to change the permission.
+ - **Close** to cancel the action.
+
+## Assign read-only status to an identity
+
+1. On the Permissions Management home page, select the **Remediation** tab, and then select the **Permissions** subtab.
+1. From the **Authorization System Type** dropdown, select **Azure** or **GCP**.
+1. From the **Authorization System** dropdown, select the accounts you want to access.
+1. From the **Search for** dropdown, select **Group**, **User**, or **APP/Service Account**, and then select **Apply**.
+1. Make a selection from the results list.
+
+1. To assign read-only status to an identity, select **Assign Read-Only Status**.
+1. When the following message displays: **Are you sure you want to change permission?**, select:
+ - **Generate Script** to generate a script where you can manually add/remove the permissions you selected.
+ - **Execute** to change the permission.
+ - **Close** to cancel the action.
++
+## Next steps
+
+- For information on how to view existing roles/policies, requests, and permissions, see [View roles/policies, requests, and permission in the Remediation dashboard](ui-remediation.md).
+- For information on how to create a role/policy, see [Create a role/policy](how-to-create-role-policy.md).
+- For information on how to clone a role/policy, see [Clone a role/policy](how-to-clone-role-policy.md).
+- For information on how to delete a role/policy, see [Delete a role/policy](how-to-delete-role-policy.md).
+- For information on how to modify a role/policy, see Modify a role/policy](how-to-modify-role-policy.md).
+- To view information about roles/policies, see [View information about roles/policies](how-to-view-role-policy.md).
+- For information on how to attach and detach permissions for AWS identities, see [Attach and detach policies for AWS identities](how-to-attach-detach-permissions.md).
+- For information on how to add and remove roles and tasks for Azure and GCP identities, see [Add and remove roles and tasks for Azure and GCP identities](how-to-attach-detach-permissions.md).
+- For information on how to create or approve a request for permissions, see [Create or approve a request for permissions](how-to-create-approve-privilege-request.md).
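Review bot: The second-to-last Next steps bullet, "Add and remove roles and tasks for Azure and GCP identities", points at how-to-attach-detach-permissions.md, the same target as the preceding AWS bullet; it looks like the wrong file. The Modify bullet is missing its opening `[` ("see Modify a role/policy](how-to-modify-role-policy.md)"). In the body: the permissions note has "your must have" (should be "you must have"), and the results description "The table displays the **Username** **Domain/Account**, **Source**, **Resource** and **Current Role**." is missing the comma after **Username**.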
active-directory How To View Role Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/how-to-view-role-policy.md
+
+ Title: View information about roles/ policies in the Remediation dashboard in Permissions Management
+description: How to view and filter information about roles/ policies in the Remediation dashboard in Permissions Management.
+++++++ Last updated : 02/23/2022+++
+# View information about roles/ policies in the Remediation dashboard
+
+> [!IMPORTANT]
+> Microsoft Entra Permissions Management is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+The **Remediation** dashboard in Permissions Management enables system administrators to view, adjust, and remediate excessive permissions based on a user's activity data. You can use the **Roles/Policies** subtab in the dashboard to view information about roles and policies in the Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) authorization systems.
+
+> [!NOTE]
+> To view the **Remediation dashboard** tab, you must have **Viewer**, **Controller**, or **Administrator** permissions. To make changes on this tab, you must have **Controller** or **Administrator** permissions. If you don't have these permissions, contact your system administrator.
+
+> [!NOTE]
+> Microsoft Azure uses the term *role* for what other Cloud providers call *policy*. Permissions Management automatically makes this terminology change when you select the authorization system type. In the user documentation, we use *role/policy* to refer to both.
++
+## View information about roles/policies
+
+1. On the Permissions Management home page, select the **Remediation** tab, and then select the **Role/Policies** subtab.
+
+ The **Role/Policies list** displays a list of existing roles/policies and the following information about each role/policy
+ - **Role/Policy Name**: The name of the roles/policies available to you.
+ - **Role/Policy Type**: **Custom**, **System**, or **Permissions Management Only**
+ - **Actions**: The type of action you can perform on the role/policy, **Clone**, **Modify**, or **Delete**
++
+1. To display details about the role/policy and view its assigned tasks and identities, select the arrow to the left of the role/policy name.
+
+ The **Tasks** list appears, displaying:
+ - A list of **Tasks**.
+ - **For AWS:**
+ - The **Users**, **Groups**, and **Roles** the task is **Directly Assigned To**.
+ - The **Group Members** and **Role Identities** the task is **Indirectly Accessible By**.
+
+ - **For Azure:**
+ - The **Users**, **Groups**, **Enterprise Applications** and **Managed Identities** the task is **Directly Assigned To**.
+ - The **Group Members** the task is **Indirectly Accessible By**.
+
+ - **For GCP:**
+ - The **Users**, **Groups**, and **Service Accounts** the task is **Directly Assigned To**.
+ - The **Group Members** the task is **Indirectly Accessible By**.
+
+1. To close the role/policy details, select the arrow to the left of the role/policy name.
+
+## Export information about roles/policies
+
+- **Export CSV**: Select this option to export the displayed list of roles/policies as a comma-separated values (CSV) file.
+
+ When the file is successfully exported, a message appears: **Exported Successfully.**
+
+ - Check your email for a message from the Permissions Management Customer Success Team. This email contains a link to:
+ - The **Role Policy Details** report in CSV format.
+ - The **Reports** dashboard where you can configure how and when you can automatically receive reports.
++++
+## Filter information about roles/policies
+
+1. On the Permissions Management home page, select the **Remediation** dashboard, and then select the **Role/Policies** tab.
+1. To filter the roles/policies, select from the following options:
+
+ - **Authorization System Type**: Select **AWS**, **Azure**, or **GCP**.
+ - **Authorization System**: Select the accounts you want.
+ - **Role/Policy Type**: Select from the following options:
+
+ - **All**: All managed roles/policies.
+ - **Custom**: A customer-managed role/policy.
+ - **System**: A cloud service provider-managed role/policy.
+ - **Permissions Management Only**: A role/policy created by Permissions Management.
+
+ - **Role/Policy Status**: Select **All**, **Assigned**, or **Unassigned**.
+ - **Role/Policy Usage**: Select **All** or **Unused**.
+1. Select **Apply**.
+
+ To discard your changes, select **Reset Filter**.
++
+## Next steps
+
+- For information on how to view existing roles/policies, requests, and permissions, see [View roles/policies, requests, and permission in the Remediation dashboard](ui-remediation.md).
+- For information on how to create a role/policy, see [Create a role/policy](how-to-create-role-policy.md).
+- For information on how to clone a role/policy, see [Clone a role/policy](how-to-clone-role-policy.md).
+- For information on how to delete a role/policy, see [Delete a role/policy](how-to-delete-role-policy.md).
+- For information on how to modify a role/policy, see Modify a role/policy](how-to-modify-role-policy.md).
+- For information on how to attach and detach permissions AWS identities, see [Attach and detach policies for AWS identities](how-to-attach-detach-permissions.md).
+- For information on how to revoke high-risk and unused tasks or assign read-only status for Azure and GCP identities, see [Revoke high-risk and unused tasks or assign read-only status for Azure and GCP identities](how-to-revoke-task-readonly-status.md)
+- For information on how to create or approve a request for permissions, see [Create or approve a request for permissions](how-to-create-approve-privilege-request.md).
+- For information on how to view information about roles/policies, see [View information about roles/policies](how-to-view-role-policy.md)
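Review bot: The last Next steps bullet links to how-to-view-role-policy.md, which is this article itself; remove it. The Modify bullet is missing its opening `[` ("see Modify a role/policy](how-to-modify-role-policy.md)"), and the AWS bullet reads "attach and detach permissions AWS identities" (missing "for"). The title, description and H1 write "roles/ policies" with a space, while the body and every other article in this change use "roles/policies"; the sentence ending "the following information about each role/policy" lacks its terminal colon or period; and the `++++` run before the Filter heading looks like stray blank lines in the source.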
active-directory Integration Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/integration-api.md
+
+ Title: Set and view configuration settings in Permissions Management
+description: How to view the Permissions Management API integration settings and create service accounts and roles.
+++++++ Last updated : 02/23/2022+++
+# Set and view configuration settings
+
+> [!IMPORTANT]
+> Microsoft Entra Permissions Management is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+This topic describes how to view configuration settings, create and delete a service account, and create a role in Permissions Management.
+
+## View configuration settings
+
+The **Integrations** dashboard displays the authorization systems available to you.
+
+1. To display the **Integrations** dashboard, select **User** (your initials) in the upper right of the screen, and then select **Integrations.**
+
+ The **Integrations** dashboard displays a tile for each available authorization system.
+
+1. Select an authorization system tile to view the following integration information:
+
+ 1. To find out more about the Permissions Management API, select **Permissions Management API**, and then select documentation.
+ <!Add Link: [documentation](https://developer.cloudknox.io/)>
+
+ 1. To view information about service accounts, select **Integration**:
+ - **Email**: Lists the email address of the user who created the integration.
+ - **Created By**: Lists the first and last name of the user who created the integration.
+ - **Created On**: Lists the date and time the integration was created.
+ - **Recent Activity**: Lists the date and time the integration was last used, or notes if the integration was never used.
+ - **Service Account ID**: Lists the service account ID.
+ - **Access Key**: Lists the access key code.
+
+ 1. To view settings information, select **Settings**:
+ - **Roles can create service account**: Lists the type of roles you can create.
+ - **Access Key Rotation Policy**: Lists notifications and actions you can set.
+ - **Access Key Usage Policy**: Lists notifications and actions you can set.
+
+## Create a service account
+
+1. On the **Integrations** dashboard, select **User**, and then select **Integrations.**
+2. Click **Create Service Account**. The following information is pre-populated on the page:
+ - **API Endpoint**
+ - **Service Account ID**
+ - **Access Key**
+ - **Secret Key**
+
+3. To copy the codes, select the **Duplicate** icon next to the respective information.
+
+ > [!NOTE]
+ > The codes are time sensitive and will regenerate after the box is closed.
+
+4. To regenerate the codes, at the bottom of the column, select **Regenerate**.
+
+## Delete a service account
+
+1. On the **Integrations** dashboard, select **User**, and then select **Integrations.**
+
+1. On the right of the email address, select **Delete Service Account**.
+
+ On the **Validate OTP To Delete [Service Name] Integration** box, a message displays asking you to check your email for a code sent to the email address on file.
+
+ If you don't receive the code, select **Resend OTP**.
+
+1. In the **Enter OTP** box, enter the code from the email.
+
+1. Click **Verify**.
+
+## Create a role
+
+1. On the **Integrations** dashboard, select **User**, and then select **Settings**.
+2. Under **Roles can create service account**, select the role you want:
+ - **Super Admin**
+ - **Viewer**
+ - **Controller**
+
+3. In the **Access Key Rotation Policy** column, select options for the following:
+
+ - **How often should the users rotate their access keys?**: Select **30 days**, **60 days**, **90 days**, or **Never**.
+ - **Notification**: Enter a whole number in the blank space within **Notify "X" days before the selected period**, or select **Don't Notify**.
+ - **Action (after the key rotation period ends)**: Select **Disable Action Key** or **No Action**.
+
+4. In the **Access Key Usage Policy** column, select options for the following:
+
+ - **How often should the users go without using their access keys?**: Select **30 days**, **60 days**, **90 days**, or **Never**.
+ - **Notification**: Enter a whole number in the blank space within **Notify "X" days before the selected period**, or select **Don't Notify**.
+ - **Action (after the key rotation period ends)**: Select **Disable Action Key** or **No Action**.
+
+5. Click **Save**.
+
+<!## Next steps>
+
+<!View integrated authorization systems](product-integrations)>
+<![Installation overview](installation.md)>
+<![Sign up and deploy FortSentry registration](fortsentry-registration.md)>
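Review bot: The commented-out lines use `<!...>` rather than the `<!-- ... -->` comment syntax, so `<!## Next steps>`, `<!View integrated authorization systems](product-integrations)>` and the two lines after it are not valid HTML comments and are likely to render as literal text on the published page; either fix the comment delimiters or remove the lines until the linked articles exist. Related: the step "select **Permissions Management API**, and then select documentation" refers to a documentation link that only exists inside the malformed comment beneath it, so readers get no link. In "Create a role", the **Access Key Usage Policy** column repeats the rotation column's wording verbatim ("**Action (after the key rotation period ends)**"), which reads like a copy-paste; it should refer to the usage period. "**Disable Action Key**" appears in both columns and is presumably "Disable Access Key".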
active-directory Multi Cloud Glossary https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/multi-cloud-glossary.md
+
+ Title: Permissions Management glossary
+description: Permissions Management glossary
+++++++ Last updated : 02/23/2022+++
+# The Permissions Management glossary
+
+> [!IMPORTANT]
+> Microsoft Entra Permissions Management is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+This glossary provides a list of some of the commonly used cloud terms in Permissions Management. These terms will help Permissions Management users navigate through cloud-specific terms and cloud-generic terms.
+
+## Commonly-used acronyms and terms
+
+| Term | Definition |
+|--|--|
+| ACL | Access control list. A list of files or resources that contain information about which users or groups have permission to access those resources or modify those files. |
+| ARN | Azure Resource Notification |
+| Authorization System | CIEM supports AWS accounts, Azure Subscriptions, GCP projects as the Authorization systems |
+| Authorization System Type | Any system which provides the authorizations by assigning the permissions to the identities, resources. CIEM supports AWS, Azure, GCP as the Authorization System Types |
+| Cloud security | A form of cybersecurity that protects data stored online on cloud computing platforms from theft, leakage, and deletion. Includes firewalls, penetration testing, obfuscation, tokenization, virtual private networks (VPN), and avoiding public internet connections. |
+| Cloud storage | A service model in which data is maintained, managed, and backed up remotely. Available to users over a network. |
+| CIAM | Cloud Infrastructure Access Management |
+| CIEM | Cloud Infrastructure Entitlement Management. The next generation of solutions for enforcing least privilege in the cloud. It addresses cloud-native security challenges of managing identity access management in cloud environments. |
+| CIS | Cloud infrastructure security |
+| CWP | Cloud Workload Protection. A workload-centric security solution that targets the unique protection requirements of workloads in modern enterprise environments. |
+| CNAPP | Cloud-Native Application Protection. The convergence of cloud security posture management (CSPM), cloud workload protection (CWP), cloud infrastructure entitlement management (CIEM), and cloud applications security broker (CASB). An integrated security approach that covers the entire lifecycle of cloud-native applications. |
+| CSPM | Cloud Security Posture Management. Addresses risks of compliance violations and misconfigurations in enterprise cloud environments. Also focuses on the resource level to identify deviations from best practice security settings for cloud governance and compliance. |
+| CWPP | Cloud Workload Protection Platform |
+| Data Collector | Virtual entity which stores the data collection configuration |
+| Delete task | A high-risk task that allows users to permanently delete a resource. |
+| ED | Enterprise directory |
+| Entitlement | An abstract attribute that represents different forms of user permissions in a range of infrastructure systems and business applications.|
+| Entitlement management | Technology that grants, resolves, enforces, revokes, and administers fine-grained access entitlements (that is, authorizations, privileges, access rights, permissions and rules). Its purpose is to execute IT access policies to structured/unstructured data, devices, and services. It can be delivered by different technologies, and is often different across platforms, applications, network components, and devices. |
+| High-risk task | A task in which a user can cause data leakage, service disruption, or service degradation. |
+| Hybrid cloud | Sometimes called a cloud hybrid. A computing environment that combines an on-premises data center (a private cloud) with a public cloud. It allows data and applications to be shared between them. |
+| hybrid cloud storage | A private or public cloud used to store an organization's data. |
+| ICM | Incident Case Management |
+| IDS | Intrusion Detection Service |
+| Identity analytics | Includes basic monitoring and remediation, dormant and orphan account detection and removal, and privileged account discovery. |
+| Identity lifecycle management | Maintain digital identities, their relationships with the organization, and their attributes during the entire process from creation to eventual archiving, using one or more identity life cycle patterns. |
+| IGA | Identity governance and administration. Technology solutions that conduct identity management and access governance operations. IGA includes the tools, technologies, reports, and compliance activities required for identity lifecycle management. It includes every operation from account creation and termination to user provisioning, access certification, and enterprise password management. It looks at automated workflow and data from authoritative sources capabilities, self-service user provisioning, IT governance, and password management. |
+| ITSM | Information Technology Security Management. Tools that enable IT operations organizations (infrastructure and operations managers), to better support the production environment. Facilitate the tasks and workflows associated with the management and delivery of quality IT services. |
+| JEP | Just Enough Permissions |
+| JIT | Just in Time access can be seen as a way to enforce the principle of least privilege to ensure users and non-human identities are given the minimum level of privileges. It also ensures that privileged activities are conducted in accordance with an organization's Identity Access Management (IAM), IT Service Management (ITSM), and Privileged Access Management (PAM) policies, with its entitlements and workflows. JIT access strategy enables organizations to maintain a full audit trail of privileged activities so they can easily identify who or what gained access to which systems, what they did at what time, and for how long. |
+| Least privilege | Ensures that users only gain access to the specific tools they need to complete a task. |
+| Multi-tenant | A single instance of the software and its supporting infrastructure serves multiple customers. Each customer shares the software application and also shares a single database. |
+| OIDC | OpenID Connect. An authentication protocol that verifies user identity when a user is trying to access a protected HTTPs end point. OIDC is an evolutionary development of ideas implemented earlier in OAuth. |
+| PAM | Privileged access management. Tools that offer one or more of these features: discover, manage, and govern privileged accounts on multiple systems and applications; control access to privileged accounts, including shared and emergency access; randomize, manage, and vault credentials (password, keys, etc.) for administrative, service, and application accounts; single sign-on (SSO) for privileged access to prevent credentials from being revealed; control, filter, and orchestrate privileged commands, actions, and tasks; manage and broker credentials to applications, services, and devices to avoid exposure; and monitor, record, audit, and analyze privileged access, sessions, and actions. |
+| PASM | Privileged accounts are protected by vaulting their credentials. Access to those accounts is then brokered for human users, services, and applications. Privileged session management (PSM) functions establish sessions with possible credential injection and full session recording. Passwords and other credentials for privileged accounts are actively managed and changed at definable intervals or upon the occurrence of specific events. PASM solutions may also provide application-to-application password management (AAPM) and zero-install remote privileged access features for IT staff and third parties that don't require a VPN. |
+| PEDM | Specific privileges are granted on the managed system by host-based agents to logged-in users. PEDM tools provide host-based command control (filtering); application allow, deny, and isolate controls; and/or privilege elevation. The latter is in the form of allowing particular commands to be run with a higher level of privileges. PEDM tools execute on the actual operating system at the kernel or process level. Command control through protocol filtering is explicitly excluded from this definition because the point of control is less reliable. PEDM tools may also provide file integrity monitoring features. |
+| Permission | Rights and privileges. Details given by users or network administrators that define access rights to files on a network. Access controls attached to a resource dictating which identities can access it and how. Privileges are attached to identities and are the ability to perform certain actions. An identity having the ability to perform an action on a resource. |
+| POD | Permission on Demand. A type of JIT access that allows the temporary elevation of permissions, enabling identities to access resources on a by-request, timed basis. |
+| Permissions creep index (PCI) | A number from 0 to 100 that represents the incurred risk of users with access to high-risk privileges. PCI is a function of users who have access to high-risk privileges but aren't actively using them. |
+| Policy and role management | Maintain rules that govern automatic assignment and removal of access rights. Provides visibility of access rights for selection in access requests, approval processes, dependencies, and incompatibilities between access rights, and more. Roles are a common vehicle for policy management. |
+| Privilege | The authority to make changes to a network or computer. Both people and accounts can have privileges, and both can have different levels of privilege. |
+| Privileged account | A login credential to a server, firewall, or other administrative account. Often referred to as admin accounts. Comprised of the actual username and password; these two things together make up the account. A privileged account is allowed to do more things than a normal account. |
+| Public Cloud | Computing services offered by third-party providers over the public Internet, making them available to anyone who wants to use or purchase them. They may be free or sold on-demand, allowing customers to pay only per usage for the CPU cycles, storage, or bandwidth they consume. |
+| Resource | Any entity that uses compute capabilities can be accessed by users and services to perform actions. |
+| Role | An IAM identity that has specific permissions. Instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. A role doesn't have standard long-term credentials such as a password or access keys associated with. |
+| SCIM | System for CrossΓÇôdomain Identity Management |
+| SIEM | Security Information and Event Management. Technology that supports threat detection, compliance and security incident management through the collection and analysis (both near real time and historical) of security events, as well as a wide variety of other event and contextual data sources. The core capabilities are a broad scope of log event collection and management, the ability to analyze log events and other data across disparate sources, and operational capabilities (such as incident management, dashboards, and reporting). |
+| SOAR | Security orchestration, automation and response (SOAR). Technologies that enable organizations to take inputs from various sources (mostly from security information and event management [SIEM] systems) and apply workflows aligned to processes and procedures. These workflows can be orchestrated via integrations with other technologies and automated to achieve the desired outcome and greater visibility. Other capabilities include case and incident management features; the ability to manage threat intelligence, dashboards and reporting; and analytics that can be applied across various functions. SOAR tools significantly enhance security operations activities like threat detection and response by providing machine-powered assistance to human analysts to improve the efficiency and consistency of people and processes. |
+| Super user / Super identity | A powerful account used by IT system administrators that can be used to make configurations to a system or application, add or remove users, or delete data. |
+| Tenant | A dedicated instance of the services and organization data stored within a specific default location. |
+| UUID | Universally unique identifier. A 128-bit label used for information in computer systems. The term globally unique identifier (GUID) is also used.|
+| Zero trust security | The three foundational principles: explicit verification, breach assumption, and least privileged access.|
+| ZTNA | Zero trust network access. A product or service that creates an identity- and context-based, logical access boundary around an application or set of applications. The applications are hidden from discovery, and access is restricted via a trust broker to a set of named entities. The broker verifies the identity, context and policy adherence of the specified participants before allowing access and prohibits lateral movement elsewhere in the network. It removes application assets from public visibility and significantly reduces the surface area for attack.|
+
+## Next steps
+
+- For an overview of Permissions Management, see [What's Permissions Management?](overview.md).
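Review bot: Several glossary expansions are wrong or contradict the table itself. `ARN | Azure Resource Notification` should be Amazon Resource Name, the AWS resource identifier; `ITSM | Information Technology Security Management` conflicts with the JIT row a few lines down, which expands ITSM as IT Service Management, the standard meaning; and `IDS | Intrusion Detection Service` is normally Intrusion Detection System. Two rows are also ungrammatical: the **Resource** row ("Any entity that uses compute capabilities can be accessed by users and services...") needs "and" before "can be accessed", and the **Role** row ends mid-phrase ("...password or access keys associated with."), so "associated with it". The OIDC row's "HTTPs end point" should be "HTTPS endpoint", and the SCIM row carries a non-ASCII dash (rendered here as `CrossΓÇôdomain`); a plain hyphen, "Cross-domain", avoids the encoding problem.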
active-directory Onboard Add Account After Onboarding https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/onboard-add-account-after-onboarding.md
+
+ Title: Add an account /subscription/ project to Permissions Management after onboarding is complete
+description: How to add an account/ subscription/ project to Permissions Management after onboarding is complete.
+++++++ Last updated : 02/23/2022+++
+# Add an account/ subscription/ project after onboarding is complete
+
+> [!IMPORTANT]
+> Microsoft Entra Permissions Management is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+This article describes how to add an Amazon Web Services (AWS) account, Microsoft Azure subscription, or Google Cloud Platform (GCP) project in Microsoft Permissions Management after you've completed the onboarding process.
+
+## Add an AWS account after onboarding is complete
+
+1. In the Permissions Management home page, select **Settings** (the gear icon), and then select the **Data collectors** tab.
+1. On the **Data collectors** dashboard, select **AWS**.
+1. Select the ellipses **(...)** at the end of the row, and then select **Edit Configuration**.
+
+ The **Permissions Management Onboarding - Summary** page displays.
+
+1. Go to **AWS Account IDs**, and then select **Edit** (the pencil icon).
+
+ The **Permissions Management Onboarding - AWS Member Account Details** page displays.
+
+1. Go to **Enter Your AWS Account IDs**, and then select **Add** (the plus **+** sign).
+1. Copy your account ID from AWS and paste it into the **Enter Account ID** box.
+
+ The AWS account ID is automatically added to the script.
+
+ If you want to add more account IDs, repeat steps 5 and 6 to add up to a total of 10 account IDs.
+
+1. Copy the script.
+1. Go to AWS and start the Cloud Shell.
+1. Create a new script for the new account and press the **Enter** key.
+1. Paste the script you copied.
+1. Locate the account line, delete the original account ID (the one that was previously added), and then run the script.
+1. Return to Permissions Management, and the new account ID you added will be added to the list of account IDs displayed in the **Permissions Management Onboarding - Summary** page.
+1. Select **Verify now & save**.
+
+ When your changes are saved, the following message displays: **Successfully updated configuration.**
++
+## Add an Azure subscription after onboarding is complete
+
+1. In the Permissions Management home page, select **Settings** (the gear icon), and then select the **Data collectors** tab.
+1. On the **Data collectors** dashboard, select **Azure**.
+1. Select the ellipses **(...)** at the end of the row, and then select **Edit Configuration**.
+
+ The **Permissions Management Onboarding - Summary** page displays.
+
+1. Go to **Azure subscription IDs**, and then select **Edit** (the pencil icon).
+1. Go to **Enter your Azure Subscription IDs**, and then select **Add subscription** (the plus **+** sign).
+1. Copy and paste your subscription ID from Azure and paste it into the subscription ID box.
+
+ The subscription ID is automatically added to the subscriptions line in the script.
+
+ If you want to add more subscription IDs, repeat steps 4 and 5 to add up to a total of 10 subscriptions.
+
+1. Copy the script.
+1. Go to Azure and start the Cloud Shell.
+1. Create a new script for the new subscription and press enter.
+1. Paste the script you copied.
+1. Locate the subscription line and delete the original subscription ID (the one that was previously added), and then run the script.
+1. Return to Permissions Management, and the new subscription ID you added will be added to the list of subscription IDs displayed in the **Permissions Management Onboarding - Summary** page.
+1. Select **Verify now & save**.
+
+ When your changes are saved, the following message displays: **Successfully updated configuration.**
+
+## Add a GCP project after onboarding is complete
+
+1. In the Permissions Management home page, select **Settings** (the gear icon), and then select the **Data collectors** tab.
+1. On the **Data collectors** dashboard, select **GCP**.
+1. Select the ellipses **(...)** at the end of the row, and then select **Edit Configuration**.
+
+ The **Permissions Management Onboarding - Summary** page displays.
+
+1. Go to **GCP Project IDs**, and then select **Edit** (the pencil icon).
+1. Go to **Enter your GCP Project IDs**, and then select **Add Project ID** (the plus **+** sign).
+1. Copy and paste your project ID from Azure and paste it into the **Project ID** box.
+
+ The project ID is automatically added to the **Project ID** line in the script.
+
+ If you want to add more project IDs, repeat steps 4 and 5 to add up to a total of 10 project IDs.
+
+1. Copy the script.
+1. Go to GCP and start the Cloud Shell.
+1. Create a new script for the new project ID and press enter.
+1. Paste the script you copied.
+1. Locate the project ID line and delete the original project ID (the one that was previously added), and then run the script.
+1. Return to Permissions Management, and the new project ID you added will be added to the list of project IDs displayed in the **Permissions Management Onboarding - Summary** page.
+1. Select **Verify now & save**.
+
+ When your changes are saved, the following message displays: **Successfully updated configuration.**
+++
+## Next steps
+
+- For information on how to onboard an Amazon Web Services (AWS) account, see [Onboard an AWS account](onboard-aws.md).
+ - For information on how to onboard a Microsoft Azure subscription, see [Onboard a Microsoft Azure subscription](onboard-azure.md).
+- For information on how to onboard a Google Cloud Platform (GCP) project, see [Onboard a GCP project](onboard-gcp.md).
+- For information on how to enable or disable the controller after onboarding is complete, see [Enable or disable the controller](onboard-enable-controller-after-onboarding.md).
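Review bot: In the GCP procedure, step 6 says "Copy and paste your project ID from Azure and paste it into the **Project ID** box"; the project ID comes from GCP, not Azure, and the doubled "copy and paste ... and paste" (also in the Azure section's step 6) should read "Copy your project ID from GCP and paste it into the **Project ID** box". The "repeat steps 4 and 5" instructions in the Azure and GCP sections point at the **Edit** (pencil) step; the steps that actually add another ID are 5 and 6 (select **Add**, then paste the ID), matching the AWS section's "repeat steps 5 and 6". Minor: in Next steps the Azure bullet is indented one space deeper than its siblings and will render as a nested list, and the title "Add an account /subscription/ project" has inconsistent spacing around the slashes.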
active-directory Onboard Aws https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/onboard-aws.md
+
+ Title: Onboard an Amazon Web Services (AWS) account on Permissions Management
+description: How to onboard an Amazon Web Services (AWS) account on Permissions Management.
+++++++ Last updated : 04/20/2022+++
+# Onboard an Amazon Web Services (AWS) account
+
+> [!IMPORTANT]
+> Microsoft Entra Permissions Management is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+> [!NOTE]
+> The Permissions Management PREVIEW is currently not available for tenants hosted in the European Union (EU).
++
+This article describes how to onboard an Amazon Web Services (AWS) account on Permissions Management.
+
+> [!NOTE]
+> A *global administrator* or *super admin* (an admin for all authorization system types) can perform the tasks in this article after the global administrator has initially completed the steps provided in [Enable Permissions Management on your Azure Active Directory tenant](onboard-enable-tenant.md).
++
+## View a training video on configuring and onboarding an AWS account
+
+To view a video on how to configure and onboard AWS accounts in Permissions Management, select [Configure and onboard AWS accounts](https://www.youtube.com/watch?v=R6K21wiWYmE).
+
+## Onboard an AWS account
+
+1. If the **Data Collectors** dashboard isn't displayed when Permissions Management launches:
+
+ - In the Permissions Management home page, select **Settings** (the gear icon), and then select the **Data Collectors** subtab.
+
+1. On the **Data Collectors** dashboard, select **AWS**, and then select **Create Configuration**.
+
+### 1. Create an Azure AD OIDC App
+
+1. On the **Permissions Management Onboarding - Azure AD OIDC App Creation** page, enter the **OIDC Azure app name**.
+
+ This app is used to set up an OpenID Connect (OIDC) connection to your AWS account. OIDC is an interoperable authentication protocol based on the OAuth 2.0 family of specifications. The scripts generated on this page create the app of this specified name in your Azure AD tenant with the right configuration.
+
+1. To create the app registration, copy the script and run it in your Azure command-line app.
+
+ > [!NOTE]
+ > 1. To confirm that the app was created, open **App registrations** in Azure and, on the **All applications** tab, locate your app.
+ > 1. Select the app name to open the **Expose an API** page. The **Application ID URI** displayed in the **Overview** page is the *audience value* used while making an OIDC connection with your AWS account.
+
+1. Return to Permissions Management, and in the **Permissions Management Onboarding - Azure AD OIDC App Creation**, select **Next**.
+
+### 2. Set up an AWS OIDC account
+
+1. In the **Permissions Management Onboarding - AWS OIDC Account Setup** page, enter the **AWS OIDC account ID** where the OIDC provider is created. You can change the role name to your requirements.
+1. Open another browser window and sign in to the AWS account where you want to create the OIDC provider.
+1. Select **Launch Template**. This link takes you to the **AWS CloudFormation create stack** page.
+1. Scroll to the bottom of the page, and in the **Capabilities** box, select **I acknowledge that AWS CloudFormation might create IAM resources with custom names**. Then select **Create Stack.**
+
+ This AWS CloudFormation stack creates an OIDC Identity Provider (IdP) representing Azure AD STS and an AWS IAM role with a trust policy that allows external identities from Azure AD to assume it via the OIDC IdP. These entities are listed on the **Resources** page.
+
+1. Return to Permissions Management, and in the **Permissions Management Onboarding - AWS OIDC Account Setup** page, select **Next**.
+
+### 3. Set up an AWS master account (Optional)
+
+1. If your organization has Service Control Policies (SCPs) that govern some or all of the member accounts, set up the master account connection in the **Permissions Management Onboarding - AWS Master Account Details** page.
+
+ Setting up the master account connection allows Permissions Management to auto-detect and onboard any AWS member accounts that have the correct Permissions Management role.
+
+ - In the **Permissions Management Onboarding - AWS Master Account Details** page, enter the **Master Account ID** and **Master Account Role**.
+
+1. Open another browser window and sign in to the AWS console for your master account.
+
+1. Return to Permissions Management, and in the **Permissions Management Onboarding - AWS Master Account Details** page, select **Launch Template**.
+
+ The **AWS CloudFormation create stack** page opens, displaying the template.
+
+1. Review the information in the template, make changes, if necessary, then scroll to the bottom of the page.
+
+1. In the **Capabilities** box, select **I acknowledge that AWS CloudFormation might create IAM resources with custom names**. Then select **Create stack**.
+
+ This AWS CloudFormation stack creates a role in the master account with the necessary permissions (policies) to collect SCPs and list all the accounts in your organization.
+
+ A trust policy is set on this role to allow the OIDC role created in your AWS OIDC account to access it. These entities are listed in the **Resources** tab of your CloudFormation stack.
+
+1. Return to Permissions Management, and in **Permissions Management Onboarding - AWS Master Account Details**, select **Next**.
+
+### 4. Set up an AWS Central logging account (Optional but recommended)
+
+1. If your organization has a central logging account where logs from some or all of your AWS account are stored, in the **Permissions Management Onboarding - AWS Central Logging Account Details** page, set up the logging account connection.
+
+ In the **Permissions Management Onboarding - AWS Central Logging Account Details** page, enter the **Logging Account ID** and **Logging Account Role**.
+
+1. In another browser window, sign in to the AWS console for the AWS account you use for central logging.
+
+1. Return to Permissions Management, and in the **Permissions Management Onboarding - AWS Central Logging Account Details** page, select **Launch Template**.
+
+ The **AWS CloudFormation create stack** page opens, displaying the template.
+
+1. Review the information in the template, make changes, if necessary, then scroll to the bottom of the page.
+
+1. In the **Capabilities** box, select **I acknowledge that AWS CloudFormation might create IAM resources with custom names**, and then select **Create stack**.
+
+ This AWS CloudFormation stack creates a role in the logging account with the necessary permissions (policies) to read S3 buckets used for central logging. A trust policy is set on this role to allow the OIDC role created in your AWS OIDC account to access it. These entities are listed in the **Resources** tab of your CloudFormation stack.
+
+1. Return to Permissions Management, and in the **Permissions Management Onboarding - AWS Central Logging Account Details** page, select **Next**.
+
+### 5. Set up an AWS member account
+
+1. In the **Permissions Management Onboarding - AWS Member Account Details** page, enter the **Member Account Role** and the **Member Account IDs**.
+
+ You can enter up to 10 account IDs. Click the plus icon next to the text box to add more account IDs.
+
+ > [!NOTE]
+ > Perform the next 6 steps for each account ID you add.
+
+1. Open another browser window and sign in to the AWS console for the member account.
+
+1. Return to the **Permissions Management Onboarding - AWS Member Account Details** page, select **Launch Template**.
+
+ The **AWS CloudFormation create stack** page opens, displaying the template.
+
+1. In the **CloudTrailBucketName** page, enter a name.
+
+ You can copy and paste the **CloudTrailBucketName** name from the **Trails** page in AWS.
+
+ > [!NOTE]
+ > A *cloud bucket* collects all the activity in a single account that Permissions Management monitors. Enter the name of a cloud bucket here to provide Permissions Management with the access required to collect activity data.
+
+1. From the **Enable Controller** dropdown, select:
+
+ - **True**, if you want the controller to provide Permissions Management with read and write access so that any remediation you want to do from the Permissions Management platform can be done automatically.
+ - **False**, if you want the controller to provide Permissions Management with read-only access.
+
+1. Scroll to the bottom of the page, and in the **Capabilities** box, select **I acknowledge that AWS CloudFormation might create IAM resources with custom names**. Then select **Create stack**.
+
+ This AWS CloudFormation stack creates a collection role in the member account with necessary permissions (policies) for data collection.
+
+ A trust policy is set on this role to allow the OIDC role created in your AWS OIDC account to access it. These entities are listed in the **Resources** tab of your CloudFormation stack.
+
+1. Return to Permissions Management, and in the **Permissions Management Onboarding - AWS Member Account Details** page, select **Next**.
+
+ This step completes the sequence of required connections from Azure AD STS to the OIDC connection account and the AWS member account.
+
+### 6. Review and save
+
+1. In **Permissions Management Onboarding ΓÇô Summary**, review the information you've added, and then select **Verify Now & Save**.
+
+ The following message appears: **Successfully created configuration.**
+
+ On the **Data Collectors** dashboard, the **Recently Uploaded On** column displays **Collecting**. The **Recently Transformed On** column displays **Processing.**
+
+ You have now completed onboarding AWS, and Permissions Management has started collecting and processing your data.
+
+### 7. View the data
+
+1. To view the data, select the **Authorization Systems** tab.
+
+ The **Status** column in the table displays **Collecting Data.**
+
+ The data collection process may take some time, depending on the size of the account and how much data is available for collection.
++
+## Next steps
+
+- For information on how to onboard a Microsoft Azure subscription, see [Onboard a Microsoft Azure subscription](onboard-azure.md).
+- For information on how to onboard a Google Cloud Platform (GCP) project, see [Onboard a Google Cloud Platform (GCP) project](onboard-gcp.md).
+- For information on how to enable or disable the controller after onboarding is complete, see [Enable or disable the controller](onboard-enable-controller-after-onboarding.md).
+- For information on how to add an account/subscription/project after onboarding is complete, see [Add an account/subscription/project after onboarding is complete](onboard-add-account-after-onboarding.md).
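Review bot: The description of the CloudFormation stack in section 2 ("an AWS IAM role with a trust policy that allows external identities from Azure AD to assume it via the OIDC IdP") does not say what scopes that trust; since section 1 states that the **Application ID URI** is the audience value used for the OIDC connection, the text should say the trust policy is conditioned on that audience (and any subject claim it checks) so readers can confirm in the stack's **Resources** tab that the role is not assumable by arbitrary tokens from the tenant. The **Enable Controller** choice in section 5 should likewise say what write permissions **True** adds to the collection role, since the reader is deciding between read-only and read/write; linking the controller article already listed in Next steps would do. Smaller fixes: "logs from some or all of your AWS account are stored" should be "accounts"; the note "Perform the next 6 steps for each account ID" appears to count step 7 (return and select **Next**), which is done once, so "next 5 steps"; the **CloudTrailBucketName** note's "A *cloud bucket*" should name the CloudTrail S3 bucket the field refers to; **Create Stack.** in section 2 differs from **Create stack** elsewhere; and the summary heading contains a non-ASCII dash (`Onboarding ΓÇô Summary`) where the other pages use a plain hyphen.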
active-directory Onboard Azure https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/onboard-azure.md
+
+ Title: Onboard a Microsoft Azure subscription in Permissions Management
+description: How to a Microsoft Azure subscription on Permissions Management.
+++++++ Last updated : 04/20/2022+++
+# Onboard a Microsoft Azure subscription
+
+> [!IMPORTANT]
+> Microsoft Entra Permissions Management (Permissions Management) is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+> [!NOTE]
+> The Permissions Management PREVIEW is currently not available for tenants hosted in the European Union (EU).
+
+This article describes how to onboard a Microsoft Azure subscription or subscriptions on Permissions Management (Permissions Management). Onboarding a subscription creates a new authorization system to represent the Azure subscription in Permissions Management.
+
+> [!NOTE]
+> A *global administrator* or *super admin* (an admin for all authorization system types) can perform the tasks in this article after the global administrator has initially completed the steps provided in [Enable Permissions Management on your Azure Active Directory tenant](onboard-enable-tenant.md).
+
+## Prerequisites
+
+To add Permissions Management to your Azure AD tenant:
+- You must have an Azure AD user account and an Azure command-line interface (Azure CLI) on your system, or an Azure subscription. If you don't already have one, [create a free account](https://azure.microsoft.com/free/).
+- You must have **Microsoft.Authorization/roleAssignments/write** permission at the subscription or management group scope to perform these tasks. If you don't have this permission, you can ask someone who has this permission to perform these tasks for you.
++
+## View a training video on enabling Permissions Management in your Azure AD tenant
+
+To view a video on how to enable Permissions Management in your Azure AD tenant, select [Enable Permissions Management in your Azure AD tenant](https://www.youtube.com/watch?v=-fkfeZyevoo).
+
+## How to onboard an Azure subscription
+
+1. If the **Data Collectors** dashboard isn't displayed when Permissions Management launches:
+
+ - In the Permissions Management home page, select **Settings** (the gear icon), and then select the **Data Collectors** subtab.
+
+1. On the **Data Collectors** dashboard, select **Azure**, and then select **Create Configuration**.
+
+### 1. Add Azure subscription details
+
+1. On the **Permissions Management Onboarding - Azure Subscription Details** page, enter the **Subscription IDs** that you want to onboard.
+
+ > [!NOTE]
+ > To locate the Azure subscription IDs, open the **Subscriptions** page in Azure.
+ > You can enter up to 10 subscriptions IDs. Select the plus sign **(+)** icon next to the text box to enter more subscriptions.
+
+1. From the **Scope** dropdown, select **Subscription** or **Management Group**. The script box displays the role assignment script.
+
+ > [!NOTE]
+ > Select **Subscription** if you want to assign permissions separately for each individual subscription. The generated script has to be executed once per subscription.
+ > Select **Management Group** if all of your subscriptions are under one management group. The generated script must be executed once for the management group.
+
+1. To give this role assignment to the service principal, copy the script to a file on your system where Azure CLI is installed and execute it.
+
+ You can execute the script once for each subscription, or once for all the subscriptions in the management group.
+
+1. From the **Enable Controller** dropdown, select:
+
+ - **True**, if you want the controller to provide Permissions Management with read and write access so that any remediation you want to do from the Permissions Management platform can be done automatically.
+ - **False**, if you want the controller to provide Permissions Management with read-only access.
+
+1. Return to **Permissions Management Onboarding - Azure Subscription Details** page and select **Next**.
+
+### 2. Review and save.
+
+- In **Permissions Management Onboarding ΓÇô Summary** page, review the information you've added, and then select **Verify Now & Save**.
+
+ The following message appears: **Successfully Created Configuration.**
+
+ On the **Data Collectors** tab, the **Recently Uploaded On** column displays **Collecting**. The **Recently Transformed On** column displays **Processing.**
+
+ You have now completed onboarding Azure, and Permissions Management has started collecting and processing your data.
+
+### 3. View the data.
+
+- To view the data, select the **Authorization Systems** tab.
+
+ The **Status** column in the table displays **Collecting Data.**
+
+ The data collection process will take some time, depending on the size of the account and how much data is available for collection.
++
+## Next steps
+
+- For information on how to onboard an Amazon Web Services (AWS) account, see [Onboard an Amazon Web Services (AWS) account](onboard-aws.md).
+- For information on how to onboard a Google Cloud Platform (GCP) project, see [Onboard a Google Cloud Platform (GCP) project](onboard-gcp.md).
+- For information on how to enable or disable the controller after onboarding is complete, see [Enable or disable the controller](onboard-enable-controller-after-onboarding.md).
+- For information on how to add an account/subscription/project after onboarding is complete, see [Add an account/subscription/project after onboarding is complete](onboard-add-account-after-onboarding.md).
+- For an overview on Permissions Management, see [What's Permissions Management?](overview.md).
+- For information on how to start viewing information about your authorization system in Permissions Management, see [View key statistics and data about your authorization system](ui-dashboard.md).
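Review bot: step 3 under "1. Add Azure subscription details" ("copy the script to a file on your system where Azure CLI is installed and execute it") never says which role the generated script assigns to the service principal or at what scope, even though the prerequisites require `Microsoft.Authorization/roleAssignments/write` at subscription or management group scope and the **Enable Controller** = **True** option grants read and write access; suggest naming the role the script assigns and adding a sentence telling readers to review the script contents before running it, since it changes role assignments across every subscription or the whole management group. Smaller points in the same hunk: the `description:` line reads "How to a Microsoft Azure subscription on Permissions Management" and is missing "onboard"; "Permissions Management (Permissions Management)" in the intro repeats itself; "up to 10 subscriptions IDs" should be "subscription IDs"; "Permissions Management Onboarding ΓÇô Summary" contains a mis-encoded en dash; and the headings "2. Review and save." and "3. View the data." end with periods while "1. Add Azure subscription details" does not.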
active-directory Onboard Enable Controller After Onboarding https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/onboard-enable-controller-after-onboarding.md
+
+ Title: Enable or disable the controller in Permissions Management after onboarding is complete
+description: How to enable or disable the controller in Permissions Management after onboarding is complete.
+++++++ Last updated : 02/23/2022+++
+# Enable or disable the controller after onboarding is complete
+
+> [!IMPORTANT]
+> Microsoft Entra Permissions Management is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+This article describes how to enable or disable the controller in Microsoft Azure and Google Cloud Platform (GCP) after onboarding is complete.
+
+This article also describes how to enable the controller in Amazon Web Services (AWS) if you disabled it during onboarding. You can only enable the controller in AWS at this time; you can't disable it.
+
+## Enable the controller in AWS
+
+> [!NOTE]
+> You can only enable the controller in AWS; you can't disable it at this time.
+
+1. Sign in to the AWS console of the member account in a separate browser window.
+1. Go to the Permissions Management home page, select **Settings** (the gear icon), and then select the **Data Collectors** subtab.
+1. On the **Data Collectors** dashboard, select **AWS**, and then select **Create Configuration**.
+1. On the **Permissions Management Onboarding - AWS Member Account Details** page, select **Launch Template**.
+
+ The **AWS CloudFormation create stack** page opens, displaying the template.
+1. In the **CloudTrailBucketName** box, enter a name.
+
+ You can copy and paste the **CloudTrailBucketName** name from the **Trails** page in AWS.
+
+ > [!NOTE]
+ > A *cloud bucket* collects all the activity in a single account that Permissions Management monitors. Enter the name of a cloud bucket here to provide Permissions Management with the access required to collect activity data.
+
+1. In the **EnableController** box, from the drop-down list, select **True** to provide Permissions Management with read and write access so that any remediation you want to do from the Permissions Management platform can be done automatically.
+
+1. Scroll to the bottom of the page, and in the **Capabilities** box and select **I acknowledge that AWS CloudFormation might create IAM resources with custom names**. Then select **Create stack**.
+
+ This AWS CloudFormation stack creates a collection role in the member account with necessary permissions (policies) for data collection. A trust policy is set on this role to allow the OIDC role created in your AWS OIDC account to access it. These entities are listed in the **Resources** tab of your CloudFormation stack.
+
+1. Return to Permissions Management, and on the Permissions Management **Onboarding - AWS Member Account Details** page, select **Next**.
+1. On **Permissions Management Onboarding ΓÇô Summary** page, review the information you've added, and then select **Verify Now & Save**.
+
+ The following message appears: **Successfully created configuration.**
+
+## Enable or disable the controller in Azure
++
+1. In Azure, open the **Access control (IAM)** page.
+1. In the **Check access** section, in the **Find** box, enter **Cloud Infrastructure Entitlement Management**.
+
+ The **Cloud Infrastructure Entitlement Management assignments** page appears, displaying the roles assigned to you.
+
+ - If you have read-only permission, the **Role** column displays **Reader**.
+ - If you have administrative permission, the **Role** column displays **User Access Administrative**.
+
+1. To add the administrative role assignment, return to the **Access control (IAM)** page, and then select **Add role assignment**.
+1. Add or remove the role assignment for Cloud Infrastructure Entitlement Management.
+
+1. Go to the Permissions Management home page, select **Settings** (the gear icon), and then select the **Data Collectors** subtab.
+1. On the **Data Collectors** dashboard, select **Azure**, and then select **Create Configuration**.
+1. On the **Permissions Management Onboarding - Azure Subscription Details** page, enter the **Subscription ID**, and then select **Next**.
+1. On **Permissions Management Onboarding ΓÇô Summary** page, review the controller permissions, and then select **Verify Now & Save**.
+
+ The following message appears: **Successfully Created Configuration.**
++
+## Enable or disable the controller in GCP
+
+1. Execute the **gcloud auth login**.
+1. Follow the instructions displayed on the screen to authorize access to your Google account.
+1. Execute the **sh mciem-workload-identity-pool.sh** to create the workload identity pool, provider, and service account.
+1. Execute the **sh mciem-member-projects.sh** to give Permissions Management permissions to access each of the member projects.
+
+ - If you want to manage permissions through Permissions Management, select **Y** to **Enable controller**.
+ - If you want to onboard your projects in read-only mode, select **N** to **Disable controller**.
+
+1. Optionally, execute **mciem-enable-gcp-api.sh** to enable all recommended GCP APIs.
+
+1. Go to the Permissions Management home page, select **Settings** (the gear icon), and then select the **Data Collectors** subtab.
+1. On the **Data Collectors** dashboard, select **GCP**, and then select **Create Configuration**.
+1. On the **Permissions Management Onboarding - Azure AD OIDC App Creation** page, select **Next**.
+1. On the **Permissions Management Onboarding - GCP OIDC Account Details & IDP Access** page, enter the **OIDC Project Number** and **OIDC Project ID**, and then select **Next**.
+1. On the **Permissions Management Onboarding - GCP Project IDs** page, enter the **Project IDs**, and then select **Next**.
+1. On the **Permissions Management Onboarding ΓÇô Summary** page, review the information you've added, and then select **Verify Now & Save**.
+
+ The following message appears: **Successfully Created Configuration.**
+
+## Next steps
+
+- For information on how to onboard an Amazon Web Services (AWS) account, see [Onboard an AWS account](onboard-aws.md).
+- For information on how to onboard a Microsoft Azure subscription, see [Onboard a Microsoft Azure subscription](onboard-azure.md).
+- For information on how to onboard a Google Cloud Platform (GCP) project, see [Onboard a GCP project](onboard-gcp.md).
+- For information on how to add an account/subscription/project after onboarding is complete, see [Add an account/subscription/project after onboarding is complete](onboard-add-account-after-onboarding.md).
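Review bot: under "Enable or disable the controller in Azure", the step "Add or remove the role assignment for Cloud Infrastructure Entitlement Management" never states which role enables the controller and which removal disables it, and the role shown as "User Access Administrative" does not match the Azure built-in role name "User Access Administrator"; suggest saying explicitly that enabling the controller means assigning User Access Administrator (read and write to role assignments) to the Cloud Infrastructure Entitlement Management principal and disabling it means leaving only Reader, and fix the role name. The first step, "In Azure, open the **Access control (IAM)** page", should also say at which scope (the subscription or management group that was onboarded), since the assignment lives there. Minor: "in the **Capabilities** box and select" has a stray "and"; "Execute the **gcloud auth login**." is missing "command"; and "Permissions Management Onboarding ΓÇô Summary" appears three times with a mis-encoded en dash.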
active-directory Onboard Enable Tenant https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/onboard-enable-tenant.md
+
+ Title: Enable Permissions Management in your organization
+description: How to enable Permissions Management in your organization.
+++++++ Last updated : 04/20/2022+++
+# Enable Permissions Management in your organization
+
+> [!IMPORTANT]
+> Microsoft Entra Permissions Management is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
++
+> [!NOTE]
+> The Permissions Management PREVIEW is currently not available for tenants hosted in the European Union (EU).
+++
+This article describes how to enable Permissions Management in your organization. Once you've enabled Permissions Management, you can connect it to your Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) platforms.
+
+> [!NOTE]
+> To complete this task, you must have *global administrator* permissions as a user in that tenant. You can't enable Permissions Management as a user from other tenant who has signed in via B2B or via Azure Lighthouse.
+
+## Prerequisites
+
+To enable Permissions Management in your organization:
+
+- You must have an Azure AD tenant. If you don't already have one, [create a free account](https://azure.microsoft.com/free/).
+- You must be eligible for or have an active assignment to the global administrator role as a user in that tenant.
+
+> [!NOTE]
+> During public preview, Permissions Management doesn't perform a license check.
+
+## View a training video on enabling Permissions Management
+
+- To view a video on how to enable Permissions Management in your Azure AD tenant, select [Enable Permissions Management in your Azure AD tenant](https://www.youtube.com/watch?v=-fkfeZyevoo).
+- To view a video on how to configure and onboard AWS accounts in Permissions Management, select [Configure and onboard AWS accounts](https://www.youtube.com/watch?v=R6K21wiWYmE).
+- To view a video on how to configure and onboard GCP accounts in Permissions Management, select [Configure and onboard GCP accounts](https://www.youtube.com/watch?app=desktop&v=W3epcOaec28).
++
+## How to enable Permissions Management on your Azure AD tenant
+
+1. In your browser:
+ 1. Go to [Azure services](https://portal.azure.com) and use your credentials to sign in to [Azure Active Directory](https://ms.portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview).
+ 1. If you aren't already authenticated, sign in as a global administrator user.
+ 1. If needed, activate the global administrator role in your Azure AD tenant.
+ 1. In the Azure AD portal, select **Features highlights**, and then select **Permissions Management**.
+
+ 1. If you're prompted to select a sign in account, sign in as a global administrator for a specified tenant.
+
+ The **Welcome to Permissions Management** screen appears, displaying information on how to enable Permissions Management on your tenant.
+
+1. To provide access to the Permissions Management application, create a service principal.
+
+ An Azure service principal is a security identity used by user-created apps, services, and automation tools to access specific Azure resources.
+
+ > [!NOTE]
+ > To complete this step, you must have Azure CLI or Azure PowerShell on your system, or an Azure subscription where you can run Cloud Shell.
+
+ - To create a service principal that points to the Permissions Management application via Cloud Shell:
+
+ 1. Copy the script on the **Welcome** screen:
+
+ `az ad sp create --id b46c3ac5-9da6-418f-a849-0a07a10b3c6c`
+
+ 1. If you have an Azure subscription, return to the Azure AD portal and select **Cloud Shell** on the navigation bar.
+ If you don't have an Azure subscription, open a command prompt on a Windows Server.
+ 1. If you have an Azure subscription, paste the script into Cloud Shell and press **Enter**.
+
+ - For information on how to create a service principal through the Azure portal, see [Create an Azure service principal with the Azure CLI](/cli/azure/create-an-azure-service-principal-azure-cli).
+
+ - For information on the **az** command and how to sign in with the no subscriptions flag, see [az login](/cli/azure/reference-index?view=azure-cli-latest#az-login&preserve-view=true).
+
+ - For information on how to create a service principal via Azure PowerShell, see [Create an Azure service principal with Azure PowerShell](/powershell/azure/create-azure-service-principal-azureps?view=azps-7.1.0&preserve-view=true).
+
+ 1. After the script runs successfully, the service principal attributes for Permissions Management display. Confirm the attributes.
+
+ The **Cloud Infrastructure Entitlement Management** application displays in the Azure AD portal under **Enterprise applications**.
+
+1. Return to the **Welcome to Permissions Management** screen and select **Enable Permissions Management**.
+
+ You have now completed enabling Permissions Management on your tenant. Permissions Management launches with the **Data Collectors** dashboard.
+
+## Configure data collection settings
+
+Use the **Data Collectors** dashboard in Permissions Management to configure data collection settings for your authorization system.
+
+1. If the **Data Collectors** dashboard isn't displayed when Permissions Management launches:
+
+ - In the Permissions Management home page, select **Settings** (the gear icon), and then select the **Data Collectors** subtab.
+
+1. Select the authorization system you want: **AWS**, **Azure**, or **GCP**.
+
+1. For information on how to onboard an AWS account, Azure subscription, or GCP project into Permissions Management, select one of the following articles and follow the instructions:
+
+ - [Onboard an AWS account](onboard-aws.md)
+ - [Onboard an Azure subscription](onboard-azure.md)
+ - [Onboard a GCP project](onboard-gcp.md)
+
+## Next steps
+
+- For an overview of Permissions Management, see [What's Permissions Management?](overview.md)
+- For a list of frequently asked questions (FAQs) about Permissions Management, see [FAQs](faqs.md).
+- For information on how to start viewing information about your authorization system in Permissions Management, see [View key statistics and data about your authorization system](ui-dashboard.md).
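Review bot: the service principal procedure under "How to enable Permissions Management on your Azure AD tenant" leaves the no-subscription path incomplete: step 2 says "If you don't have an Azure subscription, open a command prompt on a Windows Server" but step 3 only covers pasting into Cloud Shell, and the sign-in with the no-subscriptions flag is only linked at the end; suggest spelling out that path (sign in with `az login` using the linked no-subscriptions flag, then run the same `az ad sp create --id b46c3ac5-9da6-418f-a849-0a07a10b3c6c` command) and dropping "Windows Server", since Azure CLI runs on other operating systems too. Step 4, "Confirm the attributes", should say what to confirm, at minimum that the returned appId matches the ID in the script, because the command consents an external application into the tenant as an enterprise application. Minor: "as a user from other tenant" should read "from another tenant"; "sign in account" should be "sign-in account"; and the two portal links point at different hosts (portal.azure.com and ms.portal.azure.com).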
active-directory Onboard Gcp https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/onboard-gcp.md
+
+ Title: Onboard a Google Cloud Platform (GCP) project in Permissions Management
+description: How to onboard a Google Cloud Platform (GCP) project on Permissions Management.
+++++++ Last updated : 04/20/2022+++
+# Onboard a Google Cloud Platform (GCP) project
+
+> [!IMPORTANT]
+> Microsoft Entra Permissions Management is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
++
+> [!NOTE]
+> The Permissions Management PREVIEW is currently not available for tenants hosted in the European Union (EU).
++
+This article describes how to onboard a Google Cloud Platform (GCP) project on Permissions Management.
+
+> [!NOTE]
+> A *global administrator* or *super admin* (an admin for all authorization system types) can perform the tasks in this article after the global administrator has initially completed the steps provided in [Enable Permissions Management on your Azure Active Directory tenant](onboard-enable-tenant.md).
+
+## View a training video on configuring and onboarding a GCP account
+
+To view a video on how to configure and onboard GCP accounts in Permissions Management, select [Configure and onboard GCP accounts](https://www.youtube.com/watch?app=desktop&v=W3epcOaec28).
++
+## Onboard a GCP project
+
+1. If the **Data Collectors** dashboard isn't displayed when Permissions Management launches:
+
+ - In the Permissions Management home page, select **Settings** (the gear icon), and then select the **Data Collectors** subtab.
+
+1. On the **Data Collectors** tab, select **GCP**, and then select **Create Configuration**.
+
+### 1. Create an Azure AD OIDC app.
+
+1. On the **Permissions Management Onboarding - Azure AD OIDC App Creation** page, enter the **OIDC Azure App Name**.
+
+ This app is used to set up an OpenID Connect (OIDC) connection to your GCP project. OIDC is an interoperable authentication protocol based on the OAuth 2.0 family of specifications. The scripts generated will create the app of this specified name in your Azure AD tenant with the right configuration.
+
+1. To create the app registration, copy the script and run it in your command-line app.
+
+ > [!NOTE]
+ > 1. To confirm that the app was created, open **App registrations** in Azure and, on the **All applications** tab, locate your app.
+ > 1. Select the app name to open the **Expose an API** page. The **Application ID URI** displayed in the **Overview** page is the *audience value* used while making an OIDC connection with your AWS account.
+
+ 1. Return to Permissions Management, and in the **Permissions Management Onboarding - Azure AD OIDC App Creation**, select **Next**.
+
+### 2. Set up a GCP OIDC project.
+
+1. In the **Permissions Management Onboarding - GCP OIDC Account Details & IDP Access** page, enter the **OIDC Project ID** and **OIDC Project Number** of the GCP project in which the OIDC provider and pool will be created. You can change the role name to your requirements.
+
+ > [!NOTE]
+ > You can find the **Project number** and **Project ID** of your GCP project on the GCP **Dashboard** page of your project in the **Project info** panel.
+
+1. You can change the **OIDC Workload Identity Pool Id**, **OIDC Workload Identity Pool Provider Id** and **OIDC Service Account Name** to meet your requirements.
+
+ Optionally, specify **G-Suite IDP Secret Name** and **G-Suite IDP User Email** to enable G-Suite integration.
+
+ You can either download and run the script at this point or you can do it in the Google Cloud Shell, as described [later in this article](onboard-gcp.md#4-run-scripts-in-cloud-shell-optional-if-not-already-executed).
+1. Select **Next**.
+
+### 3. Set up GCP member projects.
+
+1. In the **Permissions Management Onboarding - GCP Project Ids** page, enter the **Project IDs**.
+
+ You can enter up to 10 GCP project IDs. Select the plus icon next to the text box to insert more project IDs.
+
+1. You can choose to download and run the script at this point, or you can do it via Google Cloud Shell, as described in the [next step](onboard-gcp.md#4-run-scripts-in-cloud-shell-optional-if-not-already-executed).
+
+### 4. Run scripts in Cloud Shell. (Optional if not already executed)
+
+1. In the **Permissions Management Onboarding - GCP Project Ids** page, select **Launch SSH**.
+1. To copy all your scripts into your current directory, in **Open in Cloud Shell**, select **Trust repo**, and then select **Confirm**.
+
+ The Cloud Shell provisions the Cloud Shell machine and makes a connection to your Cloud Shell instance.
+
+ > [!NOTE]
+ > Follow the instructions in the browser as they may be different from the ones given here.
+
+ The **Welcome to Permissions Management GCP onboarding** screen appears, displaying steps you must complete to onboard your GCP project.
+
+### 5. Paste the environment vars from the Permissions Management portal.
+
+1. Return to Permissions Management and select **Copy export variables**.
+1. In the GCP Onboarding shell editor, paste the variables you copied, and then press **Enter**.
+1. Execute the **gcloud auth login**.
+1. Follow instructions displayed on the screen to authorize access to your Google account.
+1. Execute the **sh mciem-workload-identity-pool.sh** to create the workload identity pool, provider, and service account.
+1. Execute the **sh mciem-member-projects.sh** to give Permissions Management permissions to access each of the member projects.
+
+ - If you want to manage permissions through Permissions Management, select **Y** to **Enable controller**.
+
+ - If you want to onboard your projects in read-only mode, select **N** to **Disable controller**.
+
+1. Optionally, execute **mciem-enable-gcp-api.sh** to enable all recommended GCP APIs.
+
+1. Return to **Permissions Management Onboarding - GCP Project Ids**, and then select **Next**.
+
+### 6. Review and save.
+
+1. In the **Permissions Management Onboarding ΓÇô Summary** page, review the information you've added, and then select **Verify Now & Save**.
+
+ The following message appears: **Successfully Created Configuration.**
+
+ On the **Data Collectors** tab, the **Recently Uploaded On** column displays **Collecting**. The **Recently Transformed On** column displays **Processing.**
+
+ You have now completed onboarding GCP, and Permissions Management has started collecting and processing your data.
+
+### 7. View the data.
+
+- To view the data, select the **Authorization Systems** tab.
+
+ The **Status** column in the table displays **Collecting Data.**
+
+ The data collection process may take some time, depending on the size of the account and how much data is available for collection.
+++
+## Next steps
+
+- For information on how to onboard an Amazon Web Services (AWS) account, see [Onboard an Amazon Web Services (AWS) account](onboard-aws.md).
+- For information on how to onboard a Microsoft Azure subscription, see [Onboard a Microsoft Azure subscription](onboard-azure.md).
+- For information on how to enable or disable the controller after onboarding is complete, see [Enable or disable the controller](onboard-enable-controller-after-onboarding.md).
+- For information on how to add an account/subscription/project after onboarding is complete, see [Add an account/subscription/project after onboarding is complete](onboard-add-account-after-onboarding.md).
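Review bot: the note under "1. Create an Azure AD OIDC app." says the Application ID URI is "the *audience value* used while making an OIDC connection with your AWS account", but this article onboards a GCP project, so it should read "your GCP project"; this looks copied from the AWS article. In "2. Set up a GCP OIDC project.", "You can change the role name to your requirements." refers to a role name that no field on the page exposes; either name the field or drop the sentence. Under "4. Run scripts in Cloud Shell.", selecting **Trust repo** pulls scripts into the shell that then create a workload identity pool, provider, and service account and grant Permissions Management access to each member project, so a sentence pointing readers to review `mciem-workload-identity-pool.sh` and `mciem-member-projects.sh` before executing them would help. Minor: "Execute the **gcloud auth login**." is missing "command"; "environment vars" should be "environment variables"; "Permissions Management Onboarding ΓÇô Summary" has a mis-encoded en dash; and the page name is written both as "GCP Project Ids" and "GCP Project IDs".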
active-directory Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/overview.md
+
+ Title: What's Permissions Management?
+description: An introduction to Permissions Management.
+++++++ Last updated : 04/20/2022+++
+# What's Permissions Management?
++
+> [!IMPORTANT]
+> Microsoft Entra Permissions Management is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+> [!NOTE]
+> The Permissions Management PREVIEW is currently not available for tenants hosted in the European Union (EU).
+
+## Overview
+
+Permissions Management is a cloud infrastructure entitlement management (CIEM) solution that provides comprehensive visibility into permissions assigned to all identities. For example, over-privileged workload and user identities, actions, and resources across multi-cloud infrastructures in Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP).
+
+Permissions Management detects, automatically right-sizes, and continuously monitors unused and excessive permissions.
+
+Organizations have to consider permissions management as a central piece of their Zero Trust security to implement least privilege access across their entire infrastructure:
+
+- Organizations are increasingly adopting multi-cloud strategy and are struggling with the lack of visibility and the increasing complexity of managing access permissions.
+- With the proliferation of identities and cloud services, the number of high-risk cloud permissions is exploding, expanding the attack surface for organizations.
+- IT security teams are under increased pressure to ensure access to their expanding cloud estate is secure and compliant.
+- The inconsistency of cloud providers' native access management models makes it even more complex for Security and Identity to manage permissions and enforce least privilege access policies across their entire environment.
++
+## Key use cases
+
+Permissions Management allows customers to address three key use cases: *discover*, *remediate*, and *monitor*.
+
+### Discover
+
+Customers can assess permission risks by evaluating the gap between permissions granted and permissions used.
+
+- Cross-cloud permissions discovery: Granular and normalized metrics for key cloud platforms: AWS, Azure, and GCP.
+- Permission Creep Index (PCI): An aggregated metric that periodically evaluates the level of risk associated with the number of unused or excessive permissions across your identities and resources. It measures how much damage identities can cause based on the permissions they have.
+- Permission usage analytics: Multi-dimensional view of permissions risk for all identities, actions, and resources.
+
+### Remediate
+
+Customers can right-size permissions based on usage, grant new permissions on-demand, and automate just-in-time access for cloud resources.
+
+- Automated deletion of permissions unused for the past 90 days.
+- Permissions on-demand: Grant identities permissions on-demand for a time-limited period or an as-needed basis.
++
+### Monitor
+
+Customers can detect anomalous activities with machine language-powered (ML-powered) alerts and generate detailed forensic reports.
+
+- ML-powered anomaly detections.
+- Context-rich forensic reports around identities, actions, and resources to support rapid investigation and remediation.
+
+Permissions Management deepens Zero Trust security strategies by augmenting the least privilege access principle, allowing customers to:
+
+- Get comprehensive visibility: Discover which identity is doing what, where, and when.
+- Automate least privilege access: Use access analytics to ensure identities have the right permissions, at the right time.
+- Unify access policies across infrastructure as a service (IaaS) platforms: Implement consistent security policies across your cloud infrastructure.
+++
+## Next steps
+
+- For information on how to onboard Permissions Management for your organization, see [Enable Permissions Management in your organization](onboard-enable-tenant.md).
+- For a list of frequently asked questions (FAQs) about Permissions Management, see [FAQs](faqs.md).
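Review bot: under "Monitor", "machine language-powered (ML-powered) alerts" should be "machine learning-powered", which is what ML abbreviates. In the "Overview" paragraph, "For example, over-privileged workload and user identities, actions, and resources across multi-cloud infrastructures..." is a sentence fragment; suggest folding it into the preceding sentence, for example "visibility into permissions assigned to all identities (for example, over-privileged workload and user identities), actions, and resources across multi-cloud infrastructures in...". In the last bullet of that section, "for Security and Identity to manage permissions" should name the audience, "for security and identity teams".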
active-directory Product Account Explorer https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/product-account-explorer.md
+
+ Title: View roles and identities that can access account information from an external account
+description: How to view information about identities that can access accounts from an external account in Permissions Management.
+++++ Last updated : 02/23/2022+++
+# View roles and identities that can access account information from an external account
+
+> [!IMPORTANT]
+> Microsoft Entra Permissions Management is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+You can view information about users, groups, and resources that can access account information from an external account in Permissions Management.
+
+## Display information about users, groups, or tasks
+
+1. In Permissions Management, select the **Usage analytics** tab, and then, from the dropdown, select one of the following:
+
+ - **Users**
+ - **Group**
+ - **Active resources**
+ - **Active tasks**
+ - **Active resources**
+ - **Serverless functions**
+
+1. To choose an account from your authorization system, select the lock icon in the left panel.
+1. In the **Authorization systems** pane, select an account, then select **Apply**.
+1. To choose a user, role, or group, select the person icon.
+1. Select a user or group, then select **Apply**.
+1. To choose an account from your authorization system, select it from the Authorization Systems menu.
+1. In the user type filter, user, role, or group.
+1. In the **Task** filter, select **All** or **High-risk tasks**, then select **Apply**.
+1. To delete a task, select **Delete**, then select **Apply**.
+
+## Export information about users, groups, or tasks
+
+To export the data in comma-separated values (CSV) file format, select **Export** from the top-right hand corner of the table.
+
+## View users and roles
+1. To view users and roles, select the lock icon, and then select the person icon to open the **Users** pane.
+1. To view the **Role summary**, select the "eye" icon to the right of the role name.
+
+ The following details display:
+ - **Policies**: A list of all the policies attached to the role.
+ - **Trusted entities**: The identities from external accounts that can assume this role.
+
+1. To view all the identities from various accounts that can assume this role, select the down arrow to the left of the role name.
+1. To view a graph of all the identities that can access the specified account and through which role(s), select the role name.
+
+ If Permissions Management is monitoring the external account, it lists specific identities from the accounts that can assume this role. Otherwise, it lists the identities declared in the **Trusted entity** section.
+
+ **Connecting roles**: Lists the following roles for each account:
+ - *Direct roles* that are trusted by the account role.
+ - *Intermediary roles* that aren't directly trusted by the account role but are assumable by identities through role-chaining.
+
+1. To view all the roles from that account that are used to access the specified account, select the down arrow to the left of the account name.
+1. To view the trusted identities declared by the role, select the down arrow to the left of the role name.
+
+ The trusted identities for the role are listed only if the account is being monitored by Permissions Management.
+
+1. To view the role definition, select the "eye" icon to the right of the role name.
+
+ When you select the down arrow and expand details, a search box is displayed. Enter your criteria in this box to search for specific roles.
+
+ **Identities with access**: Lists the identities that come from external accounts:
+ - To view all the identities from that account can access the specified account, select the down arrow to the left of the account name.
+ - To view the **Role summary** for EC2 instances and Lambda functions, select the "eye" icon to the right of the identity name.
+ - To view a graph of how the identity can access the specified account and through which role(s), select the identity name.
+
+1. The **Info** tab displays the **Privilege creep index** and **Service control policy (SCP)** information about the account.
+
+For more information about the **Privilege creep index** and SCP information, see [View key statistics and data about your authorization system](ui-dashboard.md).
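Review bot: the dropdown list at the top of "Display information about users, groups, or tasks" contains **Active resources** twice (once before **Active tasks** and once after it), so either one entry is a duplicate or a different option was meant; drop the repeat or name the intended option. Two steps in the same procedure are also incomplete: `1. In the user type filter, user, role, or group.` has no verb (suggest "In the user type filter, select user, role, or group."), and the bullet `To view all the identities from that account can access the specified account` is missing "that" before "can". The step `To choose an account from your authorization system, select it from the Authorization Systems menu.` repeats the earlier lock-icon step for choosing an account; if these are two different paths to the same filter, say when each applies.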
active-directory Product Account Settings https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/product-account-settings.md
+
+ Title: View personal and organization information in Permissions Management
+description: How to view personal and organization information in the Account settings dashboard in Permissions Management.
+++++ Last updated : 02/23/2022+++
+# View personal and organization information
+
+> [!IMPORTANT]
+> Permissions Management is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+The **Account settings** dashboard in Permissions Management allows you to view personal information, passwords, and account preferences.
+This information can't be modified because the user information is pulled from Azure AD. Only **User Session Time(min)**
+
+## View personal information
+
+1. In the Permissions Management home page, select the down arrow to the right of the **User** (your initials) menu, and then select **Account Settings**.
+
+ The **Personal Information** box displays your **First Name**, **Last Name**, and the **Email Address** that was used to register your account on Permissions Management.
+
+## View current organization information
+
+1. In the Permissions Management home page, select the down arrow to the right of the **User** (your initials) menu, and then select **Account Settings**.
+
+ The **Current Organization Information** displays the **Name** of your organization, the **Tenant ID** box, and the **User Session Timeout (min)**.
+
+1. To change duration of the **User Session Timeout (min)**, select **Edit** (the pencil icon), and then enter the number of minutes before you want a user session to time out.
+1. Select the check mark to confirm your new setting.
++
+## Next steps
+
+- For information about how to manage user information, see [Manage users and groups with the User management dashboard](ui-user-management.md).
+- For information about how to view information about active and completed tasks, see [View information about active and completed tasks](ui-tasks.md).
+- For information about how to select group-based permissions settings, see [Select group-based permissions settings](how-to-create-group-based-permissions.md).
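Review bot: the introductory sentence `Only **User Session Time(min)**` in "View personal and organization information" is cut off and should finish the thought (presumably that this is the only field you can edit here), using the same field name the rest of the article uses, **User Session Timeout (min)**. Because this is the one setting an administrator can change on this page, it would also help to state the default value and the allowed range, since a very long session timeout weakens the protection a bounded session lifetime gives against reuse of an abandoned browser session.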
active-directory Product Audit Trail https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/product-audit-trail.md
+
+ Title: Filter and query user activity in Permissions Management
+description: How to filter and query user activity in Permissions Management.
+++++++ Last updated : 02/23/2022+++
+# Filter and query user activity
+
+> [!IMPORTANT]
+> Microsoft Entra Permissions Management is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+The **Audit** dashboard in Permissions Management details all user activity performed in your authorization system. It captures all high risk activity in a centralized location, and allows system administrators to query the logs. The **Audit** dashboard enables you to:
+
+- Create and save new queries so you can access key data points easily.
+- Query across multiple authorization systems in one query.
+
+## Filter information by authorization system
+
+If you haven't used filters before, the default filter is the first authorization system in the filter list.
+
+If you have used filters before, the default filter is last filter you selected.
+
+1. To display the **Audit** dashboard, on the Permissions Management home page, select **Audit**.
+
+1. To select your authorization system type, in the **Authorization System Type** box, select Amazon Web Services (**AWS**), Microsoft Azure (**Azure**), Google Cloud Platform (**GCP**), or Platform (**Platform**).
+
+1. To select your authorization system, in the **Authorization System** box:
+
+ - From the **List** subtab, select the accounts you want to use.
+ - From the **Folders** subtab, select the folders you want to use.
+
+1. To view your query results, select **Apply**.
+
+## Create, view, modify, or delete a query
+
+There are several different query parameters you can configure individually or in combination. The query parameters and corresponding instructions are listed in the following sections.
+
+- To create a new query, select **New Query**.
+- To view an existing query, select **View** (the eye icon).
+- To edit an existing query, select **Edit** (the pencil icon).
+- To delete a function line in a query, select **Delete** (the minus sign **-** icon).
+- To create multiple queries at one time, select **Add New Tab** to the right of the **Query** tabs that are displayed.
+
+ You can open a maximum number of six query tab pages at the same time. A message will appear when you've reached the maximum.
+
+## Create a query with specific parameters
+
+### Create a query with a date
+
+1. In the **New Query** section, the default parameter displayed is **Date In "Last day"**.
+
+ The first-line parameter always defaults to **Date** and can't be deleted.
+
+1. To edit date details, select **Edit** (the pencil icon).
+
+ To view query details, select **View** (the eye icon).
+
+1. Select **Operator**, and then select an option:
+ - **In**: Select this option to set a time range from the past day to the past year.
+ - **Is**: Select this option to choose a specific date from the calendar.
+ - **Custom**: Select this option to set a date range from the **From** and **To** calendars.
+
+1. To run the query on the current selection, select **Search**.
+
+1. To save your query, select **Save**.
+
+ To clear the recent selections, select **Reset**.
+
+### View operator options for identities
+
+The **Operator** menu displays the following options depending on the identity you select in the first dropdown:
+
+- **Is** / **Is Not**: View a list of all available usernames. You can either select or enter a username in the box.
+- **Contains** / **Not Contains**: Enter text that the **Username** should or shouldn't contain, for example, *Permissions Management*.
+- **In** / **Not In**: View a list all available usernames and select multiple usernames.
+
+### Create a query with a username
+
+1. In the **New query** section, select **Add**.
+
+1. From the menu, select **Username**.
+
+1. From the **Operator** menu, select the required option.
+
+1. To add criteria to this section, select **Add**.
+
+ You can change the operation between **And** / **Or** statements, and select other criteria. For example, the first set of criteria selected can be **Is** with the username **Test**.
+
+1. Select the plus (**+**) sign, select **Or** with **Contains**, and then enter a username, for example, *Permissions Management*.
+
+1. To remove a row of criteria, select **Remove** (the minus sign **-** icon).
+
+1. To run the query on the current selection, select **Search**.
+
+1. To clear the recent selections, select **Reset**.
+
+### Create a query with a resource name
+
+1. In the **New query** section, select **Add**.
+
+1. From the menu, select **Resource Name**.
+
+1. From the **Operator** menu, select the required option.
+
+1. To add criteria to this section, select **Add**.
+
+ You can change the operation between **And** / **Or** statements, and select other criteria. For example, the first set of criteria selected can be **Is** with resource name **Test**.
+
+1. Select the plus (**+**) sign, select **Or** with **Contains**, and then enter a username, for example, *Permissions Management*.
+
+1. To remove a row of criteria, select **Remove** (the minus sign **-** icon).
+
+1. To run the query on the current selection, select **Search**.
+
+1. To clear the recent selections, select **Reset**.
+
+### Create a query with a resource type
+
+1. In the **New Query** section, select **Add**.
+
+1. From the menu, select **Resource Type**.
+
+1. From the **Operator** menu, select the required option.
+
+1. To add criteria to this section, select **Add**.
+
+1. Change the operation between **And** / **Or** statements, and select other criteria. For example, the first set of criteria selected can be **Is** with resource type **s3::bucket**.
+
+1. Select the plus (**+**) sign, select **Or** with **Is**, and then enter or select `ec2::instance`.
+
+1. To remove a row of criteria, select **Remove** (the minus sign **-** icon).
+
+1. To run the query on the current selection, select **Search**.
+
+1. To clear the recent selections, select **Reset**.
++
+### Create a query with a task name
+
+1. In the **New Query** section, select **Add**.
+
+1. From the menu, select **Task Name**.
+
+1. From the **Operator** menu, select the required option.
+
+1. To add criteria to this section, select **Add**.
+
+1. Change the operation between **And** / **Or** statements, and select other criteria. For example, the first set of criteria selected can be **Is** with task name **s3:CreateBucket**.
+
+1. Select **Add**, select **Or** with **Is**, and then enter or select `ec2:TerminateInstance`.
+
+1. To remove a row of criteria, select **Remove** (the minus sign **-** icon).
+
+1. To run the query on the current selection, select **Search**.
+
+1. To clear the recent selections, select **Reset**.
+
+### Create a query with a state
+
+1. In the **New Query** section, select **Add**.
+
+1. From the menu, select **State**.
+
+1. From the **Operator** menu, select the required option.
+
+ - **Is** / **Is not**: Allows a user to select in the value field and select **Authorization Failure**, **Error**, or **Success**.
+
+1. To add criteria to this section, select **Add**.
+
+1. Change the operation between **And** / **Or** statements, and select other criteria. For example, the first set of criteria selected can be **Is** with State **Authorization Failure**.
+
+1. Select the **Add** icon, select **Or** with **Is**, and then select **Success**.
+
+1. To remove a row of criteria, select **Remove** (the minus sign **-** icon).
+
+1. To run the query on the current selection, select **Search**.
+
+1. To clear the recent selections, select **Reset**.
+
+### Create a query with a role name
+
+1. In the **New query** section, select **Add**.
+
+2. From the menu, select **Role Name**.
+
+3. From the **Operator** menu, select the required option.
+
+4. To add criteria to this section, select **Add**.
+
+5. Change the operation between **And** / **Or** statements, and select other criteria. For example, the first set of criteria selected can be **Contains** with free text **Test**.
+
+6. Select the **Add** icon, select **Or** with **Contains**, and then enter your criteria, for example *Permissions Management*.
+
+7. To remove a row of criteria, select **Remove** (the minus sign **-** icon).
+
+8. To run the query on the current selection, select **Search**.
+
+9. To clear the recent selections, select **Reset**.
+
+### Create a query with a role session name
+
+1. In the **New Query** section, select **Add**.
+
+2. From the menu, select **Role Session Name**.
+
+3. From the **Operator** menu, select the required option.
+
+4. To add criteria to this section, select **Add**.
+
+5. Change the operation between **And** / **Or** statements, and select other criteria. For example, the first set of criteria selected can be **Contains** with free text **Test**.
+
+6. Select the **Add** icon, select **Or** with **Contains**, and then enter your criteria, for example *Permissions Management*.
+
+7. To remove a row of criteria, select **Remove** (the minus sign **-** icon).
+
+8. To run the query on the current selection, select **Search**.
+
+9. To clear the recent selections, select **Reset**.
+
+### Create a query with an access key ID
+
+1. In the **New Query** section, select **Add**.
+
+2. From the menu, select **Access Key ID**.
+
+3. From the **Operator** menu, select the required option.
+
+4. To add criteria to this section, select **Add**.
+
+5. Change the operation between **And** / **Or** statements, and select other criteria. For example, the first set of criteria selected can be **Contains** with free `AKIAIFXNDW2Z2MPEH5OQ`.
+
+6. Select the **Add** icon, select **Or** with **Not** **Contains**, and then enter `AKIAVP2T3XG7JUZRM7WU`.
+
+7. To remove a row of criteria, select **Remove** (the minus sign **-** icon).
+
+8. To run the query on the current selection, select **Search**.
+
+9. To clear the recent selections, select **Reset**.
+
+### Create a query with a tag key
+
+1. In the **New Query** section, select **Add**.
+
+2. From the menu, select **Tag Key**.
+
+3. From the **Operator** menu, select the required option.
+
+4. To add criteria to this section, select **Add**.
+
+5. Change the operation between **And** / **Or** statements, and select other criteria. For example, the first set of criteria selected can be **Is** and type in, or select **Test**.
+
+6. Select the **Add** icon, select **Or** with **Is**, and then enter your criteria, for example *Permissions Management*.
+
+7. To remove a row of criteria, select **Remove** (the minus sign **-** icon).
+
+8. To run the query on the current selection, select **Search**.
+
+9. To clear the recent selections, select **Reset**.
+
+### Create a query with a tag key value
+
+1. In the **New Query** section, select **Add**.
+
+2. From the menu, select **Tag Key Value**.
+
+3. From the **Operator** menu, select the required option.
+
+4. To add criteria to this section, select **Add**.
+
+5. Change the operation between **And** / **Or** statements, and select other criteria. For example, the first set of criteria selected can be **Is** and type in, or select **Test**.
+
+6. Select the **Add** icon, select **Or** with **Is**, and then enter your criteria, for example *Permissions Management*.
+
+7. To remove a row of criteria, select **Remove** (the minus sign **-** icon).
+
+8. To run the query on the current selection, select **Search**.
+
+9. To clear the recent selections, select **Reset**.
+
+### View query results
+
+1. In the **Activity** table, your query results display in columns.
+
+ The results display all executed tasks that aren't read-only.
+
+1. To sort each column by ascending or descending value, select the up or down arrows next to the column name.
+
+ - **Identity Details**: The name of the identity, for example the name of the role session performing the task.
+
+ - To view the **Raw Events Summary**, which displays the full details of the event, next to the **Name** column, select **View**.
+
+ - **Resource Name**: The name of the resource on which the task is being performed.
+
+ If the column displays **Multiple**, it means multiple resources are listed in the column.
+
+1. To view a list of all resources, hover over **Multiple**.
+
+ - **Resource Type**: Displays the type of resource, for example, *Key* (encryption key) or *Bucket* (storage).
+ - **Task Name**: The name of the task that was performed by the identity.
+
+ An exclamation mark (**!**) next to the task name indicates that the task failed.
+
+ - **Date**: The date when the task was performed.
+
+ - **IP Address**: The IP address from where the user performed the task.
+
+ - **Authorization System**: The authorization system name in which the task was performed.
+
+1. To download the results in comma-separated values (CSV) file format, select **Download**.
+
+## Save a query
+
+1. After you complete your query selections from the **New Query** section, select **Save**.
+
+2. In the **Query Name** box, enter a name for your query, and then select **Save**.
+
+3. To save a query with a different name, select the ellipses (**...**) next to **Save**, and then select **Save As**.
+
+4. Make your query selections from the **New Query** section, select the ellipses (**...**), and then select **Save As**.
+
+5. To save a new query, in the **Save Query** box, enter the name for the query, and then select **Save**.
+
+6. To save an existing query you've modified, select the ellipses (**...**).
+
+ - To save a modified query under the same name, select **Save**.
+ - To save a modified query under a different name, select **Save As**.
+
+### View a saved query
+
+1. Select **Saved Queries**, and then select a query from the **Load Queries** list.
+
+ A message box opens with the following options: **Load with the saved authorization system** or **Load with the currently selected authorization system**.
+
+1. Select the appropriate option, and then select **Load Queries**.
+
+1. View the query information:
+
+ - **Query Name**: Displays the name of the saved query.
+ - **Query Type**: Displays whether the query is a *System* query or a *Custom* query.
+ - **Schedule**: Displays how often a report will be generated. You can schedule a one-time report or a monthly report.
+ - **Next On**: Displays the date and time the next report will be generated.
+ - **Format**: Displays the output format for the report, for example, CSV.
+ - **Last Modified On**: Displays the date in which the query was last modified on.
+
+1. To view or set schedule details, select the gear icon, select **Create Schedule**, and then set the details.
+
+ If a schedule has already been created, select the gear icon to open the **Edit Schedule** box.
+
+ - **Repeat**: Sets how often the report should repeat.
+ - **Start On**: Sets the date when you want to receive the report.
+ - **At**: Sets the specific time when you want to receive the report.
+ - **Report Format**: Select the output type for the file, for example, CSV.
+ - **Share Report With**: The email address of the user who is creating the schedule is displayed in this field. You can add other email addresses.
+
+1. After selecting your options, select **Schedule**.
++
+### Save a query under a different name
+
+- Select the ellipses (**...**).
+
+ System queries have only one option:
+
+ - **Duplicate**: Creates a duplicate of the query and names the file *Copy of XXX*.
+
+ Custom queries have the following options:
+
+ - **Rename**: Enter the new name of the query and select **Save**.
+ - **Delete**: Delete the saved query.
+
+ The **Delete Query** box opens, asking you to confirm that you want to delete the query. Select **Yes** or **No**.
+
+ - **Duplicate**: Creates a duplicate of the query and names it *Copy of XXX*.
+ - **Delete Schedule**: Deletes the schedule details for this query.
+
+ This option isn't available if you haven't yet saved a schedule.
+
+ The **Delete Schedule** box opens, asking you to confirm that you want to delete the schedule. Select **Yes** or **No**.
++
+## Export the results of a query as a report
+
+- To export the results of the query, select **Export**.
+
+ Permissions Management exports the results in comma-separated values (**CSV**) format, portable document format (**PDF**), or Microsoft Excel Open XML Spreadsheet (**XLSX**) format.
++
+## Next steps
+
+- For information on how to view how users access information, see [Use queries to see how users access information](ui-audit-trail.md).
+- For information on how to create a query, see [Create a custom query](how-to-create-custom-queries.md).
+- For information on how to generate an on-demand report from a query, see [Generate an on-demand report from a query](how-to-audit-trail-results.md).
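Review bot: in "Create a query with a resource name", step 5 still says `and then enter a username, for example, *Permissions Management*`, copied from the username section; the value entered there is a resource name. In "Create a query with an access key ID", step 5 reads `**Contains** with free `AKIAIFXNDW2Z2MPEH5OQ`` and is missing "text" after "free"; the two sample key IDs in that section also look like real AWS access key IDs rather than obvious placeholders, so use the documented example form (`AKIAIOSFODNN7EXAMPLE`) to avoid readers treating them as real values. The caveat under "View query results", `The results display all executed tasks that aren't read-only.`, deserves more prominence: an investigator may expect list, describe and get calls to appear in this dashboard, and the text should say that they do not. Smaller wording fixes: "a maximum number of six query tab pages" should be "a maximum of six query tabs", and "Displays the date in which the query was last modified on" should be "Displays the date on which the query was last modified".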
active-directory Product Dashboard https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/product-dashboard.md
+
+ Title: View data about the activity in your authorization system in Permissions Management
+description: How to view data about the activity in your authorization system in the Permissions Management Dashboard in Permissions Management.
+++++++ Last updated : 02/23/2022+++++
+# View data about the activity in your authorization system
+
+> [!IMPORTANT]
+> Microsoft Entra Permissions Management is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+The Permissions Management **Dashboard** provides an overview of the authorization system and account activity being monitored. You can use this dashboard to view data collected from your Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP) authorization systems.
+
+## View data about your authorization system
+
+1. In the Permissions Management home page, select **Dashboard**.
+1. From the **Authorization systems type** dropdown, select **AWS**, **Azure**, or **GCP**.
+1. Select the **Authorization System** box to display a **List** of accounts and **Folders** available to you.
+1. Select the accounts and folders you want, and then select **Apply**.
+
+ The **Permission Creep Index (PCI)** chart updates to display information about the accounts and folders you selected. The number of days since the information was last updated displays in the upper right corner.
+
+1. In the Permission Creep Index (PCI) graph, select a bubble.
+
+ The bubble displays the number of identities that are considered high-risk.
+
+ *High-risk* refers to the number of users who have permissions that exceed their normal or required usage.
+
+1. Select the box to display detailed information about the identities contributing to the **Low PCI**, **Medium PCI**, and **High PCI**.
+
+1. The **Highest PCI change** displays the authorization system name with the PCI number and the change number for the last seven days, if applicable.
+
+ - To view all the changes and PCI ratings in your authorization system, select **View all**.
+
+1. To return to the PCI graph, select the **Graph** icon in the upper right of the list box.
+
+For more information about the Permissions Management **Dashboard**, see [View key statistics and data about your authorization system](ui-dashboard.md).
+
+## View user data on the PCI heat map
+
+The **Permission Creep Index (PCI)** heat map shows the incurred risk of users with access to high-risk privileges. The distribution graph displays all the users who contribute to the privilege creep. It displays how many users contribute to a particular score. For example, if the score from the PCI chart is 14, the graph shows how many users have a score of 14.
+
+- To view detailed data about a user, select the number.
+
+ The PCI trend graph shows you the historical trend of the PCI score over the last 90 days.
+
+- To download the **PCI History** report, select **Download** (the down arrow icon).
++
+## View information about users, roles, resources, and PCI trends
+
+To view specific information about the following, select the number displayed on the heat map.
+
+- **Users**: Displays the total number of users and how many fall into the high, medium, and low categories.
+- **Roles**: Displays the total number of roles and how many fall into the high, medium, and low categories.
+- **Resources**: Displays the total number of resources and how many fall into the high, medium, and low categories.
+- **PCI trend**: Displays a line graph of the PCI trend over the last several weeks.
+
+## View identity findings
+
+The **Identity** section below the heat map on the left side of the page shows all the relevant findings about identities, including roles that can access secret information, roles that are inactive, over provisioned active roles, and so on.
+
+- To expand the full list of identity findings, select **All findings**.
+
+## View resource findings
+
+The **Resource** section below the heat map on the right side of the page shows all the relevant findings about your resources. It includes unencrypted S3 buckets, open security groups, managed keys, and so on.
+
+## Next steps
+
+- For more information about how to view key statistics and data in the Dashboard, see [View key statistics and data about your authorization system](ui-dashboard.md).
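Review bot: this hunk names the metric **Permission Creep Index (PCI)** while the users/groups hunk earlier in this commit calls the same field **Privilege creep index**; pick one name across the set. In "View user data on the PCI heat map", the bullet `To view detailed data about a user, select the number.` does not say which number on the heat map is meant, and the definition `*High-risk* refers to the number of users who have permissions that exceed their normal or required usage.` mixes a count with a classification; suggest "*High-risk* identities are those whose granted permissions exceed their observed or required usage." In "View resource findings", "managed keys" listed alongside unencrypted S3 buckets and open security groups is ambiguous about what condition is being flagged; state the actual finding.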
active-directory Product Data Inventory https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/product-data-inventory.md
+
+ Title: Display an inventory of created resources and licenses for your authorization system
+description: How to display an inventory of created resources and licenses for your authorization system in Permissions Management.
+++++++ Last updated : 02/23/2022+++
+# Display an inventory of created resources and licenses for your authorization system
+
+> [!IMPORTANT]
+> Microsoft Entra Permissions Management is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+You can use the **Inventory** dashboard in Permissions Management to display an inventory of created resources and licensing information for your authorization system and its associated accounts.
+
+## View resources created for your authorization system
+
+1. To access your inventory information, in the Permissions Management home page, select **Settings** (the gear icon).
+1. Select the **Inventory** tab, select the **Inventory** subtab, and then select your authorization system type:
+
+ - **AWS** for Amazon Web Services.
+ - **Azure** for Microsoft Azure.
+ - **GCP** for Google Cloud Platform.
+
+ The **Inventory** tab displays information pertinent to your authorization system type.
+
+1. To change the columns displayed in the table, select **Columns**, and then select the information you want to display.
+
+ - To discard your changes, select **Reset to default**.
+
+## View the number of licenses associated with your authorization system
+
+1. To access licensing information about your data sources, in the Permissions Management home page, select **Settings** (the gear icon).
+
+1. Select the **Inventory** tab, select the **Licensing** subtab, and then select your authorization system type.
+
+ The **Licensing** table displays the following information pertinent to your authorization system type:
+
+ - The names of your accounts in the **Authorization system** column.
+ - The number of **Compute** licenses.
+ - The number of **Serverless** licenses.
+ - The number of **Compute containers**.
+ - The number of **Databases**.
+ - The **Total number of licenses**.
++
+## Next steps
+
+- For information about viewing and configuring settings for collecting data from your authorization system and its associated accounts, see [View and configure settings for data collection](product-data-sources.md).
active-directory Product Data Sources https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/product-data-sources.md
+
+ Title: View and configure settings for data collection from your authorization system in Permissions Management
+description: How to view and configure settings for collecting data from your authorization system in Permissions Management.
+++++++ Last updated : 02/23/2022+++
+# View and configure settings for data collection
+
+> [!IMPORTANT]
+> Microsoft Entra Permissions Management is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
++
+You can use the **Data Collectors** dashboard in Permissions Management to view and configure settings for collecting data from your authorization systems. It also provides information about the status of the data collection.
+
+## Access and view data sources
+
+1. To access your data sources, in the Permissions Management home page, select **Settings** (the gear icon). Then select the **Data Collectors** tab.
+
+1. On the **Data Collectors** dashboard, select your authorization system type:
+
+ - **AWS** for Amazon Web Services.
+ - **Azure** for Microsoft Azure.
+ - **GCP** for Google Cloud Platform.
+
+1. To display specific information about an account:
+
+ 1. Enter the following information:
+
+ - **Uploaded on**: Select **All** accounts, **Online** accounts, or **Offline** accounts.
+ - **Transformed on**: Select **All** accounts, **Online** accounts, or **Offline** accounts.
+ - **Search**: Enter an ID or Internet Protocol (IP) address to find a specific account.
+
+ 1. Select **Apply** to display the results.
+
+ Select **Reset Filter** to discard your settings.
+
+1. The following information displays:
+
+ - **ID**: The unique identification number for the data collector.
+ - **Data types**: Displays the data types that are collected:
+ - **Entitlements**: The permissions of all identities and resources for all the configured authorization systems.
+ - **Recently uploaded on**: Displays whether the entitlement data is being collected.
+
+ The status displays *ONLINE* if the data collection has no errors and *OFFLINE* if there are errors.
+ - **Recently transformed on**: Displays whether the entitlement data is being processed.
+
+ The status displays *ONLINE* if the data processing has no errors and *OFFLINE* if there are errors.
+ - The **Tenant ID**.
+ - The **Tenant name**.
+
+## Modify a data collector
+
+1. Select the ellipses **(...)** at the end of the row in the table.
+1. Select **Edit Configuration**.
+
+ The **Permissions Management Onboarding - Summary** box displays.
+
+1. Select **Edit** (the pencil icon) for each field you want to change.
+1. Select **Verify now & save**.
+
+ To verify your changes later, select **Save & verify later**.
+
+ When your changes are saved, the following message displays: **Successfully updated configuration.**
+
+## Delete a data collector
+
+1. Select the ellipses **(...)** at the end of the row in the table.
+1. Select **Delete Configuration**.
+
+ The **Permissions Management Onboarding - Summary** box displays.
+1. Select **Delete**.
+1. Check your email for a one time password (OTP) code, and enter it in **Enter OTP**.
+
+ If you don't receive an OTP, select **Resend OTP**.
+
+ The following message displays: **Successfully deleted configuration.**
+
+## Start collecting data from an authorization system
+
+1. Select the **Authorization Systems** tab, and then select your authorization system type.
+1. Select the ellipses **(...)** at the end of the row in the table.
+1. Select **Collect Data**.
+
+ A message displays to confirm data collection has started.
+
+## Stop collecting data from an authorization system
+
+1. Select the ellipses **(...)** at the end of the row in the table.
+1. To delete your authorization system, select **Delete**.
+
+ The **Validate OTP To Delete Authorization System** box displays.
+
+1. Enter the OTP code
+1. Select **Verify**.
+
+## Next steps
+
+- For information about viewing an inventory of created resources and licensing information for your authorization system, see [Display an inventory of created resources and licenses for your authorization system](product-data-inventory.md)
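Review bot: The steps under the heading "Stop collecting data from an authorization system" do not stop collection; they delete the authorization system ("To delete your authorization system, select **Delete**", then the **Validate OTP To Delete Authorization System** box). Either retitle the section to match, or document the actual stop action and keep deletion separate, and state plainly that this path removes the system rather than pausing collection so an operator does not reach for it as a temporary measure. Smaller points in the same region: "Enter the OTP code" is missing its terminal period, and the **Recently uploaded on** / **Recently transformed on** entries (and the **Uploaded on** / **Transformed on** filters offering **All**, **Online**, **Offline**) are named like timestamps but described as an ONLINE/OFFLINE status; the descriptions should say what the column actually shows.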
active-directory Product Define Permission Levels https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/product-define-permission-levels.md
+
+ Title: Define and manage users, roles, and access levels in Permissions Management
+description: How to define and manage users, roles, and access levels in Permissions Management User management dashboard.
+++++++ Last updated : 02/23/2022+++
+# Define and manage users, roles, and access levels
+
+> [!IMPORTANT]
+> Microsoft Entra Permissions Management is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+In Permissions Management, a key component of the interface is the User management dashboard. This topic describes how system administrators can define and manage users, their roles, and their access levels in the system.
+
+## The User management dashboard
+
+The Permissions Management User management dashboard provides a high-level overview of:
+
+- Registered and invited users.
+- Permissions allowed for each user within a given system.
+- Recent user activity.
+
+It also provides the functionality to invite or delete a user, edit, view, and customize permissions settings.
++
+## Manage users for customers without SAML integration
+
+Follow this process to invite users if the customer hasn't enabled SAML integration with the Permissions Management application.
+
+### Invite a user to Permissions Management
+
+Inviting a user to Permissions Management adds the user to the system and allows system administrators to assign permissions to those users. Follow the steps below to invite a user to Permissions Management.
+
+1. To invite a user to Permissions Management, select the down caret icon next to the **User** icon on the right of the screen, and then select **User Management**.
+2. From the **Users** tab, select **Invite User**.
+3. From the **Set User Permission** window, in the **User** text box, enter the user's email address.
+4. Under **Permission**, select the applicable option.
+
+ - **Admin for All Authorization System Types**: **View**, **Control**, and **Approve** permissions for all Authorization System Types.
+
+ 1. Select **Next**.
+ 2. Select **Requestor for User** for each authorization system, if applicable.
+
+ A user must have an account with a valid email address in the authorization system to select **Requestor for User**. If a user doesn't exist in the authorization system, **Requestor for User** is grayed out.
+ 3. Optional: To request access for multiple other identities, under **Requestor for Other Users**, select **Add**, and then select **Users**.
+
+ For example, a user may have various roles in different authorization systems, so they can select the **Add** icon and the **Users** icon to request access for all their accounts.
+ 4. On the **Add Users** screen, enter the user's name or ID in the **User Search** box and select all applicable users. Then select **Add**.
+
+ - **Admin for Selected Authorization System Types**: **View**, **Control**, and **Approve** permissions for selected Authorization System Types.
+
+ 1. Select **Viewer**, **Controller**, or **Approver** for the appropriate authorization system(s).
+ 2. Select **Next**.
+ 3. Select **Requestor for User** for each authorization system, if applicable.
+
+ A user must have an account with a valid email address in the authorization system to select **Requestor for User**. If a user doesn't exist in the authorization system, **Requestor for User** is grayed out.
+ 4. Optional: To request access for multiple other identities, under **Requestor for Other Users**, select **Add**, and then select **Users**.
+
+ For example, a user may have various roles in different authorization systems, so they can select **Add**, and then select **Users** to request access for all their accounts.
+ 5. On the **Add Users** screen, enter the user's name or ID in the **User Search** box and select all applicable users. Then select **Add**.
+
+ - **Custom**: **View**, **Control**, and **Approve** permissions for specific accounts in **Auth System Types**.
+
+ 1. Select **Next**.
+
+ The default view displays the **List** section.
+ 2. Select the appropriate boxes for **Viewer**, **Controller**, or **Approver**.
+
+ For access to all authorization system types, select **All (Current and Future)**.
+ 1. Select **Next**.
+ 1. Select **Requestor for User** for each authorization system, if applicable.
+
+ A user must have an account with a valid email address in the authorization system to select **Requestor for User**. If a user doesn't exist in the authorization system, **Requestor for User** is grayed out.
+ 5. Optional: To request access for multiple other identities, under **Requestor for Other Users**, select **Add**, and then select **Users**.
+
+ For example, a user may have various roles in different authorization systems, so they can select **Add**, and then select **Users** to request access for all their accounts.
+ 6. On the **Add Users** screen, enter the user's name or ID in the **User Search** box and select all applicable users. Then select **Add**.
+
+5. Select **Save**.
+
+ The following message displays in green at the top of the screen: **New User Has Been Invited Successfully**.
+++
+## Manage users for customers with SAML integration
+
+Follow this process to invite users if the customer has enabled SAML integration with the Permissions Management application.
+
+### Create a permission in Permissions Management
+
+Creating a permission directly in Permissions Management allows system administrators to assign permissions to specific users. The following steps help you to create a permission.
+
+- On the right side of the screen, select the down caret icon next to **User**, and then select **User management**.
+
+- For **Users**:
+ 1. To create permissions for a specific user, select the **Users** tab, and then select **Permission.**
+ 2. From the **Set User Permission** window, enter the user's email address in the **User** text box.
+ 3. Under **Permission**, select the applicable button. Then expand menu to view instructions for each option.
+ - **Admin for All Authorization System Types**: **View**, **Control**, and **Approve** permissions for all Authorization System Types.
+ 1. Select **Next**.
+ 2. Check **Requestor for User** for each authorization system, if applicable.
+
+ A user must have an account with a valid email address in the authorization system to select **Requestor for User**. If a user doesn't exist in the authorization system, **Requestor for User** is grayed out.
+
+ 3. Optional: To request access for multiple other identities, under **Requestor for Other Users**, select **Add**, and then select **Users**.
+
+ For example, a user may have various roles in different authorization systems, so they can select **Add**, and then select **Users** to request access for all their accounts.
+
+ 4. On the **Add Users** screen, enter the user's name or ID in the **User Search** box and select all applicable users. Then select **Add**.
+
+ - **Admin for Selected Authorization System Types**: **View**, **Control**, and **Approve** permissions for selected Authorization System Types.
+ 1. Check **Viewer**, **Controller**, or **Approver** for the appropriate authorization system(s).
+ 2. Select **Next**.
+ 3. Check **Requestor for User** for each authorization system, if applicable.
+
+ A user must have an account with a valid email address in the authorization system to select **Requestor for User**. If a user doesn't exist in the authorization system, **Requestor for User** is grayed out.
+
+ 4. Optional: To request access for multiple other identities, under **Requestor for Other Users**, select **Add**, and then select **Users**.
+
+ For example, a user may have various roles in different authorization systems, so they can select **Add**, and then select **Users** to request access for all their accounts.
+ 5. On the **Add Users** screen, enter the user's name or ID in the **User Search** box and select all applicable users. Then select **Add**.
+ - **Custom**: **View**, **Control**, and **Approve** permissions for specific accounts in **Auth System Types**.
+
+ 1. Select **Next**.
+
+ The default view displays the **List** tab, which displays individual authorization systems.
+ - To view groups of authorization systems organized into folder, select the **Folder** tab.
+ 2. Check the appropriate boxes for **Viewer**, **Controller**, or **Approver**.
+
+ For access to all authorization system types, select **All (Current and Future)**.
+ 3. Select **Next**.
+ 4. Check **Requestor for User** for each authorization system, if applicable.
+
+ A user must have an account with a valid email address in the authorization system to select **Requestor for User**. If a user doesn't exist in the authorization system, **Requestor for User** is grayed out.
+ 5. Optional: To request access for multiple other identities, under **Requestor for Other Users**, select **Add**, and then select **Users**.
+
+ For example, a user can have various roles in different authorization systems, so they can select **Add**, and then select **Users** to request access for all their accounts.
+
+ 6. On the **Add Users** screen, enter the user's name or ID in the **User Search** box and select all applicable users. Then select **Add**.
+
+ 4. Select **Save**.
+
+ The following message displays in green at the top of the screen:
+ **New User Has Been Created Successfully**.
+ 5. The new user receives an email invitation to log in to Permissions Management.
+
+### The Pending tab
+
+1. To view the created permission, select the **Pending** tab. The system administrator can view the following details:
+ - **Email Address**: Displays the email address of the invited user.
+ - **Permissions**: Displays each service account and if the user has permissions as a **Viewer**, **Controller**, **Approver**, or **Requestor**.
+ - **Invited By**: Displays the email address of the person who sent the invitation.
+ - **Sent**: Displays the date the invitation was sent to the user.
+2. To make changes to the following, select the ellipses **(...)** in the far right column.
+ - **View Permissions**: Displays a list of accounts for which the user has permissions.
+ - **Edit Permissions**: System administrators can edit a user's permissions.
+ - **Delete**: System administrators can delete a permission
+ - **Reinvite**: System administrator can reinvite the permission if the user didn't receive the email invite
+
+ When a user registers with Permissions Management, they move from the **Pending** tab to the **Registered** tab.
+
+### The Registered tab
+
+- For **Users**:
+
+ 1. The **Registered** tab provides a high-level overview of user details to system administrators:
+ - The **Name/Email Address** column lists the name and email address of the user.
+ - The **Permissions** column lists each authorization system, and each type of permission.
+
+ If a user has all permissions for all authorization systems, **Admin for All Authorization Types** display across all columns. If a user only has some permissions, numbers display in each column they have permissions for. For example, if the number "3" is listed in the **Viewer** column, the user has viewer permission for three accounts within that authorization system.
+ - The **Joined On** column records when the user registered for Permissions Management.
+ - The **Recent Activity** column displays the date when a user last performed an activity.
+ - The **Search** button allows a system administrator to search for a user by name and all users who match the criteria displays.
+ - The **Filters** option allows a system administrator to filter by specific details. When the filter option is selected, the **Authorization System** box displays.
+
+ To display all authorization system accounts,Select **All**. Then select the appropriate boxes for the accounts that need to be viewed.
+ 2. To make the changes to the following changes, select the ellipses **(...)** in the far right column:
+ - **View Permissions**: Displays a list of accounts for which the user has permissions.
+ - **Edit Permissions**: System administrators can edit the accounts for which a user has permissions.
+ - **Remove Permissions**: System administrators can remove permissions from a user.
+
+- For **Groups**:
+ 1. To create permissions for a specific user, select the **Groups** tab, and then select **Permission**.
+ 2. From the **Set Group Permission** window, enter the name of the group in the **Group Name** box.
+
+ The identity provider creates groups.
+
+ Some users may be part of multiple groups. In this case, the user's overall permissions is a union of the permissions assigned the various groups the user is a member of.
+ 3. Under **Permission**, select the applicable button and expand the menu to view instructions for each option.
+
+ - **Admin for All Authorization System Types**: **View**, **Control**, and **Approve** permissions for all Authorization System Types.
+ 1. Select **Next**.
+ 2. Check **Requestor for User** for each authorization system, if applicable.
+
+ A user must have an account with a valid email address in the authorization system to select **Requestor for User**. If a user doesn't exist in the authorization system, **Requestor for User** is grayed out.
+ 3. Optional: To request access for multiple other identities, under **Requestor for Other Users**, select **Add**, and then select **Users**.
+
+ For example, a user may have various roles in different authorization systems, so they can select **Add**, and then select **Users** to request access for all their accounts.
+
+ 4. On the **Add Users** screen, enter the user's name or ID in the **User Search** box and select all applicable users. Then select **Add**.
+
+ - **Admin for Selected Authorization System Types**: **View**, **Control**, and **Approve** permissions for selected Authorization System Types.
+ 1. Check **Viewer**, **Controller**, or **Approver** for the appropriate authorization system(s).
+ 2. Select **Next**.
+ 3. Check **Requestor for User** for each authorization system, if applicable.
+
+ A user must have an account with a valid email address in the authorization system to select **Requestor for User**. If a user doesn't exist in the authorization system, **Requestor for User** is grayed out.
+ 4. Optional: To request access for multiple other identities, under **Requestor for Other Users**, select **Add**, and then select **Users**.
+
+ For example, a user may have various roles in different authorization systems, so they can select **Add**, and then select **Users** to request access for all their accounts.
+
+ 5. On the **Add Users** screen, enter the user's name or ID in the **User Search** box and select all applicable users. Then select **Add**.
+
+ - **Custom**: **View**, **Control**, and **Approve** permissions for specific accounts in Auth System Types.
+ 1. Select **Next**.
+
+ The default view displays the **List** section.
+
+ 2. Check the appropriate boxes for **Viewer**, **Controller**, or **Approver.
+
+ For access to all authorization system types, select **All (Current and Future)**.
+
+ 3. Select **Next**.
+
+ 4. Check **Requestor for User** for each authorization system, if applicable.
+
+ A user must have an account with a valid email address in the authorization system to select **Requestor for User**. If a user doesn't exist in the authorization system, **Requestor for User** is grayed out.
+
+ 5. Optional: To request access for multiple other identities, under **Requestor for Other Users**, select **Add**, and then select **Users**.
+
+ For example, a user may have various roles in different authorization systems, so they can select **Add**, and then select **Users** to request access for all their accounts.
+
+ 6. On the **Add Users** screen, enter the user's name or ID in the **User Search** box and select all applicable users. Then select **Add**.
+
+ 4. Select **Save**.
+
+ The following message displays in green at the top of the screen: **New Group Has Been Created Successfully**.
+
+### The Groups tab
+
+1. The **Groups** tab provides a high-level overview of user details to system administrators:
+
+ - The **Name** column lists the name of the group.
+ - The **Permissions** column lists each authorization system, and each type of permission.
+
+ If a group has all permissions for all authorization systems, **Admin for All Authorization Types** displays across all columns.
+
+ If a group only has some permissions, the corresponding columns display numbers for the groups.
+
+ For example, if the number "3" is listed in the **Viewer** column, then the group has viewer permission for three accounts within that authorization system.
+ - The **Modified By** column records the email address of the person who created the group.
+ - The **Modified On** column records the date the group was last modified on.
+ - The **Search** button allows a system administrator to search for a group by name and all groups who match the criteria displays.
+ - The **Filters** option allows a system administrator to filter by specific details. When the filter option is selected, the **Authorization System** box displays.
+
+ To display all authorization system accounts, select **All**. Then select the appropriate boxes for the accounts that need to be viewed.
+
+2. To make changes to the following, select the ellipses **(...)** in the far right column:
+ - **View Permissions**: Displays a list of the accounts for which the group has permissions.
+ - **Edit Permissions**: System administrators can edit a group's permissions.
+ - **Duplicate**: System administrators can duplicate permissions from one group to another.
+ - **Delete**: System administrators can delete permissions from a group.
++
+## Next steps
+
+- For information about how to view user management information, see [Manage users with the User management dashboard](ui-user-management.md).
+- For information about how to create group-based permissions, see [Create group-based permissions](how-to-create-group-based-permissions.md).
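Review bot: Step numbering in the **Custom** sub-procedure under "Invite a user to Permissions Management" restarts mid-list ("1. Select **Next**.", "2. Select the appropriate boxes...", then "1. Select **Next**.", "1. Select **Requestor for User**...", then "5. Optional..."); renumber it 1 to 6 to match the other two **Custom** sub-procedures in the article. Further points in this region: under "For **Groups**" the first step says "To create permissions for a specific user, select the **Groups** tab" where "group" is meant; "**Approver." in the Groups **Custom** list is missing its closing `**`; "accounts,Select **All**" is missing a space; "To make the changes to the following changes" is redundant; and "the user's overall permissions is a union of the permissions assigned the various groups" should read "are a union of the permissions assigned to the various groups". That union rule is the one least-privilege fact an administrator needs from this article (a user's effective rights are the sum of every group they belong to), so it deserves a NOTE callout rather than an indented aside.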
active-directory Product Integrations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/product-integrations.md
+
+ Title: View integration information about an authorization system in CloudKnox Permissions Management
+description: View integration information about an authorization system in CloudKnox Permissions Management.
+++++++ Last updated : 02/23/2022+++
+# View integration information about an authorization system
+
+> [!IMPORTANT]
+> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+The **Integrations** dashboard in CloudKnox Permissions Management (CloudKnox) allows you to view all your authorization systems in one place, and to ensure all applications are functioning as one. This information helps improve quality and performance as a whole.
+
+## Display integration information about an authorization system
+
+Refer to the **Integration** subpages in CloudKnox for information about available authorization systems for integration.
+
+1. To display the **Integrations** dashboard, select **User** (your initials) in the upper right of the screen, and then select **Integrations.**
+
+ The **Integrations** dashboard displays a tile for each available authorization system.
+
+1. Select an authorization system tile to view its integration information.
+
+## Available integrated authorization systems
+
+The following authorization systems may be listed in the **Integrations** dashboard, depending on which systems are integrated into the CloudKnox application.
+
+- **ServiceNow**: Manages digital workflows for enterprise operations, and the CloudKnox integration allows you to request and approve permissions through the ServiceNow ticketing workflow.
+- **Splunk**: Searches, monitors, and analyzes machine-generated data, and the CloudKnox integration enables exporting usage analytics data, alerts, and logs.
+- **HashiCorp Terraform**: CloudKnox enables the generation of least-privilege policies through the Hashi Terraform provider.
+- **CloudKnox API**: The CloudKnox application programming interface (API) provides access to CloudKnox features.
+- **Saviynt**: Enables you to view Identity entitlements and usage inside the Saviynt console.
+- **Securonix**: Enables exporting usage analytics data, alerts, and logs.
++++
+<!## Next steps>
+
+<![Installation overview](cloudknox-installation.md)>
+<![Configure integration with the CloudKnox API](cloudknox-integration-api.md)>
+<![Sign up and deploy FortSentry in your organization](cloudknox-fortsentry-registration.md)>
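Review bot: The hidden **Next steps** block at the end uses `<!## Next steps>` and `<![Installation overview](cloudknox-installation.md)>`, which is not HTML comment syntax (`<!-- ... -->`); as written the renderer will not reliably suppress it, and the `cloudknox-*.md` links inside it may surface to readers or fail link validation. Wrap the block in `<!-- -->` or delete it. Separately, this article still names the product "CloudKnox Permissions Management (CloudKnox)" while the adjacent articles in the same change set say "Microsoft Entra Permissions Management", and "Hashi Terraform provider" should be "HashiCorp Terraform provider".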
active-directory Product Permission Analytics https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/product-permission-analytics.md
+
+ Title: Create and view permission analytics triggers in Permissions Management
+description: How to create and view permission analytics triggers in the Permission analytics tab in Permissions Management.
+++++++ Last updated : 02/23/2022+++
+# Create and view permission analytics triggers
+
+> [!IMPORTANT]
+> Microsoft Entra Permissions Management is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+This article describes how you can create and view permission analytics triggers in Permissions Management.
+
+## View permission analytics triggers
+
+1. In the Permissions Management home page, select **Activity triggers** (the bell icon).
+1. Select **Permission Analytics**, and then select the **Alerts** subtab.
+
+ The **Alerts** subtab displays the following information:
+
+ - **Alert Name**: Lists the name of the alert.
+ - To view the name, ID, role, domain, authorization system, statistical condition, anomaly date, and observance period, select **Alert name**.
+ - To expand the top information found with a graph of when the anomaly occurred, select **Details**.
+ - **Anomaly Alert Rule**: Displays the name of the rule select when creating the alert.
+ - **# of Occurrences**: Displays how many times the alert trigger has occurred.
+ - **Task**: Displays how many tasks are affected by the alert
+ - **Resources**: Displays how many resources are affected by the alert
+ - **Identity**: Displays how many identities are affected by the alert
+ - **Authorization System**: Displays which authorization systems the alert applies to
+ - **Date/Time**: Displays the date and time of the alert.
+ - **Date/Time (UTC)**: Lists the date and time of the alert in Coordinated Universal Time (UTC).
+
+1. To filter the alerts, select the appropriate alert name or, from the **Alert Name** menu,select **All**.
+
+ - From the **Date** dropdown menu, select **Last 24 Hours**, **Last 2 Days**, **Last Week**, or **Custom Range**, and then select **Apply**.
+
+ If you select **Custom range**, select date and time settings, and then select **Apply**. - **View Trigger**: Displays the current trigger settings and applicable authorization system details.
+
+1. To view the following details, select the ellipses (**...**):
+
+ - **Details**: Displays **Authorization System Type**, **Authorization Systems**, **Resources**, **Tasks**, and **Identities** that matched the alert criteria.
+1. To view specific matches, select **Resources**, **Tasks**, or **Identities**.
+
+ The **Activity** section displays details about the **Identity Name**, **Resource Name**, **Task Name**, **Date**, and **IP Address**.
+
+## Create a permission analytics trigger
+
+1. In the Permissions Management home page, select **Activity triggers** (the bell icon).
+1. Select **Permission Analytics**, select the **Alerts** subtab, and then select **Create Permission Analytics Trigger**.
+1. In the **Alert Name** box, enter a name for the alert.
+1. Select the **Authorization System**.
+1. Select **Identity performed high number of tasks**, and then select **Next**.
+1. On the **Authorization Systems** tab, select the appropriate accounts and folders, or select **All**.
+
+ This screen defaults to the **List** view but can also be changed to the **Folder** view, and the applicable folder can be selected instead of individually by system.
+
+ - The **Status** column displays if the authorization system is online or offline
+ - The **Controller** column displays if the controller is enabled or disabled.
+
+1. On the **Configuration** tab, to update the **Time Interval**, select **90 Days**, **60 Days**, or **30 Days** from the **Time range** dropdown.
+1. Select **Save**.
+
+## View permission analytics alert triggers
+
+1. In the Permissions Management home page, select **Activity triggers** (the bell icon).
+1. Select **Permission Analytics**, and then select the **Alert Triggers** subtab.
+
+ The **Alert triggers** subtab displays the following information:
+
+ - **Alert**: Lists the name of the alert.
+ - **Anomaly Alert Rule**: Displays the name of the rule select when creating the alert.
+ - **# of users subscribed**: Displays the number of users subscribed to the alert.
+ - **Created By**: Displays the email address of the user who created the alert.
+ - **Last modified By**: Displays the email address of the user who last modified the alert.
+ - **Last Modified On**: Displays the date and time the trigger was last modified.
+ - **Subscription**: Toggle the button to **On** or **Off**.
+ - **View Trigger**: Displays the current trigger settings and applicable authorization system details.
+
+1. To view other options available to you, select the ellipses (**...**), and then make a selection from the available options:
+
+ - **Details** displays **Authorization System Type**, **Authorization Systems**, **Resources**, **Tasks**, and **Identities** that matched the alert criteria.
+ - To view the specific matches, select **Resources**, **Tasks**, or **Identities**.
+ - The **Activity** section displays details about the **Identity Name**, **Resource Name**, **Task Name**, **Date**, and **IP Address**.
+
+1. To filter by **Activated** or **Deactivated**, in the **Status** section, select **All**, **Activated**, or **Deactivated**, and then select **Apply**.
++
+## Next steps
+
+- For an overview on activity triggers, see [View information about activity triggers](ui-triggers.md).
+- For information on activity alerts and alert triggers, see [Create and view activity alerts and alert triggers](how-to-create-alert-trigger.md).
+- For information on rule-based anomalies and anomaly triggers, see [Create and view rule-based anomalies and anomaly triggers](product-rule-based-anomalies.md).
+- For information on finding outliers in identity's behavior, see [Create and view statistical anomalies and anomaly triggers](product-statistical-anomalies.md).
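Review bot: In "View permission analytics triggers", the line "If you select **Custom range**, select date and time settings, and then select **Apply**. - **View Trigger**: Displays the current trigger settings and applicable authorization system details." fuses a stray list item onto the end of a paragraph; the **View Trigger** entry belongs in a column list (it appears correctly in the "View permission analytics alert triggers" section), so move it or drop the duplicate. Also in this region: "the name of the rule select when creating the alert" (twice) should be "selected"; "menu,select" is missing a space; the **Task**, **Resources**, **Identity**, **Authorization System**, and **Status** column entries lack terminal periods; and "To view specific matches, select **Resources**, **Tasks**, or **Identities**" is a sub-step of the **Details** option, not a separate top-level step, so it should be indented under it as the later section does.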
active-directory Product Permissions Analytics Reports https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/product-permissions-analytics-reports.md
+
+ Title: Generate and download the Permissions analytics report in CloudKnox Permissions Management
+description: How to generate and download the Permissions analytics report in CloudKnox Permissions Management.
+++++++ Last updated : 02/23/2022+++
+# Generate and download the Permissions analytics report
+
+> [!IMPORTANT]
+> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+This article describes how to generate and download the **Permissions analytics report** in CloudKnox Permissions Management (CloudKnox).
+
+> [!NOTE]
+> This topic applies only to Amazon Web Services (AWS) users.
+
+## Generate the Permissions analytics report
+
+1. In the CloudKnox home page, select the **Reports** tab, and then select the **Systems Reports** subtab.
+
+ The **Systems Reports** subtab displays a list of reports the **Reports** table.
+1. Find **Permissions Analytics Report** in the list, and to download the report, select the down arrow to the right of the report name, or from the ellipses **(...)** menu, select **Download**.
+
+ The following message displays: **Successfully Started To Generate On Demand Report.**
+
+1. For detailed information in the report, select the right arrow next to one of the following categories. Or, select the required category under the **Findings** column.
+
+ - **AWS**
+ - Inactive Identities
+ - Users
+ - Roles
+ - Resources
+ - Serverless Functions
+ - Inactive Groups
+ - Super Identities
+ - Users
+ - Roles
+ - Resources
+ - Serverless Functions
+ - Over-Provisioned Active Identities
+ - Users
+ - Roles
+ - Resources
+ - Serverless Functions
+ - PCI Distribution
+ - Privilege Escalation
+ - Users
+ - Roles
+ - Resources
+ - S3 Bucket Encryption
+ - Unencrypted Buckets
+ - SSE-S3 Buckets
+ - S3 Buckets Accessible Externally
+ - EC2 S3 Buckets Accessibility
+ - Open Security Groups
+ - Identities That Can Administer Security Tools
+ - Users
+ - Roles
+ - Resources
+ - Serverless Functions
+ - Identities That Can Access Secret Information
+ - Users
+ - Roles
+ - Resources
+ - Serverless Functions
+ - Cross-Account Access
+ - External Accounts
+ - Roles That Allow All Identities
+ - Hygiene: MFA Enforcement
+ - Hygiene: IAM Access Key Age
+ - Hygiene: Unused IAM Access Keys
+ - Exclude From Reports
+ - Users
+ - Roles
+ - Resources
+ - Serverless Functions
+ - Groups
+ - Security Groups
+ - S3 Buckets
++
+1. Select a category and view the following columns of information:
+
+ - **User**, **Role**, **Resource**, **Serverless Function Name**: Displays the name of the identity.
+ - **Authorization System**: Displays the authorization system to which the identity belongs.
+ - **Domain**: Displays the domain name to which the identity belongs.
+ - **Permissions**: Displays the maximum number of permissions that the identity can be granted.
+ - **Used**: Displays how many permissions that the identity has used.
+ - **Granted**: Displays how many permissions that the identity has been granted.
+ - **PCI**: Displays the permission creep index (PCI) score of the identity.
+ - **Date Last Active On**: Displays the date that the identity was last active.
+ - **Date Created On**: Displays the date when the identity was created.
+++
+<!## Add and remove tags in the Permissions analytics report
+
+1. Select **Tags**.
+1. Select one of the categories from the **Permissions Analytics Report**.
+1. Select the identity name to which you want to add a tag. Then, select the checkbox at the top to select all identities.
+1. Select **Add Tag**.
+1. In the **Tag** column:
+ - To select from the available options from the list, select **Select a Tag**.
+ - To search for a tag, enter the tag name.
+ - To create a new custom tag, select **New Custom Tag**.
+ - To create a new tag, enter a name for the tag and select **Create**.
+ - To remove a tag, select **Delete**.
+
+1. In the **Value (optional)** box, enter a value, if necessary.
+1. Select **Save**.>
+
+## Next steps
+
+- For information on how to view system reports in the **Reports** dashboard, see [View system reports in the Reports dashboard](product-reports.md).
+- For a detailed overview of available system reports, see [View a list and description of system reports](all-reports.md).
+- For information about how to generate and view a system report, see [Generate and view a system report](report-view-system-report.md).
+- For information about how to create, view, and share a system report, see [Create, view, and share a custom report](report-view-system-report.md).
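Review bot: The last "Next steps" entry, "Create, view, and share a custom report", links to report-view-system-report.md, the same target as the entry above it; it should point to report-create-custom-report.md, the custom-report article added in this same commit. Two smaller points in this hunk: the disabled "Add and remove tags" section is wrapped in `<!## ...` and `...>` rather than `<!-- ... -->`, so Markdown will not treat it as a comment and the draft steps can render as literal text; either remove the block or use proper HTML comment delimiters. And "displays a list of reports the **Reports** table" is missing "in".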
active-directory Product Reports https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/product-reports.md
+
+ Title: View system reports in the Reports dashboard in CloudKnox Permissions Management
+description: How to view system reports in the Reports dashboard in CloudKnox Permissions Management.
+++++++ Last updated : 02/23/2022+++
+# View system reports in the Reports dashboard
+
+> [!IMPORTANT]
+> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+CloudKnox Permissions Management (CloudKnox) has various types of system report types available that capture specific sets of data. These reports allow management to:
+
+- Make timely decisions.
+- Analyze trends and system/user performance.
+- Identify trends in data and high risk areas so that management can address issues more quickly and improve their efficiency.
+
+## Explore the Reports dashboard
+
+The **Reports** dashboard provides a table of information with both system reports and custom reports. The **Reports** dashboard defaults to the **System Reports** tab, which has the following details:
+
+- **Report Name**: The name of the report.
+- **Category**: The type of report. For example, **Permission**.
+- **Authorization Systems**: Displays which authorizations the custom report applies to.
+- **Format**: Displays the output format the report can be generated in. For example, comma-separated values (CSV) format, portable document format (PDF), or Microsoft Excel Open XML Spreadsheet (XLSX) format.
+
+ - To download a report, select the down arrow to the right of the report name, or from the ellipses **(...)** menu, select **Download**.
+
+ The following message displays across the top of the screen in green if the download is successful: **Successfully Started To Generate On Demand Report**.
+
+## Available system reports
+
+CloudKnox offers the following reports for management associated with the authorization systems noted in parenthesis:
+
+- **Access Key Entitlements And Usage**:
+ - **Summary of report**: Provides information about access key, for example, permissions, usage, and rotation date.
+ - **Applies to**: Amazon Web Services (AWS) and Microsoft Azure
+ - **Report output type**: CSV
+ - **Ability to collate report**: Yes
+ - **Type of report**: **Summary** or **Detailed**
+ - **Use cases**:
+ - The access key age, last rotation date, and last usage date is available in the summary report to help with key rotation.
+ - The granted task and Permissions creep index (PCI) score to take action on the keys.
+
+- **User Entitlements And Usage**:
+ - **Summary of report**: Provides information about the identities' permissions, for example, entitlement, usage, and PCI.
+ - **Applies to**: AWS, Azure, and Google Cloud Platform (GCP)
+ - **Report output type**: CSV
+ - **Ability to collate report**: Yes
+ - **Type of report**: **Summary** or **Detailed**
+ - **Use cases**:
+ - The data displayed on the **Usage Analytics** screen is downloaded as part of the **Summary** report. The user's detailed permissions usage is listed in the **Detailed** report.
+
+- **Group Entitlements And Usage**:
+ - **Summary of report**: Provides information about the group's permissions, for example, entitlement, usage, and PCI.
+ - **Applies to**: AWS, Azure, and GCP
+ - **Report output type**: CSV
+ - **Ability to collate report**: Yes
+ - **Type of report**: **Summary**
+ - **Use cases**:
+ - All group level entitlements and permission assignments, PCIs, and the number of members are listed as part of this report.
+
+- **Identity Permissions**:
+ - **Summary of report**: Report on identities that have specific permissions, for example, identities that have permission to delete any S3 buckets.
+ - **Applies to**: AWS, Azure, and GCP
+ - **Report output type**: CSV
+ - **Ability to collate report**: No
+ - **Type of report**: **Summary**
+ - **Use cases**:
+ - Any task usage or specific task usage via User/Group/Role/App can be tracked with this report.
+
+- **Identity privilege activity report**
+ - **Summary of report**: Provides information about permission changes that have occurred in the selected duration.
+ - **Applies to**: AWS, Azure, and GCP
+ - **Report output type**: PDF
+ - **Ability to collate report**: No
+ - **Type of report**: **Summary**
+ - **Use cases**:
+ - Any identity permission change can be captured using this report.
+ - The **Identity Privilege Activity** report has the following main sections: **User Summary**, **Group Summary**, **Role Summary**, and **Delete Task Summary**.
+ - The **User** summary lists the current granted permissions and high-risk permissions and resources accessed in 1 day, 7 days, or 30 days. There are subsections for newly added or deleted users, users with PCI change, and High-risk active/inactive users.
+ - The **Group** summary lists the administrator level groups with the current granted permissions and high-risk permissions and resources accessed in 1 day, 7 days, or 30 days. There are subsections for newly added or deleted groups, groups with PCI change, and High-risk active/inactive groups.
+ - The **Role summary** lists similar details as **Group Summary**.
+ - The **Delete Task summary** section lists the number of times the **Delete task** has been executed in the given time period.
+
+- **Permissions Analytics Report**
+ - **Summary of report**: Provides information about the violation of key security best practices.
+ - **Applies to**: AWS, Azure, and GCP
+ - **Report output type**: CSV
+ - **Ability to collate report**: Yes
+ - **Type of report**: **Detailed**
+ - **Use cases**:
+ - This report lists the different key findings in the selected auth systems. The key findings include super identities, inactive identities, over provisioned active identities, storage bucket hygiene, and access key age (for AWS only). The report helps administrators to visualize the findings across the organization.
+
+ For more information about this report, see [Permissions analytics report](product-permissions-analytics-reports.md).
+
+- **Role/Policy Details**
+ - **Summary of report**: Provides information about roles and policies.
+ - **Applies to**: AWS, Azure, GCP
+ - **Report output type**: CSV
+ - **Ability to collate report**: No
+ - **Type of report**: **Summary**
+ - **Use cases**:
+ - Assigned/Unassigned, custom/system policy, and the used/unused condition is captured in this report for any specific, or all, AWS accounts. Similar data can be captured for Azure/GCP for the assigned/unassigned roles.
+
+- **PCI History**
+ - **Summary of report**: Provides a report of privilege creep index (PCI) history.
+ - **Applies to**: AWS, Azure, GCP
+ - **Report output type**: CSV
+ - **Ability to collate report**: Yes
+ - **Type of report**: **Summary**
+ - **Use cases**:
+ - This report plots the trend of the PCI by displaying the monthly PCI history for each authorization system.
+
+- **All Permissions for Identity**
+ - **Summary of report**: Provides results of all permissions for identities.
+ - **Applies to**: AWS, Azure, GCP
+ - **Report output type**: CSV
+ - **Ability to collate report**: Yes
+ - **Type of report**: **Detailed**
+ - **Use cases**:
+ - This report lists all the assigned permissions for the selected identities.
++++
+## Next steps
+
+- For a detailed overview of available system reports, see [View a list and description of system reports](all-reports.md).
+- For information about how to create, view, and share a system report, see [Create, view, and share a custom report](report-view-system-report.md).
+- For information about how to create and view a custom report, see [Generate and view a custom report](report-create-custom-report.md).
+- For information about how to create and view the Permissions analytics report, see [Generate and download the Permissions analytics report](product-permissions-analytics-reports.md).
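Review bot: The "Next steps" entry "Create, view, and share a custom report" links to report-view-system-report.md instead of report-create-custom-report.md, repeating the broken link from the previous file. In "Explore the Reports dashboard", the **Authorization Systems** column is described as "which authorizations the custom report applies to", but this is the **System Reports** tab; suggest "which authorization systems the report applies to". Naming is also inconsistent within the commit: this article introduces "CloudKnox Permissions Management (CloudKnox)" while the sibling anomaly and report articles use "Microsoft Entra Permissions Management", and PCI is expanded three different ways across the hunks ("permission creep index", "Permissions creep index", "privilege creep index"); pick one product name and one expansion. Minor grammar: "various types of system report types", "noted in parenthesis" (parentheses), "information about access key" (access keys), and "last usage date is available" (are available).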
active-directory Product Rule Based Anomalies https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/product-rule-based-anomalies.md
+
+ Title: Create and view rule-based anomalies and anomaly triggers in Permissions Management
+description: How to create and view rule-based anomalies and anomaly triggers in Permissions Management.
+++++++ Last updated : 02/23/2022+++
+# Create and view rule-based anomaly alerts and anomaly triggers
+
+> [!IMPORTANT]
+> Microsoft Entra Permissions Management is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+Rule-based anomalies identify recent activity in Permissions Management that is determined to be unusual based on explicit rules defined in the activity trigger. The goal of rule-based anomaly is high precision detection.
+
+## View rule-based anomaly alerts
+
+1. In the Permissions Management home page, select **Activity triggers** (the bell icon).
+1. Select **Rule-Based Anomaly**, and then select the **Alerts** subtab.
+
+ The **Alerts** subtab displays the following information:
+
+ - **Alert Name**: Lists the name of the alert.
+
+ - To view the specific identity, resource, and task names that occurred during the alert collection period, select the **Alert Name**.
+
+ - **Anomaly Alert Rule**: Displays the name of the rule select when creating the alert.
+ - **# of Occurrences**: How many times the alert trigger has occurred.
+ - **Task**: How many tasks performed are triggered by the alert.
+ - **Resources**: How many resources accessed are triggered by the alert.
+ - **Identity**: How many identities performing unusual behavior are triggered by the alert.
+ - **Authorization System**: Displays which authorization systems the alert applies to, Amazon Web Services (**AWS**), Microsoft **Azure**, or Google Cloud Platform (**GCP**).
+ - **Date/Time**: Lists the date and time of the alert.
+ - **Date/Time (UTC)**: Lists the date and time of the alert in Coordinated Universal Time (UTC).
++
+1. To filter alerts:
+
+ - From the **Alert Name** dropdown, select **All** or the appropriate alert name.
+ - From the **Date** dropdown menu, select **Last 24 Hours**, **Last 2 Days**, **Last Week**, or **Custom Range**, and select **Apply**.
+
+ - If you select **Custom Range**, also enter **From** and **To** duration settings.
+1. To view details that match the alert criteria, select the ellipses (**...**).
+
+ - **View Trigger**: Displays the current trigger settings and applicable authorization system details
+ - **Details**: Displays details about **Authorization System Type**, **Authorization Systems**, **Resources**, **Tasks**, **Identities**, and **Activity**
+ - **Activity**: Displays details about the **Identity Name**, **Resource Name**, **Task Name**, **Date/Time**, **Inactive For**, and **IP Address**. Selecting the "eye" icon displays the **Raw Events Summary**
+
+## Create a rule-based anomaly trigger
+
+1. In the Permissions Management home page, select **Activity triggers** (the bell icon).
+1. Select **Rule-Based Anomaly**, and then select the **Alerts** subtab.
+1. Select **Create Anomaly Trigger**.
+
+1. In the **Alert Name** box, enter a name for the alert.
+1. Select the **Authorization System**, **AWS**, **Azure**, or **GCP**.
+1. Select one of the following conditions:
+ - **Any Resource Accessed for the First Time**: The identity accesses a resource for the first time during the specified time interval.
+ - **Identity Performs a Particular Task for the First Time**: The identity does a specific task for the first time during the specified time interval.
+ - **Identity Performs a Task for the First Time**: The identity performs any task for the first time during the specified time interval
+1. Select **Next**.
+1. On the **Authorization Systems** tab, select the available authorization systems and folders, or select **All**.
+
+ This screen defaults to **List** view, but you can change it to **Folders** view. You can select the applicable folder instead of individually selecting by authorization system.
+
+ - The **Status** column displays if the authorization system is online or offline.
+ - The **Controller** column displays if the controller is enabled or disabled.
+
+1. On the **Configuration** tab, to update the **Time Interval**, select **90 Days**, **60 Days**, or **30 Days** from the **Time range** dropdown.
+1. Select **Save**.
+
+## View a rule-based anomaly trigger
+
+1. In the Permissions Management home page, select **Activity triggers** (the bell icon).
+1. Select **Rule-Based Anomaly**, and then select the **Alert Triggers** subtab.
+
+ The **Alert Triggers** subtab displays the following information:
+
+ - **Alerts**: Displays the name of the alert.
+ - **Anomaly Alert Rule**: Displays the name of the selected rule when creating the alert.
+ - **# of Users Subscribed**: Displays the number of users subscribed to the alert.
+ - **Created By**: Displays the email address of the user who created the alert.
+ - **Last Modified By**: Displays the email address of the user who last modified the alert.
+ - **Last Modified On**: Displays the date and time the trigger was last modified.
+ - **Subscription**: Subscribes you to receive alert emails. Switches between **On** and **Off**.
+
+1. To view other options available to you, select the ellipses (**...**), and then select from the available options:
+
+ If the **Subscription** is **On**, the following options are available:
+
+ - **Edit**: Enables you to modify alert parameters.
+
+ Only the user who created the alert can edit the trigger screen, rename an alert, deactivate an alert, and delete an alert. Changes made by other users aren't saved.
+
+ - **Duplicate**: Create a duplicate copy of the selected alert trigger.
+ - **Rename**: Enter the new name of the query, and then select **Save.**
+ - **Deactivate**: The alert will still be listed, but will no longer send emails to subscribed users.
+ - **Activate**: Activate the alert trigger and start sending emails to subscribed users.
+ - **Notification Settings**: View the **Email** of users who are subscribed to the alert trigger.
+ - **Delete**: Delete the alert.
+
+ If the **Subscription** is **Off**, the following options are available:
+ - **View**: View details of the alert trigger.
+ - **Notification Settings**: View the **Email** of users who are subscribed to the alert trigger.
+ - **Duplicate**: Create a duplicate copy of the selected alert trigger.
+
+1. To filter by **Activated** or **Deactivated**, in the **Status** section, select **All**, **Activated**, or **Deactivated**, and then select **Apply**.
+++
+## Next steps
+
+- For an overview on activity triggers, see [View information about activity triggers](ui-triggers.md).
+- For information on activity alerts and alert triggers, see [Create and view activity alerts and alert triggers](how-to-create-alert-trigger.md).
+- For information on finding outliers in identity's behavior, see [Create and view statistical anomalies and anomaly triggers](product-statistical-anomalies.md).
+- For information on permission analytics triggers, see [Create and view permission analytics triggers](product-permission-analytics.md).
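Review bot: The statement under **Edit** that only the alert's creator can edit, rename, deactivate, or delete a trigger and that "Changes made by other users aren't saved" describes an authorization boundary and is easy to miss as an indented paragraph; format it as a `> [!NOTE]` block, as the statistical-anomaly article in this commit does, and say what a non-creator actually sees (options unavailable, or an error on save), since "aren't saved" suggests a silent failure. Also in the **Alerts** column list, "name of the rule select when creating the alert" should be "rule selected", and the **Task**, **Resources**, and **Identity** descriptions read backwards ("How many tasks performed are triggered by the alert"); the tasks, resources, and identities are what triggered the alert, so "Number of tasks that triggered the alert" and similar. Finally, the create procedure here says select **Create Anomaly Trigger** while the statistical-anomaly article says **Create Alert Trigger**; verify the button label is the same in both.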
active-directory Product Statistical Anomalies https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/product-statistical-anomalies.md
+
+ Title: Create and view statistical anomalies and anomaly triggers in Permissions Management
+description: How to create and view statistical anomalies and anomaly triggers in the Statistical Anomaly tab in Permissions Management.
+++++++ Last updated : 02/23/2022+++
+# Create and view statistical anomalies and anomaly triggers
+
+> [!IMPORTANT]
+> Microsoft Entra Permissions Management is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+Statistical anomalies can detect outliers in an identity's behavior if recent activity is determined to be unusual based on models defined in an activity trigger. The goal of this anomaly trigger is a high recall rate.
+
+## View statistical anomalies in an identity's behavior
+
+1. In the Permissions Management home page, select **Activity triggers** (the bell icon).
+1. Select **Statistical Anomaly**, and then select the **Alerts** subtab.
+
+ The **Alerts** subtab displays the following information:
+
+ - **Alert Name**: Lists the name of the alert.
+ - **Anomaly Alert Rule**: Displays the name of the rule select when creating the alert.
+ - **# of Occurrences**: Displays how many times the alert trigger has occurred.
+ - **Authorization System**: Displays which authorization systems the alert applies to.
+ - **Date/Time**: Lists the day of the outlier occurring.
+ - **Date/Time (UTC)**: Lists the day of the outlier occurring in Coordinated Universal Time (UTC).
++
+1. To filter the alerts based on name, select the appropriate alert name or choose **All** from the **Alert Name** dropdown menu, and select **Apply**.
+1. To filter the alerts based on alert time, select **Last 24 Hours**, **Last 2 Days**, **Last Week**, or **Custom Range** from the **Date** dropdown menu, and select **Apply**.
+1. If you select the ellipses (**...**) and select:
+ - **Details**, this brings you to an Alert Summary view with **Authorization System**, **Statistical Model** and **Observance Period** displayed along with a table with a row per identity triggering this alert. From here you can click:
+ - **Details**: Displays graph(s) highlighting the anomaly with context, and up to the top 3 actions performed on the day of the anomaly
+ - **View Trigger**: Displays the current trigger settings and applicable authorization system details
+ - **View Trigger**: Displays the current trigger settings and applicable authorization system details
+
+## Create a statistical anomaly trigger
+
+1. In the Permissions Management home page, select **Activity triggers** (the bell icon).
+1. Select **Statistical Anomaly**, select the **Alerts** subtab, and then select **Create Alert Trigger**.
+1. Enter a name for the alert in the **Alert Name** box.
+1. Select the **Authorization System**, Amazon Web Services (**AWS**), Microsoft **Azure**, or Google Cloud Platform (**GCP**).
+1. Select one of the following conditions:
+
+ - **Identity Performed High Number of Tasks**: The identity performs higher than their usual volume of tasks. For example, an identity typically performs 25 tasks per day, and now it is performing 100 tasks per day.
+ - **Identity Performed Low Number of Tasks**: The identity performs lower than their usual volume of tasks. For example, an identity typically performs 100 tasks per day, and now it is performing 25 tasks per day.
+ - **Identity Performed Tasks with Unusual Results**: The identity performing an action gets a different result than usual, such as most tasks end in a successful result and are now ending in a failed result or vice versa.
+ - **Identity Performed Tasks with Unusual Timing**: The identity does tasks at unusual times as established by their baseline in the observance period. Times are grouped by the following UTC 4 hour windows.
+ - 12AM-4AM UTC
+ - 4AM-8AM UTC
+ - 8AM-12PM UTC
+ - 12PM-4PM UTC
+ - 4PM-8PM UTC
+ - 8PM-12AM UTC
+ - **Identity Performed Tasks with Unusual Types**: The identity performs unusual types of tasks as established by their baseline in the observance period. For example, an identity performs read, write, or delete tasks they wouldn't ordinarily perform.
+ - **Identity Performed Tasks with Multiple Unusual Patterns**: The identity has several unusual patterns in the tasks performed by the identity as established by their baseline in the observance period.
+1. Select **Next**.
+
+1. On the **Authorization Systems** tab, select the appropriate systems, or, to select all systems, select **All**.
+
+ The screen defaults to the **List** view but you can switch to **Folder** view using the menu, and then select the applicable folder instead of individually by system.
+
+ - The **Status** column displays if the authorization system is online or offline.
+
+ - The **Controller** column displays if the controller is enabled or disabled.
++
+1. On the **Configuration** tab, to update the **Time Interval**, from the **Time Range** dropdown, select **90 Days**, **60 Days**, or **30 Days**, and then select **Save**.
+
+## View statistical anomaly triggers
+
+1. In the Permissions Management home page, select **Activity triggers** (the bell icon).
+1. Select **Statistical Anomaly**, and then select the **Alert Triggers** subtab.
+
+ The **Alert Triggers** subtab displays the following information:
+
+ - **Alert**: Displays the name of the alert.
+ - **Anomaly Alert Rule**: Displays the name of the rule select when creating the alert.
+ - **# of users subscribed**: Displays the number of users subscribed to the alert.
+ - **Created By**: Displays the email address of the user who created the alert.
+ - **Last Modified By**: Displays the email address of the user who last modified the alert.
+ - **Last Modified On**: Displays the date and time the trigger was last modified.
+ - **Subscription**: Subscribes you to receive alert emails. Toggle the button to **On** or **Off**.
+
+1. To filter by **Activated** or **Deactivated**, in the **Status** section, select **All**, **Activated**, or **Deactivated**, and then select **Apply**.
+
+1. To view other options available to you, select the ellipses (**...**), and then select from the available options:
+
+ If the **Subscription** is **On**, the following options are available:
+ - **Edit**: Enables you to modify alert parameters
+
+ > [!NOTE]
+ > Only the user who created the alert can perform the following actions: edit the trigger screen, rename an alert, deactivate an alert, and delete an alert. Changes made by other users aren't saved.
+ - **Duplicate**: Create a duplicate copy of the selected alert trigger.
+ - **Rename**: Enter the new name of the query, and then select **Save.**
+ - **Deactivate**: The alert will still be listed, but will no longer send emails to subscribed users.
+ - **Activate**: Activate the alert trigger and start sending emails to subscribed users.
+ - **Notification Settings**: View the **Email** of users who are subscribed to the alert trigger.
+ - **Delete**: Delete the alert.
+
+ If the **Subscription** is **Off**, the following options are available:
+ - **View**: View details of the alert trigger.
+ - **Notification settings**: View the **Email** of users who are subscribed to the alert trigger.
+ - **Duplicate**: Create a duplicate copy of the selected alert trigger.
++
+1. Select **Apply**.
+++
+## Next steps
+
+- For an overview on activity triggers, see [View information about activity triggers](ui-triggers.md).
+- For information on activity alerts and alert triggers, see [Create and view activity alerts and alert triggers](how-to-create-alert-trigger.md).
+- For information on rule-based anomalies and anomaly triggers, see [Create and view rule-based anomalies and anomaly triggers](product-rule-based-anomalies.md).
+- For information on permission analytics triggers, see [Create and view permission analytics triggers](product-permission-analytics.md).
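Review bot: The **View Trigger** item appears twice in a row in the ellipses step of "View statistical anomalies"; delete the duplicate. The same step, "If you select the ellipses (**...**) and select:", is hard to follow and uses "click" where the rest of the article uses "select"; suggest "Select the ellipses (**...**), and then select one of the following:". In "View statistical anomaly triggers", the trailing "1. Select **Apply**" after the **Subscription Off** options belongs to the **Status** filter step above it (which already ends with "select **Apply**"), so it can be dropped. "Name of the rule select when creating the alert" should read "rule selected" in both column lists.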
active-directory Report Create Custom Report https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/report-create-custom-report.md
+
+ Title: Create, view, and share a custom report a custom report in Permissions Management
+description: How to create, view, and share a custom report in the Permissions Management.
+++++++ Last updated : 02/23/2022+++
+# Create, view, and share a custom report
+
+> [!IMPORTANT]
+> Microsoft Entra Permissions Management is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+This article describes how to create, view, and share a custom report in Permissions Management.
+
+## Create a custom report
+
+1. In the Permissions Management home page, select the **Reports** tab, and then select the **Custom Reports** subtab.
+1. Select **New Custom Report**.
+1. In the **Report Name** box, enter a name for your report.
+1. From the **Report Based on** list:
+ 1. To view which authorization systems the report applies to, hover over each report name.
+ 1. To view a description of a report, select the report.
+1. Select a report you want to use as the base for your custom report, and then select **Next**.
+1. In the **MyReport** box, select the **Authorization System** you want: Amazon Web Services (**AWS**), Microsoft Azure (**Azure**), or Google Cloud Platform (**GCP**).
+
+1. To add specific accounts, select the **List** subtab, and then select **All** or the account names.
+1. To add specific folders, select the **Folders** subtab, and then select **All** or the folder names.
+
+1. Select the **Report Format** subtab, and then select the format for your report: comma-separated values (**CSV**) file, portable document format (**PDF**), or Microsoft Excel Open XML Spreadsheet (**XLSX**) file.
+1. Select the **Schedule** tab, and then select the frequency for your report, from **None** up to **Monthly**.
+
+ - For **Hourly** and **Daily** options, set the start date by choosing from the **Calendar** dropdown, and can input a specific time of the day they want to receive the report.
+
+ In addition to date and time, the **Weekly** and **Biweekly** provide options for you to select on which day(s)of the week the report should repeat.
+
+1. Select **Save**.
+
+ The following message displays across the top of the screen in green if the download is successful: **Report has been created**.
+The report name appears in the **Reports** table.
+
+## View a custom report
+
+1. In the Permissions Management home page, select the **Reports** tab, and then select the **Custom Reports** subtab.
+
+ The **Custom Reports** tab displays the following information in the **Reports** table:
+
+ - **Report Name**: The name of the report.
+ - **Category**: The type of report: **Permission**.
+ - **Authorization System**: The authorization system in which you can view the report: AWS, Azure, and GCP.
+ - **Format**: The format of the report, **CSV**, **PDF**, or **XLSX** format.
+
+1. To view a report, from the **Report Name** column, select the report you want.
+1. To download a report, select the down arrow to the right of the report name, or from the ellipses **(...)** menu, select **Download**.
+1. To refresh the list of reports, select **Reload**.
+
+## Share a custom report
+
+1. In the Permissions Management home page, select the **Reports** tab, and then select the **Custom Reports** subtab.
+1. In the **Reports** table, select a report and then select the ellipses (**...**) icon.
+1. In the **Report Settings** box, select **Share with**.
+1. In the **Search Email to add** box, enter the name of other Permissions Management user(s).
+
+ You can only share reports with other Permissions Management users.
+1. Select **Save**.
+
+## Search for a custom report
+
+1. In the Permissions Management home page, select the **Reports** tab, and then select the **Custom Reports** subtab.
+1. On the **Custom Reports** tab, select **Search**.
+1. In the **Search** box, enter the name of the report you want.
+
+ The **Custom Reports** tab displays a list of reports that match your search criteria.
+1. Select the report you want.
+1. To download a report, select the down arrow to the right of the report name, or from the ellipses **(...)** menu, select **Download**.
+1. To refresh the list of reports, select **Reload**.
++
+## Modify a saved or scheduled custom report
+
+1. In the Permissions Management home page, select the **Reports** tab, and then select the **Custom Reports** subtab.
+1. Hover over the report name on the **Custom Reports** tab.
+
+ - To rename the report, select **Edit** (the pencil icon), and enter a new name.
+ - To change the settings for your report, select **Settings** (the gear icon). Make your changes, and then select **Save**.
+
+ - To download a copy of the report, select the **Down arrow** icon.
+
+1. To perform other actions to the report, select the ellipses (**...**) icon:
+
+ - **Download**: Downloads a copy of the report.
+
+ - **Report Settings**: Displays the settings for the report, including scheduling, sharing the report, and so on.
+
+ - **Duplicate**: Creates a duplicate of the report called **"Copy of XXX"**. Any reports not created by the current user are listed as **Duplicate**.
+
+ When you select **Duplicate**, a box appears asking if you're sure you want to create a duplicate. Select **Confirm**.
+
+ When the report is successfully duplicated, the following message displays: **Report generated successfully**.
+
+ - **API Settings**: Download the report using your Application Programming Interface (API) settings.
+
+ When this option is selected, the **API Settings** window opens and displays the **Report ID** and **Secret Key**. Select **Generate New Key**.
+
+ - **Delete**: Select this option to delete the report.
+
+ After selecting **Delete**, a pop-up box appears asking if the user is sure they want to delete the report. Select **Confirm**.
+
+ **Report is deleted successfully** appears across the top of the screen in green if successfully deleted.
+
+ - **Unsubscribe**: Unsubscribe the user from receiving scheduled reports and notifications.
+
+ This option is only available after a report has been scheduled.
++
+## Next steps
+
+- For information on how to view system reports in the **Reports** dashboard, see [View system reports in the Reports dashboard](product-reports.md).
+- For a detailed overview of available system reports, see [View a list and description of system reports](all-reports.md).
+- For information about how to generate and view a system report, see [Generate and view a system report](report-view-system-report.md).
+- For information about how to create and view the Permissions analytics report, see [Generate and download the Permissions analytics report](product-permissions-analytics-reports.md).
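Review bot: the **API Settings** bullet hands the reader a credential without saying how to handle it. After `When this option is selected, the **API Settings** window opens and displays the **Report ID** and **Secret Key**. Select **Generate New Key**.` add that the Secret Key authorizes report download outside the portal and must be stored and shared like any other API secret, and state what **Generate New Key** does to a previously issued key (whether integrations still using the old key stop working), because as written generating a key reads like a mandatory step rather than a rotation. Minor: `Any reports not created by the current user are listed as **Duplicate**.` does not say where or in what sense they are "listed as" Duplicate; reword so the behaviour is unambiguous.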
active-directory Report View System Report https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/report-view-system-report.md
+
+ Title: Generate and view a system report in Permissions Management
+description: How to generate and view a system report in the Permissions Management.
+++++++ Last updated : 02/23/2022+++
+# Generate and view a system report
+
+> [!IMPORTANT]
+> Microsoft Entra Permissions Management is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+This article describes how to generate and view a system report in Permissions Management.
+
+## Generate a system report
+
+1. In the Permissions Management home page, select the **Reports** tab, and then select the **Systems Reports** subtab.
+ The **Systems Reports** subtab displays the following options in the **Reports** table:
+
+ - **Report Name**: The name of the report.
+ - **Category**: The type of report: **Permission**.
+ - **Authorization System**: The authorization system activity in the report: Amazon Web Services (AWS), Microsoft Azure (Azure), and Google Cloud Platform (GCP).
+ - **Format**: The format in which the report is available: comma-separated values (**CSV**) format, portable document format (**PDF**), or Microsoft Excel Open XML Spreadsheet (**XLSX**) format.
+
+1. In the **Report Name** column, find the report you want, and then select the down arrow to the right of the report name to download the report.
+
+ Or, from the ellipses **(...)** menu, select **Download**.
+
+ The following message displays: **Successfully Started To Generate On Demand Report.**
+
+ > [!NOTE]
+ > If you select one authorization system, the report includes a summary. If you select more than one authorization system, the report does not include a summary.
+
+1. To refresh the list of reports, select **Reload**.
+
+## Search for a system report
+
+1. On the **Systems Reports** subtab, select **Search**.
+1. In the **Search** box, enter the name of the report you want.
+
+ The **Systems Reports** subtab displays a list of reports that match your search criteria.
+1. Select a report from the **Report Name** column.
+1. To download a report, select the down arrow to the right of the report name, or from the ellipses **(...)** menu, select **Download**.
+1. To refresh the list of reports, select **Reload**.
++
+## Next steps
+
+- For information on how to view system reports in the **Reports** dashboard, see [View system reports in the Reports dashboard](product-reports.md).
+- For a detailed overview of available system reports, see [View a list and description of system reports](all-reports.md).
+- For information about how to create, view, and share a system report, see [Create, view, and share a custom report](report-view-system-report.md).
+- For information about how to create and view the Permissions analytics report, see [Generate and download the Permissions analytics report](product-permissions-analytics-reports.md).
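Review bot: the third Next steps link, `- For information about how to create, view, and share a system report, see [Create, view, and share a custom report](report-view-system-report.md).`, points back at this same article and mixes "system report" with "custom report" in one sentence; repoint it at the custom-report article and make the description and link text agree. Also, the download step reports `Successfully Started To Generate On Demand Report.`, which implies generation is asynchronous, yet the step is written as if the file arrives on click; say where the finished report appears (or that a download link is emailed, as the Dashboard article states for its exports) so readers do not assume the download failed.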
active-directory Training Videos https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/training-videos.md
+
+ Title: CloudKnox Permissions Management training videos
+description: CloudKnox Permissions Management training videos.
+++++++ Last updated : 04/20/2022+++
+# CloudKnox Permissions Management training videos
+
+To view step-by-step training videos on how to use CloudKnox Permissions Management (CloudKnox) features, select a link below.
+
+## Onboard CloudKnox in your organization
++
+### Enable CloudKnox in your Azure Active Directory (Azure AD) tenant
+
+To view a video on how to enable CloudKnox in your Azure AD tenant, select [Enable CloudKnox in your Azure AD tenant](https://www.youtube.com/watch?v=-fkfeZyevoo).
+
+### Configure and onboard Amazon Web Services (AWS) accounts
+
+To view a video on how to configure and onboard Amazon Web Services (AWS) accounts in CloudKnox, select [Configure and onboard AWS accounts](https://www.youtube.com/watch?v=R6K21wiWYmE).
+
+### Configure and onboard Google Cloud Platform (GCP) accounts
+
+To view a video on how to configure and onboard Google Cloud Platform (GCP) accounts in CloudKnox, select [Configure and onboard GCP accounts](https://www.youtube.com/watch?app=desktop&v=W3epcOaec28).
++++
+## Next steps
+
+- For an overview of CloudKnox, see [What's CloudKnox Permissions Management?](overview.md)
+- For a list of frequently asked questions (FAQs) about CloudKnox, see [FAQs](faqs.md).
+- For information on how to start viewing information about your authorization system in CloudKnox, see [View key statistics and data about your authorization system](ui-dashboard.md).
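Review bot: this article still names the product CloudKnox throughout (title, `To view step-by-step training videos on how to use CloudKnox Permissions Management (CloudKnox) features, select a link below.`, and every Next steps entry), while the sibling articles in this same change set say Microsoft Entra Permissions Management and carry the PREVIEW notice; align the naming and add the notice, or readers will take these for two different products. Minor: the GCP link `https://www.youtube.com/watch?app=desktop&v=W3epcOaec28` carries an `app=desktop&` query parameter the other two YouTube links do not; drop it for consistency.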
active-directory Troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/troubleshoot.md
+
+ Title: Troubleshoot issues with Permissions Management
+description: Troubleshoot issues with Permissions Management
+++++++ Last updated : 02/23/2022+++
+# Troubleshoot issues with Permissions Management
+
+> [!IMPORTANT]
+> Microsoft Entra Permissions Management is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+This section answers troubleshoot issues with Permissions Management.
+
+## One time passcode (OTP) email
+
+### The user didn't receive the OTP email.
+
+- Check your junk or Spam mail folder for the email.
+
+## Reports
+
+### The individual files are generated according to the authorization system (subscription/account/project).
+
+- Select the **Collate** option in the **Custom Report** screen in the Permissions Management **Reports** tab.
+
+## Data collection in AWS
+
+### Data collection > AWS Authorization system data collection status is offline. Upload and transform is also offline.
+
+- Check the Permissions Management-related role that exists in these accounts.
+- Validate the trust relationship with the OpenID Connect (OIDC) role.
+
+<!Next steps>
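Review bot: `<!Next steps>` on the last line is not a valid HTML comment (that syntax is `<!-- ... -->`), so the line will either render as stray text or be swallowed by the HTML parser; fix the comment or add the Next steps section the other articles have. The AWS data-collection answer `- Validate the trust relationship with the OpenID Connect (OIDC) role.` is too thin to act on: name the role and say which parts of its trust policy to check (that the expected OIDC provider is still the trusted principal and that any audience and subject conditions match what onboarding configured), since a changed trust policy is exactly the kind of silent break that leaves a collector offline. Grammar: `This section answers troubleshoot issues with Permissions Management.` should read along the lines of "This article describes how to troubleshoot issues with Permissions Management."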
active-directory Ui Audit Trail https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/ui-audit-trail.md
+
+ Title: Use queries to see how users access information in an authorization system in Permissions Management
+description: How to use queries to see how users access information in an authorization system in Permissions Management.
+++++++ Last updated : 02/23/2022+++
+# Use queries to see how users access information
+
+> [!IMPORTANT]
+> Microsoft Entra Permissions Management is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+The **Audit** dashboard in Permissions Management provides an overview of queries a Permissions Management user has created to review how users access their authorization systems and accounts.
+
+This article provides an overview of the components of the **Audit** dashboard.
+
+## View information in the Audit dashboard
++
+1. In Permissions Management, select the **Audit** tab.
+
+ Permissions Management displays the query options available to you.
+
+1. The following options display at the top of the **Audit** dashboard:
+
+ - A tab for each existing query. Select the tab to see details about the query.
+ - **New Query**: Select the tab to create a new query.
+ - **New tab (+)**: Select the tab to add a **New Query** tab.
+ - **Saved Queries**: Select to view a list of saved queries.
+
+1. To return to the main page, select **Back to Audit Trail**.
++
+## Use a query to view information
+
+1. In Permissions Management, select the **Audit** tab.
+1. The **New query** tab displays the following options:
+
+ - **Authorization Systems Type**: A list of your authorization systems: Amazon Web Services (**AWS**), Microsoft Azure (**Azure**), Google Cloud Platform (**GCP**), or Platform (**Platform**).
+
+ - **Authorization System**: A **List** of accounts and **Folders** in the authorization system.
+
+ - To display a **List** of accounts and **Folders** in the authorization system, select the down arrow, and then select **Apply**.
+
+1. To add an **Audit Trail Condition**, select **Conditions** (the eye icon), select the conditions you want to add, and then select **Close**.
+
+1. To edit existing parameters, select **Edit** (the pencil icon).
+
+1. To add the parameter that you created to the query, select **Add**.
+
+1. To search for activity data that you can add to the query, select **Search** .
+
+1. To save your query, select **Save**.
+
+1. To save your query under a different name, select **Save As** (the ellipses **(...)** icon).
+
+1. To discard your work and start creating a query again, select **Reset Query**.
+
+1. To delete a query, select the **X** to the right of the query tab.
+++
+## Next steps
+
+- For information on how to filter and view user activity, see [Filter and query user activity](product-audit-trail.md).
+- For information on how to create a query,see [Create a custom query](how-to-create-custom-queries.md).
+- For information on how to generate an on-demand report from a query, see [Generate an on-demand report from a query](how-to-audit-trail-results.md).
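Review bot: the option list `- **Authorization Systems Type**: A list of your authorization systems: Amazon Web Services (**AWS**), Microsoft Azure (**Azure**), Google Cloud Platform (**GCP**), or Platform (**Platform**).` introduces a fourth type, "Platform", that no other article in this set mentions and that is never explained; either describe what it covers or drop it. Minor text fixes: `select **Search** .` has a stray space before the period, `query,see` in Next steps is missing a space, and `**Save As** (the ellipses **(...)** icon)` reads as if Save As were the icon rather than an item under the ellipses menu.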
active-directory Ui Autopilot https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/ui-autopilot.md
+
+ Title: View rules in the Autopilot dashboard in Permissions Management
+description: How to view rules in the Autopilot dashboard in Permissions Management.
+++++++ Last updated : 02/23/2022+++
+# View rules in the Autopilot dashboard
+
+> [!IMPORTANT]
+> Micorosft Entra Permissions Management is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+The **Autopilot** dashboard in Permissions Management provides a table of information about **Autopilot rules** for administrators.
++
+> [!NOTE]
+> Only users with the **Administrator** role can view and make changes on this tab.
+
+## View a list of rules
+
+1. In the Permissions Management home page, select the **Autopilot** tab.
+1. In the **Autopilot** dashboard, from the **Authorization system types** dropdown, select the authorization system types you want: Amazon Web Services (**AWS**), Microsoft **Azure**, or Google Cloud Platform (**GCP**).
+1. From the **Authorization System** dropdown, in the **List** and **Folders** box, select the account and folder names that you want.
+1. Select **Apply**.
+
+ The following information displays in the **Autopilot Rules** table:
+
+ - **Rule Name**: The name of the rule.
+ - **State**: The status of the rule: idle (not being use) or active (being used).
+ - **Rule Type**: The type of rule being applied.
+ - **Mode**: The status of the mode: on-demand or not.
+ - **Last Generated**: The date and time the rule was last generated.
+ - **Created By**: The email address of the user who created the rule.
+ - **Last Modified**: The date and time the rule was last modified.
+ - **Subscription**: Provides an **On** or **Off** subscription that allows you to receive email notifications when recommendations have been generated, applied, or unapplied.
+
+## View other available options for rules
+
+- Select the ellipses **(...)**
+
+ The following options are available:
+
+ - **View Rule**: Select to view details of the rule.
+ - **Delete Rule**: Select to delete the rule. Only the user who created the selected rule can delete the rule.
+ - **Generate Recommendations**: Creates recommendations for each user and the authorization system. Only the user who created the selected rule can create recommendations.
+ - **View Recommendations**: Displays the recommendations for each user and authorization system.
+ - **Notification Settings**: Displays the users subscribed to this rule. Only the user who created the selected rule can add other users to be notified.
+
+You can also select:
+
+- **Reload**: Select to refresh the displayed list of roles/policies.
+- **Search**: Select to search for a specific role/policy.
+- **Columns**: From the dropdown list, select the columns you want to display.
+ - Select **Reset to default** to return to the system defaults.
+- **New Rule**: Select to create a new rule. For more information, see [Create a rule](how-to-create-rule.md).
+++
+## Next steps
+
+- For information about creating rules, see [Create a rule](how-to-create-rule.md).
+- For information about generating, viewing, and applying rule recommendations for rules, see [Generate, view, and apply rule recommendations for rules](how-to-recommendations-rule.md).
+- For information about notification settings for rules, see [View notification settings for a rule](how-to-notifications-rule.md).
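Review bot: `- **Reload**: Select to refresh the displayed list of roles/policies.` and the matching **Search** line were copied from the Remediation article; on this tab the list is Autopilot rules, so say rules. The NOTE `Only users with the **Administrator** role can view and make changes on this tab.` sits beside options that say only the rule's creator can delete it, generate recommendations, or add subscribers; state how the two restrictions combine so an administrator knows what they can do with rules created by someone else. Typos: `Micorosft Entra Permissions Management` in the IMPORTANT note and "idle (not being use)" in the State column description.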
active-directory Ui Dashboard https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/ui-dashboard.md
+
+ Title: View key statistics and data about your authorization system in Permissions Management
+description: How to view statistics and data about your authorization system in the Permissions Management.
+++++++ Last updated : 02/23/2022++++
+# View key statistics and data about your authorization system
+
+> [!IMPORTANT]
+> Microsoft Entra Permissions Management is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+Permissions Management provides a summary of key statistics and data about your authorization system regularly. This information is available for Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP).
+
+## View metrics related to avoidable risk
+
+The data provided by Permissions Management includes metrics related to avoidable risk. These metrics allow the Permissions Management administrator to identify areas where they can reduce risks related to the principle of least permissions.
+
+You can view the following information in Entra:
+
+- The **Permission Creep Index (PCI)** heat map on the Permissions Management **Dashboard** identifies:
+ - The number of users who have been granted high-risk permissions but aren't using them.
+ - The number of users who contribute to the permission creep index (PCI) and where they are on the scale.
+
+- The [**Analytics** dashboard](usage-analytics-home.md) provides a snapshot of permission metrics within the last 90 days.
++
+## Components of the Permissions Management Dashboard
+
+The Permissions Management **Dashboard** displays the following information:
+
+- **Authorization system types**: A dropdown list of authorization system types you can access: AWS, Azure, and GCP.
+
+- **Authorization System**: Displays a **List** of accounts and **Folders** in the selected authorization system you can access.
+
+ - To add or remove accounts and folders, from the **Name** list, select or deselect accounts and folders, and then select **Apply**.
+
+- **Permission Creep Index (PCI)**: The graph displays the **# of identities contributing to PCI**.
+
+ The PCI graph may display one or more bubbles. Each bubble displays the number of identities that are considered high risk. *High-risk* refers to the number of users who have permissions that exceed their normal or required usage.
+ - To display a list of the number of identities contributing to the **Low PCI**, **Medium PCI**, and **High PCI**, select the **List** icon in the upper right of the graph.
+ - To display the PCI graph again, select the **Graph** icon in the upper right of the list box.
+
+- **Highest PCI change**: Displays a list of your accounts and information about the **PCI** and **Change** in the index over the past 7 days.
+ - To download the list, select the down arrow in the upper right of the list box.
+
+ The following message displays: **We'll email you a link to download the file.**
+ - Check your email for the message from the Permissions Management Customer Success Team. The email contains a link to the **PCI history** report in Microsoft Excel format.
+ - The email also includes a link to the **Reports** dashboard, where you can configure how and when you want to receive reports automatically.
+ - To view all the PCI changes, select **View all**.
+
+- **Identity**: A summary of the **Findings** that includes:
+ - The number of **Inactive** identities that haven't been accessed in over 90 days.
+ - The number of **Super** identities that access data regularly.
+ - The number of identities that can **Access secret information**: A list of roles that can access sensitive or secret information.
+ - **Over-provisioned active** identities that have more permissions than they currently access.
+ - The number of identities **With permission escalation**: A list of roles that can increase permissions.
+
+ To view the list of all identities, select **All findings**.
+
+- **Resources**: A summary of the **Findings** that includes the number of resources that are:
+ - **Open security groups**
+ - **Microsoft managed keys**
+ - **Instances with access to S3 buckets**
+ - **Unencrypted S3 buckets**
+ - **SSE-S3 Encrypted buckets**
+ - **S3 Bucket accessible externally**
+++
+## The PCI heat map
+
+The **Permission Creep Index** heat map shows the incurred risk of users with access to high-risk permissions, and provides information about:
+
+- Users who were given access to high-risk permissions but aren't actively using them. *High-risk permissions* include the ability to modify or delete information in the authorization system.
+
+- The number of resources a user has access to, otherwise known as resource reach.
+
+- The high-risk permissions coupled with the number of resources a user has access to produce the score seen on the chart.
+
+ Permissions are classified as *high*, *medium*, and *low*.
+
+ - **High** (displayed in red) - The score is between 68 and 100. The user has access to many high-risk permissions they aren't using, and has high resource reach.
+ - **Medium** (displayed in yellow) - The score is between 34 and 67. The user has access to some high-risk permissions that they use, or have medium resource reach.
+ - **Low** (displayed in green) - The score is between 0 and 33. The user has access to few high-risk permissions. They use all their permissions and have low resource reach.
+
+- The number displayed on the graph shows how many users contribute to a particular score. To view detailed data about a user, hover over the number.
+
+ The distribution graph displays all the users who contribute to the permission creep. It displays how many users contribute to a particular score. For example, if the score from the PCI chart is 14, the graph shows how many users have a score of 14.
+
+- The **PCI Trend** graph shows you the historical trend of the PCI score over the last 90 days.
+ - To download the **PCI history report**, select **Download**.
+
+### View information on the heat map
+
+1. Select the number on the heat map bubble to display:
+
+ - The total number of **Identities** and how many of them are in the high, medium, and low categories.
+ - The **PCI trend** over the last several weeks.
+
+1. The **Identity** section below the heat map on the left side of the page shows all the relevant findings about identities, including roles that can access secret information, roles that are inactive, over provisioned active roles, and so on.
+
+ - To expand the full list of identities, select **All findings**.
+
+1. The **Resource** section below the heat map on the right side of the page shows all the relevant findings about resources. It includes unencrypted S3 buckets, open security groups, and so on.
++
+## The Analytics summary
+
+You can also view a summary of users and activities section on the [Analytics dashboard](usage-analytics-home.md). This dashboard provides a snapshot of the following high-risk tasks or actions users have accessed, and displays the total number of users with the high-risk access, how many users are inactive or have unexecuted tasks, and how many users are active or have executed tasks:
+
+- **Users with access to high-risk tasks**: Displays the total number of users with access to a high risk task (**Total**), how many users have access but haven't used the task (**Inactive**), and how many users are actively using the task (**Active**).
+
+- **Users with access to delete tasks**: A subset of high-risk tasks, which displays the number of users with access to delete tasks (**Total**), how many users have the delete permissions but haven't used the permissions (**Inactive**), and how many users are actively executing the delete capability (**Active**).
+
+- **High-risk tasks accessible by users**: Displays all available high-risk tasks in the authorization system (**Granted**), how many high-risk tasks aren't used (**Unexecuted**), and how many high-risk tasks are used (**Executed**).
+
+- **Delete tasks accessible by users**: Displays all available delete tasks in the authorization system (**Granted**), how many delete tasks aren't used (**Unexecuted**), and how many delete tasks are used (**Executed**).
+
+- **Resources that permit high-risk tasks**: Displays the total number of resources a user has access to (**Total**), how many resources are available but not used (**Inactive**), and how many resources are used (**Active**).
+
+- **Resources that permit delete tasks**: Displays the total number of resources that permit delete tasks (**Total**), how many resources with delete tasks aren't used (**Inactive**), and how many resources with delete tasks are used (**Active**).
+++
+## Next steps
+
+- For information on how to view authorization system and account activity data on the Permissions ManagementDashboard, see [View data about the activity in your authorization system](product-dashboard.md).
+- For an overview of the Analytics dashboard, see [An overview of the Analytics dashboard](usage-analytics-home.md).
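Review bot: `You can view the following information in Entra:` should name Permissions Management (the Dashboard being described) rather than "Entra", and "Permissions ManagementDashboard" in Next steps is missing a space. The Resources findings (`- **Microsoft managed keys**`, the SSE-S3 and other S3 bullets) mix a provider-neutral term with AWS-only resource types while the article says the data covers AWS, Azure, and GCP; label which findings apply to which authorization system. In the score bands, `- **Medium** (displayed in yellow) - The score is between 34 and 67. The user has access to some high-risk permissions that they use, or have medium resource reach.` contradicts the heat map definition above it, which counts high-risk permissions the user is not using; check whether "that they use" should read "that they aren't using".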
active-directory Ui Remediation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/ui-remediation.md
+
+ Title: View existing roles/policies and requests for permission in the Remediation dashboard in Permissions Management
+description: How to view existing roles/policies and requests for permission in the Remediation dashboard in Permissions Management.
+++++++ Last updated : 02/23/2022+++
+# View roles/policies and requests for permission in the Remediation dashboard
+
+> [!IMPORTANT]
+> Microsoft Entra Permissions Management is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+The **Remediation** dashboard in Permissions Management provides an overview of roles/policies, permissions, a list of existing requests for permissions, and requests for permissions you have made.
+
+This article provides an overview of the components of the **Remediation** dashboard.
+
+> [!NOTE]
+> To view the **Remediation** dashboard, your must have **Viewer**, **Controller**, or **Administrator** permissions. To make changes on this dashboard, you must have **Controller** or **Administrator** permissions. If you don't have these permissions, contact your system administrator.
+
+> [!NOTE]
+> Microsoft Azure uses the term *role* for what other cloud providers call *policy*. Permissions Management automatically makes this terminology change when you select the authorization system type. In the user documentation, we use *role/policy* to refer to both.
+
+## Display the Remediation dashboard
+
+1. On the Permissions Management home page, select the **Remediation** tab.
+
+ The **Remediation** dashboard includes six subtabs:
+
+ - **Roles/Policies**: Use this subtab to perform Create Read Update Delete (CRUD) operations on roles/policies.
+ - **Permissions**: Use this subtab to perform Read Update Delete (RUD) on granted permissions.
+ - **Role/Policy Template**: Use this subtab to create a template for roles/policies template.
+ - **Requests**: Use this subtab to view approved, pending, and processed Permission on Demand (POD) requests.
+ - **My Requests**: Use this tab to manage lifecycle of the POD request either created by you or needs your approval.
+ - **Settings**: Use this subtab to select **Request Role/Policy Filters**, **Request Settings**, and **Auto-Approve** settings.
+
+1. Use the dropdown to select the **Authorization System Type** and **Authorization System**, and then select **Apply**.
+
+## View and create roles/policies
+
+The **Role/Policies** subtab provides the following settings that you can use to view and create a role/policy.
+
+- **Authorization System Type**: Displays a dropdown with authorization system types you can access, Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP).
+- **Authorization System**: Displays a list of authorization systems accounts you can access.
+- **Policy Type**: A dropdown with available role/policy types. You can select **All**, **Custom**, **System**, or **Permissions Management Only**.
+- **Policy Status**: A dropdown with available role/policy statuses. You can select **All**, **Assigned**, or **Unassigned**.
+- **Policy Usage**: A dropdown with **All** or **Unused** roles/policies.
+- **Apply**: Select this option to save the changes you've made.
+- **Reset Filter**: Select this option to discard the changes you've made.
+
+The **Policy list** displays a list of existing roles/policies and the following information about each role/policy.
+
+- **Policy Name**: The name of the roles/policies available to you.
+- **Policy Type**: **Custom**, **System**, or **Permissions Management Only**
+- **Actions**
+ - Select **Clone** to create a duplicate copy of the role/policy.
+ - Select **Modify** to change the existing role/policy.
+ - Select **Delete** to delete the role/policy.
+
+Other options available to you:
+- **Search**: Select this option to search for a specific role/policy.
+- **Reload**: Select this option to refresh the displayed list of roles/policies.
+- **Export CSV**: Select this option to export the displayed list of roles/policies as a comma-separated values (CSV) file.
+
+ When the file is successfully exported, a message appears: **Exported Successfully.**
+
+ - Check your email for a message from the Permissions Management Customer Success Team. This email contains a link to:
+ - The **Role Policy Details** report in CSV format.
+ - The **Reports** dashboard where you can configure how and when you can automatically receive reports.
+- **Create Role/Policy**: Select this option to create a new role/policy. For more information, see [Create a role/policy](how-to-create-role-policy.md).
++
+## Add filters to permissions
+
+The **Permissions** subtab provides the following settings that you can use to add filters to your permissions.
+
+- **Authorization System Type**: Displays a dropdown with authorization system types you can access, AWS, Azure, and GCP.
+- **Authorization System**: Displays a list of authorization systems accounts you can access.
+- **Search For**: A dropdown from which you can select **Group**, **User**, or **Role**.
+- **User Status**: A dropdown from which you can select **Any**, **Active**, or **Inactive**.
+- **Privilege Creep Index** (PCI): A dropdown from which you can select a PCI rating of **Any**, **High**, **Medium**, or **Low**.
+- **Task Usage**: A dropdown from which you can select **Any**, **Granted**, **Used**, or **Unused**.
+- **Enter a Username**: A dropdown from which you can select a username.
+- **Enter a Group Name**: A dropdown from which you can select a group name.
+- **Apply**: Select this option to save the changes you've made and run the filter.
+- **Reset Filter**: Select this option to discard the changes you've made.
+- **Export CSV**: Select this option to export the displayed list of roles/policies as a comma-separated values (CSV) file.
+
+ When the file is successfully exported, a message appears: **Exported Successfully.**
+
+ - Check your email for a message from the Permissions Management Customer Success Team. This email contains a link to:
+ - The **Role Policy Details** report in CSV format.
+ - The **Reports** dashboard where you can configure how and when you can automatically receive reports.
++
+## Create templates for roles/policies
+
+Use the **Role/Policy Template** subtab to create a template for roles/policies.
+
+1. Select:
+ - **Authorization System Type**: Displays a dropdown with authorization system types you can access, WS, Azure, and GCP.
+ - **Create Template**: Select this option to create a template.
+
+1. In the **Details** page, make the required selections:
+ - **Authorization System Type**: Select the authorization system types you want, **AWS**, **Azure**, or **GCP**.
+ - **Template Name**: Enter a name for your template, and then select **Next**.
+
+1. In the **Statements** page, complete the **Tasks**, **Resources**, **Request Conditions** and **Effect** sections. Then select **Save** to save your role/policy template.
+
+Other options available to you:
+- **Search**: Select this option to search for a specific role/policy.
+- **Reload**: Select this option to refresh the displayed list of roles/policies.
+
+## View requests for permission
+
+Use the **Requests** tab to view a list of **Pending**, **Approved**, and **Processed** requests for permissions your team members have made.
+
+- Select:
+ - **Authorization System Type**: Displays a dropdown with authorization system types you can access, AWS, Azure, and GCP.
+ - **Authorization System**: Displays a list of authorization systems accounts you can access.
+
+Other options available to you:
+
+- **Reload**: Select this option to refresh the displayed list of roles/policies.
+- **Search**: Select this option to search for a specific role/policy.
+- **Columns**: Select one or more of the following to view more information about the request:
+ - **Submitted By**
+ - **On Behalf Of**
+ - **Authorization System**
+ - **Tasks/Scope/Policies**
+ - **Request Date**
+ - **Schedule**
+ - **Submitted**
+ - **Reset to Default**: Select this option to discard your settings.
+
+### View pending requests
+
+The **Pending** table displays the following information:
+
+- **Summary**: A summary of the request.
+- **Submitted By**: The name of the user who submitted the request.
+- **On Behalf Of**: The name of the user on whose behalf the request was made.
+- **Authorization System**: The authorization system the user selected.
+- **Task/Scope/Policies**: The type of task/scope/policy selected.
+- **Request Date**: The date when the request was made.
+- **Submitted**: The period since the request was made.
+- The ellipses **(...)** menu - Select the ellipses, and then select **Details**, **Approve**, or **Reject**.
+- Select an option:
+ - **Reload**: Select this option to refresh the displayed list of roles/policies.
+ - **Search**: Select this option to search for a specific role/policy.
+ - **Columns**: From the dropdown, select the columns you want to display.
+
+**To return to the previous view:**
+
+- Select the up arrow.
+
+### View approved requests
+
+The **Approved** table displays information about the requests that have been approved.
+
+### View processed requests
+
+The **Processed** table displays information about the requests that have been processed.
+
+## View requests for permission for your approval
+
+Use the **My Requests** subtab to view a list of **Pending**, **Approved**, and **Processed** requests for permissions your team members have made and you must approve or reject.
+
+- Select:
+ - **Authorization System Type**: Displays a dropdown with authorization system types you can access, AWS, Azure, and GCP.
+ - **Authorization System**: Displays a list of authorization systems accounts you can access.
+
+Other options available to you:
+
+- **Reload**: Select this option to refresh the displayed list of roles/policies.
+- **Search**: Select this option to search for a specific role/policy.
+- **Columns**: Select one or more of the following to view more information about the request:
+ - **On Behalf Of**
+ - **Authorization System**
+ - **Tasks/Scope/Policies**
+ - **Request Date**
+ - **Schedule**
+ - **Reset to Default**: Select this option to discard your settings.
+- **New Request**: Select this option to create a new request for permissions. For more information, see Create a request for permissions.
+
+### View pending requests
+
+The **Pending** table displays the following information:
+
+- **Summary**: A summary of the request.
+- **Submitted By**: The name of the user who submitted the request.
+- **On Behalf Of**: The name of the user on whose behalf the request was made.
+- **Authorization System**: The authorization system the user selected.
+- **Task/Scope/Policies**: The type of task/scope/policy selected.
+- **Request Date**: The date when the request was made.
+- **Submitted**: The period since the request was made.
+- The ellipses **(...)** menu - Select the ellipses, and then select **Details**, **Approve**, or **Reject**.
+- Select an option:
+ - **Reload**: Select this option to refresh the displayed list of roles/policies.
+ - **Search**: Select this option to search for a specific role/policy.
+ - **Columns**: From the dropdown, select the columns you want to display.
++
+### View approved requests
+
+The **Approved** table displays information about the requests that have been approved.
+
+### View processed requests
+
+The **Processed** table displays information about the requests that have been processed.
+
+## Make setting selections for requests and auto-approval
+
+The **Settings** subtab provides the following settings that you can use to make setting selections to **Request Role/Policy Filters**, **Request Settings**, and **Auto-Approve** requests.
+
+- **Authorization System Type**: Displays a dropdown with authorization system types you can access, AWS, Azure, and GCP.
+- **Authorization System**: Displays a list of authorization systems accounts you can access.
+- **Reload**: Select this option to refresh the displayed list of role/policy filters.
+- **Create Filter**: Select this option to create a new filter.
+
+## Next steps
++
+- For information on how to view existing roles/policies, requests, and permissions, see [View roles/policies, requests, and permission in the Remediation dashboard](ui-remediation.md).
+- For information on how to create a role/policy, see [Create a role/policy](how-to-create-role-policy.md).
+- For information on how to clone a role/policy, see [Clone a role/policy](how-to-clone-role-policy.md).
+- For information on how to delete a role/policy, see [Delete a role/policy](how-to-delete-role-policy.md).
+- For information on how to modify a role/policy, see Modify a role/policy](how-to-modify-role-policy.md).
+- To view information about roles/policies, see [View information about roles/policies](how-to-view-role-policy.md).
+- For information on how to attach and detach permissions for AWS identities, see [Attach and detach policies for AWS identities](how-to-attach-detach-permissions.md).
+- For information on how to revoke high-risk and unused tasks or assign read-only status for Azure and GCP identities, see [Revoke high-risk and unused tasks or assign read-only status for Azure and GCP identities](how-to-revoke-task-readonly-status.md)
+- For information on how to create or approve a request for permissions, see [Create or approve a request for permissions](how-to-create-approve-privilege-request.md).
+- For information on how to view information about roles/policies, see [View information about roles/policies](how-to-view-role-policy.md)
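Review bot: the link on the "Modify a role/policy" bullet in Next steps is missing its opening bracket, so `Modify a role/policy](how-to-modify-role-policy.md)` will render as literal text; it should read `[Modify a role/policy](how-to-modify-role-policy.md)`. In the same list, "View information about roles/policies" appears twice (once after "Delete a role/policy" and again as the final bullet); drop one. Earlier in the hunk the Create Template bullet lists the authorization system types as "WS, Azure, and GCP" where every other occurrence says "AWS, Azure, and GCP". Under the Requests and My Requests tabs the Reload and Search options still say "refresh the displayed list of roles/policies" and "search for a specific role/policy", which was copied from the Role/Policies tab; these tabs list requests. The My Requests description ("requests for permissions your team members have made and you must approve or reject") also conflicts with the heading and with the New Request option on the same subtab, so confirm whether this subtab shows the signed-in user's own requests or requests awaiting their approval; an approver needs to know which list they are acting on. The "Create a request for permissions" reference on the New Request bullet is unlinked while the matching article (how-to-create-approve-privilege-request.md) is linked in Next steps.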
active-directory Ui Tasks https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/ui-tasks.md
+
+ Title: View information about active and completed tasks in Permissions Management
+description: How to view information about active and completed tasks in the Activities pane in Permissions Management.
+++++++ Last updated : 02/23/2022+++
+# View information about active and completed tasks
+
+> [!IMPORTANT]
+> Microsoft Entra Permissions Management is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+This article describes the usage of the **Permissions Management Tasks** pane in Permissions Management.
+
+## Display active and completed tasks
+
+1. In the Permissions Management home page, select **Tasks** (the timer icon).
+
+ The **Permissions Management Tasks** pane appears on the right of the Permissions Management home page. It has two tabs:
+ - **Active**: Displays a list of active tasks, a description of each task, and when the task was started.
+
+ If there are no active tasks, the following message displays: **There are no active tasks**.
+ - **Completed**: Displays a list of completed tasks, a description of each task, when the task was started and ended, and whether the task **Failed** or **Succeeded**.
+
+ If there are no completed activities, the following message displays: **There are no recently completed tasks**.
+1. To close the **Permissions Management Tasks** pane, click outside the pane.
+
+## Next steps
+
+- For information on how to create a role/policy in the **Remediation** dashboard, see [Create a role/policy](how-to-create-role-policy.md).
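Review bot: the Completed tab bullet mixes terms, saying "If there are no completed activities" where the tab, the message it quotes ("There are no recently completed tasks") and the rest of the article say tasks; use "completed tasks". The final step says "click outside the pane" while the article otherwise uses "select"; align the verb. The H1 sits directly on the collapsed front-matter line (`+++++++ Last updated : 02/23/2022+++`), so check the metadata block survived intact in the source file.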
active-directory Ui Triggers https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/ui-triggers.md
+
+ Title: View information about activity triggers in Permissions Management
+description: How to view information about activity triggers in the Activity triggers dashboard in Permissions Management.
+++++++ Last updated : 02/23/2022+++
+# View information about activity triggers
+
+> [!IMPORTANT]
+> Microsoft Entra Permissions Management is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+This article describes how to use the **Activity triggers** dashboard in Permissions Management to view information about activity alerts and triggers.
+
+## Display the Activity triggers dashboard
+
+- In the Permissions Management home page, select **Activity triggers** (the bell icon).
+
+ The **Activity triggers** dashboard has four tabs:
+
+ - **Activity**
+ - **Rule-Based Anomaly**
+ - **Statistical Anomaly**
+ - **Permission Analytics**
+
+ Each tab has two subtabs:
+
+ - **Alerts**
+ - **Alert Triggers**
+
+## View information about alerts
+
+The **Alerts** subtab in the **Activity**, **Rule-Based Anomaly**, **Statistical Anomaly**, and **Permission Analytics** tabs display the following information:
+
+- **Alert Name**: Select **All** alert names or specific ones.
+- **Date**: Select **Last 24 hours**, **Last 2 Days**, **Last Week**, or **Custom Range.**
+
+ - If you select **Custom Range**, also enter **From** and **To** duration settings.
+- **Apply**: Select this option to activate your settings.
+- **Reset Filter**: Select this option to discard your settings.
+- **Reload**: Select this option to refresh the displayed information.
+- **Create Activity Trigger**: Select this option to [create a new alert trigger](how-to-create-alert-trigger.md).
+- The **Alerts** table displays a list of alerts with the following information:
+ - **Alerts**: The name of the alert.
+ - **# of users subscribed**: The number of users who have subscribed to the alert.
+ - **Created By**: The name of the user who created the alert.
+ - **Modified By**: The name of the user who modified the alert.
+
+The **Rule-Based Anomaly** tab and the **Statistical Anomaly** tab both have one more option:
+
+- **Columns**: Select the columns you want to display: **Task**, **Resource**, and **Identity**.
+ - To return to the system default settings, select **Reset to default**.
+
+## View information about alert triggers
+
+The **Alert Triggers** subtab in the **Activity**, **Rule-Based Anomaly**, **Statistical Anomaly**, and **Permission Analytics** tab displays the following information:
+
+- **Status**: Select the alert status you want to display: **All**, **Activated**, or **Deactivated**.
+- **Apply**: Select this option to activate your settings.
+- **Reset Filter**: Select this option to discard your settings.
+- **Reload**: Select **Reload** to refresh the displayed information.
+- **Create Activity Trigger**: Select this option to [create a new alert trigger](how-to-create-alert-trigger.md).
+- The **Triggers** table displays a list of triggers with the following information:
+ - **Alerts**: The name of the alert.
+ - **# of users subscribed**: The number of users who have subscribed to the alert.
+ - **Created By**: The name of the user who created the alert.
+ - **Modified By**: The name of the user who modified the alert.
++++++
+## Next steps
+
+- For information on activity alerts and alert triggers, see [Create and view activity alerts and alert triggers](how-to-create-alert-trigger.md).
+- For information on rule-based anomalies and anomaly triggers, see [Create and view rule-based anomalies and anomaly triggers](product-rule-based-anomalies.md).
+- For information on finding outliers in identity's behavior, see [Create and view statistical anomalies and anomaly triggers](product-statistical-anomalies.md).
+- For information on permission analytics triggers, see [Create and view permission analytics triggers](product-permission-analytics.md).
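Review bot: the Triggers table under "View information about alert triggers" lists exactly the same four columns as the Alerts table ("Alerts", "# of users subscribed", "Created By", "Modified By"), which looks copied from the Alerts subtab; since the Alert Triggers subtab filters on Status (Activated or Deactivated), the table presumably exposes each trigger's status too, so confirm the column list against the UI. Subject and verb disagree in "The **Alerts** subtab in the ... tabs display the following information" (should be "displays", matching the parallel sentence in the Alert Triggers section, which also should say "tabs" rather than "tab"). The stray `+++++` line before Next steps is leftover from collapsed blank lines.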
active-directory Ui User Management https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/ui-user-management.md
+
+ Title: Manage users and groups with the User management dashboard in Permissions Management
+description: How to manage users and groups in the User management dashboard in Permissions Management.
+++++++ Last updated : 02/23/2022+++
+# Manage users and groups with the User management dashboard
+
+> [!IMPORTANT]
+> Microsoft Entra Permissions Management is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+This article describes how to use the Permissions Management **User management** dashboard to view and manage users and groups.
+
+**To display the User management dashboard**:
+
+- In the upper right of the Permissions Management home page, select **User** (your initials) in the upper right of the screen, and then select **User management.**
+
+ The **User Management** dashboard has two tabs:
+
+ - **Users**: Displays information about registered users.
+ - **Groups**: Displays information about groups.
+
+## Manage users
+
+Use the **Users** tab to display the following information about users:
+
+- **Name** and **Email Address**: The user's name and email address.
+- **Joined On**: The date the user registered on the system.
+- **Recent Activity**: The date the user last used their permissions to access the system.
+- The ellipses **(...)** menu: Select the ellipses, and then select **View Permissions** to open the **View User Permission** box.
+
+ - To view details about the user's permissions, select one of the following options:
+ - **Admin for all Authorization System Types** provides **View**, **Control**, and **Approve** permissions for all authorization system types.
+ - **Admin for selected Authorization System Types** provides **View**, **Control**, and **Approve** permissions for selected authorization system types.
+ - **Custom** provides **View**, **Control**, and **Approve** permissions for the authorization system types you select.
+
+You can also select the following options:
+
+- **Reload**: Select this option to refresh the information displayed in the **User** table.
+- **Search**: Enter a name or email address to search for a specific user.
+
+## Manage groups
+
+Use the **Groups** tab to display the following information about groups:
+
+- **Name**: Displays the registered user's name and email address.
+- **Permissions**:
+ - The **Authorization Systems** and the type of permissions the user has been granted: **Admin for all Authorization System Types**, **Admin for selected Authorization System Types**, or **Custom**.
+ - Information about the **Viewer**, **Controller**, **Approver**, and **Requestor**.
+- **Modified By**: The email address of the user who modified the group.
+- **Modified On**: The date the user last modified the group.
+
+- The ellipses **(...)** menu: Select the ellipses to:
+
+ - **View Permissions**: Select this option to view details about the group's permissions, and then select one of the following options:
+ - **Admin for all Authorization System Types** provides **View**, **Control**, and **Approve** permissions for all authorization system types.
+ - **Admin for selected Authorization System Types** provides **View**, **Control**, and **Approve** permissions for selected authorization system types.
+ - **Custom** provides **View**, **Control**, and **Approve** permissions for specific authorization system types that you select.
+
+ - **Edit Permissions**: Select this option to modify the group's permissions.
+ - **Delete**: Select this option to delete the group's permissions.
+
+ The **Delete Permission** box asks you to confirm that you want to delete the group.
+ - Select **Delete** if you want to delete the group, **Cancel** to discard your changes.
++
+You can also select the following options:
+
+- **Reload**: Select this option to refresh the information displayed in the **User** table.
+- **Search**: Enter a name or email address to search for a specific user.
+- **Filters**: Select the authorization systems and accounts you want to display.
+- **Create Permission**: Create a group and set up its permissions. For more information, see [Create group-based permissions](how-to-create-group-based-permissions.md)
+++
+## Next steps
+
+- For information about how to view information about active and completed tasks, see [View information about active and completed tasks](ui-tasks.md).
+- For information about how to view personal and organization information, see [View personal and organization information](product-account-settings.md).
+- For information about how to select group-based permissions settings, see [Select group-based permissions settings](how-to-create-group-based-permissions.md).
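Review bot: the Delete option in the Groups tab is ambiguous about what is removed: the bullet says "delete the group's permissions", the next line says the confirmation box "asks you to confirm that you want to delete the group", and the final step says "Select **Delete** if you want to delete the group". An administrator needs to know whether this removes the group object or only its permission assignments; state one behaviour. Several Groups tab descriptions were copied from the Users tab: "**Name**: Displays the registered user's name and email address" should describe the group, the Permissions bullets refer to "the user", and Reload says it refreshes "the **User** table". In the display instructions, "In the upper right of the Permissions Management home page, select **User** (your initials) in the upper right of the screen" repeats "upper right".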
active-directory Usage Analytics Access Keys https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/usage-analytics-access-keys.md
+
+ Title: View analytic information about access keys in Permissions Management
+description: How to view analytic information about access keys in Permissions Management.
+++++++ Last updated : 02/23/2022+++
+# View analytic information about access keys
+
+> [!IMPORTANT]
+> Microsoft Entra Permissions Management is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+The **Analytics** dashboard in Permissions Management provides details about identities, resources, and tasks that you can use make informed decisions about granting permissions, and reducing risk on unused permissions.
+
+- **Users**: Tracks assigned permissions and usage of various identities.
+- **Groups**: Tracks assigned permissions and usage of the group and the group members.
+- **Active Resources**: Tracks active resources (used in the last 90 days).
+- **Active Tasks**: Tracks active tasks (performed in the last 90 days).
+- **Access Keys**: Tracks the permission usage of access keys for a given user.
+- **Serverless Functions**: Tracks assigned permissions and usage of the serverless functions.
+
+This article describes how to view usage analytics about access keys.
+
+## Create a query to view access keys
+
+When you select **Access keys**, the **Analytics** dashboard provides a high-level overview of tasks used by various identities.
+
+1. On the main **Analytics** dashboard, select **Access Keys** from the drop-down list at the top of the screen.
+
+ The following components make up the **Access Keys** dashboard:
+
+ - **Authorization System Type**: Select the authorization you want to use: Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP).
+ - **Authorization System**: Select from a **List** of accounts and **Folders***.
+ - **Key Status**: Select **All**, **Active**, or **Inactive**.
+ - **Key Activity State**: Select **All**, how long the access key has been used, or **Not Used**.
+ - **Key Age**: Select **All** or how long ago the access key was created.
+ - **Task Type**: Select **All** tasks, **High Risk Tasks** or, for a list of tasks where users have deleted data, select **Delete Tasks**.
+ - **Search**: Enter criteria to find specific tasks.
+1. Select **Apply** to display the criteria you've selected.
+
+ Select **Reset Filter** to discard your changes.
++
+## View the results of your query
+
+The **Access Keys** table displays the results of your query.
+
+- **Access Key ID**: Provides the ID for the access key.
+ - To view details about the access keys, select the down arrow to the left of the ID.
+- The **Owner** name.
+- The **Account** number.
+- The **Permission Creep Index (PCI)**: Provides the following information:
+ - **Index**: A numeric value assigned to the PCI.
+ - **Since**: How many days the PCI value has been at the displayed level.
+- **Tasks** Displays the number of **Granted** and **Executed** tasks.
+- **Resources**: The number of resources used.
+- **Access Key Age**: How old the access key is, in days.
+- **Last Used**: How long ago the access key was last accessed.
+
+## Apply filters to your query
+
+There are many filter options within the **Active Tasks** screen, including filters by **Authorization System**, filters by **User** and filters by **Task**.
+Filters can be applied in one, two, or all three categories depending on the type of information you're looking for.
+
+### Apply filters by authorization system type
+
+1. From the **Authorization System Type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.
+1. Select **Apply** to run your query and display the information you selected.
+
+ Select **Reset Filter** to discard your changes.
++
+### Apply filters by authorization system
+
+1. From the **Authorization System Type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.
+1. From the **Authorization System** dropdown, select accounts from a **List** of accounts and **Folders**.
+1. Select **Apply** to run your query and display the information you selected.
+
+ Select **Reset Filter** to discard your changes.
+
+### Apply filters by key status
+
+1. From the **Authorization System Type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.
+1. From the **Authorization System** dropdown, select from a **List** of accounts and **Folders**.
+1. From the **Key Status** dropdown, select the type of key: **All**, **Active**, or **Inactive**.
+1. Select **Apply** to run your query and display the information you selected.
+
+ Select **Reset Filter** to discard your changes.
+
+### Apply filters by key activity status
+
+1. From the **Authorization System Type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.
+1. From the **Authorization System** dropdown, select from a **List** of accounts and **Folders**.
+1. From the **Key Activity State** dropdown, select **All**, the duration for how long the access key has been used, or **Not Used**.
+
+1. Select **Apply** to run your query and display the information you selected.
+
+ Select **Reset Filter** to discard your changes.
+
+### Apply filters by key age
+
+1. From the **Authorization System Type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.
+1. From the **Authorization System** dropdown, select from a **List** of accounts and **Folders**.
+1. From the **Key Age** dropdown, select **All** or how long ago the access key was created.
+
+1. Select **Apply** to run your query and display the information you selected.
+
+ Select **Reset Filter** to discard your changes.
+
+### Apply filters by task type
+
+1. From the **Authorization System Type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.
+1. From the **Authorization System** dropdown, select from a **List** of accounts and **Folders**.
+1. From the **Task Type** dropdown, select **All** tasks, **High Risk Tasks** or, for a list of tasks where users have deleted data, select **Delete tasks**.
+1. Select **Apply** to run your query and display the information you selected.
+
+ Select **Reset Filter** to discard your changes.
+++
+## Export the results of your query
+
+- To view a report of the results of your query as a comma-separated values (CSV) file, select **Export**, and then select **CSV** or **CSV (Detailed)**.
+
+## Next steps
+
+- To view active tasks, see [View usage analytics about active tasks](usage-analytics-active-tasks.md).
+- To view assigned permissions and usage by users, see [View usage analytics about users](usage-analytics-users.md).
+- To view assigned permissions and usage of the group and the group members, see [View usage analytics about groups](usage-analytics-groups.md).
+- To view active resources, see [View usage analytics about active resources](usage-analytics-active-resources.md).
+- To view assigned permissions and usage of the serverless functions, see [View usage analytics about serverless functions](usage-analytics-serverless-functions.md).
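Review bot: the "Apply filters to your query" intro was copied from the Active Tasks article: "There are many filter options within the **Active Tasks** screen, including filters by **Authorization System**, filters by **User** and filters by **Task**" names the wrong screen, and the filters this article actually documents are Authorization System Type, Authorization System, Key Status, Key Activity State, Key Age and Task Type; rewrite the sentence to list those, since Key Activity State and Key Age are the filters a reviewer uses to find stale or never-used keys. The Authorization System bullet has a stray asterisk in "**Folders***". In the opening paragraph, "that you can use make informed decisions" is missing "to".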
active-directory Usage Analytics Active Resources https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/usage-analytics-active-resources.md
+
+ Title: View analytic information about active resources in Permissions Management
+description: How to view usage analytics about active resources in Permissions Management.
+++++++ Last updated : 02/23/2022+++
+# View analytic information about active resources
+
+> [!IMPORTANT]
+> Microsoft Entra Permissions Management is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+The **Analytics** dashboard in Permissions Management collects detailed information, analyzes, reports on, and visualizes data about all identity types. System administrators can use the information to make informed decisions about granting permissions and reducing risk on unused permissions for:
+
+- **Users**: Tracks assigned permissions and usage of various identities.
+- **Groups**: Tracks assigned permissions and usage of the group and the group members.
+- **Active Resources**: Tracks active resources (used in the last 90 days).
+- **Active Tasks**: Tracks active tasks (performed in the last 90 days).
+- **Access Keys**: Tracks the permission usage of access keys for a given user.
+- **Serverless Functions**: Tracks assigned permissions and usage of the serverless functions.
+
+This article describes how to view usage analytics about active resources.
+
+## Create a query to view active resources
+
+1. On the main **Analytics** dashboard, select **Active Resources** from the drop-down list at the top of the screen.
+
+ The dashboard only lists tasks that are active. The following components make up the **Active Resources** dashboard:
+1. From the dropdowns, select:
+ - **Authorization System Type**: The authorization you want to use: Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP).
+ - **Authorization System**: The **List** of accounts and **Folders** you want to include.
+ - **Tasks Type**: Select **All** tasks, **High Risk Tasks** or, for a list of tasks where users have deleted data, select **Delete Tasks**.
+ - **Service Resource Type**: The service resource type.
+ - **Search**: Enter criteria to find specific tasks.
+
+1. Select **Apply** to display the criteria you've selected.
+
+ Select **Reset Filter** to discard your changes.
++
+## View the results of your query
+
+The **Active Resources** table displays the results of your query:
+
+- **Resource Name**: Provides the name of the task.
+ - To view details about the task, select the down arrow.
+- **Account**: The name of the account.
+- **Resources Type**: The type of resources used, for example, **bucket** or **key**.
+- **Tasks**: Displays the number of **Granted** and **Executed** tasks.
+- **Number of Users**: The number of users with access and accessed.
+- Select the ellipses **(...)** and select **Tags** to add a tag.
+
+## Add a tag to an active resource
+
+1. Select the ellipses **(...)** and select **Tags**.
+1. From the **Select a Tag** dropdown, select a tag.
+1. To create a custom tag select **New Custom Tag**, add a tag name, and then select **Create**.
+1. In the **Value (Optional)** box, enter a value.
+1. Select the ellipses **(...)** to select **Advanced Save** options, and then select **Save**.
+1. To add the tag to the serverless function, select **Add Tag**.
++
+## Apply filters to your query
+
+There are many filter options within the **Active Resources** screen, including filters by **Authorization System**, filters by **User** and filters by **Task**.
+Filters can be applied in one, two, or all three categories depending on the type of information you're looking for.
+
+### Apply filters by authorization system
+
+1. From the **Authorization System Type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.
+1. Select **Apply** to run your query and display the information you selected.
+
+ Select **Reset Filter** to discard your changes.
++
+### Apply filters by authorization system type
+
+1. From the **Authorization System Type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.
+1. From the **Authorization System** dropdown, select from a **List** of accounts and **Folders**.
+1. Select **Apply** to run your query and display the information you selected.
+
+ Select **Reset Filter** to discard your changes.
+
+### Apply filters by task type
+
+You can filter user details by type of user, user role, app, or service used, or by resource.
+
+1. From the **Authorization System Type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.
+1. From the **Authorization System** dropdown, select from a **List** of accounts and **Folders**.
+1. From the **Task Type**, select the type of user: **All**, **User**, **Role/App/Service a/c**, or **Resource**.
+1. Select **Apply** to run your query and display the information you selected.
+
+ Select **Reset Filter** to discard your changes.
++
+### Apply filters by service resource type
+
+You can filter user details by type of user, user role, app, or service used, or by resource.
+
+1. From the **Authorization System Type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.
+1. From the **Authorization System** dropdown, select from a **List** of accounts and **Folders**.
+1. From the **Service Resource Type**, select the type of service resource.
+1. Select **Apply** to run your query and display the information you selected.
+
+ Select **Reset Filter** to discard your changes.
+
+## Export the results of your query
+
+- To view a report of the results of your query as a comma-separated values (CSV) file, select **Export**, and then select **CSV**.
++
+## Next steps
+
+- To track active tasks, see [View usage analytics about active tasks](usage-analytics-active-tasks.md).
+- To track assigned permissions and usage of users, see [View usage analytics about users](usage-analytics-users.md).
+- To track assigned permissions and usage of the group and the group members, see [View usage analytics about groups](usage-analytics-groups.md).
+- To track the permission usage of access keys for a given user, see [View usage analytics about access keys](usage-analytics-access-keys.md).
+- To track assigned permissions and usage of the serverless functions, see [View usage analytics about serverless functions](usage-analytics-serverless-functions.md).
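Review bot: the Task Type filter is documented with two incompatible value sets: the query section lists "**All** tasks, **High Risk Tasks** or ... **Delete Tasks**", but "Apply filters by task type" says "select the type of user: **All**, **User**, **Role/App/Service a/c**, or **Resource**" and opens with "You can filter user details by type of user", text that belongs to the users article; the same sentence is repeated under "Apply filters by service resource type". Keep the All / High Risk Tasks / Delete Tasks set and remove the user-type text. The two filter headings are swapped: "Apply filters by authorization system" only uses the Authorization System Type dropdown, while "Apply filters by authorization system type" adds the Authorization System dropdown. Several sentences still say task where the subject is a resource: "The dashboard only lists tasks that are active", "**Resource Name**: Provides the name of the task", and in the tagging steps "To add the tag to the serverless function" should refer to the active resource. "**Tasks Type**" should be "**Task Type**" as used in the filter section.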
active-directory Usage Analytics Active Tasks https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/usage-analytics-active-tasks.md
+
+ Title: View analytic information about active tasks in Permissions Management
+description: How to view analytic information about active tasks in Permissions Management.
+++++++ Last updated : 02/23/2022+++
+# View analytic information about active tasks
+
+> [!IMPORTANT]
+> Microsoft Entra Permissions Management is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+The **Analytics** dashboard in Permissions Management collects detailed information, analyzes, reports on, and visualizes data about all identity types. System administrators can use the information to make informed decisions about granting permissions and reducing risk on unused permissions for:
+
+- **Users**: Tracks assigned permissions and usage of various identities.
+- **Groups**: Tracks assigned permissions and usage of the group and the group members.
+- **Active Resources**: Tracks active resources (used in the last 90 days).
+- **Active Tasks**: Tracks active tasks (performed in the last 90 days).
+- **Access Keys**: Tracks the permission usage of access keys for a given user.
+- **Serverless Functions**: Tracks assigned permissions and usage of the serverless functions.
+
+This article describes how to view usage analytics about active tasks.
+
+## Create a query to view active tasks
+
+When you select **Active Tasks**, the **Analytics** dashboard provides a high-level overview of tasks used by various identities.
+
+1. On the main **Analytics** dashboard, select **Active Tasks** from the drop-down list at the top of the screen.
+
+ The dashboard only lists tasks that are active. The following components make up the **Active Tasks** dashboard:
+
+ - **Authorization System Type**: Select the authorization you want to use: Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP).
+ - **Authorization System**: Select from a **List** of accounts and **Folders***.
+ - **Tasks Type**: Select **All** tasks, **High Risk tasks** or, for a list of tasks where users have deleted data, select **Delete Tasks**.
+ - **Search**: Enter criteria to find specific tasks.
+
+1. Select **Apply** to display the criteria you've selected.
+
+ Select **Reset Filter** to discard your changes.
++
+## View the results of your query
+
+The **Active Tasks** table displays the results of your query.
+
+- **Task Name**: Provides the name of the task.
+ - To view details about the task, select the down arrow in the table.
+
+ - A **Normal Task** icon displays to the left of the task name if the task is normal (that is, not risky).
+ - A **Deleted Task** icon displays to the left of the task name if the task involved deleting data.
+ - A **High-Risk Task** icon displays to the left of the task name if the task is high-risk.
+
+- **Performed on (resources)**: The number of resources on which the task was used.
+
+- **Number of Users**: Displays how many users performed tasks. The tasks are organized into the following columns:
+ - **With Access**: Displays the number of users that have access to the task but haven't accessed it.
+ - **Accessed**: Displays the number of users that have accessed the task.
++
+## Apply filters to your query
+
+There are many filter options within the **Active Tasks** screen, including **Authorization System**, **User**, and **Task**.
+Filters can be applied in one, two, or all three categories depending on the type of information you're looking for.
+
+### Apply filters by authorization system type
+
+1. From the **Authorization System Type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.
+1. Select **Apply** to run your query and display the information you selected.
+
+ Select **Reset Filter** to discard your changes.
+
+### Apply filters by authorization system
+
+1. From the **Authorization System Type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.
+1. From the **Authorization System** dropdown, select accounts from a **List** of accounts and **Folders**.
+1. Select **Apply** to run your query and display the information you selected.
+
+ Select **Reset Filter** to discard your changes.
++
+### Apply filters by task type
+
+You can filter user details by type of user, user role, app, or service used, or by resource.
+
+1. From the **Authorization System Type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.
+1. From the **Authorization System** dropdown, select from a **List** of accounts and **Folders**.
+1. From the **Task Type** dropdown, select the type of tasks: **All**, **High Risk Tasks**, or **Delete Tasks**.
+1. Select **Apply** to run your query and display the information you selected.
+
+ Select **Reset Filter** to discard your changes.
++
+## Export the results of your query
+
+- To view a report of the results of your query as a comma-separated values (CSV) file, select **Export**, and then select **CSV**.
+
+## Next steps
+
+- To view assigned permissions and usage by users, see [View analytic information about users](usage-analytics-users.md).
+- To view assigned permissions and usage of the group and the group members, see [View analytic information about groups](usage-analytics-groups.md).
+- To view active resources, see [View analytic information about active resources](usage-analytics-active-resources.md).
+- To view the permission usage of access keys for a given user, see [View analytic information about access keys](usage-analytics-access-keys.md).
+- To view assigned permissions and usage of the serverless functions, see [View analytic information about serverless functions](usage-analytics-serverless-functions.md).
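Review bot: the "Apply filters by task type" intro was carried over from the Users article and doesn't fit here: "You can filter user details by type of user, user role, app, or service used, or by resource." precedes steps that filter tasks by **All**, **High Risk Tasks**, or **Delete Tasks**, so either reword it to describe task types or drop it. Two consistency points in the same region: the dropdown is named **Tasks Type** in the dashboard component list ("**Tasks Type**: Select **All** tasks, **High Risk tasks** or, ...") but **Task Type** in the filter steps, and "**Authorization System**: Select from a **List** of accounts and **Folders***." has a stray third asterisk after **Folders** that will render as a literal asterisk. "Select the authorization you want to use" in the **Authorization System Type** bullet should read "authorization system type", matching the options that follow.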
active-directory Usage Analytics Groups https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/usage-analytics-groups.md
+
+ Title: View analytic information about groups in Permissions Management
+description: How to view analytic information about groups in Permissions Management.
+++++++ Last updated : 02/23/2022+++
+# View analytic information about groups
+
+> [!IMPORTANT]
+> Microsoft Entra Permissions Management is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+The **Analytics** dashboard in Permissions Management collects detailed information, analyzes, reports on, and visualizes data about all identity types. System administrators can use the information to make informed decisions about granting permissions and reducing risk on unused permissions for:
+
+- **Users**: Tracks assigned permissions and usage of various identities.
+- **Groups**: Tracks assigned permissions and usage of the group and the group members.
+- **Active Resources**: Tracks active resources (used in the last 90 days).
+- **Active Tasks**: Tracks active tasks (performed in the last 90 days).
+- **Access Keys**: Tracks the permission usage of access keys for a given user.
+- **Serverless Functions**: Tracks assigned permissions and usage of the serverless functions.
+
+This article describes how to view usage analytics about groups.
+
+## Create a query to view groups
+
+When you select **Groups**, the **Usage Analytics** dashboard provides a high-level overview of groups.
+
+1. On the main **Analytics** dashboard, select **Groups** from the drop-down list at the top of the screen.
+
+ The following components make up the **Groups** dashboard:
+
+ - **Authorization System Type**: Select the authorization you want to use: Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP).
+ - **Authorization System**: Select from a **List** of accounts and **Folders**.
+ - **Group Type**: Select **All**, **ED**, or **Local**.
+ - **Group Activity Status**: Select **All**, **Active**, or **Inactive**.
+ - **Tasks Type**: Select **All**, **High Risk Tasks**, or **Delete Tasks**
+ - **Search**: Enter group name to find specific group.
+1. To display the criteria you've selected, select **Apply**.
+ - **Reset Filter**: Select to discard your changes.
++
+## View the results of your query
+
+The **Groups** table displays the results of your query:
+
+- **Group Name**: Provides the name of the group.
+ - To view details about the group, select the down arrow.
+- A **Group Type** icon displays to the left of the group name to describe the type of group (**ED** or **Local**).
+- The **Domain/Account** name.
+- The **Permission Creep Index (PCI)**: Provides the following information:
+ - **Index**: A numeric value assigned to the PCI.
+ - **Since**: How many days the PCI value has been at the displayed level.
+- **Tasks**: Displays the number of **Granted** and **Executed** tasks.
+- **Resources**: The number of resources used.
+- **Users**: The number of users who accessed the group.
+- Select the ellipses **(...)** and select **Tags** to add a tag.
+
+## Add a tag to a group
+
+1. Select the ellipses **(...)** and select **Tags**.
+1. From the **Select a Tag** dropdown, select a tag.
+1. To create a custom tag select **New Custom Tag**, add a tag name, and then select **Create**.
+1. In the **Value (Optional)** box, enter a value.
+1. Select the ellipses **(...)** to select **Advanced Save** options, and then select **Save**.
+1. To add the tag to the serverless function, select **Add Tag**.
+
+## View detailed information about a group
+
+1. Select the down arrow to the left of the **Group Name**.
+
+ The list of **Tasks** organized by **Unused** and **Used** displays.
+
+1. Select the arrow to the left of the group name to view details about the task.
+1. Select **Information** (**i**) to view when the task was last used.
+1. From the **Tasks** dropdown, select **All Tasks**, **High Risk Tasks**, and **Delete Tasks**.
+1. The pane on the right displays a list of **Users**, **Policies** for **AWS** and **Roles** for **GCP or AZURE**, and **Tags**.
+
+## Apply filters to your query
+
+There are many filter options within the **Groups** screen, including filters by **Authorization System Type**, **Authorization System**, **Group Type**, **Group Activity Status**, and **Tasks Type**.
+Filters can be applied in one, two, or all three categories depending on the type of information you're looking for.
+
+### Apply filters by authorization system type
+
+1. From the **Authorization System Type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.
+1. Select **Apply** to run your query and display the information you selected.
+
+ Select **Reset Filter** to discard your changes.
+
+### Apply filters by authorization system
+
+1. From the **Authorization System Type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.
+1. From the **Authorization System** dropdown, select accounts from a **List** of accounts and **Folders**.
+1. Select **Apply** to run your query and display the information you selected.
+
+ Select **Reset Filter** to discard your changes.
++
+### Apply filters by group type
+
+You can filter user details by type of user, user role, app, or service used, or by resource.
+
+1. From the **Authorization System Type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.
+1. From the **Authorization System** dropdown, select from a **List** of accounts and **Folders**.
+1. From the **Group Type** dropdown, select the type of user: **All**, **ED**, or **Local**.
+1. Select **Apply** to run your query and display the information you selected.
+
+ Select **Reset Filter** to discard your changes.
+
+### Apply filters by group activity status
+
+You can filter user details by type of user, user role, app, or service used, or by resource.
+
+1. From the **Authorization System Type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.
+1. From the **Authorization System** dropdown, select from a **List** of accounts and **Folders**.
+1. From the **Group Activity Status** dropdown, select the type of user: **All**, **Active**, or **Inactive**.
+1. Select **Apply** to run your query and display the information you selected.
+
+ Select **Reset Filter** to discard your changes.
+
+### Apply filters by tasks type
+
+You can filter user details by type of user, user role, app, or service used, or by resource.
+
+1. From the **Authorization System Type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.
+1. From the **Authorization System** dropdown, select from a **List** of accounts and **Folders**.
+1. From the **Tasks Type** dropdown, select the type of user: **All**, **High Risk Tasks**, or **Delete Tasks**.
+1. Select **Apply** to run your query and display the information you selected.
+
+ Select **Reset Filter** to discard your changes.
++
+## Export the results of your query
+
+- To view a report of the results of your query as a comma-separated values (CSV) file, select **Export**, and then select **CSV**.
+- To view a list of members of the groups in your query, select **Export**, and then select **Memberships**.
+++
+## Next steps
+
+- To view active tasks, see [View analytic information about active tasks](usage-analytics-active-tasks.md).
+- To view assigned permissions and usage by users, see [View analytic information about users](usage-analytics-users.md).
+- To view active resources, see [View analytic information about active resources](usage-analytics-active-resources.md).
+- To view the permission usage of access keys for a given user, see [View analytic information about access keys](usage-analytics-access-keys.md).
+- To view assigned permissions and usage of the serverless functions, see [View analytic information about serverless functions](usage-analytics-serverless-functions.md).
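Review bot: the last step of "Add a tag to a group", "To add the tag to the serverless function, select **Add Tag**.", was copied from the serverless functions article and should say "to the group". The same copy-paste problem runs through the filter subsections: the group type, group activity status, and tasks type sections each open with "You can filter user details by type of user, user role, app, or service used, or by resource.", and their dropdown steps say "select the type of user" for **Group Type**, **Group Activity Status**, and **Tasks Type**; reword each to name what is actually being filtered. The intro to "Apply filters to your query" lists five filters (**Authorization System Type**, **Authorization System**, **Group Type**, **Group Activity Status**, and **Tasks Type**) but then says "Filters can be applied in one, two, or all three categories", so the count needs updating. In "View detailed information about a group", step 2, "Select the arrow to the left of the group name to view details about the task.", should refer to the task name, since step 1 already expanded the group. Minor: the **Tasks Type** bullet in the component list is missing its terminating period.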
active-directory Usage Analytics Home https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/usage-analytics-home.md
+
+ Title: View analytic information with the Analytics dashboard in Permissions Management
+description: How to use the Analytics dashboard in Permissions Management to view details about users, groups, active resources, active tasks, access keys, and serverless functions.
+++++++ Last updated : 02/23/2022+++
+# View analytic information with the Analytics dashboard
+
+> [!IMPORTANT]
+> Microsoft Entra Permissions Management is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+This article provides a brief overview of the Analytics dashboard in Permissions Management, and the type of analytic information it provides for Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP).
+
+## Display the Analytics dashboard
+
+- From the Permissions Management home page, select the **Analytics** tab.
+
+ The **Analytics** dashboard displays detailed information about:
+
+ - **Users**: Tracks assigned permissions and usage by users. For more information, see [View analytic information about users](usage-analytics-users.md).
+
+ - **Groups**: Tracks assigned permissions and usage of the group and the group members. For more information, see [View analytic information about groups](usage-analytics-groups.md).
+
+ - **Active Resources**: Tracks resources that have been used in the last 90 days. For more information, see [View analytic information about active resources](usage-analytics-active-resources.md).
+
+ - **Active Tasks**: Tracks tasks that have been performed in the last 90 days. For more information, see [View analytic information about active tasks](usage-analytics-active-tasks.md).
+
+ - **Access Keys**: Tracks the permission usage of access keys for a given user. For more information, see [View analytic information about access keys](usage-analytics-access-keys.md).
+
+ - **Serverless Functions**: Tracks assigned permissions and usage of the serverless functions for AWS only. For more information, see [View analytic information about serverless functions](usage-analytics-serverless-functions.md).
+
+ System administrators can use this information to make decisions about granting permissions and reducing risk on unused permissions.
+++
+## Next steps
+
+- To view active tasks, see [View analytic information about active tasks](usage-analytics-active-tasks.md).
+- To view assigned permissions and usage by users, see [View analytic information about users](usage-analytics-users.md).
+- To view assigned permissions and usage of the group and the group members, see [View analytic information about groups](usage-analytics-groups.md).
+- To view active resources, see [View analytic information about active resources](usage-analytics-active-resources.md).
+- To view the permission usage of access keys for a given user, see [View analytic information about access keys](usage-analytics-access-keys.md).
+- To view assigned permissions and usage of the serverless functions, see [View analytic information about serverless functions](usage-analytics-serverless-functions.md).
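Review bot: the scope of serverless function analytics is stated inconsistently across this change: the bullet here says "Tracks assigned permissions and usage of the serverless functions for AWS only", while the serverless functions article added in the same change lists Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) under its **Authorization System Type** component. One of the two should be corrected so readers know which providers the view actually covers.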
active-directory Usage Analytics Serverless Functions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/usage-analytics-serverless-functions.md
+
+ Title: View analytic information about serverless functions in Permissions Management
+description: How to view analytic information about serverless functions in Permissions Management.
+++++++ Last updated : 02/23/2022+++
+# View analytic information about serverless functions
+
+> [!IMPORTANT]
+> Microsoft Entra Permissions Management is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+The **Analytics** dashboard in Permissions Management collects detailed information, analyzes, reports on, and visualizes data about all identity types. System administrators can use the information to make informed decisions about granting permissions and reducing risk on unused permissions for:
+
+- **Users**: Tracks assigned permissions and usage of various identities.
+- **Groups**: Tracks assigned permissions and usage of the group and the group members.
+- **Active Resources**: Tracks active resources (used in the last 90 days).
+- **Active Tasks**: Tracks active tasks (performed in the last 90 days).
+- **Access Keys**: Tracks the permission usage of access keys for a given user.
+- **Serverless Functions**: Tracks assigned permissions and usage of the serverless functions.
+
+This article describes how to view usage analytics about serverless functions.
+
+## Create a query to view serverless functions
+
+When you select **Serverless Functions**, the **Analytics** dashboard provides a high-level overview of tasks used by various identities.
+
+1. On the main **Analytics** dashboard, select **Serverless Functions** from the dropdown list at the top of the screen.
+
+ The following components make up the **Serverless Functions** dashboard:
+
+ - **Authorization System Type**: Select the authorization you want to use: Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP).
+ - **Authorization System**: Select from a **List** of accounts and **Folders**.
+ - **Search**: Enter criteria to find specific tasks.
+1. Select **Apply** to display the criteria you've selected.
+
+ Select **Reset Filter** to discard your changes.
++
+## View the results of your query
+
+The **Serverless Functions** table displays the results of your query.
+
+- **Function Name**: Provides the name of the serverless function.
+ - To view details about a serverless function, select the down arrow to the left of the function name.
+- A **Function Type** icon displays to the left of the function name to describe the type of serverless function, for example **Lambda function**.
+- The **Permission Creep Index (PCI)**: Provides the following information:
+ - **Index**: A numeric value assigned to the PCI.
+ - **Since**: How many days the PCI value has been at the displayed level.
+- **Tasks**: Displays the number of **Granted** and **Executed** tasks.
+- **Resources**: The number of resources used.
+- **Last Activity On**: The date the function was last accessed.
+- Select the ellipses **(...)**, and then select **Tags** to add a tag.
+
+## Add a tag to a serverless function
+
+1. Select the ellipses **(...)** and select **Tags**.
+1. From the **Select a Tag** dropdown, select a tag.
+1. To create a custom tag select **New Custom Tag**, add a tag name, and then select **Create**.
+1. In the **Value (Optional)** box, enter a value.
+1. Select the ellipses **(...)** to select **Advanced Save** options, and then select **Save**.
+1. To add the tag to the serverless function, select **Add Tag**.
+
+## View detailed information about a serverless function
+
+1. Select the down arrow to the left of the function name to display the following:
+
+ - A list of **Tasks** organized by **Used** and **Unused**.
+ - **Versions**, if a version is available.
+
+1. Select the arrow to the left of the task name to view details about the task.
+1. Select **Information** (**i**) to view when the task was last used.
+1. From the **Tasks** dropdown, select **All Tasks**, **High Risk Tasks**, and **Delete Tasks**.
++
+## Apply filters to your query
+
+You can filter the **Serverless Functions** results by **Authorization System Type** and **Authorization System**.
+
+### Apply filters by authorization system type
+
+1. From the **Authorization System Type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.
+1. Select **Apply** to run your query and display the information you selected.
+
+ Select **Reset Filter** to discard your changes.
++
+### Apply filters by authorization system
+
+1. From the **Authorization System Type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.
+1. From the **Authorization System** dropdown, select accounts from a **List** of accounts and **Folders**.
+1. Select **Apply** to run your query and display the information you selected.
+
+ Select **Reset Filter** to discard your changes.
+++
+## Next steps
+
+- To view active tasks, see [View usage analytics about active tasks](usage-analytics-active-tasks.md).
+- To view assigned permissions and usage by users, see [View analytic information about users](usage-analytics-users.md).
+- To view assigned permissions and usage of the group and the group members, see [View analytic information about groups](usage-analytics-groups.md).
+- To view active resources, see [View analytic information about active resources](usage-analytics-active-resources.md).
+- To view the permission usage of access keys for a given user, see [View analytic information about access keys](usage-analytics-access-keys.md).
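Review bot: the query section describes the wrong object: "When you select **Serverless Functions**, the **Analytics** dashboard provides a high-level overview of tasks used by various identities." and the search component "**Search**: Enter criteria to find specific tasks." should refer to serverless functions, consistent with the **Function Name** column described under "View the results of your query". Also the first "Next steps" link text, "View usage analytics about active tasks", differs from the target article's title "View analytic information about active tasks" used by every other article in this change.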
active-directory Usage Analytics Users https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/usage-analytics-users.md
+
+ Title: View analytic information about users in Permissions Management
+description: How to view analytic information about users in Permissions Management.
+++++++ Last updated : 02/23/2022+++
+# View analytic information about users
+
+> [!IMPORTANT]
+> Microsoft Entra Permissions Management is currently in PREVIEW.
+> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+The **Analytics** dashboard in Permissions Management collects detailed information, analyzes, reports on, and visualizes data about all identity types. System administrators can use the information to make informed decisions about granting permissions and reducing risk on unused permissions for:
+
+- **Users**: Tracks assigned permissions and usage of various identities.
+- **Groups**: Tracks assigned permissions and usage of the group and the group members.
+- **Active Resources**: Tracks active resources (used in the last 90 days).
+- **Active Tasks**: Tracks active tasks (performed in the last 90 days).
+- **Access Keys**: Tracks the permission usage of access keys for a given user.
+- **Serverless Functions**: Tracks assigned permissions and usage of the serverless functions.
+
+This article describes how to view usage analytics about users.
+
+## Create a query to view users
+
+When you select **Users**, the **Analytics** dashboard provides a high-level overview of tasks used by various identities.
+
+1. On the main **Analytics** dashboard, select **Users** from the drop-down list at the top of the screen.
+
+ The following components make up the **Users** dashboard:
+
+ - **Authorization System Type**: Select the authorization you want to use: Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP).
+ - **Authorization System**: Select from a **List** of accounts and **Folders***.
+ - **Identity Type**: Select **All** identity types, **User**, **Role/App/Service a/c** or **Resource**.
+ - **Search**: Enter criteria to find specific tasks.
+1. Select **Apply** to display the criteria you've selected.
+
+ Select **Reset filter** to discard your changes.
++
+## View the results of your query
+
+The **Identities** table displays the results of your query.
+
+- **Name**: Provides the name of the group.
+ - To view details about the group, select the down arrow.
+- The **Domain/Account** name.
+- The **Permission Creep Index (PCI)**: Provides the following information:
+ - **Index**: A numeric value assigned to the PCI.
+ - **Since**: How many days the PCI value has been at the displayed level.
+- **Tasks**: Displays the number of **Granted** and **Executed** tasks.
+- **Resources**: The number of resources used.
+- **User Groups**: The number of users who accessed the group.
+- **Last Activity On**: The date the function was last accessed.
+- The ellipses **(...)**: Select **Tags** to add a tag.
+
+ If you're using AWS, another selection is available from the ellipses menu: **Auto Remediate**. You can use this option to remediate your results automatically.
+
+## Add a tag to a user
+
+1. Select the ellipses **(...)** and select **Tags**.
+1. From the **Select a Tag** dropdown, select a tag.
+1. To create a custom tag select **New Custom Tag**, add a tag name, and then select **Create**.
+1. In the **Value (Optional)** box, enter a value.
+1. Select the ellipses **(...)** to select **Advanced Save** options, and then select **Save**.
+1. To add the tag to the serverless function, select **Add Tag**.
+
+## Set the auto-remediate option (AWS only)
+
+- Select the ellipses **(...)** and select **Auto Remediate**.
+
+ A message displays to confirm that your remediation settings are automatically updated.
+
+## Apply filters to your query
+
+There are many filter options within the **Users** screen, including filters by **Authorization System**, **Identity Type**, and **Identity State**.
+Filters can be applied in one, two, or all three categories depending on the type of information you're looking for.
+
+### Apply filters by authorization system type
+
+1. From the **Authorization System Type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.
+1. Select **Apply** to run your query and display the information you selected.
+
+ Select **Reset Filter** to discard your changes.
++
+### Apply filters by authorization system
+
+1. From the **Authorization System Type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.
+1. From the **Authorization System** dropdown, select accounts from a **List** of accounts and **Folders**.
+1. Select **Apply** to run your query and display the information you selected.
+
+ Select **Reset filter** to discard your changes.
+
+### Apply filters by identity type
+
+1. From the **Authorization System Type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.
+1. From the **Authorization System** dropdown, select from a **List** of accounts and **Folders**.
+1. From the **Identity Type**, select the type of user: **All**, **User**, **Role/App/Service a/c**, or **Resource**.
+1. Select **Apply** to run your query and display the information you selected.
+
+ Select **Reset Filter** to discard your changes.
+
+### Apply filters by identity subtype
+
+1. From the **Authorization System Type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.
+1. From the **Authorization System** dropdown, select from a **List** of accounts and **Folders**.
+1. From the **Identity Subtype**, select the type of user: **All**, **ED**, **Local**, or **Cross Account**.
+1. Select **Apply** to run your query and display the information you selected.
+
+ Select **Reset filter** to discard your changes.
+
+### Apply filters by identity state
+
+1. From the **Authorization System Type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.
+1. From the **Authorization System** dropdown, select from a **List** of accounts and **Folders**.
+1. From the **Identity State**, select the type of user: **All**, **Active**, or **Inactive**.
+1. Select **Apply** to run your query and display the information you selected.
+
+ Select **Reset Filter** to discard your changes.
++
+### Apply filters by identity filters
+
+1. From the **Authorization System Type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.
+1. From the **Authorization System** dropdown, select from a **List** of accounts and **Folders**.
+1. From the **Identity Type**, select: **Risky** or **Incl. in PCI Calculation Only**.
+1. Select **Apply** to run your query and display the information you selected.
+
+ Select **Reset Filter** to discard your changes.
++
+### Apply filters by task type
+
+You can filter user details by type of user, user role, app, or service used, or by resource.
+
+1. From the **Authorization System Type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**.
+1. From the **Authorization System** dropdown, select from a **List** of accounts and **Folders**.
+1. From the **Task Type**, select the type of user: **All** or **High Risk Tasks**.
+1. Select **Apply** to run your query and display the information you selected.
+
+ Select **Reset Filter** to discard your changes.
++
+## Export the results of your query
+
+- To export a report of the results of your query as a comma-separated values (CSV) file, select **Export**, and then select **CSV**.
+- To export the data in a detailed comma-separated values (CSV) file format, select **Export** and then select **CSV (Detailed)**.
+- To export a report of user permissions, select **Export** and then select **Permissions**.
++
+## Next steps
+
+- To view active tasks, see [View analytic information about active tasks](usage-analytics-active-tasks.md).
+- To view assigned permissions and usage of the group and the group members, see [View analytic information about groups](usage-analytics-groups.md).
+- To view active resources, see [View analytic information about active resources](usage-analytics-active-resources.md).
+- To view the permission usage of access keys for a given user, see [View analytic information about access keys](usage-analytics-access-keys.md).
+- To view assigned permissions and usage of the serverless functions, see [View analytic information about serverless functions](usage-analytics-serverless-functions.md).
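Review bot: the results table description was copied from the groups and serverless functions articles and doesn't describe users: "**Name**: Provides the name of the group.", "- To view details about the group, select the down arrow.", "**User Groups**: The number of users who accessed the group.", "**Last Activity On**: The date the function was last accessed.", and, in "Add a tag to a user", "To add the tag to the serverless function, select **Add Tag**." all need rewording for the identity being described. The "Apply filters by identity filters" section tells the reader to pick **Risky** or **Incl. in PCI Calculation Only** "From the **Identity Type**", but the **Identity Type** options listed in the dashboard components are **All**, **User**, **Role/App/Service a/c** or **Resource**; name the dropdown those two options actually belong to. Likewise the identity subtype filter (**ED**, **Local**, **Cross Account**) and the task type filter are not in the component list for the **Users** dashboard, and the intro sentence "Filters can be applied in one, two, or all three categories" undercounts the six filter subsections that follow. Smaller points: "**Folders***" has a stray asterisk, the **Task Type** step says "select the type of user", the "Apply filters by task type" intro again describes filtering user details, and **Reset Filter** / **Reset filter** casing varies between sections.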
active-directory Msal Js Sso https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/msal-js-sso.md
# Single sign-on with MSAL.js
-Single sign-on (SSO) provides a more seamless experience by reducing the number of times your users are asked for their credentials. Users enter their credentials once, and the established session can be reused by other applications on the device without further prompting.
+Single sign-on (SSO) provides a more seamless experience by reducing the number of times your users are asked for their credentials. Users enter their credentials once, and the established session can be reused by other applications on the device without further prompting.
-Azure Active Directory (Azure AD) enables SSO by setting a session cookie when a user first authenticates. MSAL.js allows use of the session cookie for SSO between the browser tabs opened for one or several applications.
+Azure Active Directory (Azure AD) enables SSO by setting a session cookie when a user authenticates for the first time. MSAL.js allows the usage of the session cookie for SSO between the browser tabs opened for one or several applications.
-## SSO between browser tabs
+## SSO between browser tabs for the same app
-When a user has your application open in several tabs and signs in on one of them, they're signed into the same app open on the other tabs without being prompted. MSAL.js caches the ID token for the user in the browser `localStorage` and will sign the user in to the application on the other open tabs.
-
-By default, MSAL.js uses `sessionStorage`, which doesn't allow the session to be shared between tabs. To get SSO between tabs, make sure to set the `cacheLocation` in MSAL.js to `localStorage` as shown below.
+When a user has your application open in several tabs and signs in on one of them, they can be signed into the same app open on the other tabs without being prompted. To do so, you'll need to set the *cacheLocation* in MSAL.js configuration object to `localStorage` as shown below.
```javascript const config = { auth: {
- clientId: "abcd-ef12-gh34-ikkl-ashdjhlhsdg",
+ clientId: "1111-2222-3333-4444-55555555",
}, cache: { cacheLocation: "localStorage",
const config = {
const msalInstance = new msal.PublicClientApplication(config); ```
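Review bot: the rewrite of the "SSO between browser tabs" section drops the two facts a reader needs to make this choice safely: that MSAL.js defaults to `sessionStorage` (so cross-tab SSO does not happen unless `cacheLocation` is changed) and that moving to `localStorage` persists the cached ID and access tokens across browser restarts, where any script running on the origin can read them. Keep the removed sentence "By default, MSAL.js uses `sessionStorage`, which doesn't allow the session to be shared between tabs" and add one clause on the trade-off (persistence, wider exposure to a same-origin XSS). Minor: "set the *cacheLocation* in MSAL.js configuration object" is missing "the", and the new placeholder `1111-2222-3333-4444-55555555` is not GUID-shaped; the `Enter_the_Application_Id_Here` placeholder used elsewhere in this commit, or an all-zero GUID, is clearer and stops readers pasting an invalid client ID. The same placeholder appears again in the ADAL.js migration snippets further down.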
-## SSO between apps
-
-When a user authenticates, a session cookie is set on the Azure AD domain in the browser. MSAL.js relies on this session cookie to provide SSO for the user between different applications. MSAL.js also caches the ID tokens and access tokens of the user in the browser storage per application domain. As a result, the SSO behavior varies for different cases:
-
-### Applications on the same domain
-
-When applications are hosted on the same domain, the user can sign into an app once and then get authenticated to the other apps without a prompt. MSAL.js uses the tokens cached for the user on the domain to provide SSO.
-
-### Applications on different domain
-
-When applications are hosted on different domains, the tokens cached on domain A cannot be accessed by MSAL.js in domain B.
-
-When a user signed in on domain A navigates to an application on domain B, they're typically redirected or prompted to sign in. Because Azure AD still has the user's session cookie, it signs in the user without prompting for credentials.
+## SSO between different apps
-If the user has multiple user accounts in a session with Azure AD, the user is prompted to pick an account to sign in with.
+When a user authenticates, a session cookie is set on the Azure AD domain in the browser. MSAL.js relies on this session cookie to provide SSO for the user between different applications. MSAL.js also caches the ID tokens and access tokens of the user in the browser storage per application domain.
-### Automatic account selection
+MSAL.js offers the `ssoSilent` method to sign-in the user and obtain tokens without an interaction. However, if the user has multiple user accounts in a session with Azure AD, then the user is prompted to pick an account to sign in with. As such, there are two ways to achieve SSO using `ssoSilent` method.
-When a user is signed in concurrently to multiple Azure AD accounts on the same device, you might find you have the need to bypass the account selection prompt.
+### With user hint
-**Using a session ID**
+To improve performance and ensure that the authorization server will look for the correct account session. You can pass one of the following options in the request object of the `ssoSilent` method to obtain the token silently.
-Use the session ID (SID) in silent authentication requests you make with `acquireTokenSilent` in MSAL.js.
+- Session ID `sid` (which can be retrieved from `idTokenClaims` of an `account` object)
+- `login_hint` (which can be retrieved from the `account` object username property or the `upn` claim in the ID token)
+- `account` (which can be retrieved from using one the [account methods](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/login-user.md#account-apis))
-To use a SID, add `sid` as an [optional claim](active-directory-optional-claims.md) to your app's ID tokens. The `sid` claim allows an application to identify a user's Azure AD session independent of their account name or username. To learn how to add optional claims like `sid`, see [Provide optional claims to your app](active-directory-optional-claims.md).
+#### Using a session ID
-The SID is bound to the session cookie and won't cross browser contexts. You can use the SID only with `acquireTokenSilent`.
+To use a session ID, add `sid` as an [optional claim](active-directory-optional-claims.md) to your app's ID tokens. The `sid` claim allows an application to identify a user's Azure AD session independent of their account name or username. To learn how to add optional claims like `sid`, see [Provide optional claims to your app](active-directory-optional-claims.md). Use the session ID (SID) in silent authentication requests you make with `ssoSilent` in MSAL.js.
```javascript
-var request = {
+const request = {
scopes: ["user.read"], sid: sid, };
- msalInstance.acquireTokenSilent(request)
- .then(function (response) {
- const token = response.accessToken;
- })
- .catch(function (error) {
- //handle error
- });
+ try {
+ const loginResponse = await msalInstance.ssoSilent(request);
+} catch (err) {
+ if (err instanceof InteractionRequiredAuthError) {
+ const loginResponse = await msalInstance.loginPopup(request).catch(error => {
+ // handle error
+ });
+ } else {
+ // handle error
+ }
+}
```
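Review bot: the `ssoSilent` snippet that uses a session ID references two names it never defines, `sid` and `InteractionRequiredAuthError` (exported by `@azure/msal-browser` as `msal.InteractionRequiredAuthError`, or imported by name from the package); show where `sid` comes from (`account.idTokenClaims.sid`, as the bullet above says) or a copied snippet throws a ReferenceError. The `.catch(error => { ... })` attached to `loginPopup` inside an existing `try/catch` is redundant and silently swallows the popup error; let the outer `catch` handle it or rethrow. The dropped sentence "The SID is bound to the session cookie and won't cross browser contexts" was the only guidance on what `sid` can be relied on for; it still holds for `ssoSilent` and should stay. Prose: "To improve performance and ensure that the authorization server will look for the correct account session. You can pass..." is a fragment that should be one sentence, "sign-in the user" should be "sign in the user", and "from using one the [account methods]" is missing "of".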
-**Using a login hint**
+#### Using a login hint
To bypass the account selection prompt typically shown during interactive authentication requests (or for silent requests when you haven't configured the `sid` optional claim), provide a `loginHint`. In multi-tenant applications, also include a `domain_hint`. ```javascript
-var request = {
+const request = {
scopes: ["user.read"], loginHint: preferred_username, extraQueryParameters: { domain_hint: "organizations" }, };
- msalInstance.loginRedirect(request);
+try {
+ const loginResponse = await msalInstance.ssoSilent(request);
+} catch (err) {
+ if (err instanceof InteractionRequiredAuthError) {
+ const loginResponse = await msalInstance.loginPopup(request).catch(error => {
+ // handle error
+ });
+ } else {
+ // handle error
+ }
+}
``` Get the values for `loginHint` and `domain_hint` from the user's **ID token**:
Get the values for `loginHint` and `domain_hint` from the user's **ID token**:
For more information about login hint and domain hint, see [Microsoft identity platform and OAuth 2.0 authorization code flow](v2-oauth2-auth-code-flow.md).
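Review bot: `loginHint: preferred_username` in the login-hint snippet uses an undefined variable; the text says to take it from the ID token, so either show `account.idTokenClaims.preferred_username` (or `account.username`) or mark the name as a placeholder. Worth one sentence in the prose: `loginHint` and `domain_hint` are hints, they tell the authorization server which session to try, they do not assert who the user is, so code that needs a specific user should compare the returned `account` (for example its `homeAccountId` or `tenantId`) with what it expects instead of assuming the hinted account came back.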
-## SSO without MSAL.js login
+#### Using an account object
-By design, MSAL.js requires that a login method is called to establish a user context before getting tokens for APIs. Since login methods are interactive, the user sees a prompt.
+If you know the user account information, you can also retrieve the user account by using the `getAccountByUsername()` or `getAccountByHomeId()` methods:
-There are certain cases in which applications have access to the authenticated user's context or ID token through authentication initiated in another application and want to use SSO to acquire tokens without first signing in through MSAL.js.
+```javascript
+const username = "test@contoso.com";
+const myAccount = msalInstance.getAccountByUsername(username);
+
+const request = {
+ scopes: ["User.Read"],
+ account: myAccount
+};
-An example: A user is signed in to Microsoft account in a browser that hosts another JavaScript application running as an add-on or plugin, which requires a Microsoft account sign-in.
+try {
+ const loginResponse = await msalInstance.ssoSilent(request);
+} catch (err) {
+ if (err instanceof InteractionRequiredAuthError) {
+ const loginResponse = await msalInstance.loginPopup(request).catch(error => {
+ // handle error
+ });
+ } else {
+ // handle error
+ }
+}
+```
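Review bot: `getAccountByUsername(username)` returns `null` when no cached account matches, and the snippet passes that result straight into `ssoSilent` as `account: myAccount`; add a null check that falls back to `loginHint` or an interactive login, otherwise the example fails on a first visit with an error unrelated to what the section teaches. The hardcoded `"test@contoso.com"` should be visibly a placeholder rather than a literal that readers may leave in place.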
-The SSO experience in this scenario can be achieved as follows:
+### Without user hint
-Pass the `sid` if available (or `login_hint` and optionally `domain_hint`) as request parameters to the MSAL.js `acquireTokenSilent` call as follows:
+You can attempt to use the `ssoSilent` method without passing any `account`, `sid` or `login_hint` as shown in the code below:
```javascript
-var request = {
- scopes: ["user.read"],
- loginHint: preferred_username,
- extraQueryParameters: { domain_hint: "organizations" },
+const request = {
+ scopes: ["User.Read"]
};
-msalInstance.acquireTokenSilent(request)
- .then(function (response) {
- const token = response.accessToken;
- })
- .catch(function (error) {
- //handle error
- });
+try {
+ const loginResponse = await msalInstance.ssoSilent(request);
+} catch (err) {
+ if (err instanceof InteractionRequiredAuthError) {
+ const loginResponse = await msalInstance.loginPopup(request).catch(error => {
+ // handle error
+ });
+ } else {
+ // handle error
+ }
+}
```
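Review bot: the hint-less `ssoSilent` example should say what the app must do with the result: without `account`, `sid` or `login_hint` the authorization server picks whichever single session it finds, so an application that expects a particular user or tenant (a shared browser, an admin tool) must check the returned `loginResponse.account` against that expectation before treating the user as signed in. The four snippets in this section repeat the same try/`ssoSilent`/catch/`loginPopup` scaffold; showing one helper that takes the request object would halve the section and make the only thing that differs per variant, the hint, stand out. `loginResponse` is assigned but never used in any of them.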
+However, there's a likelihood of silent sign-in errors if the application has multiple users in a single browser session or if the user has multiple accounts for that single browser session. You may see the following error in the case of multiple accounts:
+
+```txt
+InteractionRequiredAuthError: interaction_required: AADSTS16000: Either multiple user identities are available for the current request or selected account is not supported for the scenario.
+```
+
+The error indicates that the server couldn't determine which account to sign into, and will require either one of the parameters above (`account`, `login_hint`, `sid`) or an interactive sign-in to choose the account.
+
+## Considerations when using `ssoSilent`
+
+### Redirect URI (reply URL)
+
+For better performance and to help avoid issues, set the `redirectUri` to a blank page or other page that doesn't use MSAL.
+
+- If your application users only popup and silent methods, set the `redirectUri` on the `PublicClientApplication` configuration object.
+- If your application also uses redirect methods, set the `redirectUri` on a per-request basis.
+
+### Third-party cookies
+
+`ssoSilent` attempts to open a hidden iframe and reuse an existing session with Azure AD. This won't work in browsers that block third-party cookies such as safari, and will lead to an interaction error:
+
+```txt
+InteractionRequiredAuthError: login_required: AADSTS50058: A silent sign-in request was sent but no user is signed in. The cookies used to represent the user's session were not sent in the request to Azure AD
+```
+
+To resolve the error, the user must create an interactive authentication request using the `loginPopup()` or `loginRedirect()`.
+
+Additionally, the request object is required when using the **silent** methods. If you already have the user's sign-in information, you can pass either the `loginHint` or `sid` optional parameters to sign-in a specific account.
+ ## SSO in ADAL.js to MSAL.js update MSAL.js brings feature parity with ADAL.js for Azure AD authentication scenarios. To make the migration from ADAL.js to MSAL.js easy and to avoid prompting your users to sign in again, the library reads the ID token representing userΓÇÖs session in ADAL.js cache, and seamlessly signs in the user in MSAL.js.
To take advantage of the SSO behavior when updating from ADAL.js, you'll need to
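Review bot: in "Considerations when using `ssoSilent`", "If your application users only popup and silent methods" should read "uses", "safari" should be "Safari", and "using the `loginPopup()` or `loginRedirect()`" is missing "methods". The redirect-URI advice ("set the `redirectUri` to a blank page or other page that doesn't use MSAL") should add that the page must still be one of the reply URLs registered for the app, otherwise the hidden-iframe request fails with a redirect-URI mismatch instead of returning a token. The closing paragraph says "pass either the `loginHint` or `sid` optional parameters" while the "With user hint" section also lists `account`; keep the two lists consistent. The heading "## SSO in ADAL.js to MSAL.js update" is shown merged onto the same line as the paragraph that follows and carries a mis-encoded apostrophe in "userΓÇÖs"; check that the source has the heading on its own line with a plain apostrophe.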
// In ADAL.js window.config = {
- clientId: "g075edef-0efa-453b-997b-de1337c29185",
+ clientId: "1111-2222-3333-4444-55555555",
cacheLocation: "localStorage", };
var authContext = new AuthenticationContext(config);
// In latest MSAL.js version const config = { auth: {
- clientId: "abcd-ef12-gh34-ikkl-ashdjhlhsdg",
+ clientId: "1111-2222-3333-4444-55555555",
}, cache: { cacheLocation: "localStorage",
Once the `cacheLocation` is configured, MSAL.js can read the cached state of the
For more information about SSO, see: -- [Single Sign-On SAML protocol](single-sign-on-saml-protocol.md)
+- [Single Sign-on SAML protocol](single-sign-on-saml-protocol.md)
+- [Optional token claims](active-directory-optional-claims.md)
- [Configurable token lifetimes](active-directory-configurable-token-lifetimes.md)
active-directory Scenario Spa Sign In https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/scenario-spa-sign-in.md
Before you can get tokens to access APIs in your application, you need an authen
You can also optionally pass the scopes of the APIs for which you need the user to consent at the time of sign-in. > [!NOTE]
-> If your application already has access to an authenticated user context or ID token, you can skip the login step and directly acquire tokens. For details, see [SSO without MSAL.js login](msal-js-sso.md#sso-without-msaljs-login).
+> If your application already has access to an authenticated user context or ID token, you can skip the login step and directly acquire tokens. For details, see [SSO with user hint](msal-js-sso.md#with-user-hint).
## Choosing between a pop-up or redirect experience
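Review bot: the updated cross-reference keeps the wording "skip the login step and directly acquire tokens" but now points at "#with-user-hint", whose snippets call `ssoSilent` (with `loginPopup` as the fallback), which is itself a sign-in method that establishes the account context; "skip the login step" no longer describes what the linked section shows. Reword to something like "sign in silently using an existing Azure AD session" so the note and its target agree.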
active-directory Scenario Web App Sign User App Configuration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/scenario-web-app-sign-user-app-configuration.md
In the Azure portal, the reply URIs that you register on the **Authentication**
# [Node.js](#tab/nodejs)
-Here, the configuration parameters reside in `index.js`
+Here, the configuration parameters reside in *.env* as environment variables:
-```javascript
-const REDIRECT_URI = "http://localhost:3000/redirect";
+These parameters are used to create a configuration object in *authConfig.js* file, which will eventually be used to initialize MSAL Node:
-const config = {
- auth: {
- clientId: "Enter_the_Application_Id_Here",
- authority: "https://login.microsoftonline.com/Enter_the_Tenant_Info_Here/",
- clientSecret: "Enter_the_Client_Secret_Here"
- },
- system: {
- loggerOptions: {
- loggerCallback(loglevel, message, containsPii) {
- console.log(message);
- },
- piiLoggingEnabled: false,
- logLevel: msal.LogLevel.Verbose,
- }
- }
-};
-```
-In the Azure portal, the reply URIs that you register on the Authentication page for your application need to match the redirectUri instances that the application defines (`http://localhost:3000/redirect`).
+In the Azure portal, the reply URIs that you register on the Authentication page for your application need to match the redirectUri instances that the application defines (`http://localhost:3000/auth/redirect`).
> [!NOTE] > This quickstart proposes to store the client secret in the configuration file for simplicity. In your production app, you'd want to use other ways to store your secret, such as a key vault or an environment variable.
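Review bot: the `> [!NOTE]` that follows the changed lines is now stale: it says the quickstart stores the client secret in the configuration file and recommends an environment variable instead, but the lines above were just changed to say the parameters live in *.env* as environment variables. Either remove the note or turn it into the caveat that still applies: a *.env* file on disk is still a plaintext secret, must be excluded from source control, and should give way to Key Vault or certificate credentials in production. Both "reside in *.env* as environment variables:" and "create a configuration object in *authConfig.js* file, which will eventually be used to initialize MSAL Node:" end in a colon with no code following them in this diff, so confirm the snippet includes render, and add "the" before "*authConfig.js* file".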
For details about the authorization code flow that this method triggers, see the
# [Node.js](#tab/nodejs)
-```javascript
-const msal = require('@azure/msal-node');
+Node sample the Express framework. MSAL is initialized in *auth* route handler:
-// Create msal application object
-const cca = new msal.ConfidentialClientApplication(config);
-```
# [Python](#tab/python)
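Review bot: "Node sample the Express framework. MSAL is initialized in *auth* route handler:" is missing its verb and articles ("The Node sample uses the Express framework. MSAL is initialized in the *auth* route handler:"), and, as in the configuration tab, the sentence ends in a colon with nothing after it in this diff. The removed snippet showed the one line readers need here, `const cca = new msal.ConfidentialClientApplication(config);`, so make sure the replacement include actually shows where `ConfidentialClientApplication` is constructed and with which config object.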
active-directory Scenario Web App Sign User App Registration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/scenario-web-app-sign-user-app-registration.md
By default, the sample uses:
1. When the **Register an application page** appears, enter your application's registration information: 1. Enter a **Name** for your application, for example `node-webapp`. Users of your app might see this name, and you can change it later.
- 1. Change **Supported account types** to **Accounts in any organizational directory and personal Microsoft accounts (e.g. Skype, Xbox, Outlook.com)**.
- 1. In the **Redirect URI (optional)** section, select **Web** in the combo box and enter the following redirect URI: `http://localhost:3000/redirect`.
+ 1. Change **Supported account types** to **Accounts in this organizational directory only**.
+ 1. In the **Redirect URI (optional)** section, select **Web** in the combo box and enter the following redirect URI: `http://localhost:3000/auth/redirect`.
1. Select **Register** to create the application. 1. On the app's **Overview** page, find the **Application (client) ID** value and record it for later. You'll need it to configure the configuration file for this project. 1. Under **Manage**, select **Certificates & secrets**.
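Review bot: switching **Supported account types** to **Accounts in this organizational directory only** means the authority the app builds must name the tenant (a single-tenant registration rejects `common` and `organizations`), yet the following step still tells the reader to record only the **Application (client) ID**. Add "and the **Directory (tenant) ID**" to that step, since the configuration will need both. Single-tenant is the tighter default and a good change for a quickstart; note that the example name `node-webapp` here differs from `ExpressWebApp` used in the tutorial's registration settings elsewhere in this commit.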
active-directory Scenario Web App Sign User Sign In https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/scenario-web-app-sign-user-sign-in.md
else
# [Java](#tab/java)
-In our Java quickstart, the sign-in button is located in the [main/resources/templates/https://docsupdatetracker.net/index.html](https://github.com/Azure-Samples/ms-identity-java-webapp/blob/master/msal-java-webapp-sample/src/main/resources/templates/https://docsupdatetracker.net/index.html) file.
+In the Java quickstart, the sign-in button is located in the [main/resources/templates/https://docsupdatetracker.net/index.html](https://github.com/Azure-Samples/ms-identity-java-webapp/blob/master/msal-java-webapp-sample/src/main/resources/templates/https://docsupdatetracker.net/index.html) file.
```html <!DOCTYPE html>
In our Java quickstart, the sign-in button is located in the [main/resources/tem
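Review bot: the link in the Java tab, in both the old and the new line, reads `main/resources/templates/https://docsupdatetracker.net/index.html`, with a stray `https://docsupdatetracker.net/` segment inserted before `index.html` in the link text and in the GitHub URL; the intended path is `main/resources/templates/index.html`. Verify the source file does not carry this string (it looks like an artifact of the page that rendered the diff), since the GitHub URL as shown would not resolve.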
# [Node.js](#tab/nodejs)
-In the Node.js quickstart, there's no sign-in button. The code-behind automatically prompts the user for sign-in when it's reaching the root of the web app.
+In the Node.js quickstart, the code for the sign-in button is located in *index.hbs* template file.
-```javascript
-app.get('/', (req, res) => {
- // authentication logic
-});
-```
+
+This template is served via the main (index) route of the app:
+ # [Python](#tab/python)
public class AuthPageController {
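Review bot: "located in *index.hbs* template file" needs "the", and "This template is served via the main (index) route of the app:" ends with a colon but no snippet follows in this diff; the removed `app.get('/', ...)` stub was at least a pointer to where the route lived, so make sure the include that replaces it renders, otherwise the Node.js tab says less than it did before the change.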
# [Node.js](#tab/nodejs)
-Unlike other platforms, here the MSAL Node takes care of letting the user sign in from the login page.
-
-```javascript
-
-// 1st leg of auth code flow: acquire a code
-app.get('/', (req, res) => {
- const authCodeUrlParameters = {
- scopes: ["user.read"],
- redirectUri: REDIRECT_URI,
- };
-
- // get url to sign user in and consent to scopes needed for application
- pca.getAuthCodeUrl(authCodeUrlParameters).then((response) => {
- res.redirect(response);
- }).catch((error) => console.log(JSON.stringify(error)));
-});
-
-// 2nd leg of auth code flow: exchange code for token
-app.get('/redirect', (req, res) => {
- const tokenRequest = {
- code: req.query.code,
- scopes: ["user.read"],
- redirectUri: REDIRECT_URI,
- };
-
- pca.acquireTokenByCode(tokenRequest).then((response) => {
- console.log("\nResponse: \n:", response);
- res.sendStatus(200);
- }).catch((error) => {
- console.log(error);
- res.status(500).send(error);
- });
-});
-```
+When the user selects the **Sign in** link, which triggers the `/auth/signin` route, the sign-in controller takes over to authenticate the user with Microsoft identity platform.
+ # [Python](#tab/python)
In our Java quickstart, the sign-out button is located in the main/resources/tem
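Review bot: the removed two-leg auth-code snippet exchanged `req.query.code` with no `state` check between `getAuthCodeUrl` and `acquireTokenByCode`, so replacing it is the right move; the new sentence "the sign-in controller takes over to authenticate the user" should be followed by that controller's code, and the code should be checked to include the `state` round-trip (and PKCE, which MSAL Node supports through `codeChallenge`/`codeChallengeMethod` on the URL request and `codeVerifier` on the token request) now that the sample has a session to store them in. The replacement refers to the `/auth/signin` route while the sign-out tab below uses `/signout`; confirm the route prefixes match the actual sample.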
# [Node.js](#tab/nodejs)
-This sample application does not implement sign-out.
# [Python](#tab/python)
In Java, sign-out is handled by calling the Microsoft identity platform `logout`
# [Node.js](#tab/nodejs)
-This sample application does not implement sign-out.
+When the user selects the **Sign out** button, the app triggers the `/signout` route, which destroys the session and redirects the browser to Microsoft identity platform sign-out endpoint.
+ # [Python](#tab/python)
In the Java quickstart, the post-logout redirect URI just displays the index.htm
# [Node.js](#tab/nodejs)
-This sample application does not implement sign-out.
+In the Node quickstart, the post-logout redirect URI is used to redirect the browser back to sample home page after the user completes the logout process with the Microsoft identity platform.
# [Python](#tab/python)
If you want to learn more about sign-out, read the protocol documentation that's
## Next steps Move on to the next article in this scenario,
-[Move to production](scenario-web-app-sign-user-production.md).
+[Move to production](scenario-web-app-sign-user-production.md).
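Review bot: the new sign-out description has the right order (destroy the server session first, then redirect to the Microsoft identity platform sign-out endpoint), but should add that the post-logout redirect URI sent with that redirect must be registered on the app registration or the redirect back is refused, and "redirect the browser back to sample home page" needs "the". Route naming: `/signout` here versus `/auth/signin` and `/auth/redirect` elsewhere in this commit; if the sample mounts its auth router under `/auth`, this should be `/auth/signout`, so verify against the sample before publishing.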
active-directory Tutorial V2 Nodejs Webapp Msal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/tutorial-v2-nodejs-webapp-msal.md
Last updated 02/17/2021
-# Tutorial: Sign in users in a Node.js & Express web app
+# Tutorial: Sign in users and acquire a token for Microsoft Graph in a Node.js & Express web app
-In this tutorial, you build a web app that signs-in users. The web app you build uses the [Microsoft Authentication Library (MSAL) for Node](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-node).
+In this tutorial, you build a web app that signs-in users and acquires access tokens for calling Microsoft Graph. The web app you build uses the [Microsoft Authentication Library (MSAL) for Node](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-node).
Follow the steps in this tutorial to:
First, complete the steps in [Register an application with the Microsoft identit
Use the following settings for your app registration: - Name: `ExpressWebApp` (suggested)-- Supported account types: **Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)**
+- Supported account types: **Accounts in this organizational directory only**
- Platform type: **Web**-- Redirect URI: `http://localhost:3000/redirect`
+- Redirect URI: `http://localhost:3000/auth/redirect`
- Client secret: `*********` (record this value for use in a later step - it's shown only once) ## Create the project
-Create a folder to host your application, for example *ExpressWebApp*.
+Use the [Express application generator tool](https://expressjs.com/en/starter/generator.html) to create an application skeleton.
-1. First, change to your project directory in your terminal and then run the following `npm` commands:
+1. First, install the [express-generator](https://www.npmjs.com/package/express-generator) package:
```console
- npm init -y
- npm install --save express
+ npm install -g express-generator
```
-2. Next, create file named *index.js* and add the following code:
-
-```JavaScript
- const express = require("express");
- const msal = require('@azure/msal-node');
-
- const SERVER_PORT = process.env.PORT || 3000;
-
- // Create Express App and Routes
- const app = express();
-
- app.listen(SERVER_PORT, () => console.log(`Msal Node Auth Code Sample app listening on port ${SERVER_PORT}!`))
+2. Then, create an application skeleton as follows:
+
+```console
+ express --view=hbs /ExpressWebApp && cd /ExpressWebApp
+ npm install
```
-You now have a simple web server running on port 3000. The file and folder structure of your project should look similar to the following:
+You now have a simple Express web app. The file and folder structure of your project should look similar to the following:
``` ExpressWebApp/
-Γö£ΓöÇΓöÇ index.js
+Γö£ΓöÇΓöÇ bin/
+| ΓööΓöÇΓöÇ wwww
+Γö£ΓöÇΓöÇ public/
+| Γö£ΓöÇΓöÇ images/
+| Γö£ΓöÇΓöÇ javascript/
+| ΓööΓöÇΓöÇ stylesheets/
+| ΓööΓöÇΓöÇ style.css
+Γö£ΓöÇΓöÇ routes/
+| Γö£ΓöÇΓöÇ index.js
+| ΓööΓöÇΓöÇ users.js
+Γö£ΓöÇΓöÇ views/
+| Γö£ΓöÇΓöÇ error.hbs
+| Γö£ΓöÇΓöÇ index.hbs
+| ΓööΓöÇΓöÇ layout.hbs
+Γö£ΓöÇΓöÇ app.js
ΓööΓöÇΓöÇ package.json ``` ## Install the auth library
-Locate the root of your project directory in a terminal and install the MSAL Node package via NPM.
+Locate the root of your project directory in a terminal and install the MSAL Node package via npm.
```console npm install --save @azure/msal-node ```
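Review bot: `express --view=hbs /ExpressWebApp && cd /ExpressWebApp` creates the project at the filesystem root, which fails without elevated rights on macOS and Linux and is surely not intended; use a relative path (`express --view=hbs ExpressWebApp && cd ExpressWebApp`). In the tree that follows, `bin/wwww` should be `bin/www` (the file express-generator creates) and the generated folder is `public/javascripts/`, not `public/javascript/`; `style.css` is also shown at the wrong depth. `npm install -g express-generator` installs globally; `npx express-generator --view=hbs ExpressWebApp` avoids the global install and takes the same flags.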
-## Add app registration details
+## Install other dependencies
+
+The web app sample in this tutorial uses the [express-session](https://www.npmjs.com/package/express-session) package for session management, [dotenv](https://www.npmjs.com/package/dotenv) package for reading environment parameters during development, and [axios](https://www.npmjs.com/package/axios) for making network calls to the Microsoft Graph API. Install these via npm:
-In the *index.js* file you've created earlier, add the following code:
-
-```JavaScript
- // Before running the sample, you will need to replace the values in the config,
- // including the clientSecret
- const config = {
- auth: {
- clientId: "Enter_the_Application_Id",
- authority: "Enter_the_Cloud_Instance_Id_Here/Enter_the_Tenant_Id_here",
- clientSecret: "Enter_the_Client_secret"
- },
-     system: {
-         loggerOptions: {
-             loggerCallback(loglevel, message, containsPii) {
-                 console.log(message);
-             },
-          piiLoggingEnabled: false,
-          logLevel: msal.LogLevel.Verbose,
-         }
-     }
- };
+```console
+ npm install --save express-session dotenv axios
```
+## Add app registration details
+
+1. Create an *.env* file in the root of your project folder. Then add the following code:
++ Fill in these details with the values you obtain from Azure app registration portal: -- `Enter_the_Tenant_Id_here` should be one of the following:
+- `Enter_the_Cloud_Instance_Id_Here`: The Azure cloud instance in which your application is registered.
+ - For the main (or *global*) Azure cloud, enter `https://login.microsoftonline.com/` (include the trailing forward-slash).
+ - For **national** clouds (for example, China), you can find appropriate values in [National clouds](authentication-national-cloud.md).
+- `Enter_the_Tenant_Info_here` should be one of the following:
- If your application supports *accounts in this organizational directory*, replace this value with the **Tenant ID** or **Tenant name**. For example, `contoso.microsoft.com`. - If your application supports *accounts in any organizational directory*, replace this value with `organizations`. - If your application supports *accounts in any organizational directory and personal Microsoft accounts*, replace this value with `common`. - To restrict support to *personal Microsoft accounts only*, replace this value with `consumers`. - `Enter_the_Application_Id_Here`: The **Application (client) ID** of the application you registered.-- `Enter_the_Cloud_Instance_Id_Here`: The Azure cloud instance in which your application is registered.
- - For the main (or *global*) Azure cloud, enter `https://login.microsoftonline.com`.
- - For **national** clouds (for example, China), you can find appropriate values in [National clouds](authentication-national-cloud.md).
- `Enter_the_Client_secret`: Replace this value with the client secret you created earlier. To generate a new key, use **Certificates & secrets** in the app registration settings in the Azure portal. > [!WARNING] > Any plaintext secret in source code poses an increased security risk. This article uses a plaintext client secret for simplicity only. Use [certificate credentials](active-directory-certificate-credentials.md) instead of client secrets in your confidential client applications, especially those apps you intend to deploy to production.
-## Add code for user login
-
-In the *index.js* file you've created earlier, add the following code:
-
-```JavaScript
- // Create msal application object
- const cca = new msal.ConfidentialClientApplication(config);
-
- app.get('/', (req, res) => {
- const authCodeUrlParameters = {
- scopes: ["user.read"],
- redirectUri: "http://localhost:3000/redirect",
- };
-
- // get url to sign user in and consent to scopes needed for application
- cca.getAuthCodeUrl(authCodeUrlParameters).then((response) => {
- res.redirect(response);
- }).catch((error) => console.log(JSON.stringify(error)));
- });
-
- app.get('/redirect', (req, res) => {
- const tokenRequest = {
- code: req.query.code,
- scopes: ["user.read"],
- redirectUri: "http://localhost:3000/redirect",
- };
-
- cca.acquireTokenByCode(tokenRequest).then((response) => {
- console.log("\nResponse: \n:", response);
- res.sendStatus(200);
- }).catch((error) => {
- console.log(error);
- res.status(500).send(error);
- });
- });
-```
+- `Enter_the_Graph_Endpoint_Here`: The Microsoft Graph API cloud instance that your app will call. For the main (global) Microsoft Graph API service, enter `https://graph.microsoft.com/` (include the trailing forward-slash).
+- `Enter_the_Express_Session_Secret_Here` the secret used to sign the Express session cookie. Choose a random string of characters to replace this string with, such as your client secret.
++
+2. Next, create a file named *authConfig.js* in the root of your project for reading in these parameters. Once created, add the following code there:
++
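Review bot: "Choose a random string of characters to replace this string with, such as your client secret" tells readers to reuse the client secret as the Express session-signing secret, which is a logic problem rather than a style nit. The two secrets protect different things (one authenticates the app to Azure AD, the other signs the session cookie) and must never be the same value: a log line or leak exposing either would compromise both, and the session secret is exercised on every request. Replace the suggestion with "generate a separate random value, for example with `openssl rand -hex 32`". While editing this list: the *.env* step says "add the following code" but no content follows in this diff; the registration settings above now say **Accounts in this organizational directory only**, so of the four `Enter_the_Tenant_Info_here` options only the tenant ID or name applies and the `organizations`/`common`/`consumers` bullets could be trimmed or marked not applicable; and the warning about plaintext secrets should gain one sentence that *.env* must be listed in *.gitignore*.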
+## Add code for user login and token acquisition
++
+2. Next, update the *index.js* route by replacing the existing code with the following:
++
+3. Finally, update the *users.js* route by replacing the existing code with the following:
-## Test sign in
+
+## Add code for calling the Microsoft Graph API
+
+Create a file named **fetch.js** in the root of your project and add the following code:
++
+## Add views for displaying data
+
+1. In the *views* folder, update the *index.hbs* file by replacing the existing code with the following:
++
+2. Still in the same folder, create another file named *id.hbs* for displaying the contents of user's ID token:
++
+3. Finally, create another file named *profile.hbs* for displaying the result of the call made to Microsoft Graph:
++
+## Register routers and add state management
+
+In the *app.js* file in the root of the project folder, register the routes you have created earlier and add session support for tracking authentication state using the **express-session** package. Replace the existing code there with the following:
++
+## Test sign in and call Microsoft Graph
You've completed creation of the application and are now ready to test the app's functionality. 1. Start the Node.js console app by running the following command from within the root of your project folder: ```console
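Review bot: "add session support for tracking authentication state using the **express-session** package" is where the tutorial should set expectations for the session cookie, because the code it refers to is not visible in this diff: express-session's default `MemoryStore` is documented as unsuitable for production, and the cookie options (`httpOnly`, `secure`, `sameSite`) decide whether the signed-in state can be read by page scripts or sent cross-site; one sentence pointing readers to a production store and to setting those options before deploying fits under "Register routers and add state management". Style: "Create a file named **fetch.js**" is bold while every other file name in the tutorial is italic (*authConfig.js*, *app.js*), and each "add the following code" step ends in "++" with no snippet in this diff, so confirm the includes render.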
- node index.js
+ npm start
```
-2. Open a browser window and navigate to `http://localhost:3000`. You should see a sign-in screen:
+2. Open a browser window and navigate to `http://localhost:3000`. You should see a welcome page:
++
+3. Select **Sign in** link. You should see the Azure AD sign-in screen:
:::image type="content" source="media/tutorial-v2-nodejs-webapp-msal/sign-in-screen.png" alt-text="Azure AD sign-in screen displaying":::
-3. Once you enter your credentials, you should see a consent screen asking you to approve the permissions for the app.
+4. Once you enter your credentials, you should see a consent screen asking you to approve the permissions for the app.
:::image type="content" source="media/tutorial-v2-nodejs-webapp-msal/consent-screen.png" alt-text="Azure AD consent screen displaying":::
+5. Once you consent, you should be redirected back to application home page.
++
+6. Select the **View ID Token** link for displaying the contents of the signed-in user's ID token.
++
+7. Go back to the home page, and select the **Acquire an access token and call the Microsoft Graph API** link. Once you do, you should see the response from Microsoft Graph /me endpoint for the signed-in user.
++
+8. Go back to the home page, and select the **Sign out** link. You should see the Azure AD sign-out screen.
++ ## How the application works
-In this tutorial, you initialized an MSAL Node [ConfidentialClientApplication](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-node/docs/initialize-confidential-client-application.md) object by passing it a configuration object (*msalConfig*) that contains parameters obtained from your Azure AD app registration on Azure portal. The web app you created uses the [OAuth 2.0 Authorization code grant flow](./v2-oauth2-auth-code-flow.md) to sign-in users and obtain ID and access tokens.
+In this tutorial, you instantiated an MSAL Node [ConfidentialClientApplication](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-node/docs/initialize-confidential-client-application.md) object by passing it a configuration object (*msalConfig*) that contains parameters obtained from your Azure AD app registration on Azure portal. The web app you created uses the [OpenID Connect protocol](./v2-protocols-oidc.md) to sign-in users and the [OAuth 2.0 Authorization code grant flow](./v2-oauth2-auth-code-flow.md) obtain access tokens.
## Next steps
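Review bot: the rewritten closing sentence of "How the application works" drops a word: "the [OAuth 2.0 Authorization code grant flow](./v2-oauth2-auth-code-flow.md) obtain access tokens" should read "... flow to obtain access tokens". In the same sentence "to sign-in users" is the verb form and should be "to sign in users". The renumbering of the consent step from 3 to 4 is consistent with steps 5 through 8 added below it.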
active-directory Howto Vm Sign In Azure Ad Windows https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/howto-vm-sign-in-azure-ad-windows.md
The AADLoginForWindows extension must install successfully in order for the VM t
1. Ensure the required endpoints are accessible from the VM using PowerShell:
- - `curl https://login.microsoftonline.com/ -D -`
- - `curl https://login.microsoftonline.com/<TenantID>/ -D -`
- - `curl https://enterpriseregistration.windows.net/ -D -`
- - `curl https://device.login.microsoftonline.com/ -D -`
- - `curl https://pas.windows.net/ -D -`
+ - `curl.exe https://login.microsoftonline.com/ -D -`
+ - `curl.exe https://login.microsoftonline.com/<TenantID>/ -D -`
+ - `curl.exe https://enterpriseregistration.windows.net/ -D -`
+ - `curl.exe https://device.login.microsoftonline.com/ -D -`
+ - `curl.exe https://pas.windows.net/ -D -`
> [!NOTE]
- > Replace `<TenantID>` with the Azure AD Tenant ID that is associated with the Azure subscription.<br/> `enterpriseregistration.windows.net` and `pas.windows.net` should return 404 Not Found, which is expected behavior.
+ > Replace `<TenantID>` with the Azure AD Tenant ID that is associated with the Azure subscription.<br/> `login.microsoftonline.com/<TenantID>`, `enterpriseregistration.windows.net`, and `pas.windows.net` should return 404 Not Found, which is expected behavior.
1. The Device State can be viewed by running `dsregcmd /status`. The goal is for Device State to show as `AzureAdJoined : YES`.
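Review bot: the switch from `curl` to `curl.exe` deserves one sentence of explanation in the text, because in Windows PowerShell `curl` is an alias for `Invoke-WebRequest`, whose parameters differ from curl's, so `-D -` fails with a parameter error; readers who copied the old form will have seen exactly that. The NOTE now states the expected 404 for three of the five endpoints; consider also stating what `login.microsoftonline.com/` and `device.login.microsoftonline.com/` should return so the connectivity check is unambiguous for every endpoint in the list.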
active-directory Hybrid Azuread Join Control https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/hybrid-azuread-join-control.md
Use the following example to create a Group Policy Object (GPO) to deploy a regi
### Configure AD FS settings
-If you're using AD FS, you first need to configure client-side SCP using the instructions mentioned earlier by linking the GPO to your AD FS servers. The SCP object defines the source of authority for device objects. It can be on-premises or Azure AD. When client-side SCP is configured for AD FS, the source for device objects is established as Azure AD.
+If your Azure AD is federated with AD FS, you first need to configure client-side SCP using the instructions mentioned earlier by linking the GPO to your AD FS servers. The SCP object defines the source of authority for device objects. It can be on-premises or Azure AD. When client-side SCP is configured for AD FS, the source for device objects is established as Azure AD.
> [!NOTE]
-> If you failed to configure client-side SCP on your AD FS servers, the source for device identities would be considered as on-premises. ADFS will then start deleting device objects from on-premises directory after the stipulated period defined in the ADFS Device Registration's attribute "MaximumInactiveDays". ADFS Device Registration objects can be found using the [Get-AdfsDeviceRegistration cmdlet](/powershell/module/adfs/get-adfsdeviceregistration).
+> If you failed to configure client-side SCP on your AD FS servers, the source for device identities would be considered as on-premises. AD FS will then start deleting device objects from on-premises directory after the stipulated period defined in the AD FS Device Registration's attribute "MaximumInactiveDays". AD FS Device Registration objects can be found using the [Get-AdfsDeviceRegistration cmdlet](/powershell/module/adfs/get-adfsdeviceregistration).
## Supporting down-level devices
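Review bot: the NOTE mixes past and conditional tense ("If you failed to configure ... would be considered"), which reads as if describing a one-time event rather than a standing misconfiguration; suggest "If you don't configure client-side SCP on your AD FS servers, the source for device identities is considered on-premises, and AD FS will then start deleting device objects from the on-premises directory after ...". Also "from on-premises directory" is missing "the". Since the consequence is deletion of device objects, it is worth keeping the cmdlet reference so admins can check `MaximumInactiveDays` before linking the GPO.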
active-directory Licensing Groups Assign https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/licensing-groups-assign.md
Previously updated : 12/02/2020 Last updated : 05/26/2022
In this example, the Azure AD organization contains a security group called **HR
> [!NOTE] > Some Microsoft services are not available in all locations. Before a license can be assigned to a user, the administrator has to specify the Usage location property on the user. >
-> For group license assignment, any users without a usage location specified inherit the location of the directory. If you have users in multiple locations, we recommend that you always set usage location as part of your user creation flow in Azure AD (e.g. via AAD Connect configuration) - that ensures the result of license assignment is always correct and users do not receive services in locations that are not allowed.
+> For group license assignment, any users without a usage location specified inherit the location of the directory. If you have users in multiple locations, we recommend that you always set usage location as part of your user creation flow in Azure AD. For example, configure Azure AD Connect configuration to set usage location. This recommendation makes sure the result of license assignment is always correct and users do not receive services in locations that are not allowed.
## Step 1: Assign the required licenses
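Review bot: "configure Azure AD Connect configuration to set usage location" is redundant; suggest "For example, configure Azure AD Connect to set the usage location." The following sentence is also clearer as "Doing so ensures that the result of license assignment is always correct and that users don't receive services in locations that aren't allowed."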
In this example, the Azure AD organization contains a security group called **HR
1. Select a user or group, and then use the **Select** button at the bottom of the page to confirm your selection.
+ >[!NOTE]
+ >When assigning licenses to a group with service plans that have dependencies on other service plans, they must both be assigned together in the same group, otherwise the service plan with the dependency will be disabled.
+ 1. On the **Assign license** page, click **Assignment options**, which displays all service plans included in the two products that we selected previously. Find **Yammer Enterprise** and turn it **Off** to disable that service from the product license. Confirm by clicking **OK** at the bottom of **License options**. ![select service plans for licenses](./media/licensing-groups-assign/assignment-options.png)
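Review bot: in the new NOTE, "they must both be assigned together" has no clear antecedent; suggest "the dependent service plan and the plan it depends on must be assigned in the same group; otherwise the dependent plan is disabled." The marker `>[!NOTE]` also lacks the space after `>` that the file's other NOTE block uses (`> [!NOTE]`), so keep them consistent.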
active-directory Whats New Docs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/whats-new-docs.md
Title: "What's new in Azure Active Directory External Identities" description: "New and updated documentation for the Azure Active Directory External Identities." Previously updated : 05/02/2022 Last updated : 06/01/2022
Welcome to what's new in Azure Active Directory External Identities documentation. This article lists new docs that have been added and those that have had significant updates in the last three months. To learn what's new with the External Identities service, see [What's new in Azure Active Directory](../fundamentals/whats-new.md). +
+## May 2022
+
+### New articles
+
+- [Configure Microsoft cloud settings for B2B collaboration (Preview)](cross-cloud-settings.md)
+
+### Updated articles
+
+- [Configure Microsoft cloud settings for B2B collaboration (Preview)](cross-cloud-settings.md)
+- [Overview: Cross-tenant access with Azure AD External Identities (Preview)](cross-tenant-access-overview.md)
+- [Example: Configure SAML/WS-Fed based identity provider federation with AD FS](direct-federation-adfs.md)
+- [Federation with SAML/WS-Fed identity providers for guest users](direct-federation.md)
+- [External Identities documentation](index.yml)
+- [Quickstart: Add a guest user and send an invitation](b2b-quickstart-add-guest-users-portal.md)
+- [B2B collaboration overview](what-is-b2b.md)
+- [Leave an organization as a B2B collaboration user](leave-the-organization.md)
+- [Configure external collaboration settings](external-collaboration-settings-configure.md)
+- [B2B direct connect overview (Preview)](b2b-direct-connect-overview.md)
+- [Azure Active Directory External Identities: What's new](whats-new-docs.md)
+- [Configure cross-tenant access settings for B2B collaboration (Preview)](cross-tenant-access-settings-b2b-collaboration.md)
+- [Configure cross-tenant access settings for B2B direct connect (Preview)](cross-tenant-access-settings-b2b-direct-connect.md)
+- [Azure AD B2B in government and national clouds](b2b-government-national-clouds.md)
+- [External Identities in Azure Active Directory](external-identities-overview.md)
+- [Troubleshooting Azure Active Directory B2B collaboration](troubleshoot.md)
+ ## April 2022 ### Updated articles
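Review bot: [Configure Microsoft cloud settings for B2B collaboration (Preview)](cross-cloud-settings.md) appears under both "New articles" and "Updated articles" for May 2022; an article added this month should be listed once, under "New articles". Also check whether this page listing itself ([Azure Active Directory External Identities: What's new](whats-new-docs.md)) is meant to appear in its own updated-articles list.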
Welcome to what's new in Azure Active Directory External Identities documentatio
- [Leave an organization as a B2B collaboration user](leave-the-organization.md) - [Configure external collaboration settings](external-collaboration-settings-configure.md) - [Reset redemption status for a guest user (Preview)](reset-redemption-status.md)-
-## February 2022
-
-### Updated articles
--- [Add Google as an identity provider for B2B guest users](google-federation.md)-- [External Identities in Azure Active Directory](external-identities-overview.md)-- [Overview: Cross-tenant access with Azure AD External Identities (Preview)](cross-tenant-access-overview.md)-- [B2B collaboration overview](what-is-b2b.md)-- [Federation with SAML/WS-Fed identity providers for guest users (preview)](direct-federation.md)-- [Quickstart: Add a guest user with PowerShell](b2b-quickstart-invite-powershell.md)-- [Tutorial: Bulk invite Azure AD B2B collaboration users](tutorial-bulk-invite.md)-- [Azure Active Directory B2B best practices](b2b-fundamentals.md)-- [Azure Active Directory B2B collaboration FAQs](faq.yml)-- [Email one-time passcode authentication](one-time-passcode.md)-- [Azure Active Directory B2B collaboration invitation redemption](redemption-experience.md)-- [Troubleshooting Azure Active Directory B2B collaboration](troubleshoot.md)-- [Properties of an Azure Active Directory B2B collaboration user](user-properties.md)-- [Authentication and Conditional Access for External Identities](authentication-conditional-access.md)
active-directory Whats New Archive https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/whats-new-archive.md
The What's new in Azure Active Directory? release notes provide information abou
+## November 2021
+
+### Tenant enablement of combined security information registration for Azure Active Directory
+
+**Type:** Plan for change
+**Service category:** MFA
+**Product capability:** Identity Security & Protection
+
+We previously announced in April 2020, a new combined registration experience enabling users to register authentication methods for SSPR and multi-factor authentication at the same time was generally available for existing customer to opt in. Any Azure AD tenants created after August 2020 automatically have the default experience set to combined registration. Starting 2022, Microsoft will be enabling the MF).
+
++
+### Windows users will see prompts more often when switching user accounts
+
+**Type:** Fixed
+**Service category:** Authentications (Logins)
+**Product capability:** User Authentication
+
+A problematic interaction between Windows and a local Active Directory Federation Services (ADFS) instance can result in users attempting to sign into another account, but be silently signed into their existing account instead, with no warning. For federated IdPs such as ADFS, that support the [prompt=login](/windows-server/identity/ad-fs/operations/ad-fs-prompt-login) pattern, Azure AD will now trigger a fresh login at ADFS when a user is directed to ADFS with a login hint. This ensures that the user is signed into the account they requested, rather than being silently signed into the account they're already signed in with.
+
+For more information, see the [change notice](../develop/reference-breaking-changes.md).
+
++
+### Public preview - Conditional Access Overview Dashboard
+
+**Type:** New feature
+**Service category:** Conditional Access
+**Product capability:** Monitoring & Reporting
+
+The new Conditional Access overview dashboard enables all tenants to see insights about the impact of their Conditional Access policies without requiring an Azure Monitor subscription. This built-in dashboard provides tutorials to deploy policies, a summary of the policies in your tenant, a snapshot of your policy coverage, and security recommendations. [Learn more](../conditional-access/overview.md).
+
++
+### Public preview - SSPR writeback is now available for disconnected forests using Azure AD Connect cloud sync
+
+**Type:** New feature
+**Service category:** Azure AD Connect Cloud Sync
+**Product capability:** Identity Lifecycle Management
+
+The Public Preview feature for Azure AD Connect Cloud Sync Password writeback provides customers the capability to writeback a userΓÇÖs password changes in the cloud to the on-premises directory in real time using the lightweight Azure AD cloud provisioning agent.[Learn more](../authentication/tutorial-enable-cloud-sync-sspr-writeback.md).
+++
+### Public preview - Conditional Access for workload identities
+
+**Type:** New feature
+**Service category:** Conditional Access for workload identities
+**Product capability:** Identity Security & Protection
+
+Previously, Conditional Access policies applied only to users when they access apps and services like SharePoint online or the Azure portal. This preview adds support for Conditional Access policies applied to service principals owned by the organization. You can block service principals from accessing resources from outside trusted-named locations or Azure Virtual Networks. [Learn more](../conditional-access/workload-identity.md).
+++
+### Public preview - Extra attributes available as claims
+
+**Type:** Changed feature
+**Service category:** Enterprise Apps
+**Product capability:** SSO
+
+Several user attributes have been added to the list of attributes available to map to claims to bring attributes available in claims more in line with what is available on the user object in Microsoft Graph. New attributes include mobilePhone and ProxyAddresses. [Learn more](../develop/reference-claims-mapping-policy-type.md#table-3-valid-id-values-per-source).
+
++
+### Public preview - "Session Lifetime Policies Applied" property in the sign-in logs
+
+**Type:** New feature
+**Service category:** Authentications (Logins)
+**Product capability:** Identity Security & Protection
+
+We have recently added other property to the sign-in logs called "Session Lifetime Policies Applied". This property will list all the session lifetime policies that applied to the sign-in for example, Sign-in frequency, Remember multi-factor authentication and Configurable token lifetime. [Learn more](../reports-monitoring/concept-sign-ins.md#authentication-details).
+
++
+### Public preview - Enriched reviews on access packages in entitlement management
+
+**Type:** New feature
+**Service category:** User Access Management
+**Product capability:** Entitlement Management
+
+Entitlement ManagementΓÇÖs enriched review experience allows even more flexibility on access packages reviews. Admins can now choose what happens to access if the reviewers don't respond, provide helper information to reviewers, or decide whether a justification is necessary. [Learn more](../governance/entitlement-management-access-reviews-create.md).
+
++
+### General availability - randomString and redact provisioning functions
+
+**Type:** New feature
+**Service category:** Provisioning
+**Product capability:** Outbound to SaaS Applications
+
+
+The Azure AD Provisioning service now supports two new functions, randomString() and Redact():
+- randomString - generate a string based on the length and characters you would like to include or exclude in your string.
+- redact - remove the value of the attribute from the audit and provisioning logs. [Learn more](../app-provisioning/functions-for-customizing-application-data.md#randomstring).
+++
+### General availability - Now access review creators can select users and groups to receive notification on completion of reviews
+
+**Type:** New feature
+**Service category:** Access Reviews
+**Product capability:** Identity Governance
+
+Now access review creators can select users and groups to receive notification on completion of reviews. [Learn more](../governance/create-access-review.md).
+
+
+
+### General availability - Azure AD users can now view and report suspicious sign-ins and manage their accounts within Microsoft Authenticator
+
+**Type:** New feature
+**Service category:** Microsoft Authenticator App
+**Product capability:** Identity Security & Protection
+
+This feature allows Azure AD users to manage their work or school accounts within the Microsoft Authenticator app. The management features will allow users to view sign-in history and sign-in activity. Users can also report any suspicious or unfamiliar activity, change their Azure AD account passwords, and update the account's security information.
+
+For more information on how to use this feature visit [View and search your recent sign-in activity from the My Sign-ins page](../user-help/my-account-portal-sign-ins-page.md).
+++
+### General availability - New Microsoft Authenticator app icon
+
+**Type:** New feature
+**Service category:** Microsoft Authenticator App
+**Product capability:** Identity Security & Protection
+
+New updates have been made to the Microsoft Authenticator app icon. To learn more about these updates, see the [Microsoft Authenticator app](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/microsoft-authenticator-app-easier-ways-to-add-or-manage/ba-p/2464408) blog post.
+++
+### General availability - Azure AD single Sign-on and device-based Conditional Access support in Firefox on Windows 10/11
+
+**Type:** New feature
+**Service category:** Authentications (Logins)
+**Product capability:** SSO
+
+We now support native single sign-on (SSO) support and device-based Conditional Access to Firefox browser on Windows 10 and Windows Server 2019 starting in Firefox version 91. [Learn more](../conditional-access/require-managed-devices.md#prerequisites).
+
++
+### New provisioning connectors in the Azure AD Application Gallery - November 2021
+
+**Type:** New feature
+**Service category:** App Provisioning
+**Product capability:** 3rd Party Integration
+
+You can now automate creating, updating, and deleting user accounts for these newly integrated apps:
+
+- [Appaegis Isolation Access Cloud](../saas-apps/appaegis-isolation-access-cloud-provisioning-tutorial.md)
+- [BenQ IAM](../saas-apps/benq-iam-provisioning-tutorial.md)
+- [BIC Cloud Design](../saas-apps/bic-cloud-design-provisioning-tutorial.md)
+- [Chaos](../saas-apps/chaos-provisioning-tutorial.md)
+- [directprint.io](../saas-apps/directprint-io-provisioning-tutorial.md)
+- [Documo](../saas-apps/documo-provisioning-tutorial.md)
+- [Facebook Work Accounts](../saas-apps/facebook-work-accounts-provisioning-tutorial.md)
+- [introDus Pre and Onboarding Platform](../saas-apps/introdus-pre-and-onboarding-platform-provisioning-tutorial.md)
+- [Kisi Physical Security](../saas-apps/kisi-physical-security-provisioning-tutorial.md)
+- [Klaxoon](../saas-apps/klaxoon-provisioning-tutorial.md)
+- [Klaxoon SAML](../saas-apps/klaxoon-saml-provisioning-tutorial.md)
+- [MX3 Diagnostics](../saas-apps/mx3-diagnostics-connector-provisioning-tutorial.md)
+- [Netpresenter](../saas-apps/netpresenter-provisioning-tutorial.md)
+- [Peripass](../saas-apps/peripass-provisioning-tutorial.md)
+- [Real Links](../saas-apps/real-links-provisioning-tutorial.md)
+- [Sentry](../saas-apps/sentry-provisioning-tutorial.md)
+- [Teamgo](../saas-apps/teamgo-provisioning-tutorial.md)
+- [Zero](../saas-apps/zero-provisioning-tutorial.md)
+
+For more information about how to better secure your organization by using automated user account provisioning, see [Automate user provisioning to SaaS applications with Azure AD](../manage-apps/user-provisioning.md).
+
++
+### New Federated Apps available in Azure AD Application gallery - November 2021
+
+**Type:** New feature
+**Service category:** Enterprise Apps
+**Product capability:** 3rd Party Integration
+
+In November 2021, we have added following 32 new applications in our App gallery with Federation support:
+
+[Tide - Connector](https://gallery.ctinsuretech-tide.com/), [Virtual Risk Manager - USA](../saas-apps/virtual-risk-manager-usa-tutorial.md), [Xorlia Policy Management](https://app.xoralia.com/), [WorkPatterns](https://app.workpatterns.com/oauth2/login?data_source_type=office_365_account_calendar_workspace_sync&utm_source=azure_sso), [GHAE](../saas-apps/ghae-tutorial.md), [Nodetrax Project](../saas-apps/nodetrax-project-tutorial.md), [Touchstone Benchmarking](https://app.touchstonebenchmarking.com/), [SURFsecureID - Azure MFA](../saas-apps/surfsecureid-azure-mfa-tutorial.md), [AiDEA](https://truebluecorp.com/en/prodotti/aidea-en/),[R and D Tax Credit
+
+You can also find the documentation of all the applications [here](../saas-apps/tutorial-list.md).
+
+For listing your application in the Azure AD app gallery, read the details [here](../manage-apps/v2-howto-app-gallery-listing.md).
+++
+### Updated "switch organizations" user experience in My Account.
+
+**Type:** Changed feature
+**Service category:** My Profile/Account
+**Product capability:** End User Experiences
+
+Updated "switch organizations" user interface in My Account. This visually improves the UI and provides the end-user with clear instructions. Added a manage organizations link to blade per customer feedback. [Learn more](https://support.microsoft.com/account-billing/switch-organizations-in-your-work-or-school-account-portals-c54c32c9-2f62-4fad-8c23-2825ed49d146).
+
++ ## October 2021 ### Limits on the number of configured API permissions for an application registration will be enforced starting in October 2021
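Review bot: the combined security information registration entry carries over a truncated sentence, "Starting 2022, Microsoft will be enabling the MF).", which is equally truncated in the block being removed from whats-new.md in this same commit, so the move preserves broken text; restore the full sentence before archiving. Smaller points in the same hunk: "agent.[Learn more]" in the SSPR writeback entry needs a space before the link, and "We have recently added other property" in the session lifetime entry should read "another property".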
active-directory Whats New https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/whats-new.md
Azure AD receives improvements on an ongoing basis. To stay up to date with the
This page is updated monthly, so revisit it regularly. If you're looking for items older than six months, you can find them in [Archive for What's new in Azure Active Directory](whats-new-archive.md).
+## May 2022
+
+### General Availability: Tenant-based service outage notifications
+
+**Type:** Plan for change
+**Service category:** Other
+**Product capability:** Platform
+
+
+Azure Service Health will soon support service outage notifications to Tenant Admins for Azure Active Directory issues in the near future. These outages will also appear on the Azure AD admin portal overview page with appropriate links to Azure Service Health. Outage events will be able to be seen by built-in Tenant Administrator Roles. We will continue to send outage notifications to subscriptions within a tenant for a period of transition. More information will be available when this capability is released. The expected release is for June 2022.
+
++++
+### New Federated Apps available in Azure AD Application gallery - May 2022
+
+**Type:** New feature
+**Service category:** Enterprise Apps
+**Product capability:** 3rd Party Integration
+
++
+In May 2022 we've added the following 25 new applications in our App gallery with Federation support:
+
+[UserZoom](../saas-apps/userzoom-tutorial.md), [AMX Mobile](https://www.amxsolutions.co.uk/), [i-Sight](../saas-apps/isight-tutorial.md), [Method InSight](https://digital.methodrecycling.com/), [Chronus SAML](../saas-apps/chronus-saml-tutorial.md), [Attendant Console for Microsoft Teams](https://attendant.anywhere365.io/), [Skopenow](../saas-apps/skopenow-tutorial.md), [Fidelity PlanViewer](../saas-apps/fidelity-planviewer-tutorial.md), [Lyve Cloud](../saas-apps/lyve-cloud-tutorial.md), [Framer](../saas-apps/framer-tutorial.md), [Authomize](../saas-apps/authomize-tutorial.md), [gamba!](../saas-apps/gamba-tutorial.md), [Datto File Protection Single Sign On](../saas-apps/datto-file-protection-tutorial.md), [LONEALERT](https://portal.lonealert.co.uk/auth/azure/saml/signin), [Payfactors](https://pf.payfactors.com/client/auth/login), [deBroome Brand Portal](../saas-apps/debroome-brand-portal-tutorial.md), [TeamSlide](../saas-apps/teamslide-tutorial.md), [Sensera Systems](https://sitecloud.senserasystems.com/), [YEAP](https://prismaonline.propay.be/logon/login.aspx), [Monaca Education](https://monaca.education/j), [OpenForms](https://login.openforms.com/Login).
+
+You can also find the documentation of all the applications from here https://aka.ms/AppsTutorial,
+
+For listing your application in the Azure AD app gallery, please read the details here https://aka.ms/AzureADAppRequest
+++
+
++
+
+
+### General Availability ΓÇô My Apps users can make apps from URLs (add sites)
+
+**Type:** New feature
+**Service category:** My Apps
+**Product capability:** End User Experiences
+
+
+When editing a collection using the My Apps portal, users can now add their own sites, in addition to adding apps that have been assigned to them by an admin. To add a site, users must provide a name and URL. For more information on how to use this feature, see: [Customize app collections in the My Apps portal](https://support.microsoft.com/account-billing/customize-app-collections-in-the-my-apps-portal-2dae6b8a-d8b0-4a16-9a5d-71ed4d6a6c1d).
+
++
+
+
+### Public preview - New provisioning connectors in the Azure AD Application Gallery - May 2022
+
+**Type:** New feature
+**Service category:** App Provisioning
+**Product capability:** 3rd Party Integration
+
+
+You can now automate creating, updating, and deleting user accounts for these newly integrated apps:
+
+- [Alinto Protect](../saas-apps/alinto-protect-provisioning-tutorial.md)
+- [Blinq](../saas-apps/blinq-provisioning-tutorial.md)
+- [Cerby](../saas-apps/cerby-provisioning-tutorial.md)
+
+For more information about how to better secure your organization by using automated user account provisioning, see: [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md).
+
++
+
+
+### Public Preview: Confirm safe and compromised in signIns API beta
+
+**Type:** New feature
+**Service category:** Identity Protection
+**Product capability:** Identity Security & Protection
+
+
+The signIns Microsoft Graph API now supports confirming safe and compromised on risky sign-ins. This public preview functionality is available at the beta endpoint. For more information, please check out the Microsoft Graph documentation: [signIn: confirmSafe - Microsoft Graph beta | Microsoft Docs](/graph/api/signin-confirmsafe?view=graph-rest-beta&preserve-view=true)
+
++
+
+
+### Public Preview of Microsoft cloud settings for Azure AD B2B
+
+**Type:** New feature
+**Service category:** B2B
+**Product capability:** B2B/B2C
+**Clouds impacted:** China;Public (M365,GCC);US Gov (GCC-H, DoD)
+
+
+Microsoft cloud settings let you collaborate with organizations from different Microsoft Azure clouds. With Microsoft cloud settings, you can establish mutual B2B collaboration between the following clouds:
+
+-Microsoft Azure global cloud and Microsoft Azure Government
+-Microsoft Azure global cloud and Microsoft Azure China 21Vianet
+
+To learn more about Microsoft cloud settings for B2B collaboration, see: [Cross-tenant access overview - Azure AD | Microsoft Docs](../external-identities/cross-tenant-access-overview.md#microsoft-cloud-settings).
+
++
+
+
+### General Availability of SAML and WS-Fed federation in External Identities
+
+**Type:** Changed feature
+**Service category:** B2B
+**Product capability:** B2B/B2C
+**Clouds impacted:** Public (M365,GCC);US Gov (GCC-H, DoD)
+
+
+When setting up federation with a partner's IdP, new guest users from that domain can use their own IdP-managed organizational account to sign in to your Azure AD tenant and start collaborating with you. There's no need for the guest user to create a separate Azure AD account. To learn more about federating with SAML or WS-Fed identity providers in External Identities, see: [Federation with a SAML/WS-Fed identity provider (IdP) for B2B - Azure AD | Microsoft Docs](../external-identities/direct-federation.md).
+
++
+
+
+### Public Preview - Create Group in Administrative Unit
+
+**Type:** Changed feature
+**Service category:** Directory Management
+**Product capability:** Access Control
+**Clouds impacted:** China;Public (M365,GCC);US Gov (GCC-H, DoD)
+
+
+Groups Administrators assigned over the scope of an administrative unit can now create groups within the administrative unit. This enables scoped group administrators to create groups that they can manage directly, without needing to elevate to Global Administrator or Privileged Role Administrator. For more information, see: [Administrative units in Azure Active Directory](../roles/administrative-units.md).
+
++
+
+
+### Public Preview - Dynamic administrative unit support for onPremisesDistinguishedName property
+
+**Type:** Changed feature
+**Service category:** Directory Management
+**Product capability:** AuthZ/Access Delegation
+**Clouds impacted:** Public (M365,GCC)
+
+
+The public preview of dynamic administrative units now supports the **onPremisesDistinguishedName** property for users. This makes it possible to create dynamic rules which incorporate the organizational unit of the user from on-premises AD. For more information, see: [Manage users or devices for an administrative unit with dynamic membership rules (Preview)](../roles/admin-units-members-dynamic.md).
+
++
+
+
+### General Availability - Improvements to Azure AD Smart Lockout
+
+**Type:** Changed feature
+**Service category:** Other
+**Product capability:** User Management
+**Clouds impacted:** China;Public (M365,GCC);US Gov (GCC-H, DoD);US Nat;US Sec
+
+
+Smart Lockout now synchronizes the lockout state across Azure AD data centers, so the total number of failed sign-in attempts allowed before an account is locked out will match the configured lockout threshold. For more information, see: [Protect user accounts from attacks with Azure Active Directory smart lockout](../authentication/howto-password-smart-lockout.md).
+
++
+
++ ## April 2022 ### General Availability - Microsoft Defender for Endpoint Signal in Identity Protection
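Review bot: the federated apps entry says "the following 25 new applications" but the list that follows names 21; either the count or the list is wrong. In the Microsoft cloud settings entry the two lines starting "-Microsoft Azure global cloud" lack a space after the hyphen and will not render as list items. The outage notifications entry says "will soon support ... in the near future", which is redundant (drop one), and "from here https://aka.ms/AppsTutorial," ends with a comma where the archive entries use a sentence with a markdown link; follow that form for consistency.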
We highly recommend enabling this new protection when using Azure AD Multi-Facto
**Service category:** Enterprise Apps **Product capability:** Third Party Integration
-In April 2022 we added the following 24 new applications in our App gallery with Federation support
+In April 2022 we added the following 24 new applications in our App gallery with Federation support:
[X-1FBO](https://www.x1fbo.com/), [select Armor](https://app.clickarmor.c) You can also find the documentation of all the applications from here https://aka.ms/AppsTutorial.
WeΓÇÖre no longer publishing sign-in logs with the following error codes because
-## November 2021
-
-### Tenant enablement of combined security information registration for Azure Active Directory
-
-**Type:** Plan for change
-**Service category:** MFA
-**Product capability:** Identity Security & Protection
-
-We previously announced in April 2020, a new combined registration experience enabling users to register authentication methods for SSPR and multi-factor authentication at the same time was generally available for existing customer to opt in. Any Azure AD tenants created after August 2020 automatically have the default experience set to combined registration. Starting 2022, Microsoft will be enabling the MF).
-
--
-### Windows users will see prompts more often when switching user accounts
-
-**Type:** Fixed
-**Service category:** Authentications (Logins)
-**Product capability:** User Authentication
-
-A problematic interaction between Windows and a local Active Directory Federation Services (ADFS) instance can result in users attempting to sign into another account, but be silently signed into their existing account instead, with no warning. For federated IdPs such as ADFS, that support the [prompt=login](/windows-server/identity/ad-fs/operations/ad-fs-prompt-login) pattern, Azure AD will now trigger a fresh login at ADFS when a user is directed to ADFS with a login hint. This ensures that the user is signed into the account they requested, rather than being silently signed into the account they're already signed in with.
-
-For more information, see the [change notice](../develop/reference-breaking-changes.md).
-
--
-### Public preview - Conditional Access Overview Dashboard
-
-**Type:** New feature
-**Service category:** Conditional Access
-**Product capability:** Monitoring & Reporting
-
-The new Conditional Access overview dashboard enables all tenants to see insights about the impact of their Conditional Access policies without requiring an Azure Monitor subscription. This built-in dashboard provides tutorials to deploy policies, a summary of the policies in your tenant, a snapshot of your policy coverage, and security recommendations. [Learn more](../conditional-access/overview.md).
-
--
-### Public preview - SSPR writeback is now available for disconnected forests using Azure AD Connect cloud sync
-
-**Type:** New feature
-**Service category:** Azure AD Connect Cloud Sync
-**Product capability:** Identity Lifecycle Management
-
-The Public Preview feature for Azure AD Connect Cloud Sync Password writeback provides customers the capability to writeback a userΓÇÖs password changes in the cloud to the on-premises directory in real time using the lightweight Azure AD cloud provisioning agent.[Learn more](../authentication/tutorial-enable-cloud-sync-sspr-writeback.md).
---
-### Public preview - Conditional Access for workload identities
-
-**Type:** New feature
-**Service category:** Conditional Access for workload identities
-**Product capability:** Identity Security & Protection
-
-Previously, Conditional Access policies applied only to users when they access apps and services like SharePoint online or the Azure portal. This preview adds support for Conditional Access policies applied to service principals owned by the organization. You can block service principals from accessing resources from outside trusted-named locations or Azure Virtual Networks. [Learn more](../conditional-access/workload-identity.md).
---
-### Public preview - Extra attributes available as claims
-
-**Type:** Changed feature
-**Service category:** Enterprise Apps
-**Product capability:** SSO
-
-Several user attributes have been added to the list of attributes available to map to claims to bring attributes available in claims more in line with what is available on the user object in Microsoft Graph. New attributes include mobilePhone and ProxyAddresses. [Learn more](../develop/reference-claims-mapping-policy-type.md#table-3-valid-id-values-per-source).
-
--
-### Public preview - "Session Lifetime Policies Applied" property in the sign-in logs
-
-**Type:** New feature
-**Service category:** Authentications (Logins)
-**Product capability:** Identity Security & Protection
-
-We have recently added other property to the sign-in logs called "Session Lifetime Policies Applied". This property will list all the session lifetime policies that applied to the sign-in for example, Sign-in frequency, Remember multi-factor authentication and Configurable token lifetime. [Learn more](../reports-monitoring/concept-sign-ins.md#authentication-details).
-
--
-### Public preview - Enriched reviews on access packages in entitlement management
-**Type:** New feature
-**Service category:** User Access Management
-**Product capability:** Entitlement Management
-
-Entitlement ManagementΓÇÖs enriched review experience allows even more flexibility on access packages reviews. Admins can now choose what happens to access if the reviewers don't respond, provide helper information to reviewers, or decide whether a justification is necessary. [Learn more](../governance/entitlement-management-access-reviews-create.md).
-
--
-### General availability - randomString and redact provisioning functions
-
-**Type:** New feature
-**Service category:** Provisioning
-**Product capability:** Outbound to SaaS Applications
-
-
-The Azure AD Provisioning service now supports two new functions, randomString() and Redact():
-- randomString - generate a string based on the length and characters you would like to include or exclude in your string.-- redact - remove the value of the attribute from the audit and provisioning logs. [Learn more](../app-provisioning/functions-for-customizing-application-data.md#randomstring).---
-### General availability - Now access review creators can select users and groups to receive notification on completion of reviews
-
-**Type:** New feature
-**Service category:** Access Reviews
-**Product capability:** Identity Governance
-
-Now access review creators can select users and groups to receive notification on completion of reviews. [Learn more](../governance/create-access-review.md).
-
-
-
-### General availability - Azure AD users can now view and report suspicious sign-ins and manage their accounts within Microsoft Authenticator
-
-**Type:** New feature
-**Service category:** Microsoft Authenticator App
-**Product capability:** Identity Security & Protection
-
-This feature allows Azure AD users to manage their work or school accounts within the Microsoft Authenticator app. The management features will allow users to view sign-in history and sign-in activity. Users can also report any suspicious or unfamiliar activity, change their Azure AD account passwords, and update the account's security information.
-
-For more information on how to use this feature visit [View and search your recent sign-in activity from the My Sign-ins page](../user-help/my-account-portal-sign-ins-page.md).
---
-### General availability - New Microsoft Authenticator app icon
-
-**Type:** New feature
-**Service category:** Microsoft Authenticator App
-**Product capability:** Identity Security & Protection
-
-New updates have been made to the Microsoft Authenticator app icon. To learn more about these updates, see the [Microsoft Authenticator app](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/microsoft-authenticator-app-easier-ways-to-add-or-manage/ba-p/2464408) blog post.
---
-### General availability - Azure AD single Sign-on and device-based Conditional Access support in Firefox on Windows 10/11
-
-**Type:** New feature
-**Service category:** Authentications (Logins)
-**Product capability:** SSO
-
-We now support native single sign-on (SSO) support and device-based Conditional Access to Firefox browser on Windows 10 and Windows Server 2019 starting in Firefox version 91. [Learn more](../conditional-access/require-managed-devices.md#prerequisites).
-
--
-### New provisioning connectors in the Azure AD Application Gallery - November 2021
-
-**Type:** New feature
-**Service category:** App Provisioning
-**Product capability:** 3rd Party Integration
-
-You can now automate creating, updating, and deleting user accounts for these newly integrated apps:
--- [Appaegis Isolation Access Cloud](../saas-apps/appaegis-isolation-access-cloud-provisioning-tutorial.md)-- [BenQ IAM](../saas-apps/benq-iam-provisioning-tutorial.md)-- [BIC Cloud Design](../saas-apps/bic-cloud-design-provisioning-tutorial.md)-- [Chaos](../saas-apps/chaos-provisioning-tutorial.md)-- [directprint.io](../saas-apps/directprint-io-provisioning-tutorial.md)-- [Documo](../saas-apps/documo-provisioning-tutorial.md)-- [Facebook Work Accounts](../saas-apps/facebook-work-accounts-provisioning-tutorial.md)-- [introDus Pre and Onboarding Platform](../saas-apps/introdus-pre-and-onboarding-platform-provisioning-tutorial.md)-- [Kisi Physical Security](../saas-apps/kisi-physical-security-provisioning-tutorial.md)-- [Klaxoon](../saas-apps/klaxoon-provisioning-tutorial.md)-- [Klaxoon SAML](../saas-apps/klaxoon-saml-provisioning-tutorial.md)-- [MX3 Diagnostics](../saas-apps/mx3-diagnostics-connector-provisioning-tutorial.md)-- [Netpresenter](../saas-apps/netpresenter-provisioning-tutorial.md)-- [Peripass](../saas-apps/peripass-provisioning-tutorial.md)-- [Real Links](../saas-apps/real-links-provisioning-tutorial.md)-- [Sentry](../saas-apps/sentry-provisioning-tutorial.md)-- [Teamgo](../saas-apps/teamgo-provisioning-tutorial.md)-- [Zero](../saas-apps/zero-provisioning-tutorial.md)-
-For more information about how to better secure your organization by using automated user account provisioning, see [Automate user provisioning to SaaS applications with Azure AD](../manage-apps/user-provisioning.md).
-
--
-### New Federated Apps available in Azure AD Application gallery - November 2021
-
-**Type:** New feature
-**Service category:** Enterprise Apps
-**Product capability:** 3rd Party Integration
-
-In November 2021, we have added following 32 new applications in our App gallery with Federation support:
-
-[Tide - Connector](https://gallery.ctinsuretech-tide.com/), [Virtual Risk Manager - USA](../saas-apps/virtual-risk-manager-usa-tutorial.md), [Xorlia Policy Management](https://app.xoralia.com/), [WorkPatterns](https://app.workpatterns.com/oauth2/login?data_source_type=office_365_account_calendar_workspace_sync&utm_source=azure_sso), [GHAE](../saas-apps/ghae-tutorial.md), [Nodetrax Project](../saas-apps/nodetrax-project-tutorial.md), [Touchstone Benchmarking](https://app.touchstonebenchmarking.com/), [SURFsecureID - Azure MFA](../saas-apps/surfsecureid-azure-mfa-tutorial.md), [AiDEA](https://truebluecorp.com/en/prodotti/aidea-en/),[R and D Tax Credit
-
-You can also find the documentation of all the applications [here](../saas-apps/tutorial-list.md).
-
-For listing your application in the Azure AD app gallery, read the details [here](../manage-apps/v2-howto-app-gallery-listing.md).
---
-### Updated "switch organizations" user experience in My Account.
-
-**Type:** Changed feature
-**Service category:** My Profile/Account
-**Product capability:** End User Experiences
-
-Updated "switch organizations" user interface in My Account. This visually improves the UI and provides the end-user with clear instructions. Added a manage organizations link to blade per customer feedback. [Learn more](https://support.microsoft.com/account-billing/switch-organizations-in-your-work-or-school-account-portals-c54c32c9-2f62-4fad-8c23-2825ed49d146).
-
-
-
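Review bot: this hunk deletes the entire November 2021 section (the combined security information registration enablement notice, the ADFS prompt=login fix, the Conditional Access dashboard and workload-identity previews, the randomString/redact provisioning functions, the November app and provisioning-connector lists, and the rest). Before merging, confirm the same entries were added to the what's-new archive page in this PR, since the ADFS prompt=login behaviour change and the combined-registration enablement timeline are items admins may still need to reference. The run-together list items in the removed randomString/redact and provisioning-connector entries need no fixing here, but the archived copy should carry each list item on its own line.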
active-directory Howto Identity Protection Remediate Unblock https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/identity-protection/howto-identity-protection-remediate-unblock.md
If a password reset isn't an option for you, you can choose to dismiss user risk
When you select **Dismiss user risk**, all events are closed and the affected user is no longer at risk. However, because this method doesn't have an impact on the existing password, it doesn't bring the related identity back into a safe state.
+To **Dismiss user risk**, search for and select **Azure AD Risky users**, select the affected user, and select **Dismiss user(s) risk**.
+ ### Close individual risk detections manually You can close individual risk detections manually. By closing risk detections manually, you can lower the user risk level. Typically, risk detections are closed manually in response to a related investigation. For example, when talking to a user reveals that an active risk detection isn't required anymore.
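Review bot: the new "To **Dismiss user risk**" step doesn't say where to search; open it with "In the Azure portal, search for and select **Azure AD Risky users**..." to match the other procedures in this article. The `### Close individual risk detections manually` heading is also joined to its paragraph on one line; put the heading on its own line with a blank line before and after it. Since the sentence just above notes that dismissing risk leaves the existing password untouched, consider ending the new step with a pointer back to the password-reset option for cases where the credential may actually be compromised.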
active-directory Admin Consent Workflow Faq https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/admin-consent-workflow-faq.md
- Previously updated : 11/17/2021+ Last updated : 05/27/2022
active-directory App Management Videos https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/app-management-videos.md
+
+ Title: Application management videos
+description: A list of videos about app registrations, enterprise apps, consent and permissions, and app ownership and assignment in Azure AD
++++++++ Last updated : 05/31/2022++++
+# Application management videos
+
+Learn about the key concepts of application management such as App registrations vs enterprise apps, consent and permissions framework and app ownership and, user assignment.
+
+## App registrations and Enterprise apps
+
+Learn about the different use cases and personas involved in App Registrations and Enterprise Apps and how developers and admins interact with each option to manage applications in Azure AD.
+___
+
+ :::column:::
+ [What is the difference between app registrations and enterprise apps?](https://www.youtube.com/watch?v=JeahL9ZtGfQ&list=PLlrxD0HtieHiBPIyUWkqVzoMrgfwKi4dY&index=4&t=2s)(2:01)
+ :::column-end:::
+ :::column:::
+ >[!Video https://www.youtube.com/embed/JeahL9ZtGfQ]
+ :::column-end:::
+++
+## Consent and permissions for admins
+
+Learn about the options available for managing consent to applications in a tenant. Learn how about delegated permissions and how to revoke previously consented permissions to mitigate risks posed by malicious applications.
+___
+
+ :::column:::
+ 1 - [How do I turn on the admin consent workflow?](https://www.youtube.com/watch?v=19v7WSt9HwU&list=PLlrxD0HtieHiBPIyUWkqVzoMrgfwKi4dY&index=4)(1:04)
+ :::column-end:::
+ :::column:::
+ >[!Video https://www.youtube.com/embed/19v7WSt9HwU]
+ :::column-end:::
+ :::column:::
+ 2 - [How do I grant admin consent in the Azure AD portal](https://www.youtube.com/watch?v=LSYcelwdhHI&list=PLlrxD0HtieHiBPIyUWkqVzoMrgfwKi4dY&index=5)(1:19)
+ :::column-end:::
+ :::column:::
+ >[!Video https://www.youtube.com/embed/LSYcelwdhHI]
+ :::column-end:::
+ :::column:::
+ 3 - [How do delegated permissions work](https://www.youtube.com/watch?v=URTrOXCyH1s&list=PLlrxD0HtieHiBPIyUWkqVzoMrgfwKi4dY&index=7)(1:21)
+ :::column-end:::
+ :::column:::
+ >[!Video https://www.youtube.com/embed/URTrOXCyH1s]
+ :::column-end:::
+ :::column:::
+ 4 - [How do I revoke permissions I've previously consented to for an app](https://www.youtube.com/watch?v=A88uh7ICNJU&list=PLlrxD0HtieHiBPIyUWkqVzoMrgfwKi4dY&index=6)(1:34)
+ :::column-end:::
+ :::column:::
+ >[!Video https://www.youtube.com/embed/A88uh7ICNJU]
+ :::column-end:::
++
+## Assigning owners and users to an enterprise app
+Learn about who can assign owners to service principals, how to assign these owners, permissions that owners have, and what to do when an owner leaves the organization.
+Learn how to assign users and, groups to an enterprise application and how and why an enterprise app may show up in a tenant.
+___
+
+ :::column:::
+ 1 - [How can you ensure healthy ownership to manage your Azure AD app ecosystem?](https://www.youtube.com/watch?v=akOrP3mP4UQ&list=PLlrxD0HtieHiBPIyUWkqVzoMrgfwKi4dY&index=1)(2:13)
+ :::column-end:::
+ :::column:::
+ >[!Video https://www.youtube.com/embed/akOrP3mP4UQ]
+ :::column-end:::
+ :::column:::
+ 2 - [How do I manage who can access the applications in my tenant](https://www.youtube.com/watch?v=IVRI9mSPDBA&list=PLlrxD0HtieHiBPIyUWkqVzoMrgfwKi4dY&index=2)(1:48)
+ :::column-end:::
+ :::column:::
+ >[!Video https://www.youtube.com/embed/IVRI9mSPDBA]
+ :::column-end:::
+ :::column:::
+ 3 - [Why is this app in my tenant?](https://www.youtube.com/watch?v=NhbcVt5xOVI&list=PLlrxD0HtieHiBPIyUWkqVzoMrgfwKi4dY&index=8)(1:36)
+ :::column-end:::
+ :::column:::
+ >[!Video https://www.youtube.com/embed/NhbcVt5xOVI]
+ :::column-end:::
+ :::column:::
+
+ :::column-end:::
+ :::column:::
+
+ :::column-end:::
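Review bot: the two empty `:::column:::` / `:::column-end:::` pairs at the end of the last row render as blank cells; remove them. Other fixes for this new page: "app ownership and, user assignment" and "assign users and, groups" carry a stray comma before "user"/"groups"; "Learn how about delegated permissions" should be "Learn about delegated permissions"; the video titles are inconsistent about ending with a question mark (compare "How do I turn on the admin consent workflow?" with "How do I grant admin consent in the Azure AD portal") and have no space before the duration, e.g. "...?](...) (2:01)". The front matter is collapsed into "++++++++ Last updated : 05/31/2022++++", so verify the YAML header is intact in the source.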
active-directory Configure Admin Consent Workflow https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/configure-admin-consent-workflow.md
Previously updated : 03/22/2021 Last updated : 05/27/2022
active-directory Debug Saml Sso Issues https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/debug-saml-sso-issues.md
Previously updated : 02/18/2019 Last updated : 05/27/2022 # Debug SAML-based single sign-on to applications
Learn how to find and fix [single sign-on](what-is-single-sign-on.md) issues for
## Before you begin
-We recommend installing the [My Apps Secure Sign-in Extension](https://support.microsoft.com/account-billing/troubleshoot-problems-with-the-my-apps-portal-d228da80-fcb7-479c-b960-a1e2535cbdff#im-having-trouble-installing-the-my-apps-secure-sign-in-extension). This browser extension makes it easy to gather the SAML request and SAML response information that you need to resolving issues with single sign-on. In case you cannot install the extension, this article shows you how to resolve issues both with and without the extension installed.
+We recommend installing the [My Apps Secure Sign-in Extension](https://support.microsoft.com/account-billing/troubleshoot-problems-with-the-my-apps-portal-d228da80-fcb7-479c-b960-a1e2535cbdff#im-having-trouble-installing-the-my-apps-secure-sign-in-extension). This browser extension makes it easy to gather the SAML request and SAML response information that you need to resolve issues with single sign-on. In case you can't install the extension, this article shows you how to resolve issues both with and without the extension installed.
To download and install the My Apps Secure Sign-in Extension, use one of the following links.
To test SAML-based single sign-on between Azure AD and a target application:
![Screenshot showing the test SAML SSO page](./media/debug-saml-sso-issues/test-single-sign-on.png)
-If you are successfully signed in, the test has passed. In this case, Azure AD issued a SAML response token to the application. The application used the SAML token to successfully sign you in.
+If you're successfully signed in, the test has passed. In this case, Azure AD issued a SAML response token to the application. The application used the SAML token to successfully sign you in.
If you have an error on the company sign-in page or the application's page, use one of the next sections to resolve the error.
To debug this error, you need the error message and the SAML request. The My App
1. When an error occurs, the extension redirects you back to the Azure AD **Test single sign-on** blade. 1. On the **Test single sign-on** blade, select **Download the SAML request**. 1. You should see specific resolution guidance based on the error and the values in the SAML request.
-1. You will see a **Fix it** button to automatically update the configuration in Azure AD to resolve the issue. If you don't see this button, then the sign-in issue is not due to a misconfiguration on Azure AD.
+1. You'll see a **Fix it** button to automatically update the configuration in Azure AD to resolve the issue. If you don't see this button, then the sign-in issue isn't due to a misconfiguration on Azure AD.
If no resolution is provided for the sign-in error, we suggest that you use the feedback textbox to inform us.
If no resolution is provided for the sign-in error, we suggest that you use the
- A statement identifying the root cause of the problem. 1. Go back to Azure AD and find the **Test single sign-on** blade. 1. In the text box above **Get resolution guidance**, paste the error message.
-1. Click **Get resolution guidance** to display steps for resolving the issue. The guidance might require information from the SAML request or SAML response. If you're not using the My Apps Secure Sign-in Extension, you might need a tool such as [Fiddler](https://www.telerik.com/fiddler) to retrieve the SAML request and response.
-1. Verify that the destination in the SAML request corresponds to the SAML Single Sign-On Service URL obtained from Azure AD.
-1. Verify the issuer in the SAML request is the same identifier you have configured for the application in Azure AD. Azure AD uses the issuer to find an application in your directory.
+1. Select **Get resolution guidance** to display steps for resolving the issue. The guidance might require information from the SAML request or SAML response. If you're not using the My Apps Secure Sign-in Extension, you might need a tool such as [Fiddler](https://www.telerik.com/fiddler) to retrieve the SAML request and response.
+1. Verify that the destination in the SAML request corresponds to the SAML Single Sign-on Service URL obtained from Azure AD.
+1. Verify the issuer in the SAML request is the same identifier you've configured for the application in Azure AD. Azure AD uses the issuer to find an application in your directory.
1. Verify AssertionConsumerServiceURL is where the application expects to receive the SAML token from Azure AD. You can configure this value in Azure AD, but it's not mandatory if it's part of the SAML request. ## Resolve a sign-in error on the application page
-You might sign in successfully and then see an error on the application's page. This occurs when Azure AD issued a token to the application, but the application does not accept the response.
+You might sign in successfully and then see an error on the application's page. This occurs when Azure AD issued a token to the application, but the application doesn't accept the response.
To resolve the error, follow these steps, or watch this [short video about how to use Azure AD to troubleshoot SAML SSO](https://www.youtube.com/watch?v=poQCJK0WPUk&list=PLLasX02E8BPBm1xNMRdvP6GtA6otQUqp0&index=8): 1. If the application is in the Azure AD Gallery, verify that you've followed all the steps for integrating the application with Azure AD. To find the integration instructions for your application, see the [list of SaaS application integration tutorials](../saas-apps/tutorial-list.md). 1. Retrieve the SAML response.
- - If the My Apps Secure Sign-in extension is installed, from the **Test single sign-on** blade, click **download the SAML response**.
- - If the extension is not installed, use a tool such as [Fiddler](https://www.telerik.com/fiddler) to retrieve the SAML response.
+ - If the My Apps Secure Sign-in extension is installed, from the **Test single sign-on** blade, select **download the SAML response**.
+ - If the extension isn't installed, use a tool such as [Fiddler](https://www.telerik.com/fiddler) to retrieve the SAML response.
1. Notice these elements in the SAML response token: - User unique identifier of NameID value and format - Claims issued in the token
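Review bot: the button name in "select **download the SAML response**" is lowercase, while the matching step earlier in this article uses "select **Download the SAML request**"; use the casing the portal shows for both. "SAML Single Sign-on Service URL" was changed from "Single Sign-On"; either is fine, but keep it consistent with the "single sign-on" spelling used elsewhere in the article. The surrounding contraction edits ("you've", "doesn't", "isn't") are consistent with the rest of the file.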
To resolve the error, follow these steps, or watch this [short video about how t
For more information on the SAML response, see [Single Sign-on SAML protocol](../develop/single-sign-on-saml-protocol.md?toc=/azure/active-directory/azuread-dev/toc.json&bc=/azure/active-directory/azuread-dev/breadcrumb/toc.json).
-1. Now that you have reviewed the SAML response, see [Error on an application's page after signing in](application-sign-in-problem-application-error.md) for guidance on how to resolve the problem.
+1. Now that you've reviewed the SAML response, see [Error on an application's page after signing in](application-sign-in-problem-application-error.md) for guidance on how to resolve the problem.
1. If you're still not able to sign in successfully, you can ask the application vendor what is missing from the SAML response. ## Next steps
active-directory Howto Saml Token Encryption https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/howto-saml-token-encryption.md
Previously updated : 03/13/2020 Last updated : 05/27/2022
When you configure a keyCredential using Graph, PowerShell, or in the applicatio
1. From the Azure portal, go to **Azure Active Directory > App registrations**.
-1. Select **All apps** from the dropdown to show all apps, and then select the enterprise application that you want to configure.
+1. Select the **All apps** tab to show all apps, and then select the application that you want to configure.
1. In the application's page, select **Manifest** to edit the [application manifest](../develop/reference-app-manifest.md).
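Review bot: dropping "enterprise" is the right correction here, since this step edits the manifest under **App registrations** and the keyCredential described at the top of this hunk lives on the application object, not on the enterprise application (service principal); "the app registration that you want to configure" would be more precise still. Describing **All apps** as a tab rather than a dropdown also matches the App registrations blade.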
active-directory Review Admin Consent Requests https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/review-admin-consent-requests.md
Previously updated : 03/22/2021 Last updated : 05/27/2022
# Review admin consent requests
-In this article, you learn how to review and take action on admin consent requests. To review and act on consent requests, you must be designated as a reviewer. As a reviewer, you only see admin consent requests that were created after you were designated as a reviewer.
+In this article, you learn how to review and take action on admin consent requests. To review and act on consent requests, you must be designated as a reviewer. As a reviewer, you can view all admin consent requests but you can only act on those requests that were created after you were designated as a reviewer.
## Prerequisites
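Review bot: this changes the reviewer-visibility statement from "only see requests created after you were designated" to "view all requests but only act on those created after designation". That is a behaviour claim rather than a wording fix, so confirm it against the portal before merging; the **My Pending** tab introduced in the procedure below is consistent with it, and the admin consent workflow FAQ updated in the same batch should be checked for the older statement.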
To review the admin consent requests and take action:
1. In the filter search box, type and select **Azure Active Directory**. 1. From the navigation menu, select **Enterprise applications**. 1. Under **Activity**, select **Admin consent requests**.
-1. Select the application that is being requested.
-1. Review details about the request:
+1. Select **My Pending** tab to view and act on the pending requests.
+1. Select the application that is being requested from the list.
+1. Review details about the request:
+ - To view the application details, select the **App details** tab.
- To see who is requesting access and why, select the **Requested by** tab. - To see what permissions are being requested by the application, select **Review permissions and consent**.
+ :::image type="content" source="media/configure-admin-consent-workflow/review-consent-requests.png" alt-text="Screenshot of the admin consent requests in the portal.":::
+
1. Evaluate the request and take the appropriate action: - **Approve the request**. To approve a request, grant admin consent to the application. Once a request is approved, all requestors are notified that they have been granted access. Approving a request allows all users in your tenant to access the application unless otherwise restricted with user assignment.
- - **Deny the request**. To deny a request, you must provide a justification that will be provided to all requestors. Once a request is denied, all requestors are notified that they have been denied access to the application. Denying a request won't prevent users from requesting admin consent to the app again in the future.
+ - **Deny the request**. To deny a request, you must provide a justification that will be provided to all requestors. Once a request is denied, all requestors are notified that they have been denied access to the application. Denying a request won't prevent users from requesting admin consent to the application again in the future.
- **Block the request**. To block a request, you must provide a justification that will be provided to all requestors. Once a request is blocked, all requestors are notified they've been denied access to the application. Blocking a request creates a service principal object for the application in your tenant in a disabled state. Users won't be able to request admin consent to the application in the future.+
+## Next steps
+- [Review permissions granted to apps](manage-application-permissions.md)
+- [Grant tenant-wide admin consent](grant-admin-consent.md)
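Review bot: "Select **My Pending** tab" is missing "the". The **Block the request** line ends with a stray "+" after "in the future", and the new "## Next steps" heading needs a blank line before it. The blocking bullet is the security-relevant one: it creates a disabled service principal so the application can't be requested again, which is the right outcome for a known-bad app; since the text already notes that a denied app can be requested again, consider adding one sentence that denying (not blocking) is the choice when the app is legitimate but the requested permissions are too broad.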
active-directory Tutorial Manage Certificates For Federated Single Sign On https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/tutorial-manage-certificates-for-federated-single-sign-on.md
Previously updated : 03/31/2022 Last updated : 05/27/2022
# Tutorial: Manage certificates for federated single sign-on
-In this article, we cover common questions and information related to certificates that Azure Active Directory (Azure AD) creates to establish federated single sign-on (SSO) to your software as a service (SaaS) applications. Add applications from the Azure AD app gallery or by using a non-gallery application template. Configure the application by using the federated SSO option.
+In this article, we cover common questions and information related to certificates that Azure Active Directory (Azure AD) creates to establish federated single sign-on (SSO) to your software as a service (SaaS) applications. Add applications from the Azure AD application gallery or by using a non-gallery application template. Configure the application by using the federated SSO option.
This tutorial is relevant only to apps that are configured to use Azure AD SSO through [Security Assertion Markup Language](https://wikipedia.org/wiki/Security_Assertion_Markup_Language) (SAML) federation.
+Using the information in this tutorial, an administrator of the application learns how to:
+
+> [!div class="checklist"]
+> * Generate certificates for gallery and non-gallery applications
+> * Customize the expiration dates for certificates
+> * Add email notification address for certificate expiration dates
+> * Renew certificates
+
+## Prerequisites
+
+- An Azure account with an active subscription. If you don't already have one, [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
+- One of the following roles: Global Administrator, Privileged Role Administrator, Cloud Application Administrator, or Application Administrator.
+- An enterprise application that has been configured in your Azure AD tenant.
++ ## Auto-generated certificate for gallery and non-gallery applications When you add a new application from the gallery and configure a SAML-based sign-on (by selecting **Single sign-on** > **SAML** from the application overview page), Azure AD generates a certificate for the application that is valid for three years. To download the active certificate as a security certificate (**.cer**) file, return to that page (**SAML-based sign-on**) and select a download link in the **SAML Signing Certificate** heading. You can choose between the raw (binary) certificate or the Base64 (base 64-encoded text) certificate. For gallery applications, this section might also show a link to download the certificate as federation metadata XML (an **.xml** file), depending on the requirement of the application.
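Review bot: the checklist item "Add email notification address for certificate expiration dates" should be plural ("addresses") to match the section heading "Add email notification addresses for certificate expiration" later in the article. The "## Auto-generated certificate for gallery and non-gallery applications" heading is glued to the "++" line and to its paragraph; give it its own line. The prerequisites now list the four roles that can manage the signing certificate; since this is the key that signs federated SSO assertions, it's worth adding to the auto-generated certificate paragraph that the downloaded **.cer** contains only the public certificate, which is the question a reader of "Generate certificates" will have.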
Next, download the new certificate in the correct format, upload it to the appli
1. When you want to roll over to the new certificate, go back to the **SAML Signing Certificate** page, and in the newly saved certificate row, select the ellipsis (**...**) and select **Make certificate active**. The status of the new certificate changes to **Active**, and the previously active certificate changes to a status of **Inactive**. 1. Continue following the application's SAML sign-on configuration instructions that you displayed earlier, so that you can upload the SAML signing certificate in the correct encoding format.
-If your application doesn't have any validation for the certificate's expiration, and the certificate matches in both Azure Active Directory and your application, your app is still accessible despite having an expired certificate. Ensure your application can validate the certificate's expiration date.
+If your application doesn't have any validation for the certificate's expiration, and the certificate matches in both Azure Active Directory and your application, your application is still accessible despite having an expired certificate. Ensure your application can validate the certificate's expiration date.
## Add email notification addresses for certificate expiration
If a certificate is about to expire, you can renew it using a procedure that res
1. In the newly saved certificate row, select the ellipsis (**...**) and then select **Make certificate active**. 1. Skip the next two steps.
-1. If the app can only handle one certificate at a time, pick a downtime interval to perform the next step. (Otherwise, if the application doesnΓÇÖt automatically pick up the new certificate but can handle more than one signing certificate, you can perform the next step anytime.)
-1. Before the old certificate expires, follow the instructions in the [Upload and activate a certificate](#upload-and-activate-a-certificate) section earlier. If your application certificate isn't updated after a new certificate is updated in Azure Active Directory, authentication on your app may fail.
+1. If the application can only handle one certificate at a time, pick a downtime interval to perform the next step. (Otherwise, if the application doesnΓÇÖt automatically pick up the new certificate but can handle more than one signing certificate, you can perform the next step anytime.)
+1. Before the old certificate expires, follow the instructions in the [Upload and activate a certificate](#upload-and-activate-a-certificate) section earlier. If your application certificate isn't updated after a new certificate is updated in Azure Active Directory, authentication on your application may fail.
1. Sign in to the application to make sure that the certificate works correctly.
-If your application doesn't validate the certificate expiration configured in Azure Active Directory, and the certificate matches in both Azure Active Directory and your application, your app is still accessible despite having an expired certificate. Ensure your application can validate certificate expiration.
+If your application doesn't validate the certificate expiration configured in Azure Active Directory, and the certificate matches in both Azure Active Directory and your application, your application is still accessible despite having an expired certificate. Ensure your application can validate certificate expiration.
## Related articles -- [Tutorials for integrating SaaS applications with Azure Active Directory](../saas-apps/tutorial-list.md) - [Application management with Azure Active Directory](what-is-application-management.md) - [Single sign-on to applications in Azure Active Directory](what-is-single-sign-on.md) - [Debug SAML-based single sign-on to applications in Azure Active Directory](./debug-saml-sso-issues.md)
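Review bot: the rewritten step "If the application can only handle one certificate at a time..." carries the mojibake `doesnΓÇÖt` over from the removed line; since the line is being touched anyway, replace it with a plain apostrophe (`doesn't`). In the following step, "isn't updated after a new certificate is updated in Azure Active Directory" reads awkwardly; "after a new certificate is activated in Azure Active Directory" matches the **Make certificate active** step it refers to.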
active-directory Security Planning https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/security-planning.md
Attackers might try to target privileged accounts so that they can disrupt the i
* Impersonation attacks * Credential theft attacks such as keystroke logging, Pass-the-Hash, and Pass-The-Ticket
-By deploying privileged access workstations, you can reduce the risk that administrators enter their credentials in a desktop environment that hasn't been hardened. For more information, see [Privileged Access Workstations](https://4sysops.com/archives/understand-the-microsoft-privileged-access-workstation-paw-security-model/).
+By deploying privileged access workstations, you can reduce the risk that administrators enter their credentials in a desktop environment that hasn't been hardened. For more information, see [Privileged Access Workstations](/security/compass/overview).
#### Review National Institute of Standards and Technology recommendations for handling incidents
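Review bot: the new target `/security/compass/overview` appears to be the general security best-practices overview, while the link text still reads "Privileged Access Workstations"; either point at the PAW-specific page under that section or widen the link text so readers are not sent to a page that is not specifically about privileged access workstations.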
active-directory Github Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/github-provisioning-tutorial.md
For more information, see [Assign a user or group to an enterprise app](../manag
## Configuring user provisioning to GitHub
-This section guides you through connecting your Azure AD to GitHub's SCIM provisioning API to automate provisioning of GitHub organization membership. This integration, which leverages an [OAuth app](https://docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/authorizing-oauth-apps#oauth-apps-and-organizations), automatically adds, manages, and removes members' access to a GitHub Enterprise Cloud organization based on user and group assignment in Azure AD. When users are [provisioned to a GitHub organization via SCIM](https://docs.github.com/en/free-pro-team@latest/rest/reference/scim#provision-and-invite-a-scim-user), an email invitation is sent to the user's email address.
+This section guides you through connecting your Azure AD to GitHub's SCIM provisioning API to automate provisioning of GitHub organization membership. This integration, which leverages an [OAuth app](https://docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/authorizing-oauth-apps#oauth-apps-and-organizations), automatically adds, manages, and removes members' access to a GitHub Enterprise Cloud organization based on user and group assignment in Azure AD. When users are [provisioned to a GitHub organization via SCIM](https://docs.github.com/en/rest/enterprise-admin/scim), an email invitation is sent to the user's email address.
### Configure automatic user account provisioning to GitHub in Azure AD
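Review bot: the surrounding text and the link text describe provisioning users into a GitHub *organization* via SCIM, but the new URL path `rest/enterprise-admin/scim` is the enterprise-level SCIM reference, and the anchor to the "provision and invite a SCIM user" operation from the old link is dropped; confirm this is the intended reference, since the organization-level SCIM endpoints are documented separately.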
active-directory Credential Design https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/credential-design.md
# How to customize your verifiable credentials (preview) + Verifiable credentials are made up of two components, the rules and display files. The rules file determines what the user needs to provide before they receive a verifiable credential. The display file controls the branding of the credential and styling of the claims. In this guide, we will explain how to modify both files to meet the requirements of your organization. > [!IMPORTANT]
active-directory Decentralized Identifier Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/decentralized-identifier-overview.md
# Introduction to Azure Active Directory Verifiable Credentials (preview) + > [!IMPORTANT] > Azure Active Directory Verifiable Credentials is currently in public preview. > This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.
The scenario we use to explain how VCs work involves:
Today, Alice provides a username and password to log onto WoodgroveΓÇÖs networked environment. Woodgrove is deploying a verifiable credential solution to provide a more manageable way for Alice to prove that she is an employee of Woodgrove. Proseware accepts verifiable credentials issued by Woodgrove as proof of employment to offer corporate discounts as part of their corporate discount program.
-Alice requests Woodgrove Inc for a proof of employment verifiable credential. Woodgrove Inc attests Alice's identiy and issues a signed verfiable credential that Alice can accept and store in her digital wallet application. Alice can now present this verifiable credential as a proof of employement on the Proseware site. After a succesfull presentation of the credential, Prosware offers discount to Alice and the transaction is logged in Alice's wallet application so that she can track where and to whom she has presented her proof of employment verifiable credential.
+Alice requests Woodgrove Inc for a proof of employment verifiable credential. Woodgrove Inc attests Alice's identity and issues a signed verfiable credential that Alice can accept and store in her digital wallet application. Alice can now present this verifiable credential as a proof of employement on the Proseware site. After a succesfull presentation of the credential, Prosware offers discount to Alice and the transaction is logged in Alice's wallet application so that she can track where and to whom she has presented her proof of employment verifiable credential.
![microsoft-did-overview](media/decentralized-identifier-overview/did-overview.png)
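Review bot: the rewritten line fixes "identiy" but leaves the other misspellings on the same line: "verfiable" (verifiable), "employement" (employment), "succesfull" (successful) and "Prosware" (Proseware, as spelled elsewhere in the section); "offers discount" should also be "offers a discount". Worth fixing in the same edit.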
There are three primary actors in the verifiable credential solution. In the fol
- **Step 1**, the **user** requests a verifiable credential from an issuer. - **Step 2**, the **issuer** of the credential attests that the proof the user provided is accurate and creates a verifiable credential signed with their DID and the userΓÇÖs DID is the subject.-- **In Step 3**, the user signs a verifiable presentation (VP) with their DID and sends to the **verifier.** The verifier then validates of the credential by matching with the public key placed in the DPKI.
+- **In Step 3**, the user signs a verifiable presentation (VP) with their DID and sends to the **verifier.** The verifier then validates the credential by matching with the public key placed in the DPKI.
The roles in this scenario are:
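Review bot: the rewritten Step 3 still reads "sends to the **verifier.**" with no object and the period inside the bold; "sends it to the **verifier**." is what is meant. "Validates the credential by matching with the public key placed in the DPKI" would also be clearer as "validates the credential's signature against the issuer's public key published in the DPKI", which is what the Step 2 context line describes (the credential is signed with the issuer's DID).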
active-directory Get Started Request Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/get-started-request-api.md
# Request Service REST API (preview) + Azure Active Directory (Azure AD) Verifiable Credentials includes the Request Service REST API. This API allows you to issue and verify credentials. This article shows you how to start using the Request Service REST API. > [!IMPORTANT]
active-directory How To Create A Free Developer Account https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/how-to-create-a-free-developer-account.md
# How to create a free Azure Active Directory developer tenant + > [!IMPORTANT] > Azure Active Directory Verifiable Credentials is currently in public preview. > This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.
active-directory How To Dnsbind https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/how-to-dnsbind.md
# Link your domain to your Decentralized Identifier (DID) (preview) + > [!IMPORTANT] > Azure Active Directory Verifiable Credentials is currently in public preview. > This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.
active-directory How To Issuer Revoke https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/how-to-issuer-revoke.md
# Revoke a previously issued verifiable credential (preview) + As part of the process of working with verifiable credentials (VCs), you not only have to issue credentials, but sometimes you also have to revoke them. In this article we go over the **Status** property part of the VC specification and take a closer look at the revocation process, why we may want to revoke credentials and some data and privacy implications. > [!IMPORTANT]
active-directory How To Opt Out https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/how-to-opt-out.md
# Opt out of the verifiable credentials (preview) + In this article: - The reason why you may need to opt out.
active-directory Introduction To Verifiable Credentials Architecture https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/introduction-to-verifiable-credentials-architecture.md
# Azure AD Verifiable Credentials architecture overview (preview) + > [!IMPORTANT] > Azure Active Directory Verifiable Credentials is currently in public preview. This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [**Supplemental Terms of Use for Microsoft Azure Previews**](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
active-directory Issuance Request Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/issuance-request-api.md
# Request Service REST API issuance specification (preview) + Azure Active Directory (Azure AD) Verifiable Credentials includes the Request Service REST API. This API allows you to issue and verify a credential. This article specifies the Request Service REST API for an issuance request. ## HTTP request
active-directory Issuer Openid https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/issuer-openid.md
# Issuer service communication examples (preview) + The Azure AD Verifiable Credential service can issue verifiable credentials by retrieving claims from an ID token generated by your organization's OpenID compliant identity provider. This article instructs you on how to set up your identity provider so Authenticator can communicate with it and retrieve the correct ID Token to pass to the issuing service. > [!IMPORTANT]
active-directory Plan Issuance Solution https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/plan-issuance-solution.md
# Plan your Azure Active Directory Verifiable Credentials issuance solution (preview) + >[!IMPORTANT] > Azure Active Directory Verifiable Credentials is currently in public preview. This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [**Supplemental Terms of Use for Microsoft Azure Previews**](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
active-directory Plan Verification Solution https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/plan-verification-solution.md
# Plan your Azure Active Directory Verifiable Credentials verification solution (preview) + >[!IMPORTANT] > Azure Active Directory Verifiable Credentials is currently in public preview. This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
active-directory Presentation Request Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/presentation-request-api.md
# Request Service REST API presentation specification (preview) + Azure Active Directory (Azure AD) Verifiable Credentials includes the Request Service REST API. This API allows you to issue and verify a credential. This article specifies the Request Service REST API for a presentation request. The presentation request asks the user to present a verifiable credential, and then verify the credential. ## HTTP request
POST https://beta.did.msidentity.com/v1.0/contoso.onmicrosoft.com/verifiablecred
Content-Type: application/json Authorization: Bearer <token>
-{
-    "includeQRCode": true,
- "callback":ΓÇ»{
-    "url": "https://www.contoso.com/api/verifier/presentationCallbac",
-    "state": "11111111-2222-2222-2222-333333333333",
-      "headers": {
-        "api-key": "an-api-key-can-go-here"
-      }
-    },
+{
+    "includeQRCode": true,
+ "callback":ΓÇ»{
+    "url": "https://www.contoso.com/api/verifier/presentationCallbac",
+    "state": "11111111-2222-2222-2222-333333333333",
+      "headers": {
+        "api-key": "an-api-key-can-go-here"
+      }
+    },
    ...
-}
-```
+}
+```
The following permission is required to call the Request Service REST API. For more information, see [Grant permissions to get access tokens](verifiable-credentials-configure-tenant.md#grant-permissions-to-get-access-tokens).
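Review bot: the re-added request sample keeps two defects from the removed lines: the callback URL ends in `presentationCallbac` (presumably `presentationCallback`), and `"callback":ΓÇ»{` has a mojibake non-breaking space after the colon, which survives copy-paste and is rejected by strict JSON parsers because NBSP is not JSON whitespace. Since readers copy this body verbatim, fix both while the block is being touched; the same non-breaking space appears after `"qrCode":` in the response sample further down.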
The presentation request payload contains information about your verifiable cred
} ```
-The payload contains the following properties.
+The payload contains the following properties.
|Parameter |Type | Description | ||||
The Request Service REST API generates several events to the callback endpoint.
If successful, this method returns a response code (*HTTP 201 Created*), and a collection of event objects in the response body. The following JSON demonstrates a successful response: ```json
-{
+{
"requestId": "e4ef27ca-eb8c-4b63-823b-3b95140eac11", "url": "openid://vc/?request_uri=https://beta.did.msidentity.com/v1.0/87654321-0000-0000-0000-000000000000/verifiablecredentials/request/e4ef27ca-eb8c-4b63-823b-3b95140eac11", "expiry": 1633017751, "qrCode":ΓÇ»"<SNIP>"
-}
+}
``` The response contains the following properties:
The response contains the following properties:
## Callback events
-The callback endpoint is called when a user scans the QR code, uses the deep link the authenticator app, or finishes the presentation process.
+The callback endpoint is called when a user scans the QR code, uses the deep link the authenticator app, or finishes the presentation process.
|Property |Type |Description | ||||
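Review bot: the changed line is whitespace-only and still reads "uses the deep link the authenticator app"; a word is missing ("uses the deep link in the authenticator app").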
The callback endpoint is called when a user scans the QR code, uses the deep lin
| `code` |string |The code returned when the request was retrieved by the authenticator app. Possible values: <ul><li>`request_retrieved`: The user scanned the QR code or selected the link that starts the presentation flow.</li><li>`presentation_verified`: The verifiable credential validation completed successfully.</li></ul> | | `state` |string| Returns the state value that you passed in the original payload. | | `subject`|string | The verifiable credential user DID.|
-| `issuers`| array |Returns an array of verifiable credentials requested. For each verifiable credential, it provides: </li><li>The verifiable credential type(s).</li><li>The issuer's DID</li><li>The claims retrieved.</li><li>The verifiable credential issuerΓÇÖs domain. </li><li>The verifiable credential issuerΓÇÖs domain validation status. </li></ul> |
+| `issuers`| array |Returns an array of verifiable credentials requested. For each verifiable credential, it provides: </li><li>The verifiable credential type(s).</li><li>The issuer's DID</li><li>The claims retrieved.</li><li>The verifiable credential issuer's domain. </li><li>The verifiable credential issuer's domain validation status. </li></ul> |
| `receipt`| string | Optional. The receipt contains the original payload sent from the wallet to the Verifiable Credentials service. The receipt should be used for troubleshooting/debugging only. The format in the receipt is not fix and can change based on the wallet and version used.| The following example demonstrates a callback payload when the authenticator app starts the presentation request: ```json
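Review bot: the rewritten `issuers` row opens its list with `</li><li>` and no `<ul>`, so the first item is preceded by a stray closing tag; it should start `<ul><li>`, matching the `code` row above. In the trailing `receipt` row, "is not fix" should be "is not fixed".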
-{
-    "requestId":"aef2133ba45886ce2c38974339ba1057",
-    "code":"request_retrieved",
+{
+    "requestId":"aef2133ba45886ce2c38974339ba1057",
+    "code":"request_retrieved",
    "state":"Wy0ThUz1gSasAjS1"
-}
+}
``` The following example demonstrates a callback payload after the verifiable credential presentation has successfully completed:
active-directory Verifiable Credentials Configure Issuer https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/verifiable-credentials-configure-issuer.md
Last updated 05/03/2022
+ # Issue Azure AD Verifiable Credentials from an application (preview) + In this tutorial, you run a sample application from your local computer that connects to your Azure Active Directory (Azure AD) tenant. Using the application, you're going to issue and verify a verified credential expert card. In this article, you learn how to:
active-directory Verifiable Credentials Configure Tenant https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/verifiable-credentials-configure-tenant.md
Last updated 05/06/2022
# Configure your tenant for Azure AD Verifiable Credentials (preview) + Azure Active Directory (Azure AD) Verifiable Credentials safeguards your organization with an identity solution that's seamless and decentralized. The service allows you to issue and verify credentials. For issuers, Azure AD provides a service that they can customize and use to issue their own verifiable credentials. For verifiers, the service provides a free REST API that makes it easy to request and accept verifiable credentials in your apps and services. In this tutorial, you learn how to configure your Azure AD tenant so it can use the verifiable credentials service.
active-directory Verifiable Credentials Configure Verifier https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/verifiable-credentials-configure-verifier.md
Previously updated : 10/08/2021 Last updated : 05/18/2022 # Customer intent: As an enterprise, we want to enable customers to manage information about themselves by using verifiable credentials. # Configure Azure AD Verifiable Credentials verifier (preview) + In [Issue Azure AD Verifiable Credentials from an application (preview)](verifiable-credentials-configure-issuer.md), you learn how to issue and verify credentials by using the same Azure Active Directory (Azure AD) tenant. In this tutorial, you go over the steps needed to present and verify your first verifiable credential: a verified credential expert card. As a verifier, you unlock privileges to subjects that possess verified credential expert cards. In this tutorial, you run a sample application from your local computer that asks you to present a verified credential expert card, and then verifies it.
active-directory Verifiable Credentials Faq https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/verifiable-credentials-faq.md
# Frequently Asked Questions (FAQ) (preview) + This page contains commonly asked questions about Verifiable Credentials and Decentralized Identity. Questions are organized into the following sections. - [Vocabulary and basics](#the-basics)
active-directory Whats New https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/whats-new.md
# What's new in Azure Active Directory Verifiable Credentials (preview) + This article lists the latest features, improvements, and changes in the Azure Active Directory (Azure AD) Verifiable Credentials service. ## May 2022
aks Azure Ad Integration Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/azure-ad-integration-cli.md
For best practices on identity and resource control, see [Best practices for aut
[kubernetes-webhook]:https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication [kubectl-apply]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#apply [kubectl-get]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#get
-[complete-script]: https://github.com/Azure-Samples/azure-cli-samples/tree/master/aks/azure-ad-integration/azure-ad-integration.sh
<!-- LINKS - internal --> [az-aks-create]: /cli/azure/aks#az_aks_create
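Review bot: removing the `[complete-script]` link definition leaves a dangling `[...][complete-script]` reference if the article body still uses it (the hunk shows only the link block); confirm the body reference was removed too, otherwise the rendered page shows the raw bracket text.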
aks Csi Secrets Store Nginx Tls https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/csi-secrets-store-nginx-tls.md
Previously updated : 10/19/2021 Last updated : 05/26/2022
This article walks you through the process of securing an NGINX Ingress Controll
Importing the ingress TLS certificate to the cluster can be accomplished using one of two methods: -- **Application** - The application deployment manifest declares and mounts the provider volume. Only when the application is deployed is the certificate made available in the cluster, and when the application is removed the secret is removed as well. This scenario fits development teams who are responsible for the applicationΓÇÖs security infrastructure and their integration with the cluster.-- **Ingress Controller** - The ingress deployment is modified to declare and mount the provider volume. The secret is imported when ingress pods are created. The applicationΓÇÖs pods have no access to the TLS certificate. This scenario fits scenarios where one team (i.e. IT) manages and provisions infrastructure and networking components (including HTTPS TLS certificates) and other teams manage application lifecycle. In this case, ingress is specific to a single namespace/workload and is deployed in the same namespace as the application.
+- **Application** - The application deployment manifest declares and mounts the provider volume. Only when the application is deployed, is the certificate made available in the cluster, and when the application is removed the secret is removed as well. This scenario fits development teams who are responsible for the applicationΓÇÖs security infrastructure and their integration with the cluster.
+- **Ingress Controller** - The ingress deployment is modified to declare and mount the provider volume. The secret is imported when ingress pods are created. The applicationΓÇÖs pods have no access to the TLS certificate. This scenario fits scenarios where one team (for example, IT) manages and creates infrastructure and networking components (including HTTPS TLS certificates) and other teams manage application lifecycle. In this case, ingress is specific to a single namespace/workload and is deployed in the same namespace as the application.
## Prerequisites
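Review bot: the added comma in "Only when the application is deployed, is the certificate made available" is wrong for an inverted conditional; drop it ("Only when the application is deployed is the certificate made available"). Both bullets also carry the mojibake `applicationΓÇÖs` over from the removed text; replace it with a plain apostrophe while the lines are being rewritten.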
Importing the ingress TLS certificate to the cluster can be accomplished using o
## Generate a TLS certificate ```bash
-export CERT_NAME=ingresscert
+export CERT_NAME=aks-ingress-cert
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
- -out ingress-tls.crt \
- -keyout ingress-tls.key \
- -subj "/CN=demo.test.com/O=ingress-tls"
+ -out aks-ingress-tls.crt \
+ -keyout aks-ingress-tls.key \
+ -subj "/CN=demo.azure.com/O=aks-ingress-tls"
``` ### Import the certificate to AKV ```bash export AKV_NAME="[YOUR AKV NAME]"
-openssl pkcs12 -export -in ingress-tls.crt -inkey ingress-tls.key -out $CERT_NAME.pfx
+openssl pkcs12 -export -in aks-ingress-tls.crt -inkey aks-ingress-tls.key -out $CERT_NAME.pfx
# skip Password prompt ```
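Review bot: the self-signed certificate's subject is changed to `/CN=demo.azure.com`, a real Microsoft-owned domain, and the same name is reused as the ingress host later in the article; for a demo certificate a reserved name such as `demo.example.com` (RFC 2606) is safer, so readers do not generate and test with a certificate for a domain they do not control. The `-nodes` flag leaves the private key unencrypted on disk, which is fine for a walkthrough but deserves a one-line comment next to the `# skip Password prompt` one.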
az keyvault certificate import --vault-name $AKV_NAME -n $CERT_NAME -f $CERT_NAM
First, create a new namespace: ```bash
-export NAMESPACE=ingress-test
+export NAMESPACE=ingress-basic
``` ```azurecli-interactive
-kubectl create ns $NAMESPACE
+kubectl create namespace $NAMESPACE
``` Select a [method to provide an access identity][csi-ss-identity-access] and configure your SecretProviderClass YAML accordingly. Additionally:
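Review bot: the `kubectl create namespace $NAMESPACE` block is fenced as `azurecli-interactive` although it is a kubectl command, while the `export NAMESPACE=...` block just above is fenced as `bash`; fence both as `bash` so the two adjacent blocks render and copy consistently.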
Select a [method to provide an access identity][csi-ss-identity-access] and conf
- Be sure to use `objectType=secret`, which is the only way to obtain the private key and the certificate from AKV. - Set `kubernetes.io/tls` as the `type` in your `secretObjects` section.
-See the following for an example of what your SecretProviderClass might look like:
+See the following example of what your SecretProviderClass might look like:
```yml apiVersion: secrets-store.csi.x-k8s.io/v1
spec:
key: tls.crt parameters: usePodIdentity: "false"
+ useVMManagedIdentity: "true"
+ userAssignedIdentityID: <client id>
keyvaultName: $AKV_NAME # the name of the AKV instance objects: | array:
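Review bot: the added `useVMManagedIdentity: "true"` and `userAssignedIdentityID: <client id>` lines bake one access-identity method into the sample immediately after the prose tells readers to pick a method and configure the SecretProviderClass accordingly, and `<client id>` is the only placeholder in the block without an explanatory comment. Either comment the two lines as applying only to the user-assigned managed identity option, or add a comment like the one on `keyvaultName` saying whose client ID goes there.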
The applicationΓÇÖs deployment will reference the Secrets Store CSI Driver's Azu
helm install ingress-nginx/ingress-nginx --generate-name \ --namespace $NAMESPACE \ --set controller.replicaCount=2 \
- --set controller.nodeSelector."beta\.kubernetes\.io/os"=linux \
+ --set controller.nodeSelector."kubernetes\.io/os"=linux \
--set controller.service.annotations."service\.beta\.kubernetes\.io/azure-load-balancer-health-probe-request-path"=/healthz \
- --set defaultBackend.nodeSelector."beta\.kubernetes\.io/os"=linux
+ --set defaultBackend.nodeSelector."kubernetes\.io/os"=linux
``` #### Bind certificate to ingress controller
The ingress controllerΓÇÖs deployment will reference the Secrets Store CSI Drive
helm install ingress-nginx/ingress-nginx --generate-name \ --namespace $NAMESPACE \ --set controller.replicaCount=2 \
- --set controller.nodeSelector."beta\.kubernetes\.io/os"=linux \
- --set defaultBackend.nodeSelector."beta\.kubernetes\.io/os"=linux \
+ --set controller.nodeSelector."kubernetes\.io/os"=linux \
+ --set defaultBackend.nodeSelector."kubernetes\.io/os"=linux \
--set controller.service.annotations."service\.beta\.kubernetes\.io/azure-load-balancer-health-probe-request-path"=/healthz \ --set controller.podLabels.aadpodidbinding=$AAD_POD_IDENTITY_NAME \ -f - <<EOF
Again, depending on your scenario, the instructions will change slightly. Follow
### Deploy the application using an application reference
-Create a file named `deployment.yaml` with the following content:
+Create a file named `aks-helloworld-one.yaml` with the following content:
```yml apiVersion: apps/v1 kind: Deployment metadata:
- name: busybox-one
- labels:
- app: busybox-one
+ name: aks-helloworld-one
spec: replicas: 1 selector: matchLabels:
- app: busybox-one
+ app: aks-helloworld-one
template: metadata: labels:
- app: busybox-one
+ app: aks-helloworld-one
spec: containers:
- - name: busybox
- image: k8s.gcr.io/e2e-test-images/busybox:1.29-1
- command:
- - "/bin/sleep"
- - "10000"
+ - name: aks-helloworld-one
+ image: mcr.microsoft.com/azuredocs/aks-helloworld:v1
+ ports:
+ - containerPort: 80
+ env:
+ - name: TITLE
+ value: "Welcome to Azure Kubernetes Service (AKS)"
volumeMounts: - name: secrets-store-inline mountPath: "/mnt/secrets-store" readOnly: true volumes:
+ - name: secrets-store-inline
+ csi:
+ driver: secrets-store.csi.k8s.io
+ readOnly: true
+ volumeAttributes:
+ secretProviderClass: "azure-tls"
+
+apiVersion: v1
+kind: Service
+metadata:
+ name: aks-helloworld-one
+spec:
+ type: ClusterIP
+ ports:
+ - port: 80
+ selector:
+ app: aks-helloworld-one
+```
+
+Create a file named `aks-helloworld-two.yaml` with the following content:
+
+```yml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: aks-helloworld-two
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: aks-helloworld-two
+ template:
+ metadata:
+ labels:
+ app: aks-helloworld-two
+ spec:
+ containers:
+ - name: aks-helloworld-two
+ image: mcr.microsoft.com/azuredocs/aks-helloworld:v1
+ ports:
+ - containerPort: 80
+ env:
+ - name: TITLE
+ value: "AKS Ingress Demo"
+ volumeMounts:
- name: secrets-store-inline
- csi:
- driver: secrets-store.csi.k8s.io
- readOnly: true
- volumeAttributes:
- secretProviderClass: "azure-tls"
+ mountPath: "/mnt/secrets-store"
+ readOnly: true
+ volumes:
+ - name: secrets-store-inline
+ csi:
+ driver: secrets-store.csi.k8s.io
+ readOnly: true
+ volumeAttributes:
+ secretProviderClass: "azure-tls"
apiVersion: v1 kind: Service metadata:
- name: busybox-one
+ name: aks-helloworld-two
spec: type: ClusterIP ports: - port: 80 selector:
- app: busybox-one
+ app: aks-helloworld-two
```
-And apply it to your cluster:
+And apply them to your cluster:
```bash
-kubectl apply -f deployment.yaml -n $NAMESPACE
+kubectl apply -f aks-helloworld-one.yaml -n $NAMESPACE
+kubectl apply -f aks-helloworld-two.yaml -n $NAMESPACE
``` Verify the Kubernetes secret has been created:
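Review bot: in both new manifests the Deployment and the Service are written into one file with only a blank line between them (after `secretProviderClass: "azure-tls"` and before `apiVersion: v1`); unless a `---` document separator was lost in the diff rendering, `kubectl apply` will parse each file as a single YAML document and fail on the duplicate `apiVersion`/`kind` keys. Confirm the separator is present in the source, or split the Service into its own file.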
ingress-tls-csi kubernetes.io/tls
### Deploy the application using an ingress controller reference
-Create a file named `deployment.yaml` with the following content:
+Create a file named `aks-helloworld-one.yaml` with the following content:
```yml apiVersion: apps/v1 kind: Deployment metadata:
- name: busybox-one
- labels:
- app: busybox-one
+ name: aks-helloworld-one
spec: replicas: 1 selector: matchLabels:
- app: busybox-one
+ app: aks-helloworld-one
template: metadata: labels:
- app: busybox-one
+ app: aks-helloworld-one
spec: containers:
- - name: busybox
- image: k8s.gcr.io/e2e-test-images/busybox:1.29-1
- command:
- - "/bin/sleep"
- - "10000"
+ - name: aks-helloworld-one
+ image: mcr.microsoft.com/azuredocs/aks-helloworld:v1
+ ports:
+ - containerPort: 80
+ env:
+ - name: TITLE
+ value: "Welcome to Azure Kubernetes Service (AKS)"
apiVersion: v1 kind: Service metadata:
- name: busybox-one
+ name: aks-helloworld-one
spec: type: ClusterIP ports: - port: 80 selector:
- app: busybox-one
+ app: aks-helloworld-one
```
-And apply it to your cluster:
+Create a file named `aks-helloworld-two.yaml` with the following content:
+
+```yml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: aks-helloworld-two
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: aks-helloworld-two
+ template:
+ metadata:
+ labels:
+ app: aks-helloworld-two
+ spec:
+ containers:
+ - name: aks-helloworld-two
+ image: mcr.microsoft.com/azuredocs/aks-helloworld:v1
+ ports:
+ - containerPort: 80
+ env:
+ - name: TITLE
+ value: "AKS Ingress Demo"
+
+apiVersion: v1
+kind: Service
+metadata:
+ name: aks-helloworld-two
+spec:
+ type: ClusterIP
+ ports:
+ - port: 80
+ selector:
+ app: aks-helloworld-two
+```
+
+And apply them to your cluster:
```bash
-kubectl apply -f deployment.yaml -n $NAMESPACE
+kubectl apply -f aks-helloworld-one.yaml -n $NAMESPACE
+kubectl apply -f aks-helloworld-two.yaml -n $NAMESPACE
``` ## Deploy an ingress resource referencing the secret
-Finally, we can deploy a Kubernetes ingress resource referencing our secret. Create a file name `ingress.yaml` with the following content:
+Finally, we can deploy a Kubernetes ingress resource referencing our secret. Create a file name `hello-world-ingress.yaml` with the following content:
```yml apiVersion: networking.k8s.io/v1
kind: Ingress
metadata: name: ingress-tls annotations:
- kubernetes.io/ingress.class: nginx
- nginx.ingress.kubernetes.io/rewrite-target: /$1
+ nginx.ingress.kubernetes.io/rewrite-target: /$2
spec:
+ ingressClassName: nginx
tls: - hosts:
- - demo.test.com
+ - demo.azure.com
secretName: ingress-tls-csi rules:
- - host: demo.test.com
+ - host: demo.azure.com
http: paths:
- - backend:
+ - path: /hello-world-one(/|$)(.*)
+ pathType: Prefix
+ backend:
service:
- name: busybox-one
+ name: aks-helloworld-one
port: number: 80
- path: /(.*)
- - backend:
+ - path: /hello-world-two(/|$)(.*)
+ pathType: Prefix
+ backend:
service:
- name: busybox-two
+ name: aks-helloworld-two
+ port:
+ number: 80
+ - path: /(.*)
+ pathType: Prefix
+ backend:
+ service:
+ name: aks-helloworld-one
port: number: 80
- path: /two(/|$)(.*)
``` Make note of the `tls` section referencing the secret we've created earlier, and apply the file to your cluster: ```bash
-kubectl apply -f ingress.yaml -n $NAMESPACE
+kubectl apply -f hello-world-ingress.yaml -n $NAMESPACE
``` ## Obtain the external IP address of the ingress controller
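Review bot: in `hello-world-ingress.yaml` the paths now use regex captures (`/hello-world-one(/|$)(.*)`) with `rewrite-target: /$2`, yet the manifest declares `pathType: Prefix` and adds no `nginx.ingress.kubernetes.io/use-regex: "true"` annotation. ingress-nginx turns on regex matching when `rewrite-target` is present, so this works, but the Ingress API defines `Prefix` as segment-wise matching and regex characters there are a controller extension; `pathType: ImplementationSpecific`, or the explicit `use-regex` annotation, states the intent and survives stricter path validation in later controller versions. Replacing the `kubernetes.io/ingress.class` annotation with `spec.ingressClassName: nginx` also means the Ingress is silently ignored unless an `IngressClass` named `nginx` exists, so the text should tie this value to the class name used in the controller install step. Finally, in both `aks-helloworld-*.yaml` listings the Deployment and Service documents are separated only by a blank line; unless a `---` line was lost in rendering, `kubectl apply` rejects the file, so please confirm the separator is present.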
kubectl apply -f ingress.yaml -n $NAMESPACE
Use `kubectl get service` to obtain the external IP address for the ingress controller. ```bash
- kubectl get service -l app=nginx-ingress --namespace $NAMESPACE
+kubectl get service --namespace $NAMESPACE --selector app.kubernetes.io/name=ingress-nginx
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
-nginx-ingress-1588032400-controller LoadBalancer 10.0.255.157 52.xx.xx.xx 80:31293/TCP,443:31265/TCP 19m
+nginx-ingress-1588032400-controller LoadBalancer 10.0.255.157 EXTERNAL_IP 80:31293/TCP,443:31265/TCP 19m
nginx-ingress-1588032400-default-backend ClusterIP 10.0.223.214 <none> 80/TCP 19m ```
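Review bot: the selector changes to `app.kubernetes.io/name=ingress-nginx`, the label set by the `ingress-nginx/ingress-nginx` chart, but the sample output still lists the old `nginx-ingress-1588032400-controller` release name together with a `nginx-ingress-1588032400-default-backend` service; the ingress-nginx chart does not deploy a default backend unless `defaultBackend.enabled` is set, so this output looks stale relative to the new selector. Re-capture it from a cluster installed with the chart the article's install step now uses, so the service names and the selector agree, and keep the `EXTERNAL_IP` placeholder in the re-captured output.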
nginx-ingress-1588032400-default-backend ClusterIP 10.0.223.214 <none>
Use `curl` to verify your ingress has been properly configured with TLS. Be sure to use the external IP you've obtained from the previous step: ```bash
-curl -v -k --resolve demo.test.com:443:52.xx.xx.xx https://demo.test.com
+curl -v -k --resolve demo.azure.com:443:EXTERNAL_IP https://demo.azure.com
+```
-# You should see output similar to the following
-* subject: CN=demo.test.com; O=ingress-tls
-* start date: Oct 15 04:23:46 2021 GMT
-* expire date: Oct 15 04:23:46 2022 GMT
-* issuer: CN=demo.test.com; O=ingress-tls
+No additional path was provided with the address, so the ingress controller defaults to the */* route. The first demo application is returned, as shown in the following condensed example output:
+
+```console
+[...]
+<!DOCTYPE html>
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+ <link rel="stylesheet" type="text/css" href="/static/default.css">
+ <title>Welcome to Azure Kubernetes Service (AKS)</title>
+[...]
+```
+
+The *-v* parameter in our `curl` command outputs verbose information, including the TLS certificate received. Half-way through your curl output, you can verify that your own TLS certificate was used. The *-k* parameter continues loading the page even though we're using a self-signed certificate. The following example shows that the *issuer: CN=demo.azure.com; O=aks-ingress-tls* certificate was used:
+
+```
+[...]
+* Server certificate:
+* subject: CN=demo.azure.com; O=aks-ingress-tls
+* start date: Oct 22 22:13:54 2021 GMT
+* expire date: Oct 22 22:13:54 2022 GMT
+* issuer: CN=demo.azure.com; O=aks-ingress-tls
* SSL certificate verify result: self signed certificate (18), continuing anyway.
+[...]
+```
+
+Now add */hello-world-two* path to the address, such as `https://demo.azure.com/hello-world-two`. The second demo application with the custom title is returned, as shown in the following condensed example output:
+
+```
+curl -v -k --resolve demo.azure.com:443:EXTERNAL_IP https://demo.azure.com/hello-world-two
+
+[...]
+<!DOCTYPE html>
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+ <link rel="stylesheet" type="text/css" href="/static/default.css">
+ <title>AKS Ingress Demo</title>
+[...]
``` <!-- LINKS INTERNAL -->
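Review bot: the expected certificate fields change to `CN=demo.azure.com; O=aks-ingress-tls`, which only holds if the certificate generation step earlier in the article (not in this hunk) uses that subject; check that the `-subj` used there matches, otherwise the reader's comparison fails. Two formatting points: the fenced blocks at `* Server certificate:` and at the second `curl` call have no language tag while the first output block is tagged `console`, and the second block mixes the command with its output; tag both `console` and put the command in its own `bash` block, as for the first call. The prose is right that `-k` skips verification because the certificate is self-signed; add that the check the reader actually performs is matching the `subject`/`issuer` lines against the certificate they generated, since with `-k` curl would otherwise accept any certificate the endpoint presents.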
aks Quick Windows Container Deploy Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/learn/quick-windows-container-deploy-cli.md
spec:
limits: cpu: 1 memory: 800M
- requests:
- cpu: .1
- memory: 300M
ports: - containerPort: 80 selector:
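Review bot: dropping `requests` while keeping `limits` does not remove the reservation; when only limits are set, Kubernetes defaults the requests to the limits, so the pod now requests 1 CPU and 800M instead of 0.1 CPU and 300M, and on a small Windows node pool it may stay Pending. If the intent was to simplify the manifest, keep explicit `requests` (the removed values were sensible); if the intent was to lower the reservation, this change does the opposite.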
aks Quick Windows Container Deploy Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/learn/quick-windows-container-deploy-powershell.md
spec:
limits: cpu: 1 memory: 800M
- requests:
- cpu: .1
- memory: 300M
ports: - containerPort: 80 selector:
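Review bot: removing the `requests` block here raises the pod's effective reservation rather than lowering it: with `limits` present and no `requests`, Kubernetes sets requests equal to limits (1 CPU, 800M) instead of the removed 0.1 CPU and 300M, which can leave the pod Pending on a small Windows node pool. Keep explicit `requests` in this manifest.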
aks Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/policy-reference.md
the link in the **Version** column to view the source on the
[!INCLUDE [azure-policy-reference-rp-aks-containerservice](../../includes/policy/reference/byrp/microsoft.containerservice.md)]
-### AKS Engine
-- ## Next steps - See the built-ins on the [Azure Policy GitHub repo](https://github.com/Azure/azure-policy).
aks Release Tracker https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/release-tracker.md
description: Learn how to determine which Azure regions have the weekly AKS rele
Last updated 05/24/2022++ # AKS release tracker
+> [!NOTE]
+> The AKS release tracker is currently not accessible. When the feature is fully released, this article will be updated to include access instructions.
+ AKS releases weekly rounds of fixes and feature and component updates that affect all clusters and customers. However, these releases can take up to two weeks to roll out to all regions from the initial time of shipping due to Azure Safe Deployment Practices (SDP). It is important for customers to know when a particular AKS release is hitting their region, and the AKS release tracker provides these details in real time by versions and regions. ## Why release tracker?
aks Use Managed Identity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/use-managed-identity.md
A successful cluster creation using your own kubelet managed identity contains t
}, ```
-### Update an existing cluster using kubelet identity (Preview)
+### Update an existing cluster using kubelet identity
Update kubelet identity on an existing cluster with your existing identities.
-#### Install the `aks-preview` Azure CLI
-
-You also need the *aks-preview* Azure CLI extension version 0.5.64 or later. Install the *aks-preview* Azure CLI extension by using the [az extension add][az-extension-add] command. Or install any available updates by using the [az extension update][az-extension-update] command.
+#### Make sure the CLI version is 2.37.0 or later
```azurecli-interactive
-# Install the aks-preview extension
-az extension add --name aks-preview
+# Check the version of Azure CLI modules
+az version
-# Update the extension to make sure you have the latest version installed
-az extension update --name aks-preview
+# Upgrade the version to make sure it is 2.37.0 or later
+az upgrade
```
-#### Updating your cluster with kubelet identity (Preview)
+#### Updating your cluster with kubelet identity
Now you can use the following command to update your cluster with your existing identities. Provide the control plane identity id via `assign-identity` and the kubelet managed identity via `assign-kubelet-identity`:
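Review bot: the replaced steps no longer tell readers who followed the preview version of this section that the `aks-preview` extension is still installed on their machine and overrides the `az aks` command group, so after `az upgrade` an outdated or newer preview extension can still change the behaviour of `az aks update --assign-kubelet-identity`. Add a sentence that the preview extension is no longer required and can be removed with `az extension remove --name aks-preview`, and state the 2.37.0 requirement in the article's prerequisites as well, since the heading is the only place the number now appears.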
aks Use Network Policies https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/use-network-policies.md
This article shows you how to install the network policy engine and create Kuber
You need the Azure CLI version 2.0.61 or later installed and configured. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][install-azure-cli].
-> [!TIP]
-> If you used the network policy feature during preview, we recommend that you [create a new cluster](#create-an-aks-cluster-and-enable-network-policy).
->
-> If you wish to continue using existing test clusters that used network policy during preview, upgrade your cluster to a new Kubernetes versions for the latest GA release and then deploy the following YAML manifest to fix the crashing metrics server and Kubernetes dashboard. This fix is only required for clusters that used the Calico network policy engine.
->
-> As a security best practice, [review the contents of this YAML manifest][calico-aks-cleanup] to understand what is deployed into the AKS cluster.
->
-> `kubectl delete -f https://raw.githubusercontent.com/Azure/aks-engine/master/docs/topics/calico-3.3.1-cleanup-after-upgrade.yaml`
- ## Overview of network policy All pods in an AKS cluster can send and receive traffic without limitations, by default. To improve security, you can define rules that control the flow of traffic. Back-end applications are often only exposed to required front-end services, for example. Or, database components are only accessible to the application tiers that connect to them.
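Review bot: removing the tip also removes the only use of the `[calico-aks-cleanup]` reference-style link; if the link definition at the bottom of the article remains, it becomes an orphan and should be deleted in the same change. The removal itself is welcome: the tip had readers run `kubectl delete -f` against a raw GitHub URL in a repository outside this article's control, which is guidance the article should not keep.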
api-management Api Management Howto Create Or Invite Developers https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-create-or-invite-developers.md
When a developer is invited, an email is sent to the developer. This email is ge
Once the invitation is accepted, the account becomes active.
+Invitation link will be active for 2 days.
+ ## <a name="block-developer"> </a> Deactivate or reactivate a developer account By default, newly created or invited developer accounts are **Active**. To deactivate a developer account, click **Block**. To reactivate a blocked developer account, click **Activate**. A blocked developer account can't access the developer portal or call any APIs. To delete a user account, click **Delete**.
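Review bot: the added sentence "Invitation link will be active for 2 days." needs an article and a reference point; "The invitation link is valid for 2 days after it is sent." Placing it directly after the sentence describing the email, rather than as its own paragraph, keeps the expiry next to the action the reader takes.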
app-service Quickstart Python https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/quickstart-python.md
Title: 'Quickstart: Deploy a Python (Django or Flask) web app to Azure'
description: Get started with Azure App Service by deploying your first Python app to Azure App Service. Last updated 03/22/2022--++ ms.devlang: python
automation Automation Hrw Run Runbooks https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/automation-hrw-run-runbooks.md
Follow the next steps to use a managed identity for Azure resources on a Hybrid
For instance, a runbook with `Get-AzVM` can return all the VMs in the subscription with no call to `Connect-AzAccount`, and the user would be able to access Azure resources without having to authenticate within that runbook. You can disable context autosave in Azure PowerShell, as detailed [here](/powershell/azure/context-persistence?view=azps-7.3.2#save-azure-contexts-across-powershell-sessions).
-### Use runbook authentication with Run As account
+### Use runbook authentication with Hybrid Worker Credentials
-Instead of having your runbook provide its own authentication to local resources, you can specify a Run As account for a Hybrid Runbook Worker group. To specify a Run As account, you must define a [credential asset](./shared-resources/credentials.md) that has access to local resources. These resources include certificate stores and all runbooks run under these credentials on a Hybrid Runbook Worker in the group.
+Instead of having your runbook provide its own authentication to local resources, you can specify Hybrid Worker Credentials for a Hybrid Runbook Worker group. To specify a Hybrid Worker Credentials, you must define a [credential asset](./shared-resources/credentials.md) that has access to local resources. These resources include certificate stores and all runbooks run under these credentials on a Hybrid Runbook Worker in the group.
- The user name for the credential must be in one of the following formats:
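Review bot: "To specify a Hybrid Worker Credentials" in the rewritten paragraph has an article/number mismatch; write "To specify Hybrid Worker Credentials". The sentence "These resources include certificate stores and all runbooks run under these credentials on a Hybrid Runbook Worker in the group." is carried over unchanged and runs two statements together; split it into "These resources include certificate stores." and "All runbooks run under these credentials on a Hybrid Runbook Worker in the group."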
Instead of having your runbook provide its own authentication to local resources
- To use the PowerShell runbook **Export-RunAsCertificateToHybridWorker**, you need to install the Az modules for Azure Automation on the local machine.
-#### Use a credential asset to specify a Run As account
+#### Use a credential asset for a Hybrid Runbook Worker group
-Use the following procedure to specify a Run As account for a Hybrid Runbook Worker group:
+By default, the Hybrid jobs run under the context of System account. However, to run Hybrid jobs under a different credential asset, follow the steps:
1. Create a [credential asset](./shared-resources/credentials.md) with access to local resources. 1. Open the Automation account in the Azure portal. 1. Select **Hybrid Worker Groups**, and then select the specific group.
-1. Select **All settings**, followed by **Hybrid worker group settings**.
-1. Change the value of **Run As** from **Default** to **Custom**.
+1. Select **Settings**.
+1. Change the value of **Hybrid Worker credentials** from **Default** to **Custom**.
1. Select the credential and click **Save**.
+1. If the following permissions are not assigned for Custom users, jobs might get suspended.
+Use your discretion in assigning the elevated permissions corresponding to the following registry keys/folders:
+
+**Registry path**
+
+- HKLM\SYSTEM\CurrentControlSet\Services\EventLog (read) </br>
+- HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters (full access) </br>
+- HKLM\SOFTWARE\Microsoft\Wbem\CIMOM (full access) </br>
+- HKLM\Software\Policies\Microsoft\SystemCertificates\Root (full access) </br>
+- HKLM\Software\Microsoft\SystemCertificates (full access) </br>
+- HKLM\Software\Microsoft\EnterpriseCertificates (full access) </br>
+- HKLM\software\Microsoft\HybridRunbookWorker (full access) </br>
+- HKLM\software\Microsoft\HybridRunbookWorkerV2 (full access) </br>
+- HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed (full access) </br>
+- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\PnpLockdownFiles (full access) </br>
+
+**Folders**
+- C:\ProgramData\AzureConnectedMachineAgent\Tokens (read) </br>
+- C:\Packages\Plugins\Microsoft.Azure.Automation.HybridWorker.HybridWorkerForWindows\0.1.0.18\HybridWorkerPackage\HybridWorkerAgent (full access)
## <a name="runas-script"></a>Install Run As account certificate
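Review bot: the new permissions list grants a custom credential full access to `HKLM\Software\Policies\Microsoft\SystemCertificates\Root`, `HKLM\Software\Microsoft\SystemCertificates` and `HKLM\Software\Microsoft\EnterpriseCertificates`; write access to these keys lets the account add certificates to the machine's trusted root and enterprise stores, which is an administrator-level capability, so the article should explain why the worker needs write rather than read on them and recommend read-only where the agent only consumes the stores. "Use your discretion in assigning the elevated permissions" is too vague for a step that says jobs are otherwise suspended; state which entries are required and which are optional. Smaller points: the folder path hard-codes extension version `0.1.0.18`, which changes with every extension update, so use a version placeholder; `</br>` is not valid HTML and is unnecessary at the end of list items; and `HKEY_CURRENT_USER\...\Disallowed` is the only HKCU entry in an otherwise HKLM list, so say that it applies to the credential user's own hive.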
automation Extension Based Hybrid Runbook Worker Install https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/extension-based-hybrid-runbook-worker-install.md
To create a hybrid worker group in the Azure portal, follow these steps:
1. From the **Basics** tab, in the **Name** text box, enter a name for your Hybrid worker group.
-1. For the **Use run as credential** option:
+1. For the **Use Hybrid Worker Credentials** option:
- - If you select **No**, the hybrid extension will be installed using the local system account.
- - If you select **Yes**, then from the drop-down list, select the credential asset.
+ - If you select **Default**, the hybrid extension will be installed using the local system account.
+ - If you select **Custom**, then from the drop-down list, select the credential asset.
1. Select **Next** to advance to the **Hybrid workers** tab. You can select Azure virtual machines or Azure Arc-enabled servers to be added to this Hybrid worker group. If you don't select any machines, an empty Hybrid worker group will be created. You can still add machines later.
To install and use Hybrid Worker extension using REST API, follow these steps. T
1. Get the automation account details using this API call. ```http
- GET https://westcentralus.management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Automation/automationAccounts/{automationAccountName}?api-version=2021-06-22
+ GET https://westcentralus.management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Automation/automationAccounts/HybridWorkerExtension?api-version=2021-06-22
```
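Review bot: in the "Get the automation account details" call the `{automationAccountName}` placeholder has been replaced with the literal `HybridWorkerExtension`, so the URL now requests an automation account named HybridWorkerExtension; this looks like a find-and-replace intended only for the VM extension name in the later PUT. Restore `{automationAccountName}` here.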
To install and use Hybrid Worker extension using REST API, follow these steps. T
1. Install the Hybrid Worker Extension on Azure VM by using the following API call. ```http
- PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/virtualMachines/{vmName}/extensions/{vmExtensionName}?api-version=2021-11-01
+ PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/virtualMachines/{vmName}/extensions/HybridWorkerExtension?api-version=2021-11-01
```
azure-app-configuration Concept Soft Delete https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-app-configuration/concept-soft-delete.md
Purge is the operation to permanently delete the stores in a soft deleted state,
## Purge protection With Purge protection enabled, soft deleted stores can't be purged in the retention period. If disabled, the soft deleted store can be purged before the retention period expires. Once purge protection is enabled on a store, it can't be disabled.
-## Permissions to recover or purge store
+## Permissions to recover a deleted store
-A user has to have below permissions to recover or purge a soft-deleted app configuration store. The built-in Contributor and Owner roles already have the required permissions to recover and purge.
+- `Microsoft.AppConfiguration/configurationStores/write`
-- Permission to recover - `Microsoft.AppConfiguration/configurationStores/write`
+To recover a deleted App Configuration store the `Microsoft.AppConfiguration/configurationStores/write` permission is needed. The built-in "Owner" and "Contributor" roles contain this permission by default. The permission can be assigned at the subscription or resource group scope.
-- Permission to purge - `Microsoft.AppConfiguration/configurationStores/action`
+## Permissions to read and purge deleted stores
+
+* Read: `Microsoft.AppConfiguration/locations/deletedConfigurationStores/read`
+* Purge: `Microsoft.AppConfiguration/locations/deletedConfigurationStores/purge/action`
+
+To list deleted App Configuration stores, or get an individual store by name the `Microsoft.AppConfiguration/locations/deletedConfigurationStores/read` permission is needed. To purge a deleted App Configuration store the `Microsoft.AppConfiguration/locations/deletedConfigurationStores/purge/action` permission is needed. The built-in "Owner" and "Contributor" roles contain these permissions by default. Permissions for reading and purging deleted App Configuration stores must be assigned at the subscription level. This is because deleted configuration stores exist outside of individual resource groups.
## Billing implications
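Review bot: the recover section lists the permission as a bare `- ` bullet before the sentence that explains it, while the new purge section uses `*` bullets followed by the explanation; use one bullet style and one order (lead sentence, then bullets) for both. This is a substantive change, not only a heading rename: the purge permission moves from `Microsoft.AppConfiguration/configurationStores/action` to `Microsoft.AppConfiguration/locations/deletedConfigurationStores/purge/action` and must be assigned at subscription scope, so custom roles scoped to a resource group lose the ability to purge; say that explicitly, since the paragraph currently only notes that the built-in Owner and Contributor roles contain it. The renamed anchor `#permissions-to-recover-a-deleted-store` also breaks existing links to `#permissions-to-recover-or-purge-store`; the how-to article is fixed in this same batch, but any other inbound links need the same update.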
azure-app-configuration Howto Recover Deleted Stores In Azure App Configuration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-app-configuration/howto-recover-deleted-stores-in-azure-app-configuration.md
To learn more about the concept of soft delete feature, see [Soft-Delete in Azur
* An Azure subscription - [create one for free](https://azure.microsoft.com/free/dotnet)
-* Refer to the [Soft-Delete in Azure App Configuration](./concept-soft-delete.md#permissions-to-recover-or-purge-store) for permissions requirements.
+* Refer to the [Soft-Delete in Azure App Configuration](./concept-soft-delete.md#permissions-to-recover-a-deleted-store) section for permissions requirements.
## Set retention policy and enable purge protection at store creation
azure-arc Upload Logs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/data/upload-logs.md
description: Upload logs for Azure Arc-enabled data services to Azure Monitor
--++ Previously updated : 11/03/2021 Last updated : 05/27/2022
echo $WORKSPACE_SHARED_KEY
With the environment variables set, you can upload logs to the log workspace.
-## Upload logs to Azure Log Analytics Workspace in direct mode
+## Configure automatic upload of logs to Azure Log Analytics Workspace in direct mode using `az` CLI
-In the **direct** connected mode, Logs upload can only be setup in **automatic** mode. This automatic upload of metrics can be setup either during deployment or post deployment of Azure Arc data controller.
+In the **direct** connected mode, Logs upload can only be set up in **automatic** mode. This automatic upload of metrics can be set up either during deployment or post deployment of Azure Arc data controller.
### Enable automatic upload of logs to Azure Log Analytics Workspace
az arcdata dc update --name <name of datacontroller> --resource-group <resource
az arcdata dc update --name arcdc --resource-group <myresourcegroup> --auto-upload-logs true ```
-### Disable automatic upload of logs to Azure Log Analytics Workspace
+### Enable automatic upload of logs to Azure Log Analytics Workspace
If the automatic upload of logs was enabled during Azure Arc data controller deployment, run the below command to disable automatic upload of logs. ```
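Review bot: the heading is changed from "Disable automatic upload of logs ..." to "Enable automatic upload of logs ...", but the paragraph under it still says "run the below command to disable automatic upload of logs" and the command sets `--auto-upload-logs false`; the removed heading was correct, and the section now carries the same title as the one above it. Revert this line to "Disable".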
az arcdata dc update --name <name of datacontroller> --resource-group <resource
az arcdata dc update --name arcdc --resource-group <myresourcegroup> --auto-upload-logs false ```
-## Upload logs to Azure Monitor in indirect mode
+## Configure automatic upload of logs to Azure Log Analytics Workspace in **direct** mode using `kubectl` CLI
+
+### Enable automatic upload of logs to Azure Log Analytics Workspace
+
+To configure automatic upload of logs using ```kubectl```:
+
+- ensure the Log Analytics Workspace is created as described in the earlier section
+- create a Kubernetes secret for the Log Analytics workspace using the ```WorkspaceID``` and `SharedAccessKey` as follows:
+
+```
+apiVersion: v1
+data:
+ primaryKey: <base64 encoding of Azure Log Analytics workspace primary key>
+ workspaceId: <base64 encoding of Azure Log Analytics workspace Id>
+kind: Secret
+metadata:
+ name: log-workspace-secret
+ namespace: <your datacontroller namespace>
+type: Opaque
+```
+
+- To create the secret, run:
+
+ ```console
+ kubectl apply -f <myLogAnalyticssecret.yaml> --namespace <mynamespace>
+ ```
+
+- To open the settings as a yaml file in the default editor, run:
+
+ ```console
+ kubectl edit datacontroller <DC name> --name <namespace>
+ ```
+
+- update the autoUploadLogs property to ```"true"```, and save the file
+++
+### Enable automatic upload of logs to Azure Log Analytics Workspace
+
+To disable automatic upload of logs, run:
+
+```console
+kubectl edit datacontroller <DC name> --name <namespace>
+```
+
+- update the autoUploadLogs property to `"false"`, and save the file
+
+## Upload logs to Azure Monitor in **indirect** mode
To upload logs for your Azure Arc-enabled SQL managed instances and Azure Arc-enabled PostgreSQL Hyperscale server groups run the following CLI commands-
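Review bot: `kubectl edit datacontroller <DC name> --name <namespace>`, used twice in the new kubectl section, is not a valid invocation; `kubectl edit` has no `--name` flag and the namespace is passed as `--namespace <namespace>` (or `-n`). The second subsection heading added here, "Enable automatic upload of logs to Azure Log Analytics Workspace", introduces the steps that set `autoUploadLogs` to `"false"` and duplicates the heading above it, so it should read "Disable ...". The stray `++` line after "save the file" looks like a merge artefact and should go. For the secret manifest, add one sentence that `primaryKey` is only base64-encoded, not encrypted, so the YAML file holding the workspace key should not be committed to source control and access to the secret should be limited with namespace RBAC; `kubectl create secret generic log-workspace-secret --from-literal=...` also avoids hand-encoding the values. The bullet names the inputs `WorkspaceID` and `SharedAccessKey`, which match neither the secret's `workspaceId`/`primaryKey` keys nor the `WORKSPACE_SHARED_KEY` variable used earlier in the article; align the names.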
Once your logs are uploaded, you should be able to query them using the log quer
If you want to upload metrics and logs on a scheduled basis, you can create a script and run it on a timer every few minutes. Below is an example of automating the uploads using a Linux shell script.
-In your favorite text/code editor, add the following script to the file and save as a script executable file such as .sh (Linux/Mac) or .cmd, .bat, .ps1.
+In your favorite text/code editor, add the following script to the file and save as a script executable file - such as .sh for Linux/Mac, or .cmd, .bat, or .ps1 for Windows.
```azurecli az arcdata dc export --type logs --path logs.json --force --k8s-namespace arc
azure-functions Dotnet Isolated Process Guide https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/dotnet-isolated-process-guide.md
A .NET isolated function project is basically a .NET console app project that ta
+ Program.cs file that's the entry point for the app. + Any code files [defining your functions](#bindings).
-For complete examples, see the [.NET 6 isolated sample project](https://github.com/Azure/azure-functions-dotnet-worker/tree/main/samples/FunctionApp) and the [.NET Framework 4.8 isolated sample project](https://github.com/Azure/azure-functions-dotnet-worker/tree/main/samples/NetFxWorker).
+For complete examples, see the [.NET 6 isolated sample project](https://github.com/Azure/azure-functions-dotnet-worker/tree/main/samples/FunctionApp) and the [.NET Framework 4.8 isolated sample project](https://go.microsoft.com/fwlink/p/?linkid=2197310).
> [!NOTE] > To be able to publish your isolated function project to either a Windows or a Linux function app in Azure, you must set a value of `dotnet-isolated` in the remote [FUNCTIONS_WORKER_RUNTIME](functions-app-settings.md#functions_worker_runtime) application setting. To support [zip deployment](deployment-zip-push.md) and [running from the deployment package](run-functions-from-deployment-package.md) on Linux, you also need to update the `linuxFxVersion` site config setting to `DOTNET-ISOLATED|6.0`. To learn more, see [Manual version updates on Linux](set-runtime-version.md#manual-version-updates-on-linux).
azure-functions Functions Add Output Binding Storage Queue Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/functions-add-output-binding-storage-queue-cli.md
mvn azure-functions:deploy
# [Browser](#tab/browser)
- Copy the complete **Invoke URL** shown in the output of the publish command into a browser address bar, appending the query parameter `&name=Functions`. The browser should display similar output as when you ran the function locally.
-
- ![The output of the function runs on Azure in a browser](./media/functions-add-output-binding-storage-queue-cli/function-test-cloud-browser.png)
+ Copy the complete **Invoke URL** shown in the output of the publish command into a browser address bar, appending the query parameter `&name=Functions`. The browser should display the same output as when you ran the function locally.
# [curl](#tab/curl)
- Run [`curl`](https://curl.haxx.se/) with the **Invoke URL**, appending the parameter `&name=Functions`. The output of the command should be the text, "Hello Functions."
-
- ![The output of the function runs on Azure using CURL](./media/functions-add-output-binding-storage-queue-cli/function-test-cloud-curl.png)
+ Run [`curl`](https://curl.haxx.se/) with the **Invoke URL**, appending the parameter `&name=Functions`. The output should be the same as when you ran the function locally.
azure-functions Functions Bindings Mobile Apps https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/functions-bindings-mobile-apps.md
The following table explains the binding configuration properties that you set i
| **name**| n/a | Name of output parameter in function signature.| |**tableName** |**TableName**|Name of the mobile app's data table| |**connection**|**MobileAppUriSetting**|The name of an app setting that has the mobile app's URL. The function uses this URL to construct the required REST operations against your mobile app. Create an app setting in your function app that contains the mobile app's URL, then specify the name of the app setting in the `connection` property in your input binding. The URL looks like `http://<appname>.azurewebsites.net`.
-|**apiKey**|**ApiKeySetting**|The name of an app setting that has your mobile app's API key. Provide the API key if you implement an API key in your Node.js mobile app backend, or [implement an API key in your .NET mobile app backend](https://github.com/Azure/azure-mobile-apps-net-server/wiki/Implementing-Application-Key). To provide the key, create an app setting in your function app that contains the API key, then add the `apiKey` property in your input binding with the name of the app setting. |
+|**apiKey**|**ApiKeySetting**|The name of an app setting that has your mobile app's API key. Provide the API key if you implement an API key in your Node.js mobile app backend, or implement an API key in your .NET mobile app backend. To provide the key, create an app setting in your function app that contains the API key, then add the `apiKey` property in your input binding with the name of the app setting. |
[!INCLUDE [app settings to local.settings.json](../../includes/functions-app-settings-local.md)]
azure-functions Functions Bindings Storage Blob https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/functions-bindings-storage-blob.md
Functions 1.x apps automatically have a reference to the extension.
## host.json settings
-This section describes the function app configuration settings available for functions that this binding. These settings only apply when using extension version 5.0.0 and higher. The example host.json file below contains only the version 2.x+ settings for this binding. For more information about function app configuration settings in versions 2.x and later versions, see [host.json reference for Azure Functions](functions-host-json.md).
+This section describes the function app configuration settings available for functions that use this binding. These settings only apply when using extension version 5.0.0 and higher. The example host.json file below contains only the version 2.x+ settings for this binding. For more information about function app configuration settings in versions 2.x and later versions, see [host.json reference for Azure Functions](functions-host-json.md).
> [!NOTE] > This section doesn't apply to extension versions before 5.0.0. For those earlier versions, there aren't any function app-wide configuration settings for blobs.
azure-monitor Alerts Log https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/alerts-log.md
You can also [create log alert rules using Azure Resource Manager templates](../
|Field |Description | |||
- |Dimension name|Dimensions can be either number or string columns. Dimensions are used to monitor specific time series and provide context to a fired alert.<br>Splitting on the Azure Resource ID column makes the specified resource into the alert target. If an Resource ID column is detected, it is selected automatically and changes the context of the fired alert to the record's resource. |
+ |Dimension name|Dimensions can be either number or string columns. Dimensions are used to monitor specific time series and provide context to a fired alert.<br>Splitting on the Azure Resource ID column makes the specified resource into the alert target. If a Resource ID column is detected, it is selected automatically and changes the context of the fired alert to the record's resource. |
|Operator|The operator used on the dimension name and value. | |Dimension values|The dimension values are based on data from the last 48 hours. Select **Add custom value** to add custom dimension values. |
You can also [create log alert rules using Azure Resource Manager templates](../
> [!NOTE] > This section above describes creating alert rules using the new alert rule wizard. > The new alert rule experience is a little different than the old experience. Please note these changes:
-> - Previously, search results were included in the payloads of the triggered alert and its associated notifications. This was a limited and error prone solution. To get detailed context information about the alert so that you can decide on the appropriate action :
-> - The recommended best practice it to use [Dimensions](alerts-unified-log.md#split-by-alert-dimensions). Dimensions provide the column value that fired the alert, giving you context for why the alert fired and how to fix the issue.
-> - When you need to investigate in the logs, use the link in the alert to the search results in Logs.
-> - If you need the raw search results or for any other advanced customizations, use Logic Apps.
+> - Previously, search results were included in the payloads of the triggered alert and its associated notifications. This was a limited solution, since the email included only 10 rows from the unfiltered results while the webhook payload contained 1000 unfiltered results.
+> To get detailed context information about the alert so that you can decide on the appropriate action :
+> - We recommend using [Dimensions](alerts-unified-log.md#split-by-alert-dimensions). Dimensions provide the column value that fired the alert, giving you context for why the alert fired and how to fix the issue.
+> - When you need to investigate in the logs, use the link in the alert to the search results in Logs.
+> - If you need the raw search results or for any other advanced customizations, use Logic Apps.
> - The new alert rule wizard does not support customization of the JSON payload. > - Use custom properties in the [new API](/rest/api/monitor/scheduledqueryrule-2021-08-01/scheduled-query-rules/create-or-update#actions) to add static parameters and associated values to the webhook actions triggered by the alert. > - For more advanced customizations, use Logic Apps.
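Review bot: in the rewritten bullets, `appropriate action :` (the second `+` line) keeps a stray space before the colon, and because that line follows the `> - Previously, ...` bullet with no empty `>` line between them, Markdown renders it as a lazy continuation of that bullet rather than as the introduction to the three sub-bullets that follow; insert a bare `>` line before it, or indent the three `> - ` lines beneath it. The concrete figures (email limited to 10 rows, webhook payload carrying 1000 unfiltered results) are a clear improvement over "limited and error prone", so keep them, but the sentence "Please note these changes:" in the unchanged context should be followed by the bullets directly, which the fix above also achieves.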
azure-monitor Itsmc Connections https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/itsmc-connections.md
To set up your ITSM environment:
1. Connect to your ITSM. - For ServiceNow ITSM, see [the ServiceNow connection instructions](./itsmc-connections-servicenow.md).
- - For SCSM, see [the System Center Service Manager connection instructions](./itsmc-connections-scsm.md).
+ - For SCSM, see [the System Center Service Manager connection instructions](/azure/azure-monitor/alerts/itsmc-connections).
>[!NOTE] > As of March 1, 2022, System Center ITSM integrations with Azure alerts is no longer enabled for new customers. New System Center ITSM Connections are not supported.
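Review bot: the new SCSM link `/azure/azure-monitor/alerts/itsmc-connections` points at this article itself (itsmc-connections.md), so the bullet now sends readers in a circle. Since the note directly below says System Center ITSM connections are no longer enabled for new customers and the dedicated SCSM page link was dropped, either remove the SCSM bullet or turn it into plain text that refers to that note; if the old page still exists for existing customers, keep a working link rather than the circular one.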
azure-monitor Itsmc Definition https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/itsmc-definition.md
After you've prepped your ITSM tool, complete these steps to create a connection
1. Specify the connection settings for the ITSM product that you're using: - [ServiceNow](./itsmc-connections-servicenow.md)
- - [System Center Service Manager](./itsmc-connections-scsm.md)
+ - [System Center Service Manager](/azure/azure-monitor/alerts/itsmc-connections)
> [!NOTE] > By default, ITSMC refreshes the connection's configuration data once every 24 hours. To refresh your connection's data instantly to reflect any edits or template updates that you make, select the **Sync** button on your connection's pane:
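Review bot: the System Center Service Manager bullet now links to the general connections page instead of SCSM-specific instructions, while still presenting SCSM as a selectable connection type; add the same "not supported for new customers" note that itsmc-connections.md carries (or drop the bullet) so existing customers know where to look and new customers are not led into an unsupported setup.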
azure-monitor Live Stream https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/live-stream.md
Title: Diagnose with Live Metrics Stream - Azure Application Insights description: Monitor your web app in real time with custom metrics, and diagnose issues with a live feed of failures, traces, and events. Previously updated : 10/12/2021 Last updated : 05/31/2022 ms.devlang: csharp
Monitor your live, in-production web application by using Live Metrics Stream (a
With Live Metrics Stream, you can:
-* Validate a fix while it is released, by watching performance and failure counts.
+* Validate a fix while it's released, by watching performance and failure counts.
* Watch the effect of test loads, and diagnose issues live. * Focus on particular test sessions or filter out known issues, by selecting and filtering the metrics you want to watch. * Get exception traces as they happen.
Live Metrics are currently supported for ASP.NET, ASP.NET Core, Azure Functions,
### Enable LiveMetrics using code for any .NET application
-Even though LiveMetrics is enabled by default when onboarding using recommended instructions for .NET Applications, the following shows how to setup Live Metrics
+Even though LiveMetrics is enabled by default when onboarding using recommended instructions for .NET Applications, the following shows how to set up Live Metrics
manually. 1. Install the NuGet package [Microsoft.ApplicationInsights.PerfCounterCollector](https://www.nuget.org/packages/Microsoft.ApplicationInsights.PerfCounterCollector)
namespace LiveMetricsDemo
} ```
-While the above sample is for a console app, the same code can be used in any .NET applications. If any other TelemetryModules are enabled which auto-collects telemetry, it is important to ensure the same configuration used for initializing those modules is used for Live Metrics module as well.
+While the above sample is for a console app, the same code can be used in any .NET applications. If any other TelemetryModules are enabled which auto-collects telemetry, it's important to ensure the same configuration used for initializing those modules is used for Live Metrics module as well.
## How does Live Metrics Stream differ from Metrics Explorer and Analytics?
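Review bot: the `+` line still reads "in any .NET applications" and "any other TelemetryModules are enabled which auto-collects telemetry"; make the number agree ("in any .NET application", "modules ... that auto-collect telemetry") and add the article in "for the Live Metrics module". Since this commit already touches the sentence for the contraction, it's the right moment to fix it.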
While the above sample is for a console app, the same code can be used in any .N
|**Latency**|Data displayed within one second|Aggregated over minutes| |**No retention**|Data persists while it's on the chart, and is then discarded|[Data retained for 90 days](./data-retention-privacy.md#how-long-is-the-data-kept)| |**On demand**|Data is only streamed while the Live Metrics pane is open |Data is sent whenever the SDK is installed and enabled|
-|**Free**|There is no charge for Live Stream data|Subject to [pricing](../logs/cost-logs.md#application-insights-billing)
+|**Free**|There's no charge for Live Stream data|Subject to [pricing](../logs/cost-logs.md#application-insights-billing)
|**Sampling**|All selected metrics and counters are transmitted. Failures and stack traces are sampled. |Events may be [sampled](./api-filtering-sampling.md)| |**Control channel**|Filter control signals are sent to the SDK. We recommend you secure this channel.|Communication is one way, to the portal|
While the above sample is for a console app, the same code can be used in any .N
(Available with ASP.NET, ASP.NET Core, and Azure Functions (v2).)
-You can monitor custom KPI live by applying arbitrary filters on any Application Insights telemetry from the portal. Click the filter control that shows when you mouse-over any of the charts. The following chart is plotting a custom Request count KPI with filters on URL and Duration attributes. Validate your filters with the Stream Preview section that shows a live feed of telemetry that matches the criteria you have specified at any point in time.
+You can monitor custom KPI live by applying arbitrary filters on any Application Insights telemetry from the portal. Select the filter control that shows when you mouse-over any of the charts. The following chart is plotting a custom Request count KPI with filters on URL and Duration attributes. Validate your filters with the Stream Preview section that shows a live feed of telemetry that matches the criteria you've specified at any point in time.
![Filter request rate](./media/live-stream/filter-request.png)
In addition to Application Insights telemetry, you can also monitor any Windows
Live metrics are aggregated at two points: locally on each server, and then across all servers. You can change the default at either by selecting other options in the respective drop-downs. ## Sample Telemetry: Custom Live Diagnostic Events
-By default, the live feed of events shows samples of failed requests and dependency calls, exceptions, events, and traces. Click the filter icon to see the applied criteria at any point in time.
+By default, the live feed of events shows samples of failed requests and dependency calls, exceptions, events, and traces. Select the filter icon to see the applied criteria at any point in time.
![Filter button](./media/live-stream/filter.png)
-As with metrics, you can specify any arbitrary criteria to any of the Application Insights telemetry types. In this example, we are selecting specific request failures, and events.
+As with metrics, you can specify any arbitrary criteria to any of the Application Insights telemetry types. In this example, we're selecting specific request failures, and events.
![Query Builder](./media/live-stream/query-builder.png)
For Azure Function Apps (v2), securing the channel with an API key can be accomp
Create an API key from within your Application Insights resource and go to **Settings > Configuration** for your Function App. Select **New application setting** and enter a name of `APPINSIGHTS_QUICKPULSEAUTHAPIKEY` and a value that corresponds to your API key.
-However, if you recognize and trust all the connected servers, you can try the custom filters without the authenticated channel. This option is available for six months. This override is required once every new session, or when a new server comes online.
+Securing the control channel is not necessary if you recognize and trust all the connected servers. This option is made available so that you can try custom filters without having to set up an authenticated channel. If you choose this option you will have to authorize the connected servers once every new session or when a new server comes online. We strongly discourage the use of unsecured channels and will disable this option 6 months after you start using it. To use custom filters without a secure channel simply click on any of the filter icons and authorize the connected servers. The ΓÇ£Authorize connected serversΓÇ¥ dialog displays the date (highlighted below) after which this option will be disabled.
-![Live Metrics Auth options](./media/live-stream/live-stream-auth.png)
> [!NOTE] > We strongly recommend that you set up the authenticated channel before entering potentially sensitive information like CustomerID in the filter criteria.
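Review bot: the new paragraph opens with "Securing the control channel is not necessary if you recognize and trust all the connected servers", which contradicts the table row above ("We recommend you secure this channel") and the NOTE directly below that strongly recommends the authenticated channel; lead with the recommendation and present the unauthenticated path as the time-limited trial option that the rest of the paragraph describes. The same `+` line says the disable date is "(highlighted below)", but this hunk deletes the `![Live Metrics Auth options]` screenshot that showed it, leaving a dangling reference; keep the image or drop the parenthetical. It also uses "simply click on" while the rest of this commit replaces "Click" with "Select", and the quotes around Authorize connected servers are mis-encoded (`ΓÇ£ ... ΓÇ¥`) and should be plain quotation marks.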
azure-monitor Cost Logs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/logs/cost-logs.md
When Microsoft Sentinel is enabled in a Log Analytics workspace, all data collec
- [SecurityDetection](/azure/azure-monitor/reference/tables/securitydetection) - [SecurityEvent](/azure/azure-monitor/reference/tables/securityevent) - [WindowsFirewall](/azure/azure-monitor/reference/tables/windowsfirewall)-- [MaliciousIPCommunication](/azure/azure-monitor/reference/tables/maliciousipcommunication) - [LinuxAuditLog](/azure/azure-monitor/reference/tables/linuxauditlog) - [SysmonEvent](/azure/azure-monitor/reference/tables/sysmonevent) - [ProtectionStatus](/azure/azure-monitor/reference/tables/protectionstatus)
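Review bot: the list loses `[MaliciousIPCommunication]` with no accompanying text; if that table is no longer among the data types covered here when Microsoft Sentinel is enabled, a sentence saying so (and from when) would let customers who notice a change in billed ingestion reconcile it, rather than discovering the change by diffing the page.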
azure-monitor Customer Managed Keys https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/logs/customer-managed-keys.md
Customer-Managed key is provided on dedicated cluster and these operations are r
## Limitations and constraints -- The max number of cluster per region and subscription is two.
+- A maximum of five active clusters can be created in each region and subscription.
-- The maximum number of workspaces that can be linked to a cluster is 1000.
+- A maximum number of seven reserved clusters (active or recently deleted) can exist in each region and subscription.
-- You can link a workspace to your cluster and then unlink it. The number of workspace link operations on particular workspace is limited to two in a period of 30 days.
+- A maximum of 1,000 Log Analytics workspaces can be linked to a cluster.
-- Customer-managed key encryption applies to newly ingested data after the configuration time. Data that was ingested prior to the configuration, remains encrypted with Microsoft key. You can query data ingested before and after the Customer-managed key configuration seamlessly.--- The Azure Key Vault must be configured as recoverable. These properties aren't enabled by default and should be configured using CLI or PowerShell:<br>
- - [Soft Delete](../../key-vault/general/soft-delete-overview.md).
- - [Purge protection](../../key-vault/general/soft-delete-overview.md#purge-protection) should be turned on to guard against force deletion of the secret, vault even after soft delete.
--- Cluster move to another resource group or subscription isn't supported currently.
+- A maximum of two workspace link operations on particular workspace is allowed in 30 day period.
-- Your Azure Key Vault, cluster and workspaces must be in the same region and in the same Azure Active Directory (Azure AD) tenant, but they can be in different subscriptions.
+- Moving a cluster to another resource group or subscription isn't currently supported.
- Cluster update should not include both identity and key identifier details in the same operation. In case you need to update both, the update should be in two consecutive operations.
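Review bot: two of the new bullets need a grammar pass: "A maximum number of seven reserved clusters (active or recently deleted) can exist" should read "A maximum of seven reserved clusters ...", and "A maximum of two workspace link operations on particular workspace is allowed in 30 day period" should be "on a particular workspace are allowed in a 30-day period". Since the limits themselves change (two clusters per region and subscription becomes five active plus seven reserved), say what "recently deleted" means for the reserved count, as the old bullet had no such notion.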
Customer-Managed key is provided on dedicated cluster and these operations are r
- If you create a cluster and get an errorΓÇö"region-name doesnΓÇÖt support Double Encryption for clusters", you can still create the cluster without Double encryption, by adding `"properties": {"isDoubleEncryptionEnabled": false}` in the REST request body. - Double encryption setting can not be changed after the cluster has been created.
- - Setting the cluster's `identity` `type` to `None` also revokes access to your data, but this approach isn't recommended since you can't revert it without contacting support. The recommended way to revoke access to your data is [key revocation](#key-revocation).
+Deleting a linked workspace is permitted while linked to cluster. If you decide to [recover](./delete-workspace.md#recover-workspace) the workspace during the [soft-delete](./delete-workspace.md#soft-delete-behavior) period, it returns to previous state and remains linked to cluster.
+
+- Customer-managed key encryption applies to newly ingested data after the configuration time. Data that was ingested prior to the configuration, remains encrypted with Microsoft key. You can query data ingested before and after the Customer-managed key configuration seamlessly.
+
+- The Azure Key Vault must be configured as recoverable. These properties aren't enabled by default and should be configured using CLI or PowerShell:<br>
+ - [Soft Delete](../../key-vault/general/soft-delete-overview.md).
+ - [Purge protection](../../key-vault/general/soft-delete-overview.md#purge-protection) should be turned on to guard against force deletion of the secret, vault even after soft delete.
+
+- Your Azure Key Vault, cluster and workspaces must be in the same region and in the same Azure Active Directory (Azure AD) tenant, but they can be in different subscriptions.
+
+- Setting the cluster's `identity` `type` to `None` also revokes access to your data, but this approach isn't recommended since you can't revert it without contacting support. The recommended way to revoke access to your data is [key revocation](#key-revocation).
- - You can't use Customer-managed key with User-assigned managed identity if your Key Vault is in Private-Link (vNet). You can use System-assigned managed identity in this scenario.
+- You can't use Customer-managed key with User-assigned managed identity if your Key Vault is in Private-Link (vNet). You can use System-assigned managed identity in this scenario.
## Troubleshooting
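Review bot: the new line "Deleting a linked workspace is permitted while linked to cluster ..." is inserted as a bare paragraph between list items, so it splits the Limitations list into two lists in rendered output; prefix it with `- ` (and add the articles: "to a cluster", "to its previous state"). In the relocated Key Vault bullet, "guard against force deletion of the secret, vault even after soft delete" should name what is protected, for example "of the key or the vault". The unchanged context line still carries mis-encoded characters in `errorΓÇö"region-name doesnΓÇÖt support`, worth fixing while this section is being reshuffled.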
azure-monitor Tutorial Custom Logs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/logs/tutorial-custom-logs.md
Instead of directly configuring the schema of the table, the portal allows you t
```kusto source | extend TimeGenerated = todatetime(Time)
- | parse RawData.value with
+ | parse RawData with
ClientIP:string ' ' * ' ' *
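Review bot: `parse RawData with` is the right form, since `parse` takes a string expression and `RawData` is the raw string column of the custom log input stream, so the previous `RawData.value` could not have worked. With the source column corrected, confirm that the pattern on the next line (`ClientIP:string ' ' * ' ' *`) still matches the sample records used earlier in the tutorial, because a non-matching pattern yields empty columns rather than an error.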
azure-monitor Workbooks Chart Visualizations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/visualize/workbooks-chart-visualizations.md
requests
| summarize Request = count() by bin(timestamp, 1h), RequestName = name ```
-Even though the underlying result set is different. All a user has to do is set the visualization to area, line, bar, or time and Workbooks will take care of the rest.
+Even though the queries return results in different formats, when a user sets the visualization to area, line, bar, or time, Workbooks understands how to handle the data to create the visualization.
[![Screenshot of a log line chart made from a make-series query](./media/workbooks-chart-visualizations/log-chart-line-make-series.png)](./media/workbooks-chart-visualizations/log-chart-line-make-series.png#lightbox)
The series setting tab lets you adjust the labels and colors shown for series in
## Next steps - Learn how to create a [tile in workbooks](workbooks-tile-visualizations.md).-- Learn how to create [interactive workbooks](workbooks-interactive.md).
+- Learn how to create [interactive workbooks](workbooks-interactive.md).
azure-portal How To Create Azure Support Request https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-portal/supportability/how-to-create-azure-support-request.md
Follow these links to learn more:
* [Azure support ticket REST API](/rest/api/support) * Engage with us on [Twitter](https://twitter.com/azuresupport) * Get help from your peers in the [Microsoft Q&A question page](/answers/products/azure)
-* Learn more in [Azure Support FAQ](https://azure.microsoft.com/support/faq)
+* Learn more in [Azure Support FAQ](https://azure.microsoft.com/support/faq)
azure-resource-manager Tag Resources https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/management/tag-resources.md
The following limitations apply to tags:
> * Azure Automation > * Azure Content Delivery Network (CDN) > * Azure DNS (Zone and A records)
- > * Azure Private DNS (Zone, A records, and virtual network link)
## Next steps
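Review bot: removing "Azure Private DNS (Zone, A records, and virtual network link)" from this list implies those resource types now accept tags; if so, a line in the doc stating it is more useful than silent removal for readers who previously hit tagging errors, and if only some of the three types gained support the entry should be narrowed rather than deleted.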
azure-signalr Signalr Howto Move Across Regions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-signalr/signalr-howto-move-across-regions.md
Title: Move an Azure SignalR resource to another region | Microsoft Docs
-description: Shows you how to move an Azure SignalR resource to another region.
+ Title: Move an Azure SignalR resource to another region
+description: Learn how to use an Azure Resource Manager template to export the configuration of an Azure SignalR resource to a different Azure region.
Previously updated : 12/22/2021 Last updated : 05/23/2022 -+
+- subject-moving-resources
+- kr2b-contr-experiment
# Move an Azure SignalR resource to another region
-There are various scenarios in which you'd want to move your existing SignalR resource from one region to another. **Azure SignalR resource are region specific and can't be moved from one region to another.** You can however, use an Azure Resource Manager template to export the existing configuration of an Azure SignalR resource, modify the parameters to match the destination region, and then create a copy of your SignalR resource in another region. For more information on Resource Manager and templates, see [Quickstart: Create and deploy Azure Resource Manager templates by using the Azure portal](../azure-resource-manager/templates/quickstart-create-templates-use-the-portal.md).
+Azure SignalR resources are region specific and can't be moved from one region to another. There are, however, scenarios where you might want to move your existing SignalR resource to another region.
-## Prerequisites
--- Ensure that the service and features that your are using are supported in the target region.
+You can use an Azure Resource Manager template to export the existing configuration of an Azure SignalR resource, modify the parameters to match the destination region, and then create a copy of your SignalR resource in another region. For more information on Resource Manager and templates, see [Quickstart: Create and deploy Azure Resource Manager templates by using the Azure portal](../azure-resource-manager/templates/quickstart-create-templates-use-the-portal.md).
-- Verify that your Azure subscription allows you to create SignalR resource in the target region that's used. Contact support to enable the required quota.
+## Prerequisites
+- Ensure that the service and features that you're using are supported in the target region.
+- Verify that your Azure subscription allows you to create SignalR resource in the target region that's used.
+- Contact support to enable the required quota.
- For preview features, ensure that your subscription is allowlisted for the target region. <a id="prepare"></a>
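Review bot: the prerequisites now list "Contact support to enable the required quota" as an unconditional step, whereas the removed bullet made it conditional on the subscription not being able to create the resource in the target region; rewrite it as "If it doesn't, contact support ..." so readers don't open a ticket they may not need. In the same bullet, "create SignalR resource in the target region that's used" should be "create a SignalR resource in the target region".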
-## Prepare and move
+## Prepare and move your SignalR resource
To get started, export, and then modify a Resource Manager template.
-### Export the template and deploy from the Portal
+### Export the template and deploy from the Azure portal
The following steps show how to prepare the SignalR resource move using a Resource Manager template, and move it to the target region using the portal.
-1. Sign in to the [Azure portal](https://portal.azure.com) > **Resource Groups**.
+1. Sign in to the [Azure portal](https://portal.azure.com).
-2. Locate the Resource Group that contains the source SignalR resource and click on it.
+1. Select **Resource Groups**. Locate the resource group that contains the source SignalR resource and select it.
-3. Select > **Automation** > **Export template**.
+1. Under **Automation**, select **Export template**.
-4. Choose **Deploy** in the **Export template** blade.
+1. Select **Deploy**.
-5. Click **TEMPLATE** > **Edit parameters** to open the **parameters.json** file in the online editor.
+1. Select **TEMPLATE** > **Edit parameters** to open the *parameters.json* file in the online editor.
-6. To edit the parameter of the SignalR resource name, change the **value** property under **parameters**:
+1. To edit the parameter of the SignalR resource name, change the `value` property under `parameters`:
```json {
The following steps show how to prepare the SignalR resource move using a Resour
} ```
-7. Change the value in the editor to a name of your choice for the target SignalR resource. Ensure you enclose the name in quotes.
+1. Change the value in the editor to a name of your choice for the target SignalR resource. Ensure you enclose the name in quotes.
-8. Click **Save** in the editor.
+1. Select **Save** in the editor.
-9. Click **TEMPLATE** > **Edit template** to open the **template.json** file in the online editor.
+1. Select **TEMPLATE** > **Edit template** to open the *template.json* file in the online editor.
-10. To edit the target region, change the **location** property under **resources** in the online editor:
+1. To edit the target region, change the `location` property under `resources` in the online editor:
```json "resources": [
The following steps show how to prepare the SignalR resource move using a Resour
```
-11. To obtain region location codes, see [Azure SignalR Locations](https://azure.microsoft.com/global-infrastructure/services/?products=signalr-service). The code for a region is the region name with no spaces, **Central US** = **centralus**.
-
-12. You can also change other parameters in the template if you choose, and are optional depending on your requirements.
+1. To obtain region location codes, see [Azure SignalR Locations](https://azure.microsoft.com/global-infrastructure/services/?products=signalr-service). The code for a region is the region name with no spaces, **Central US** = **centralus**.
-13. Click **Save** in the online editor.
+1. You can also change other parameters in the template if you choose, and are optional depending on your requirements.
-14. Click **BASICS** > **Subscription** to choose the subscription where the target resource will be deployed.
+1. Select **Save** in the online editor.
-15. Click **BASICS** > **Resource group** to choose the resource group where the target resource will be deployed. You can click **Create new** to create a new resource group for the target resource. Ensure the name isn't the same as the source resource group of the existing resource.
+1. Select **BASICS** > **Subscription** to choose the subscription where the target resource will be deployed.
-16. Verify **BASICS** > **Location** is set to the target location where you wish for the resource to be deployed.
+1. Select **BASICS** > **Resource group** to choose the resource group where the target resource will be deployed. You can select **Create new** to create a new resource group for the target resource. Ensure the name isn't the same as the source resource group of the existing resource.
-17. Click the **Review + create** button to deploy the target Azure SignalR resource.
+1. Verify **BASICS** > **Location** is set to the target location where you wish for the resource to be deployed.
+1. Select **Review + create** to deploy the target Azure SignalR resource.
### Export the template and deploy using Azure PowerShell
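Review bot: the renumbered step "You can also change other parameters in the template if you choose, and are optional depending on your requirements" keeps the dangling "and are optional" clause, while the PowerShell section's copy of this sentence is fixed in this same commit to "if you choose, depending on your requirements"; use the fixed wording here too. The region-code step says "the region name with no spaces, **Central US** = **centralus**", but the code is also lowercased; say "lowercased, with spaces removed" (the PowerShell section repeats this sentence and should get the same fix).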
To export a template by using PowerShell:
Connect-AzAccount ```
-2. If your identity is associated with more than one subscription, then set your active subscription to subscription of the SignalR resource that you want to move.
+1. If your identity is associated with more than one subscription, then set your active subscription to subscription of the SignalR resource that you want to move.
```azurepowershell-interactive $context = Get-AzSubscription -SubscriptionId <subscription-id> Set-AzContext $context ```
-3. Export the template of your source SignalR resource. These commands save a json template to your current directory.
+1. Export the template of your source SignalR resource. These commands save a JSON template to your current directory.
```azurepowershell-interactive $resource = Get-AzResource `
To export a template by using PowerShell:
-IncludeParameterDefaultValue ```
-4. The file downloaded will be named after the resource group the resource was exported from. Locate the file that was exported from the command named **\<resource-group-name>.json** and open it in an editor of your choice:
-
+1. The file downloaded will be named after the resource group the resource was exported from. Locate the file that was exported from the command named *\<resource-group-name>.json* and open it in an editor of your choice:
+ ```azurepowershell notepad <source-resource-group-name>.json ```
-5. To edit the parameter of the SignalR resource name, change the property **defaultValue** of the source SignalR resource name to the name of your target SignalR resource, ensure the name is in quotes:
-
+1. To edit the parameter of the SignalR resource name, change the property `defaultValue` of the source SignalR resource name to the name of your target SignalR resource. Ensure the name is in quotes:
+ ```json { "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
To export a template by using PowerShell:
} ```
-6. To edit the target region where the SignalR resource will be moved, change the **location** property under resources:
+1. To edit the target region where the SignalR resource will be moved, change the `location` property under `resources`:
```json "resources": [
To export a template by using PowerShell:
] ```
-7. To obtain region location codes, see [Azure SignalR Locations](https://azure.microsoft.com/global-infrastructure/services/?products=signalr-service). The code for a region is the region name with no spaces, **Central US** = **centralus**.
+1. To obtain region location codes, see [Azure SignalR Locations](https://azure.microsoft.com/global-infrastructure/services/?products=signalr-service). The code for a region is the region name with no spaces, **Central US** = **centralus**.
+
+ You can also change other parameters in the template if you choose, depending on your requirements.
-8. You can also change other parameters in the template if you choose, and are optional depending on your requirements.
+1. Save the *\<resource-group-name>.json* file.
-9. Save the **\<resource-group-name>.json** file.
+1. Create a resource group in the target region for the target SignalR resource to be deployed using [New-AzResourceGroup](/powershell/module/az.resources/new-azresourcegroup).
-10. Create a resource group in the target region for the target SignalR resource to be deployed using [New-AzResourceGroup](/powershell/module/az.resources/new-azresourcegroup).
-
```azurepowershell-interactive New-AzResourceGroup -Name <target-resource-group-name> -location <target-region> ```
-11. Deploy the edited **\<resource-group-name>.json** file to the resource group created in the previous step using [New-AzResourceGroupDeployment](/powershell/module/az.resources/new-azresourcegroupdeployment):
+1. Deploy the edited *\<resource-group-name>.json* file to the resource group created in the previous step using [New-AzResourceGroupDeployment](/powershell/module/az.resources/new-azresourcegroupdeployment):
```azurepowershell-interactive New-AzResourceGroupDeployment -ResourceGroupName <target-resource-group-name> -TemplateFile <source-resource-group-name>.json ```
-12. To verify the resources were created in the target region, use [Get-AzResourceGroup](/powershell/module/az.resources/get-azresourcegroup) and [Get-AzSignalR](/powershell/module/az.signalr/get-azsignalr):
-
- ```azurepowershell-interactive
- Get-AzResourceGroup -Name <target-resource-group-name>
- ```
+1. To verify that the resources were created in the target region, use [Get-AzResourceGroup](/powershell/module/az.resources/get-azresourcegroup) and [Get-AzSignalR](/powershell/module/az.signalr/get-azsignalr):
```azurepowershell-interactive
+ Get-AzResourceGroup -Name <target-resource-group-name>
Get-AzSignalR -Name <target-signalr-name> -ResourceGroupName <target-resource-group-name> ```
-## Discard
-
-After the deployment, if you wish to start over or discard the SignalR resource in the target, delete the resource group that was created in the target and the moved SignalR resource will be deleted. To do so, select the resource group from your dashboard in the portal and select **Delete** at the top of the overview page. Alternatively you can use [Remove-AzResourceGroup](/powershell/module/az.resources/remove-azresourcegroup):
-
-```azurepowershell-interactive
-Remove-AzResourceGroup -Name <target-resource-group-name>
-```
+> [!NOTE]
+>
+> After the deployment, if you wish to start over or discard the SignalR resource in the target, delete the resource group that was created in the target, which deletes the moved SignalR resource. To do so, select the resource group from your dashboard in the portal and select **Delete** at the top of the overview page. Alternatively you can use [Remove-AzResourceGroup](/powershell/module/az.resources/remove-azresourcegroup):
+>
+> ```azurepowershell-interactive
+> Remove-AzResourceGroup -Name <target-resource-group-name>
+> ```
-## Clean up
+## Clean up source region
To commit the changes and complete the move of the SignalR resource, delete the source SignalR resource or resource group. To do so, select the SignalR resource or resource group from your dashboard in the portal and select **Delete** at the top of each page. ## Next steps
-In this tutorial, you moved an Azure SignalR resource from one region to another and cleaned up the source resources. To learn more about moving resources between regions and disaster recovery in Azure, refer to:
+In this tutorial, you moved an Azure SignalR resource from one region to another and cleaned up the source resources. To learn more about moving resources between regions and disaster recovery in Azure, see:
- [Move resources to a new resource group or subscription](../azure-resource-manager/management/move-resource-group-and-subscription.md) - [Move Azure VMs to another region](../site-recovery/azure-to-azure-tutorial-migrate.md)
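Review bot: turning "## Discard" into a NOTE and renaming "## Clean up" to "## Clean up source region" removes the `#discard` anchor and changes `#clean-up` to `#clean-up-source-region`, so any inbound links to those fragments break; check for references and add redirects or keep the old heading text. The NOTE now wraps a fenced `azurepowershell-interactive` block inside the blockquote, which renders fine, but the `Remove-AzResourceGroup` command deletes everything in the target resource group, not only the SignalR resource; the sentence says this only implicitly ("delete the resource group ... which deletes the moved SignalR resource"), and it would be clearer to state that any other resources in that group are removed as well.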
azure-video-analyzer Deploy Iot Edge Linux On Windows https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-video-analyzer/video-analyzer-docs/edge/deploy-iot-edge-linux-on-windows.md
The following depicts the overall flow of the document and in 5 simple steps you
## Next steps * Try motion detection along with recording relevant videos in the Cloud. Follow the steps from the [detect motion and record video clips](detect-motion-record-video-edge-devices.md) quickstart.
-* Use our [VS Code extension](https://marketplace.visualstudio.com/items?itemName=ms-azuretools.live-video-analytics-edge) to view additional pipelines.
+* Use our [VS Code extension](https://marketplace.visualstudio.com/vscode) to view additional pipelines.
* Use an [IP camera](https://en.wikipedia.org/wiki/IP_camera) that supports RTSP instead of using the RTSP simulator. You can find IP cameras that support RTSP on the [ONVIF conformant products](https://www.onvif.org/conformant-products/) page. Look for devices that conform with profiles G, S, or T. * Run [AI on Live Video](analyze-live-video-use-your-model-http.md#overview) (you can skip the prerequisite setup as it has already been done above).
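Review bot: the replacement link in "Use our [VS Code extension](https://marketplace.visualstudio.com/vscode)" points at the generic Visual Studio Marketplace landing page, not at an extension, so the sentence "Use our VS Code extension to view additional pipelines" no longer resolves to anything a reader can install; if the old `ms-azuretools.live-video-analytics-edge` listing was retired, either link to its replacement extension or drop the bullet, rather than linking to the marketplace home.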
azure-video-indexer Audio Effects Detection https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-video-indexer/audio-effects-detection.md
Some scenarios where this feature is useful:
## Supported audio categories
-**Audio effect detection** can detect and classify 7 different categories. In the next table, you can find the different categories split in to the different presets, divided to **Standard** and **Advanced**. For more information, see [pricing](https://azure.microsoft.com/pricing/details/azure/media-services/).
+**Audio effect detection** can detect and classify 7 different categories. In the next table, you can find the different categories split in to the different presets, divided to **Standard** and **Advanced**. For more information, see [pricing](https://azure.microsoft.com/pricing/details/media-services/).
|Indexing type |Standard indexing| Advanced indexing| ||||
azure-video-indexer Compare Video Indexer With Media Services Presets https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-video-indexer/compare-video-indexer-with-media-services-presets.md
Currently, there is an overlap between features offered by the [Azure Video Inde
|||| |Media Insights|[Enhanced](video-indexer-output-json-v2.md) |[Fundamentals](/azure/media-services/latest/analyze-video-audio-files-concept)| |Experiences|See the full list of supported features: <br/> [Overview](video-indexer-overview.md)|Returns video insights only|
-|Billing|[Media Services pricing](https://azure.microsoft.com/pricing/details/azure/media-services/#analytics)|[Media Services pricing](https://azure.microsoft.com/pricing/details/azure/media-services/#analytics)|
+|Billing|[Media Services pricing](https://azure.microsoft.com/pricing/details/media-services/#analytics) |[Media Services pricing](https://azure.microsoft.com/pricing/details/media-services/#analytics) |
|Compliance|For the most current compliance updates, visit [Azure Compliance Offerings.pdf](https://gallery.technet.microsoft.com/Overview-of-Azure-c1be3942/file/178110/23/Microsoft%20Azure%20Compliance%20Offerings.pdf) and search for "Azure Video Indexer" to see if it complies with a certificate of interest.|For the most current compliance updates, visit [Azure Compliance Offerings.pdf](https://gallery.technet.microsoft.com/Overview-of-Azure-c1be3942/file/178110/23/Microsoft%20Azure%20Compliance%20Offerings.pdf) and search for "Media Services" to see if it complies with a certificate of interest.| |Free Trial|East US|Not available| |Region availability|See [Cognitive Services availability by region](https://azure.microsoft.com/global-infrastructure/services/?products=cognitive-services)|See [Media Services availability by region](https://azure.microsoft.com/global-infrastructure/services/?products=media-services).|
azure-video-indexer Connect To Azure https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-video-indexer/connect-to-azure.md
When creating an Azure Video Indexer account, you can choose a free trial accoun
1. [Azure Video Indexer portal](https://aka.ms/vi-portal-link) 2. [Azure portal](https://portal.azure.com/#home)
- 3. [QuickStart ARM template](https://github.com/Azure-Samples/media-services-video-indexer/tree/master/ARM-Samples/Create-Account)
To read more on how to create a **new ARM-Based** Azure Video Indexer account, read this [article](create-video-analyzer-for-media-account.md)
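Review bot: the "3. QuickStart ARM template" option is removed here, while the other articles in this same batch update the identical `ARM-Samples/Create-Account` path to `ARM-Quick-Start` (deploy-with-arm-template.md and release-notes.md); if the sample still exists at the new path, keep the third option with the updated link so the three articles stay consistent, and if the sample was removed, update those two articles as well instead of leaving them pointing at `ARM-Quick-Start`.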
If the connection to Azure failed, you can attempt to troubleshoot the problem b
### Create and configure a Media Services account
-1. Use the [Azure](https://portal.azure.com/) portal to create an Azure Media Services account, as described in [Create an account](/azure/azure/media-services/previous/media-services-portal-create-account).
+1. Use the [Azure](https://portal.azure.com/) portal to create an Azure Media Services account, as described in [Create an account](/azure/media-services/previous/media-services-portal-create-account).
Make sure the Media Services account was created with the classic APIs.
If the connection to Azure failed, you can attempt to troubleshoot the problem b
In the new Media Services account, select **Streaming endpoints**. Then select the streaming endpoint and press start. :::image type="content" alt-text="Screenshot that shows how to specify streaming endpoints." source="./media/create-account/create-ams-account-se.png":::
-4. For Azure Video Indexer to authenticate with Media Services API, an AD app needs to be created. The following steps guide you through the Azure AD authentication process described in [Get started with Azure AD authentication by using the Azure portal](/azure/azure/media-services/previous/media-services-portal-get-started-with-aad):
+4. For Azure Video Indexer to authenticate with Media Services API, an AD app needs to be created. The following steps guide you through the Azure AD authentication process described in [Get started with Azure AD authentication by using the Azure portal](/azure/media-services/previous/media-services-portal-get-started-with-aad):
1. In the new Media Services account, select **API access**.
- 2. Select [Service principal authentication method](/azure/azure/media-services/previous/media-services-portal-get-started-with-aad).
+ 2. Select [Service principal authentication method](/azure/media-services/previous/media-services-portal-get-started-with-aad).
3. Get the client ID and client secret After you select **Settings**->**Keys**, add **Description**, press **Save**, and the key value gets populated.
azure-video-indexer Customize Person Model With Website https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-video-indexer/customize-person-model-with-website.md
Previously updated : 12/16/2020 Last updated : 05/31/2022
You can use the Azure Video Indexer website to edit faces that were detected in
## Create a new Person model 1. Select the **+ Add model** button on the right.
-1. Enter the name of the model. You can now add new people and faces to the new Person model.
+1. Enter the name of the model and select the check button to save the new model created. You can now add new people and faces to the new Person model.
1. Select the list menu button and choose **+ Add person**. > [!div class="mx-imgBorder"]
You can delete any Person model that you created in your account. However, you c
## Manage existing people in a Person model
-To look at the contents of any of your Person models, select the arrow next to the name of the Person model. The drop-down shows you all of the people in that particular Person model. If you select the list menu button next to each of the people, you see manage, rename, and delete options.
+To look at the contents of any of your Person models, select the arrow next to the name of the Person model. Then you can view all of the people in that particular Person model. If you select the list menu button next to each of the people, you see manage, rename, and delete options.
![Screenshot shows a contextual menu with options to Manage, Rename, and Delete.](./media/customize-face-model/manage-people.png)
azure-video-indexer Deploy With Arm Template https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-video-indexer/deploy-with-arm-template.md
The resource will be deployed to your subscription and will create the Azure Vid
``` > [!NOTE]
-> If you would like to work with bicep format, inspect the [bicep file](https://github.com/Azure-Samples/media-services-video-indexer/blob/master/ARM-Samples/Create-Account/avam.template.bicep) on this repo.
+> If you would like to work with bicep format, inspect the [bicep file](https://github.com/Azure-Samples/media-services-video-indexer/blob/master/ARM-Quick-Start/avam.template.bicep) on this repo.
## Parameters
If you're new to template deployment, see:
## Next steps
-[Connect an existing classic paid Azure Video Indexer account to ARM-based account](connect-classic-account-to-arm.md)
+[Connect an existing classic paid Azure Video Indexer account to ARM-based account](connect-classic-account-to-arm.md)
azure-video-indexer Manage Account Connected To Azure https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-video-indexer/manage-account-connected-to-azure.md
If your account needs some adjustments, you see relevant errors and warnings abo
* Media reserved units
- You must allocate Media Reserved Units on your Media Service resource in order to index videos. For optimal indexing performance, it's recommended to allocate at least 10 S3 Reserved Units. For pricing information, see the FAQ section of the [Media Services pricing](https://azure.microsoft.com/pricing/details/azure/media-services/) page.
+ You must allocate Media Reserved Units on your Media Service resource in order to index videos. For optimal indexing performance, it's recommended to allocate at least 10 S3 Reserved Units. For pricing information, see the FAQ section of the [Media Services pricing](https://azure.microsoft.com/pricing/details/media-services/) page.
## Next steps
azure-video-indexer Odrv Download https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-video-indexer/odrv-download.md
Use this parameter to define an AI bundle that you want to apply on your audio o
Azure Video Indexer covers up to two tracks of audio. If the file has more audio tracks, they're treated as one track. If you want to index the tracks separately, you need to extract the relevant audio file and index it as `AudioOnly`.
-Price depends on the selected indexing option. For more information, see [Media Services pricing](https://azure.microsoft.com/pricing/details/azure/media-services/).
+Price depends on the selected indexing option. For more information, see [Media Services pricing](https://azure.microsoft.com/pricing/details/media-services/).
#### priority
azure-video-indexer Release Notes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-video-indexer/release-notes.md
Azure Video Indexer website is now supporting account management based on ARM in
### Leverage open-source code to create ARM based account
-Added new code samples including HTTP calls to use Azure Video Indexer create, read, update and delete (CRUD) ARM API for solution developers. See [this sample](https://github.com/Azure-Samples/media-services-video-indexer/tree/master/ARM-Samples/Create-Account
-).
+Added new code samples including HTTP calls to use Azure Video Indexer create, read, update and delete (CRUD) ARM API for solution developers. See [this sample](https://github.com/Azure-Samples/media-services-video-indexer/tree/master/ARM-Quick-Start).
## January 2022
You can now see the detected acoustic events in the closed captions file. The fi
### Audio analysis
-Audio analysis is available now in additional new bundle of audio features at different price point. The new **Basic Audio** analysis preset provides a low-cost option to only extract speech transcription, translation and format output captions and subtitles. The **Basic Audio** preset will produce two separate meters on your bill, including a line for transcription and a separate line for caption and subtitle formatting. More information on the pricing, see the [Media Services pricing](https://azure.microsoft.com/pricing/details/azure/media-services/) page.
+Audio analysis is available now in additional new bundle of audio features at different price point. The new **Basic Audio** analysis preset provides a low-cost option to only extract speech transcription, translation and format output captions and subtitles. The **Basic Audio** preset will produce two separate meters on your bill, including a line for transcription and a separate line for caption and subtitle formatting. More information on the pricing, see the [Media Services pricing](https://azure.microsoft.com/pricing/details/media-services/) page.
The newly added bundle is available when indexing or re-indexing your file by choosing the **Advanced option** -> **Basic Audio** preset (under the **Video + audio indexing** drop-down box).
azure-video-indexer Upload Index Videos https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-video-indexer/upload-index-videos.md
When you're creating an Azure Video Indexer account, you choose between:
- A free trial account. Azure Video Indexer provides up to 600 minutes of free indexing to website users and up to 2,400 minutes of free indexing to API users. - A paid option where you're not limited by a quota. You create an Azure Video Indexer account that's [connected to your Azure subscription and an Azure Media Services account](connect-to-azure.md). You pay for indexed minutes.
-For more information about account types, see [Media Services pricing](https://azure.microsoft.com/pricing/details/azure/media-services/).
+For more information about account types, see [Media Services pricing](https://azure.microsoft.com/pricing/details/media-services/).
After you upload and index a video, you can use [Azure Video Indexer website](video-indexer-view-edit.md) or [Azure Video Indexer Developer Portal](video-indexer-use-apis.md) to see the insights of the video (see [Examine the Azure Video Indexer output](video-indexer-output-json-v2.md)).
Use this parameter to define an AI bundle that you want to apply on your audio o
Azure Video Indexer covers up to two tracks of audio. If the file has more audio tracks, they're treated as one track. If you want to index the tracks separately, you need to extract the relevant audio file and index it as `AudioOnly`.
-Price depends on the selected indexing option. For more information, see [Media Services pricing](https://azure.microsoft.com/pricing/details/azure/media-services/).
+Price depends on the selected indexing option. For more information, see [Media Services pricing](https://azure.microsoft.com/pricing/details/media-services/).
#### priority
azure-video-indexer Video Indexer Get Started https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-video-indexer/video-indexer-get-started.md
This getting started quickstart shows how to sign in to the Azure Video Indexer website and how to upload your first video.
-When creating an Azure Video Indexer account, you can choose a free trial account (where you get a certain number of free indexing minutes) or a paid option (where you aren't limited by the quota). With free trial, Azure Video Indexer provides up to 600 minutes of free indexing to website users and up to 2400 minutes of free indexing to API users. With paid option, you create an Azure Video Indexer account that is [connected to your Azure subscription and an Azure Media Services account](connect-to-azure.md). You pay for minutes indexed, for more information, see [Media Services pricing](https://azure.microsoft.com/pricing/details/azure/media-services/).
+When creating an Azure Video Indexer account, you can choose a free trial account (where you get a certain number of free indexing minutes) or a paid option (where you aren't limited by the quota). With free trial, Azure Video Indexer provides up to 600 minutes of free indexing to website users and up to 2400 minutes of free indexing to API users. With paid option, you create an Azure Video Indexer account that is [connected to your Azure subscription and an Azure Media Services account](connect-to-azure.md). You pay for minutes indexed, for more information, see [Media Services pricing](https://azure.microsoft.com/pricing/details/media-services/).
## Sign up for Azure Video Indexer
azure-video-indexer Video Indexer Use Apis https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-video-indexer/video-indexer-use-apis.md
Azure Video Indexer consolidates various audio and video artificial intelligence (AI) technologies offered by Microsoft into one integrated service, making development simpler. The APIs are designed to enable developers to focus on consuming Media AI technologies without worrying about scale, global reach, availability, and reliability of cloud platforms. You can use the API to upload your files, get detailed video insights, get URLs of embeddable insight and player widgets, and more.
-When creating an Azure Video Indexer account, you can choose a free trial account (where you get a certain number of free indexing minutes) or a paid option (where you're not limited by the quota). With a free trial, Azure Video Indexer provides up to 600 minutes of free indexing to website users and up to 2400 minutes of free indexing to API users. With a paid option, you create an Azure Video Indexer account that's [connected to your Azure subscription and an Azure Media Services account](connect-to-azure.md). You pay for minutes indexed, for more information, see [Media Services pricing](https://azure.microsoft.com/pricing/details/azure/media-services/).
+When creating an Azure Video Indexer account, you can choose a free trial account (where you get a certain number of free indexing minutes) or a paid option (where you're not limited by the quota). With a free trial, Azure Video Indexer provides up to 600 minutes of free indexing to website users and up to 2400 minutes of free indexing to API users. With a paid option, you create an Azure Video Indexer account that's [connected to your Azure subscription and an Azure Media Services account](connect-to-azure.md). You pay for minutes indexed, for more information, see [Media Services pricing](https://azure.microsoft.com/pricing/details/media-services/).
This article shows how the developers can take advantage of the [Azure Video Indexer API](https://api-portal.videoindexer.ai/).
azure-vmware Deploy Disaster Recovery Using Jetstream https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/deploy-disaster-recovery-using-jetstream.md
Once JetStream DR MSA and JetStream VIB are installed on the Azure VMware Soluti
1. [Select the VMs](https://www.jetstreamsoft.com/portal/jetstream-knowledge-base/select-vms-for-protection/) you want to protect and then [start VM protection](https://www.jetstreamsoft.com/portal/jetstream-knowledge-base/start-vm-protection/).
-For remaining configuration steps for JetStream DR, such as creating a failover runbook, invoking failover to the DR site, and invoking failback to the primary site, see the [JetStream Admin Guide documentation](https://www.jetstreamsoft.com/portal/jetstream-article-categories/product-manual/).
+For remaining configuration steps for JetStream DR, such as creating a failover runbook, invoking failover to the DR site, and invoking failback to the primary site, see the [JetStream Admin Guide documentation](https://docs.delphix.com/docs51/delphix-jet-stream/jet-stream-admin-guide).
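Review bot: the new link `https://docs.delphix.com/docs51/delphix-jet-stream/jet-stream-admin-guide` points at Delphix's documentation for its own, unrelated product named "Jet Stream"; the rest of this article (JetStream DR MSA, JetStream VIB, and the `jetstreamsoft.com/portal/jetstream-knowledge-base/` links in the preceding step) is about JetStream Software's DR product, so the admin guide reference should stay on a `jetstreamsoft.com` URL (or be removed if the old product-manual page is gone) rather than be redirected to a different vendor's manual.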
## Disable JetStream DR on an Azure VMware Solution cluster
azure-vmware Deploy Zerto Disaster Recovery https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/deploy-zerto-disaster-recovery.md
You can reuse pre-existing Zerto product licenses for Azure VMware Solution envi
### How is Zerto supported?
-Zerto disaster recovery is a solution that is sold and supported by Zerto. For any support issue with Zerto disaster recovery, always contact [Zerto support](https://www.zerto.com/company/support-and-service/support/).
+Zerto disaster recovery is a solution that is sold and supported by Zerto. For any support issue with Zerto disaster recovery, always contact [Zerto support](https://www.zerto.com/support-and-services/).
Zerto and Microsoft support teams will engage each other as needed to troubleshoot Zerto disaster recovery issues on Azure VMware Solution.
azure-web-pubsub Reference Server Sdk Python https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-web-pubsub/reference-server-sdk-python.md
Title: Reference - Python server SDK for Azure Web PubSub
-description: This reference describes the Python server SDK for the Azure Web PubSub service.
+description: Learn about the Python server SDK for the Azure Web PubSub service. You can use this library in your app server to manage the WebSocket client connections.
- Previously updated : 11/08/2021++ Last updated : 05/23/2022 # Azure Web PubSub service client library for Python [Azure Web PubSub Service](./index.yml) is an Azure-managed service that helps developers easily build web applications with real-time features and publish-subscribe pattern. Any scenario that requires real-time publish-subscribe messaging between server and clients or among clients can use Azure Web PubSub service. Traditional real-time features that often require polling from server or submitting HTTP requests can also use Azure Web PubSub service.
-You can use this library in your app server side to manage the WebSocket client connections, as shown in below diagram:
+You can use this library in your app server side to manage the WebSocket client connections, as shown in following diagram:
![The overflow diagram shows the overflow of using the service client library.](media/sdk-reference/service-client-overflow.png)
Use this library to:
- Send messages to hubs and groups. - Send messages to particular users and connections. - Organize users and connections into groups.-- Close connections-- Grant, revoke, and check permissions for an existing connection
+- Close connections.
+- Grant, revoke, and check permissions for an existing connection.
-[Source code](https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/webpubsub/azure-messaging-webpubsubservice) | [Package (Pypi)][package] | [API reference documentation](/python/api/overview/azure/messaging-webpubsubservice-readme) | [Product documentation][webpubsubservice_docs]
+## Prerequisites
-> [!IMPORTANT]
-> Azure SDK Python packages support for Python 2.7 is ending 01 January 2022. For more information and questions, please refer to https://github.com/Azure/azure-sdk-for-python/issues/20691.
+- Python 3.6 or later is required to use this package.
+- You need an [Azure subscription][azure_sub] and an [Azure WebPubSub service instance][webpubsubservice_docs] to use this package.
+- An existing Azure Web PubSub service instance.
-## Getting started
+> [!IMPORTANT]
+> Azure SDK Python packages support for Python 2.7 is ending 01 January 2022. For more information, see [Azure SDK Python packages support](https://github.com/Azure/azure-sdk-for-python/issues/20691).
-### Prerequisites
+## Install the package
-- Python 2.7, or 3.6 or later is required to use this package.-- You need an [Azure subscription][azure_sub] and a [Azure WebPubSub service instance][webpubsubservice_docs] to use this package.-- An existing Azure Web PubSub service instance.-
-### 1. Install the package
+Use this command to install the package:
```bash python -m pip install azure-messaging-webpubsubservice ```
-### 2. Create and authenticate a WebPubSubServiceClient
+## Create and authenticate a WebPubSubServiceClient
-You can authenticate the `WebPubSubServiceClient` using [connection string][connection_string]:
+You can authenticate the `WebPubSubServiceClient` using a [connection string][connection_string]:
```python >>> from azure.messaging.webpubsubservice import WebPubSubServiceClient
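Review bot: the new prerequisites list repeats the service instance twice ("You need an Azure subscription and an Azure WebPubSub service instance" and then "An existing Azure Web PubSub service instance"), and the retained IMPORTANT note still reads "support for Python 2.7 is ending 01 January 2022" on an article dated 05/23/2022, after the first bullet has already been changed to "Python 3.6 or later"; drop the duplicate bullet and either remove the 2.7 note or reword it to past tense ("ended on 01 January 2022") so it does not announce a future event that has already happened.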
You can authenticate the `WebPubSubServiceClient` using [connection string][conn
>>> service = WebPubSubServiceClient.from_connection_string(connection_string='<connection_string>', hub='hub') ```
-Or using the service endpoint and the access key:
+Or use the service endpoint and the access key:
```python >>> from azure.messaging.webpubsubservice import WebPubSubServiceClient
Or using the service endpoint and the access key:
>>> service = WebPubSubServiceClient(endpoint='<endpoint>', hub='hub', credential=AzureKeyCredential("<access_key>")) ```
-Or using [Azure Active Directory][aad_doc]:
+Or use [Azure Active Directory][aad_doc] (Azure AD):
-1. [pip][pip] install [`azure-identity`][azure_identity_pip]
-2. Follow the document to [enable AAD authentication on your Webpubsub resource][aad_doc]
-3. Update code to use [DefaultAzureCredential][default_azure_credential]
+1. [pip][pip] install [`azure-identity`][azure_identity_pip].
+2. [Enable Azure AD authentication on your Webpubsub resource][aad_doc].
+3. Update code to use [DefaultAzureCredential][default_azure_credential].
```python >>> from azure.messaging.webpubsubservice import WebPubSubServiceClient
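Review bot: the three authentication options (`from_connection_string(connection_string='<connection_string>', ...)`, `AzureKeyCredential("<access_key>")`, and `DefaultAzureCredential`) are presented as interchangeable, but the first two put a long-lived shared secret into the application, while the Azure AD path needs no secret in code; since this hunk already reorders the section, add one sentence recommending Azure AD with `DefaultAzureCredential` as the preferred option and stating that a connection string or access key, where still used, should be read from configuration or a secret store rather than written into the source.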
Or using [Azure Active Directory][aad_doc]:
}) ```
-The WebSocket client will receive JSON serialized text: `{"from": "user1", "data": "Hello world"}`.
+The WebSocket client receives JSON serialized text: `{"from": "user1", "data": "Hello world"}`.
### Broadcast messages in plain-text format
The WebSocket client will receive JSON serialized text: `{"from": "user1", "data
>>> service.send_to_all(message = 'Hello world', content_type='text/plain') ```
-The WebSocket client will receive text: `Hello world`.
+The WebSocket client receives text: `Hello world`.
### Broadcast messages in binary format
The WebSocket client will receive text: `Hello world`.
>>> service.send_to_all(message=io.StringIO('Hello World'), content_type='application/octet-stream') ```
-The WebSocket client will receive binary text: `b'Hello world'`.
-
-## Troubleshooting
+The WebSocket client receives binary text: `b'Hello world'`.
-### Logging
+## Logging
This SDK uses Python standard logging library.
-You can configure logging print out debugging information to the stdout or anywhere you want.
+You can configure logging to print debugging information to the `stdout` or anywhere you want.
```python import sys
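Review bot: the binary-format sample passes `io.StringIO('Hello World')` with `content_type='application/octet-stream'`, but `StringIO` is a text stream; the byte stream that matches an octet-stream body is `io.BytesIO(b'Hello World')`, and the expected result in the changed sentence ("The WebSocket client receives binary text: `b'Hello world'`") does not match the input's capitalization (`Hello World`), so fix the sample to `io.BytesIO(b'Hello World')` and make the stated output `b'Hello World'`.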
credential = DefaultAzureCredential()
service = WebPubSubServiceClient(endpoint=endpoint, hub='hub', credential=credential, logging_enable=True) ```
-Similarly, `logging_enable` can enable detailed logging for a single call,
-even when it isn't enabled for the WebPubSubServiceClient:
+Similarly, `logging_enable` can enable detailed logging for a single call, even when it isn't enabled for the `WebPubSubServiceClient`:
```python result = service.send_to_all(..., logging_enable=True) ```
-Http request and response details are printed to stdout with this logging config.
+HTTP request and response details are printed to `stdout` with this logging configuration.
## Next steps
-Check [more samples here][samples].
+- [Source code](https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/webpubsub/azure-messaging-webpubsubservice)
+- [Package (Pypi)][package]
+- [API reference documentation](/python/api/overview/azure/messaging-webpubsubservice-readme)
+- [Product documentation][webpubsubservice_docs]
+
+For more samples, see [Azure Web PubSub service client library for Python Samples][samples].
## Contributing
-This project welcomes contributions and suggestions. Most contributions require
-you to agree to a Contributor License Agreement (CLA) declaring that you have
-the right to, and actually do, grant us the rights to use your contribution.
-For details, visit https://cla.microsoft.com.
+This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For more information, see [Contributor License Agreement](https://cla.microsoft.com).
-When you submit a pull request, a CLA-bot will automatically determine whether
-you need to provide a CLA and decorate the PR appropriately (e.g., label,
-comment). Simply follow the instructions provided by the bot. You will only
-need to do this once across all repos using our CLA.
+When you submit a pull request, a CLA-bot automatically determines whether you need to provide a CLA and decorate the PR appropriately, for example, "label", "comment". Follow the instructions provided by the bot. You only need to do this action once across all repos using our CLA.
-This project has adopted the
-[Microsoft Open Source Code of Conduct][code_of_conduct]. For more information,
-see the Code of Conduct FAQ or contact opencode@microsoft.com with any
-additional questions or comments.
+This project has adopted the Microsoft Open Source Code of Conduct. For more information, see [Code of Conduct][code_of_conduct] FAQ or contact [Open Source Conduct Team](mailto:opencode@microsoft.com) with questions or comments.
<!-- LINKS --> [webpubsubservice_docs]: ./index.yml
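Review bot: the Logging section ends with "HTTP request and response details are printed to `stdout` with this logging configuration" but gives no caveat; because `logging_enable=True` on `WebPubSubServiceClient(...)` (and on a single call such as `service.send_to_all(..., logging_enable=True)`) writes the full request and response exchange, including the message payloads being sent to clients, the section should say this is a debugging switch to leave off in production and not to route into shared or long-retained logs. Separately, in the Contributing text the phrase "decorate the PR appropriately, for example, "label", "comment"" reads oddly with the bare quoted words; "for example, by adding a label or a comment" is clearer.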
backup Backup Azure Sap Hana Database https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/backup-azure-sap-hana-database.md
Title: Back up an SAP HANA database to Azure with Azure Backup description: In this article, learn how to back up an SAP HANA database to Azure virtual machines with the Azure Backup service. Previously updated : 04/28/2022 Last updated : 06/01/2022
The following table lists the various alternatives you can use for establishing
| Private endpoints | Allow backups over private IPs inside the virtual network <br><br> Provide granular control on the network and vault side | Incurs standard private endpoint [costs](https://azure.microsoft.com/pricing/details/private-link/) | | NSG service tags | Easier to manage as range changes are automatically merged <br><br> No additional costs | Can be used with NSGs only <br><br> Provides access to the entire service | | Azure Firewall FQDN tags | Easier to manage since the required FQDNs are automatically managed | Can be used with Azure Firewall only |
-| Allow access to service FQDNs/IPs | No additional costs <br><br> Works with all network security appliances and firewalls | A broad set of IPs or FQDNs may be required to be accessed |
+| Allow access to service FQDNs/IPs | No additional costs. <br><br> Works with all network security appliances and firewalls. <br><br> You can also use service endpoints for *Storage* and *Azure Active Directory*. However, for Azure Backup, you need to assign the access to the corresponding IPs/FQDNs. | A broad set of IPs or FQDNs may be required to be accessed. |
| [Virtual Network Service Endpoint](../virtual-network/virtual-network-service-endpoints-overview.md) | Can be used for Azure Storage (= Recovery Services vault). <br><br> Provides large benefit to optimize performance of data plane traffic. | CanΓÇÖt be used for Azure AD, Azure Backup service. | | Network Virtual Appliance | Can be used for Azure Storage, Azure AD, Azure Backup service. <br><br> **Data plane** <ul><li> Azure Storage: `*.blob.core.windows.net`, `*.queue.core.windows.net`, `*.blob.storage.azure.net` </li></ul> <br><br> **Management plane** <ul><li> Azure AD: Allow access to FQDNs mentioned in sections 56 and 59 of [Microsoft 365 Common and Office Online](/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide&preserve-view=true#microsoft-365-common-and-office-online). </li><li> Azure Backup service: `.backup.windowsazure.com` </li></ul> <br>Learn more about [Azure Firewall service tags](../firewall/fqdn-tags.md). | Adds overhead to data plane traffic and decrease throughput/performance. |
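Review bot: the new text in the "Allow access to service FQDNs/IPs" row says "You can also use service endpoints for *Storage* and *Azure Active Directory*", but the very next row, "Virtual Network Service Endpoint", states it "Can't be used for Azure AD, Azure Backup service" and lists only Azure Storage as supported; the two rows now contradict each other on Azure AD, so either drop "Azure Active Directory" from the new sentence or correct the service-endpoint row, and move the service-endpoint remark into that row rather than into the FQDN/IP row where it is off topic.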
backup Backup Sql Server Database Azure Vms https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/backup-sql-server-database-azure-vms.md
Title: Back up multiple SQL Server VMs from the vault description: In this article, learn how to back up SQL Server databases on Azure virtual machines with Azure Backup from the Recovery Services vault Previously updated : 04/28/2022 Last updated : 06/01/2022
The following table lists the various alternatives you can use for establishing
| Private endpoints | Allow backups over private IPs inside the virtual network <br><br> Provide granular control on the network and vault side | Incurs standard private endpoint [costs](https://azure.microsoft.com/pricing/details/private-link/) | | NSG service tags | Easier to manage as range changes are automatically merged <br><br> No additional costs | Can be used with NSGs only <br><br> Provides access to the entire service | | Azure Firewall FQDN tags | Easier to manage since the required FQDNs are automatically managed | Can be used with Azure Firewall only |
-| Allow access to service FQDNs/IPs | No additional costs <br><br> Works with all network security appliances and firewalls | A broad set of IPs or FQDNs may be required to be accessed |
+| Allow access to service FQDNs/IPs | No additional costs. <br><br> Works with all network security appliances and firewalls. <br><br> You can also use service endpoints for *Storage* and *Azure Active Directory*. However, for Azure Backup, you need to assign the access to the corresponding IPs/FQDNs. | A broad set of IPs or FQDNs may be required to be accessed. |
| Use an HTTP proxy | Single point of internet access to VMs | Additional costs to run a VM with the proxy software | The following sections provide more details around using these options.
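Review bot: the added service-endpoint sentence describes a different alternative from the one this row covers ("Allow access to service FQDNs/IPs"); this table gives each option its own row (private endpoints, NSG service tags, Azure Firewall FQDN tags), so either move the service-endpoint guidance to its own row or cut it down to the Azure Backup caveat. Minor: "assign the access to" should be "allow access to", and "may be required to be accessed" should be "may need to be allowed".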
bastion Connect Ip Address https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/bastion/connect-ip-address.md
Before you begin these steps, verify that you have the following environment set
1. To connect to a VM using a specified private IP address, you make the connection from Bastion to the VM, not directly from the VM page. On your Bastion page, select **Connect** to open the Connect page.
-1. On the Bastion **Connect** page, for **Hostname**, enter the private IP address of the target VM.
+1. On the Bastion **Connect** page, for **IP address**, enter the private IP address of the target VM.
:::image type="content" source="./media/connect-ip-address/ip-address.png" alt-text="Screenshot of the Connect using Azure Bastion page." lightbox="./media/connect-ip-address/ip-address.png":::
cloud-services-extended-support Cloud Services Model And Package https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cloud-services-extended-support/cloud-services-model-and-package.md
Once the cloud service is running in Azure, you can reconfigure it through the *
* I want to know more about the [ServiceDefinition.csdef](#csdef) and [ServiceConfig.cscfg](#cscfg) files. * I already know about that, give me [some examples](#next-steps) on what I can configure. * I want to create the [ServicePackage.cspkg](#cspkg).
-* I am using Visual Studio and I want to...
- * [Create a cloud service][vs_create]
- * [Reconfigure an existing cloud service][vs_reconfigure]
- * [Deploy a Cloud Service project][vs_deploy]
- * [Remote desktop into a cloud service instance][remotedesktop]
<a name="csdef"></a>
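Review bot: the removed bullets were the visible users of the reference-style links `[vs_create]`, `[vs_reconfigure]`, `[vs_deploy]` and `[remotedesktop]`; if their `[name]: url` definitions remain at the bottom of the file they are now dead and should go in the same change. Also confirm the Visual Studio guidance is covered elsewhere for Cloud Services (extended support) rather than simply dropped from the "I want to..." list.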
cognitive-services Entities https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/LUIS/concepts/entities.md
You can use entities as a signal for an intent. For example, the presence of a c
| Example utterance | Entity | Intent | |--|--|--|
-| Book me a _fight to New York_. | City | Book Flight |
+| Book me a _flight to New York_. | City | Book Flight |
| Book me the _main conference room_. | Room | Reserve Room | ## Entities as Feature for entities
cognitive-services Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Translator/document-translation/overview.md
The following document file types are supported by Document Translation:
|Tab Separated Values/TAB|tsv/tab| A tab-delimited raw-data file used by spreadsheet programs.| |Text|txt| An unformatted text document.|
+### Legacy file types
+
+Source file types will be preserved during the document translation with the following exceptions:
+
+| Source file extension | Translated file extension|
+| | |
+| .doc, .odt, .rtf, | .docx |
+| .xls, .ods | .xlsx |
+| .ppt, .odp | .pptx |
+ ## Supported glossary formats The following glossary file types are supported by Document Translation:
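Review bot: the separator row `| | |` under the new table header will not render as a markdown table header separator (the other tables in this change set use `|--|--|`), and `.doc, .odt, .rtf,` has a trailing comma. The lead-in sentence is also awkward: "Source file types will be preserved during the document translation with the following exceptions" reads better as "The translated document keeps the source file type, except for these legacy formats, which are converted:". Add a blank line before `## Supported glossary formats` so the heading isn't attached to the table.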
cognitive-services Model Lifecycle https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/language-service/concepts/model-lifecycle.md
Use the table below to find which API versions are supported by each feature:
| Feature | Supported versions | Latest Generally Available version | Latest preview version | |--||||
-| Custom text classification | `2022-03-01-preview` | | `2022-03-01-preview` |
-| Conversational language understanding | `2022-03-01-preview` | | `2022-03-01-preview` |
-| Custom named entity recognition | `2022-03-01-preview` | | `2022-03-01-preview` |
-| Orchestration workflow | `2022-03-01-preview` | | `2022-03-01-preview` |
+| Custom text classification | `2022-05-01` ,`2022-05-15-preview` | `2022-05-01` | `2022-05-15-preview` |
+| Conversational language understanding | `2022-05-01` ,`2022-05-15-preview` | `2022-05-01` | `2022-05-15-preview` |
+| Custom named entity recognition | `2022-05-01` ,`2022-05-15-preview` | `2022-05-01` | `2022-05-15-preview` |
+| Orchestration workflow | `2022-05-01`,`2022-05-15-preview` | `2022-05-01` | `2022-05-15-preview` |
## Next steps
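Review bot: inconsistent spacing in the "Supported versions" cells: three rows use `` `2022-05-01` ,`2022-05-15-preview` `` (space before the comma, none after) and the orchestration row uses `` `2022-05-01`,`2022-05-15-preview` ``; normalize all four to `` `2022-05-01`, `2022-05-15-preview` ``.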
cognitive-services Call Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/language-service/conversational-language-understanding/how-to/call-api.md
You can also use the client libraries provided by the Azure SDK to send requests
|Language |Package version | |||
- |.NET | [5.2.0-beta.2](https://www.nuget.org/packages/Azure.AI.TextAnalytics/5.2.0-beta.2) |
- |Python | [5.2.0b2](https://pypi.org/project/azure-ai-textanalytics/5.2.0b2/) |
+ |.NET | [1.0.0-beta.3 ](https://www.nuget.org/packages/Azure.AI.Language.Conversations/1.0.0-beta.3) |
+ |Python | [1.1.0b1](https://pypi.org/project/azure-ai-language-conversations/) |
4. After you've installed the client library, use the following samples on GitHub to start calling the API.
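Review bot: the .NET link text `[1.0.0-beta.3 ]` has a trailing space inside the brackets, and the Python row claims `1.1.0b1` but links to the unversioned project page (`https://pypi.org/project/azure-ai-language-conversations/`), unlike the pinned links used everywhere else in these tables; pin it, for example `https://pypi.org/project/azure-ai-language-conversations/1.1.0b1/`, so the row stays correct after the next release.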
cognitive-services Call Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/language-service/custom-named-entity-recognition/how-to/call-api.md
First you will need to get your resource key and endpoint:
|Language |Package version | |||
- |.NET | [5.2.0-beta.2](https://www.nuget.org/packages/Azure.AI.TextAnalytics/5.2.0-beta.2) |
- |Java | [5.2.0-beta.2](https://mvnrepository.com/artifact/com.azure/azure-ai-textanalytics/5.2.0-beta.2) |
- |JavaScript | [5.2.0-beta.2](https://www.npmjs.com/package/@azure/ai-text-analytics/v/5.2.0-beta.2) |
- |Python | [5.2.0b2](https://pypi.org/project/azure-ai-textanalytics/5.2.0b2/) |
+ |.NET | [5.2.0-beta.3](https://www.nuget.org/packages/Azure.AI.TextAnalytics/5.2.0-beta.3) |
+ |Java | [5.2.0-beta.3](https://mvnrepository.com/artifact/com.azure/azure-ai-textanalytics/5.2.0-beta.3) |
+ |JavaScript | [6.0.0-beta.1](https://www.npmjs.com/package/@azure/ai-text-analytics/v/6.0.0-beta.1) |
+ |Python | [5.2.0b4](https://pypi.org/project/azure-ai-textanalytics/5.2.0b4/) |
4. After you've installed the client library, use the following samples on GitHub to start calling the API.
cognitive-services Service Limits https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/language-service/custom-named-entity-recognition/service-limits.md
Custom named entity recognition is only available in some Azure regions. To use
* West Europe * North Europe * UK south
-* Southeast Asia
* Australia East
-* Sweden Central
## API limits
cognitive-services Call Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/language-service/custom-text-classification/how-to/call-api.md
First you will need to get your resource key and endpoint:
|Language |Package version | |||
- |.NET | [5.2.0-beta.2](https://www.nuget.org/packages/Azure.AI.TextAnalytics/5.2.0-beta.2) |
- |Java | [5.2.0-beta.2](https://mvnrepository.com/artifact/com.azure/azure-ai-textanalytics/5.2.0-beta.2) |
- |JavaScript | [5.2.0-beta.2](https://www.npmjs.com/package/@azure/ai-text-analytics/v/5.2.0-beta.2) |
- |Python | [5.2.0b2](https://pypi.org/project/azure-ai-textanalytics/5.2.0b2/) |
+ |.NET | [5.2.0-beta.3](https://www.nuget.org/packages/Azure.AI.TextAnalytics/5.2.0-beta.3) |
+ |Java | [5.2.0-beta.3](https://mvnrepository.com/artifact/com.azure/azure-ai-textanalytics/5.2.0-beta.3) |
+ |JavaScript | [6.0.0-beta.1](https://www.npmjs.com/package/@azure/ai-text-analytics/v/6.0.0-beta.1) |
+ |Python | [5.2.0b4](https://pypi.org/project/azure-ai-textanalytics/5.2.0b4/) |
4. After you've installed the client library, use the following samples on GitHub to start calling the API.
cognitive-services Service Limits https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/language-service/custom-text-classification/service-limits.md
Custom text classification is only available in some Azure regions. To use custo
* West Europe * North Europe * UK south
-* Southeast Asia
* Australia East
-* Sweden Central
+
## API limits
cognitive-services Call Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/language-service/orchestration-workflow/how-to/call-api.md
You can also use the client libraries provided by the Azure SDK to send requests
|Language |Package version | |||
- |.NET | [5.2.0-beta.2](https://www.nuget.org/packages/Azure.AI.TextAnalytics/5.2.0-beta.2) |
- |Python | [5.2.0b2](https://pypi.org/project/azure-ai-textanalytics/5.2.0b2/) |
+ |.NET | [1.0.0-beta.3 ](https://www.nuget.org/packages/Azure.AI.Language.Conversations/1.0.0-beta.3) |
+ |Python | [1.1.0b1](https://pypi.org/project/azure-ai-language-conversations/) |
4. After you've installed the client library, use the following samples on GitHub to start calling the API.
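Review bot: same two issues as the conversational language understanding table in this change set: a trailing space in `[1.0.0-beta.3 ]` and a Python link that is not pinned to the `1.1.0b1` version it names; pin it to `.../azure-ai-language-conversations/1.1.0b1/`.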
cognitive-services Adding Synonyms https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/language-service/question-answering/tutorials/adding-synonyms.md
As you can see, when `troubleshoot` was not added as a synonym, we got a low con
## Notes * Synonyms can be added in any order. The ordering is not considered in any computational logic.
+* Synonyms can only be added to a project that has at least one question and answer pair.
+* Synonyms can be added only when there is at least one question and answer pair present in a knowledge base.
* In case of overlapping synonym words between 2 sets of alterations, it may have unexpected results and it is not recommended to use overlapping sets. * Special characters are not allowed for synonyms. For hyphenated words like "COVID-19", they are treated the same as "COVID 19", and "space" can be used as a term separator. Following is the list of special characters **not allowed**:
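Review bot: the two added bullets state the same rule twice (a "project" with "at least one question and answer pair" and a "knowledge base" with "at least one question and answer pair present"); keep one of them, using whichever term ("project" or "knowledge base") the rest of the article uses.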
cognitive-services Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/language-service/summarization/overview.md
Conversation summarization feature would simplify the text into the following:
|Example summary | Format | Conversation aspect | ||-|-|
-| Customer wants to use the wifi connection on their Smart Brew 300. They canΓÇÖt connect it using the Contoso Coffee app. | One or two sentences | issue |
-| Checked if the power light is blinking slowly. Tried to do a factory reset. | One or more sentences, generated from multiple lines of the transcript. | resolution |
+| Customer wants to use the wifi connection on their Smart Brew 300. But it didn't work. | One or two sentences | issue |
+| Checked if the power light is blinking slowly. Checked the Contoso coffee app. It had no prompt. Tried to do a factory reset. | One or more sentences, generated from multiple lines of the transcript. | resolution |
connectors Connectors Create Api Informix https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/connectors/connectors-create-api-informix.md
Title: Connect to IBM Informix database
description: Automate tasks and workflows that manage resources stored in IBM Informix by using Azure Logic Apps ms.suite: integration--++ Last updated 01/07/2020
connectors Managed https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/connectors/managed.md
For more information, see these topics:
[youtube-icon]: ./media/apis-list/youtube.png <!--Managed connector doc links-->
-[apache-impala-doc]: /connectors/azureimpala/ "Connect to your Impala database to read data from tables"
+[apache-impala-doc]: /connectors/impala/ "Connect to your Impala database to read data from tables"
[azure-automation-doc]: /connectors/azureautomation/ "Create and manage automation jobs for your cloud and on-premises infrastructure" [azure-blob-storage-doc]: ./connectors-create-api-azureblobstorage.md "Manage files in your blob container with Azure blob storage connector" [azure-cosmos-db-doc]: ./connectors-create-api-cosmos-db.md "Connect to Azure Cosmos DB so that you can access and manage Azure Cosmos DB documents"
For more information, see these topics:
[x12-encode-doc]: ../logic-apps/logic-apps-enterprise-integration-X12-encode.md "Encode messages that use the X12 protocol" <!--Other doc links-->
-[gateway-doc]: ../logic-apps/logic-apps-gateway-connection.md "Connect to data sources on-premises from logic apps with on-premises data gateway"
+[gateway-doc]: ../logic-apps/logic-apps-gateway-connection.md "Connect to data sources on-premises from logic apps with on-premises data gateway"
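Review bot: the `-`/`+` pair for `[gateway-doc]` is identical as rendered, so this is a whitespace-only change (trailing space or line ending); if it is a CRLF/LF flip on a single line, either revert it or normalize the whole file, since one mixed line ending will reappear in every later diff of this file.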
container-apps Compare Options https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-apps/compare-options.md
Title: 'Comparing Container Apps with other Azure container options' description: Understand when to use Azure Container Apps and how it compares to other container options including Azure Container Instances, Azure App Service, Azure Functions, and Azure Kubernetes Service. -+ Last updated 11/03/2021-+
container-apps Quickstart Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-apps/quickstart-portal.md
In this quickstart, you create a secure Container Apps environment and deploy yo
## Prerequisites
-An Azure account with an active subscription is required. If you don't already have one, you can [create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
+An Azure account with an active subscription is required. If you don't already have one, you can [create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F). Also, please make sure to have the Resource Provider "Microsoft.App" registered.
## Setup
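Review bot: "Also, please make sure to have the Resource Provider "Microsoft.App" registered." gives the reader no way to do it, and docs style avoids "please"; state it as a prerequisite with the command, for example `az provider register --namespace Microsoft.App`, or link to the resource-provider registration article.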
container-apps Revisions Manage https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-apps/revisions-manage.md
As you interact with this example, replace the placeholders surrounded by `<>` w
## Deactivate
-Deactivate revisions that are no longer in use with `az container app revision deactivate`. Deactivation stops all running replicas of a revision.
+Deactivate revisions that are no longer in use with `az containerapp revision deactivate`. Deactivation stops all running replicas of a revision.
# [Bash](#tab/bash)
container-instances Container Instances Custom Dns https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-instances/container-instances-custom-dns.md
+
+ Title: Configure custom DNS settings for container group in Azure Container Instances
+description: Configure a public or private DNS configuration for a container group
+++++ Last updated : 05/25/2022++
+# Deploy a container group with custom DNS settings
+
+In [Azure Virtual Network](../virtual-network/virtual-networks-overview.md), you can deploy container groups using the `az container create` command in the Azure CLI. You can also provide advanced configuration settings to the `az container create` command using a YAML configuration file.
+
+This article demonstrates how to deploy a container group with custom DNS settings using a YAML configuration file.
+
+For more information on deploying container groups to a virtual network, see the [Deploy in a virtual network article](container-instances-vnet.md).
+
+> [!IMPORTANT]
+> Previously, the process of deploying container groups on virtual networks used [network profiles](/azure/container-instances/container-instances-virtual-network-concepts#network-profile) for configuration. However, network profiles have been retired as of the `2021-07-01` API version. We recommend you use the latest API version, which relies on [subnet IDs](/azure/virtual-network/subnet-delegation-overview) instead.
+
+## Prerequisites
+
+* An **active Azure subscription**. If you don't have an active Azure subscription, create a [free account](https://azure.microsoft.com/free) before you begin.
+
+* **Azure CLI**. The command-line examples in this article use the [Azure CLI](/cli/azure/) and are formatted for the Bash shell. You can [install the Azure CLI](/cli/azure/install-azure-cli) locally or use the [Azure Cloud Shell][cloud-shell-bash].
+
+* A **resource group** to manage all the resources you use in this how-to guide. We use the example resource group name **ACIResourceGroup** throughout this article.
+
+ ```azurecli-interactive
+ az group create --name ACIResourceGroup --location westus
+ ```
+
+## Limitations
+
+For networking scenarios and limitations, see [Virtual network scenarios and resources for Azure Container Instances](container-instances-virtual-network-concepts.md).
+
+> [!IMPORTANT]
+> Container group deployment to a virtual network is available for Linux containers in most regions where Azure Container Instances is available. For details, see [Regions and resource availability](container-instances-region-availability.md).
+Examples in this article are formatted for the Bash shell. For PowerShell or command prompt, adjust the line continuation characters accordingly.
+
+## Create your virtual network
+
+You'll need a virtual network to deploy a container group with a custom DNS configuration. This virtual network will require a subnet with permissions to create Azure Container Instances resources and a linked private DNS zone to test name resolution.
+
+This guide uses a virtual network named `aci-vnet`, a subnet named `aci-subnet`, and a private DNS zone named `private.contoso.com`. We use **Azure Private DNS Zones**, which you can learn about in the [Private DNS Overview](../dns/private-dns-overview.md).
+
+If you have an existing virtual network that meets these criteria, you can skip to [Deploy your container group](#deploy-your-container-group).
+
+> [!TIP]
+> You can modify the following commands with your own information as needed.
+
+1. Create the virtual network using the [az network vnet create][az-network-vnet-create] command. Enter address prefixes in Classless Inter-Domain Routing (CIDR) format (for example: `10.0.0.0/16`).
+
+ ```azurecli
+ az network vnet create \
+ --name aci-vnet \
+ --resource-group ACIResourceGroup \
+ --location westus \
+ --address-prefix 10.0.0.0/16
+ ```
+
+1. Create the subnet using the [az network vnet subnet create][az-network-vnet-subnet-create] command. The following command creates a subnet in your virtual network with a delegation that permits it to create container groups. For more information about working with subnets, see the [Add, change, or delete a virtual network subnet](../virtual-network/virtual-network-manage-subnet.md). For more information about subnet delegation, see the [Virtual Network Scenarios and Resources article section on delegated subnets](container-instances-virtual-network-concepts.md#subnet-delegated).
+
+ ```azurecli
+ az network vnet subnet create \
+ --name aci-subnet \
+ --resource-group ACIResourceGroup \
+ --vnet-name aci-vnet \
+ --address-prefixes 10.0.0.0/24 \
+ --delegations Microsoft.ContainerInstance/containerGroups
+ ```
+
+1. Record the subnet ID key-value pair from the output of this command. You'll use this in your YAML configuration file later. It will take the form `"id"`: `"/subscriptions/<subscription-ID>/resourceGroups/ACIResourceGroup/providers/Microsoft.Network/virtualNetworks/aci-vnet/subnets/aci-subnet"`.
+
+1. Create the private DNS Zone using the [az network private-dns zone create][az-network-private-dns-zone-create] command.
+
+ ```azurecli
+ az network private-dns zone create -g ACIResourceGroup -n private.contoso.com
+ ```
+
+1. Link the DNS zone to your virtual network using the [az network private-dns link vnet create][az-network-private-dns-link-vnet-create] command. The DNS server is only required to test name resolution. The `-e` flag enables automatic hostname registration, which is unneeded, so we set it to `false`.
+
+ ```azurecli
+ az network private-dns link vnet create \
+ -g ACIResourceGroup \
+ -n aciDNSLink \
+ -z private.contoso.com \
+ -v aci-vnet \
+ -e false
+ ```
+
+Once you've completed the steps above, you should see an output with a final key-value pair that reads `"virtualNetworkLinkState"`: `"Completed"`.
+
+## Deploy your container group
+
+> [!NOTE]
+> Custom DNS settings are not currently available in the Azure portal for container group deployments. They must be provided with YAML file, Resource Manager template, [REST API](/rest/api/container-instances/containergroups/createorupdate), or an [Azure SDK](https://azure.microsoft.com/downloads/).
+
+Copy the following YAML into a new file named *custom-dns-deploy-aci.yaml*. Edit the following configurations with your values:
+
+* `dnsConfig`: DNS settings for your containers within your container group.
+ * `nameServers`: A list of name servers to be used for DNS lookups.
+ * `searchDomains`: DNS suffixes to be appended for DNS lookups.
+* `ipAddress`: The private IP address settings for the container group.
+ * `ports`: The ports to open, if any.
+ * `protocol`: The protocol (TCP or UDP) for the opened port.
+* `subnetIDs`: Network settings for the subnet(s) in the virtual network.
+ * `id`: The full Resource Manager resource ID of the subnet, which you obtained earlier.
+
+> [!NOTE]
+> The DNS config fields aren't automatically queried at this time, so these fields must be explicitly filled out.
+
+```yaml
+apiVersion: '2021-07-01'
+location: westus
+name: pwsh-vnet-dns
+properties:
+ containers:
+ - name: pwsh-vnet-dns
+ properties:
+ command:
+ - /bin/bash
+ - -c
+ - echo hello; sleep 10000
+ environmentVariables: []
+ image: mcr.microsoft.com/powershell:latest
+ ports:
+ - port: 80
+ resources:
+ requests:
+ cpu: 1.0
+ memoryInGB: 2.0
+ dnsConfig:
+ nameServers:
+ - 10.0.0.10 # DNS Server 1
+ - 10.0.0.11 # DNS Server 2
+ searchDomains: contoso.com # DNS search suffix
+ ipAddress:
+ type: Private
+ ports:
+ - port: 80
+ subnetIds:
+ - id: /subscriptions/<subscription-ID>/resourceGroups/ACIResourceGroup/providers/Microsoft.Network/virtualNetworks/aci-vnet/subnets/aci-subnet
+ osType: Linux
+tags: null
+type: Microsoft.ContainerInstance/containerGroups
+```
+
+Deploy the container group with the [az container create][az-container-create] command, specifying the YAML file name with the `--file` parameter:
+
+```azurecli
+az container create --resource-group ACIResourceGroup \
+ --file custom-dns-deploy-aci.yaml
+```
+
+Once the deployment is complete, run the [az container show][az-container-show] command to display its status. Sample output:
+
+```azurecli
+az container show --resource-group ACIResourceGroup --name pwsh-vnet-dns -o table
+```
+
+```console
+Name ResourceGroup Status Image IP:ports Network CPU/Memory OsType Location
+- -- -- -- -
+pwsh-vnet-dns ACIResourceGroup Running mcr.microsoft.com/powershell 10.0.0.5:80 Private 1.0 core/2.0 gb Linux westus
+```
+
+After the status shows `Running`, execute the [az container exec][az-container-exec] command to obtain bash access within the container.
+
+```azurecli
+az container exec --resource-group ACIResourceGroup --name pwsh-vnet-dns --exec-command "/bin/bash"
+```
+
+Validate that DNS is working as expected from within your container. For example, read the `/etc/resolv.conf` file to ensure it's configured with the DNS settings provided in the YAML file.
+
+```console
+root@wk-caas-81d609b206c541589e11058a6d260b38-90b0aff460a737f346b3b0:/# cat /etc/resolv.conf
+
+nameserver 10.0.0.10
+nameserver 10.0.0.11
+search contoso.com
+```
+
+## Clean up resources
+
+### Delete container instances
+
+When you're finished with the container instance you created, delete it with the [az container delete][az-container-delete] command:
+
+```azurecli
+az container delete --resource-group ACIResourceGroup --name pwsh-vnet-dns -y
+```
+
+### Delete network resources
+
+If you don't plan to use this virtual network again, you can delete it with the [az network vnet delete][az-network-vnet-delete] command:
+
+```azurecli
+az network vnet delete --resource-group ACIResourceGroup --name aci-vnet
+```
+
+### Delete resource group
+
+If you don't plan to use this resource group outside of this guide, you can delete it with [az group delete][az-group-delete] command:
+
+```azurecli
+az group delete --name ACIResourceGroup
+```
+
+Enter `y` when prompted if you're sure you wish to perform the operation.
+
+## Next steps
+
+See the Azure quickstart template [Create an Azure container group with VNet](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.containerinstance/aci-vnet), to deploy a container group within a virtual network.
+
+<!-- LINKS - Internal -->
+[az-network-vnet-create]: /cli/azure/network/vnet#az-network-vnet-create
+[az-network-vnet-subnet-create]: /cli/azure/network/vnet/subnet#az-network-vnet-subnet-create
+[az-network-private-dns-zone-create]: /cli/azure/network/private-dns/zone#az-network-private-dns-zone-create
+[az-network-private-dns-link-vnet-create]: /cli/azure/network/private-dns/link/vnet#az-network-private-dns-link-vnet-create
+[az-container-create]: /cli/azure/container#az-container-create
+[az-container-show]: /cli/azure/container#az-container-show
+[az-container-exec]: /cli/azure/container#az-container-exec
+[az-container-delete]: /cli/azure/container#az-container-delete
+[az-network-vnet-delete]: /cli/azure/network/vnet#az-network-vnet-delete
+[az-group-delete]: /cli/azure/group#az-group-create
+[cloud-shell-bash]: /cloud-shell/overview.md
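Review bot: the walkthrough creates and links the private DNS zone `private.contoso.com` "to test name resolution" but never exercises it: the container is pointed at name servers `10.0.0.10` and `10.0.0.11`, which nothing in the article deploys (they fall inside `aci-subnet`, where the only resource created is the container group, shown at `10.0.0.5`), the search domain is `contoso.com` rather than `private.contoso.com`, no record is added to the zone, and the validation step only reads `/etc/resolv.conf`. Either drop the zone steps, or add a record and resolve it from inside the container, noting that with custom `nameServers` those servers must forward the zone to Azure DNS at `168.63.129.16` for the private zone to resolve. Smaller fixes: `[az-group-delete]: /cli/azure/group#az-group-create` points at the wrong anchor (`#az-group-delete`); the line "Examples in this article are formatted for the Bash shell..." sits directly under the second IMPORTANT callout with no blank line, so it renders inside the callout, and it repeats the Bash note already given under Prerequisites; `[cloud-shell-bash]: /cloud-shell/overview.md` mixes a `.md` suffix with the site-relative form the other link definitions use.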
container-registry Buffer Gate Public Content https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-registry/buffer-gate-public-content.md
For details, see [Docker Hub authenticated pulls on App Service](https://azure.g
To begin managing copies of public images, you can create an Azure container registry if you don't already have one. Create a registry using the [Azure CLI](container-registry-get-started-azure-cli.md), [Azure portal](container-registry-get-started-portal.md), [Azure PowerShell](container-registry-get-started-powershell.md), or other tools.
+# [Azure CLI](#tab/azure-cli)
+ As a recommended one-time step, [import](container-registry-import-images.md) base images and other public content to your Azure container registry. The [az acr import](/cli/azure/acr#az-acr-import) command in the Azure CLI supports image import from public registries such as Docker Hub and Microsoft Container Registry and from other private container registries. `az acr import` doesn't require a local Docker installation. You can run it with a local installation of the Azure CLI or directly in Azure Cloud Shell. It supports images of any OS type, multi-architecture images, or OCI artifacts such as Helm charts. Depending on your organization's needs, you can import to a dedicated registry or a repository in a shared registry.
-# [Azure CLI](#tab/azure-cli)
-Example:
- ```azurecli-interactive az acr import \ --name myregistry \
az acr import \
--password <Docker Hub token> ```
-# [PowerShell](#tab/azure-powershell)
-Example:
+# [Azure PowerShell](#tab/azure-powershell)
+
+As a recommended one-time step, [import](container-registry-import-images.md) base images and other public content to your Azure container registry. The [Import-AzContainerRegistryImage](/powershell/module/az.containerregistry/import-azcontainerregistryimage) command in the Azure PowerShell supports image import from public registries such as Docker Hub and Microsoft Container Registry and from other private container registries.
+
+`Import-AzContainerRegistryImage` doesn't require a local Docker installation. You can run it with a local installation of the Azure PowerShell or directly in Azure Cloud Shell. It supports images of any OS type, multi-architecture images, or OCI artifacts such as Helm charts.
+
+Depending on your organization's needs, you can import to a dedicated registry or a repository in a shared registry.
```azurepowershell-interactive
-Import-AzContainerRegistryImage
- -SourceImage library/busybox:latest
- -ResourceGroupName $resourceGroupName
- -RegistryName $RegistryName
- -SourceRegistryUri docker.io
- -TargetTag busybox:latest
+$Params = @{
+ SourceImage = 'library/busybox:latest'
+ ResourceGroupName = $resourceGroupName
+ RegistryName = $RegistryName
+ SourceRegistryUri = 'docker.io'
+ TargetTag = 'busybox:latest'
+}
+Import-AzContainerRegistryImage @Params
```
- Credentials are required if the source registry is not available publicly or the admin user is disabled.
+
+Credentials are required if the source registry is not available publicly or the admin user is disabled.
++ ## Update image references
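Review bot: the new Azure PowerShell tab drops the credential parameter that the CLI tab shows (`--password <Docker Hub token>`) but keeps the sentence "Credentials are required if the source registry is not available publicly or the admin user is disabled", which now has nothing in the example to refer to; add the cmdlet's credential parameters to the splatted example (assuming the cmdlet exposes them as `Username` and `Password` entries in `$Params`) or move that sentence. Wording: "a local installation of the Azure PowerShell" should be "of Azure PowerShell". The two stray added blank lines before `## Update image references` and the re-added credentials sentence with changed indentation look like leftover edits; tidy them so the tab block ends cleanly.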
container-registry Container Registry Tasks Base Images https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-registry/container-registry-tasks-base-images.md
See the following tutorials for scenarios to automate application image builds a
* [Automate container image builds when a base image is updated in the same registry](container-registry-tutorial-base-image-update.md)
-* [Automate container image builds when a base image is updated in a different registry](container-registry-tutorial-base-image-update.md)
+* [Automate container image builds when a base image is updated in a different registry](container-registry-tutorial-private-base-image-update.md)
<!-- LINKS - External -->
cosmos-db Migrate Data Databricks https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/cassandra/migrate-data-databricks.md
Select **Install**, and then restart the cluster when installation is complete.
> [!NOTE] > Make sure that you restart the Databricks cluster after the Cassandra Connector library has been installed.
+> [!WARNING]
+> The samples shown in this article have been tested with Spark **version 3.0.1** and the corresponding Cassandra Spark Connector **com.datastax.spark:spark-cassandra-connector-assembly_2.12:3.0.0**. Later versions of Spark and/or the Cassandra connector may not function as expected.
+ ## Create Scala Notebook for migration Create a Scala Notebook in Databricks. Replace your source and target Cassandra configurations with the corresponding credentials, and source and target keyspaces and tables. Then run the following code:
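Review bot: the `> [!WARNING]` block is added directly after the `> [!NOTE]` block with no blank line between them, so markdown merges the two into one callout; insert a blank line, as the spark-create-operations change in this same set does. Style: "and/or" reads better as "or", and since the same tested pair (Spark 3.0.1, connector `spark-cassandra-connector-assembly_2.12:3.0.0`) is now copied into several Cassandra articles, a shared include would keep them from drifting apart.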
cosmos-db Spark Create Operations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/cassandra/spark-create-operations.md
spark.conf.set("spark.cassandra.connection.keep_alive_ms", "600000000")
``` > [!NOTE]
-> If you are using Spark 3.0 or higher, you do not need to install the Cosmos DB helper and connection factory. You should also use `remoteConnectionsPerExecutor` instead of `connections_per_executor_max` for the Spark 3 connector (see above). You will see that connection related properties are defined within the notebook above. Using the syntax below, connection properties can be defined in this manner without needing to be defined at the cluster level (Spark context initialization).
+> If you are using Spark 3.0, you do not need to install the Cosmos DB helper and connection factory. You should also use `remoteConnectionsPerExecutor` instead of `connections_per_executor_max` for the Spark 3 connector (see above). You will see that connection related properties are defined within the notebook above. Using the syntax below, connection properties can be defined in this manner without needing to be defined at the cluster level (Spark context initialization).
+
+> [!WARNING]
+> The Spark 3 samples shown in this article have been tested with Spark **version 3.0.1** and the corresponding Cassandra Spark Connector **com.datastax.spark:spark-cassandra-connector-assembly_2.12:3.0.0**. Later versions of Spark and/or the Cassandra connector may not function as expected.
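Review bot: changing "Spark 3.0 or higher" to "Spark 3.0" in the NOTE narrows the statement so that it now reads as if Spark 3.1+ still needs the Cosmos DB helper and connection factory, which is presumably not the intent; the version caveat is already carried by the new WARNING. Suggest keeping the broader wording and pointing at the tested version, e.g. "If you are using Spark 3.0 or higher (tested with 3.0.1, see the warning below), you do not need to install ...".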
## Dataframe API
cosmos-db Spark Databricks https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/cassandra/spark-databricks.md
This article details how to work with Azure Cosmos DB Cassandra API from Spark o
* **Azure Cosmos DB Cassandra API-specific library:** - If you are using Spark 2.x, a custom connection factory is required to configure the retry policy from the Cassandra Spark connector to Azure Cosmos DB Cassandra API. Add the `com.microsoft.azure.cosmosdb:azure-cosmos-cassandra-spark-helper:1.2.0`[maven coordinates](https://search.maven.org/artifact/com.microsoft.azure.cosmosdb/azure-cosmos-cassandra-spark-helper/1.2.0/jar) to attach the library to the cluster. > [!NOTE]
-> If you are using Spark 3.0 or higher, you do not need to install the Cosmos DB Cassandra API-specific library mentioned above.
+> If you are using Spark 3.0, you do not need to install the Cosmos DB Cassandra API-specific library mentioned above.
+
+> [!WARNING]
+> The Spark 3 samples shown in this article have been tested with Spark **version 3.0.1** and the corresponding Cassandra Spark Connector **com.datastax.spark:spark-cassandra-connector-assembly_2.12:3.0.0**. Later versions of Spark and/or the Cassandra connector may not function as expected.
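Review bot: after this change the bullet covers Spark 2.x (helper 1.2.0 required) and the NOTE covers Spark 3.0 only, so a reader on Spark 3.1 or later gets no statement about whether the Cosmos DB Cassandra API-specific library is needed. Either restore "or higher" in the NOTE or add a sentence saying that later Spark 3 versions are untested, consistent with the WARNING that follows.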
## Sample notebooks
cosmos-db Spark Ddl Operations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/cassandra/spark-ddl-operations.md
spark.conf.set("spark.cassandra.connection.keep_alive_ms", "600000000")
``` > [!NOTE]
-> If you are using Spark 3.0 or higher, you do not need to install the Cosmos DB helper and connection factory. You should also use `remoteConnectionsPerExecutor` instead of `connections_per_executor_max` for the Spark 3 connector (see above).
+> If you are using Spark 3.0, you do not need to install the Cosmos DB helper and connection factory. You should also use `remoteConnectionsPerExecutor` instead of `connections_per_executor_max` for the Spark 3 connector (see above).
+
+> [!WARNING]
+> The Spark 3 samples shown in this article have been tested with Spark **version 3.0.1** and the corresponding Cassandra Spark Connector **com.datastax.spark:spark-cassandra-connector-assembly_2.12:3.0.0**. Later versions of Spark and/or the Cassandra connector may not function as expected.
## Keyspace DDL operations
cosmos-db Spark Delete Operation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/cassandra/spark-delete-operation.md
spark.conf.set("spark.cassandra.connection.keep_alive_ms", "600000000")
``` > [!NOTE]
-> If you are using Spark 3.0 or higher, you do not need to install the Cosmos DB helper and connection factory. You should also use `remoteConnectionsPerExecutor` instead of `connections_per_executor_max` for the Spark 3 connector (see above). You will see that connection related properties are defined within the notebook above. Using the syntax below, connection properties can be defined in this manner without needing to be defined at the cluster level (Spark context initialization). However, when using operations that require spark context (for example, `CassandraConnector(sc)` for `delete` as shown below), connection properties need to be defined at the cluster level.
+> If you are using Spark 3.0, you do not need to install the Cosmos DB helper and connection factory. You should also use `remoteConnectionsPerExecutor` instead of `connections_per_executor_max` for the Spark 3 connector (see above). You will see that connection related properties are defined within the notebook above. Using the syntax below, connection properties can be defined in this manner without needing to be defined at the cluster level (Spark context initialization). However, when using operations that require spark context (for example, `CassandraConnector(sc)` for `delete` as shown below), connection properties need to be defined at the cluster level.
+
+> [!WARNING]
+> The Spark 3 samples shown in this article have been tested with Spark **version 3.0.1** and the corresponding Cassandra Spark Connector **com.datastax.spark:spark-cassandra-connector-assembly_2.12:3.0.0**. Later versions of Spark and/or the Cassandra connector may not function as expected.
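Review bot: the NOTE states that operations using `CassandraConnector(sc)` require connection properties to be defined at the cluster level; if those properties include authentication settings, it would help to say where they should come from (a secret scope rather than plain-text cluster configuration), since cluster-level configuration is visible to everyone who can view the cluster. Minor: "spark context" should be "Spark context", matching the parenthetical earlier in the same line.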
## Sample data generator We will use this code fragment to generate sample data:
cosmos-db Spark Read Operation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/cassandra/spark-read-operation.md
spark.conf.set("spark.cassandra.connection.keep_alive_ms", "600000000")
``` > [!NOTE]
-> If you are using Spark 3.0 or higher, you do not need to install the Cosmos DB helper and connection factory. You should also use `remoteConnectionsPerExecutor` instead of `connections_per_executor_max` for the Spark 3 connector(see above). You will see that connection related properties are defined within the notebook above. Using the syntax below, connection properties can be defined in this manner without needing to be defined at the cluster level (Spark context initialization).
+> If you are using Spark 3.0, you do not need to install the Cosmos DB helper and connection factory. You should also use `remoteConnectionsPerExecutor` instead of `connections_per_executor_max` for the Spark 3 connector(see above). You will see that connection related properties are defined within the notebook above. Using the syntax below, connection properties can be defined in this manner without needing to be defined at the cluster level (Spark context initialization).
+
+> [!WARNING]
+> The Spark 3 samples shown in this article have been tested with Spark **version 3.0.1** and the corresponding Cassandra Spark Connector **com.datastax.spark:spark-cassandra-connector-assembly_2.12:3.0.0**. Later versions of Spark and/or the Cassandra connector may not function as expected.
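Review bot: the changed NOTE line keeps the typo "Spark 3 connector(see above)" with no space before the parenthesis; since the line is being edited anyway, fix it to "Spark 3 connector (see above)" as in the sibling articles.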
## Dataframe API
cosmos-db Spark Table Copy Operations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/cassandra/spark-table-copy-operations.md
spark.conf.set("spark.cassandra.connection.keep_alive_ms", "600000000")
> [!NOTE] > If you are using Spark 3.0 or higher, you do not need to install the Cosmos DB helper and connection factory. You should also use `remoteConnectionsPerExecutor` instead of `connections_per_executor_max` for the Spark 3 connector (see above). You will see that connection related properties are defined within the notebook above. Using the syntax below, connection properties can be defined in this manner without needing to be defined at the cluster level (Spark context initialization).
+> [!WARNING]
+> The Spark 3 samples shown in this article have been tested with Spark **version 3.0.1** and the corresponding Cassandra Spark Connector **com.datastax.spark:spark-cassandra-connector-assembly_2.12:3.0.0**. Later versions of Spark and/or the Cassandra connector may not function as expected.
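Review bot: this article's NOTE is left unchanged and still says "Spark 3.0 or higher", while the same NOTE was changed to "Spark 3.0" in the other seven Cassandra API Spark articles in this commit. Make the wording consistent across the set (preferably the "or higher" form plus the tested-version WARNING). Also, the "## Insert sample data" heading and the opening "```scala" fence on the last added line must each start on their own line to render.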
+ ## Insert sample data ```scala val booksDF = Seq(
cosmos-db Spark Upsert Operations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/cassandra/spark-upsert-operations.md
spark.conf.set("spark.cassandra.connection.keep_alive_ms", "600000000")
``` > [!NOTE]
-> If you are using Spark 3.0 or higher, you do not need to install the Cosmos DB helper and connection factory. You should also use `remoteConnectionsPerExecutor` instead of `connections_per_executor_max` for the Spark 3 connector (see above). You will see that connection related properties are defined within the notebook above. Using the syntax below, connection properties can be defined in this manner without needing to be defined at the cluster level (Spark context initialization). However, when using operations that require spark context (for example, `CassandraConnector(sc)` for `update` as shown below), connection properties need to be defined at the cluster level.
+> If you are using Spark 3.0, you do not need to install the Cosmos DB helper and connection factory. You should also use `remoteConnectionsPerExecutor` instead of `connections_per_executor_max` for the Spark 3 connector (see above). You will see that connection related properties are defined within the notebook above. Using the syntax below, connection properties can be defined in this manner without needing to be defined at the cluster level (Spark context initialization). However, when using operations that require spark context (for example, `CassandraConnector(sc)` for `update` as shown below), connection properties need to be defined at the cluster level.
+
+> [!WARNING]
+> The Spark 3 samples shown in this article have been tested with Spark **version 3.0.1** and the corresponding Cassandra Spark Connector **com.datastax.spark:spark-cassandra-connector-assembly_2.12:3.0.0**. Later versions of Spark and/or the Cassandra connector may not function as expected.
## Dataframe API
cosmos-db Concepts Limits https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/concepts-limits.md
Depending on the current RU/s provisioned and resource settings, each resource c
| Maximum RU/s per container | 5,000 | | Maximum storage across all items per (logical) partition | 20 GB | | Maximum number of distinct (logical) partition keys | Unlimited |
-| Maximum storage per container (SQL API, Mongo API, Table API, Gremlin API)| 50 GB |
+| Maximum storage per container (SQL API, Mongo API, Table API, Gremlin API)| 50 GB<sup>1</sup> |
| Maximum storage per container (Cassandra API)| 30 GB |
+<sup>1</sup> Serverless containers up to 1 TB are currently in preview with Azure Cosmos DB. To try the new feature, register the *"Azure Cosmos DB Serverless 1 TB Container Preview"* [preview feature in your Azure subscription](../azure-resource-manager/management/preview-features.md).
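Review bot: the new footnote <sup>1</sup> is attached only to the SQL/Mongo/Table/Gremlin storage row, leaving it unstated whether the 1 TB serverless preview applies to the Cassandra API row below it; a short clause either way would remove the ambiguity. Also note the same marker <sup>1</sup> is already used for a different footnote (16 MB documents) further down this article, so consider distinct markers to avoid two "1" footnotes in one page.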
## Control plane operations
An Azure Cosmos item can represent either a document in a collection, a row in a
| Maximum level of nesting for embedded objects / arrays | 128 | | Maximum TTL value |2147483647 |
-<sup>1</sup> Large document sizes up to 16 Mb are currently in preview with Azure Cosmos DB API for MongoDB only. Sign-up for the feature ΓÇ£Azure Cosmos DB API For MongoDB 16MB Document SupportΓÇ¥ from [Preview Features the Azure portal](./access-previews.md), to try the new feature.
+<sup>1</sup> Large document sizes up to 16 Mb are currently in preview with Azure Cosmos DB API for MongoDB only. Sign-up for the feature ΓÇ£Azure Cosmos DB API For MongoDB 16 MB Document SupportΓÇ¥ from [Preview Features the Azure portal](./access-previews.md), to try the new feature.
There are no restrictions on the item payloads (like number of properties and nesting depth), except for the length restrictions on partition key and ID values, and the overall size restriction of 2 MB. You may have to configure indexing policy for containers with large or complex item structures to reduce RU consumption. See [Modeling items in Cosmos DB](how-to-model-partition-example.md) for a real-world example, and patterns to manage large items.
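Review bot: the unit in "Large document sizes up to 16 Mb" is megabits; the feature is 16 megabytes, so it should read "16 MB", and since the only change in this hunk is adding the space in the quoted feature name, fix the unit in the same line. Verify that the quoted portal string "Azure Cosmos DB API For MongoDB 16 MB Document Support" matches what the portal actually shows after the spacing change, otherwise readers searching the Preview Features blade will not find it.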
See the [Autoscale](provision-throughput-autoscale.md#autoscale-limits) article
| Current RU/s the system is scaled to | `0.1*Tmax <= T <= Tmax`, based on usage| | Minimum billable RU/s per hour| `0.1 * Tmax` <br></br>Billing is done on a per-hour basis, where you're billed for the highest RU/s the system scaled to in the hour, or `0.1*Tmax`, whichever is higher. | | Minimum autoscale max RU/s for a container | `MAX(1000, highest max RU/s ever provisioned / 10, current storage in GB * 100)` rounded to nearest 1000 RU/s |
-| Minimum autoscale max RU/s for a database | `MAX(1000, highest max RU/s ever provisioned / 10, current storage in GB * 100, 1000 + (MAX(Container count - 25, 0) * 1000))`, rounded to nearest 1000 RU/s. <br></br>Note if your database has more than 25 containers, the system increments the minimum autoscale max RU/s by 1000 RU/s per additional container. For example, if you have 30 containers, the lowest autoscale maximum RU/s you can set is 6000 RU/s (scales between 600 - 6000 RU/s).
+| Minimum autoscale max RU/s for a database | `MAX(1000, highest max RU/s ever provisioned / 10, current storage in GB * 100, 1000 + (MAX(Container count - 25, 0) * 1000))`, rounded to nearest 1000 RU/s. <br></br>Note if your database has more than 25 containers, the system increments the minimum autoscale max RU/s by 1000 RU/s per extra container. For example, if you have 30 containers, the lowest autoscale maximum RU/s you can set is 6000 RU/s (scales between 600 - 6000 RU/s).
## SQL query limits
Get started with Azure Cosmos DB with one of our quickstarts:
* [Get started with Azure Cosmos DB Gremlin API](create-graph-dotnet.md) * [Get started with Azure Cosmos DB Table API](table/create-table-dotnet.md) * Trying to do capacity planning for a migration to Azure Cosmos DB? You can use information about your existing database cluster for capacity planning.
- * If all you know is the number of vcores and servers in your existing database cluster, read about [estimating request units using vCores or vCPUs](convert-vcore-to-request-unit.md)
+ * If all you know is the number of vCores and servers in your existing database cluster, read about [estimating request units using vCores or vCPUs](convert-vcore-to-request-unit.md)
* If you know typical request rates for your current database workload, read about [estimating request units using Azure Cosmos DB capacity planner](estimate-ru-with-capacity-planner.md) > [!div class="nextstepaction"]
cosmos-db Merge https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/merge.md
Support for these connectors is planned for the future.
## Next steps
-* Learn more about [using Azure CLI with Azure Cosmos DB.](/cli/azure/azure-cli-reference-for-cosmos-db.md)
+* Learn more about [using Azure CLI with Azure Cosmos DB.](/cli/azure/azure-cli-reference-for-cosmos-db)
* Learn more about [using Azure PowerShell with Azure Cosmos DB.](/powershell/module/az.cosmosdb/) * Learn more about [partitioning in Azure Cosmos DB.](partitioning-overview.md)
cosmos-db Sql Query Bitwise Operators https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/sql/sql-query-bitwise-operators.md
+
+ Title: Bitwise operators in Azure Cosmos DB
+description: Learn about SQL bitwise operators supported by Azure Cosmos DB.
++++++ Last updated : 05/31/2022++
+# Bitwise operators in Azure Cosmos DB
++
+This article details the bitwise operators supported by Azure Cosmos DB. Bitwise operators are useful for constructing JSON result-sets on the fly. The bitwise operators work similarly to higher-level programming languages like C# and JavaScript. For examples of C# bitwise operators, see [Bitwise and shift operators](/dotnet/csharp/language-reference/operators/bitwise-and-shift-operators).
+
+## Understanding bitwise operations
+
+The following table shows the explanations and examples of bitwise operations in the SQL API between two values.
+
+| Operation | Operator | Description |
+| | | |
+| **Left shift** | ``<<`` | Shift left-hand value *left* by the specified number of bits. |
+| **Right shift** | ``>>`` | Shift left-hand value *right* by the specified number of bits. |
+| **Zero-fill (unsigned) right shift** | ``>>>`` | Shift left-hand value *right* by the specified number of bits without filling left-most bits. |
+| **AND** | ``&`` | Computes bitwise logical AND. |
+| **OR** | ``|`` | Computes bitwise logical OR. |
+| **XOR** | ``^`` | Computes bitwise logical exclusive OR. |
++
+For example, the following query uses each of the bitwise operators and renders a result.
+
+```sql
+SELECT
+ (100 >> 2) AS rightShift,
+ (100 << 2) AS leftShift,
+ (100 >>> 0) AS zeroFillRightShift,
+ (100 & 1000) AS logicalAnd,
+ (100 | 1000) AS logicalOr,
+ (100 ^ 1000) AS logicalExclusiveOr
+```
+
+The example query's results as a JSON object.
+
+```json
+[
+ {
+ "rightShift": 25,
+ "leftShift": 400,
+ "zeroFillRightShift": 100,
+ "logicalAnd": 96,
+ "logicalOr": 1004,
+ "logicalExclusiveOr": 908
+ }
+]
+```
+
+> [!IMPORTANT]
+> In this example, the values on the left and right side of the operands are 32-bit integer values.
+
+## Next steps
+
+- [Azure Cosmos DB .NET samples](https://github.com/Azure/azure-cosmos-dotnet-v3)
+- [Keywords](sql-query-keywords.md)
+- [SELECT clause](sql-query-select.md)
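Review bot: the description of `>>>` ("without filling left-most bits") is inaccurate: a zero-fill right shift fills the vacated left-most bits with zeros, as opposed to `>>`, which propagates the sign bit. Reword to "Shift left-hand value *right* by the specified number of bits, filling the vacated left-most bits with zeros." The example `100 >>> 0` on a positive operand does not show that difference; consider a negative operand and a non-zero shift so the two results differ. In the IMPORTANT box, "left and right side of the operands" should be "operators" (the operands are the values). Minor: the table separator row "| | | |" needs dashes (`| --- | --- | --- |`) to render as a table.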
cosmos-db Sql Query Date Time Functions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/sql/sql-query-date-time-functions.md
or numeric ticks whose value is the number of 100 nanosecond ticks which have el
The following functions allow you to easily manipulate DateTime, timestamp, and tick values: * [DateTimeAdd](sql-query-datetimeadd.md)
+* [DateTimeBin](sql-query-datetimebin.md)
* [DateTimeDiff](sql-query-datetimediff.md) * [DateTimeFromParts](sql-query-datetimefromparts.md) * [DateTimePart](sql-query-datetimepart.md)
cosmos-db Sql Query Datetimebin https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/sql/sql-query-datetimebin.md
+
+ Title: DateTimeBin in Azure Cosmos DB query language
+description: Learn about SQL system function DateTimeBin in Azure Cosmos DB.
++++ Last updated : 05/27/2022 ++
+
+
+# DateTimeBin (Azure Cosmos DB)
+ [!INCLUDE[appliesto-sql-api](../includes/appliesto-sql-api.md)]
+
+Returns the nearest multiple of *BinSize* below the specified DateTime given the unit of measurement *DateTimePart* and start value of *BinAtDateTime*.
++
+## Syntax
+
+```sql
+DateTimeBin (<DateTime> , <DateTimePart> [,BinSize] [,BinAtDateTime])
+```
++
+## Arguments
+
+*DateTime*
+ The string value date and time to be binned. A UTC date and time ISO 8601 string value in the format `YYYY-MM-DDThh:mm:ss.fffffffZ` where:
+
+|Format|Description|
+|-|-|
+|YYYY|four-digit year|
+|MM|two-digit month (01 = January, etc.)|
+|DD|two-digit day of month (01 through 31)|
+|T|signifier for beginning of time elements|
+|hh|two-digit hour (00 through 23)|
+|mm|two-digit minutes (00 through 59)|
+|ss|two-digit seconds (00 through 59)|
+|.fffffff|seven-digit fractional seconds|
+|Z|UTC (Coordinated Universal Time) designator|
+
+For more information on the ISO 8601 format, see [ISO_8601](https://en.wikipedia.org/wiki/ISO_8601)
+
+*DateTimePart*
+ The date time part specifies the units for BinSize. DateTimeBin is Undefined for DayOfWeek, Year, and Month. The finest granularity for binning by Nanosecond is 100 nanosecond ticks; if Nanosecond is specified with a BinSize less than 100, the result is Undefined. This table lists all valid DateTimePart arguments for DateTimeBin:
+
+| DateTimePart | abbreviations |
+| | -- |
+| Day | "day", "dd", "d" |
+| Hour | "hour", "hh" |
+| Minute | "minute", "mi", "n" |
+| Second | "second", "ss", "s" |
+| Millisecond | "millisecond", "ms" |
+| Microsecond | "microsecond", "mcs" |
+| Nanosecond | "nanosecond", "ns" |
+
+*BinSize* (optional)
+ Numeric value that specifies the size of bins. If not specified, the default value is one.
++
+*BinAtDateTime* (optional)
+ A UTC date and time ISO 8601 string value in the format `YYYY-MM-DDThh:mm:ss.fffffffZ` that specifies the start date to bin from. Default value is the Unix epoch, ΓÇÿ1970-01-01T00:00:00.000000ZΓÇÖ.
++
+## Return types
+
+Returns the result of binning the *DateTime* value.
++
+## Remarks
+
+DateTimeBin will return `Undefined` for the following reasons:
+- The DateTimePart value specified is invalid
+- The BinSize value is zero or negative
+- The DateTime or BinAtDateTime isn't a valid ISO 8601 DateTime or precedes the year 1601 (the Windows epoch)
++
+## Examples
+
+The following example bins ΓÇÿ2021-06-28T17:24:29.2991234ZΓÇÖ by one hour:
+
+```sql
+SELECT DateTimeBin('2021-06-28T17:24:29.2991234Z', 'hh') AS BinByHour
+```
+
+```json
+[
+    {
+        "BinByHour": "2021-06-28T17:00:00.0000000Z"
+    }
+]
+```
+
+The following example bins ΓÇÿ2021-06-28T17:24:29.2991234ZΓÇÖ given different *BinAtDateTime* values:
+
+```sql
+SELECTΓÇ»
+DateTimeBin('2021-06-28T17:24:29.2991234Z', 'day', 5) AS One_BinByFiveDaysUnixEpochImplicit,
+DateTimeBin('2021-06-28T17:24:29.2991234Z', 'day', 5, '1970-01-01T00:00:00.0000000Z') AS Two_BinByFiveDaysUnixEpochExplicit,
+DateTimeBin('2021-06-28T17:24:29.2991234Z', 'day', 5, '1601-01-01T00:00:00.0000000Z') AS Three_BinByFiveDaysFromWindowsEpoch,
+DateTimeBin('2021-06-28T17:24:29.2991234Z', 'day', 5, '2021-01-01T00:00:00.0000000Z') AS Four_BinByFiveDaysFromYearStart,
+DateTimeBin('2021-06-28T17:24:29.2991234Z', 'day', 5, '0001-01-01T00:00:00.0000000Z') AS Five_BinByFiveDaysFromUndefinedYear
+```
+
+```json
+[
+    {
+        "One_BinByFiveDaysUnixEpochImplicit": "2021-06-27T00:00:00.0000000Z",
+        "Two_BinByFiveDaysUnixEpochExplicit": "2021-06-27T00:00:00.0000000Z",
+        "Three_BinByFiveDaysFromWindowsEpoch": "2021-06-28T00:00:00.0000000Z",
+        "Four_BinByFiveDaysFromYearStart": "2021-06-25T00:00:00.0000000Z"
+    }
+]
+```
+
+## Next steps
+
+- [Date and time functions Azure Cosmos DB](sql-query-date-time-functions.md)
+- [System functions Azure Cosmos DB](sql-query-system-functions.md)
+- [Introduction to Azure Cosmos DB](../introduction.md)
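Review bot: the second example's query has five aliases but the JSON result has four; the fifth (`0001-01-01T00:00:00.0000000Z` as BinAtDateTime, which precedes 1601) evaluates to Undefined and is therefore omitted from the result object, but the text does not say so. Add a sentence after the result explaining that an Undefined property is dropped from the output. Related consistency points: the default BinAtDateTime is written with six fractional digits ("1970-01-01T00:00:00.000000Z") while the format column specifies seven (`.fffffff`); the `SELECT` on the first line of the second query is followed by a stray non-breaking-space character that will not paste cleanly; and the DateTimePart table separator row "| | -- |" is missing the dashes for the first column.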
cosmos-db Create Table Dotnet https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/table/create-table-dotnet.md
Title: 'Quickstart: Table API with .NET - Azure Cosmos DB' description: This quickstart shows how to access the Azure Cosmos DB Table API from a .NET application using the Azure.Data.Tables SDK-+ ms.devlang: csharp Last updated 09/26/2021-+
cost-management-billing Direct Ea Azure Usage Charges Invoices https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/manage/direct-ea-azure-usage-charges-invoices.md
Enterprise administrators can also view an overall summary of the charges for th
## Download or view your Azure billing invoice
-You can download your invoice from the [Azure portal](https://portal.azure.com) or have it sent in email. Invoices are sent to whoever is set up to receive invoices for the enrollment.
+An EA administrator can download the invoice from the [Azure portal](https://portal.azure.com) or have it sent in email. Invoices are sent to whoever is set up to receive invoices for the enrollment.
-Only an Enterprise Administrator has permission to view and get the billing invoice. To learn more about getting access to billing information, see [Manage access to Azure billing using roles](manage-billing-access.md).
+Only an Enterprise Administrator has permission to view and download the billing invoice. To learn more about getting access to billing information, see [Manage access to Azure billing using roles](manage-billing-access.md).
You receive an Azure invoice when any of the following events occur during your billing cycle:
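Review bot: the two changed paragraphs use two names for the same role, "EA administrator" in the first and "Enterprise Administrator" in the second; pick one form (the linked roles article uses "Enterprise Administrator") and use it in both sentences.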
cost-management-billing Ea Portal Enrollment Invoices https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/manage/ea-portal-enrollment-invoices.md
Title: Azure Enterprise enrollment invoices
description: This article explains how to manage and act on your Azure Enterprise invoice. Previously updated : 12/03/2021 Last updated : 05/31/2022
If an Amendment M503 is signed, you can move any agreement from any frequency to
### Request an invoice copy
-To request a copy of your invoice, contact your partner.
+If you're an indirect enterprise agreement customer, contact your partner to request a copy of your invoice.
## Credits and adjustments
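Review bot: the rewritten sentence now covers only indirect enrollment customers, and the section no longer tells direct enrollment customers how to obtain an invoice copy. Add a second sentence for the direct case (for example, pointing at the download section or the Azure portal), or retitle the section to make its scope explicit.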
cost-management-billing Reservation Renew https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/reservations/reservation-renew.md
The following conditions are required to renew a reservation:
## Default renewal settings
-By default, the renewal inherits all properties from the expiring reservation. A reservation renewal purchase has the same SKU, region, scope, billing subscription, term, and quantity.
+By default, the renewal inherits all properties except automatic renewal setting from the expiring reservation. A reservation renewal purchase has the same SKU, region, scope, billing subscription, term, and quantity.
However, you can update the renewal reservation purchase quantity to optimize your savings.
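Review bot: "except automatic renewal setting" is missing its article; write "except the automatic renewal setting". It would also help to state in the same sentence what the renewal's automatic renewal setting is (for example, off by default), since that is the one property a reader now needs to check manually.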
cost-management-billing Download Azure Invoice https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/understand/download-azure-invoice.md
# View and download your Microsoft Azure invoice
-You can download your invoice in the [Azure portal](https://portal.azure.com/) or have it sent in email. If you're an Azure customer with an Enterprise Agreement (EA customer), you can't download your organization's invoice. Instead, invoices are sent to the person set to receive invoices for the enrollment.
+You can download your invoice in the [Azure portal](https://portal.azure.com/) or have it sent in email. If you're an Azure customer with an Enterprise Agreement (EA customer), only an EA administrator can download and view your organization's invoice. Invoices are sent to the person set to receive invoices for the enrollment.
## When invoices are generated
data-factory Connector Google Adwords https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/connector-google-adwords.md
Previously updated : 02/24/2022 Last updated : 05/30/2022 # Copy data from Google AdWords using Azure Data Factory or Synapse Analytics
The following properties are supported for Google AdWords linked service:
| clientId | The client ID of the Google application used to acquire the refresh token. You can choose to mark this field as a SecureString to store it securely, or store password in Azure Key Vault and let the copy activity pull from there when performing data copy - learn more from [Store credentials in Key Vault](store-credentials-in-key-vault.md). | No | | clientSecret | The client secret of the google application used to acquire the refresh token. You can choose to mark this field as a SecureString to store it securely, or store password in Azure Key Vault and let the copy activity pull from there when performing data copy - learn more from [Store credentials in Key Vault](store-credentials-in-key-vault.md). | No | | email | The service account email ID that is used for ServiceAuthentication and can only be used on self-hosted IR. | No |
-| keyFilePath | The full path to the .p12 key file that is used to authenticate the service account email address and can only be used on self-hosted IR. | No |
+| keyFilePath | The full path to the `.p12` or `.json` key file that is used to authenticate the service account email address and can only be used on self-hosted IR. | No |
| trustedCertPath | The full path of the .pem file containing trusted CA certificates for verifying the server when connecting over TLS. This property can only be set when using TLS on self-hosted IR. The default value is the cacerts.pem file installed with the IR. | No | | useSystemTrustStore | Specifies whether to use a CA certificate from the system trust store or from a specified PEM file. The default value is false. | No |
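Review bot: the keyFilePath row now accepts a `.json` key file in addition to `.p12`, but unlike the clientSecret row it says nothing about how this credential is protected; since the file lives on the self-hosted IR machine, a short note that the key file should be readable only by the IR service account would be a useful addition. Style: the new row wraps `.p12` and `.json` in backticks while the neighbouring trustedCertPath row leaves `.pem` unformatted; make the table consistent.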
data-factory Connector Google Bigquery https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/connector-google-bigquery.md
Previously updated : 04/26/2022 Last updated : 05/30/2022 # Copy data from Google BigQuery using Azure Data Factory or Synapse Analytics
Set "authenticationType" property to **ServiceAuthentication**, and specify the
| Property | Description | Required | |: |: |: | | email | The service account email ID that is used for ServiceAuthentication. It can be used only on Self-hosted Integration Runtime. | No |
-| keyFilePath | The full path to the .p12 key file that is used to authenticate the service account email address. | No |
+| keyFilePath | The full path to the `.p12` or `.json` key file that is used to authenticate the service account email address. | No |
| trustedCertPath | The full path of the .pem file that contains trusted CA certificates used to verify the server when you connect over TLS. This property can be set only when you use TLS on Self-hosted Integration Runtime. The default value is the cacerts.pem file installed with the integration runtime. | No | | useSystemTrustStore | Specifies whether to use a CA certificate from the system trust store or from a specified .pem file. The default value is **false**. | No |
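Review bot: the BigQuery keyFilePath row says the key file "can only be used on self-hosted IR" in the AdWords connector but omits that constraint here, even though the email row two lines above states it; if the constraint applies to the key file too, say so in this row as well. As in the AdWords table, `.p12`/`.json` are now in backticks while `.pem` in the next row is not.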
Set "authenticationType" property to **ServiceAuthentication**, and specify the
"requestGoogleDriveScope" : true, "authenticationType" : "ServiceAuthentication", "email": "<email>",
- "keyFilePath": "<.p12 key path on the IR machine>"
+ "keyFilePath": "<.p12 or .json key path on the IR machine>"
}, "connectVia": { "referenceName": "<name of Self-hosted Integration Runtime>",
data-factory Data Flow Source https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/data-flow-source.md
Previously updated : 05/27/2022 Last updated : 05/31/2022 # Source transformation in mapping data flow
If your text file has no defined schema, select **Detect data type** so that the
**Reset schema** resets the projection to what is defined in the referenced dataset.
-You can modify the column data types in a downstream derived-column transformation. Use a select transformation to modify the column names.
+**Overwrite schema** allows you to modify the projected data types here the source, overwriting the schema-defined data types. You can alternatively modify the column data types in a downstream derived-column transformation. Use a select transformation to modify the column names.
### Import schema
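Review bot: the new sentence has a missing word: "modify the projected data types here the source" should read "modify the projected data types here in the source". Also, the following sentence still begins "You can alternatively modify the column data types in a downstream derived-column transformation", so consider stating when one approach is preferable to the other, otherwise the two options read as redundant.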
defender-for-cloud Defender For Cloud Introduction https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/defender-for-cloud-introduction.md
Last updated 05/19/2022
# What is Microsoft Defender for Cloud?
-Microsoft Defender for Cloud is a Cloud Workload Protection Platform (CWPP) that also delivers Cloud Security Posture Management (CSPM) for all of your Azure, on-premises, and multicloud (Amazon AWS and Google GCP) resources.
--- [**Defender for Cloud recommendations**](security-policy-concept.md) identify cloud workloads that require security actions and provide you with steps to protect your workloads from security risks.-- [**Defender for Cloud secure score**](secure-score-security-controls.md) gives you a clear view of your security posture based on the implementation of the security recommendations so you can track new security opportunities and precisely report on the progress of your security efforts.-- [**Defender for Cloud alerts**](alerts-overview.md) warn you about security events in your workloads in real-time, including the indicators that led to the event.-
-Defender for Cloud fills three vital needs as you manage the security of your resources and workloads in the cloud and on-premises:
+Microsoft Defender for Cloud is a Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP) for all of your Azure, on-premises, and multi-cloud (Amazon AWS and Google GCP) resources. Defender for Cloud fills three vital needs as you manage the security of your resources and workloads in the cloud and on-premises:
:::image type="content" source="media/defender-for-cloud-introduction/defender-for-cloud-synopsis.png" alt-text="Understanding the core functionality of Microsoft Defender for Cloud.":::
-|Security requirement | Defender for Cloud solution|
-|||
-|**Continuous assessment** - Understand your current security posture. | **Secure score** - A single score so that you can tell, at a glance, your current security situation: the higher the score, the lower the identified risk level. |
-|**Secure** - Harden all connected resources and services. | **Security recommendations** - Customized and prioritized hardening tasks to improve your posture. You implement a recommendation by following the detailed remediation steps provided in the recommendation. For many recommendations, Defender for Cloud offers a "Fix" button for automated implementation!|
-|**Defend** - Detect and resolve threats to those resources and services. | **Security alerts** - With the enhanced security features enabled, Defender for Cloud detects threats to your resources and workloads. These alerts appear in the Azure portal and Defender for Cloud can also send them by email to the relevant personnel in your organization. Alerts can also be streamed to SIEM, SOAR, or IT Service Management solutions as required. |
+- [**Defender for Cloud secure score**](secure-score-security-controls.md) **continually assesses** your security posture so you can track new security opportunities and precisely report on the progress of your security efforts.
+- [**Defender for Cloud recommendations**](security-policy-concept.md) **secures** your workloads with step-by-step actions that protect your workloads from known security risks.
+- [**Defender for Cloud alerts**](alerts-overview.md) **defends** your workloads in real-time so you can react immediately and prevent security events from developing.
+
+For a step-by-step walkthrough of Defender for Cloud, check out this [interactive tutorial](https://mslearn.cloudguides.com/en-us/guides/Protect%20your%20multi-cloud%20environment%20with%20Microsoft%20Defender%20for%20Cloud).
-## Posture management and workload protection
+## Protect your resources and track your security progress
-Microsoft Defender for Cloud's features covers the two broad pillars of cloud security: cloud security posture management and cloud workload protection.
+Microsoft Defender for Cloud's features covers the two broad pillars of cloud security: Cloud Workload Protection Platform (CWPP) and Cloud Security Posture Management (CSPM).
-### Cloud security posture management (CSPM)
+### CSPM - Remediate security issues and watch your security posture improve
In Defender for Cloud, the posture management features provide: -- **Visibility** - to help you understand your current security situation - **Hardening guidance** - to help you efficiently and effectively improve your security
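Review bot: subject-verb agreement in the rewritten pillars sentence: "Microsoft Defender for Cloud's features covers the two broad pillars" should read "features cover", and the pillar order there (CWPP, then CSPM) is the reverse of the order the new opening paragraph uses (CSPM, then CWPP) and of the section order that follows (CSPM first); pick one order and keep it. The replaced table also carried two details the three new bullets drop: that many recommendations offer a "Fix" button for automated remediation, and that alerts can be streamed to SIEM, SOAR or IT Service Management tools. The export point survives in the security alerts bullet that was moved lower in the article, but the "Fix" button mention is gone entirely, so either restore it under the recommendations bullet or confirm it is covered elsewhere.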
+- **Visibility** - to help you understand your current security situation
-The central feature in Defender for Cloud that enables you to achieve those goals is **secure score**. Defender for Cloud continually assesses your resources, subscriptions, and organization for security issues. It then aggregates all the findings into a single score so that you can tell, at a glance, your current security situation: the higher the score, the lower the identified risk level.
+Defender for Cloud continually assesses your resources, subscriptions, and organization for security issues and shows your security posture in **secure score**, an aggregated score of the security findings that tells you, at a glance, your current security situation: the higher the score, the lower the identified risk level.
-When you open Defender for Cloud for the first time, it will meet the visibility and strengthening goals as follows:
+As soon as you open Defender for Cloud for the first time, Defender for Cloud:
-1. **Generate a secure score** for your subscriptions based on an assessment of your connected resources compared with the guidance in [Azure Security Benchmark](/security/benchmark/azure/overview). Use the score to understand your security posture, and the compliance dashboard to review your compliance with the built-in benchmark. When you've enabled the enhanced security features, you can customize the standards used to assess your compliance, and add other regulations (such as NIST and Azure CIS) or organization-specific security requirements. You can also apply recommendations, and score based on the AWS Foundational Security Best practices standards.
+- **Generates a secure score** for your subscriptions based on an assessment of your connected resources compared with the guidance in [Azure Security Benchmark](/security/benchmark/azure/overview). Use the score to understand your security posture, and the compliance dashboard to review your compliance with the built-in benchmark. When you've enabled the enhanced security features, you can customize the standards used to assess your compliance, and add other regulations (such as NIST and Azure CIS) or organization-specific security requirements. You can also apply recommendations, and score based on the AWS Foundational Security Best practices standards.
-1. **Provide hardening recommendations** based on any identified security misconfigurations and weaknesses. Use these security recommendations to strengthen the security posture of your organization's Azure, hybrid, and multicloud resources.
+- **Provides hardening recommendations** based on any identified security misconfigurations and weaknesses. Use these security recommendations to strengthen the security posture of your organization's Azure, hybrid, and multi-cloud resources.
[Learn more about secure score](secure-score-security-controls.md).
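Review bot: the new lead-in "As soon as you open Defender for Cloud for the first time, Defender for Cloud:" repeats the product name; "When you open Defender for Cloud for the first time, it:" reads better and keeps the list items ("Generates ...", "Provides ...") grammatical. Also check the "posture management features provide" list above it: the original had two bullets, Visibility and Hardening guidance, while the added side shows only "- **Visibility** - to help you understand your current security situation"; if Hardening guidance was dropped on purpose, the "Provides hardening recommendations" item two paragraphs later no longer has a bullet introducing it.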
-### Cloud workload protection (CWP)
+### CWP - Identify unique workload security requirements
-Defender for Cloud offers security alerts that are powered by [Microsoft Threat Intelligence](https://go.microsoft.com/fwlink/?linkid=2128684). It also includes a range of advanced, intelligent, protections for your workloads. The workload protections are provided through Microsoft Defender plans specific to the types of resources in your subscriptions. For example, you can enable **Microsoft Defender for Storage** to get alerted about suspicious activities related to your Azure Storage accounts.
+Defender for Cloud offers security alerts that are powered by [Microsoft Threat Intelligence](https://go.microsoft.com/fwlink/?linkid=2128684). It also includes a range of advanced, intelligent, protections for your workloads. The workload protections are provided through Microsoft Defender plans specific to the types of resources in your subscriptions. For example, you can enable **Microsoft Defender for Storage** to get alerted about suspicious activities related to your storage resources.
-## Azure, hybrid, and multicloud protections
+## Protect all of your resources under one roof
-Because Defender for Cloud is an Azure-native service, many Azure services are monitored and protected without needing any deployment.
+Because Defender for Cloud is an Azure-native service, many Azure services are monitored and protected without needing any deployment, but you can also add resources the are on-premises or in other public clouds.
When necessary, Defender for Cloud can automatically deploy a Log Analytics agent to gather security-related data. For Azure machines, deployment is handled directly. For hybrid and multicloud environments, Microsoft Defender plans are extended to non Azure machines with the help of [Azure Arc](https://azure.microsoft.com/services/azure-arc/). CSPM features are extended to multicloud machines without the need for any agents (see [Defend resources running on other clouds](#defend-resources-running-on-other-clouds)).
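Review bot: typo in the rewritten sentence under "Protect all of your resources under one roof": "add resources the are on-premises" should be "resources that are on-premises", and the sentence is long enough to split after "without needing any deployment." While touching the CWP paragraph, drop the stray comma in "advanced, intelligent, protections" (carried over unchanged). Spelling of multicloud is now mixed in this article: the rewritten hardening bullet changes "multicloud" to "multi-cloud" and the new opening paragraph uses "multi-cloud", but the unchanged Log Analytics paragraph here still says "multicloud environments" and "multicloud machines"; use one form throughout, noting that the original text used the unhyphenated form consistently.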
-### Azure-native protections
+### Defend your Azure-native resources
Defender for Cloud helps you detect threats across:
Defender for Cloud helps you detect threats across:
- **Networks** - Defender for Cloud helps you limit exposure to brute force attacks. By reducing access to virtual machine ports, using the just-in-time VM access, you can harden your network by preventing unnecessary access. You can set secure access policies on selected ports, for only authorized users, allowed source IP address ranges or IP addresses, and for a limited amount of time.
-### Defend your hybrid resources
+### Defend your on-premises resources
In addition to defending your Azure environment, you can add Defender for Cloud capabilities to your hybrid cloud environment to protect your non-Azure servers. To help you focus on what matters the mostΓÇï, you'll get customized threat intelligence and prioritized alerts according to your specific environment.
For example, if you've [connected an Amazon Web Services (AWS) account](quicksta
Learn more about connecting your [AWS](quickstart-onboard-aws.md) and [GCP](quickstart-onboard-gcp.md) accounts to Microsoft Defender for Cloud.
-## Vulnerability assessment and management
+## Close vulnerabilities before they get exploited
:::image type="content" source="media/defender-for-cloud-introduction/defender-for-cloud-expanded-assess.png" alt-text="Focus on the assessment features of Microsoft Defender for Cloud.":::
Learn more on the following pages:
- [Defender for Cloud's integrated Qualys scanner for Azure and hybrid machines](deploy-vulnerability-assessment-vm.md) - [Identify vulnerabilities in images in Azure container registries](defender-for-containers-usage.md#identify-vulnerabilities-in-images-in-other-container-registries)
-## Optimize and improve security by configuring recommended controls
+## Enforce your security policy from the top down
:::image type="content" source="media/defender-for-cloud-introduction/defender-for-cloud-expanded-secure.png" alt-text="Focus on the 'secure' features of Microsoft Defender for Cloud.":::
To help you understand how important each recommendation is to your overall secu
:::image type="content" source="./media/defender-for-cloud-introduction/sc-secure-score.png" alt-text="Defender for Cloud secure score.":::
-## Defend against threats
+## Extend Defender for Cloud with Defender plans and external monitoring
:::image type="content" source="media/defender-for-cloud-introduction/defender-for-cloud-expanded-defend.png" alt-text="Focus on the 'defend'' features of Microsoft Defender for Cloud.":::
-Defender for Cloud provides:
--- **Security alerts** - When Defender for Cloud detects a threat in any area of your environment, it generates a security alert. These alerts describe details of the affected resources, suggested remediation steps, and in some cases an option to trigger a logic app in response. Whether an alert is generated by Defender for Cloud, or received by Defender for Cloud from an integrated security product, you can export it. To export your alerts to Microsoft Sentinel, any third-party SIEM, or any other external tool, follow the instructions in [Stream alerts to a SIEM, SOAR, or IT Service Management solution](export-to-siem.md). Defender for Cloud's threat protection includes fusion kill-chain analysis, which automatically correlates alerts in your environment based on cyber kill-chain analysis, to help you better understand the full story of an attack campaign, where it started and what kind of impact it had on your resources. [Defender for Cloud's supported kill chain intents are based on version 9 of the MITRE ATT&CK matrix](alerts-reference.md#intentions).
+You can extend the Defender for Cloud protection with:
- **Advanced threat protection features** for virtual machines, SQL databases, containers, web applications, your network, and more - Protections include securing the management ports of your VMs with [just-in-time access](just-in-time-access-overview.md), and [adaptive application controls](adaptive-application-controls.md) to create allowlists for what apps should and shouldn't run on your machines.
-The **Defender plans** page of Microsoft Defender for Cloud offers the following plans for comprehensive defenses for the compute, data, and service layers of your environment:
+The **Defender plans** of Microsoft Defender for Cloud offer comprehensive defenses for the compute, data, and service layers of your environment:
- [Microsoft Defender for Servers](defender-for-servers-introduction.md) - [Microsoft Defender for Storage](defender-for-storage-introduction.md)
Use the advanced protection tiles in the [workload protections dashboard](worklo
> [!TIP] > Microsoft Defender for IoT is a separate product. You'll find all the details in [Introducing Microsoft Defender for IoT](../defender-for-iot/overview.md).
+- **Security alerts** - When Defender for Cloud detects a threat in any area of your environment, it generates a security alert. These alerts describe details of the affected resources, suggested remediation steps, and in some cases an option to trigger a logic app in response. Whether an alert is generated by Defender for Cloud, or received by Defender for Cloud from an integrated security product, you can export it. To export your alerts to Microsoft Sentinel, any third-party SIEM, or any other external tool, follow the instructions in [Stream alerts to a SIEM, SOAR, or IT Service Management solution](export-to-siem.md). Defender for Cloud's threat protection includes fusion kill-chain analysis, which automatically correlates alerts in your environment based on cyber kill-chain analysis, to help you better understand the full story of an attack campaign, where it started and what kind of impact it had on your resources. [Defender for Cloud's supported kill chain intents are based on version 9 of the MITRE ATT&CK matrix](alerts-reference.md#intentions).
+ ## Learn More If you would like to learn more about Defender for Cloud from a cybersecurity expert, check out [Lessons Learned from the Field](episode-six.md).
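Review bot: the moved "**Security alerts**" bullet now lands after the Defender plans list and the Defender for IoT tip, so it reads as a stray list item with no lead-in; it belongs directly under "You can extend the Defender for Cloud protection with:" next to the "Advanced threat protection features" bullet, or under its own heading, since alert export and kill-chain correlation are not a Defender plan. The new section title "Extend Defender for Cloud with Defender plans and external monitoring" also promises "external monitoring" that the section text never names as such; if that means the SIEM/SOAR export described in the alerts bullet, say so in the bullet or choose a title that matches the content. Minor: "## Learn More" has a leading space and title-case capitalization, while the other headings in this article use sentence case ("Learn more").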
defender-for-cloud Defender For Containers Architecture https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/defender-for-containers-architecture.md
+
+ Title: Container security architecture in Microsoft Defender for Cloud
+description: Learn about the architecture of Microsoft Defender for Containers for each container platform
+++ Last updated : 05/31/2022+
+# Defender for Containers architecture
+
+Defender for Containers is designed differently for each container environment whether they're running in:
+
+- **Azure Kubernetes Service (AKS)** - Microsoft's managed service for developing, deploying, and managing containerized applications.
+
+- **Amazon Elastic Kubernetes Service (EKS) in a connected Amazon Web Services (AWS) account** - Amazon's managed service for running Kubernetes on AWS without needing to install, operate, and maintain your own Kubernetes control plane or nodes.
+
+- **Google Kubernetes Engine (GKE) in a connected Google Cloud Platform (GCP) project** - GoogleΓÇÖs managed environment for deploying, managing, and scaling applications using GCP infrastructure.
+
+- **An unmanaged Kubernetes distribution** (using Azure Arc-enabled Kubernetes) - Cloud Native Computing Foundation (CNCF) certified Kubernetes clusters hosted on-premises or on IaaS.
+
+> [!NOTE]
+> Defender for Containers support for Arc-enabled Kubernetes clusters (AWS EKS and GCP GKE) is a preview feature.
+
+To protect your Kubernetes containers, Defender for Containers receives and analyzes:
+
+- Audit logs and security events from the API server
+- Cluster configuration information from the control plane
+- Workload configuration from Azure Policy
+- Security signals and events from the node level
+
+## Architecture for each container environment
+
+## [**Azure (AKS)**](#tab/defender-for-container-arch-aks)
+
+### Architecture diagram of Defender for Cloud and AKS clusters<a name="jit-asc"></a>
+
+When Defender for Cloud protects a cluster hosted in Azure Kubernetes Service, the collection of audit log data is agentless and frictionless.
+
+The **Defender profile (preview)** deployed to each node provides the runtime protections and collects signals from nodes using [eBPF technology](https://ebpf.io/).
+
+The **Azure Policy add-on for Kubernetes** collects cluster and workload configuration for admission control policies as explained in [Protect your Kubernetes workloads](kubernetes-workload-protections.md).
+
+> [!NOTE]
+> Defender for Containers **Defender profile** is a preview feature.
++
+### Defender profile component details
+
+| Pod Name | Namespace | Kind | Short Description | Capabilities | Resource limits | Egress Required |
+|--|--|--|--|--|--|--|
+| azuredefender-collector-ds-* | kube-system | [DaemonSet](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/) | A set of containers that focus on collecting inventory and security events from the Kubernetes environment. | SYS_ADMIN, <br>SYS_RESOURCE, <br>SYS_PTRACE | memory: 64Mi<br> <br> cpu: 60m | No |
+| azuredefender-collector-misc-* | kube-system | [Deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/) | A set of containers that focus on collecting inventory and security events from the Kubernetes environment that aren't bounded to a specific node. | N/A | memory: 64Mi <br> <br>cpu: 60m | No |
+| azuredefender-publisher-ds-* | kube-system | [DaemonSet](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/) | Publish the collected data to Microsoft Defender for Containers backend service where the data will be processed for and analyzed. | N/A | memory: 200Mi  <br> <br> cpu: 60m | Https 443 <br> <br> Learn more about the [outbound access prerequisites](../aks/limit-egress-traffic.md#microsoft-defender-for-containers) |
+
+\* resource limits aren't configurable
+
+## [**On-premises / IaaS (Arc)**](#tab/defender-for-container-arch-arc)
+
+### Architecture diagram of Defender for Cloud and Arc-enabled Kubernetes clusters
+
+For all clusters hosted outside of Azure, [Azure Arc-enabled Kubernetes](../azure-arc/kubernetes/overview.md) is required to connect the clusters to Azure and provide Azure services such as Defender for Containers.
+
+When a non-Azure container is connected to Azure with Arc, the [Arc extension](../azure-arc/kubernetes/extensions.md) collects Kubernetes audit logs data from all control plane nodes in the cluster. The extension sends the log data to the Microsoft Defender for Cloud backend in the cloud for further analysis. The extension is registered with a Log Analytics workspace used as a data pipeline, but the audit log data isn't stored in the Log Analytics workspace.
+
+Workload configuration information is collected by an Azure Policy add-on. As explained in [this Azure Policy for Kubernetes page](../governance/policy/concepts/policy-for-kubernetes.md), the add-on extends the open-source [Gatekeeper v3](https://github.com/open-policy-agent/gatekeeper) admission controller webhook for [Open Policy Agent](https://www.openpolicyagent.org/). Kubernetes admission controllers are plugins that enforce how your clusters are used. The add-on registers as a web hook to Kubernetes admission control and makes it possible to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner.
+
+> [!NOTE]
+> Defender for Containers support for Arc-enabled Kubernetes clusters is a preview feature.
++
+## [**AWS (EKS)**](#tab/defender-for-container-arch-eks)
+
+### Architecture diagram of Defender for Cloud and EKS clusters
+
+These components are required in order to receive the full protection offered by Microsoft Defender for Containers:
+
+- **[Kubernetes audit logs](https://kubernetes.io/docs/tasks/debug-application-cluster/audit/)** ΓÇô [AWS accountΓÇÖs CloudWatch](https://aws.amazon.com/cloudwatch/) enables, and collects audit log data through an agentless collector, and sends the collected information to the Microsoft Defender for Cloud backend for further analysis.
+
+- **[Azure Arc-enabled Kubernetes](../azure-arc/kubernetes/overview.md)** - An agent based solution that connects your EKS clusters to Azure. Azure then is capable of providing services such as Defender, and Policy as [Arc extensions](../azure-arc/kubernetes/extensions.md).
+
+- **The Defender extension** ΓÇô The [DeamonSet](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/) that collects signals from hosts using [eBPF technology](https://ebpf.io/), and provides runtime protection. The extension is registered with a Log Analytics workspace, and used as a data pipeline. However, the audit log data isn't stored in the Log Analytics workspace.
+
+- **The Azure Policy extension** - The workload's configuration information is collected by the Azure Policy add-on. The Azure Policy add-on extends the open-source [Gatekeeper v3](https://github.com/open-policy-agent/gatekeeper) admission controller webhook for [Open Policy Agent](https://www.openpolicyagent.org/). The extension registers as a web hook to Kubernetes admission control and makes it possible to apply at-scale enforcements, and safeguards on your clusters in a centralized, consistent manner. For more information, see [Understand Azure Policy for Kubernetes clusters](../governance/policy/concepts/policy-for-kubernetes.md).
+
+> [!NOTE]
+> Defender for Containers support for AWS EKS clusters is a preview feature.
++
+## [**GCP (GKE)**](#tab/defender-for-container-gke)
+
+### Architecture diagram of Defender for Cloud and GKE clusters<a name="jit-asc"></a>
+
+These components are required in order to receive the full protection offered by Microsoft Defender for Containers:
+
+- **[Kubernetes audit logs](https://kubernetes.io/docs/tasks/debug-application-cluster/audit/)** ΓÇô [GCP Cloud Logging](https://cloud.google.com/logging/) enables, and collects audit log data through an agentless collector, and sends the collected information to the Microsoft Defender for Cloud backend for further analysis.
+
+- **[Azure Arc-enabled Kubernetes](../azure-arc/kubernetes/overview.md)** - An agent based solution that connects your EKS clusters to Azure. Azure then is capable of providing services such as Defender, and Policy as [Arc extensions](../azure-arc/kubernetes/extensions.md).
+
+- **The Defender extension** ΓÇô The [DeamonSet](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/) that collects signals from hosts using [eBPF technology](https://ebpf.io/), and provides runtime protection. The extension is registered with a Log Analytics workspace, and used as a data pipeline. However, the audit log data isn't stored in the Log Analytics workspace.
+
+- **The Azure Policy extension** - The workload's configuration information is collected by the Azure Policy add-on. The Azure Policy add-on extends the open-source [Gatekeeper v3](https://github.com/open-policy-agent/gatekeeper) admission controller webhook for [Open Policy Agent](https://www.openpolicyagent.org/). The extension registers as a web hook to Kubernetes admission control and makes it possible to apply at-scale enforcements, and safeguards on your clusters in a centralized, consistent manner. For more information, see [Understand Azure Policy for Kubernetes clusters](../governance/policy/concepts/policy-for-kubernetes.md).
+
+> [!NOTE]
+> Defender for Containers support for GCP GKE clusters is a preview feature.
++++
+## Next steps
+
+In this overview, you learned about the architecture of container security in Microsoft Defender for Cloud. To enable the plan, see:
+
+> [!div class="nextstepaction"]
+> [Enable Defender for Containers](defender-for-containers-enable.md)
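Review bot: the GKE tab's "Azure Arc-enabled Kubernetes" bullet says it "connects your EKS clusters to Azure"; this was copied from the EKS tab and should say GKE clusters. The anchor `<a name="jit-asc"></a>` appears on both the AKS and the GKE architecture headings, which gives the page a duplicate anchor id, and the name refers to just-in-time access, which neither heading is about; remove both or give each heading a distinct, descriptive anchor. The file also contains mis-encoded characters ("GoogleΓÇÖs", "AWS accountΓÇÖs", and "ΓÇô" as the separator in the EKS and GKE bullets); save it as UTF-8 and replace them with a plain apostrophe and hyphen. In the Defender profile table, the trailing "*" in the pod names denotes the generated name suffix, but the footnote "\* resource limits aren't configurable" reuses the same marker for a different purpose; attach the footnote marker to the "Resource limits" column header instead. The collector DaemonSet is documented with SYS_ADMIN, SYS_RESOURCE and SYS_PTRACE; one sentence tying these capabilities to the eBPF-based collection described above the table would help readers who must reconcile them with their admission-control policies (the Azure Policy add-on described in the same article) and who would otherwise treat a SYS_ADMIN DaemonSet in kube-system as a finding. Smaller fixes: "DeamonSet" (EKS and GKE tabs) should be "DaemonSet"; "When a non-Azure container is connected to Azure with Arc" should say cluster; "processed for and analyzed" has a stray "for"; "Https 443" should be "HTTPS 443"; "web hook" and "webhook" are both used in the Arc paragraph; and the first note's parenthetical "Arc-enabled Kubernetes clusters (AWS EKS and GCP GKE)" conflates three separate environments from the list above it.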
defender-for-cloud Defender For Containers Introduction https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/defender-for-containers-introduction.md
Title: Container security with Microsoft Defender for Cloud description: Learn about Microsoft Defender for Containers++ Last updated 05/25/2022 # Overview of Microsoft Defender for Containers
-Microsoft Defender for Containers is the cloud-native solution for securing your containers.
+Microsoft Defender for Containers is the cloud-native solution for securing your containers so you can improve, monitor, and maintain the security of your clusters, containers, and their applications.
-On this page, you'll learn how you can use Defender for Containers to improve, monitor, and maintain the security of your clusters, containers, and their applications.
+[How does Defender for Containers work in each Kubernetes platform?](defender-for-containers-architecture.md)
## Microsoft Defender for Containers plan availability
On this page, you'll learn how you can use Defender for Containers to improve, m
| Feature availability | Refer to the [availability](supported-machines-endpoint-solutions-clouds-containers.md) section for additional information on feature release state and availability.| | Pricing: | **Microsoft Defender for Containers** is billed as shown on the [pricing page](https://azure.microsoft.com/pricing/details/defender-for-cloud/) | | Required roles and permissions: | ΓÇó To auto provision the required components, see the [permissions for each of the components](enable-data-collection.md?tabs=autoprovision-containers)<br> ΓÇó **Security admin** can dismiss alerts<br> ΓÇó **Security reader** can view vulnerability assessment findings<br> See also [Azure Container Registry roles and permissions](../container-registry/container-registry-roles.md) |
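Review bot: the added line "[How does Defender for Containers work in each Kubernetes platform?](defender-for-containers-architecture.md)" is a bare link standing where the removed sentence ("On this page, you'll learn how you can use Defender for Containers to ...") used to introduce the article; give it a lead-in such as "To see how Defender for Containers is deployed on each Kubernetes platform, see ..." so the paragraph reads as prose, and consider keeping a short statement of what this page covers, since the removed sentence was the only one that did.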
-| Clouds: | **Azure**:<br>:::image type="icon" source="./medi#defender-for-containers-feature-availability). |
-
+| Clouds: | **Azure**:<br>:::image type="icon" source="./medi#defender-for-containers-feature-availability). |
## What are the benefits of Microsoft Defender for Containers? Defender for Containers helps with the core aspects of container security: -- **Environment hardening** - Defender for Containers protects your Kubernetes clusters whether they're running on Azure Kubernetes Service, Kubernetes on-premises / IaaS, or Amazon EKS. By continuously assessing clusters, Defender for Containers provides visibility into misconfigurations and guidelines to help mitigate identified threats. Learn more in [Hardening](#hardening).
+- [**Environment hardening**](#hardening) - Defender for Containers protects your Kubernetes clusters whether they're running on Azure Kubernetes Service, Kubernetes on-premises/IaaS, or Amazon EKS. By continuously assessing clusters, Defender for Containers provides visibility into misconfigurations and guidelines to help mitigate identified threats.
-- **Vulnerability assessment** - Vulnerability assessment and management tools for images **stored** in ACR registries and **running** in Azure Kubernetes Service. Learn more in [Vulnerability assessment](#vulnerability-assessment).
+- [**Vulnerability assessment**](#vulnerability-assessment) - Vulnerability assessment and management tools for images **stored** in ACR registries and **running** in Azure Kubernetes Service.
-- **Run-time threat protection for nodes and clusters** - Threat protection for clusters and Linux nodes generates security alerts for suspicious activities. Learn more in [Run-time protection for Kubernetes nodes, clusters, and hosts](#run-time-protection-for-kubernetes-nodes-and-clusters).
+- [**Run-time threat protection for nodes and clusters**](#run-time-protection-for-kubernetes-nodes-and-clusters) - Threat protection for clusters and Linux nodes generates security alerts for suspicious activities.
## Hardening
Defender for Containers helps with the core aspects of container security:
Defender for Cloud continuously assesses the configurations of your clusters and compares them with the initiatives applied to your subscriptions. When it finds misconfigurations, Defender for Cloud generates security recommendations. Use Defender for Cloud's **recommendations page** to view recommendations and remediate issues. For details of the relevant Defender for Cloud recommendations that might appear for this feature, see the [compute section](recommendations-reference.md#recs-container) of the recommendations reference table.
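Review bot: the rewritten "Environment hardening" bullet still lists only "Azure Kubernetes Service, Kubernetes on-premises/IaaS, or Amazon EKS", but the new architecture article shown above documents a fourth platform, Google Kubernetes Engine (GKE) in a connected GCP project, with its own preview note; either add GKE here or state explicitly that hardening is not yet offered for GKE, so the two articles do not contradict each other.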
-For Kubernetes clusters on EKS, you'll need to connect your AWS account to Microsoft Defender for Cloud via the environment settings page as described in [Connect your AWS accounts to Microsoft Defender for Cloud](quickstart-onboard-aws.md). Then ensure you've enabled the CSPM plan.
+For Kubernetes clusters on EKS, you'll need to [connect your AWS account to Microsoft Defender for Cloud](quickstart-onboard-aws.md). Then ensure you've enabled the CSPM plan.
When reviewing the outstanding recommendations for your container-related resources, whether in asset inventory or the recommendations page, you can use the resource filter:
When reviewing the outstanding recommendations for your container-related resour
### Kubernetes data plane hardening
-For a bundle of recommendations to protect the workloads of your Kubernetes containers, install the **Azure Policy for Kubernetes**. You can also auto deploy this component as explained in [enable auto provisioning of agents and extensions](enable-data-collection.md#auto-provision-mma).
+To protect the workloads of your Kubernetes containers with tailored recommendations, install the **Azure Policy for Kubernetes**. You can also auto deploy this component as explained in [enable auto provisioning of agents and extensions](enable-data-collection.md#auto-provision-mma).
With the add-on on your AKS cluster, every request to the Kubernetes API server will be monitored against the predefined set of best practices before being persisted to the cluster. You can then configure to **enforce** the best practices and mandate them for future workloads.
Learn more in [Vulnerability assessment](defender-for-containers-usage.md).
:::image type="content" source="./media/defender-for-containers/recommendation-acr-images-with-vulnerabilities.png" alt-text="Sample Microsoft Defender for Cloud recommendation about vulnerabilities discovered in Azure Container Registry (ACR) hosted images." lightbox="./media/defender-for-containers/recommendation-acr-images-with-vulnerabilities.png":::
-### View vulnerabilities for running images
+### View vulnerabilities for running images
-The recommendation **Running container images should have vulnerability findings resolved** shows vulnerabilities for running images by using the scan results from ACR registries and information on running images from the Defender security profile/extension. Images that are deployed from a non ACR registry, will appear under the **Not applicable** tab.
+The recommendation **Running container images should have vulnerability findings resolved** shows vulnerabilities for running images by using the scan results from ACR registries and information on running images from the Defender security profile/extension. Images that are deployed from a non-ACR registry, will appear under the **Not applicable** tab.
## Run-time protection for Kubernetes nodes and clusters
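Review bot: in the rewritten sentence under "View vulnerabilities for running images", the comma after the subject in "Images that are deployed from a non-ACR registry, will appear under the **Not applicable** tab" should be removed; the "non-ACR" hyphen fix itself is right. The heading change directly above appears to differ only by a trailing space, which should be dropped rather than committed.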
-Defender for Cloud provides real-time threat protection for your containerized environments and generates alerts for suspicious activities. You can use this information to quickly remediate security issues and improve the security of your containers.
+Defender for Containers provides real-time threat protection for your containerized environments and generates alerts for suspicious activities. You can use this information to quickly remediate security issues and improve the security of your containers. Threat protection at the cluster level is provided by the Defender profile and analysis of the Kubernetes audit logs. Examples of events at this level include exposed Kubernetes dashboards, creation of high-privileged roles, and the creation of sensitive mounts.
-Threat protection at the cluster level is provided by the Defender profile and analysis of the Kubernetes audit logs. Examples of events at this level include exposed Kubernetes dashboards, creation of high-privileged roles, and the creation of sensitive mounts.
+In addition, our threat detection goes beyond the Kubernetes management layer. Defender for Containers includes **host-level threat detection** with over 60 Kubernetes-aware analytics, AI, and anomaly detections based on your runtime workload. Our global team of security researchers constantly monitor the threat landsc
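Review bot: the merged paragraph correctly attributes runtime protection to Defender for Containers rather than Defender for Cloud, but the paragraph that follows switches to first person ("our threat detection", "Our global team of security researchers"), which is inconsistent with the third-person voice used everywhere else in this article; rephrase to "Defender for Containers' threat detection" and "Microsoft's security researchers", and change "constantly monitor" to agree with the singular "team".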