Updates from: 06/10/2021 03:10:44
Service Microsoft Docs article Related commit history on GitHub Change details
active-directory Reference Powershell https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/cloud-sync/reference-powershell.md
To install and use the AADCloudSyncTools module use the following steps:
5. You should now see information about the module. 6. Next, to install the AADCloudSyncTools module pre-requisites run: `Install-AADCloudSyncToolsPrerequisites` 7. On the first run, the PoweShellGet module will be installed if not present. To load the new PowershellGet module close the PowerShell Window and open a new PowerShell session with administrative privileges.
-8. Import the module again using step 3.
+8. Import the module again using step 2.
9. Run `Install-AADCloudSyncToolsPrerequisites` to install the MSAL and AzureAD modules 11. All pre-reqs should be successfully installed ![Install module](media/reference-powershell/install-1.png)
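Review bot: the renumbered cross-reference in step 8 (`Import the module again using step 2`) cannot be verified from this hunk, because steps 1 to 4 sit outside the visible context; whoever merges should confirm that step 2 is the `Import-Module` step. Two small defects in the surrounding context are worth fixing in the same pass: `PoweShellGet` in step 7 should read `PowerShellGet`, and the list jumps from step 9 to step 11, so either a step 10 was lost or the numbering needs adjusting.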
active-directory V2 Oauth2 Client Creds Grant Flow https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/v2-oauth2-client-creds-grant-flow.md
Previously updated : 4/1/2021 Last updated : 6/8/2021
Content-Type: application/x-www-form-urlencoded
client_id=535fb089-9ff3-47b6-9bfb-4f1264799865 &scope=https%3A%2F%2Fgraph.microsoft.com%2F.default
-&client_secret=qWgdYAmab0YSkuL1qKv5bPX
+&client_secret=5ampl3Cr3dentia1s
&grant_type=client_credentials ```
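Review bot: swapping the realistic-looking `client_secret` value for `5ampl3Cr3dentia1s` is the right change; the old value was indistinguishable from a live secret, so it trips secret scanners and invites copy-paste into real requests. Since the body is `application/x-www-form-urlencoded`, consider adding one sentence stating that a real secret must be percent-encoded the same way the `scope` value already is (`https%3A%2F%2Fgraph.microsoft.com%2F.default`), because generated secrets can contain characters that are reserved in a form body; the new placeholder is pure alphanumerics, which hides that requirement.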
active-directory Manage Stale Devices https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/devices/manage-stale-devices.md
To clean up Azure AD:
>* Deleting devices in your on-premises AD or Azure AD does not remove registration on the client. It will only prevent access to resources using device as an identity (e.g. Conditional Access). Read additional information on how to [remove registration on the client](faq.yml). >* Deleting a Windows 10 device only in Azure AD will re-synchronize the device from your on-premises using Azure AD connect but as a new object in "Pending" state. A re-registration is required on the device. >* Removing the device from sync scope for Windows 10/Server 2016 devices will delete the Azure AD device. Adding it back to sync scope will place a new object in "Pending" state. A re-registration of the device is required.
->* If you not using Azure AD Connect for Windows 10 devices to synchronize (e.g. ONLY using AD FS for registration), you must manage lifecycle similar to Windows 7/8 devices.
+>* If you are not using Azure AD Connect for Windows 10 devices to synchronize (e.g. ONLY using AD FS for registration), you must manage lifecycle similar to Windows 7/8 devices.
### Azure AD joined devices
active-directory Licensing Service Plan Reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/enterprise-users/licensing-service-plan-reference.md
When managing licenses in [the Azure portal](https://portal.azure.com/#blade/Mic
| MICROSOFT INTUNE DEVICE FOR GOVERNMENT | INTUNE_A_D_GOV | 2c21e77a-e0d6-4570-b38a-7ff2dc17d2ca | EXCHANGE_S_FOUNDATION_GOV (922ba911-5694-4e99-a794-73aed9bfeec8)<br/>INTUNE_A (c1ec4a95-1f05-45b3-a911-aa3fa01094f5) | Exchange Foundation for Government (922ba911-5694-4e99-a794-73aed9bfeec8)<br/>Microsoft Intune (c1ec4a95-1f05-45b3-a911-aa3fa01094f5) | | MICROSOFT POWER APPS PLAN 2 TRIAL | POWERAPPS_VIRAL | dcb1a3ae-b33f-4487-846a-a640262fadf4 | DYN365_CDS_VIRAL (17ab22cd-a0b3-4536-910a-cb6eb12696c0)<br/>EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>FLOW_P2_VIRAL (50e68c76-46c6-4674-81f9-75456511b170)<br/>FLOW_P2_VIRAL_REAL (d20bfa21-e9ae-43fc-93c2-20783f0840c3)<br/>POWERAPPS_P2_VIRAL (d5368ca3-357e-4acb-9c21-8495fb025d1f) | COMMON DATA SERVICE ΓÇô VIRAL (17ab22cd-a0b3-4536-910a-cb6eb12696c0)<br/>EXCHANGE FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>FLOW FREE (50e68c76-46c6-4674-81f9-75456511b170)<br/>FLOW P2 VIRAL (d20bfa21-e9ae-43fc-93c2-20783f0840c3)<br/>POWERAPPS TRIAL (d5368ca3-357e-4acb-9c21-8495fb025d1f) | | MICROSOFT INTUNE SMB | INTUNE_SMB | e6025b08-2fa5-4313-bd0a-7e5ffca32958 | AAD_SMB (de377cbc-0019-4ec2-b77c-3f223947e102)<br/>EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>INTUNE_SMBIZ (8e9ff0ff-aa7a-4b20-83c1-2f636b600ac2)<br/>INTUNE_A (c1ec4a95-1f05-45b3-a911-aa3fa01094f5)<br/> | AZURE ACTIVE DIRECTORY (de377cbc-0019-4ec2-b77c-3f223947e102)<br/> EXCHANGE FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/> MICROSOFT INTUNE (8e9ff0ff-aa7a-4b20-83c1-2f636b600ac2)<br/> MICROSOFT INTUNE (c1ec4a95-1f05-45b3-a911-aa3fa01094f5) |
-| MICROSOFT POWER APPS PLAN 2 TRIAL | POWERAPPS_VIRAL | dcb1a3ae-b33f-4487-846a-a640262fadf4 | DYN365_CDS_VIRAL (17ab22cd-a0b3-4536-910a-cb6eb12696c0)<br/>EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>FLOW_P2_VIRAL (50e68c76-46c6-4674-81f9-75456511b170)<br/>FLOW_P2_VIRAL_REAL (d20bfa21-e9ae-43fc-93c2-20783f0840c3)<br/>POWERAPPS_P2_VIRAL (d5368ca3-357e-4acb-9c21-8495fb025d1f) | COMMON DATA SERVICE - VIRAL(17ab22cd-a0b3-4536-910a-cb6eb12696c0)<br/>EXCHANGE FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>FLOW FREE (50e68c76-46c6-4674-81f9-75456511b170)<br/>FLOW P2 VIRAL (d20bfa21-e9ae-43fc-93c2-20783f0840c3)<br/>POWERAPPS TRIAL (d5368ca3-357e-4acb-9c21-8495fb025d1f) |
| MICROSOFT STREAM | STREAM | 1f2f344a-700d-42c9-9427-5cea1d5d7ba6 | EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>MICROSOFTSTREAM (acffdce6-c30f-4dc2-81c0-372e33c515ec) | EXCHANGE FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>MICROSOFT STREAM (acffdce6-c30f-4dc2-81c0-372e33c515ec) | | MICROSOFT TEAM (FREE) | TEAMS_FREE | 16ddbbfc-09ea-4de2-b1d7-312db6112d70 | EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>MCOFREE (617d9209-3b90-4879-96e6-838c42b2701d)<br/>TEAMS_FREE (4fa4026d-ce74-4962-a151-8e96d57ea8e4)<br/>SHAREPOINTDESKLESS (902b47e5-dcb2-4fdc-858b-c63a90a2bdb9)<br/>TEAMS_FREE_SERVICE (bd6f2ac2-991a-49f9-b23c-18c96a02c228)<br/>WHITEBOARD_FIRSTLINE1 (36b29273-c6d0-477a-aca6-6fbe24f538e3) | EXCHANGE FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>MCO FREE FOR MICROSOFT TEAMS (FREE) (617d9209-3b90-4879-96e6-838c42b2701d)<br/>MICROSOFT TEAMS (FREE) (4fa4026d-ce74-4962-a151-8e96d57ea8e4)<br/>SHAREPOINT KIOSK (902b47e5-dcb2-4fdc-858b-c63a90a2bdb9)<br/>TEAMS FREE SERVICE (bd6f2ac2-991a-49f9-b23c-18c96a02c228)<br/>WHITEBOARD (FIRSTLINE) (36b29273-c6d0-477a-aca6-6fbe24f538e3) | | MICROSOFT TEAMS EXPLORATORY | TEAMS_EXPLORATORY | 710779e8-3d4a-4c88-adb9-386c958d1fdf | CDS_O365_P1 (bed136c6-b799-4462-824d-fc045d3a9d25)<br/>EXCHANGE_S_STANDARD (9aaf7827-d63c-4b61-89c3-182f06f82e5c)<br/>MYANALYTICS_P2 (33c4f319-9bdd-48d6-9c4d-410b750a4a5a)<br/>FORMS_PLAN_E1 (159f4cd6-e380-449f-a816-af1a9ef76344)<br/>PROJECTWORKMANAGEMENT(b737dad2-2f6c-4c65-90e3-ca563267e8b9)<br/>MICROSOFT_SEARCH (94065c59-bc8e-4e8b-89e5-5138d471eaff)<br/>DESKLESS (s8c7d2df8-86f0-4902-b2ed-a0458298f3b3)<br/>STREAM_O365_E1 (743dd19e-1ce3-4c62-a3ad-49ba8f63a2f6)<br/>TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>MCO_TEAMS_IW (42a3ec34-28ba-46b6-992f-db53a675ac5b)<br/>INTUNE_O365 (882e1d05-acd1-4ccb-8708-6ee03664b117)<br/>SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014)<br/>OFFICEMOBILE_SUBSCRIPTION 
(c63d4d19-e8cb-460e-b37c-4d6c34603745)<br/>POWERAPPS_O365_P1 (92f7a6f3-b89b-4bbd-8c30-809e6da5ad1c)<br/>FLOW_O365_P1 (0f9b09cb-62d1-4ff4-9129-43f4996f83f4)<br/>POWER_VIRTUAL_AGENTS_O365_P1 (0683001c-0492-4d59-9515-d9a6426b5813)<br/>SHAREPOINTSTANDARD (c7699d2e-19aa-44de-8edf-1736da088ca1)<br/>SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)<br/>BPOS_S_TODO_1 (5e62787c-c316-451f-b873-1d05acd4d12c)<br/>WHITEBOARD_PLAN1 (b8afc642-032e-4de5-8c0a-507a7bba7e5d)<br/>YAMMER_ENTERPRISE (7547a3fe-08ee-4ccb-b430-5077c5041653) | COMMON DATA SERVICE FOR TEAMS_P1 (bed136c6-b799-4462-824d-fc045d3a9d25)<br/>EXCHANGE ONLINE (PLAN 1) (9aaf7827-d63c-4b61-89c3-182f06f82e5c)<br/>INSIGHTS BY MYANALYTICS (33c4f319-9bdd-48d6-9c4d-410b750a4a5a)<br/>MICROSOFT FORMS (PLAN E1) (159f4cd6-e380-449f-a816-af1a9ef76344)<br/>MICROSOFT PLANNER (b737dad2-2f6c-4c65-90e3-ca563267e8b9)<br/>MICROSOFT SEARCH (94065c59-bc8e-4e8b-89e5-5138d471eaff)<br/>MICROSOFT STAFFHUB (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)<br/>MICROSOFT STREAM FOR O365 E1 SKU (743dd19e-1ce3-4c62-a3ad-49ba8f63a2f6)<br/>MICROSOFT TEAMS (57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>MICROSOFT TEAMS (42a3ec34-28ba-46b6-992f-db53a675ac5b)<br/>MOBILE DEVICE MANAGEMENT FOR OFFICE 365 (882e1d05-acd1-4ccb-8708-6ee03664b117)<br/>OFFICE FOR THE WEB (e95bec33-7c88-4a70-8e19-b10bd9d0c014)<br/>OFFICE MOBILE APPS FOR OFFICE 365 (c63d4d19-e8cb-460e-b37c-4d6c34603745)<br/>POWER APPS FOR OFFICE 365 (92f7a6f3-b89b-4bbd-8c30-809e6da5ad1c)<br/>POWER AUTOMATE FOR OFFICE 365 (0f9b09cb-62d1-4ff4-9129-43f4996f83f4)<br/>POWER VIRTUAL AGENTS FOR OFFICE 365 P1 (0683001c-0492-4d59-9515-d9a6426b5813)<br/>SHAREPOINT STANDARD (c7699d2e-19aa-44de-8edf-1736da088ca1)<br/>SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)<br/>TO-DO (PLAN 1) (5e62787c-c316-451f-b873-1d05acd4d12c)<br/>WHITEBOARD (PLAN 1) (b8afc642-032e-4de5-8c0a-507a7bba7e5d)<br/>YAMMER ENTERPRISE (7547a3fe-08ee-4ccb-b430-5077c5041653 |
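Review bot: the removed `MICROSOFT POWER APPS PLAN 2 TRIAL` row duplicates a row already present in the context (same SKU id `dcb1a3ae-b33f-4487-846a-a640262fadf4`), so the net effect is deduplication, but the surviving row spells the plan name with a non-ASCII dash (rendered here as `COMMON DATA SERVICE ΓÇô VIRAL`) while the removed one used a plain hyphen; keep the ASCII `-` form, as every other row in this table does. While here, the context carries three data errors that should be fixed: in the `MICROSOFT TEAMS EXPLORATORY` row the `DESKLESS` service plan id reads `s8c7d2df8-86f0-4902-b2ed-a0458298f3b3` with a stray leading `s` (the friendly-name column has the correct `8c7d2df8-...`), `PROJECTWORKMANAGEMENT(b737dad2-...` is missing the space before the parenthesis, and the final `YAMMER ENTERPRISE (7547a3fe-08ee-4ccb-b430-5077c5041653` lacks its closing parenthesis. Anyone scripting license checks by copying GUIDs from this reference will hit the first one.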
active-directory Whats New Archive https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/whats-new-archive.md
The What's new in Azure Active Directory? release notes provide information abou
### Azure Active Directory TLS 1.0, TLS 1.1, and 3DES deprecation
-**Type:** Plan for change
+**Type:** Plan for change
**Service category:** All Azure AD applications **Product capability:** Standards
Azure AD Connect is in the process of transitioning our email alert system(s), p
You can now successfully change a user's UPN suffix from one Federated domain to another Federated domain in Azure AD Connect. This fix means you should no longer experience the FederatedDomainChangeError error message during the synchronization cycle or receive a notification email stating, "Unable to update this object in Azure Active Directory, because the attribute [FederatedUser.UserPrincipalName], is not valid. Update the value in your local directory services".
-For more information, see [Troubleshooting Errors during synchronization](../hybrid/tshoot-connect-sync-errors.md#federateddomainchangeerror).
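Review bot: dropping the `Troubleshooting Errors during synchronization` link is consistent with the removal of the `FederatedDomainChangeError` section from `tshoot-connect-sync-errors.md` elsewhere in this change set, so the `#federateddomainchangeerror` anchor would otherwise dangle. The remaining sentence still names the error and quotes the old notification text, which helps readers searching by error string; keep it, and consider pointing to `howto-troubleshoot-upn-changes.md` instead, which the removed section listed under its related articles and which covers the same UPN-suffix scenario.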
active-directory Whats New https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/whats-new.md
Organizations in the Microsoft Azure Government cloud can now enable their guest
In March 2021 we have added following 37 new applications in our App gallery with Federation support:
-[Bambuser Live Video Shopping](https://lcx.bambuser.com/), [DeepDyve Inc](https://www.deepdyve.com/azure-sso), [Moqups](../saas-apps/moqups-tutorial.md), [RICOH Spaces Mobile](https://ricohspaces.app/welcome), [Flipgrid](https://auth.flipgrid.com/), [hCaptcha Enterprise](../saas-apps/hcaptcha-enterprise-tutorial.md), [SchoolStream ASA](https://jsd.schoolstreamk12.com/AS)
+[Bambuser Live Video Shopping](https://lcx.bambuser.com/), [DeepDyve Inc](https://www.deepdyve.com/azure-sso), [Moqups](../saas-apps/moqups-tutorial.md), [RICOH Spaces Mobile](https://ricohspaces.app/welcome), [Flipgrid](https://auth.flipgrid.com/), [hCaptcha Enterprise](../saas-apps/hcaptcha-enterprise-tutorial.md), [SchoolStream ASA](https://jsd.schoolstreamk12.com/AS)
You can also find the documentation of all the applications here: https://aka.ms/AppsTutorial
active-directory How To Connect Azureadaccount https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/hybrid/how-to-connect-azureadaccount.md
The Azure AD Connector account is supposed to be service free. If you need to re
## Reset the credentials If the Azure AD Connector account cannot contact Azure AD due to authentication problems, the password can be reset.
-1. Sign in to the Azure AD Connect sync server and start PowerShell.
-2. Run `Add-ADSyncAADServiceAccount`.
- ![PowerShell cmdlet addadsyncaadserviceaccount](./media/how-to-connect-azureadaccount/addadsyncaadserviceaccount.png)
-3. Provide Azure AD Global admin credentials.
+1. Sign in to the Azure AD Connect sync server and open PowerShell.
+2. To provide the Azure AD Global admin credentials, run `$credential = Get-Credential`.
+3. Run the cmdlet `Add-ADSyncAADServiceAccount -AADCredential $credential`.
-This cmdlet resets the password for the service account and update it both in Azure AD and in the sync engine.
+ If the cmdlet is successful, the PowerShell command prompt appears.
+
+The cmdlet resets the password for the service account and updates it both in Azure AD and the sync engine.
## Known issues these steps can solve This section is a list of errors reported by customers that were fixed by a credentials reset on the Azure AD Connector account.
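Review bot: the new step 2 (`$credential = Get-Credential`) leaves Global Administrator credentials in a session variable after `Add-ADSyncAADServiceAccount` returns; add a closing step such as `Remove-Variable credential`, or tell the reader to close the session, since the sync server is exactly the kind of host where a lingering admin credential object is attractive. Also, `Get-Credential` collects only a username and password, so the article should say whether a Global Administrator protected by MFA or Conditional Access can complete the `-AADCredential` path at all and, if not, what to use instead; the removed step 3 and the `addadsyncaadserviceaccount.png` screenshot described an interactive prompt, and that difference is not explained. The `update it` to `updates it` fix in the closing sentence is fine.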
active-directory How To Connect Health Ad Fs Sign In https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/hybrid/how-to-connect-health-ad-fs-sign-in.md
AD FS sign-ins can now be integrated into the Azure Active Directory sign-ins re
The Connect Health for AD FS agent correlates multiple Event IDs from AD FS, dependent on the server version, to provide information about the request and error details if the request fails. This information is correlated to the Azure AD sign-ins report schema and displayed in the Azure AD Sign-In Report UX. Alongside the report, a new Log Analytics stream is available with the AD FS data and a new Azure Monitor Workbook template. The template can be used and modified for an in-depth analysis for scenarios such as AD FS account lockouts, bad password attempts, and spikes of unexpected sign-in attempts. ## Prerequisites
-* Azure AD Connect Health for AD FS installed and upgraded to latest version.
+* Azure AD Connect Health for AD FS installed and upgraded to latest version (3.1.95.0 or later).
* Global administrator or reports reader role to view the Azure AD sign-ins ## What data is displayed in the report?
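Review bot: `upgraded to latest version (3.1.95.0 or later)` states two different requirements; a minimum version is the one a reader can check, so reword to `version 3.1.95.0 or later`, and if the intent is that only agents from that version emit the correlated sign-in events, say so explicitly. Pinning the number is a good addition, since anyone troubleshooting a missing AD FS stream needs a concrete value to compare against the installed agent.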
active-directory How To Connect Install Multiple Domains https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/hybrid/how-to-connect-install-multiple-domains.md
Another thing that `-SupportMultipleDomain` does is that it ensures that the AD
Thus during authentication to Azure AD or Microsoft 365, the IssuerUri element in the userΓÇÖs token is used to locate the domain in Azure AD. If, a match cannot be found, the authentication will fail.
-For example, if a userΓÇÖs UPN is bsimon@bmcontoso.com, the IssuerUri element in the token, AD FS issues, will be set to `http://bmcontoso.com/adfs/services/trust`. This element will match the Azure AD configuration, and authentication will succeed.
+For example, if a userΓÇÖs UPN is bsimon@bmcontoso.com, the IssuerUri element in the token, AD FS issuer, will be set to `http://bmcontoso.com/adfs/services/trust`. This element will match the Azure AD configuration, and authentication will succeed.
The following is the customized claim rule that implements this logic:
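Review bot: the edit to the example sentence makes it worse rather than better: `the IssuerUri element in the token, AD FS issuer, will be set to` is ungrammatical, and the original `the token, AD FS issues,` was a comma-spliced relative clause meaning `the token that AD FS issues`. Suggested wording: `the IssuerUri element in the token that AD FS issues will be set to ...`. The technical content is unchanged and, as far as the visible context shows, correct: Azure AD matches IssuerUri against the federated domain and fails authentication on a mismatch, which is why the per-domain issuer produced with `-SupportMultipleDomain` matters.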
Learn more about these features, which were enabled with the installation: [Auto
Learn more about these common topics: [scheduler and how to trigger sync](how-to-connect-sync-feature-scheduler.md).
-Learn more about [Integrating your on-premises identities with Azure Active Directory](whatis-hybrid-identity.md).
+Learn more about [Integrating your on-premises identities with Azure Active Directory](whatis-hybrid-identity.md).
active-directory How To Connect Sso Quick Start https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/hybrid/how-to-connect-sso-quick-start.md
If you have overridden the [AuthNegotiateDelegateWhitelist](https://www.chromium
#### Google Chrome (macOS and other non-Windows platforms)
-For Google Chrome on macOS and other non-Windows platforms, refer to [The Chromium Project Policy List](https://dev.chromium.org/administrators/policy-list-3#AuthServerWhitelist) for information on how to control the allow list for the Azure AD URL for integrated authentication.
+For Google Chrome on macOS and other non-Windows platforms, refer to [The Chromium Project Policy List](https://chromeenterprise.google/policies/) for information on how to control the allow list for the Azure AD URL for integrated authentication.
The use of third-party Active Directory Group Policy extensions to roll out the Azure AD URL to Firefox and Google Chrome on Mac users is outside the scope of this article.
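Review bot: the replacement link drops the `#AuthServerWhitelist` anchor, so readers now land on the full Chrome policy index and must locate the right policy themselves; deep-link to the specific policy instead. Current Chrome releases name it `AuthServerAllowlist` (the `AuthServerWhitelist` spelling in the removed link is the deprecated name), and the preceding paragraph's `AuthNegotiateDelegateWhitelist` reference has the same rename, so update both together so that administrators configuring the allow list for the Azure AD URL look the policy up under the name Chrome actually documents.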
active-directory How To Connect Sync Change Serviceacct Pass https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/hybrid/how-to-connect-sync-change-serviceacct-pass.md
As the existing passwords stored inside the database can no longer be decrypted,
#### Reinitialize the password of the ADSync service account You cannot directly provide the password of the Azure AD service account to the Synchronization Service. Instead, you need to use the cmdlet **Add-ADSyncAADServiceAccount** to reinitialize the Azure AD service account. The cmdlet resets the account password and makes it available to the Synchronization Service:
-1. Start a new PowerShell session on the Azure AD Connect server.
-2. Run cmdlet `Add-ADSyncAADServiceAccount`.
-3. In the pop-up dialog, provide the Azure AD Global admin credentials for your Azure AD tenant.
-![Azure AD Connect Sync Encryption Key Utility](./media/how-to-connect-sync-change-serviceacct-pass/key7.png)
-4. If it is successful, you will see the PowerShell command prompt.
+1. Sign in to the Azure AD Connect sync server and open PowerShell.
+2. To provide the Azure AD Global admin credentials, run `$credential = Get-Credential`.
+3. Run the cmdlet `Add-ADSyncAADServiceAccount -AADCredential $credential`.
+
+ If the cmdlet is successful, the PowerShell command prompt appears.
+
+The cmdlet resets the password for the service account and updates it both in Azure AD and the sync engine.
+ #### Start the Synchronization Service Now that the Synchronization Service has access to the encryption key and all the passwords it needs, you can restart the service in the Windows Service Control
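Review bot: this block now duplicates, word for word, the reset procedure that this same change adds to `how-to-connect-azureadaccount.md` (`$credential = Get-Credential`, `Add-ADSyncAADServiceAccount -AADCredential $credential`, the `command prompt appears` success check and the closing sentence), so the two copies will drift on the next edit; move the steps into a shared include and reference it from both articles. The same caveats apply here: the Global Administrator credential stays in `$credential` for the rest of the session, so advise clearing it once the Synchronization Service is back up, and state whether an MFA-protected admin can use `-AADCredential`, because the removed step 3 relied on an interactive dialog (`key7.png`) that this path no longer shows.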
active-directory How To Connect Sync Feature Preferreddatalocation https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/hybrid/how-to-connect-sync-feature-preferreddatalocation.md
na ms.devlang: na Previously updated : 06/08/2021 Last updated : 06/09/2021
# Azure Active Directory Connect sync: Configure preferred data location for Microsoft 365 resources The purpose of this topic is to walk you through how to configure the attribute for preferred data location in Azure Active Directory (Azure AD) Connect sync. When someone uses Multi-Geo capabilities in Microsoft 365, you use this attribute to designate the geo-location of the userΓÇÖs Microsoft 365 data. (The terms *region* and *geo* are used interchangeably.)
+## Supported Multi-Geo locations
+For a list of all geos supported by Azure AD Connect see [Microsoft 365 Multi-Geo availability](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-multi-geo?view=o365-worldwide#microsoft-365-multi-geo-availability)
+ ## Enable synchronization of preferred data location By default, Microsoft 365 resources for your users are located in the same geo as your Azure AD tenant. For example, if your tenant is located in North America, then the users' Exchange mailboxes are also located in North America. For a multinational organization, this might not be optimal.
By setting the attribute **preferredDataLocation**, you can define a user's geo.
> [!IMPORTANT] > Multi-Geo is currently available to customers with an active Enterprise Agreement and a minimum of 250 Microsoft 365 Services subscriptions. Please talk to your Microsoft representative for details. >
->
+> For a list of all geos supported by Azure AD Connect see [Microsoft 365 Multi-Geo availability](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-multi-geo?view=o365-worldwide#microsoft-365-multi-geo-availability).
+
-A list of all geos for Microsoft 365 can be found in [Where is your data located?](/microsoft-365/enterprise/o365-data-locations). Azure AD Connect supports all the geos in Microsoft 365.
### Azure AD Connect support for synchronization
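Review bot: the link to Microsoft 365 Multi-Geo availability is added twice in this hunk, once as the new `## Supported Multi-Geo locations` section and again inside the `[!IMPORTANT]` callout, while the old single sentence in the context is removed; keep one, preferably the callout, since the new section body is a single sentence. Two smaller points: the removed line used a site-relative path (`/microsoft-365/enterprise/o365-data-locations`) whereas the new link is absolute (`https://docs.microsoft.com/...?view=o365-worldwide`), which this repo otherwise avoids, and the added sentence needs a comma after `Azure AD Connect` and a terminating period. The removed statement `Azure AD Connect supports all the geos in Microsoft 365` also disappears without replacement; if it is still true, say so, because readers come to this page to check exactly that.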
active-directory Reference Connect Sync Attributes Synchronized https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/hybrid/reference-connect-sync-attributes-synchronized.md
In this case, start with the list of attributes in this topic and identify those
| Attribute Name | User | Contact | Group | Comment | | |::|::|::| | | accountEnabled |X | | |Defines if an account is enabled. |
-| assistant |X |X | | |
| altRecipient |X | | |Requires Azure AD Connect build 1.1.552.0 or after. | | authOrig |X |X |X | | | c |X |X | | |
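Review bot: dropping `assistant` from the synchronized-attribute table changes what readers expect to see in Azure AD without any record of why; neighbouring rows carry a version note in the Comment column (`altRecipient` has `Requires Azure AD Connect build 1.1.552.0 or after`), so the same convention fits here: either state that `assistant` was never synchronized and the row was an error, or note the build from which it stopped being synced. A silent removal is hard on anyone auditing attribute flow against this reference.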
Device objects are created in Active Directory. These objects can be devices joi
## Next steps Learn more about the [Azure AD Connect sync](how-to-connect-sync-whatis.md) configuration.
-Learn more about [Integrating your on-premises identities with Azure Active Directory](whatis-hybrid-identity.md).
+Learn more about [Integrating your on-premises identities with Azure Active Directory](whatis-hybrid-identity.md).
active-directory Tshoot Connect Sync Errors https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/hybrid/tshoot-connect-sync-errors.md
a. Ensure that the userPrincipalName attribute has supported characters and requ
#### Related Articles * [Prepare to provision users through directory synchronization to Microsoft 365](https://support.office.com/article/Prepare-to-provision-users-through-directory-synchronization-to-Office-365-01920974-9e6f-4331-a370-13aea4e82b3e)
-### FederatedDomainChangeError
-#### Description
-This case results in a **"FederatedDomainChangeError"** sync error when the suffix of a user's UserPrincipalName is changed from one federated domain to another federated domain.
-
-#### Scenarios
-For a synchronized user, the UserPrincipalName suffix was changed from one federated domain to another federated domain on premises. For example, *UserPrincipalName = bob\@contoso.com* was changed to *UserPrincipalName = bob\@fabrikam.com*.
-
-#### Example
-1. Bob Smith, an account for Contoso.com, gets added as a new user in Active Directory with the UserPrincipalName bob@contoso.com
-2. Bob moves to a different division of Contoso.com called Fabrikam.com and their UserPrincipalName is changed to bob@fabrikam.com
-3. Both contoso.com and fabrikam.com domains are federated domains with Azure Active Directory.
-4. Bob's userPrincipalName does not get updated and results in a "FederatedDomainChangeError" sync error.
-
-#### How to fix
-If a user's UserPrincipalName suffix was updated from bob@**contoso.com** to bob\@**fabrikam.com**, where both **contoso.com** and **fabrikam.com** are **federated domains**, then follow these steps to fix the sync error
-
-1. Update the user's UserPrincipalName in Azure AD from bob@contoso.com to bob@contoso.onmicrosoft.com. You can use the following PowerShell command with the Azure AD PowerShell Module:
- `Set-MsolUserPrincipalName -UserPrincipalName bob@contoso.com -NewUserPrincipalName bob@contoso.onmicrosoft.com`
-2. Allow the next sync cycle to attempt synchronization. This time synchronization will be successful and it will update the UserPrincipalName of Bob to bob@fabrikam.com as expected.
-
-#### Related Articles
-* [Changes aren't synced by the Azure Active Directory Sync tool after you change the UPN of a user account to use a different federated domain](./howto-troubleshoot-upn-changes.md)
- ## LargeObject ### Description When an attribute exceeds the allowed size limit, length limit or count limit set by Azure Active Directory schema, the synchronization operation results in the **LargeObject** or **ExceededAllowedLength** sync error. Typically this error occurs for the following attributes
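Review bot: removing the whole `FederatedDomainChangeError` section matches the release note elsewhere in this change set saying a UPN suffix change between federated domains now succeeds, so the fix-it steps are stale. Two things go with it that may still be worth keeping: the symptom description, useful for readers on older Azure AD Connect builds who still hit the error, and the `Related Articles` pointer to `howto-troubleshoot-upn-changes.md`; a short note that the error no longer occurs on current builds, with that link, would serve them better than nothing. The removed workaround also used `Set-MsolUserPrincipalName` from the MSOnline module, so if any of it is reinstated it should be rewritten against a current module.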
To resolve this issue do the following:
## Related links * [Locate Active Directory Objects in Active Directory Administrative Center](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd560661(v=ws.10))
-* [How to query Azure Active Directory for an object using Azure Active Directory PowerShell](/previous-versions/azure/jj151815(v=azure.100))
+* [How to query Azure Active Directory for an object using Azure Active Directory PowerShell](/previous-versions/azure/jj151815(v=azure.100))
active-directory Managed Identity Best Practice Recommendations https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/managed-identities-azure-resources/managed-identity-best-practice-recommendations.md
In the example below, ΓÇ£Virtual Machine 4ΓÇ¥ has both a user-assigned identity,
## Limits
-View the limits for [managed identities](../../azure-resource-manager/management/azure-subscription-service-limits.md#azure-role-based-access-control-limits)
-and for [custom roles and role assignments](../../azure-resource-manager/management/azure-subscription-service-limits.md#azure-role-based-access-control-limits).
+View the limits for [managed identities](../../azure-resource-manager/management/azure-subscription-service-limits.md#azure-rbac-limits)
+and for [custom roles and role assignments](../../azure-resource-manager/management/azure-subscription-service-limits.md#azure-rbac-limits).
## Maintenance
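Review bot: after this edit both links under `## Limits` point at the same anchor (`#azure-rbac-limits`), so `limits for managed identities` and `limits for custom roles and role assignments` resolve to one section, which the old `#azure-role-based-access-control-limits` anchor was already doing twice; if the limits page has a managed-identity-specific anchor, use it for the first link, otherwise collapse the two into one sentence so readers do not go looking for a separate managed identities limit table.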
active-directory Groups Features https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/privileged-identity-management/groups-features.md
Some organizations use tools like Azure AD business-to-business (B2B) collaborat
## Activate multiple role assignments in a single request
-With the privileged access groups preview, you can give workload-specific administrators quick access to multiple roles with a single just-in-time request. For example, your Tier 3 Office Admins might need just-in-time access to the Exchange Admin, Office Apps Admin, Teams Admin, and Search Admin roles to thoroughly investigate incidents daily. Before today it would require four consecutive requests, which are a process that takes some time. Instead, you can create a role assignable group called ΓÇ£Tier 3 Office AdminsΓÇ¥, assign it to each of the four roles previously mentioned (or any Azure AD built-in roles) and enable it for Privileged Access in the groupΓÇÖs Activity section. Once enabled for privileged access, you can configure the just-in-time settings for members of the group and assign your admins and owners as eligible. When the admins elevate into the group, theyΓÇÖll become members of all four Azure AD roles.
+With the privileged access groups preview, you can give workload-specific administrators quick access to multiple roles with a single just-in-time request. For example, your Tier 0 Office Admins might need just-in-time access to the Exchange Admin, Office Apps Admin, Teams Admin, and Search Admin roles to thoroughly investigate incidents daily. Before today it would require four consecutive requests, which are a process that takes some time. Instead, you can create a role assignable group called ΓÇ£Tier 0 Office AdminsΓÇ¥, assign it to each of the four roles previously mentioned (or any Azure AD built-in roles) and enable it for Privileged Access in the groupΓÇÖs Activity section. Once enabled for privileged access, you can configure the just-in-time settings for members of the group and assign your admins and owners as eligible. When the admins elevate into the group, theyΓÇÖll become members of all four Azure AD roles.
## Extend and renew group assignments
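Review bot: renaming the example group from `Tier 3 Office Admins` to `Tier 0 Office Admins` misapplies a term of art: in the tiered administration model Tier 0 denotes control-plane assets and identities (domain controllers, Global Administrator and equivalents), and a group holding Exchange Admin, Office Apps Admin, Teams Admin and Search Admin is a workload-admin group, not a Tier 0 one. A neutral name such as `Office workload admins` avoids teaching readers that these roles belong in the same tier as tenant-wide identity control, and the procedure itself (role-assignable group, assign the four roles, enable Privileged Access, configure just-in-time settings, elevate) is unaffected. While here, `Before today it would require` should read `Previously this required`.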
active-directory Prerequisites https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/roles/prerequisites.md
To use AzureAD, follow these steps to make sure it is imported into the current
Get-Module -Name AzureAD ```
-1. If you don't see any output in the previous step, use [Import-Module](/powershell/module/powershellget/import-module) to import AzureAD. The `-Force` parameter removes the loaded module and then imports it again.
+1. If you don't see any output in the previous step, use [Import-Module](/powershell/module/microsoft.powershell.core/import-module) to import AzureAD. The `-Force` parameter removes the loaded module and then imports it again.
```powershell Import-Module -Name AzureAD -Force
active-directory Abbyy Flexicapture Cloud Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/abbyy-flexicapture-cloud-tutorial.md
Previously updated : 10/21/2020 Last updated : 06/09/2021
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* ABBYY FlexiCapture Cloud supports **SP and IDP** initiated SSO
-* ABBYY FlexiCapture Cloud supports **Just In Time** user provisioning
+* ABBYY FlexiCapture Cloud supports **SP and IDP** initiated SSO.
+* ABBYY FlexiCapture Cloud supports **Just In Time** user provisioning.
-## Adding ABBYY FlexiCapture Cloud from the gallery
+## Add ABBYY FlexiCapture Cloud from the gallery
To configure the integration of ABBYY FlexiCapture Cloud into Azure AD, you need to add ABBYY FlexiCapture Cloud from the gallery to your list of managed SaaS apps.
To configure the integration of ABBYY FlexiCapture Cloud into Azure AD, you need
1. In the **Add from the gallery** section, type **ABBYY FlexiCapture Cloud** in the search box. 1. Select **ABBYY FlexiCapture Cloud** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. - ## Configure and test Azure AD SSO for ABBYY FlexiCapture Cloud Configure and test Azure AD SSO with ABBYY FlexiCapture Cloud using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in ABBYY FlexiCapture Cloud.
Follow these steps to enable Azure AD SSO in the Azure portal.
1. In the Azure portal, on the **ABBYY FlexiCapture Cloud** application integration page, find the **Manage** section and select **single sign-on**. 1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
-1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, enter the values for the following fields:
+1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, perform the following steps:
a. In the **Identifier** text box, type a URL using the following pattern: `https://<SUBDOMAIN>.flexicapture.com/FlexiCapture12/Login/<TENANT_NAME>/AccessToken/Saml`
Follow these steps to enable Azure AD SSO in the Azure portal.
1. On the **Set up ABBYY FlexiCapture Cloud** section, copy the appropriate URL(s) based on your requirement. ![Copy configuration URLs](common/copy-configuration-urls.png)+ ### Create an Azure AD test user In this section, you'll create a test user in the Azure portal called B.Simon.
In this section, you test your Azure AD single sign-on configuration with follow
#### IDP initiated:
-* Click on **Test this application** in Azure portal and you should be automatically signed in to the ABBYY FlexiCapture Cloud for which you set up the SSO
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the ABBYY FlexiCapture Cloud for which you set up the SSO.
-You can also use Microsoft Access Panel to test the application in any mode. When you click the ABBYY FlexiCapture Cloud tile in the Access Panel, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the ABBYY FlexiCapture Cloud for which you set up the SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+You can also use Microsoft My Apps to test the application in any mode. When you click the ABBYY FlexiCapture Cloud tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the ABBYY FlexiCapture Cloud for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
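Review bot: the definite article before the product name reads wrongly throughout the `+` replacement of the Access Panel paragraph: "in the My Apps", "about the My Apps" and the link text "Introduction to the My Apps" should be "in My Apps", "about My Apps" and "Introduction to My Apps", since My Apps is a proper name. While touching that line, "application sign on page" should be hyphenated as "sign-on page" to match "Sign-on URL" used elsewhere in these tutorials.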
active-directory Assetsonar Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/assetsonar-tutorial.md
Previously updated : 12/04/2019 Last updated : 06/09/2021
In this tutorial, you'll learn how to integrate AssetSonar with Azure Active Dir
* Enable your users to be automatically signed-in to AssetSonar with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
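Review bot: the `## Prerequisites` heading appears to be dropped together with the introductory link: the `-` line that begins `## Prerequisites` has no `+` counterpart in this hunk, so the unchanged "To get started, you need the following items:" list would hang directly under the intro bullets. The other tutorials in this batch (Autotask Endpoint Backup, Banyan Command Center) keep `## Prerequisites`; restore the heading unless it survives on a line outside this hunk.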
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* AssetSonar supports **SP** initiated SSO
-* AssetSonar supports **Just In Time** user provisioning
+* AssetSonar supports **SP** initiated SSO.
+* AssetSonar supports **Just In Time** user provisioning.
> [!NOTE] > Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-## Adding AssetSonar from the gallery
+## Add AssetSonar from the gallery
To configure the integration of AssetSonar into Azure AD, you need to add AssetSonar from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **AssetSonar** in the search box. 1. Select **AssetSonar** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on for AssetSonar
+## Configure and test Azure AD SSO for AssetSonar
Configure and test Azure AD SSO with AssetSonar using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in AssetSonar.
-To configure and test Azure AD SSO with AssetSonar, complete the following building blocks:
+To configure and test Azure AD SSO with AssetSonar, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
- * **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
- * **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
1. **[Configure AssetSonar SSO](#configure-assetsonar-sso)** - to configure the single sign-on settings on application side.
- * **[Create AssetSonar test user](#create-assetsonar-test-user)** - to have a counterpart of B.Simon in AssetSonar that is linked to the Azure AD representation of user.
+ 1. **[Create AssetSonar test user](#create-assetsonar-test-user)** - to have a counterpart of B.Simon in AssetSonar that is linked to the Azure AD representation of user.
1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ## Configure Azure AD SSO Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **AssetSonar** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **AssetSonar** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
-1. On the **Basic SAML Configuration** section, enter the values for the following fields:
+1. On the **Basic SAML Configuration** section, perform the following steps:
In the **Sign-on URL** text box, type a URL using the following pattern: `https://<SUBDOMAIN>.assetsonar.com/users/sign_in`
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **AssetSonar**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure AssetSonar SSO
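Review bot: the rewritten role step is missing an article: 'you see "Default Access" role selected' should read 'you see the "Default Access" role selected'. The same sentence is pasted into the Autotask Endpoint Backup and Banyan Command Center hunks on this page, so fix it in the shared template text rather than per tutorial.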
In this section, a user called B.Simon is created in AssetSonar. AssetSonar supp
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
-
-When you click the AssetSonar tile in the Access Panel, you should be automatically signed in to the AssetSonar for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+In this section, you test your Azure AD single sign-on configuration with following options.
-## Additional resources
+* Click on **Test this application** in Azure portal. This will redirect to AssetSonar Sign-on URL where you can initiate the login flow.
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+* Go to AssetSonar Sign-on URL directly and initiate the login flow from there.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+* You can use Microsoft My Apps. When you click the AssetSonar tile in the My Apps, this will redirect to AssetSonar Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+## Next steps
-- [Try AssetSonar with Azure AD](https://aad.portal.azure.com/)
+Once you configure AssetSonar you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
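Review bot: the new Next steps line carries a mis-encoded apostrophe: "organizationΓÇÖs" is a UTF-8 right single quotation mark read through a legacy code page and should be written as a plain "organization's" before this merges. Two smaller points in the same hunk: "with following options" needs "the" ("with the following options"), and the removed Additional resources list took the Conditional Access overview link with it while the new paragraph still says "Session control extends from Conditional Access", so consider keeping that link.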
active-directory Autotaskendpointbackup Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/autotaskendpointbackup-tutorial.md
Previously updated : 1/19/2019 Last updated : 06/09/2021 # Tutorial: Azure Active Directory integration with Autotask Endpoint Backup
-In this tutorial, you learn how to integrate Autotask Endpoint Backup with Azure Active Directory (Azure AD).
-Integrating Autotask Endpoint Backup with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Autotask Endpoint Backup with Azure Active Directory (Azure AD). When you integrate Autotask Endpoint Backup with Azure AD, you can:
-* You can control in Azure AD who has access to Autotask Endpoint Backup.
-* You can enable your users to be automatically signed-in to Autotask Endpoint Backup (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Autotask Endpoint Backup.
+* Enable your users to be automatically signed-in to Autotask Endpoint Backup with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with Autotask Endpoint Backup, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* Autotask Endpoint Backup single sign-on enabled subscription
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Autotask Endpoint Backup single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* Autotask Endpoint Backup supports **IDP** initiated SSO
+* Autotask Endpoint Backup supports **IDP** initiated SSO.
-## Adding Autotask Endpoint Backup from the gallery
+## Add Autotask Endpoint Backup from the gallery
To configure the integration of Autotask Endpoint Backup into Azure AD, you need to add Autotask Endpoint Backup from the gallery to your list of managed SaaS apps.
-**To add Autotask Endpoint Backup from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **Autotask Endpoint Backup**, select **Autotask Endpoint Backup** from result panel then click **Add** button to add the application.
-
- ![Autotask Endpoint Backup in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Autotask Endpoint Backup** in the search box.
+1. Select **Autotask Endpoint Backup** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-In this section, you configure and test Azure AD single sign-on with Autotask Endpoint Backup based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Autotask Endpoint Backup needs to be established.
+## Configure and test Azure AD SSO for Autotask Endpoint Backup
-To configure and test Azure AD single sign-on with Autotask Endpoint Backup, you need to complete the following building blocks:
+Configure and test Azure AD SSO with Autotask Endpoint Backup using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Autotask Endpoint Backup.
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure Autotask Endpoint Backup Single Sign-On](#configure-autotask-endpoint-backup-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Autotask Endpoint Backup test user](#create-autotask-endpoint-backup-test-user)** - to have a counterpart of Britta Simon in Autotask Endpoint Backup that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+To configure and test Azure AD SSO with Autotask Endpoint Backup, perform the following steps:
-### Configure Azure AD single sign-on
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Autotask Endpoint Backup SSO](#configure-autotask-endpoint-backup-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Autotask Endpoint Backup test user](#create-autotask-endpoint-backup-test-user)** - to have a counterpart of B.Simon in Autotask Endpoint Backup that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+## Configure Azure AD SSO
-To configure Azure AD single sign-on with Autotask Endpoint Backup, perform the following steps:
+Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Autotask Endpoint Backup** application integration page, select **Single sign-on**.
+1. In the Azure portal, on the **Autotask Endpoint Backup** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Configure single sign-on link](common/select-sso.png)
-
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
-
- ![Single sign-on select mode](common/select-saml-option.png)
-
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Set up Single Sign-On with SAML** page, perform the following steps:
- ![Autotask Endpoint Backup Domain and URLs single sign-on information](common/idp-intiated.png)
- a. In the **Identifier** text box, type a URL using the following pattern:
- `https://<subdomain>.backup.autotask.net/singlesignon/saml/metadata`
+ `https://<SUBDOMAIN>.backup.autotask.net/singlesignon/saml/metadata`
b. In the **Reply URL** text box, type a URL using the following pattern:
- `https://<subdomain>.backup.autotask.net/singlesignon/saml/SSO`
+ `https://<SUBDOMAIN>.backup.autotask.net/singlesignon/saml/SSO`
> [!NOTE] > These values are not real. Update these values with the actual Identifier and Reply URL. Contact [Autotask Endpoint Backup Client support team](https://backup.autotask.net/help/Content/0_HOME/Support_for_End_Clients.htm) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
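Review bot: the unchanged context step "4. On the **Set up Single Sign-On with SAML** page, perform the following steps:" is now inconsistent with the rewritten steps above it: those use "1." markers, and the pencil-icon step immediately before it already opens **Basic SAML Configuration**, which is where the Identifier and Reply URL fields live. It should become "1. On the **Basic SAML Configuration** section, perform the following steps:", as the AssetSonar and Banyan Command Center tutorials in this batch phrase it. Also check that the `-` line removing the `idp-intiated.png` screenshot is deliberate, since the equivalent step in the other tutorials keeps an image under the pencil-icon step.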
To configure Azure AD single sign-on with Autotask Endpoint Backup, perform the
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
-
- b. Azure Ad Identifier
-
- c. Logout URL
-
-### Configure Autotask Endpoint Backup Single Sign-On
-
-To configure single sign-on on **Autotask Endpoint Backup** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Autotask Endpoint Backup support team](https://backup.autotask.net/help/Content/0_HOME/Support_for_End_Clients.htm). They set this setting to have the SAML SSO connection set properly on both sides.
- ### Create an Azure AD test user
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
+In this section, you'll create a test user in the Azure portal called B.Simon.
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type **brittasimon\@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
### Assign the Azure AD test user
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Autotask Endpoint Backup.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Autotask Endpoint Backup**.
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Autotask Endpoint Backup.
- ![Enterprise applications blade](common/enterprise-applications.png)
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Autotask Endpoint Backup**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
-2. In the applications list, select **Autotask Endpoint Backup**.
+## Configure Autotask Endpoint Backup SSO
- ![The Autotask Endpoint Backup link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
+To configure single sign-on on **Autotask Endpoint Backup** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Autotask Endpoint Backup support team](https://backup.autotask.net/help/Content/0_HOME/Support_for_End_Clients.htm). They set this setting to have the SAML SSO connection set properly on both sides.
### Create Autotask Endpoint Backup test user In this section, you create a user called Britta Simon in Autotask Endpoint Backup. Work with [Autotask Endpoint Backup support team](https://backup.autotask.net/help/Content/0_HOME/Support_for_End_Clients.htm) to add the users in the Autotask Endpoint Backup platform. Users must be created and activated before you use single sign-on.
-### Test single sign-on
-
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+## Test SSO
-When you click the Autotask Endpoint Backup tile in the Access Panel, you should be automatically signed in to the Autotask Endpoint Backup for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+In this section, you test your Azure AD single sign-on configuration with following options.
-## Additional Resources
+* Click on Test this application in Azure portal and you should be automatically signed in to the Autotask Endpoint Backup for which you set up the SSO.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the Autotask Endpoint Backup tile in the My Apps, you should be automatically signed in to the Autotask Endpoint Backup for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Autotask Endpoint Backup you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
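Review bot: the test user is renamed to **B.Simon** in every rewritten step of this hunk (for example "In the **Name** field, enter `B.Simon`" and "select **B.Simon** from the Users list"), but the unchanged "### Create Autotask Endpoint Backup test user" context line still says "you create a user called Britta Simon in Autotask Endpoint Backup"; update that sentence as well so the tutorial refers to one user. In the same hunk: the Next steps line has the mis-encoded apostrophe "organizationΓÇÖs" (should be "organization's"), "with following options" needs "the", and "Click on Test this application" lacks the bold that the AssetSonar and Banyan versions use ("Click on **Test this application**").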
active-directory Banyan Command Center Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/banyan-command-center-tutorial.md
Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Banyan Command Center | Microsoft Docs'
-description: Learn how to configure single sign-on between Azure Active Directory and Banyan Command Center.
+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Zero Trust Remote Access Platform | Microsoft Docs'
+description: Learn how to configure single sign-on between Azure Active Directory and Zero Trust Remote Access Platform.
Previously updated : 04/22/2021 Last updated : 06/08/2021
-# Tutorial: Azure Active Directory single sign-on (SSO) integration with Banyan Command Center
+# Tutorial: Azure Active Directory single sign-on (SSO) integration with Zero Trust Remote Access Platform
-In this tutorial, you'll learn how to integrate Banyan Command Center with Azure Active Directory (Azure AD). When you integrate Banyan Command Center with Azure AD, you can:
+In this tutorial, you'll learn how to integrate Zero Trust Remote Access Platform with Azure Active Directory (Azure AD). When you integrate Zero Trust Remote Access Platform with Azure AD, you can:
-* Control in Azure AD who has access to Banyan Command Center.
-* Enable your users to be automatically signed-in to Banyan Command Center with their Azure AD accounts.
+* Control in Azure AD who has access to Zero Trust Remote Access Platform.
+* Enable your users to be automatically signed-in to Zero Trust Remote Access Platform with their Azure AD accounts.
* Manage your accounts in one central location - the Azure portal. ## Prerequisites
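Review bot: the replacement `Title:` line appears to start with a leading space (`+ Title: 'Tutorial: ...`) while the replacement `description:` line and the removed title line start at column 0; if that space is real it breaks the YAML front matter, so verify the indentation before merging. The rest of the rename is internally consistent: the new anchors `#configure-zero-trust-remote-access-platform-sso` and `#create-zero-trust-remote-access-platform-test-user` match the renamed headings later in the diff.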
In this tutorial, you'll learn how to integrate Banyan Command Center with Azure
To get started, you need the following items: * An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
-* Banyan Command Center single sign-on (SSO) enabled subscription.
+* Zero Trust Remote Access Platform single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Banyan Command Center supports **SP and IDP** initiated SSO.
-* Banyan Command Center supports **Just In Time** user provisioning.
+* Zero Trust Remote Access Platform supports **SP and IDP** initiated SSO.
+* Zero Trust Remote Access Platform supports **Just In Time** user provisioning.
+## Add Zero Trust Remote Access Platform from the gallery
-## Adding Banyan Command Center from the gallery
-
-To configure the integration of Banyan Command Center into Azure AD, you need to add Banyan Command Center from the gallery to your list of managed SaaS apps.
+To configure the integration of Zero Trust Remote Access Platform into Azure AD, you need to add Zero Trust Remote Access Platform from the gallery to your list of managed SaaS apps.
1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account. 1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**.
-1. In the **Add from the gallery** section, type **Banyan Command Center** in the search box.
-1. Select **Banyan Command Center** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-
+1. In the **Add from the gallery** section, type **Zero Trust Remote Access Platform** in the search box.
+1. Select **Zero Trust Remote Access Platform** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD SSO for Banyan Command Center
+## Configure and test Azure AD SSO for Zero Trust Remote Access Platform
-Configure and test Azure AD SSO with Banyan Command Center using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Banyan Command Center.
+Configure and test Azure AD SSO with Zero Trust Remote Access Platform using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Zero Trust Remote Access Platform.
-To configure and test Azure AD SSO with Banyan Command Center, perform the following steps:
+To configure and test Azure AD SSO with Zero Trust Remote Access Platform, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon. 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
-1. **[Configure Banyan Command Center SSO](#configure-banyan-command-center-sso)** - to configure the single sign-on settings on application side.
- 1. **[Create Banyan Command Center test user](#create-banyan-command-center-test-user)** - to have a counterpart of B.Simon in Banyan Command Center that is linked to the Azure AD representation of user.
+1. **[Configure Zero Trust Remote Access Platform SSO](#configure-zero-trust-remote-access-platform-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Zero Trust Remote Access Platform test user](#create-zero-trust-remote-access-platform-test-user)** - to have a counterpart of B.Simon in Zero Trust Remote Access Platform that is linked to the Azure AD representation of user.
1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ## Configure Azure AD SSO Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the Azure portal, on the **Banyan Command Center** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **Zero Trust Remote Access Platform** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**. 1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings. ![Edit Basic SAML Configuration](common/edit-urls.png)
-1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, enter the values for the following fields:
+1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, perform the following steps:
a. In the **Identifier** text box, type a URL using the following pattern: `https://net.banyanops.com/api/v1/sso?orgname=<YOUR_ORG_NAME>`
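Review bot: the gallery search term is renamed along with the headings ("type **Zero Trust Remote Access Platform** in the search box" and "Select **Zero Trust Remote Access Platform** from results panel"); confirm the gallery listing itself now carries that name, because the old name is not mentioned anywhere in the rewritten steps and a reader searching for the new name would find nothing if the listing was not updated. The Identifier and Reply URL patterns keep the `net.banyanops.com` host and the support contact keeps `support@banyansecurity.io`, which is expected for a product rename and is fine.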
Follow these steps to enable Azure AD SSO in the Azure portal.
`https://net.banyanops.com/api/v1/sso?orgname=<YOUR_ORG_NAME>` > [!NOTE]
- > These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact [Banyan Command Center Client support team](mailto:support@banyansecurity.io) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+ > These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact [Zero Trust Remote Access Platform Client support team](mailto:support@banyansecurity.io) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
1. On the **Set up single sign-on with SAML** page, In the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer.
In this section, you'll create a test user in the Azure portal called B.Simon.
### Assign the Azure AD test user
-In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Banyan Command Center.
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Zero Trust Remote Access Platform.
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
-1. In the applications list, select **Banyan Command Center**.
+1. In the applications list, select **Zero Trust Remote Access Platform**.
1. In the app's overview page, find the **Manage** section and select **Users and groups**. 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog. 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen. 1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected. 1. In the **Add Assignment** dialog, click the **Assign** button.
-## Configure Banyan Command Center SSO
+## Configure Zero Trust Remote Access Platform SSO
-1. Log in to your Banyan Command Center website as an administrator.
+1. Log in to your Zero Trust Remote Access Platform website as an administrator.
1. Go to **Admin Settings -> Admin Sign-on**.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
d. Click on the **Update** button.
-### Create Banyan Command Center test user
+### Create Zero Trust Remote Access Platform test user
-In this section, a user called Britta Simon is created in Banyan Command Center. Banyan Command Center supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Banyan Command Center, a new one is created after authentication.
+In this section, a user called Britta Simon is created in Zero Trust Remote Access Platform. Zero Trust Remote Access Platform supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Zero Trust Remote Access Platform, a new one is created after authentication.
## Test SSO
In this section, you test your Azure AD single sign-on configuration with follow
#### SP initiated:
-* Click on **Test this application** in Azure portal. This will redirect to Banyan Command Center Sign on URL where you can initiate the login flow.
+* Click on **Test this application** in Azure portal. This will redirect to Zero Trust Remote Access Platform Sign on URL where you can initiate the login flow.
-* Go to Banyan Command Center Sign-on URL directly and initiate the login flow from there.
+* Go to Zero Trust Remote Access Platform Sign-on URL directly and initiate the login flow from there.
#### IDP initiated:
-* Click on **Test this application** in Azure portal and you should be automatically signed in to the Banyan Command Center for which you set up the SSO
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Zero Trust Remote Access Platform for which you set up the SSO.
-You can also use Microsoft My Apps to test the application in any mode. When you click the Banyan Command Center tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Banyan Command Center for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+You can also use Microsoft My Apps to test the application in any mode. When you click the Zero Trust Remote Access Platform tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Zero Trust Remote Access Platform for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Banyan Command Center you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
--
+Once you configure Zero Trust Remote Access Platform you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
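Review bot: the `+` line under Next steps still carries the mis-encoded apostrophe in `organizationΓÇÖs`; since the line is being rewritten anyway to point at `/cloud-app-security/proxy-deployment-aad`, fix it to `organization's` in the same change so the rendered page does not show the mojibake.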
active-directory Blogin Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/blogin-tutorial.md
Previously updated : 07/21/2020 Last updated : 06/09/2021
In this tutorial, you'll learn how to integrate BlogIn with Azure Active Directo
* Enable your users to be automatically signed-in to BlogIn with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* BlogIn supports **SP and IDP** initiated SSO
-* BlogIn supports **Just In Time** user provisioning
-* Once you configure BlogIn you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real-time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
+* BlogIn supports **SP and IDP** initiated SSO.
+* BlogIn supports **Just In Time** user provisioning.
-## Adding BlogIn from the gallery
+## Add BlogIn from the gallery
To configure the integration of BlogIn into Azure AD, you need to add BlogIn from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **BlogIn** in the search box. 1. Select **BlogIn** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. - ## Configure and test Azure AD SSO for BlogIn Configure and test Azure AD SSO with BlogIn using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in BlogIn.
-To configure and test Azure AD SSO with BlogIn, complete the following building blocks:
+To configure and test Azure AD SSO with BlogIn, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
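Review bot: the removed line `- ## Prerequisites To get started, you need the following items:` reads as if the `## Prerequisites` heading is deleted together with the blank line above it, while its body sentence stays as unchanged context; confirm in the rendered page that the Prerequisites heading survives, since the Boxcryptor rewrite later in this diff keeps `## Prerequisites` as a heading. Dropping the session-control bullet from the scenario description is fine on its own, as the same sentence is placed under Next steps for BlogIn further down.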
To configure and test Azure AD SSO with BlogIn, complete the following building
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **BlogIn** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **BlogIn** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
-1. On the **Basic SAML Configuration** section, if you want to configure the application in **IDP** initiated mode, enter the values for the following fields:
+1. On the **Basic SAML Configuration** section, if you want to configure the application in **IDP** initiated mode, perform the following steps:
a. In the **Identifier** text box, type a URL using the following pattern: `https://<SUBDOMAIN>.blogin.co/`
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **BlogIn**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure BlogIn SSO
In this section, a user called B.Simon is created in BlogIn. BlogIn supports jus
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the BlogIn tile in the Access Panel, you should be automatically signed in to the BlogIn for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+#### SP initiated:
-## Additional resources
+* Click on **Test this application** in Azure portal. This will redirect to BlogIn Sign on URL where you can initiate the login flow.
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+* Go to BlogIn Sign-on URL directly and initiate the login flow from there.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+#### IDP initiated:
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the BlogIn for which you set up the SSO.
-- [Try BlogIn with Azure AD](https://aad.portal.azure.com/)
+You can also use Microsoft My Apps to test the application in any mode. When you click the BlogIn tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the BlogIn for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is session control in Microsoft Cloud App Security?](/cloud-app-security/proxy-intro-aad)
+## Next steps
-- [How to protect BlogIn with advanced visibility and controls](/cloud-app-security/proxy-intro-aad)
+Once you configure BlogIn you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
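Review bot: the deleted "Additional resources" block takes the Conditional Access overview link (`../conditional-access/overview.md`) with it, yet the new Next steps text says "Session control extends from Conditional Access" with nothing for the reader to follow; consider keeping that one link in Next steps. The same `+` line also still contains the mis-encoded `organizationΓÇÖs`, which should read `organization's`.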
active-directory Boxcryptor Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/boxcryptor-tutorial.md
Previously updated : 02/07/2019 Last updated : 06/09/2021
# Tutorial: Azure Active Directory integration with Boxcryptor
-In this tutorial, you learn how to integrate Boxcryptor with Azure Active Directory (Azure AD).
-Integrating Boxcryptor with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Boxcryptor with Azure Active Directory (Azure AD). When you integrate Boxcryptor with Azure AD, you can:
-* You can control in Azure AD who has access to Boxcryptor.
-* You can enable your users to be automatically signed-in to Boxcryptor (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Boxcryptor.
+* Enable your users to be automatically signed-in to Boxcryptor with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with Boxcryptor, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* Boxcryptor single sign-on enabled subscription
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Boxcryptor single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* Boxcryptor supports **SP** initiated SSO
-* Boxcryptor supports **Just In Time** user provisioning
-
-## Adding Boxcryptor from the gallery
-
-To configure the integration of Boxcryptor into Azure AD, you need to add Boxcryptor from the gallery to your list of managed SaaS apps.
-
-**To add Boxcryptor from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
+* Boxcryptor supports **SP** initiated SSO.
+* Boxcryptor supports **Just In Time** user provisioning.
- ![The New application button](common/add-new-app.png)
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-4. In the search box, type **Boxcryptor**, select **Boxcryptor** from result panel then click **Add** button to add the application.
+## Add Boxcryptor from the gallery
- ![Boxcryptor in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
-
-In this section, you configure and test Azure AD single sign-on with Boxcryptor based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Boxcryptor needs to be established.
-
-To configure and test Azure AD single sign-on with Boxcryptor, you need to complete the following building blocks:
-
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure Boxcryptor Single Sign-On](#configure-boxcryptor-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Boxcryptor test user](#create-boxcryptor-test-user)** - to have a counterpart of Britta Simon in Boxcryptor that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+To configure the integration of Boxcryptor into Azure AD, you need to add Boxcryptor from the gallery to your list of managed SaaS apps.
-### Configure Azure AD single sign-on
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Boxcryptor** in the search box.
+1. Select **Boxcryptor** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+## Configure and test Azure AD SSO for Boxcryptor
-To configure Azure AD single sign-on with Boxcryptor, perform the following steps:
+Configure and test Azure AD SSO with Boxcryptor using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Boxcryptor.
-1. In the [Azure portal](https://portal.azure.com/), on the **Boxcryptor** application integration page, select **Single sign-on**.
+To configure and test Azure AD SSO with Boxcryptor, perform the following steps:
- ![Configure single sign-on link](common/select-sso.png)
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Boxcryptor SSO](#configure-boxcryptor-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Boxcryptor test user](#create-boxcryptor-test-user)** - to have a counterpart of B.Simon in Boxcryptor that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+## Configure Azure AD SSO
- ![Single sign-on select mode](common/select-saml-option.png)
+Follow these steps to enable Azure AD SSO in the Azure portal.
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
+1. In the Azure portal, on the **Boxcryptor** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, perform the following steps:
- ![Boxcryptor Domain and URLs single sign-on information](common/sp-identifier.png)
-
- a. In the **Sign on URL** text box, type a URL:
+ a. In the **Sign on URL** text box, type the URL:
`https://www.boxcryptor.com/app` b. In the **Identifier (Entity ID)** text box, type the value:
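Review bot: the step list under "Configure Azure AD SSO" is rewritten with `1.` for every item (the three `+` lines before the screenshot), but the unchanged context line `4. On the **Basic SAML Configuration** section, perform the following steps:` keeps its old explicit number; change it to `1.` as well so the whole list follows one convention. The new `> [!NOTE]` about the Identifier being a fixed string agrees with the "Identifier (Entity ID) text box, type the value" step, so that part is consistent.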
To configure Azure AD single sign-on with Boxcryptor, perform the following step
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
-
- b. Azure Ad Identifier
-
- c. Logout URL
-
-### Configure Boxcryptor Single Sign-On
-
-To configure single sign-on on **Boxcryptor** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [Boxcryptor support team](mailto:support@boxcryptor.com). They set this setting to have the SAML SSO connection set properly on both sides.
- ### Create an Azure AD test user
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type **brittasimon\@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
+In this section, you'll create a test user in the Azure portal called B.Simon.
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
### Assign the Azure AD test user
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Boxcryptor.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Boxcryptor**.
-
- ![Enterprise applications blade](common/enterprise-applications.png)
-
-2. In the applications list, select **Boxcryptor**.
-
- ![The Boxcryptor link in the Applications list](common/all-applications.png)
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Boxcryptor.
-3. In the menu on the left, select **Users and groups**.
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Boxcryptor**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
- ![The "Users and groups" link](common/users-groups-blade.png)
+## Configure Boxcryptor SSO
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
+To configure single sign-on on **Boxcryptor** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [Boxcryptor support team](mailto:support@boxcryptor.com). They set this setting to have the SAML SSO connection set properly on both sides.
### Create Boxcryptor test user
-In this section, you create a user called Britta Simon in Boxcryptor. Work with [Boxcryptor support team](mailto:support@boxcryptor.com) to add the users or the domain that must be added to an allow list for the Boxcryptor platform. If the domain is added by the team, users will get automatically provisioned to the Boxcryptor platform. Users must be created and activated before you use single sign-on.
+In this section, a user called B.Simon is created in Boxcryptor. Boxcryptor supports just-in-time user provisioning, which is enabled by default. There's no action item for you in this section. If a user doesn't already exist in Boxcryptor, a new one is created after authentication.
-### Test single sign-on
+## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the Boxcryptor tile in the Access Panel, you should be automatically signed in to the Boxcryptor for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to Boxcryptor Sign-on URL where you can initiate the login flow.
-## Additional Resources
+* Go to Boxcryptor Sign-on URL directly and initiate the login flow from there.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the Boxcryptor tile in the My Apps, this will redirect to Boxcryptor Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Boxcryptor you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
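Review bot: the `+` replacement for "Create Boxcryptor test user" changes the documented behaviour, not only the wording: the removed text said users or the domain must be added to an allow list through Boxcryptor support and that "Users must be created and activated before you use single sign-on", while the new text says just-in-time provisioning is enabled by default and there is no action for the reader. Confirm with the vendor before merging; if the allow-list step is still required, keep that sentence, otherwise a reader following the new page skips a required setup step. The `+` Next steps line also still contains the mis-encoded `organizationΓÇÖs`.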
active-directory Cakehr Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/cakehr-tutorial.md
Previously updated : 10/16/2019 Last updated : 06/08/2021
In this tutorial, you'll learn how to integrate CakeHR with Azure Active Directo
* Enable your users to be automatically signed-in to CakeHR with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* CakeHR supports **SP** initiated SSO
+* CakeHR supports **SP** initiated SSO.
> [!NOTE] > Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-## Adding CakeHR from the gallery
+## Add CakeHR from the gallery
To configure the integration of CakeHR into Azure AD, you need to add CakeHR from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **CakeHR** in the search box. 1. Select **CakeHR** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on for CakeHR
+## Configure and test Azure AD SSO for CakeHR
Configure and test Azure AD SSO with CakeHR using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in CakeHR.
-To configure and test Azure AD SSO with CakeHR, complete the following building blocks:
+To configure and test Azure AD SSO with CakeHR, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
- * **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
- * **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
1. **[Configure CakeHR SSO](#configure-cakehr-sso)** - to configure the single sign-on settings on application side.
- * **[Create CakeHR test user](#create-cakehr-test-user)** - to have a counterpart of B.Simon in CakeHR that is linked to the Azure AD representation of user.
+ 1. **[Create CakeHR test user](#create-cakehr-test-user)** - to have a counterpart of B.Simon in CakeHR that is linked to the Azure AD representation of user.
1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ## Configure Azure AD SSO Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **CakeHR** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **CakeHR** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
-1. On the **Basic SAML Configuration** section, enter the values for the following fields:
+1. On the **Basic SAML Configuration** section, perform the following steps:
a. In the **Sign-on URL** text box, type a URL using the following pattern:
- `https://<yourcakedomain>.cake.hr/`
+ `https://<CAKE_DOMAIN>.cake.hr/`
b. In the **Reply URL** text box, type a URL using the following pattern:
- `https://<yourcakedomain>.cake.hr/services/saml/consume`
+ `https://<CAKE_DOMAIN>.cake.hr/services/saml/consume`
+
> [!NOTE] > These values are not real. Update these values with the actual Sign-On URL and Reply URL. Contact [CakeHR Client support team](mailto:info@cake.hr) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **CakeHR**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure CakeHR SSO
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. On the top-right corner of the page, click on **Profile** and then navigate to **Settings**.
- ![Screenshot shows Profile with Settings selected.](./media/cakehr-tutorial/config01.png)
+ ![Screenshot shows Profile with Settings selected.](./media/cakehr-tutorial/profile.png)
1. From the left side of the menu bar, click on **INTEGRATIONS** > **SAML SSO** and perform the following steps:
- ![Screenshot shows the Setting pane where you perform these steps.](./media/cakehr-tutorial/config02.png)
+ ![Screenshot shows the Setting pane where you perform these steps.](./media/cakehr-tutorial/menu.png)
a. In the **Entity ID** text box, type `cake.hr`.
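Review bot: the image references are renamed from `config01.png` to `profile.png` and from `config02.png` to `menu.png` (and `config03.png`/`config04.png` to `account.png`/`add-account.png` in the next hunk), but nothing in this changeset shows the media files themselves being renamed; confirm the new files under `./media/cakehr-tutorial/` are part of the same commit and the old ones are removed, otherwise the screenshots break on publish.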
To enable Azure AD users to sign in to CakeHR, they must be provisioned into Cak
2. From the left side of the menu bar, click on **COMPANY** > **ADD**.
- ![Screenshot shows CakeHR with COMPANY and ADD selected.](./media/cakehr-tutorial/config03.png)
+ ![Screenshot shows CakeHR with COMPANY and ADD selected.](./media/cakehr-tutorial/account.png)
3. On the **Add new employee** pop-up, perform the following steps:
- ![Screenshot shows Add new employee where you perform these steps.](./media/cakehr-tutorial/config04.png)
+ ![Screenshot shows Add new employee where you perform these steps.](./media/cakehr-tutorial/add-account.png)
a. In **Full name** text box, enter the name of user like B.Simon.
To enable Azure AD users to sign in to CakeHR, they must be provisioned into Cak
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
-
-When you click the CakeHR tile in the Access Panel, you should be automatically signed in to the CakeHR for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+In this section, you test your Azure AD single sign-on configuration with following options.
-## Additional resources
+* Click on **Test this application** in Azure portal. This will redirect to CakeHR Sign-on URL where you can initiate the login flow.
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+* Go to CakeHR Sign-on URL directly and initiate the login flow from there.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+* You can use Microsoft My Apps. When you click the CakeHR tile in the My Apps, this will redirect to CakeHR Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+## Next steps
-- [Try CakeHR with Azure AD](https://aad.portal.azure.com/)
+Once you configure CakeHR you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
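Review bot: the "Next steps" sentence reads "enforce session control, which protects exfiltration and infiltration of your organization's sensitive data", which says the opposite of what is meant; suggest "which protects against exfiltration and infiltration of your organization's sensitive data in real time" and a comma after "Once you configure CakeHR". The apostrophe in "organization's" is rendered as "ΓÇÖ" here, so check that the source file contains a plain apostrophe and not a mis-encoded curly quote. The same sentence, with the same two problems, appears in the Check Point Harmony Connect, ClearCompany and Clebex "Next steps" sections in this changeset. Separately, the new Test SSO lead-in "with following options" should read "with the following options".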
active-directory Check Point Harmony Connect Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/check-point-harmony-connect-tutorial.md
To test the Check Point Harmony Connect, go to their Authentication service and
## Next steps
-Once you configure Check Point Harmony Connect you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
--
+Once you configure Check Point Harmony Connect you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory Cisco Umbrella User Management Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/cisco-umbrella-user-management-provisioning-tutorial.md
# Tutorial: Configure Cisco Umbrella User Management for automatic user provisioning
-This tutorial describes the steps you need to perform in both Cisco Umbrella User Management and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [Cisco Umbrella User Management](https://umbrella.cisco.com/) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../manage-apps/user-provisioning.md).
+This tutorial describes the steps you need to perform in both Cisco Umbrella User Management and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [Cisco Umbrella User Management](https://umbrella.cisco.com/) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../app-provisioning/user-provisioning.md).
## Capabilities Supported
This tutorial describes the steps you need to perform in both Cisco Umbrella Use
The scenario outlined in this tutorial assumes that you already have the following prerequisites:
-* [An Azure AD tenant](https://docs.microsoft.com/azure/active-directory/develop/quickstart-create-new-tenant)
-* A user account in Azure AD with [permission](https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles) to configure provisioning (e.g. Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator).
+* [An Azure AD tenant](../develop/quickstart-create-new-tenant.md)
+* A user account in Azure AD with [permission](../roles/permissions-reference.md) to configure provisioning (e.g. Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator).
* A [Cisco Umbrella subscription](https://signup.umbrella.com). * A user account in Cisco Umbrella with full admin permissions. ## Step 1. Plan your provisioning deployment
-1. Learn about [how the provisioning service works](https://docs.microsoft.com/azure/active-directory/manage-apps/user-provisioning).
-2. Determine who will be in [scope for provisioning](https://docs.microsoft.com/azure/active-directory/manage-apps/define-conditional-rules-for-provisioning-user-accounts).
-3. Determine what data to [map between Azure AD and Cisco Umbrella User Management](https://docs.microsoft.com/azure/active-directory/manage-apps/customize-application-attributes).
+1. Learn about [how the provisioning service works](../app-provisioning/user-provisioning.md).
+2. Determine who will be in [scope for provisioning](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
+3. Determine what data to [map between Azure AD and Cisco Umbrella User Management](../app-provisioning/customize-application-attributes.md).
## Step 2. Import ObjectGUID attribute via Azure AD Connect (Optional) If you have previously provisioned user and group identities from on-premise AD to Cisco Umbrella and would now like to provision the same users and groups from Azure AD, you will need to synchronize the ObjectGUID attribute so that previously provisioned identities persist in the Umbrella policy.
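Review bot: the prerequisite bullet lists "Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator" as roles that can configure provisioning; since the link is being rewritten here anyway, it is worth stating that Global Administrator is far broader than this task needs and that the least-privileged role from that list should be used, because the account that holds this role controls which identities get provisioned into (and deprovisioned from) the target. Also capitalize "Cloud Application Administrator" consistently with the other role names.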
When using Microsoft Azure AD Connect, the ObjectGUID attribute of users and gro
## Step 4. Add Cisco Umbrella User Management from the Azure AD application gallery
-Add Cisco Umbrella User Management from the Azure AD application gallery to start managing provisioning to Cisco Umbrella User Management. Learn more about adding an application from the gallery [here](https://docs.microsoft.com/azure/active-directory/manage-apps/add-gallery-app).
+Add Cisco Umbrella User Management from the Azure AD application gallery to start managing provisioning to Cisco Umbrella User Management. Learn more about adding an application from the gallery [here](../manage-apps/add-application-portal.md).
## Step 5. Define who will be in scope for provisioning
-The Azure AD provisioning service allows you to scope who will be provisioned based on assignment to the application and or based on attributes of the user / group. If you choose to scope who will be provisioned to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users and groups to the application. If you choose to scope who will be provisioned based solely on attributes of the user or group, you can use a scoping filter as described [here](https://docs.microsoft.com/azure/active-directory/manage-apps/define-conditional-rules-for-provisioning-user-accounts).
+The Azure AD provisioning service allows you to scope who will be provisioned based on assignment to the application and or based on attributes of the user / group. If you choose to scope who will be provisioned to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users and groups to the application. If you choose to scope who will be provisioned based solely on attributes of the user or group, you can use a scoping filter as described [here](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
-* When assigning users and groups to Cisco Umbrella User Management, you must select a role other than **Default Access**. Users with the Default Access role are excluded from provisioning and will be marked as not effectively entitled in the provisioning logs. If the only role available on the application is the default access role, you can [update the application manifest](https://docs.microsoft.com/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps) to add additional roles.
+* When assigning users and groups to Cisco Umbrella User Management, you must select a role other than **Default Access**. Users with the Default Access role are excluded from provisioning and will be marked as not effectively entitled in the provisioning logs. If the only role available on the application is the default access role, you can [update the application manifest](../develop/howto-add-app-roles-in-azure-ad-apps.md) to add additional roles.
-* Start small. Test with a small set of users and groups before rolling out to everyone. When scope for provisioning is set to assigned users and groups, you can control this by assigning one or two users or groups to the app. When scope is set to all users and groups, you can specify an [attribute based scoping filter](https://docs.microsoft.com/azure/active-directory/manage-apps/define-conditional-rules-for-provisioning-user-accounts).
+* Start small. Test with a small set of users and groups before rolling out to everyone. When scope for provisioning is set to assigned users and groups, you can control this by assigning one or two users or groups to the app. When scope is set to all users and groups, you can specify an [attribute based scoping filter](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
## Step 6. Configure automatic user provisioning to Cisco Umbrella User Management
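Review bot: while the scoping-filter link in the Step 5 paragraph is being changed, fix the wording on the same line: "based on assignment to the application and or based on attributes of the user / group" should be "based on assignment to the application and/or on attributes of the user or group". The Default Access bullet that follows is the important operational point in this section (such users are silently skipped and only show up as "not effectively entitled" in the provisioning logs); consider making it a `> [!NOTE]` so it is not lost in the bullet list.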
This section guides you through the steps to configure the Azure AD provisioning
8. Under the **Mappings** section, select **Synchronize Azure Active Directory Users to Cisco Umbrella User Management**.
-9. Review the user attributes that are synchronized from Azure AD to Cisco Umbrella User Management in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in Cisco Umbrella User Management for update operations. If you choose to change the [matching target attribute](https://docs.microsoft.com/azure/active-directory/manage-apps/customize-application-attributes), you will need to ensure that the Cisco Umbrella User Management API supports filtering users based on that attribute. Select the **Save** button to commit any changes.
+9. Review the user attributes that are synchronized from Azure AD to Cisco Umbrella User Management in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in Cisco Umbrella User Management for update operations. If you choose to change the [matching target attribute](../app-provisioning/customize-application-attributes.md), you will need to ensure that the Cisco Umbrella User Management API supports filtering users based on that attribute. Select the **Save** button to commit any changes.
|Attribute|Type|Supported for Filtering| ||||
This section guides you through the steps to configure the Azure AD provisioning
> [!NOTE] > If you have imported the objectGUID attribute for groups via Azure AD Connect (refer Step 2), add a mapping from objectGUID to urn:ietf:params:scim:schemas:extension:ciscoumbrella:2.0:Group:nativeObjectId.
-12. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../manage-apps/define-conditional-rules-for-provisioning-user-accounts.md).
+12. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
13. To enable the Azure AD provisioning service for Cisco Umbrella User Management, change the **Provisioning Status** to **On** in the **Settings** section.
This operation starts the initial synchronization cycle of all users and groups
## Step 7. Monitor your deployment Once you've configured provisioning, use the following resources to monitor your deployment:
-1. Use the [provisioning logs](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-provisioning-logs) to determine which users have been provisioned successfully or unsuccessfully
-2. Check the [progress bar](https://docs.microsoft.com/azure/active-directory/app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user) to see the status of the provisioning cycle and how close it is to completion
-3. If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. Learn more about quarantine states [here](https://docs.microsoft.com/azure/active-directory/manage-apps/application-provisioning-quarantine-status).
+1. Use the [provisioning logs](../reports-monitoring/concept-provisioning-logs.md) to determine which users have been provisioned successfully or unsuccessfully
+2. Check the [progress bar](../app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md) to see the status of the provisioning cycle and how close it is to completion
+3. If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. Learn more about quarantine states [here](../app-provisioning/application-provisioning-quarantine-status.md).
## Connector Limitations * Cisco Umbrella User Management supports provisioning a maximum of 200 groups. Any groups beyond this number that are in scope may not be provisioned to Cisco Umbrella. ## Additional resources
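Review bot: the three monitoring items in Step 7 are punctuated inconsistently (items 1 and 2 end without a period, item 3 ends with one); end all three the same way. Given the 200-group limit stated under Connector Limitations, it would also help to point the reader from that limitation back to the provisioning logs in Step 7 as the place to see which in-scope groups were not provisioned.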
-* [Managing user account provisioning for Enterprise Apps](../manage-apps/configure-automatic-user-provisioning-portal.md)
+* [Managing user account provisioning for Enterprise Apps](../app-provisioning/configure-automatic-user-provisioning-portal.md)
* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) ## Next steps
-* [Learn how to review logs and get reports on provisioning activity](../manage-apps/check-status-user-account-provisioning.md)
+* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md)
active-directory Clearcompany Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/clearcompany-tutorial.md
Previously updated : 01/21/2019 Last updated : 06/09/2021 # Tutorial: Azure Active Directory integration with ClearCompany
-In this tutorial, you learn how to integrate ClearCompany with Azure Active Directory (Azure AD).
-Integrating ClearCompany with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate ClearCompany with Azure Active Directory (Azure AD). When you integrate ClearCompany with Azure AD, you can:
-* You can control in Azure AD who has access to ClearCompany.
-* You can enable your users to be automatically signed-in to ClearCompany (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to ClearCompany.
+* Enable your users to be automatically signed-in to ClearCompany with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with ClearCompany, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* ClearCompany single sign-on enabled subscription
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* ClearCompany single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* ClearCompany supports **SP and IDP** initiated SSO
-
-## Adding ClearCompany from the gallery
-
-To configure the integration of ClearCompany into Azure AD, you need to add ClearCompany from the gallery to your list of managed SaaS apps.
-
-**To add ClearCompany from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
+* ClearCompany supports **SP and IDP** initiated SSO.
-4. In the search box, type **ClearCompany**, select **ClearCompany** from result panel then click **Add** button to add the application.
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
- ![ClearCompany in the results list](common/search-new-app.png)
+## Add ClearCompany from the gallery
-## Configure and test Azure AD single sign-on
-
-In this section, you configure and test Azure AD single sign-on with ClearCompany based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in ClearCompany needs to be established.
-
-To configure and test Azure AD single sign-on with ClearCompany, you need to complete the following building blocks:
-
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure ClearCompany Single Sign-On](#configure-clearcompany-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create ClearCompany test user](#create-clearcompany-test-user)** - to have a counterpart of Britta Simon in ClearCompany that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+To configure the integration of ClearCompany into Azure AD, you need to add ClearCompany from the gallery to your list of managed SaaS apps.
-### Configure Azure AD single sign-on
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **ClearCompany** in the search box.
+1. Select **ClearCompany** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+## Configure and test Azure AD SSO for ClearCompany
-To configure Azure AD single sign-on with ClearCompany, perform the following steps:
+Configure and test Azure AD SSO with ClearCompany using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in ClearCompany.
-1. In the [Azure portal](https://portal.azure.com/), on the **ClearCompany** application integration page, select **Single sign-on**.
+To configure and test Azure AD SSO with ClearCompany, perform the following steps:
- ![Configure single sign-on link](common/select-sso.png)
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure ClearCompany SSO](#configure-clearcompany-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create ClearCompany test user](#create-clearcompany-test-user)** - to have a counterpart of B.Simon in ClearCompany that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+## Configure Azure AD SSO
- ![Single sign-on select mode](common/select-saml-option.png)
+Follow these steps to enable Azure AD SSO in the Azure portal.
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
+1. In the Azure portal, on the **ClearCompany** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, If you wish to configure the application in **IDP** initiated mode, perform the following step:
- ![ClearCompany Domain and URLs single sign-on information](common/idp-identifier.png)
-
- In the **Identifier** text box, type a URL using the following pattern:
+ In the **Identifier** text box, type the URL:
`https://api.clearcompany.com` 5. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
- ![image](common/both-preintegrated-signon.png)
- In the **Sign-on URL** text box, type a URL using the following pattern:
- `https://<companyname>.clearcompany.com`
+ `https://<COMPANY_NAME>.clearcompany.com`
> [!NOTE] > The Sign-on URL value is not real. Update the value with the actual Sign-on URL. Contact [ClearCompany Client support team](https://www.clearcompany.com/support) to get the value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
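Review bot: the retained steps "4. On the **Basic SAML Configuration** section, If you wish to configure..." and "5. Click **Set additional URLs**..." keep explicit numbers while the rewritten steps above them switch to the "1." auto-numbering style, so the rendered list will restart or misnumber; change both to "1." and lowercase the mid-sentence "If". The Identifier sub-step correctly presents `https://api.clearcompany.com` as a fixed value, which is consistent with the new note earlier in the file that only one instance of the application can be configured per tenant.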
To configure Azure AD single sign-on with ClearCompany, perform the following st
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
-
- b. Azure Ad Identifier
-
- c. Logout URL
-
-### Configure ClearCompany Single Sign-On
-
-To configure single sign-on on **ClearCompany** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [ClearCompany support team](https://www.clearcompany.com/support). They set this setting to have the SAML SSO connection set properly on both sides.
- ### Create an Azure AD test user
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type **brittasimon\@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
+In this section, you'll create a test user in the Azure portal called B.Simon.
- d. Click **Create**.
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
### Assign the Azure AD test user
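Review bot: this hunk removes the "a. Login URL / b. Azure Ad Identifier / c. Logout URL" list that followed the "Copy configuration URLs" screenshot, but the later "Configure ClearCompany SSO" text still tells the reader to send "the downloaded **Certificate (Base64)** and appropriate copied URLs" to ClearCompany support without naming them. Either keep an enumeration of the three values (Login URL, Azure AD Identifier, Logout URL) in the Azure AD SSO section, or name them explicitly in the ClearCompany SSO section, so the reader knows exactly which values to hand over.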
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to ClearCompany.
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to ClearCompany.
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **ClearCompany**.
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **ClearCompany**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
- ![Enterprise applications blade](common/enterprise-applications.png)
+## Configure ClearCompany SSO
-2. In the applications list, select **ClearCompany**.
-
- ![The ClearCompany link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
+To configure single sign-on on **ClearCompany** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [ClearCompany support team](https://www.clearcompany.com/support). They set this setting to have the SAML SSO connection set properly on both sides.
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
+### Create ClearCompany test user
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
+In this section, you create a user called Britta Simon in ClearCompany. Work with [ClearCompany support team](https://www.clearcompany.com/support) to add the users in the ClearCompany platform. Users must be created and activated before you use single sign-on.
-7. In the **Add Assignment** dialog click the **Assign** button.
+## Test SSO
-### Create ClearCompany test user
+In this section, you test your Azure AD single sign-on configuration with following options.
-In this section, you create a user called Britta Simon in ClearCompany. Work with [ClearCompany support team](https://www.clearcompany.com/support) to add the users in the ClearCompany platform. Users must be created and activated before you use single sign-on.
+#### SP initiated:
-### Test single sign-on
+* Click on **Test this application** in Azure portal. This will redirect to ClearCompany Sign on URL where you can initiate the login flow.
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+* Go to ClearCompany Sign-on URL directly and initiate the login flow from there.
-When you click the ClearCompany tile in the Access Panel, you should be automatically signed in to the ClearCompany for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+#### IDP initiated:
-## Additional Resources
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the ClearCompany for which you set up the SSO.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the ClearCompany tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the ClearCompany for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure ClearCompany you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
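Review bot: the apostrophe in "organizationΓÇÖs" in the new Next steps sentence has come through as mojibake (ΓÇÖ), which points to the file being saved in the wrong encoding; it should be a plain apostrophe. Two wording points in the same hunk: "with following options" should be "with the following options", and the new "#### SP initiated:" and "#### IDP initiated:" headings carry trailing colons, which no other heading in this file uses.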
active-directory Clebex Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/clebex-tutorial.md
In this section, you test your Azure AD single sign-on configuration with follow
* Go to Clebex Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the Clebex tile in the My Apps, this will redirect to Clebex Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the Clebex tile in the My Apps, this will redirect to Clebex Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Clebex you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
--
+Once you configure Clebex you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
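Review bot: the switch to the relative link `/cloud-app-security/proxy-deployment-any-app` is fine, but the rewritten sentence still carries the mojibake "organizationΓÇÖs"; since this line is being replaced anyway, fix the apostrophe in the same change.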
active-directory Cloud Academy Sso Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/cloud-academy-sso-provisioning-tutorial.md
+
+ Title: 'Tutorial: Configure Cloud Academy - SSO for automatic user provisioning with Azure Active Directory | Microsoft Docs'
+description: Learn how to automatically provision and de-provision user accounts from Azure AD to Cloud Academy - SSO.
+
+documentationcenter: ''
+
+writer: Zhchia
++
+ms.assetid: 224777cb-fc03-4e4a-8c8d-5befe1174233
+++
+ na
+ms.devlang: na
+ Last updated : 06/02/2021+++
+# Tutorial: Configure Cloud Academy - SSO for automatic user provisioning
+
+This tutorial describes the steps you need to perform in both Cloud Academy - SSO and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [Cloud Academy - SSO](https://cloudacademy.com) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../manage-apps/user-provisioning.md).
++
+## Capabilities Supported
+> [!div class="checklist"]
+> * Create users in Cloud Academy - SSO
+> * Remove users in Cloud Academy - SSO when they do not require access anymore
+> * Keep user attributes synchronized between Azure AD and Cloud Academy - SSO
+> * [Single sign-on](https://docs.microsoft.com/azure/active-directory/saas-apps/cloud-academy-sso-tutorial) to Cloud Academy - SSO (recommended)
+
+## Prerequisites
+
+The scenario outlined in this tutorial assumes that you already have the following prerequisites:
+
+* [An Azure AD tenant](https://docs.microsoft.com/azure/active-directory/develop/quickstart-create-new-tenant)
+* A user account in Azure AD with [permission](https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles) to configure provisioning (for example, Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator).
+* A user account in Cloud Academy with an Administrator role in your company to activate the AD Integration and generate the API Key.
+
+## Step 1. Plan your provisioning deployment
+1. Learn about [how the provisioning service works](https://docs.microsoft.com/azure/active-directory/manage-apps/user-provisioning).
+2. Determine who will be in [scope for provisioning](https://docs.microsoft.com/azure/active-directory/manage-apps/define-conditional-rules-for-provisioning-user-accounts).
+3. Determine what data to [map between Azure AD and Cloud Academy - SSO](https://docs.microsoft.com/azure/active-directory/manage-apps/customize-application-attributes).
+
+## Step 2. Configure Cloud Academy - SSO to support provisioning with Azure AD
+
+1. Login to [Sigma Computing](https://cloudacademy.com/) admin portal.
+
+2. Click on **Dashboard** on the home page next to the profile icon.
+
+ ![Home](media/cloud-academy-sso-provisioning-tutorial/dashboard.png)
+
+3. Navigate to **your profile** > **Settings & Integrations**.
+
+ ![Integrations](media/cloud-academy-sso-provisioning-tutorial/settings.png)
+
+4. Click on **Integrations** tab and click on **View Integration** in Azure AD.
+
+ ![Directory](media/cloud-academy-sso-provisioning-tutorial/active.png)
+
+5. Click on **Generate a new API Key**.
+
+ ![Generate](media/cloud-academy-sso-provisioning-tutorial/key.png)
+
+6. Copy the full API Key. This value will be entered in the **Secret Token** field in the Provisioning tab of your Cloud Academy - SSO application in the Azure portal.
+
+ >[!Note]
+ >You can generate a new API Key as required. The old API Key will be marked as expired in the next **8 hours** to allow the time needed to update the configuration in the AD Portal.
+
+7. The Tenant URL is `https://cloudacademy.com/webhooks/ad/v1/scim` or `https://app.qa.com/webhooks/ad/v1/scim` based on where your company is registered. This value will be entered in the **Tenant URL** field in the Provisioning tab of your Cloud Academy - SSO application in the Azure portal.
+
+## Step 3. Add Cloud Academy - SSO from the Azure AD application gallery
+
+Add Cloud Academy - SSO from the Azure AD application gallery to start managing provisioning to Cloud Academy - SSO. If you have previously setup Cloud Academy - SSO for SSO, you can use the same application. However it is recommended that you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](https://docs.microsoft.com/azure/active-directory/manage-apps/add-gallery-app).
+
+## Step 4. Define who will be in scope for provisioning
+
+The Azure AD provisioning service allows you to scope who will be provisioned based on assignment to the application and or based on attributes of the user / group. If you choose to scope who will be provisioned to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users and groups to the application. If you choose to scope who will be provisioned based solely on attributes of the user or group, you can use a scoping filter as described [here](https://docs.microsoft.com/azure/active-directory/manage-apps/define-conditional-rules-for-provisioning-user-accounts).
+
+* When assigning users and groups to Cloud Academy - SSO, you must select a role other than **Default Access**. Users with the Default Access role are excluded from provisioning and will be marked as not effectively entitled in the provisioning logs. If the only role available on the application is the default access role, you can [update the application manifest](https://docs.microsoft.com/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps) to add additional roles.
+
+* Start small. Test with a small set of users and groups before rolling out to everyone. When scope for provisioning is set to assigned users and groups, you can control this by assigning one or two users or groups to the app. When scope is set to all users and groups, you can specify an [attribute based scoping filter](https://docs.microsoft.com/azure/active-directory/manage-apps/define-conditional-rules-for-provisioning-user-accounts).
++
+## Step 5. Configure automatic user provisioning to Cloud Academy - SSO
+
+This section guides you through the steps to configure the Azure AD provisioning service to create, update, and disable users and/or groups in TestApp based on user and/or group assignments in Azure AD.
+
+### To configure automatic user provisioning for Cloud Academy - SSO in Azure AD:
+
+1. Sign in to the [Azure portal](https://portal.azure.com). Select **Enterprise Applications**, then select **All applications**.
+
+ ![Enterprise applications blade](common/enterprise-applications.png)
+
+2. In the applications list, select **Cloud Academy - SSO**.
+
+ ![The Cloud Academy - SSO link in the Applications list](common/all-applications.png)
+
+3. Select the **Provisioning** tab.
+
+ ![Provisioning tab](common/provisioning.png)
+
+4. Set the **Provisioning Mode** to **Automatic**.
+
+ ![Provisioning tab automatic](common/provisioning-automatic.png)
+
+5. Under the **Admin Credentials** section, input your Cloud Academy - SSO Tenant URL and Secret Token. Click **Test Connection** to ensure Azure AD can connect to Cloud Academy - SSO. If the connection fails, ensure your Cloud Academy - SSO account has Admin permissions and try again.
+
+ ![Token](common/provisioning-testconnection-tenanturltoken.png)
+
+6. In the **Notification Email** field, enter the email address of a person or group who should receive the provisioning error notifications and select the **Send an email notification when a failure occurs** check box.
+
+ ![Notification Email](common/provisioning-notification-email.png)
+
+7. Select **Save**.
+
+8. Under the **Mappings** section, select **Synchronize Azure Active Directory Users to Cloud Academy - SSO**.
+
+9. Review the user attributes that are synchronized from Azure AD to Cloud Academy - SSO in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in Cloud Academy - SSO for update operations. If you choose to change the [matching target attribute](https://docs.microsoft.com/azure/active-directory/manage-apps/customize-application-attributes), you will need to ensure that the Cloud Academy - SSO API supports filtering users based on that attribute. Select the **Save** button to commit any changes.
+
+ |Attribute|Type|Supported For Filtering|
+ ||||
+ |userName|String|&check;|
+ |externalId|String|
+ |active|Boolean|
+ |name.givenName|String|
+ |name.familyName|String|
+
+10. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../manage-apps/define-conditional-rules-for-provisioning-user-accounts.md).
+
+11. To enable the Azure AD provisioning service for Cloud Academy - SSO, change the **Provisioning Status** to **On** in the **Settings** section.
+
+ ![Provisioning Status Toggled On](common/provisioning-toggle-on.png)
+
+12. Define the users and/or groups that you would like to provision to Cloud Academy - SSO by choosing the desired values in **Scope** in the **Settings** section.
+
+ ![Provisioning Scope](common/provisioning-scope.png)
+
+13. When you are ready to provision, click **Save**.
+
+ ![Saving Provisioning Configuration](common/provisioning-configuration-save.png)
+
+This operation starts the initial synchronization cycle of all users and groups defined in **Scope** in the **Settings** section. The initial cycle takes longer to perform than subsequent cycles, which occur approximately every 40 minutes as long as the Azure AD provisioning service is running.
+
+## Step 6. Monitor your deployment
+Once you've configured provisioning, use the following resources to monitor your deployment:
+
+1. Use the [provisioning logs](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-provisioning-logs) to determine which users have been provisioned successfully or unsuccessfully
+2. Check the [progress bar](https://docs.microsoft.com/azure/active-directory/app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user) to see the status of the provisioning cycle and how close it is to completion
+3. If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. Learn more about quarantine states [here](https://docs.microsoft.com/azure/active-directory/manage-apps/application-provisioning-quarantine-status).
+
+## Additional resources
+
+* [Managing user account provisioning for Enterprise Apps](../manage-apps/configure-automatic-user-provisioning-portal.md)
+* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+
+## Next steps
+
+* [Learn how to review logs and get reports on provisioning activity](../manage-apps/check-status-user-account-provisioning.md)
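Review bot: Step 2, item 1 reads "Login to [Sigma Computing](https://cloudacademy.com/) admin portal" while the URL and the rest of the tutorial are Cloud Academy, and the Step 5 introduction says users will be created, updated and disabled "in TestApp"; both look like text left over from a template and should say Cloud Academy - SSO. Since the API Key copied in Step 2, item 6 is the value that goes into **Secret Token**, the text should also say to treat it as a credential (the note that the old key expires within 8 hours shows it is rotatable, which is worth calling out for that reason). Style points: this new file uses absolute `https://docs.microsoft.com/azure/...` links while the other tutorials in this same update are being moved to relative paths such as `../user-help/...`, so these should be relative as well; and the attribute table's delimiter row `||||` is not a standard GFM delimiter row, so `|---|---|---|` is the safer form.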
active-directory Cloudtamer Io Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/cloudtamer-io-tutorial.md
Previously updated : 06/03/2021 Last updated : 06/09/2021
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
f. Copy **SERVICE PROVIDER ACS URL** value, paste this value into the **Reply URL** text box in the Basic SAML Configuration section in the Azure portal.
- g. Click **Create IDMS**.
+ g. Under Assertion Mapping, enter the following values:
+
+ | Field | Value |
+ |--|-|
+ | First Name | `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname` |
+ | Last Name | `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname` |
+ | Email | `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name` |
+ | Username | `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name` |
+ |
+
+1. Click **Create IDMS**.
### Create cloudtamer.io test user
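Review bot: in the new Assertion Mapping table both **Email** and **Username** are mapped to `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name`; if Email is meant to carry an email address rather than the name claim, confirm that mapping is intentional, because it determines which attribute cloudtamer.io will read for each field. Also, the row containing only `|` after the table is a stray line and should be removed, and the final step was "g. Click **Create IDMS**" before this change but is now a top-level "1." item, which breaks the lettered a–g sequence of the sub-steps above it.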
active-directory Cognician Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/cognician-tutorial.md
In this section, you test your Azure AD single sign-on configuration with follow
* Go to Cognician Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the Cognician tile in the My Apps, this will redirect to Cognician Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the Cognician tile in the My Apps, this will redirect to Cognician Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Cognician you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
--
+Once you configure Cognician you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory Community Spark Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/community-spark-tutorial.md
Previously updated : 07/16/2020 Last updated : 06/09/2021
In this tutorial, you'll learn how to integrate Community Spark with Azure Activ
* Enable your users to be automatically signed-in to Community Spark with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Community Spark supports **SP** initiated SSO
-
-* Community Spark supports **Just In Time** user provisioning
+* Community Spark supports **SP** initiated SSO.
-* Once you configure Community Spark you can enforce session control, which protect exfiltration and infiltration of your organizationΓÇÖs sensitive data in real-time. Session control extend from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
+* Community Spark supports **Just In Time** user provisioning.
-## Adding Community Spark from the gallery
+## Add Community Spark from the gallery
To configure the integration of Community Spark into Azure AD, you need to add Community Spark from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Community Spark** in the search box. 1. Select **Community Spark** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. - ## Configure and test Azure AD SSO for Community Spark Configure and test Azure AD SSO with Community Spark using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Community Spark.
-To configure and test Azure AD SSO with Community Spark, complete the following building blocks:
+To configure and test Azure AD SSO with Community Spark, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
To configure and test Azure AD SSO with Community Spark, complete the following
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Community Spark** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **Community Spark** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
-1. On the **Basic SAML Configuration** section, enter the values for the following fields:
+1. On the **Basic SAML Configuration** section, perform the following steps:
- a. In the **Sign on URL** text box, type a URL using the following pattern:
- `https://<SUBDOMAIN>.communityspark.co/`
-
- b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
+ a. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
`https://<SUBDOMAIN>.communityspark.co/saml/metadata`
- c. In the **Reply URL** text box, type a URL using the following pattern:
+ b. In the **Reply URL** text box, type a URL using the following pattern:
`https://<SUBDOMAIN>.communityspark.co/saml/consume`
+ c. In the **Sign on URL** text box, type a URL using the following pattern:
+ `https://<SUBDOMAIN>.communityspark.co/`
+ > [!NOTE]
- > These values are not real. Update these values with the actual Sign on URL, Reply URL and Identifier. Contact [Community Spark Client support team](mailto:support@socialassurance.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+ > These values are not real. Update these values with the actual Identifier, Reply URL and Sign on URL. Contact [Community Spark Client support team](mailto:support@socialassurance.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
1. On the **Set up single sign-on with SAML** page, In the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **Community Spark**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure Community Spark SSO
In this section, a user called B.Simon is created in Community Spark. Community
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
-
-When you click the Community Spark tile in the Access Panel, you should be automatically signed in to the Community Spark for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
-
-## Additional resources
--- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+In this section, you test your Azure AD single sign-on configuration with following options.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+* Click on **Test this application** in Azure portal. This will redirect to Community Spark Sign-on URL where you can initiate the login flow.
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+* Go to Community Spark Sign-on URL directly and initiate the login flow from there.
-- [Try Community Spark with Azure AD](https://aad.portal.azure.com/)
+* You can use Microsoft My Apps. When you click the Community Spark tile in the My Apps, this will redirect to Community Spark Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is session control in Microsoft Cloud App Security?](/cloud-app-security/proxy-intro-aad)
+## Next steps
-- [How to protect Community Spark with advanced visibility and controls](/cloud-app-security/proxy-intro-aad)
+Once you configure Community Spark you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
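Review bot: the session-control link changes target from `/cloud-app-security/proxy-deployment-any-app` (in the removed scenario bullet) to `/cloud-app-security/proxy-deployment-aad` in the new Next steps section, while the Clebex and Cognician tutorials updated in this same batch keep `proxy-deployment-any-app`; confirm the new target is intended. Minor: the field is written "Sign on URL" in the Basic SAML Configuration step but "Sign-on URL" in the Test SSO bullets, and the replacement Next steps line still contains the "organizationΓÇÖs" mojibake.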
active-directory Consent2go Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/consent2go-tutorial.md
Previously updated : 01/23/2019 Last updated : 06/08/2021 # Tutorial: Azure Active Directory integration with Consent2Go
-In this tutorial, you learn how to integrate Consent2Go with Azure Active Directory (Azure AD).
-Integrating Consent2Go with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Consent2Go with Azure Active Directory (Azure AD). When you integrate Consent2Go with Azure AD, you can:
-* You can control in Azure AD who has access to Consent2Go.
-* You can enable your users to be automatically signed-in to Consent2Go (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Consent2Go.
+* Enable your users to be automatically signed-in to Consent2Go with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with Consent2Go, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* Consent2Go single sign-on enabled subscription
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Consent2Go single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* Consent2Go supports **SP** initiated SSO
-
-## Adding Consent2Go from the gallery
-
-To configure the integration of Consent2Go into Azure AD, you need to add Consent2Go from the gallery to your list of managed SaaS apps.
-
-**To add Consent2Go from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
+* Consent2Go supports **SP** initiated SSO.
- ![The New application button](common/add-new-app.png)
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-4. In the search box, type **Consent2Go**, select **Consent2Go** from result panel then click **Add** button to add the application.
+## Add Consent2Go from the gallery
- ![Consent2Go in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
-
-In this section, you configure and test Azure AD single sign-on with Consent2Go based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Consent2Go needs to be established.
-
-To configure and test Azure AD single sign-on with Consent2Go, you need to complete the following building blocks:
-
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure Consent2Go Single Sign-On](#configure-consent2go-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Consent2Go test user](#create-consent2go-test-user)** - to have a counterpart of Britta Simon in Consent2Go that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
-
-### Configure Azure AD single sign-on
+To configure the integration of Consent2Go into Azure AD, you need to add Consent2Go from the gallery to your list of managed SaaS apps.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Consent2Go** in the search box.
+1. Select **Consent2Go** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-To configure Azure AD single sign-on with Consent2Go, perform the following steps:
+## Configure and test Azure AD SSO for Consent2Go
-1. In the [Azure portal](https://portal.azure.com/), on the **Consent2Go** application integration page, select **Single sign-on**.
+Configure and test Azure AD SSO with Consent2Go using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Consent2Go.
- ![Configure single sign-on link](common/select-sso.png)
+To configure and test Azure AD SSO with Consent2Go, perform the following steps:
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Consent2Go SSO](#configure-consent2go-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Consent2Go test user](#create-consent2go-test-user)** - to have a counterpart of B.Simon in Consent2Go that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
- ![Single sign-on select mode](common/select-saml-option.png)
+## Configure Azure AD SSO
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
+Follow these steps to enable Azure AD SSO in the Azure portal.
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+1. In the Azure portal, on the **Consent2Go** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
-4. On the **Basic SAML Configuration** section, perform the following steps:
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
- ![Consent2Go Domain and URLs single sign-on information](common/sp-signonurl.png)
+4. On the **Basic SAML Configuration** section, perform the following step:
- In the **Sign-on URL** text box, type a URL:
+ In the **Sign-on URL** text box, type the URL:
`https://www.mcbschools.com/Login` 5. On the **Set up Single Sign-On with SAML** page, In the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer. ![The Certificate download link](common/copy-metadataurl.png)
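Review bot: a Save step appears to be missing between entering the Sign-on URL (step 4) and copying the **App Federation Metadata Url** (step 5); the FAX.PLUS tutorial in this same batch has an explicit `1. Click **Save**.` right after its Sign-on URL step, and without it the Basic SAML Configuration edit is not persisted before the reader moves on. The same list also mixes lazy `1.` numbering with an explicit `4.`; use one style throughout.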
-### Configure Consent2Go Single Sign-On
-
-To configure single sign-on on **Consent2Go** side, you need to send the **App Federation Metadata Url** to [Consent2Go support team](mailto:support@consent2go.com). They set this setting to have the SAML SSO connection set properly on both sides.
- ### Create an Azure AD test user
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
+In this section, you'll create a test user in the Azure portal called B.Simon.
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type **brittasimon\@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
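Review bot: the removed heading line `- ### Create an Azure AD test user` has no visible `+` replacement in this hunk, yet the new overview list links to `#create-an-azure-ad-test-user`; confirm the heading is still present (and no longer indented by a leading space, which is what made the old line render as a paragraph rather than a heading), otherwise the anchor in the overview list breaks.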
### Assign the Azure AD test user
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Consent2Go.
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Consent2Go.
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Consent2Go**.
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Consent2Go**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
- ![Enterprise applications blade](common/enterprise-applications.png)
+## Configure Consent2Go SSO
-2. In the applications list, select **Consent2Go**.
-
- ![The Consent2Go link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
+To configure single sign-on on **Consent2Go** side, you need to send the **App Federation Metadata Url** to [Consent2Go support team](mailto:support@consent2go.com). They set this setting to have the SAML SSO connection set properly on both sides.
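Review bot: "They set this setting to have the SAML SSO connection set properly on both sides" in the moved Configure Consent2Go SSO paragraph is vague about what the vendor does with the value; say plainly that Consent2Go support uses the federation metadata to configure the SAML trust on their side, and that SSO will not work until they confirm it is done. Minor: "on **Consent2Go** side" should read "on the **Consent2Go** side".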
### Create Consent2Go test user In this section, you create a user called Britta Simon in Consent2Go. Work with [Consent2Go support team](mailto:support@consent2go.com) to add the users in the Consent2Go platform. Users must be created and activated before you use single sign-on.
-### Test single sign-on
+## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the Consent2Go tile in the Access Panel, you should be automatically signed in to the Consent2Go for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to Consent2Go Sign-on URL where you can initiate the login flow.
-## Additional Resources
+* Go to Consent2Go Sign-on URL directly and initiate the login flow from there.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the Consent2Go tile in the My Apps, this will redirect to Consent2Go Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Consent2Go you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
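Review bot: the Next steps link targets `/cloud-app-security/proxy-deployment-aad`, while every other tutorial in this batch links `/cloud-app-security/proxy-deployment-any-app`; confirm which page is intended for Consent2Go. Two consistency issues in the same region: the unchanged "Create Consent2Go test user" text still says "Britta Simon" while the Azure AD user is now `B.Simon`, and "with following options" should read "with the following options"; "protects exfiltration and infiltration" should read "protects against exfiltration and infiltration". The apostrophe in "organization's" renders as `ΓÇÖ` here, so check the file is saved as UTF-8.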
active-directory Documo Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/documo-tutorial.md
In this section, you test your Azure AD single sign-on configuration with follow
* Click on **Test this application** in Azure portal and you should be automatically signed in to the Documo for which you set up the SSO
-You can also use Microsoft My Apps to test the application in any mode. When you click the Documo tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Documo for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+You can also use Microsoft My Apps to test the application in any mode. When you click the Documo tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Documo for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Documo you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
--
+Once you configure Documo you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory Equisolve Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/equisolve-tutorial.md
In this section, you test your Azure AD single sign-on configuration with follow
* Click on **Test this application** in Azure portal and you should be automatically signed in to the Equisolve for which you set up the SSO
-You can also use Microsoft My Apps to test the application in any mode. When you click the Equisolve tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Equisolve for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+You can also use Microsoft My Apps to test the application in any mode. When you click the Equisolve tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Equisolve for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Equisolve you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
--
+Once you configure Equisolve you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory Euromonitor Passport Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/euromonitor-passport-tutorial.md
In this section, you test your Azure AD single sign-on configuration with follow
* Click on **Test this application** in Azure portal and you should be automatically signed in to the Euromonitor Passport for which you set up the SSO.
-You can also use Microsoft My Apps to test the application in any mode. When you click the Euromonitor Passport tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Euromonitor Passport for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+You can also use Microsoft My Apps to test the application in any mode. When you click the Euromonitor Passport tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Euromonitor Passport for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Euromonitor Passport you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
+Once you configure Euromonitor Passport you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory Fabric Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/fabric-tutorial.md
+
+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Fabric | Microsoft Docs'
+description: Learn how to configure single sign-on between Azure Active Directory and Fabric.
++++++++ Last updated : 06/08/2021++++
+# Tutorial: Azure Active Directory single sign-on (SSO) integration with Fabric
+
+In this tutorial, you'll learn how to integrate Fabric with Azure Active Directory (Azure AD). When you integrate Fabric with Azure AD, you can:
+
+* Control in Azure AD who has access to Fabric.
+* Enable your users to be automatically signed-in to Fabric with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
+
+## Prerequisites
+
+To get started, you need the following items:
+
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Fabric single sign-on (SSO) enabled subscription.
+
+## Scenario description
+
+In this tutorial, you configure and test Azure AD SSO in a test environment.
+
+* Fabric supports **SP** initiated SSO.
+
+## Adding Fabric from the gallery
+
+To configure the integration of Fabric into Azure AD, you need to add Fabric from the gallery to your list of managed SaaS apps.
+
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Fabric** in the search box.
+1. Select **Fabric** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
++
+## Configure and test Azure AD SSO for Fabric
+
+Configure and test Azure AD SSO with Fabric using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Fabric.
+
+To configure and test Azure AD SSO with Fabric, perform the following steps:
+
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Fabric SSO](#configure-fabric-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Fabric test user](#create-fabric-test-user)** - to have a counterpart of B.Simon in Fabric that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
+
+## Configure Azure AD SSO
+
+Follow these steps to enable Azure AD SSO in the Azure portal.
+
+1. In the Azure portal, on the **Fabric** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
+
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
+
+1. On the **Basic SAML Configuration** section, enter the values for the following fields:
+
+ a. In the **Identifier** text box, type a URL using the following pattern:
+ `http://<HOSTNAME>/primary`
+
+ b. In the **Reply URL** text box, type a URL using the following pattern:
+ `https://<HOSTNAME>:<PORT>/api/authenticate`
+
+ c. In the **Sign on URL** text box, type a URL using the following pattern:
+ `https://<HOSTNAME>:<PORT>`
+
+ > [!NOTE]
+ > These values are not real. Update these values with the actual Identifier, Reply URL and Sign on URL. Contact [Fabric Client support team](mailto:support@k2view.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+
+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.
+
+ ![The Certificate download link](common/certificatebase64.png)
+
+1. On the **Set up Fabric** section, copy the appropriate URL(s) based on your requirement.
+
+ ![Copy configuration URLs](common/copy-configuration-urls.png)
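Review bot: the Identifier pattern `http://<HOSTNAME>/primary` uses plain `http://` while the Reply URL and Sign on URL patterns use `https://`; the entity ID is only an identifier string, but the mismatch reads like a typo, so confirm with the vendor that the entity ID really is the http form (the Reply URL, where the assertion is actually posted, must stay https). Also the note names "[Fabric Client support team]" while the Configure Fabric SSO section below calls it "[Fabric support team]"; use one name.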
+
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
+
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Fabric.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Fabric**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure Fabric SSO
+
+To configure single sign-on on **Fabric** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [Fabric support team](mailto:support@k2view.com). They set this setting to have the SAML SSO connection set properly on both sides.
+
+### Create Fabric test user
+
+In this section, you create a user called Britta Simon in Fabric. Work with [Fabric support team](mailto:support@k2view.com) to add the users in the Fabric platform. Users must be created and activated before you use single sign-on.
+
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+* Click on **Test this application** in Azure portal. This will redirect to Fabric Sign-on URL where you can initiate the login flow.
+
+* Go to Fabric Sign-on URL directly and initiate the login flow from there.
+
+* You can use Microsoft My Apps. When you click the Fabric tile in the My Apps, this will redirect to Fabric Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
++
+## Next steps
+
+Once you configure Fabric you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
++
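Review bot: "Create Fabric test user" says "Britta Simon" while the rest of this new file uses `B.Simon`; align the name. The heading "## Adding Fabric from the gallery" differs from the "## Add FAX.PLUS from the gallery" form used in the sibling new file in this batch, and only Title, description and "Last updated" are visible in the front matter here, so verify the metadata block is complete before merge.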
active-directory Fax Plus Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/fax-plus-tutorial.md
+
+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with FAX.PLUS | Microsoft Docs'
+description: Learn how to configure single sign-on between Azure Active Directory and FAX.PLUS.
++++++++ Last updated : 05/19/2021++++
+# Tutorial: Azure Active Directory single sign-on (SSO) integration with FAX.PLUS
+
+In this tutorial, you'll learn how to integrate FAX.PLUS with Azure Active Directory (Azure AD). When you integrate FAX.PLUS with Azure AD, you can:
+
+* Control in Azure AD who has access to FAX.PLUS.
+* Enable your users to be automatically signed-in to FAX.PLUS with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
+
+## Prerequisites
+
+To get started, you need the following items:
+
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* FAX.PLUS single sign-on (SSO) enabled subscription.
+
+## Scenario description
+
+In this tutorial, you configure and test Azure AD SSO in a test environment.
+
+* FAX.PLUS supports **SP and IDP** initiated SSO.
+* FAX.PLUS supports **Just In Time** user provisioning.
+
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
+
+## Add FAX.PLUS from the gallery
+
+To configure the integration of FAX.PLUS into Azure AD, you need to add FAX.PLUS from the gallery to your list of managed SaaS apps.
+
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **FAX.PLUS** in the search box.
+1. Select **FAX.PLUS** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
++
+## Configure and test Azure AD SSO for FAX.PLUS
+
+Configure and test Azure AD SSO with FAX.PLUS using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in FAX.PLUS.
+
+To configure and test Azure AD SSO with FAX.PLUS, perform the following steps:
+
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure FAX.PLUS SSO](#configure-faxplus-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create FAX.PLUS test user](#create-faxplus-test-user)** - to have a counterpart of B.Simon in FAX.PLUS that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
+
+## Configure Azure AD SSO
+
+Follow these steps to enable Azure AD SSO in the Azure portal.
+
+1. In the Azure portal, on the **FAX.PLUS** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
+
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
+
+1. On the **Basic SAML Configuration** section, the user does not have to perform any step as the app is already pre-integrated with Azure.
+
+1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
+
+ In the **Sign-on URL** text box, type the URL:
+ `https://www.fax.plus/login`
+
+1. Click **Save**.
+
+1. FAX.PLUS application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.
+
+ ![image](common/default-attributes.png)
+
+1. In addition to above, FAX.PLUS application expects few more attributes to be passed back in SAML response, which are shown below. These attributes are also pre populated but you can review them as per your requirements.
+
+ | Name | Source Attribute|
+ | | |
+ | firstname | user.givenname |
+ | lastname | user.surname |
+
+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.
+
+ ![The Certificate download link](common/certificatebase64.png)
+
+1. On the **Set up FAX.PLUS** section, copy the appropriate URL(s) based on your requirement.
+
+ ![Copy configuration URLs](common/copy-configuration-urls.png)
+
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
+
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to FAX.PLUS.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **FAX.PLUS**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure FAX.PLUS SSO
+
+1. To automate the configuration within FAX.PLUS, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**.
+
+ ![My apps extension](common/install-myappssecure-extension.png)
+
+2. After adding extension to the browser, click on **Set up FAX.PLUS** will direct you to the FAX.PLUS application. From there, provide the admin credentials to sign into FAX.PLUS. The browser extension will automatically configure the application for you and automate steps 3-5.
+
+ ![Setup configuration](common/setup-sso.png)
+
+3. If you want to setup FAX.PLUS manually, in a different web browser window, sign in to your FAX.PLUS company site as an administrator.
+
+2. Go to the **Security** section in your Admin Profile and scroll down to **Advanced**.
+
+3. On the **Configuration** panel, click on the **Activate Single Sign-On** button and perform the following steps.
+
+ ![Account](./media/fax.plus-tutorial/configuration.png "Account")
+
+ a. In the **Entity ID** textbox, paste the **Azure AD Identifier** value which you have copied from the Azure portal.
+
+ b. In the **Single Sign-On URL** textbox, paste the **Login URL** value which you have copied from the Azure portal.
+
+ c. Open the downloaded **Certificate (Base64)** from the Azure portal into Notepad and paste the content into the **X.509 Certificate** textbox.
+
+ d. If you want to login through SSO, enable **Only Allow SSO Login for Admin User** checkbox.
+
+ e. Click **Confirm**.
+
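Review bot: the manual configuration steps are numbered 3, 2, 3 (sign in as administrator, Security section, Configuration panel), and step 2 says the extension automates "steps 3-5", which do not exist under that numbering; renumber them 3, 4, 5. Step d, "If you want to login through SSO, enable **Only Allow SSO Login for Admin User** checkbox", understates what the option does: by its label it restricts the admin account to SSO login, so reword to say it enforces SSO-only login for the admin user and recommend verifying the SSO flow first (Test SSO section) so an admin is not locked out by a misconfigured assertion. Also "click on **Set up FAX.PLUS** will direct you" should read "clicking **Set up FAX.PLUS** will direct you".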
+### Create FAX.PLUS test user
+
+In this section, a user called Britta Simon is created in FAX.PLUS. FAX.PLUS supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in FAX.PLUS, a new one is created after authentication.
+
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
+
+* Click on **Test this application** in Azure portal. This will redirect to FAX.PLUS Sign on URL where you can initiate the login flow.
+
+* Go to FAX.PLUS Sign-on URL directly and initiate the login flow from there.
+
+#### IDP initiated:
+
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the FAX.PLUS for which you set up the SSO.
+
+You can also use Microsoft My Apps to test the application in any mode. When you click the FAX.PLUS tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the FAX.PLUS for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
+
+## Next steps
+
+Once you configure FAX.PLUS you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
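Review bot: "Create FAX.PLUS test user" says "Britta Simon" while the Azure AD user created earlier in this file is `B.Simon`; align the name. `#### SP initiated:` and `#### IDP initiated:` are h4 headings directly under an h2 (no h3 in between); use `###`. "FAX.PLUS Sign on URL" in the SP-initiated bullet should match "Sign-on URL" used in the next bullet and in the configuration steps.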
active-directory Fieldglass Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/fieldglass-tutorial.md
In this section, you test your Azure AD single sign-on configuration with follow
* Click on Test this application in Azure portal and you should be automatically signed in to the Fieldglass for which you set up the SSO.
-* You can use Microsoft My Apps. When you click the Fieldglass tile in the My Apps, you should be automatically signed in to the Fieldglass for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the Fieldglass tile in the My Apps, you should be automatically signed in to the Fieldglass for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Fieldglass you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
+Once you configure Fieldglass you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory Figma Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/figma-tutorial.md
In this section, you test your Azure AD single sign-on configuration with follow
* Click on **Test this application** in Azure portal and you should be automatically signed in to the Figma for which you set up the SSO.
-You can also use Microsoft My Apps to test the application in any mode. When you click the Figma tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Figma for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+You can also use Microsoft My Apps to test the application in any mode. When you click the Figma tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Figma for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Figma you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
+Once you configure Figma you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
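Review bot: the second test option (`You can also use Microsoft My Apps to test the application in any mode ...`) is a bare paragraph while the first option above it is a `*` bullet, so the two alternatives render with different structure; make both list items. On that same line, `application sign on page` should be `application sign-on page` to match the `Sign-on URL` spelling used in the other tutorials in this change, and `IDP mode` is conventionally `IdP`. The rewritten Next steps line also still contains the mis-encoded `organizationΓÇÖs`, which should become `organization's` while the line is being touched.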
active-directory Fluxxlabs Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/fluxxlabs-tutorial.md
In this section, you test your Azure AD single sign-on configuration with follow
* Click on Test this application in Azure portal and you should be automatically signed in to the Fluxx Labs for which you set up the SSO.
-* You can use Microsoft My Apps. When you click the Fluxx Labs tile in the My Apps, you should be automatically signed in to the Fluxx Labs for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the Fluxx Labs tile in the My Apps, you should be automatically signed in to the Fluxx Labs for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Fluxx Labs you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
+Once you configure Fluxx Labs you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory Front Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/front-tutorial.md
In this section, you test your Azure AD single sign-on configuration with follow
* Click on Test this application in Azure portal and you should be automatically signed in to the Front for which you set up the SSO
-* You can use Microsoft My Apps. When you click the Front tile in the My Apps, you should be automatically signed in to the Front for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the Front tile in the My Apps, you should be automatically signed in to the Front for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Front you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
+Once you configure Front you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory Heroku Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/heroku-tutorial.md
In this section, you test your Azure AD single sign-on configuration with follow
* Go to Heroku Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the Heroku tile in the My Apps, this will redirect to Heroku Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the Heroku tile in the My Apps, this will redirect to Heroku Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Heroku you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
+Once you configure Heroku you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
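Review bot: `When you click the Heroku tile in the My Apps, this will redirect to Heroku Sign-on URL` in the updated bullet has a dangling `this` and is missing an article; since the line is being edited for the link anyway, suggest `When you click the Heroku tile in My Apps, you are redirected to the Heroku Sign-on URL.` Note also that both test options for this SP-initiated app stop at the redirect: unlike the IdP-initiated tutorials in this change, which state `you should be automatically signed in`, nothing here tells the reader what a successful sign-in looks like after the redirect, so the test procedure cannot distinguish a working SSO configuration from one that merely reaches the Heroku login page.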
active-directory Hive Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/hive-tutorial.md
In this section, you test your Azure AD single sign-on configuration with follow
* Click on **Test this application** in Azure portal and you should be automatically signed in to the Hive for which you set up the SSO.
-You can also use Microsoft My Apps to test the application in any mode. When you click the Hive tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Hive for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+You can also use Microsoft My Apps to test the application in any mode. When you click the Hive tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Hive for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Hive you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
+Once you configure Hive you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory Holmes Cloud Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/holmes-cloud-provisioning-tutorial.md
+
+ Title: 'Tutorial: Configure Holmes Cloud for automatic user provisioning with Azure Active Directory | Microsoft Docs'
+description: Learn how to automatically provision and de-provision user accounts from Azure AD to Holmes Cloud.
+
+documentationcenter: ''
+
+writer: Zhchia
++
+ms.assetid: b1088904-2ea2-4440-b39e-c4b7712b8229
+++
+ na
+ms.devlang: na
+ Last updated : 06/07/2021+++
+# Tutorial: Configure Holmes Cloud for automatic user provisioning
+
+This tutorial describes the steps you need to perform in both Holmes Cloud and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [Holmes Cloud](https://www.holmescloud.com/) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../app-provisioning/user-provisioning.md).
++
+## Capabilities Supported
+> [!div class="checklist"]
+> * Create users in Holmes Cloud.
+> * Remove users in Holmes Cloud when they do not require access anymore.
+> * Keep user attributes synchronized between Azure AD and Holmes Cloud.
+> * Provision groups and group memberships in Holmes Cloud.
+> * [Single sign-on](holmes-tutorial.md) to Holmes Cloud (recommended).
+
+## Prerequisites
+
+The scenario outlined in this tutorial assumes that you already have the following prerequisites:
+
+* [An Azure AD tenant](../develop/quickstart-create-new-tenant.md).
+* A user account in Azure AD with [permission](../roles/permissions-reference.md) to configure provisioning (for example, Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator).
+* A [Holmes Cloud](https://www.holmescloud.com/) tenant.
+* A user account in Holmes Cloud with Admin permissions.
+* A Holmes Cloud subscription where single sign-on and user provisioning service are enabled.
++
+## Step 1. Plan your provisioning deployment
+1. Learn about [how the provisioning service works](../app-provisioning/user-provisioning.md).
+1. Determine who will be in [scope for provisioning](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
+1. Determine what data to [map between Azure AD and Holmes Cloud](../app-provisioning/customize-application-attributes.md).
+
+## Step 2. Configure Holmes Cloud to support provisioning with Azure AD
+
+> [!NOTE]
+> * You will receive your Holmes Cloud tenant url from **Holmes Cloud Support** <cs@holmescloud.com> team after purchasing the subscription.
+> * You can find the requried information(endpoint url, token, etc.) to set up the provisioning service in the **Company Settings** page as long as you subscribe single sign-on and user provisioning service.
+
+1. Login to Holmes Cloud account with your Holmes Cloud credentials.
+1. Select "会社設定 (Company Settings)" menu and then select the hat shaped icon.
+1. See the information including API token on the card menu titled "アカウントプロビジョニング (Account Provisioning)".
+1. For token regeneration, select the link "APIキーを発行する (Issue API key)".
++
+## Step 3. Add Holmes Cloud from the Azure AD application gallery
+
+Add Holmes Cloud from the Azure AD application gallery to start managing provisioning to Holmes Cloud. If you have previously setup Holmes Cloud for SSO you can use the same application. However it is recommended that you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](../manage-apps/add-application-portal.md).
+
+## Step 4. Define who will be in scope for provisioning
+
+The Azure AD provisioning service allows you to scope who will be provisioned based on assignment to the application and or based on attributes of the user / group. If you choose to scope who will be provisioned to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users and groups to the application. If you choose to scope who will be provisioned based solely on attributes of the user or group, you can use a scoping filter as described [here](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
+
+* When assigning users and groups to Holmes Cloud, you must select a role other than **Default Access**. Users with the Default Access role are excluded from provisioning and will be marked as not effectively entitled in the provisioning logs. If the only role available on the application is the default access role, you can [update the application manifest](../develop/howto-add-app-roles-in-azure-ad-apps.md) to add additional roles.
+
+* Start small. Test with a small set of users and groups before rolling out to everyone. When scope for provisioning is set to assigned users and groups, you can control this by assigning one or two users or groups to the app. When scope is set to all users and groups, you can specify an [attribute based scoping filter](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
++
+## Step 5. Configure automatic user provisioning to Holmes Cloud
+
+This section guides you through the steps to configure the Azure AD provisioning service to create, update, and disable users and/or groups in Holmes Cloud based on user and/or group assignments in Azure AD.
+
+### To configure automatic user provisioning for Holmes Cloud in Azure AD:
+
+1. Sign in to the [Azure portal](https://portal.azure.com). Select **Enterprise Applications**, then select **All applications**.
+
+ ![Enterprise applications blade](common/enterprise-applications.png)
+
+1. In the applications list, select **Holmes Cloud**.
+
+ ![The Holmes Cloud link in the Applications list](common/all-applications.png)
+
+1. Select the **Provisioning** tab.
+
+ ![Provisioning tab](common/provisioning.png)
+
+1. Set the **Provisioning Mode** to **Automatic**.
+
+ ![Provisioning tab automatic](common/provisioning-automatic.png)
+
+1. In the **Admin Credentials** section, input your Holmes Cloud **Tenant URL** and **Secret Token**. Click **Test Connection** to ensure Azure AD can connect to Holmes Cloud. If the connection fails , ensure your Holmes Cloud account has Admin permissions and try again.
+
+ ![Token](common/provisioning-testconnection-tenanturltoken.png)
+
+1. In the **Notification Email** field, enter the email address of a person or group who should receive the provisioning error notifications and select the **Send an email notification when a failure occurs** check box.
+
+ ![Notification Email](common/provisioning-notification-email.png)
+
+1. Select **Save**.
+
+1. In the **Mappings** section, select **Synchronize Azure Active Directory Users to Holmes Cloud**.
+
+1. Review the user attributes that are synchronized from Azure AD to Holmes Cloud in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in Holmes Cloud for update operations. If you choose to change the [matching target attribute](../app-provisioning/customize-application-attributes.md), you will need to ensure that the Holmes Cloud API supports filtering users based on that attribute. Select the **Save** button to commit any changes.
+
+ |Attribute|Type|Supported for filtering|
+ ||||
+ |userName|String|&check;
+ |active|Boolean|
+ |displayName|String|
+ |externalId|String|
++
+1. Under the **Mappings** section, select **Synchronize Azure Active Directory Groups to Holmes Cloud**.
+
+1. Review the group attributes that are synchronized from Azure AD to Holmes Cloud in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the groups in Holmes Cloud for update operations. Select the **Save** button to commit any changes.
+
+ |Attribute|Type|Supported for filtering|
+ ||||
+ |displayName|String|&check;
+ |members|Reference|
+ |externalId|String|
+
+1. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
+
+1. To enable the Azure AD provisioning service for Holmes Cloud, change the **Provisioning Status** to **On** in the **Settings** section.
+
+ ![Provisioning Status Toggled On](common/provisioning-toggle-on.png)
+
+1. Define the users and/or groups that you would like to provision to Holmes Cloud by choosing the desired values in **Scope** in the **Settings** section.
+
+ ![Provisioning Scope](common/provisioning-scope.png)
+
+1. When you are ready to provision, click **Save**.
+
+ ![Saving Provisioning Configuration](common/provisioning-configuration-save.png)
+
+This operation starts the initial synchronization cycle of all users and groups defined in **Scope** in the **Settings** section. The initial cycle takes longer to perform than subsequent cycles, which occur approximately every 40 minutes as long as the Azure AD provisioning service is running.
+
+## Step 6. Monitor your deployment
+Once you've configured provisioning, use the following resources to monitor your deployment:
+
+* Use the [provisioning logs](../reports-monitoring/concept-provisioning-logs.md) to determine which users have been provisioned successfully or unsuccessfully
+* Check the [progress bar](../app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md) to see the status of the provisioning cycle and how close it is to completion
+* If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. Learn more about quarantine states [here](../app-provisioning/application-provisioning-quarantine-status.md).
+
+## More resources
+
+* [Managing user account provisioning for Enterprise Apps](../app-provisioning/configure-automatic-user-provisioning-portal.md)
+* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+
+## Next steps
+
+* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md)
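Review bot: Step 2 tells the reader where to read the API token and how to regenerate it (`APIキーを発行する (Issue API key)`) but says nothing about the consequence of regenerating it, even though Step 5 pastes that same value into **Admin Credentials** as the **Secret Token**; state whether issuing a new key revokes the previous one and, if so, that the token stored in the Azure AD provisioning configuration must be updated afterwards or the connection will start failing. Smaller points in the same file: in the NOTE, `requried information(endpoint url, token, etc.)` should read `required information (endpoint URL, token, etc.)` and `subscribe single sign-on` should be `subscribe to`; `If the connection fails , ensure` has a stray space before the comma; `previously setup Holmes Cloud` should be `previously set up`, and `However it is recommended` needs a comma; the two attribute tables use `||||` as the delimiter row, which is not a valid pipe-table separator in CommonMark/GFM (`|---|---|---|` is), so confirm the docs build renders them as tables.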
active-directory Icertisicm Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/icertisicm-tutorial.md
In this section, you test your Azure AD single sign-on configuration with follow
* Go to Icertis Contract Management Platform Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the Icertis Contract Management Platform tile in the My Apps, this will redirect to Icertis Contract Management Platform Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the Icertis Contract Management Platform tile in the My Apps, this will redirect to Icertis Contract Management Platform Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Icertis Contract Management Platform you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
+Once you configure Icertis Contract Management Platform you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory Ilms Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/ilms-tutorial.md
Previously updated : 05/14/2019 Last updated : 06/08/2021 # Tutorial: Integrate iLMS with Azure Active Directory
In this tutorial, you'll learn how to integrate iLMS with Azure Active Directory
* Enable your users to be automatically signed-in to iLMS with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
-* An Azure AD subscription. If you don't have a subscription, you can get one-month free trial [here](https://azure.microsoft.com/pricing/free-trial/).
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
* iLMS single sign-on (SSO) enabled subscription. ## Scenario description
-In this tutorial, you configure and test Azure AD SSO in a test environment. iLMS supports **SP and IDP** initiated SSO
+In this tutorial, you configure and test Azure AD SSO in a test environment.
+
+* iLMS supports **SP and IDP** initiated SSO.
-## Adding iLMS from the gallery
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
+
+## Add iLMS from the gallery
To configure the integration of iLMS into Azure AD, you need to add iLMS from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **iLMS** in the search box. 1. Select **iLMS** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on
+## Configure and test Azure AD SSO for iLMS
-Configure and test Azure AD SSO with iLMS using a test user called **Britta Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in iLMS.
+Configure and test Azure AD SSO with iLMS using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in iLMS.
-To configure and test Azure AD SSO with iLMS, complete the following building blocks:
+To configure and test Azure AD SSO with iLMS, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
-2. **[Configure iLMS SSO](#configure-ilms-sso)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create iLMS test user](#create-ilms-test-user)** - to have a counterpart of Britta Simon in iLMS that is linked to the Azure AD representation of user.
-6. **[Test SSO](#test-sso)** - to verify whether the configuration works.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure iLMS SSO](#configure-ilms-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create iLMS test user](#create-ilms-test-user)** - to have a counterpart of B.Simon in iLMS that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-### Configure Azure AD SSO
+## Configure Azure AD SSO
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **iLMS** application integration page, find the **Manage** section and select **Single sign-on**.
+1. In the Azure portal, on the **iLMS** application integration page, find the **Manage** section and select **Single sign-on**.
1. On the **Select a Single sign-on method** page, select **SAML**.
-1. On the **Set up Single Sign-On with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up Single Sign-On with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
-1. On the **Basic SAML Configuration** page, if you wish to configure the application in **IDP** initiated mode, enter the values for the following fields:
+1. On the **Basic SAML Configuration** page, if you wish to configure the application in **IDP** initiated mode, perform the following steps:
a. In the **Identifier** text box, paste the **Identifier** value you copy from **Service Provider** section of SAML settings in iLMS admin portal.
- b. In the **Reply URL** text box, paste the **Endpoint (URL)** value you copy from **Service Provider** section of SAML settings in iLMS admin portal having the following pattern `https://www.inspiredlms.com/Login/<instanceName>/consumer.aspx`
+ b. In the **Reply URL** text box, paste the **Endpoint (URL)** value you copy from **Service Provider** section of SAML settings in iLMS admin portal having the following pattern: `https://www.inspiredlms.com/Login/<INSTANCE_NAME>/consumer.aspx`.
1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
- In the **Sign-on URL** text box, paste the **Endpoint (URL)** value you copy from **Service Provider** section of SAML settings in iLMS admin portal as `https://www.inspiredlms.com/Login/<instanceName>/consumer.aspx`
+ In the **Sign-on URL** text box, paste the **Endpoint (URL)** value you copy from **Service Provider** section of SAML settings in iLMS admin portal as `https://www.inspiredlms.com/Login/<INSTANCE_NAME>/consumer.aspx`.
1. To enable JIT provisioning, your iLMS application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes. Click **Edit** icon to open User Attributes dialog.
Follow these steps to enable Azure AD SSO in the Azure portal.
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
+### Create an Azure AD test user
- b. Azure AD Identifier
+In this section, you'll create a test user in the Azure portal called Britta Simon.
- c. Logout URL
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `Britta Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `BrittaSimon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
-### Configure iLMS SSO
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to iLMS.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **iLMS**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure iLMS SSO
1. In a different web browser window, sign in to your **iLMS admin portal** as an administrator. 2. Click **SSO:SAML** under **Settings** tab to open SAML settings and perform the following steps:
- ![Screenshot shows the I L M S settings tab where you can select S S O: SAML.](./media/ilms-tutorial/1.png)
+ ![Screenshot shows the I L M S settings tab where you can select S S O: SAML.](./media/ilms-tutorial/settings.png)
3. Expand the **Service Provider** section and copy the **Identifier** and **Endpoint (URL)** value.
- ![Screenshot shows SAML Settings where you can get the values.](./media/ilms-tutorial/2.png)
+ ![Screenshot shows SAML Settings where you can get the values.](./media/ilms-tutorial/values.png)
4. Under **Identity Provider** section, click **Import Metadata**. 5. Select the **Federation Metadata** file downloaded from the Azure portal from the **SAML Signing Certificate** section.
- ![Screenshot shows SAML Settings where you can select the metadata file.](./media/ilms-tutorial/tutorial_ilms_ssoconfig1.png)
+ ![Screenshot shows SAML Settings where you can select the metadata file.](./media/ilms-tutorial/certificate.png)
6. If you want to enable JIT provisioning to create iLMS accounts for un-recognize users, follow below steps: a. Check **Create Un-recognized User Account**.
- ![Screenshot shows Create Un-recognized User Account option.](./media/ilms-tutorial/tutorial_ilms_ssoconfig2.png)
+ ![Screenshot shows Create Un-recognized User Account option.](./media/ilms-tutorial/accounts.png)
b. Map the attributes in Azure AD with the attributes in iLMS. In the attribute column, specify the attributes name or the default value. c. Go to **Business Rules** tab and perform the following steps:
- ![Screenshot shows Business Rules settings where you can enter the information in this step.](./media/ilms-tutorial/5.png)
+ ![Screenshot shows Business Rules settings where you can enter the information in this step.](./media/ilms-tutorial/rules.png)
d. Check **Create Un-recognized Regions, Divisions and Departments** to create Regions, Divisions, and Departments that do not already exist at the time of Single Sign-on.
Follow these steps to enable Azure AD SSO in the Azure portal.
![Screenshot shows the Save button.](./media/ilms-tutorial/save.png)
-### Create an Azure AD test user
-
-In this section, you'll create a test user in the Azure portal called Britta Simon.
-
-1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
-1. Select **New user** at the top of the screen.
-1. In the **User** properties, follow these steps:
- 1. In the **Name** field, enter `Britta Simon`.
- 1. In the **User name** field, enter the username@companydomain.extension. For example, `BrittaSimon@contoso.com`.
- 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
- 1. Click **Create**.
-
-### Assign the Azure AD test user
-
-In this section, you'll enable Britta Simon to use Azure single sign-on by granting access to iLMS.
-
-1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
-1. In the applications list, select **iLMS**.
-1. In the app's overview page, find the **Manage** section and select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add User link](common/add-assign-user.png)
-
-1. In the **Users and groups** dialog, select **Britta Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
-1. In the **Add Assignment** dialog, click the **Assign** button.
- ### Create iLMS test user Application supports Just in time user provisioning and after authentication users are created in the application automatically. JIT will work, if you have clicked the **Create Un-recognized User Account** checkbox during SAML configuration setting at iLMS admin portal.
If you need to create an user manually, then follow below steps:
2. Click **Register User** under **Users** tab to open **Register User** page.
- ![Screenshot shows the I L M S settings tab where you can select Register User.](./media/ilms-tutorial/3.png)
+ ![Screenshot shows the I L M S settings tab where you can select Register User.](./media/ilms-tutorial/user.png)
3. On the **Register User** page, perform the following steps.
- ![Screenshot shows the Register User page where you enter the specified information.](./media/ilms-tutorial/create_testuser_add.png)
+ ![Screenshot shows the Register User page where you enter the specified information.](./media/ilms-tutorial/add-user.png)
a. In the **First Name** textbox, type the first name like Britta.
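Review bot: L2231 deletes the "### Create iLMS test user" heading together with the sentence that JIT provisioning only creates accounts when "Create Un-recognized User Account" is checked, and no replacement heading appears in this hunk, so the manual steps at L2232-L2239 (which also start at "2." with no step 1 visible) would fall under the previous section. Keep a heading and the JIT caveat here: it tells the reader that any user who reaches iLMS with a valid assertion gets an account, which is why the Azure AD assignment steps removed at L2214-L2230 matter; confirm those "Create an Azure AD test user" and "Assign the Azure AD test user" sections were re-added elsewhere in the file rather than dropped.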
If you need to create an user manually, then follow below steps:
> [!NOTE] > You can send registration mail to user by selecting **Send Registration Mail** checkbox.
-### Test SSO
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
+
+* Click on **Test this application** in Azure portal. This will redirect to iLMS Sign on URL where you can initiate the login flow.
+
+* Go to iLMS Sign-on URL directly and initiate the login flow from there.
-When you select the iLMS tile in the Access Panel, you should be automatically signed in to the iLMS for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+#### IDP initiated:
-## Additional Resources
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the iLMS for which you set up the SSO.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the iLMS tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the iLMS for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure iLMS you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
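Review bot: L2261 "protects exfiltration and infiltration of your organization's sensitive data" says the opposite of what is meant; suggest "protects against exfiltration and infiltration of your organization's sensitive data". The same line shows "organizationΓÇÖs", which is a UTF-8 apostrophe decoded as cp437; check that the source file contains a plain apostrophe. Minor: L2247 and L2253 use "####" directly under the "##" heading at L2243 (skipping a level), and "the My Apps" at L2257 should be "My Apps".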
active-directory Ip Platform Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/ip-platform-tutorial.md
Previously updated : 03/12/2020 Last updated : 06/09/2021
In this tutorial, you'll learn how to integrate IP Platform with Azure Active Di
* Enable your users to be automatically signed-in to IP Platform with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
## Prerequisites
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* IP Platform supports **SP** initiated SSO
-* IP Platform supports **Just In Time** user provisioning
-* Once you configure IP Platform you can enforce Session Control, which protect exfiltration and infiltration of your organizationΓÇÖs sensitive data in real-time. Session Control extend from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad)
+* IP Platform supports **SP** initiated SSO.
+* IP Platform supports **Just In Time** user provisioning.
-## Adding IP Platform from the gallery
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
+
+## Add IP Platform from the gallery
To configure the integration of IP Platform into Azure AD, you need to add IP Platform from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **IP Platform** in the search box. 1. Select **IP Platform** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. -
-## Configure and test Azure AD single sign-on for IP Platform
+## Configure and test Azure AD SSO for IP Platform
Configure and test Azure AD SSO with IP Platform using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in IP Platform.
-To configure and test Azure AD SSO with IP Platform, complete the following building blocks:
+To configure and test Azure AD SSO with IP Platform, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
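Review bot: the note added at L2277 needs an article and a comma: "The Identifier of this application is a fixed string value, so only one instance can be configured per tenant." It is worth keeping prominent, since it explains why the Basic SAML Configuration later asks only for the Sign-on URL. Also L2283 now runs all six gallery steps onto one line ending in a stray "-"; confirm the source keeps one step per line.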
To configure and test Azure AD SSO with IP Platform, complete the following buil
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **IP Platform** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **IP Platform** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
-1. On the **Basic SAML Configuration** section, enter the values for the following fields:
+1. On the **Basic SAML Configuration** section, perform the following step:
In the **Sign-on URL** text box, type a URL using the following pattern: `https://<SUBDOMAIN>.ipplatform.com`
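Review bot: L2299 switches to the singular "perform the following step", which matches the single Sign-on URL field at L2300, but the reader is left to guess why no Identifier or Reply URL is entered. Add one sentence here tying back to the note at L2277 that the Identifier is a fixed value for this application and must not be changed.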
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **IP Platform**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure IP Platform SSO
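Review bot: L2308 reads "you see "Default Access" role selected"; suggest "you see the "Default Access" role selected". L2309 has "## Configure IP Platform SSO" on the same line as the last list item; confirm a blank line precedes the heading in the source so it is not rendered as part of the list item.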
In this section, a user called Britta Simon is created in IP Platform. IP Platfo
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
-
-When you click the IP Platform tile in the Access Panel, you should be automatically signed in to the IP Platform for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
-
-## Additional resources
+In this section, you test your Azure AD single sign-on configuration with following options.
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+* Click on **Test this application** in Azure portal. This will redirect to IP Platform Sign-on URL where you can initiate the login flow.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+* Go to IP Platform Sign-on URL directly and initiate the login flow from there.
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+* You can use Microsoft My Apps. When you click the IP Platform tile in the My Apps, this will redirect to IP Platform Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [Try IP Platform with Azure AD](https://aad.portal.azure.com/)
+## Next steps
-- [What is session control in Microsoft Cloud App Security?](/cloud-app-security/proxy-intro-aad)
+Once you configure IP Platform you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
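Review bot: L2317 is missing an article: "with the following options". The option list at L2319-L2323 correctly omits an IDP-initiated section, consistent with the SP-only statement at L2273. L2327 should read "protects against exfiltration and infiltration" and shows the "ΓÇÖ" mojibake in "organization's".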
active-directory Itslearning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/itslearning-tutorial.md
In this section, you test your Azure AD single sign-on configuration with follow
* Go to itslearning Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the itslearning tile in the My Apps, this will redirect to itslearning Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the itslearning tile in the My Apps, this will redirect to itslearning Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure itslearning you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
+Once you configure itslearning you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
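Review bot: L2335 points the session-control link at /cloud-app-security/proxy-deployment-any-app, whereas the other tutorials updated in this batch (L2327, L2522) use /cloud-app-security/proxy-deployment-aad; since itslearning is a gallery app with Azure AD SSO, confirm the "-any-app" target is intentional. The retained wording "protects exfiltration and infiltration" should be "protects against exfiltration and infiltration".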
active-directory Jdacloud Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/jdacloud-tutorial.md
Previously updated : 03/25/2019 Last updated : 06/09/2021 # Tutorial: Azure Active Directory integration with JDA Cloud
-In this tutorial, you learn how to integrate JDA Cloud with Azure Active Directory (Azure AD).
-Integrating JDA Cloud with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate JDA Cloud with Azure Active Directory (Azure AD). When you integrate JDA Cloud with Azure AD, you can:
-* You can control in Azure AD who has access to JDA Cloud.
-* You can enable your users to be automatically signed-in to JDA Cloud (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to JDA Cloud.
+* Enable your users to be automatically signed-in to JDA Cloud with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites To configure Azure AD integration with JDA Cloud, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/)
-* JDA Cloud single sign-on enabled subscription
+* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/).
+* JDA Cloud single sign-on enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* JDA Cloud supports **SP and IDP** initiated SSO
+* JDA Cloud supports **SP and IDP** initiated SSO.
-## Adding JDA Cloud from the gallery
+## Add JDA Cloud from the gallery
To configure the integration of JDA Cloud into Azure AD, you need to add JDA Cloud from the gallery to your list of managed SaaS apps.
-**To add JDA Cloud from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **JDA Cloud**, select **JDA Cloud** from result panel then click **Add** button to add the application.
-
- ![JDA Cloud in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **JDA Cloud** in the search box.
+1. Select **JDA Cloud** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-In this section, you configure and test Azure AD single sign-on with JDA Cloud based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in JDA Cloud needs to be established.
+## Configure and test Azure AD SSO for JDA Cloud
-To configure and test Azure AD single sign-on with JDA Cloud, you need to complete the following building blocks:
+Configure and test Azure AD SSO with JDA Cloud using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in JDA Cloud.
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure JDA Cloud Single Sign-On](#configure-jda-cloud-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create JDA Cloud test user](#create-jda-cloud-test-user)** - to have a counterpart of Britta Simon in JDA Cloud that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+To configure and test Azure AD SSO with JDA Cloud, perform the following steps:
-### Configure Azure AD single sign-on
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure JDA Cloud SSO](#configure-jda-cloud-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create JDA Cloud test user](#create-jda-cloud-test-user)** - to have a counterpart of B.Simon in JDA Cloud that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+## Configure Azure AD SSO
-To configure Azure AD single sign-on with JDA Cloud, perform the following steps:
+Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **JDA Cloud** application integration page, select **Single sign-on**.
+1. In the Azure portal, on the **JDA Cloud** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Configure single sign-on link](common/select-sso.png)
-
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
-
- ![Single sign-on select mode](common/select-saml-option.png)
-
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, perform the following steps:
- ![Screenshot shows the Basic SAML Configuration, where you can enter Reply U R L, and select Save.](common/idp-intiated.png)
- a. In the **Identifier** text box, type a URL using the following pattern: `https://<SUBDOMAIN>.jdadelivers.com`
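Review bot: L2425 removes the IDP-initiated step "a. In the Identifier text box ... `https://<SUBDOMAIN>.jdadelivers.com`" and no replacement appears in this hunk, while L2423 still says "perform the following steps" and the note at L2432 still refers to "the actual Identifier, Reply URL and Sign-on URL"; confirm the Identifier and Reply URL steps were re-added under the new indentation. The renamed anchors at L2399-L2404 (#configure-jda-cloud-sso, #test-sso) do match the new headings at L2486 and L2504.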
To configure Azure AD single sign-on with JDA Cloud, perform the following steps
5. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
- ![Screenshot shows Set additional U R Ls where you can enter a Sign on U R L.](common/metadata-upload-additional-signon.png)
- In the **Sign-on URL** text box, type a URL using the following pattern:
- `https://ssonp-dl2.jdadelivers.com/sp/startSSO.ping?PartnerIdpId=<Azure AD Identifier>`
+ `https://ssonp-dl2.jdadelivers.com/sp/startSSO.ping?PartnerIdpId=<AZURE_AD_IDENTIFIER>`
> [!NOTE] > These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. You will get the **Azure AD Identifier** value from the **Set up JDA Cloud** section. Contact [JDA Cloud Client support team](https://support.jda.com/) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
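Review bot: with the placeholder renamed to `<AZURE_AD_IDENTIFIER>` at L2431, the note at L2432 becomes contradictory: it says the Azure AD Identifier comes from the "Set up JDA Cloud" section of the portal, then says to contact JDA Cloud support "to get these values". Scope the last sentence to the JDA-side values (the `<SUBDOMAIN>` for the Identifier and Reply URL), since the Azure AD Identifier is never obtained from JDA.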
To configure Azure AD single sign-on with JDA Cloud, perform the following steps
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
-
- b. Azure AD Identifier
-
- c. Logout URL
-
-### Configure JDA Cloud Single Sign-On
-
-To configure single sign-on on **JDA Cloud** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [JDA Cloud support team](https://support.jda.com/). They set this setting to have the SAML SSO connection set properly on both sides.
- ### Create an Azure AD test user
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type `brittasimon@yourcompanydomain.extension`
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
+In this section, you'll create a test user in the Azure portal called B.Simon.
- d. Click **Create**.
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
### Assign the Azure AD test user
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to JDA Cloud.
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to JDA Cloud.
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **JDA Cloud**.
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **JDA Cloud**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
- ![Enterprise applications blade](common/enterprise-applications.png)
+## Configure JDA Cloud SSO
-2. In the applications list, select **JDA Cloud**.
-
- ![The JDA Cloud link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
+To configure single sign-on on **JDA Cloud** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [JDA Cloud support team](https://support.jda.com/). They set this setting to have the SAML SSO connection set properly on both sides.
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
+### Create JDA Cloud test user
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
+In this section, you create a user called Britta Simon in JDA Cloud. Work with [JDA Cloud support team](https://support.jda.com/) to add the users in the JDA Cloud platform. Users must be created and activated before you use single sign-on.
-7. In the **Add Assignment** dialog click the **Assign** button.
+## Test SSO
-### Create JDA Cloud test user
+In this section, you test your Azure AD single sign-on configuration with following options.
-In this section, you create a user called Britta Simon in JDA Cloud. Work with [JDA Cloud support team](https://support.jda.com/) to add the users in the JDA Cloud platform. Users must be created and activated before you use single sign-on.
+#### SP initiated:
-### Test single sign-on
+* Click on **Test this application** in Azure portal. This will redirect to JDA Cloud Sign on URL where you can initiate the login flow.
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+* Go to JDA Cloud Sign-on URL directly and initiate the login flow from there.
-When you click the JDA Cloud tile in the Access Panel, you should be automatically signed in to the JDA Cloud for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+#### IDP initiated:
-## Additional resources
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the JDA Cloud for which you set up the SSO.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the JDA Cloud tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the JDA Cloud for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure JDA Cloud you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
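Review bot: L2502 creates the JDA Cloud test user as "Britta Simon", but the Azure AD test user created at L2470-L2471 is `B.Simon` and L2390/L2403 say the JDA Cloud counterpart must be linked to B.Simon; use the same name, since the link between the two user records is what SSO depends on. Second, L2435-L2439 remove the list naming the three values to copy (Login URL, Azure AD Identifier, Logout URL), yet L2498 still says to send the "appropriate copied URLs" to JDA support and L2432 still points to this section for the Azure AD Identifier; keep that list. Also L2522 should read "protects against exfiltration and infiltration", and L2508/L2514 use "####" directly under a "##" heading.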
active-directory Knowledge Anywhere Lms Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/knowledge-anywhere-lms-tutorial.md
Previously updated : 05/22/2019 Last updated : 06/09/2021
In this tutorial, you'll learn how to integrate Knowledge Anywhere LMS with Azur
* Enable your users to be automatically signed-in to Knowledge Anywhere LMS with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
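Review bot: L2528 shows "## Prerequisites" on a removed line, merged with the unchanged "To get started" sentence that reappears as context at L2529; confirm only the blank line was removed and the Prerequisites heading is still present in the source.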
To get started, you need the following items:
## Scenario description
-In this tutorial, you configure and test Azure AD SSO in a test environment. Knowledge Anywhere LMS supports **SP** initiated SSO and supports **Just In Time** user provisioning.
+In this tutorial, you configure and test Azure AD SSO in a test environment.
+* Knowledge Anywhere LMS supports **SP** initiated SSO.
+* Knowledge Anywhere LMS supports **Just In Time** user provisioning.
-## Adding Knowledge Anywhere LMS from the gallery
+## Add Knowledge Anywhere LMS from the gallery
To configure the integration of Knowledge Anywhere LMS into Azure AD, you need to add Knowledge Anywhere LMS from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Knowledge Anywhere LMS** in the search box. 1. Select **Knowledge Anywhere LMS** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on
+## Configure and test Azure AD SSO for Knowledge Anywhere LMS
-Configure and test Azure AD SSO with Knowledge Anywhere LMS using a test user called **B. Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Knowledge Anywhere LMS.
+Configure and test Azure AD SSO with Knowledge Anywhere LMS using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Knowledge Anywhere LMS.
-To configure and test Azure AD SSO with Knowledge Anywhere LMS, complete the following building blocks:
+To configure and test Azure AD SSO with Knowledge Anywhere LMS, perform the following steps:
-1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** to enable your users to use this feature.
-2. **[Configure Knowledge Anywhere LMS](#configure-knowledge-anywhere-lms)** to configure the SSO settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** to test Azure AD single sign-on with B. Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** to enable B. Simon to use Azure AD single sign-on.
-5. **[Create Knowledge Anywhere LMS test user](#create-knowledge-anywhere-lms-test-user)** to have a counterpart of B. Simon in Knowledge Anywhere LMS that is linked to the Azure AD representation of user.
-6. **[Test SSO](#test-sso)** to verify whether the configuration works.
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Knowledge Anywhere LMS SSO](#configure-knowledge-anywhere-lms-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Knowledge Anywhere LMS test user](#create-knowledge-anywhere-lms-test-user)** - to have a counterpart of B.Simon in Knowledge Anywhere LMS that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-### Configure Azure AD SSO
+## Configure Azure AD SSO
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Knowledge Anywhere LMS** application integration page, find the **Manage** section and select **Single sign-on**.
+1. In the Azure portal, on the **Knowledge Anywhere LMS** application integration page, find the **Manage** section and select **Single sign-on**.
1. On the **Select a Single sign-on method** page, select **SAML**.
-1. On the **Set up Single Sign-On with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up Single Sign-On with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png) 1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, perform the following steps: 1. In the **Identifier** text box, type a URL using the following pattern:
- `https://<CLIENTNAME>.knowledgeanywhere.com/`
+ `https://<CLIENT_NAME>.knowledgeanywhere.com/`
1. In the **Reply URL** text box, type a URL using the following pattern:
- `https://<CLIENTNAME>.knowledgeanywhere.com/SSO/SAML/Response.aspx?<IDPNAME>`
+ `https://<CLIENT_NAME>.knowledgeanywhere.com/SSO/SAML/Response.aspx?<IDP_NAME>`
> [!NOTE]
- > These values are not real. Update these values with the actual Identifier and Reply URL, which is explained later in the tutorial.
+ > These values are not real. Update these values with the actual Identifier and Reply URL which is explained later in the tutorial.
1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
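Review bot: the rewritten intro lists only one mode (`+* Knowledge Anywhere LMS supports **SP** initiated SSO.`), yet the Basic SAML Configuration step still frames the Identifier and Reply URL as something to fill in only "if you wish to configure the application in **IDP** initiated mode", and the Test SSO section at the end offers only SP-initiated options. Either add IDP-initiated SSO to the intro, or reword step 4 so the reader does not skip it: Azure AD needs the Identifier (the SAML audience) and the Reply URL (the assertion consumer endpoint) in both modes, and an SP-initiated setup additionally needs the Sign-on URL entered under **Set additional URLs**. As written, an SP-only reader may leave the Identifier and Reply URL unset and then get a failed sign-in with no hint as to why.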
Follow these steps to enable Azure AD SSO in the Azure portal.
![Copy configuration URLs](common/copy-configuration-urls.png)
-### Configure Knowledge Anywhere LMS
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B. Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B. Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `BrittaSimon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
+
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Knowledge Anywhere LMS.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Knowledge Anywhere LMS**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure Knowledge Anywhere LMS SSO
1. To automate the configuration within Knowledge Anywhere LMS, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**.
Follow these steps to enable Azure AD SSO in the Azure portal.
4. Select on the **Site** tab.
- ![Screenshot shows the Site tab.](./media/knowledge-anywhere-lms-tutorial/configure1.png)
+ ![Screenshot shows the Site tab.](./media/knowledge-anywhere-lms-tutorial/site.png)
5. Select on the **SAML Settings** tab.
- ![Screenshot shows the Knowledge anywhere page with SAML Settings selected.](./media/knowledge-anywhere-lms-tutorial/configure2.png)
+ ![Screenshot shows the Knowledge anywhere page with SAML Settings selected.](./media/knowledge-anywhere-lms-tutorial/settings.png)
6. Click on the **Add New**.
- ![Screenshot shows the Add New button in Service Provider Settings.](./media/knowledge-anywhere-lms-tutorial/configure3.png)
+ ![Screenshot shows the Add New button in Service Provider Settings.](./media/knowledge-anywhere-lms-tutorial/add-settings.png)
7. On the **Add/Update SAML Settings** page, perform the following steps:
- ![Screenshot shows the Add/Update SAML Settings page where you can make the changes described here.](./media/knowledge-anywhere-lms-tutorial/configure4.png)
+ ![Screenshot shows the Add/Update SAML Settings page where you can make the changes described here.](./media/knowledge-anywhere-lms-tutorial/update-settings.png)
a. Enter the IDP Name as per your organization. For ex:- `Azure`.
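Review bot: the Reply URL pattern given earlier, `https://<CLIENT_NAME>.knowledgeanywhere.com/SSO/SAML/Response.aspx?<IDP_NAME>`, and step 7a, "Enter the IDP Name as per your organization. For ex:- `Azure`", are never tied together. State that the `<IDP_NAME>` query string in the Azure AD Reply URL must be the exact value entered as IDP Name in 7a (`?Azure` for the example), since Azure AD will only post assertions to a Reply URL that matches one registered on the app; if the LMS derives its assertion consumer URL from that name, a mismatch surfaces as a rejected response rather than as an obvious configuration error. Also, the screenshot references change from `configure1.png` through `configure4.png` to `site.png`, `settings.png`, `add-settings.png` and `update-settings.png`; confirm the files under `media/knowledge-anywhere-lms-tutorial/` are renamed in the same commit, otherwise all four images break.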
Follow these steps to enable Azure AD SSO in the Azure portal.
i. Click **Save**.
-### Create an Azure AD test user
-
-In this section, you'll create a test user in the Azure portal called B. Simon.
-
-1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
-1. Select **New user** at the top of the screen.
-1. In the **User** properties, follow these steps:
- 1. In the **Name** field, enter `B. Simon`.
- 1. In the **User name** field, enter the username@companydomain.extension. For example, `BrittaSimon@contoso.com`.
- 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
- 1. Click **Create**.
-
-### Assign the Azure AD test user
-
-In this section, you'll enable B. Simon to use Azure single sign-on by granting access to Knowledge Anywhere LMS.
-
-1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
-1. In the applications list, select **Knowledge Anywhere LMS**.
-1. In the app's overview page, find the **Manage** section and select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add User link](common/add-assign-user.png)
-
-1. In the **Users and groups** dialog, select **B. Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
-1. In the **Add Assignment** dialog, click the **Assign** button.
- ### Create Knowledge Anywhere LMS test user In this section, a user called B. Simon is created in Knowledge Anywhere LMS. Knowledge Anywhere LMS supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Knowledge Anywhere LMS, a new one is created after authentication.
-### Test SSO
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you select the Knowledge Anywhere LMS tile in the Access Panel, you should be automatically signed in to the Knowledge Anywhere LMS for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to Knowledge Anywhere LMS Sign-on URL where you can initiate the login flow.
-## Additional Resources
+* Go to Knowledge Anywhere LMS Sign-on URL directly and initiate the login flow from there.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the Knowledge Anywhere LMS tile in the My Apps, this will redirect to Knowledge Anywhere LMS Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Knowledge Anywhere LMS you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
active-directory Leadfamly Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/leadfamly-tutorial.md
In this section, you test your Azure AD single sign-on configuration with follow
* Go to Leadfamly Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the Leadfamly tile in the My Apps, this will redirect to Leadfamly Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the Leadfamly tile in the My Apps, this will redirect to Leadfamly Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Leadfamly you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
+Once you configure Leadfamly you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory Lessonly Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/lessonly-tutorial.md
In this section, you test your Azure AD single sign-on configuration with follow
* Go to Lesson.ly Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the Lesson.ly tile in the My Apps, this will redirect to Lesson.ly Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the Lesson.ly tile in the My Apps, this will redirect to Lesson.ly Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Lesson.ly you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
+Once you configure Lesson.ly you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory Limblecmms Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/limblecmms-provisioning-tutorial.md
+
+ Title: 'Tutorial: Configure LimbleCMMS for automatic user provisioning with Azure Active Directory | Microsoft Docs'
+description: Learn how to automatically provision and de-provision user accounts from Azure AD to LimbleCMMS.
+
+documentationcenter: ''
+
+writer: Zhchia
++
+ms.assetid: 5e0d5369-7230-4a16-bc3f-9eac2bc80a8c
+++
+ na
+ms.devlang: na
+ Last updated : 06/07/2021+++
+# Tutorial: Configure LimbleCMMS for automatic user provisioning
+
+This tutorial describes the steps you need to perform in both LimbleCMMS and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [LimbleCMMS](https://limblecmms.com/) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../app-provisioning/user-provisioning.md).
++
+## Capabilities Supported
+> [!div class="checklist"]
+> * Create users in LimbleCMMS.
+> * Remove users in LimbleCMMS when they do not require access anymore.
+> * Creates groups in LimbleCMMS.
+> * Adds/Removes users from groups in LimbleCMMS
+> * Removes groups in LimbleCMMS
+> * Keep user attributes synchronized between Azure AD and LimbleCMMS.
+> * Provision groups and group memberships in LimbleCMMS.
+> * [Single sign-on](../manage-apps/add-application-portal-setup-oidc-sso.md) to LimbleCMMS (recommended).
+
+## Prerequisites
+
+The scenario outlined in this tutorial assumes that you already have the following prerequisites:
+
+* [An Azure AD tenant](../develop/quickstart-create-new-tenant.md).
+* A user account in Azure AD with [permission](../roles/permissions-reference.md) to configure provisioning (for example, Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator).
+* A [LimbleCMMS](https://limblecmms.com/signup/?plan=business-yearly) tenant with Business Plus or above licensing.
+* A user account in LimbleCMMS with Super Admin permissions.
+* Single Sign On to be enabled in your LimbleCMMS tenant (contact your Customer Success Manager).
+* At least one group you plan on provisioning to LimbleCMMS (permissions in LimbleCMMS are based on groups, if you do not provision a group then the users that are provisioned will not have any permissions associated with them).
++
+## Step 1. Plan your provisioning deployment
+1. Learn about [how the provisioning service works](../app-provisioning/user-provisioning.md).
+1. Determine who will be in [scope for provisioning](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
+1. Determine what data to [map between Azure AD and LimbleCMMS](../app-provisioning/customize-application-attributes.md).
+
+## Step 2. Configure LimbleCMMS to support provisioning with Azure AD
+
+1. Login to LimbleCMMS as a **Super Admin**.
+1. Navigate to **Advanced Settings > Manage SSO**.
+ ![Manage SSO](media/limblecmms-provisioning-tutorial/limble-manage-sso.png)
+1. Select **Azure Active Directory** as your SSO Provider.
+1. [Setup OIDC](https://help.limblecmms.com/en/articles/4446986-active-directory-oidc-sso-setup-guide) to support Single Sign On
+1. Click the **Generate SCIM Token** button to retrieve your SCIM token, save this for a future step.
+1. Click **"Enable SSO"**.
+
+## Step 3. Add LimbleCMMS from the Azure AD application gallery
+
+Add LimbleCMMS from the Azure AD application gallery to start managing provisioning to LimbleCMMS. If you have previously setup LimbleCMMS for SSO you can use the same application. However it is recommended that you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](../manage-apps/add-application-portal.md).
+
+## Step 4. Define who will be in scope for provisioning
+
+The Azure AD provisioning service allows you to scope who will be provisioned based on assignment to the application and or based on attributes of the user / group. If you choose to scope who will be provisioned to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users and groups to the application. If you choose to scope who will be provisioned based solely on attributes of the user or group, you can use a scoping filter as described [here](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
+
+* When assigning users and groups to LimbleCMMS, you must select a role other than **Default Access**. Users with the Default Access role are excluded from provisioning and will be marked as not effectively entitled in the provisioning logs. If the only role available on the application is the default access role, you can [update the application manifest](../develop/howto-add-app-roles-in-azure-ad-apps.md) to add additional roles.
+
+* Start small. Test with a small set of users and groups before rolling out to everyone. When scope for provisioning is set to assigned users and groups, you can control this by assigning one or two users or groups to the app. When scope is set to all users and groups, you can specify an [attribute based scoping filter](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
++
+## Step 5. Configure automatic user provisioning to LimbleCMMS
+
+This section guides you through the steps to configure the Azure AD provisioning service to create, update, and disable users and/or groups in LimbleCMMS based on user and/or group assignments in Azure AD.
+
+### To configure automatic user provisioning for LimbleCMMS in Azure AD:
+
+1. Sign in to the [Azure portal](https://portal.azure.com). Select **Enterprise Applications**, then select **All applications**.
+
+ ![Enterprise applications blade](common/enterprise-applications.png)
+
+1. In the applications list, select **LimbleCMMS**.
+
+ ![The LimbleCMMS link in the Applications list](common/all-applications.png)
+
+1. Select the **Provisioning** tab.
+
+ ![Provisioning tab](common/provisioning.png)
+
+1. Set the **Provisioning Mode** to **Automatic**.
+
+ ![Provisioning tab automatic](common/provisioning-automatic.png)
+
+1. In the **Admin Credentials** section, input your LimbleCMMS **Tenant URL** and **Secret Token**. Click **Test Connection** to ensure Azure AD can connect to LimbleCMMS.
+
+ ![Token](common/provisioning-testconnection-tenanturltoken.png)
+
+1. In the **Notification Email** field, enter the email address of a person or group who should receive the provisioning error notifications and select the **Send an email notification when a failure occurs** check box.
+
+ ![Notification Email](common/provisioning-notification-email.png)
+
+1. Select **Save**.
+
+1. In the **Mappings** section, select **Synchronize Azure Active Directory Users to LimbleCMMS**.
+
+1. Review the user attributes that are synchronized from Azure AD to LimbleCMMS in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in LimbleCMMS for update operations. If you choose to change the [matching target attribute](../app-provisioning/customize-application-attributes.md), you will need to ensure that the LimbleCMMS SCIM API supports filtering users based on that attribute. Select the **Save** button to commit any changes.
+
+ |Attribute|Type|Supported for filtering|
+ ||||
+ |userName|String|&check;
+ |active|Boolean|
+ |emails[type eq "work"].value|String|
+ |name.givenName|String|
+ |name.familyName|String|
+ |externalId|String|
++
+1. In the **Mappings** section, select **Synchronize Azure Active Directory Groups to LimbleCMMS**.
+
+1. Review the group attributes that are synchronized from Azure AD to LimbleCMMS in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the groups in LimbleCMMS for update operations. Select the **Save** button to commit any changes.
+
+ |Attribute|Type|Supported for filtering|
+ ||||
+ |displayName|String|&check;
+ |members|Reference|
+ |externalId|String|
+
+1. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
+
+1. To enable the Azure AD provisioning service for LimbleCMMS, change the **Provisioning Status** to **On** in the **Settings** section.
+
+ ![Provisioning Status Toggled On](common/provisioning-toggle-on.png)
+
+1. Define the users and/or groups that you would like to provision to LimbleCMMS by choosing the desired values in **Scope** in the **Settings** section.
+
+ ![Provisioning Scope](common/provisioning-scope.png)
+
+1. When you are ready to provision, click **Save**.
+
+ ![Saving Provisioning Configuration](common/provisioning-configuration-save.png)
+
+This operation starts the initial synchronization cycle of all users and groups defined in **Scope** in the **Settings** section. The initial cycle takes longer to perform than subsequent cycles, which occur approximately every 40 minutes as long as the Azure AD provisioning service is running.
+
+## Step 6. Monitor your deployment
+Once you've configured provisioning, use the following resources to monitor your deployment:
+
+* Use the [provisioning logs](../reports-monitoring/concept-provisioning-logs.md) to determine which users have been provisioned successfully or unsuccessfully
+* Check the [progress bar](../app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md) to see the status of the provisioning cycle and how close it is to completion
+* If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. Learn more about quarantine states [here](../app-provisioning/application-provisioning-quarantine-status.md).
+
+## More resources
+
+* [Managing user account provisioning for Enterprise Apps](../app-provisioning/configure-automatic-user-provisioning-portal.md)
+* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+
+## Next steps
+
+* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md)
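Review bot: Step 5 tells the reader to "input your LimbleCMMS **Tenant URL** and **Secret Token**", but Step 2 only yields the token ("Click the **Generate SCIM Token** button to retrieve your SCIM token, save this for a future step") and never says what the Tenant URL (the SCIM base endpoint) is or where LimbleCMMS shows it, so **Test Connection** cannot succeed from these instructions alone; add the endpoint, or where to copy it from, to Step 2. The same step should treat the SCIM token as a credential rather than a value to "save for a future step": it is a bearer secret that lets its holder create, change and delete every user and group in the LimbleCMMS tenant, so advise keeping it in a secret store, limiting who can generate it (the step already requires Super Admin), and say whether generating a new token invalidates the previous one so readers know how to rotate it. Minor: the **Capabilities Supported** list is redundant and inconsistent in form; "Creates groups in LimbleCMMS.", "Adds/Removes users from groups in LimbleCMMS" and "Removes groups in LimbleCMMS" restate "Provision groups and group memberships in LimbleCMMS." and mix third-person with the imperative used by the other bullets; collapse them into one imperative bullet with a trailing period.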
active-directory Ms Azure Sso Access For Ethidex Compliance Office Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/ms-azure-sso-access-for-ethidex-compliance-office-tutorial.md
In this section, you test your Azure AD single sign-on configuration with follow
* Click on Test this application in Azure portal and you should be automatically signed in to the Ethidex Compliance OfficeΓäó for which you set up the SSO
-* You can use Microsoft My Apps. When you click the Ethidex Compliance OfficeΓäó tile in the My Apps, you should be automatically signed in to the Ethidex Compliance OfficeΓäó for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the Ethidex Compliance OfficeΓäó tile in the My Apps, you should be automatically signed in to the Ethidex Compliance OfficeΓäó for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Ethidex Compliance OfficeΓäó you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
+Once you configure Ethidex Compliance OfficeΓäó you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory Namely Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/namely-tutorial.md
In this section, you test your Azure AD single sign-on configuration with follow
* Go to Namely Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the Namely tile in the My Apps, this will redirect to Namely Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the Namely tile in the My Apps, this will redirect to Namely Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Namely you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
+Once you configure Namely you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory Neogov Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/neogov-tutorial.md
Previously updated : 10/14/2019 Last updated : 06/08/2021
In this tutorial, you'll learn how to integrate NEOGOV with Azure Active Directo
* Enable your users to be automatically signed-in to NEOGOV with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* NEOGOV supports **IDP** initiated SSO
+* NEOGOV supports **IDP** initiated SSO.
+
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-## Adding NEOGOV from the gallery
+## Add NEOGOV from the gallery
To configure the integration of NEOGOV into Azure AD, you need to add NEOGOV from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **NEOGOV** in the search box. 1. Select **NEOGOV** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. -
-## Configure and test Azure AD single sign-on for NEOGOV
+## Configure and test Azure AD SSO for NEOGOV
Configure and test Azure AD SSO with NEOGOV using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in NEOGOV.
-To configure and test Azure AD SSO with NEOGOV, complete the following building blocks:
+To configure and test Azure AD SSO with NEOGOV, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
- * **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
- * **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
1. **[Configure NEOGOV SSO](#configure-neogov-sso)** - to configure the single sign-on settings on application side.
- * **[Create NEOGOV test user](#create-neogov-test-user)** - to have a counterpart of B.Simon in NEOGOV that is linked to the Azure AD representation of user.
+ 1. **[Create NEOGOV test user](#create-neogov-test-user)** - to have a counterpart of B.Simon in NEOGOV that is linked to the Azure AD representation of user.
1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ## Configure Azure AD SSO Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **NEOGOV** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **NEOGOV** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
-1. On the **Set up single sign-on with SAML** page, enter the values for the following fields:
+1. On the **Set up single sign-on with SAML** page, perform the following steps:
- a. In the **Identifier** text box, type a URL using the following pattern:
+ a. In the **Identifier** text box, type one of the following URLs:
| Environment | URL pattern | | -- | -- |
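Review bot: the Identifier table's column header still says "URL pattern" while the rewritten step "a." now tells the reader to "type one of the following URLs", and the rows hold literal values (the Sandbox row is `https://www.uat.neogov.net/`), so one of the two should change: either rename the header to "URL" or keep "type a URL using the following pattern". Whichever you pick, apply it to the Reply URL table in the next step as well so the two tables read the same.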
Follow these steps to enable Azure AD SSO in the Azure portal.
| Sandbox | `https://www.uat.neogov.net/` | | | |
- b. In the **Reply URL** text box, type a URL using the following pattern:
+ b. In the **Reply URL** text box, type one of the following URLs:
| Environment | URL pattern | | -- | -- |
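Review bot: the Reply URL step should tell the reader to register only the environment being onboarded rather than both rows. Azure AD delivers the SAML response only to Reply URLs registered here, so listing the sandbox assertion consumer URL on a production integration allows an assertion for a production user to be posted to the sandbox endpoint. Suggest adding after the table: "Enter only the Reply URL for the environment you are configuring."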
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **NEOGOV**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure NEOGOV SSO
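Review bot: the rewritten role step drops the one fact that makes the choice matter, that the selected role is what Azure AD emits as the role claim in the SAML assertion; the old sentence said so and the new one does not. Suggest: "If the application expects a role value in the SAML assertion, select it from the **Select a role** dropdown. If no role has been set up for this app, the "Default Access" role is selected." That wording also fixes the missing article in 'you see "Default Access" role selected'.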
In this section, you create a user called B.Simon in NEOGOV. Work with [NEOGOV
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
-
-When you click the NEOGOV tile in the Access Panel, you should be automatically signed in to the NEOGOV for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
-
-## Additional resources
+In this section, you test your Azure AD single sign-on configuration with following options.
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+* Click on Test this application in Azure portal and you should be automatically signed in to the NEOGOV for which you set up the SSO.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+* You can use Microsoft My Apps. When you click the NEOGOV tile in the My Apps, you should be automatically signed in to the NEOGOV for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+## Next steps
-- [Try NEOGOV with Azure AD](https://aad.portal.azure.com/)
+Once you configure NEOGOV you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
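Review bot: in the first Test SSO bullet, **Test this application** is a portal button and should be bold like every other UI element in this tutorial; the same bullet also reads "signed in to the NEOGOV", and the lead sentence "with following options" is missing "the". Suggest: "* Click **Test this application** in the Azure portal and you should be automatically signed in to NEOGOV, for which you set up SSO." and "In this section, you test your Azure AD single sign-on configuration with the following options."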
active-directory Netop Portal Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/netop-portal-tutorial.md
Previously updated : 10/18/2019 Last updated : 06/08/2021
In this tutorial, you'll learn how to integrate Netop Portal with Azure Active D
* Enable your users to be automatically signed-in to Netop Portal with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Netop Portal supports **IDP** initiated SSO
+* Netop Portal supports **IDP** initiated SSO.
> [!NOTE] > Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-## Adding Netop Portal from the gallery
+## Add Netop Portal from the gallery
To configure the integration of Netop Portal into Azure AD, you need to add Netop Portal from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Netop Portal** in the search box. 1. Select **Netop Portal** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. -
-## Configure and test Azure AD single sign-on for Netop Portal
+## Configure and test Azure AD SSO for Netop Portal
Configure and test Azure AD SSO with Netop Portal using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Netop Portal.
-To configure and test Azure AD SSO with Netop Portal, complete the following building blocks:
+To configure and test Azure AD SSO with Netop Portal, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
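Review bot: two grammar slips survive in the gallery steps that this hunk rewrites: "To add new application" should be "To add a new application", and "Select **Netop Portal** from results panel" should be "from the results panel". The trailing "-" after "added to your tenant." also looks like residue from a deleted blank line; check the rendered page shows no stray hyphen there.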
To configure and test Azure AD SSO with Netop Portal, complete the following bui
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Netop Portal** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **Netop Portal** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set-up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set-up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
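Review bot: the third step names the page **Set-up single sign-on with SAML** with a hyphen, but the Azure portal titles it "Set up single sign-on with SAML", which is also the form the NEOGOV tutorial in this same change uses. Since this is bold UI text that readers match against the screen, drop the hyphen in the line being rewritten.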
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **Netop Portal**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure Netop Portal SSO
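Review bot: this Users and groups block is now word for word the same as the NEOGOV and Pendo blocks touched in this change, and the images it dropped already lived in the shared `common/` folder. Consider moving the block into a shared include so the next wording change (such as the missing article in 'you see "Default Access" role selected') does not need one edit per tutorial.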
In this section, you create a user called Britta Simon in Netop Portal. Work wit
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
-
-When you click the Netop Portal tile in the Access Panel, you should be automatically signed in to the Netop Portal for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
-
-## Additional resources
+In this section, you test your Azure AD single sign-on configuration with following options.
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+* Click on Test this application in Azure portal and you should be automatically signed in to the Netop Portal for which you set up the SSO.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+* You can use Microsoft My Apps. When you click the Netop Portal tile in the My Apps, you should be automatically signed in to the Netop Portal for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+## Next steps
-- [Try Netop Portal with Azure AD](https://aad.portal.azure.com/)
+Once you configure Netop Portal you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
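Review bot: the Next steps link here targets `/cloud-app-security/proxy-deployment-aad`, while the O.C. Tanner tutorial in the same change keeps `/cloud-app-security/proxy-deployment-any-app`; those two pages describe different onboarding paths (featured gallery apps versus any web app). Confirm which one applies to Netop Portal and use it consistently across the tutorials touched here, since the paragraph around the link is otherwise identical.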
active-directory Oc Tanner Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/oc-tanner-tutorial.md
In this section, you test your Azure AD single sign-on configuration with follow
* Click on Test this application in Azure portal and you should be automatically signed in to the O.C. Tanner - AppreciateHub for which you set up the SSO.
-* You can use Microsoft My Apps. When you click the O.C. Tanner - AppreciateHub tile in the My Apps, you should be automatically signed in to the O.C. Tanner - AppreciateHub for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the O.C. Tanner - AppreciateHub tile in the My Apps, you should be automatically signed in to the O.C. Tanner - AppreciateHub for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure O.C. Tanner - AppreciateHub you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
+Once you configure O.C. Tanner - AppreciateHub you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
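Review bot: both the removed and the added version of the Next steps line carry `organizationΓÇÖs`, a curly apostrophe whose UTF-8 bytes were decoded as a single-byte code page, and it will render literally on the page. Since the line is being edited anyway, replace it with `organization's`. The same sequence appears in the NEOGOV, Netop Portal and Origami Next steps lines in this change.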
active-directory Origami Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/origami-tutorial.md
Previously updated : 03/14/2019 Last updated : 06/08/2021 # Tutorial: Azure Active Directory integration with Origami
-In this tutorial, you learn how to integrate Origami with Azure Active Directory (Azure AD).
-Integrating Origami with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Origami with Azure Active Directory (Azure AD). When you integrate Origami with Azure AD, you can:
-* You can control in Azure AD who has access to Origami.
-* You can enable your users to be automatically signed-in to Origami (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Origami.
+* Enable your users to be automatically signed-in to Origami with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with Origami, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* Origami single sign-on enabled subscription
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Origami single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* Origami supports **SP** initiated SSO
-
-## Adding Origami from the gallery
-
-To configure the integration of Origami into Azure AD, you need to add Origami from the gallery to your list of managed SaaS apps.
-
-**To add Origami from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **Origami**, select **Origami** from result panel then click **Add** button to add the application.
+* Origami supports **SP** initiated SSO.
- ![Origami in the results list](common/search-new-app.png)
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-## Configure and test Azure AD single sign-on
+## Add Origami from the gallery
-In this section, you configure and test Azure AD single sign-on with Origami based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Origami needs to be established.
-
-To configure and test Azure AD single sign-on with Origami, you need to complete the following building blocks:
-
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure Origami Single Sign-On](#configure-origami-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Origami test user](#create-origami-test-user)** - to have a counterpart of Britta Simon in Origami that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+To configure the integration of Origami into Azure AD, you need to add Origami from the gallery to your list of managed SaaS apps.
-### Configure Azure AD single sign-on
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Origami** in the search box.
+1. Select **Origami** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+## Configure and test Azure AD SSO for Origami
-To configure Azure AD single sign-on with Origami, perform the following steps:
+Configure and test Azure AD SSO with Origami using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Origami.
-1. In the [Azure portal](https://portal.azure.com/), on the **Origami** application integration page, select **Single sign-on**.
+To configure and test Azure AD SSO with Origami, perform the following steps:
- ![Configure single sign-on link](common/select-sso.png)
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Origami SSO](#configure-origami-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Origami test user](#create-origami-test-user)** - to have a counterpart of B.Simon in Origami that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+## Configure Azure AD SSO
- ![Single sign-on select mode](common/select-saml-option.png)
+Follow these steps to enable Azure AD SSO in the Azure portal.
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
+1. In the Azure portal, on the **Origami** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, perform the following steps:
- ![Origami Domain and URLs single sign-on information](common/sp-signonurl.png)
- In the **Sign-on URL** text box, type a URL using the following pattern:
- `https://live.origamirisk.com/origami/account/login?account=<companyname>`
+ `https://live.origamirisk.com/origami/account/login?account=<COMPANY_NAME>`
> [!NOTE] > The value is not real. Update the value with the actual Sign-On URL. Contact [Origami Client support team](https://wordpress.org/support/theme/origami) to get the value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
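Review bot: the support link in the NOTE after the Sign-on URL, `https://wordpress.org/support/theme/origami`, goes to the support forum of a WordPress theme called Origami, not to the vendor of the application being configured (the Sign-on URL is on `live.origamirisk.com`), so readers asked to obtain their tenant-specific URL are sent to an unrelated site; replace it with the Origami Risk support contact. Separately, the NOTE added to the Scenario description claims the Identifier is a fixed string so only one instance can be configured per tenant, but the Basic SAML Configuration shown sets only a per-company Sign-on URL; verify that against the gallery app before publishing that restriction.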
To configure Azure AD single sign-on with Origami, perform the following steps:
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
- b. Azure AD Identifier
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
- c. Logout URL
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Origami.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Origami**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
-### Configure Origami Single Sign-On
+## Configure Origami SSO
1. Log in to the Origami account with Admin rights. 2. In the menu on the top, click **Admin**.
- ![Screenshot that shows the Origami home page with "Admin" selected.](./media/origami-tutorial/tutorial_origami_51.png)
+ ![Screenshot that shows the Origami home page with "Admin" selected.](./media/origami-tutorial/admin.png)
3. On the Single Sign On Setup dialog page, perform the following steps:
- ![Screenshot that shows the "Single Sign On Setup" page with "Enable Single Sign-on" selected, and the text boxes highlighted.](./media/origami-tutorial/tutorial_origami_531.png)
+ ![Screenshot that shows the "Single Sign On Setup" page with "Enable Single Sign-on" selected, and the text boxes highlighted.](./media/origami-tutorial/configuration.png)
a. Select **Enable Single Sign On**.
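Review bot: removing the "a. Login URL / b. Azure AD Identifier / c. Logout URL" list leaves the "Copy configuration URLs" screenshot with nothing telling the reader which values to copy, and the Single Sign On Setup dialog below, whose text boxes the screenshot highlights, is where those values go. Restore a sentence after the screenshot such as: "Copy the **Login URL**, **Azure AD Identifier** and **Logout URL**; you will paste them into the Origami Single Sign On Setup dialog." Also, this hunk renames the screenshots from `tutorial_origami_5x.png` to `admin.png` and `configuration.png`; make sure the renamed files under `media/origami-tutorial/` are in the same commit or both images break.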
To configure Azure AD single sign-on with Origami, perform the following steps:
e. Click **Save Changes**.
-### Create an Azure AD test user
-
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type **brittasimon@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
-
-### Assign the Azure AD test user
-
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Origami.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Origami**.
-
- ![Enterprise applications blade](common/enterprise-applications.png)
-
-2. In the applications list, select **Origami**.
-
- ![The Origami link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
- ### Create Origami test user In this section, you create a user called Britta Simon in Origami.
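Review bot: the new Create and Assign sections use **B.Simon** with `B.Simon@contoso.com`, but the untouched "Create Origami test user" section that follows still creates Britta Simon with `brittasimon@contoso.com`. The identifier Azure AD sends in the assertion (by default the user principal name) has to match the Origami user name for the "link relationship" the intro describes, so as written the two halves of the tutorial create users that will not link; update the Origami section to B.Simon.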
In this section, you create a user called Britta Simon in Origami.
2. In the menu on the top, click **Admin**.
- ![Screenshot that shows the Origami account home page with "Admin" selected.](./media/origami-tutorial/tutorial_origami_51.png)
+ ![Screenshot that shows the Origami account home page with "Admin" selected.](./media/origami-tutorial/admin.png)
3. On the **Users and Security** dialog, click **Users**.
- ![Screenshot that shows the "Users and Security" dialog with "Users" selected.](./media/origami-tutorial/tutorial_origami_54.png)
+ ![Screenshot that shows the "Users and Security" dialog with "Users" selected.](./media/origami-tutorial/user.png)
4. Click **Add New User**.
- ![Screenshot that shows the "Add New User" button selected.](./media/origami-tutorial/tutorial_origami_55.png)
+ ![Screenshot that shows the "Add New User" button selected.](./media/origami-tutorial/add-user.png)
5. On the Add New User dialog, perform the following steps:
- ![Screenshot that shows the "Add New User" dialog with the "User Name", "First Name", and "Last Name" text boxes highlighted.](./media/origami-tutorial/tutorial_origami_56.png)
+ ![Screenshot that shows the "Add New User" dialog with the "User Name", "First Name", and "Last Name" text boxes highlighted.](./media/origami-tutorial/new-user.png)
a. In the **User Name** textbox, enter the email of user like **brittasimon\@contoso.com**.
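Review bot: the screenshot paths here are renamed to descriptive names (`admin.png`, `user.png`, `add-user.png`, `new-user.png`), and `admin.png` is now referenced from both this step 2 and step 2 of Configure Origami SSO; that is fine, since both previously pointed at the same `tutorial_origami_51.png`, but confirm the renamed files are checked in alongside this change. The "User Name" example on the last line still shows `brittasimon\@contoso.com` and should become `B.Simon@contoso.com` to match the Azure AD test user created above.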
In this section, you create a user called Britta Simon in Origami.
f. Click **Save**.
- ![Screenshot that shows the the "Save" button selected.](./media/origami-tutorial/tutorial_origami_57.png)
+ ![Screenshot that shows the the "Save" button selected.](./media/origami-tutorial/save.png)
6. Assign **User Roles** and **Client Access** to the user.
- ![Configure Single Sign-On](./media/origami-tutorial/tutorial_origami_58.png)
+ ![Configure Single Sign-On](./media/origami-tutorial/user-roles.png)
-### Test single sign-on
+## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the Origami tile in the Access Panel, you should be automatically signed in to the Origami for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to Origami Sign-on URL where you can initiate the login flow.
-## Additional Resources
+* Go to Origami Sign-on URL directly and initiate the login flow from there.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the Origami tile in the My Apps, this will redirect to Origami Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Origami you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
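Review bot: the removed Additional Resources list carried the Conditional Access overview link, and the new Next steps paragraph says "Session control extends from Conditional Access" without linking it; session control only takes effect through a Conditional Access policy, so link `../conditional-access/overview.md` from that sentence rather than dropping the pointer entirely. The Test SSO lead sentence also needs "the" in "with following options".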
active-directory Pendo Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/pendo-tutorial.md
Previously updated : 04/09/2020 Last updated : 06/08/2021
In this tutorial, you'll learn how to integrate Pendo with Azure Active Director
* Enable your users to be automatically signed-in to Pendo with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Pendo supports **IDP** initiated SSO
-* Once you configure Pendo you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
+* Pendo supports **IDP** initiated SSO.
-## Adding Pendo from the gallery
+## Add Pendo from the gallery
To configure the integration of Pendo into Azure AD, you need to add Pendo from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Pendo** in the search box. 1. Select **Pendo** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on for Pendo
+## Configure and test Azure AD SSO for Pendo
Configure and test Azure AD SSO with Pendo using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Pendo.
-To configure and test Azure AD SSO with Pendo, complete the following building blocks:
+To configure and test Azure AD SSO with Pendo, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
To configure and test Azure AD SSO with Pendo, complete the following building b
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Pendo** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **Pendo** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
-1. On the **Set-up single sign-on with SAML** page, enter the values for the following fields:
+1. On the **Set-up single sign-on with SAML** page, perform the following steps:
a. In the **Identifier** text box, type a URL using the following pattern: `https://sso.connect.pingidentity.com/<CUSTOM_GUID>`
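Review bot: within three lines the same portal page is named both **Set up single sign-on with SAML** (the pencil-icon step) and **Set-up single sign-on with SAML** (the line this hunk rewrites); drop the hyphen in the rewritten line so the bold UI text matches the portal title. For the Identifier step, a short note that the `<CUSTOM_GUID>` in `https://sso.connect.pingidentity.com/<CUSTOM_GUID>` is tenant-specific and must be obtained from Pendo would help, since this value is the SAML audience the application checks the assertion against and readers tend to paste the pattern literally.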
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **Pendo**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure Pendo SSO
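Review bot: the rewritten role sentence reads `you see "Default Access" role selected` and needs an article: `you see the "Default Access" role selected`. Also, this hunk removes the two screenshots (users-groups-blade.png and add-assign-user.png) that sat between steps of the assignment list; check the rendered page to confirm the remaining `1.` items still render as one continuous numbered list, and that the heading `## Configure Pendo SSO` that follows the last step is separated from it by a blank line.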
In this section, you create a user called Britta Simon in Pendo. Work with [Pen
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
-
-When you click the Pendo tile in the Access Panel, you should be automatically signed in to the Pendo for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
-
-## Additional resources
--- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)--- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+In this section, you test your Azure AD single sign-on configuration with following options.
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+* Click on Test this application in Azure portal and you should be automatically signed in to the Pendo for which you set up the SSO.
-- [Try Pendo with Azure AD](https://aad.portal.azure.com/)
+* You can use Microsoft My Apps. When you click the Pendo tile in the My Apps, you should be automatically signed in to the Pendo for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is session control in Microsoft Cloud App Security?](/cloud-app-security/proxy-intro-aad)
+## Next steps
-- [How to protect Pendo with advanced visibility and controls](/cloud-app-security/proxy-intro-aad)
+Once you configure Pendo you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
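Review bot: the apostrophe in "organization's" shows up as `ΓÇÖ` in the added Next steps paragraph, which is how a UTF-8 right single quotation mark looks when read as CP437; confirm the file is saved as UTF-8, or use a plain ASCII apostrophe. Two smaller points in the same hunk: "with following options" should read "with the following options", and **Test this application** is not bolded here although the same phrase is bolded in the Test SSO sections of the other tutorials in this batch (Qmarkets, Rescana, Robin, Samsara).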
active-directory Qmarkets Idea Innovation Management Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/qmarkets-idea-innovation-management-tutorial.md
In this section, you test your Azure AD single sign-on configuration with follow
* Click on **Test this application** in Azure portal and you should be automatically signed in to the Qmarkets Idea & Innovation Management for which you set up the SSO
-You can also use Microsoft My Apps to test the application in any mode. When you click the Qmarkets Idea & Innovation Management tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Qmarkets Idea & Innovation Management for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+You can also use Microsoft My Apps to test the application in any mode. When you click the Qmarkets Idea & Innovation Management tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Qmarkets Idea & Innovation Management for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Qmarkets Idea & Innovation Management you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
+Once you configure Qmarkets Idea & Innovation Management you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
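Review bot: the bullet "Click on **Test this application** in Azure portal and you should be automatically signed in to the Qmarkets Idea & Innovation Management for which you set up the SSO" lacks a terminal period, unlike the matching Samsara bullet later in this batch. The My Apps sentence in the added line covers both SP mode and IDP mode in a single long sentence; splitting it at "and if configured in IDP mode" would make each behaviour easier to follow. The retargeting from absolute docs.microsoft.com URLs to the relative paths ../user-help/my-apps-portal-end-user-access.md and /cloud-app-security/proxy-deployment-any-app is consistent with the other tutorials in this change.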
active-directory Rescana Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/rescana-tutorial.md
In this section, you test your Azure AD single sign-on configuration with follow
* Click on **Test this application** in Azure portal and you should be automatically signed in to the Rescana for which you set up the SSO
-You can also use Microsoft My Apps to test the application in any mode. When you click the Rescana tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Rescana for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+You can also use Microsoft My Apps to test the application in any mode. When you click the Rescana tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Rescana for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Rescana you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
--
+Once you configure Rescana you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
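Review bot: the diff shows a removed line consisting only of `--` between the old and new Next steps paragraphs; check that this was a stray line in the source rather than an unintended deletion of content. Otherwise this hunk matches the Qmarkets change (relative links replacing absolute docs.microsoft.com URLs), and the same two style points apply: the **Test this application** bullet lacks a terminal period, and the My Apps sentence covering both SP and IDP modes would read better split in two.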
active-directory Robin Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/robin-tutorial.md
Previously updated : 01/02/2020 Last updated : 06/08/2021
In this tutorial, you'll learn how to integrate Robin with Azure Active Director
* Enable your users to be automatically signed-in to Robin with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
-* An Azure AD subscription. If you don't have a subscription, you can get one-month free trial [here](https://azure.microsoft.com/pricing/free-trial/).
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
* Robin single sign-on (SSO) enabled subscription. ## Scenario description In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Robin supports **SP and IDP** initiated SSO
-* Robin supports **Just In Time** user provisioning
+* Robin supports **SP and IDP** initiated SSO.
+* Robin supports **Just In Time** user provisioning.
> [!NOTE] > Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-## Adding Robin from the gallery
+## Add Robin from the gallery
To configure the integration of Robin into Azure AD, you need to add Robin from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Robin** in the search box. 1. Select **Robin** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on for Robin
+## Configure and test Azure AD SSO for Robin
Configure and test Azure AD SSO with Robin using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Robin.
-To configure and test Azure AD SSO with Robin, complete the following building blocks:
+To configure and test Azure AD SSO with Robin, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
To configure and test Azure AD SSO with Robin, complete the following building b
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Robin** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **Robin** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
Follow these steps to enable Azure AD SSO in the Azure portal.
1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
- In the **Sign-on URL** text box, type a URL:
+ In the **Sign-on URL** text box, type the URL:
`https://dashboard.robinpowered.com/` 1. Robin application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **Robin**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure Robin SSO
In this section, a user called Britta Simon is created in Robin. Robin supports
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
+
+* Click on **Test this application** in Azure portal. This will redirect to Robin Sign on URL where you can initiate the login flow.
-When you click the Robin tile in the Access Panel, you should be automatically signed in to the Robin for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Go to Robin Sign-on URL directly and initiate the login flow from there.
-## Additional resources
+#### IDP initiated:
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Robin for which you set up the SSO.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the Robin tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Robin for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+## Next steps
-- [Try Robin with Azure AD](https://aad.portal.azure.com/)
+Once you configure Robin you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
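Review bot: the new `#### SP initiated:` and `#### IDP initiated:` headings are H4 placed directly under the H2 `## Test SSO`, skipping H3; markdown linting flags heading-level jumps, so use `###` here. Within the same hunk the SP-initiated bullets spell the field two ways, "Robin Sign on URL" and "Robin Sign-on URL"; the field is named **Sign-on URL** earlier in this tutorial, so use the hyphenated form in both bullets. The opening sentence "with following options" should read "with the following options", and the apostrophe in "organization's" renders as `ΓÇÖ`, so confirm the file is UTF-8 encoded.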
active-directory Samsara Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/samsara-tutorial.md
In this section, you test your Azure AD single sign-on configuration with follow
* Click on **Test this application** in Azure portal and you should be automatically signed in to the Samsara for which you set up the SSO.
-You can also use Microsoft My Apps to test the application in any mode. When you click the Samsara tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Samsara for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+You can also use Microsoft My Apps to test the application in any mode. When you click the Samsara tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Samsara for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Samsara you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
+Once you configure Samsara you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory Sectigo Certificate Manager Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/sectigo-certificate-manager-tutorial.md
Select **Sectigo Certificate Manager** in the My Apps portal. If configured cor
## Next steps
-Once you configure Sectigo Certificate Manager you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
+Once you configure Sectigo Certificate Manager you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory Seismic Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/seismic-tutorial.md
In this section, you test your Azure AD single sign-on configuration with follow
* Go to Seismic Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the Seismic tile in the My Apps, this will redirect to Seismic Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the Seismic tile in the My Apps, this will redirect to Seismic Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Seismic you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
+Once you configure Seismic you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
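Review bot: in the rewritten My Apps bullet, "this will redirect to Seismic Sign-on URL" is missing an article ("to the Seismic Sign-on URL"); the preceding bullet has the same omission but is outside this hunk's changed lines. The link changes themselves (relative path for the My Apps introduction and for the Cloud App Security session-control article) match the other tutorials in this batch.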
active-directory Sharepoint On Premises Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/sharepoint-on-premises-tutorial.md
The basic configuration of the trust between SharePoint and Azure AD is now fini
## Sign in as a member user
-Azure Active Directory has [two type of users](https://docs.microsoft.com/azure/active-directory/active-directory-b2b-user-properties): Guest users and Member users. Let's start with a member user, which is merely a user that is homed in your organization.
+Azure Active Directory has [two type of users](../external-identities/user-properties.md): Guest users and Member users. Let's start with a member user, which is merely a user that is homed in your organization.
### Create a member user in Azure Active Directory
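Review bot: the rewritten sentence keeps the grammatical error "two type of users"; since the line is being touched to retarget the link to ../external-identities/user-properties.md, fix it to "two types of users" in the same change. The rest of the sentence (Guest users and Member users, with a member user defined as one homed in your organization) is unchanged and reads fine.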
$t.Update()
1. In the section **Reply URL (Assertion Consumer Service URL)**, add the URL (for example, `https://otherwebapp.contoso.local/`) of all additional web applications that need to sign in users with Azure Active Directory and click **Save**.
-![Specify additional web applications](./media/sharepoint-on-premises-tutorial/azure-active-directory-app-reply-urls.png)
+![Specify additional web applications](./media/sharepoint-on-premises-tutorial/azure-active-directory-app-reply-urls.png)
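Review bot: the removed and added image lines for azure-active-directory-app-reply-urls.png are textually identical in this view, so the change appears to be whitespace only (most likely indentation to nest the image under the preceding numbered step); if so, say that in the commit message, and check the rendered page to confirm the image now sits inside the step that adds the additional Reply URLs rather than breaking the list.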
active-directory Silkroad Life Suite Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/silkroad-life-suite-tutorial.md
Previously updated : 04/16/2019 Last updated : 06/09/2021 # Tutorial: Azure Active Directory integration with SilkRoad Life Suite
-In this tutorial, you learn how to integrate SilkRoad Life Suite with Azure Active Directory (Azure AD).
-Integrating SilkRoad Life Suite with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate SilkRoad Life Suite with Azure Active Directory (Azure AD). When you integrate SilkRoad Life Suite with Azure AD, you can:
-* You can control in Azure AD who has access to SilkRoad Life Suite.
-* You can enable your users to be automatically signed-in to SilkRoad Life Suite (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to SilkRoad Life Suite.
+* Enable your users to be automatically signed-in to SilkRoad Life Suite with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites To configure Azure AD integration with SilkRoad Life Suite, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/)
-* SilkRoad Life Suite single sign-on enabled subscription
+* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/).
+* SilkRoad Life Suite single sign-on enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* SilkRoad Life Suite supports **SP** initiated SSO
+* SilkRoad Life Suite supports **SP** initiated SSO.
-## Adding SilkRoad Life Suite from the gallery
+## Add SilkRoad Life Suite from the gallery
To configure the integration of SilkRoad Life Suite into Azure AD, you need to add SilkRoad Life Suite from the gallery to your list of managed SaaS apps.
-**To add SilkRoad Life Suite from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **SilkRoad Life Suite**, select **SilkRoad Life Suite** from result panel then click **Add** button to add the application.
-
- ![SilkRoad Life Suite in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
-
-In this section, you configure and test Azure AD single sign-on with SilkRoad Life Suite based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in SilkRoad Life Suite needs to be established.
-
-To configure and test Azure AD single sign-on with SilkRoad Life Suite, you need to complete the following building blocks:
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **SilkRoad Life Suite** in the search box.
+1. Select **SilkRoad Life Suite** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure SilkRoad Life Suite Single Sign-On](#configure-silkroad-life-suite-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create SilkRoad Life Suite test user](#create-silkroad-life-suite-test-user)** - to have a counterpart of Britta Simon in SilkRoad Life Suite that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+## Configure and test Azure AD SSO for SilkRoad Life Suite
-### Configure Azure AD single sign-on
+Configure and test Azure AD SSO with SilkRoad Life Suite using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in SilkRoad Life Suite.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+To configure and test Azure AD SSO with SilkRoad Life Suite, perform the following steps:
-To configure Azure AD single sign-on with SilkRoad Life Suite, perform the following steps:
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure SilkRoad Life Suite SSO](#configure-silkroad-life-suite-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create SilkRoad Life Suite test user](#create-silkroad-life-suite-test-user)** - to have a counterpart of B.Simon in SilkRoad Life Suite that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-1. In the [Azure portal](https://portal.azure.com/), on the **SilkRoad Life Suite** application integration page, select **Single sign-on**.
+## Configure Azure AD SSO
- ![Configure single sign-on link](common/select-sso.png)
+Follow these steps to enable Azure AD SSO in the Azure portal.
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+1. In the Azure portal, on the **SilkRoad Life Suite** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Single sign-on select mode](common/select-saml-option.png)
-
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, if you have **Service Provider metadata file**, perform the following steps:
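Review bot: numbering in the Configure Azure AD SSO steps is now mixed: the three rewritten steps use the auto-numbered `1.` style, while the unchanged step that follows still reads `4. On the **Basic SAML Configuration** section ...` and later steps continue with explicit 5. and 6.; the mix is confusing to maintain and relies on the renderer ignoring the explicit numbers, so convert the remaining steps to `1.` as well (or restore explicit numbers throughout). Also, this hunk renames the test user from **Britta Simon** to **B.Simon** in the Configure and test section; the Create SilkRoad Life Suite test user section that the new overview bullet links to is not part of this diff, so check that it was updated to the same name.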
To configure Azure AD single sign-on with SilkRoad Life Suite, perform the follo
![Screenshot shows a dialog box where you can select and upload a file.](common/browse-upload-metadata.png)
- c. Once the metadata file is successfully uploaded, the **Identifier** and **Reply URL** values get auto populated in Basic SAML Configuration section:
-
- ![Screenshot shows the Basic SAML Configuration, where you can enter Identifier, Reply U R L, and select Save.](common/sp-identifier-reply.png)
+ c. Once the metadata file is successfully uploaded, the **Identifier** and **Reply URL** values get auto populated in Basic SAML Configuration section.
> [!Note]
- > If the **Identifier** and **Reply URL** values are not getting auto polulated, then fill in the values manually according to your requirement.
+ > If the **Identifier** and **Reply URL** values are not getting auto populated, then fill in the values manually according to your requirement.
d. In the **Sign-on URL** text box, type a URL using the following pattern:
- `https://<subdomain>.silkroad-eng.com/Authentication/`
+ `https://<SUBDOMAIN>.silkroad-eng.com/Authentication/`
5. On the **Basic SAML Configuration** section, if you do not have **Service Provider metadata file**, perform the following steps:
- ![SilkRoad Life Suite Domain and URLs single sign-on information](common/sp-identifier-reply.png)
+ a. In the **Identifier** box, type a URL using one of the following patterns:
- a. In the **Sign-on URL** text box, type a URL using the following pattern:
- `https://<subdomain>.silkroad-eng.com/Authentication/`
+ | Identifier URL |
+ |--|
+ |`https://<SUBDOMAIN>.silkroad-eng.com/Authentication/SP`|
+ |`https://<SUBDOMAIN>.silkroad.com/Authentication/SP`|
+
- b. In the **Identifier** box, type a URL using the following pattern:
+ b. In the **Reply URL** text box, type a URL using one of the following patterns:
- - `https://<subdomain>.silkroad-eng.com/Authentication/SP`
- - `https://<subdomain>.silkroad.com/Authentication/SP`
+ | Reply URL |
+ |--|
+ |`https://<SUBDOMAIN>.silkroad-eng.com/Authentication/`|
+ |`https://<SUBDOMAIN>.silkroad.com/Authentication/`|
- c. In the **Reply URL** text box, type a URL using the following pattern:
-
- - `https://<subdomain>.silkroad-eng.com/Authentication/`
- - `https://<subdomain>.silkroad.com/Authentication/`
+ c. In the **Sign-on URL** text box, type a URL using the following pattern:
+ `https://<SUBDOMAIN>.silkroad-eng.com/Authentication/`
> [!NOTE]
- > These values are not real. Update these values with the actual Sign-On URL, Identifier and Reply URL. Contact [SilkRoad Life Suite Client support team](https://www.silkroad.com/locations/) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+ > These values are not real. Update these values with the actual Identifier,Reply URL and Sign-On URL. Contact [SilkRoad Life Suite Client support team](https://www.silkroad.com/locations/) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
6. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Federation Metadata XML** from the given options as per your requirement and save it on your computer.
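Review bot: the Sign-on URL pattern in the no-metadata branch (step c) lists only `https://<SUBDOMAIN>.silkroad-eng.com/Authentication/`, while the Identifier and Reply URL tables directly above it offer both a silkroad-eng.com and a silkroad.com variant; confirm with the vendor whether a silkroad.com Sign-on URL also exists, otherwise a reader on a silkroad.com tenant gets two of the three values for one domain and the third for another. Because the Reply URL is the assertion consumer endpoint, a value that does not match the customer's real environment means the SAML response is delivered to the wrong place or rejected, so the note telling readers to obtain the actual values from SilkRoad support is the important line here and should stay. In that rewritten note, "Identifier,Reply URL and Sign-On URL" is missing a space after the comma. The "polulated" to "populated" fix and the uppercase `<SUBDOMAIN>` placeholders are good.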
To configure Azure AD single sign-on with SilkRoad Life Suite, perform the follo
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
- b. Azure AD Identifier
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
- c. Logout URL
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to SilkRoad Life Suite.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **SilkRoad Life Suite**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
-### Configure SilkRoad Life Suite Single Sign-On
+## Configure SilkRoad Life Suite SSO
1. Sign in to your SilkRoad company site as administrator.
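Review bot: Removing the `a. Login URL`, `b. Azure AD Identifier`, `c. Logout URL` list leaves the `![Copy configuration URLs](common/copy-configuration-urls.png)` screenshot with no text saying which values to copy, and the later step `b. In the **EntityId** textbox, paste the value of **Azure AD Identifier** which you have copied from Azure portal` still depends on that copy step. Keep at least the Azure AD Identifier item under the screenshot, or reword the EntityId step so it says where the value comes from.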
To configure Azure AD single sign-on with SilkRoad Life Suite, perform the follo
1. Go to **Service Provider**, and then click **Federation Details**.
- ![Screenshot shows Federation Details selected from Service Provider.](./media/silkroad-life-suite-tutorial/tutorial_silkroad_06.png)
+ ![Screenshot shows Federation Details selected from Service Provider.](./media/silkroad-life-suite-tutorial/details.png)
1. Click **Download Federation Metadata**, and then save the metadata file on your computer. Use Downloaded Federation Metadata as a **Service Provider metadata file** in the **Basic SAML Configuration** section in the Azure portal.
- ![Screenshot shows the Download Federation Metadata link.](./media/silkroad-life-suite-tutorial/tutorial_silkroad_07.png)
+ ![Screenshot shows the Download Federation Metadata link.](./media/silkroad-life-suite-tutorial/metadata.png)
1. In your **SilkRoad** application, click **Authentication Sources**.
- ![Screenshot shows Authentication Sources selected.](./media/silkroad-life-suite-tutorial/tutorial_silkroad_08.png)
+ ![Screenshot shows Authentication Sources selected.](./media/silkroad-life-suite-tutorial/sources.png)
1. Click **Add Authentication Source**.
- ![Screenshot shows the Add Authentication Source link.](./media/silkroad-life-suite-tutorial/tutorial_silkroad_09.png)
+ ![Screenshot shows the Add Authentication Source link.](./media/silkroad-life-suite-tutorial/add-source.png)
1. In the **Add Authentication Source** section, perform the following steps:
- ![Screenshot shows Add Authentication Source with the Create Identity Provider using File Data button selected.](./media/silkroad-life-suite-tutorial/tutorial_silkroad_10.png)
+ ![Screenshot shows Add Authentication Source with the Create Identity Provider using File Data button selected.](./media/silkroad-life-suite-tutorial/metadata-file.png)
a. Under **Option 2 - Metadata File**, click **Browse** to upload the downloaded metadata file from Azure portal.
To configure Azure AD single sign-on with SilkRoad Life Suite, perform the follo
1. In the **Authentication Sources** section, click **Edit**.
- ![Screenshot shows Authentication Sources with the Edit option selected.](./media/silkroad-life-suite-tutorial/tutorial_silkroad_11.png)
+ ![Screenshot shows Authentication Sources with the Edit option selected.](./media/silkroad-life-suite-tutorial/edit-source.png)
1. On the **Edit Authentication Source** dialog, perform the following steps:
- ![Screenshot shows the Edit Authentication Source dialog box where you can enter the values described.](./media/silkroad-life-suite-tutorial/tutorial_silkroad_12.png)
+ ![Screenshot shows the Edit Authentication Source dialog box where you can enter the values described.](./media/silkroad-life-suite-tutorial/authentication.png)
a. As **Enabled**, select **Yes**. b. In the **EntityId** textbox, paste the value of **Azure AD Identifier** which you have copied from Azure portal.
- c. In the **IdP Description** textbox, type a description for your configuration (for example: *Azure AD SSO*).
+ c. In the **IdP Description** textbox, type a description for your configuration (for example: **Azure AD SSO**).
d. In the **Metadata File** textbox, Upload the **metadata** file which you have downloaded from Azure portal.
To configure Azure AD single sign-on with SilkRoad Life Suite, perform the follo
1. Disable all other authentication sources.
- ![Screenshot shows Authentication Sources where you can disable other sources. ](./media/silkroad-life-suite-tutorial/tutorial_silkroad_13.png)
-
-### Create an Azure AD test user
-
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type `brittasimon@yourcompanydomain.extension`
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
-
-### Assign the Azure AD test user
-
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to SilkRoad Life Suite.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **SilkRoad Life Suite**.
-
- ![Enterprise applications blade](common/enterprise-applications.png)
-
-2. In the applications list, select **SilkRoad Life Suite**.
-
- ![The SilkRoad Life Suite link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
+ ![Screenshot shows Authentication Sources where you can disable other sources. ](./media/silkroad-life-suite-tutorial/manage-source.png)
### Create SilkRoad Life Suite test user In this section, you create a user called Britta Simon in SilkRoad Life Suite. Work with [SilkRoad Life Suite Client support team](https://www.silkroad.com/locations/) to add the users in the SilkRoad Life Suite platform. Users must be created and activated before you use single sign-on.
-### Test single sign-on
+## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the SilkRoad Life Suite tile in the Access Panel, you should be automatically signed in to the SilkRoad Life Suite for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to SilkRoad Life Suite Sign-on URL where you can initiate the login flow.
-## Additional Resources
+* Go to SilkRoad Life Suite Sign-on URL directly and initiate the login flow from there.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the SilkRoad Life Suite tile in the My Apps, this will redirect to SilkRoad Life Suite Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure SilkRoad Life Suite you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
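Review bot: The unchanged line `### Create SilkRoad Life Suite test user In this section, you create a user called Britta Simon` still names the user Britta Simon, while the new Azure AD test user steps create `B.Simon`; since the SilkRoad account must match the Azure AD user for SSO to work, update that line to B.Simon as well. Also, the apostrophe in `organizationΓÇÖs` in the new Next steps line renders as mojibake; confirm the file is saved as UTF-8 with a plain apostrophe.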
active-directory Smartrecruiters Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/smartrecruiters-tutorial.md
In this section, you test your Azure AD single sign-on configuration with follow
* Click on **Test this application** in Azure portal and you should be automatically signed in to the SmartRecruiters for which you set up the SSO.
-You can also use Microsoft My Apps to test the application in any mode. When you click the SmartRecruiters tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the SmartRecruiters for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+You can also use Microsoft My Apps to test the application in any mode. When you click the SmartRecruiters tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the SmartRecruiters for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure SmartRecruiters you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
+Once you configure SmartRecruiters you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory Standard For Success Accreditation Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/standard-for-success-accreditation-tutorial.md
In this tutorial, you'll learn how to integrate Standard for Success Accreditati
* Control in Azure AD who has access to Standard for Success Accreditation. * Enable your users to be automatically signed-in to Standard for Success Accreditation with their Azure AD accounts.
-* Manage your accounts in one central location - the Azure portal.
## Prerequisites
In this tutorial, you configure and test Azure AD SSO in a test environment.
> [!NOTE] > Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-## Adding Standard for Success Accreditation from the gallery
+## Add Standard for Success Accreditation from the gallery
To configure the integration of Standard for Success Accreditation into Azure AD, you need to add Standard for Success Accreditation from the gallery to your list of managed SaaS apps.
To configure the integration of Standard for Success Accreditation into Azure AD
1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Standard for Success Accreditation** in the search box.
-1. Select **Standard for Success Accreditation** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
+1. Select **Standard for Success Accreditation** from the results panel and then add the app. Wait a few seconds while the app is added to your tenant.
## Configure and test Azure AD SSO for Standard for Success Accreditation
Follow these steps to enable Azure AD SSO in the Azure portal.
1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, enter the values for the following fields: In the **Reply URL** text box, type a URL using the following pattern:
- `https://edu.sfsed.com/access/saml_consume?did=<INSTITUTIONID>`
+ `https://edu.sfsed.com/access/saml_consume?did=<INSTITUTION-ID>`
1. Click **Set additional URLs** and perform the following steps if you wish to configure the application in **SP** initiated mode: a. In the **Sign-on URL** text box, type a URL using the following pattern:
- `https://edu.sfsed.com/access/saml_int?did=<INSTITUTIONID>`
+ `https://edu.sfsed.com/access/saml_int?did=<INSTITUTION-ID>`
b. In the **Relay State** text box, type a URL using the following pattern:
- `https://edu.sfsed.com/access/saml_consume?did=<INSTITUTIONID>`
+ `https://edu.sfsed.com/access/saml_consume?did=<INSTITUTION-ID>`
> [!NOTE] > These values are not real. Update these values with the actual Reply URL, Sign-on URL and Relay State. Contact [Standard for Success Accreditation Client support team](mailto:help_he@standardforsuccess.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
In this section, you'll create a test user in the Azure portal called B.Simon.
1. Select **New user** at the top of the screen. 1. In the **User** properties, follow these steps: 1. In the **Name** field, enter `B.Simon`.
- 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. In the **User name** field, enter the username@institutiondomain.extension. For example, `B.Simon@contoso.com`.
1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box. 1. Click **Create**.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. Scroll down to **Single Sign On Settings** and click the **Microsoft Azure Single Sign On** link and perform the following steps.
- ![Microsoft Azure Single Sign On page.](./media/standard-for-success-accreditation-tutorial/configuration.png)
+ :::image type="content" source="./media/standard-for-success-accreditation-tutorial/configuration.png" alt-text="Screenshot that shows how to enable Azure single sign-on in Standard for Success Accreditation.":::
- a. **Enable Azure Single Sign On** checkbox.
+ a. Select the **Enable Azure Single Sign On** checkbox.
- b. Fill the **Azure Tenant ID** text box with Tenant ID value from the Azure portal.
+ b. Fill the URL and Identifier fields with the appropriate URLs copied from the Azure portal SAML setup.
- c. Fill the application ID in the **Application ID** text box.
+ c. Fill the Application ID in the **Application ID** text box.
- d. In the **Certificate Thumbprint** text box, paste the **Thumbprint Value** which you have copied from Azure portal.
+ d. In the **Certificate Thumbprint** text box, paste the **Thumbprint Value** that you copied from the Azure portal.
e. Click **Save**.
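Review bot: The rewritten step `b. Fill the URL and Identifier fields with the appropriate URLs copied from the Azure portal SAML setup.` is less precise than the text it replaces (`Fill the **Azure Tenant ID** text box with Tenant ID value`); name each field on the Standard for Success page and the Azure portal value that goes into it, as the other tutorials in this batch do with Login URL and Azure AD Identifier. For step `d.`, say that the Thumbprint Value comes from the **SAML Signing Certificate** section, because that thumbprint is what the application uses to verify signed assertions and a value taken from the wrong certificate will make every sign-in fail.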
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. Sign in to Standard for Success Accreditation as an Administrator with superuser privileges.
-1. From the menu, click on **Admin Portal -> Create New Evaluatee** and perform the following steps.
+1. From the menu, click on **Admin Portal** > **Create New Evaluatee** and perform the following steps.
![creating test user.](./media/standard-for-success-accreditation-tutorial/new-user.png)
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
b. In **Last Name** text box, enter Simon.
- c. In **University Email** text box, enter your organization email address.
+ c. In **University Email** text box, enter the email address you added for B.Simon within Azure.
d. Scroll to the bottom and Click **Create User**.
active-directory Tap App Security Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/tap-app-security-tutorial.md
In this section, you test your Azure AD single sign-on configuration with follow
* Go to TAP App Security Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the TAP App Security tile in the My Apps, this will redirect to TAP App Security Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the TAP App Security tile in the My Apps, this will redirect to TAP App Security Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure TAP App Security you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
--
+Once you configure TAP App Security you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory Tutorial List https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/tutorial-list.md
To find more tutorials, use the table of contents on the left.
| ![logo-Evernote](./medi)| | ![logo-ExpenseIn](./medi)| | ![logo-EZOfficeInventory](./medi)|
+| ![logo-FAX.PLUS](./medi)|
| ![logo-Foodee](./medi)| | ![logo-Freedcamp](./medi)| | ![logo-Freshservice](./medi)|
To find more tutorials, use the table of contents on the left.
| ![logo-Way We Do](./medi)| | ![logo-Whimsical](./medi)| | ![logo-WhosOffice](./medi)|
+| ![logo-Wootric](./medi)|
| ![logo-Workplace by Facebook](./medi)| | ![logo-Workteam](./medi)| | ![logo-XaitPorter](./medi)|
active-directory Whitesource Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/whitesource-tutorial.md
In this section, you test your Azure AD single sign-on configuration with follow
* Go to Whitesource Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the Whitesource tile in the My Apps, this will redirect to Whitesource Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the Whitesource tile in the My Apps, this will redirect to Whitesource Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Whitesource you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
+Once you configure Whitesource you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory Yardione Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/yardione-tutorial.md
In this section, you test your Azure AD single sign-on configuration with follow
* Go to YardiOne Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the YardiOne tile in the My Apps, this will redirect to YardiOne Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the YardiOne tile in the My Apps, this will redirect to YardiOne Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure YardiOne you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
+Once you configure YardiOne you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory Zip Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/zip-tutorial.md
In this section, you test your Azure AD single sign-on configuration with follow
* Click on **Test this application** in Azure portal and you should be automatically signed in to the Zip for which you set up the SSO
-You can also use Microsoft My Apps to test the application in any mode. When you click the Zip tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Zip for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+You can also use Microsoft My Apps to test the application in any mode. When you click the Zip tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Zip for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Zip you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
--
+Once you configure Zip you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory Zscaler B2b User Portal Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/zscaler-b2b-user-portal-tutorial.md
Previously updated : 03/24/2020 Last updated : 06/08/2021
In this tutorial, you'll learn how to integrate Zscaler B2B User Portal with Azu
* Enable your users to be automatically signed-in to Zscaler B2B User Portal with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Zscaler B2B User Portal supports **IDP** initiated SSO
-
-* Zscaler B2B User Portal supports **Just In Time** user provisioning
+* Zscaler B2B User Portal supports **IDP** initiated SSO.
-* Once you configure Zscaler B2B User Portal you can enforce Session Control, which protect exfiltration and infiltration of your organizationΓÇÖs sensitive data in real-time. Session Control extend from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad)
+* Zscaler B2B User Portal supports **Just In Time** user provisioning.
-## Adding Zscaler B2B User Portal from the gallery
+## Add Zscaler B2B User Portal from the gallery
To configure the integration of Zscaler B2B User Portal into Azure AD, you need to add Zscaler B2B User Portal from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Zscaler B2B User Portal** in the search box. 1. Select **Zscaler B2B User Portal** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on for Zscaler B2B User Portal
+## Configure and test Azure AD SSO for Zscaler B2B User Portal
Configure and test Azure AD SSO with Zscaler B2B User Portal using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Zscaler B2B User Portal.
-To configure and test Azure AD SSO with Zscaler B2B User Portal, complete the following building blocks:
+To configure and test Azure AD SSO with Zscaler B2B User Portal, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
To configure and test Azure AD SSO with Zscaler B2B User Portal, complete the fo
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Zscaler B2B User Portal** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **Zscaler B2B User Portal** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
-1. On the **Set up single sign-on with SAML** page, enter the values for the following fields:
+1. On the **Set up single sign-on with SAML** page, perform the following steps:
a. In the **Identifier** text box, type a URL using the following pattern: `https://samlsp.private.zscaler.com/auth/metadata/<UniqueID>`
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **Zscaler B2B User Portal**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure Zscaler B2B User Portal SSO
In this section, a user called Britta Simon is created in Zscaler B2B User Porta
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
-
-When you click the Zscaler B2B User Portal tile in the Access Panel, you should be automatically signed in to the Zscaler B2B User Portal for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
-
-## Additional resources
--- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+In this section, you test your Azure AD single sign-on configuration with following options.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+* Click on Test this application in Azure portal and you should be automatically signed in to the Zscaler B2B User Portal for which you set up the SSO.
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+* You can use Microsoft My Apps. When you click the Zscaler B2B User Portal tile in the My Apps, you should be automatically signed in to the Zscaler B2B User Portal for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [Try Zscaler B2B User Portal with Azure AD](https://aad.portal.azure.com/)
+## Next steps
-- [What is session control in Microsoft Cloud App Security?](/cloud-app-security/proxy-intro-aad)
+Once you configure Zscaler B2B User Portal you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
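Review bot: In the new Test SSO bullet `* Click on Test this application in Azure portal and you should be automatically signed in...`, `Test this application` should be bold (`**Test this application**`) to match the SmartRecruiters and SilkRoad tutorials updated in the same change. The apostrophe in `organizationΓÇÖs` in the new Next steps line renders as mojibake here; confirm the file is saved as UTF-8.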
active-directory Configure Azure Active Directory For Fedramp High Impact https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/standards/configure-azure-active-directory-for-fedramp-high-impact.md
# Configure Azure Active Directory to meet FedRAMP High Impact level
-The [Federal Risk and Authorization Management Program](https://www.fedramp.gov/) (FedRAMP) is an assessment and authorization process for cloud service providers (CSPs). Specifically, the process is for CSPs that create cloud solution offerings (CSOs) for use with federal agencies. Azure and Azure Government have earned a [Provisional Authority to Operate (P-ATO) at the High Impact level](https://docs.microsoft.com/compliance/regulatory/offering-fedramp) from the Joint Authorization Board, the highest bar for FedRAMP accreditation.
+The [Federal Risk and Authorization Management Program](https://www.fedramp.gov/) (FedRAMP) is an assessment and authorization process for cloud service providers (CSPs). Specifically, the process is for CSPs that create cloud solution offerings (CSOs) for use with federal agencies. Azure and Azure Government have earned a [Provisional Authority to Operate (P-ATO) at the High Impact level](/compliance/regulatory/offering-fedramp) from the Joint Authorization Board, the highest bar for FedRAMP accreditation.
Azure provides the capability to fulfill all control requirements to achieve a FedRAMP high rating for your CSO, or as a federal agency. It's your organizationΓÇÖs responsibility to complete additional configurations or processes to be compliant. This responsibility applies to both CSPs seeking a FedRAMP high authorization for their CSO, and federal agencies seeking an Authority to Operate (ATO). ## Microsoft and FedRAMP
-Microsoft Azure supports more services at [FedRAMP High Impact](https://docs.microsoft.com/azure/azure-government/compliance/azure-services-in-fedramp-auditscope) levels than any other CSP. And while this level in the Azure public cloud meets the needs of many US government customers, agencies with more stringent requirements might rely on the Azure Government cloud. Azure Government provides additional safeguards, such as the heightened screening of personnel.
+Microsoft Azure supports more services at [FedRAMP High Impact](../../azure-government/compliance/azure-services-in-fedramp-auditscope.md) levels than any other CSP. And while this level in the Azure public cloud meets the needs of many US government customers, agencies with more stringent requirements might rely on the Azure Government cloud. Azure Government provides additional safeguards, such as the heightened screening of personnel.
Microsoft is required to recertify its cloud services each year to maintain its authorizations. To do so, Microsoft continuously monitors and assesses its security controls, and demonstrates that the security of its services remains in compliance. For more information, see [Microsoft cloud services FedRAMP authorizations](https://marketplace.fedramp.gov/), and [Microsoft FedRAMP Audit Reports](https://aka.ms/MicrosoftFedRAMPAuditDocuments). To receive other FedRAMP reports, send email to [Azure Federal Documentation](mailto:AzFedDoc@microsoft.com).
The following is a list of FedRAMP resources:
* [Azure Compliance Offerings](https://aka.ms/azurecompliance)
-* [FedRAMP High blueprint sample overview](https://docs.microsoft.com/azure/governance/blueprints/samples/fedramp-h/)
+* [FedRAMP High blueprint sample overview](../../governance/blueprints/samples/fedramp-h/index.md)
-* [Microsoft 365 compliance center](https://docs.microsoft.com///microsoft-365/compliance/microsoft-365-compliance-center)
+* [Microsoft 365 compliance center](///microsoft-365/compliance/microsoft-365-compliance-center)
-* [Microsoft Compliance Manager](https://docs.microsoft.com///microsoft-365/compliance/compliance-manager)
+* [Microsoft Compliance Manager](///microsoft-365/compliance/compliance-manager)
## Next steps
The following is a list of FedRAMP resources:
[Configure other controls](fedramp-other-controls.md)
-
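Review bot: The last two entries in the resources list are broken links: stripping the `https://docs.microsoft.com` prefix from `https://docs.microsoft.com///microsoft-365/...` leaves `///microsoft-365/compliance/microsoft-365-compliance-center` and `///microsoft-365/compliance/compliance-manager`, and a link beginning with `//` is scheme-relative, so it resolves against an empty host rather than docs.microsoft.com. Suggest a single leading slash, i.e. `[Microsoft 365 compliance center](/microsoft-365/compliance/microsoft-365-compliance-center)` and `[Microsoft Compliance Manager](/microsoft-365/compliance/compliance-manager)`, matching the form already used for `/compliance/regulatory/offering-fedramp` earlier in this hunk. Unrelated to the link rewrite but in the same region: the "Next steps" section repeats the "The following is a list of FedRAMP resources:" lead-in from the previous section even though it contains only the "Configure other controls" link; that sentence could be dropped or changed to something like "Continue with:".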
active-directory Fedramp Access Controls https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/standards/fedramp-access-controls.md
Each row in the following table provides prescriptive guidance to help you devel
| Control ID | Customer responsibilities and guidance | | - | - |
-| AC-02 | **Implement account lifecycle management for customer-controlled accounts. Monitor the use of accounts and notify account managers of account lifecycle events. Review accounts for compliance with account management requirements every month for privileged access and every six months for nonprivileged access.**<p>Use Azure AD to provision accounts from external HR systems, on-premises Active Directory, or directly in the cloud. All account lifecycle operations are audited within the Azure AD audit logs. You can collect and analyze logs by using a Security Information and Event Management (SIEM) solution such as Azure Sentinel. Alternatively, you can use Azure Event Hubs to integrate logs with third-party SIEM solutions to enable monitoring and notification. Use Azure AD entitlement management with access reviews to ensure compliance status of accounts.<p>Provision accounts<br><li>[Plan cloud HR application to Azure Active Directory user provisioning](/azure/active-directory/app-provisioning/plan-cloud-hr-provision)<br><li>[Azure AD Connect sync: Understand and customize synchronization](/azure/active-directory/hybrid/how-to-connect-sync-whatis)<br><li>[Add or delete users using Azure Active Directory](/azure/active-directory/fundamentals/add-users-azure-active-directory)<p>Monitor accounts<br><li>[Audit activity reports in the Azure Active Directory portal](/azure/active-directory/reports-monitoring/concept-audit-logs)<br><li>[Connect Azure Active Directory data to Azure Sentinel](/azure/sentinel/connect-azure-active-directory) <br><li>[Tutorial: Stream logs to an Azure event hub](/azure/active-directory/reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub)<p>Review accounts<br><li>[What is Azure AD entitlement management?](/azure/active-directory/governance/entitlement-management-overview)<br><li>[Create an access review of an access package in Azure AD entitlement 
management](/azure/active-directory/governance/entitlement-management-access-reviews-create)<br><li>[Review access of an access package in Azure AD entitlement management](/azure/active-directory/governance/entitlement-management-access-reviews-review-access)<p>Resources<br><li>[Administrator role permissions in Azure Active Directory](/azure/active-directory/roles/permissions-reference)<br><li>[Dynamic Groups in Azure AD](/azure/active-directory/enterprise-users/groups-create-rule) |
-| AC-02(1)| **Employ automated mechanisms to support management of customer-controlled accounts.**<p>Configure automated provisioning of customer-controlled accounts from external HR systems or on-premises Active Directory. For applications that support application provisioning, configure Azure AD to automatically create user identities and roles in cloud software as a solution (SaaS) applications that users need access to. In addition to creating user identities, automatic provisioning includes the maintenance and removal of user identities as status or roles change. To ease monitoring of account usage, you can stream Azure AD Identity Protection logs, which show risky users, risky sign-ins, and risk detections, and audit logs directly into Azure Sentinel or Event Hubs.<p>Provision<br><li>[Plan cloud HR application to Azure Active Directory user provisioning](/azure/active-directory/app-provisioning/plan-cloud-hr-provision)<br><li>[Azure AD Connect sync: Understand and customize synchronization](/azure/active-directory/hybrid/how-to-connect-sync-whatis)<br><li>[What is automated SaaS app user provisioning in Azure AD?](/azure/active-directory/app-provisioning/user-provisioning)<br><li>[SaaS app integration tutorials for use with Azure AD](/azure/active-directory/saas-apps/tutorial-list)<p>Monitor and audit<br><li>[Investigate risk](/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk)<br><li>[Audit activity reports in the Azure Active Directory portal](/azure/active-directory/reports-monitoring/concept-audit-logs)<br><li>[What is Azure Sentinel?](/azure/sentinel/overview)<br><li>[Azure Sentinel: Connect data from Azure Active Directory](/azure/sentinel/connect-azure-active-directory)<br><li>[Tutorial: Stream Azure Active Directory logs to an Azure event hub](/azure/active-directory/reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub)ΓÇÄ|
-| AC-02(2)<br>AC-02(3)| **Employ automated mechanisms to support automatically removing or disabling temporary and emergency accounts after 24 hours from last use and all customer-controlled accounts after 35 days of inactivity.**<p>Implement account management automation with Microsoft Graph and Azure AD PowerShell. Use Microsoft Graph to monitor sign-in activity and Azure AD PowerShell to take action on accounts within the required time frame. <p>Determine inactivity<br><li>[Manage inactive user accounts in Azure AD](/azure/active-directory/reports-monitoring/howto-manage-inactive-user-accounts)<br><li>[Manage stale devices in Azure AD](/azure/active-directory/devices/manage-stale-devices)<p>Remove or disable accounts<br><li>[Working with users in Microsoft Graph](/graph/api/resources/users)<br><li>[Get a user](/graph/api/user-get?tabs=http)<br><li>[Update user](/graph/api/user-update?tabs=http)<br><li>[Delete a user](/graph/api/user-delete?tabs=http)<p>Work with devices in Microsoft Graph<br><li>[Get device](/graph/api/device-get?tabs=http)<br><li>[Update device](/graph/api/device-update?tabs=http)<br><li>[Delete device](/graph/api/device-delete?tabs=http)<p>Use [Azure AD PowerShell](/powershell/module/azuread/)<br><li>[Get-AzureADUser](/powershell/module/azuread/get-azureaduser)<br><li>[Set-AzureADUser](/powershell/module/azuread/set-azureaduser)<br><li>[Get-AzureADDevice](/powershell/module/azuread/get-azureaddevice)<br><li>[Set-AzureADDevice](/powershell/module/azuread/set-azureaddevice) |
-| AC-02(4)| **Implement an automated audit and notification system for the lifecycle of managing customer-controlled accounts.**<p>All account lifecycle operations, such as account creation, modification, enabling, disabling, and removal actions, are audited within the Azure audit logs. You can stream the logs directly into Azure Sentinel or Event Hubs to help with notification.<p>Audit<br><li>[Audit activity reports in the Azure Active Directory portal](/azure/active-directory/reports-monitoring/concept-audit-logs)<br><li>[Azure Sentinel: Connect data from Azure Active Directory](/azure/sentinel/connect-azure-active-directory)<P>Notification<br><li>[What is Azure Sentinel?](/azure/sentinel/overview)<br><li>[Tutorial: Stream Azure Active Directory logs to an Azure event hub](/azure/active-directory/reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub) |
-| AC-02(5)| **Implement device log-out after a 15-minute period of inactivity.**<p>Implement device lock by using a conditional access policy that restricts access to compliant devices. Configure policy settings on the device to enforce device lock at the OS level with mobile device management (MDM) solutions such as Intune. Endpoint Manager or group policy objects can also be considered in hybrid deployments. For unmanaged devices, configure the Sign-In Frequency setting to force users to reauthenticate.<P>Conditional access<br><li>[Require device to be marked as compliant](/azure/active-directory/conditional-access/require-managed-devices)<br><li>[User sign-in frequency](/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime)<p>MDM policy<br><li>Configure devices for maximum minutes of inactivity until the screen locks and requires a password to unlock ([Android](/mem/intune/configuration/device-restrictions-android), [iOS](/mem/intune/configuration/device-restrictions-ios), [Windows 10](/mem/intune/configuration/device-restrictions-windows-10)). |
-| AC-02(7)| **Administer and monitor privileged role assignments by following a role-based access scheme for customer-controlled accounts. Disable or revoke privilege access for accounts when no longer appropriate.**<p>Implement Azure AD Privileged Identity Management with access reviews for privileged roles in Azure AD to monitor role assignments and remove role assignments when no longer appropriate. You can stream audit logs directly into Azure Sentinel or Event Hubs to help with monitoring.<p>Administer<br><li>[What is Azure AD Privileged Identity Management?](/azure/active-directory/privileged-identity-management/pim-configure)<br><li>[Activation maximum duration](/azure/active-directory/privileged-identity-management/pim-how-to-change-default-settings?tabs=new)<p>Monitor<br><li>[Create an access review of Azure AD roles in Privileged Identity Management](/azure/active-directory/privileged-identity-management/pim-how-to-start-security-review)<br><li>[View audit history for Azure AD roles in Privileged Identity Management](/azure/active-directory/privileged-identity-management/pim-how-to-use-audit-log?tabs=new)<br><li>[Audit activity reports in the Azure Active Directory portal](/azure/active-directory/reports-monitoring/concept-audit-logs)<br><li>[What is Azure Sentinel?](/azure/sentinel/overview)<br><li>[Connect data from Azure Active Directory](/azure/sentinel/connect-azure-active-directory)<br><li>[Tutorial: Stream Azure Active Directory logs to an Azure event hub](/azure/active-directory/reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub) |
-| AC-02(11)| **Enforce usage of customer-controlled accounts to meet customer-defined conditions or circumstances.**<p>Create conditional access policies to enforce access control decisions across users and devices.<p>Conditional access<br><li>[Create a conditional access policy](/azure/active-directory/authentication/tutorial-enable-azure-mfa?bc=/azure/active-directory/conditional-access/breadcrumb/toc.json&toc=/azure/active-directory/conditional-access/toc.json)<br><li>[What is conditional access?](/azure/active-directory/conditional-access/overview) |
-| AC-02(12)| **Monitor and report customer-controlled accounts with privileged access for atypical usage.**<p>For help with monitoring of atypical usage, you can stream Identity Protection logs, which show risky users, risky sign-ins, and risk detections, and audit logs, which help with correlation with privilege assignment, directly into a SIEM solution such as Azure Sentinel. You can also use Event Hubs to integrate logs with third-party SIEM solutions.<p>Identity protection<br><li>[What is Azure AD Identity Protection?](/azure/active-directory/identity-protection/overview-identity-protection)<br><li>[Investigate risk](/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk)<br><li>[Azure Active Directory Identity Protection notifications](/azure/active-directory/identity-protection/howto-identity-protection-configure-notifications)<p>Monitor accounts<br><li>[What is Azure Sentinel?](/azure/sentinel/overview)<br><li>[Audit activity reports in the Azure Active Directory portal](/azure/active-directory/reports-monitoring/concept-audit-logs)<br><li>[Connect Azure Active Directory data to Azure Sentinel](/azure/sentinel/connect-azure-active-directory) <br><li>[Tutorial: Stream logs to an Azure event hub](/azure/active-directory/reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub) |
-| AC-02(13)|**Disable customer-controlled accounts of users that pose a significant risk within one hour.**<p>In Azure AD Identity Protection, configure and enable a user risk policy with the threshold set to High. Create conditional access policies to block access for risky users and risky sign-ins. Configure risk policies to allow users to self-remediate and unblock subsequent sign-in attempts.<p>Identity protection<br><li>[What is Azure AD Identity Protection?](/azure/active-directory/identity-protection/overview-identity-protection)<p>Conditional access<br><li>[What is conditional access?](/azure/active-directory/conditional-access/overview)<br><li>[Create a conditional access policy](/azure/active-directory/authentication/tutorial-enable-azure-mfa?bc=/azure/active-directory/conditional-access/breadcrumb/toc.json&toc=/azure/active-directory/conditional-access/toc.json)<br><li>[Conditional access: User risk-based conditional access](/azure/active-directory/conditional-access/howto-conditional-access-policy-risk-user)<br><li>[Conditional access: Sign-in risk-based conditional access](/azure/active-directory/conditional-access/howto-conditional-access-policy-risk-user)<br><li>[Self-remediation with risk policy](/azure/active-directory/identity-protection/howto-identity-protection-remediate-unblock) |
-| AC-06(7)| **Review and validate all users with privileged access every year. Ensure privileges are reassigned (or removed if necessary) to align with organizational mission and business requirements.**<p>Use Azure AD entitlement management with access reviews for privileged users to verify if privileged access is required. <p>Access reviews<br><li>[What is Azure AD entitlement management?](/azure/active-directory/governance/entitlement-management-overview)<br><li>[Create an access review of Azure AD roles in Privileged Identity Management](/azure/active-directory/privileged-identity-management/pim-how-to-start-security-review)<br><li>[Review access of an access package in Azure AD entitlement management](/azure/active-directory/governance/entitlement-management-access-reviews-review-access) |
-| AC-07| **Enforce a limit of no more than three consecutive failed login attempts on customer-deployed resources within a 15-minute period. Lock the account for a minimum of three hours or until unlocked by an administrator.**<p>Enable custom smart lockout settings. Configure lockout threshold and lockout duration in seconds to implement these requirements. <p>Smart lockout<br><li>[Protect user accounts from attacks with Azure Active Directory smart lockout](/azure/active-directory/authentication/howto-password-smart-lockout)<br><li>[Manage Azure AD smart lockout values](/azure/active-directory/authentication/howto-password-smart-lockout) |
-| AC-08| **Display and require user acknowledgment of privacy and security notices before granting access to information systems.**<p>With Azure AD, you can deliver notification or banner messages for all apps that require and record acknowledgment before granting access. You can granularly target these terms of use policies to specific users (Member or Guest). You can also customize them per application via conditional access policies.<p>Terms of use<br><li>[Azure Active Directory terms of use](/azure/active-directory/conditional-access/terms-of-use)<br><li>[View report of who has accepted and declined](/azure/active-directory/conditional-access/terms-of-use) |
-| AC-10|**Limit concurrent sessions to three sessions for privileged access and two for nonprivileged access.** <p>Nowadays, users connect from multiple devices, sometimes simultaneously. Limiting concurrent sessions leads to a degraded user experience and provides limited security value. A better approach to address the intent behind this control is to adopt a zero-trust security posture. Conditions are explicitly validated before a session is created and continually validated throughout the life of a session. <p>In addition, use the following compensating controls. <p>Use conditional access policies to restrict access to compliant devices. Configure policy settings on the device to enforce user sign-in restrictions at the OS level with MDM solutions such as Intune. Endpoint Manager or group policy objects can also be considered in hybrid deployments.<p> Use Privileged Identity Management to further restrict and control privileged accounts. <p> Configure smart account lockout for invalid sign-in attempts.<p>**Implementation guidance** <p>Zero trust<br><li> [Securing identity with Zero Trust](/security/zero-trust/identity)<br><li>[Continuous access evaluation in Azure AD](/azure/active-directory/conditional-access/concept-continuous-access-evaluation)<p>Conditional access<br><li>[What is conditional access in Azure AD?](/azure/active-directory/conditional-access/overview)<br><li>[Require device to be marked as compliant](/azure/active-directory/conditional-access/require-managed-devices)<br><li>[User sign-in frequency](/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime)<p>Device policies<br><li>[Use PowerShell scripts on Windows 10 devices in Intune](/mem/intune/apps/intune-management-extension)<br><li>[Other smart card Group Policy settings and registry keys](/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings)<br><li>[Microsoft Endpoint Manager 
overview](/mem/endpoint-manager-overview)<p>Resources<br><li>[What is Azure AD Privileged Identity Management?](/azure/active-directory/privileged-identity-management/pim-configure)<br><li>[Protect user accounts from attacks with Azure Active Directory smart lockout](/azure/active-directory/authentication/howto-password-smart-lockout)<p>See AC-12 for more session reevaluation and risk mitigation guidance. |
-| AC-11<br>AC-11(1)| **Implement a session lock after a 15-minute period of inactivity or upon receiving a request from a user. Retain the session lock until the user reauthenticates. Conceal previously visible information when a session lock is initiated.**<p> Implement device lock by using a conditional access policy to restrict access to compliant devices. Configure policy settings on the device to enforce device lock at the OS level with MDM solutions such as Intune. Endpoint Manager or group policy objects can also be considered in hybrid deployments. For unmanaged devices, configure the Sign-In Frequency setting to force users to reauthenticate.<p>Conditional access<br><li>[Require device to be marked as compliant](/azure/active-directory/conditional-access/require-managed-devices)<br><li>[User sign-in frequency](/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime)<p>MDM policy<br><li>Configure devices for maximum minutes of inactivity until the screen locks ([Android](/mem/intune/configuration/device-restrictions-android), [iOS](/mem/intune/configuration/device-restrictions-ios), [Windows 10](/mem/intune/configuration/device-restrictions-windows-10)). |
-| AC-12| **Automatically terminate user sessions when organizational defined conditions or trigger events occur.**<p>Implement automatic user session reevaluation with Azure AD features such as risk-based conditional access and continuous access evaluation. You can implement inactivity conditions at a device level as described in AC-11.<p>Resources<br><li>[Sign-in risk-based conditional access](/azure/active-directory/conditional-access/howto-conditional-access-policy-risk)<br><li>[User risk-based conditional access](/azure/active-directory/conditional-access/howto-conditional-access-policy-risk-user)<br><li>[Continuous access evaluation](/azure/active-directory/conditional-access/concept-continuous-access-evaluation)
-| AC-12(1)| **Provide a logout capability for all sessions and display an explicit logout message.** <p>All Azure AD surfaced web interfaces provide a logout capability for user-initiated communications sessions. When SAML applications are integrated with Azure AD, implement single sign-out. <p>Logout capability<br><li>When the user selects [Sign-out everywhere](https://aka.ms/mysignins), all current issued tokens are revoked. <p>Display message<br>Azure AD automatically displays a message after user-initiated logout.<br><p>![Screenshot that shows an access control message.](media/fedramp/fedramp-access-controls-image-1.png)<p>Resources<br><li>[View and search your recent sign-in activity from the My Sign-Ins page](/azure/active-directory/user-help/my-account-portal-sign-ins-page)<br><li>[Single Sign-Out SAML Protocol](/azure/active-directory/develop/single-sign-out-saml-protocol) |
-| AC-20<br>AC-20(1)| **Establish terms and conditions that allow authorized individuals to access the customer-deployed resources from external information systems such as unmanaged devices and external networks.**<p>Require terms of use acceptance for authorized users who access resources from external systems. Implement conditional access policies to restrict access from external systems. Conditional access policies might also be integrated with Cloud App Security to provide controls for cloud and on-premises applications from external systems. Mobile application management in Intune can protect organization data at the application level, including custom apps and store apps, from managed devices that interact with external systems. An example would be accessing cloud services. You can use app management on organization-owned devices and personal devices.<P>Terms and conditions<br><li>[Terms of use: Azure Active Directory](/azure/active-directory/conditional-access/terms-of-use)<p>Conditional access<br><li>[Require device to be marked as compliant](/azure/active-directory/conditional-access/require-managed-devices)<br><li>[Conditions in conditional access policy: Device state (preview)](/azure/active-directory/conditional-access/concept-conditional-access-conditions)<br><li>[Protect with Microsoft Cloud App Security Conditional Access App Control](/cloud-app-security/proxy-intro-aad)<br><li>[Location condition in Azure Active Directory conditional access](/azure/active-directory/conditional-access/location-condition)<p>MDM<br><li>[What is Microsoft Intune?](/mem/intune/fundamentals/what-is-intune)<br><li>[What is Cloud App Security?](/cloud-app-security/what-is-cloud-app-security)<br><li>[What is app management in Microsoft Intune?](/mem/intune/apps/app-management)<p>Resource<br><li>[Integrate on-premises apps with Cloud App Security](/azure/active-directory/manage-apps/application-proxy-integrate-with-microsoft-cloud-application-security) |
+| AC-02 | **Implement account lifecycle management for customer-controlled accounts. Monitor the use of accounts and notify account managers of account lifecycle events. Review accounts for compliance with account management requirements every month for privileged access and every six months for nonprivileged access.**<p>Use Azure AD to provision accounts from external HR systems, on-premises Active Directory, or directly in the cloud. All account lifecycle operations are audited within the Azure AD audit logs. You can collect and analyze logs by using a Security Information and Event Management (SIEM) solution such as Azure Sentinel. Alternatively, you can use Azure Event Hubs to integrate logs with third-party SIEM solutions to enable monitoring and notification. Use Azure AD entitlement management with access reviews to ensure compliance status of accounts.<p>Provision accounts<br><li>[Plan cloud HR application to Azure Active Directory user provisioning](../app-provisioning/plan-cloud-hr-provision.md)<br><li>[Azure AD Connect sync: Understand and customize synchronization](../hybrid/how-to-connect-sync-whatis.md)<br><li>[Add or delete users using Azure Active Directory](../fundamentals/add-users-azure-active-directory.md)<p>Monitor accounts<br><li>[Audit activity reports in the Azure Active Directory portal](../reports-monitoring/concept-audit-logs.md)<br><li>[Connect Azure Active Directory data to Azure Sentinel](../../sentinel/connect-azure-active-directory.md) <br><li>[Tutorial: Stream logs to an Azure event hub](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md)<p>Review accounts<br><li>[What is Azure AD entitlement management?](../governance/entitlement-management-overview.md)<br><li>[Create an access review of an access package in Azure AD entitlement management](../governance/entitlement-management-access-reviews-create.md)<br><li>[Review access of an access package in Azure AD entitlement 
management](../governance/entitlement-management-access-reviews-review-access.md)<p>Resources<br><li>[Administrator role permissions in Azure Active Directory](../roles/permissions-reference.md)<br><li>[Dynamic Groups in Azure AD](../enterprise-users/groups-create-rule.md) |
+| AC-02(1)| **Employ automated mechanisms to support management of customer-controlled accounts.**<p>Configure automated provisioning of customer-controlled accounts from external HR systems or on-premises Active Directory. For applications that support application provisioning, configure Azure AD to automatically create user identities and roles in cloud software as a solution (SaaS) applications that users need access to. In addition to creating user identities, automatic provisioning includes the maintenance and removal of user identities as status or roles change. To ease monitoring of account usage, you can stream Azure AD Identity Protection logs, which show risky users, risky sign-ins, and risk detections, and audit logs directly into Azure Sentinel or Event Hubs.<p>Provision<br><li>[Plan cloud HR application to Azure Active Directory user provisioning](../app-provisioning/plan-cloud-hr-provision.md)<br><li>[Azure AD Connect sync: Understand and customize synchronization](../hybrid/how-to-connect-sync-whatis.md)<br><li>[What is automated SaaS app user provisioning in Azure AD?](../app-provisioning/user-provisioning.md)<br><li>[SaaS app integration tutorials for use with Azure AD](../saas-apps/tutorial-list.md)<p>Monitor and audit<br><li>[Investigate risk](../identity-protection/howto-identity-protection-investigate-risk.md)<br><li>[Audit activity reports in the Azure Active Directory portal](../reports-monitoring/concept-audit-logs.md)<br><li>[What is Azure Sentinel?](../../sentinel/overview.md)<br><li>[Azure Sentinel: Connect data from Azure Active Directory](../../sentinel/connect-azure-active-directory.md)<br><li>[Tutorial: Stream Azure Active Directory logs to an Azure event hub](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md)ΓÇÄ|
+| AC-02(2)<br>AC-02(3)| **Employ automated mechanisms to support automatically removing or disabling temporary and emergency accounts after 24 hours from last use and all customer-controlled accounts after 35 days of inactivity.**<p>Implement account management automation with Microsoft Graph and Azure AD PowerShell. Use Microsoft Graph to monitor sign-in activity and Azure AD PowerShell to take action on accounts within the required time frame. <p>Determine inactivity<br><li>[Manage inactive user accounts in Azure AD](../reports-monitoring/howto-manage-inactive-user-accounts.md)<br><li>[Manage stale devices in Azure AD](../devices/manage-stale-devices.md)<p>Remove or disable accounts<br><li>[Working with users in Microsoft Graph](/graph/api/resources/users)<br><li>[Get a user](/graph/api/user-get?tabs=http)<br><li>[Update user](/graph/api/user-update?tabs=http)<br><li>[Delete a user](/graph/api/user-delete?tabs=http)<p>Work with devices in Microsoft Graph<br><li>[Get device](/graph/api/device-get?tabs=http)<br><li>[Update device](/graph/api/device-update?tabs=http)<br><li>[Delete device](/graph/api/device-delete?tabs=http)<p>Use [Azure AD PowerShell](/powershell/module/azuread/)<br><li>[Get-AzureADUser](/powershell/module/azuread/get-azureaduser)<br><li>[Set-AzureADUser](/powershell/module/azuread/set-azureaduser)<br><li>[Get-AzureADDevice](/powershell/module/azuread/get-azureaddevice)<br><li>[Set-AzureADDevice](/powershell/module/azuread/set-azureaddevice) |
+| AC-02(4)| **Implement an automated audit and notification system for the lifecycle of managing customer-controlled accounts.**<p>All account lifecycle operations, such as account creation, modification, enabling, disabling, and removal actions, are audited within the Azure audit logs. You can stream the logs directly into Azure Sentinel or Event Hubs to help with notification.<p>Audit<br><li>[Audit activity reports in the Azure Active Directory portal](../reports-monitoring/concept-audit-logs.md)<br><li>[Azure Sentinel: Connect data from Azure Active Directory](../../sentinel/connect-azure-active-directory.md)<P>Notification<br><li>[What is Azure Sentinel?](../../sentinel/overview.md)<br><li>[Tutorial: Stream Azure Active Directory logs to an Azure event hub](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md) |
+| AC-02(5)| **Implement device log-out after a 15-minute period of inactivity.**<p>Implement device lock by using a conditional access policy that restricts access to compliant devices. Configure policy settings on the device to enforce device lock at the OS level with mobile device management (MDM) solutions such as Intune. Endpoint Manager or group policy objects can also be considered in hybrid deployments. For unmanaged devices, configure the Sign-In Frequency setting to force users to reauthenticate.<P>Conditional access<br><li>[Require device to be marked as compliant](../conditional-access/require-managed-devices.md)<br><li>[User sign-in frequency](../conditional-access/howto-conditional-access-session-lifetime.md)<p>MDM policy<br><li>Configure devices for maximum minutes of inactivity until the screen locks and requires a password to unlock ([Android](/mem/intune/configuration/device-restrictions-android), [iOS](/mem/intune/configuration/device-restrictions-ios), [Windows 10](/mem/intune/configuration/device-restrictions-windows-10)). |
+| AC-02(7)| **Administer and monitor privileged role assignments by following a role-based access scheme for customer-controlled accounts. Disable or revoke privilege access for accounts when no longer appropriate.**<p>Implement Azure AD Privileged Identity Management with access reviews for privileged roles in Azure AD to monitor role assignments and remove role assignments when no longer appropriate. You can stream audit logs directly into Azure Sentinel or Event Hubs to help with monitoring.<p>Administer<br><li>[What is Azure AD Privileged Identity Management?](../privileged-identity-management/pim-configure.md)<br><li>[Activation maximum duration](../privileged-identity-management/pim-how-to-change-default-settings.md?tabs=new)<p>Monitor<br><li>[Create an access review of Azure AD roles in Privileged Identity Management](../privileged-identity-management/pim-how-to-start-security-review.md)<br><li>[View audit history for Azure AD roles in Privileged Identity Management](../privileged-identity-management/pim-how-to-use-audit-log.md?tabs=new)<br><li>[Audit activity reports in the Azure Active Directory portal](../reports-monitoring/concept-audit-logs.md)<br><li>[What is Azure Sentinel?](../../sentinel/overview.md)<br><li>[Connect data from Azure Active Directory](../../sentinel/connect-azure-active-directory.md)<br><li>[Tutorial: Stream Azure Active Directory logs to an Azure event hub](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md) |
+| AC-02(11)| **Enforce usage of customer-controlled accounts to meet customer-defined conditions or circumstances.**<p>Create conditional access policies to enforce access control decisions across users and devices.<p>Conditional access<br><li>[Create a conditional access policy](../authentication/tutorial-enable-azure-mfa.md?bc=%2fazure%2factive-directory%2fconditional-access%2fbreadcrumb%2ftoc.json&toc=%2fazure%2factive-directory%2fconditional-access%2ftoc.json)<br><li>[What is conditional access?](../conditional-access/overview.md) |
+| AC-02(12)| **Monitor and report customer-controlled accounts with privileged access for atypical usage.**<p>For help with monitoring of atypical usage, you can stream Identity Protection logs, which show risky users, risky sign-ins, and risk detections, and audit logs, which help with correlation with privilege assignment, directly into a SIEM solution such as Azure Sentinel. You can also use Event Hubs to integrate logs with third-party SIEM solutions.<p>Identity protection<br><li>[What is Azure AD Identity Protection?](../identity-protection/overview-identity-protection.md)<br><li>[Investigate risk](../identity-protection/howto-identity-protection-investigate-risk.md)<br><li>[Azure Active Directory Identity Protection notifications](../identity-protection/howto-identity-protection-configure-notifications.md)<p>Monitor accounts<br><li>[What is Azure Sentinel?](../../sentinel/overview.md)<br><li>[Audit activity reports in the Azure Active Directory portal](../reports-monitoring/concept-audit-logs.md)<br><li>[Connect Azure Active Directory data to Azure Sentinel](../../sentinel/connect-azure-active-directory.md) <br><li>[Tutorial: Stream logs to an Azure event hub](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md) |
+| AC-02(13)|**Disable customer-controlled accounts of users that pose a significant risk within one hour.**<p>In Azure AD Identity Protection, configure and enable a user risk policy with the threshold set to High. Create conditional access policies to block access for risky users and risky sign-ins. Configure risk policies to allow users to self-remediate and unblock subsequent sign-in attempts.<p>Identity protection<br><li>[What is Azure AD Identity Protection?](../identity-protection/overview-identity-protection.md)<p>Conditional access<br><li>[What is conditional access?](../conditional-access/overview.md)<br><li>[Create a conditional access policy](../authentication/tutorial-enable-azure-mfa.md?bc=%2fazure%2factive-directory%2fconditional-access%2fbreadcrumb%2ftoc.json&toc=%2fazure%2factive-directory%2fconditional-access%2ftoc.json)<br><li>[Conditional access: User risk-based conditional access](../conditional-access/howto-conditional-access-policy-risk-user.md)<br><li>[Conditional access: Sign-in risk-based conditional access](../conditional-access/howto-conditional-access-policy-risk-user.md)<br><li>[Self-remediation with risk policy](../identity-protection/howto-identity-protection-remediate-unblock.md) |
+| AC-06(7)| **Review and validate all users with privileged access every year. Ensure privileges are reassigned (or removed if necessary) to align with organizational mission and business requirements.**<p>Use Azure AD entitlement management with access reviews for privileged users to verify if privileged access is required. <p>Access reviews<br><li>[What is Azure AD entitlement management?](../governance/entitlement-management-overview.md)<br><li>[Create an access review of Azure AD roles in Privileged Identity Management](../privileged-identity-management/pim-how-to-start-security-review.md)<br><li>[Review access of an access package in Azure AD entitlement management](../governance/entitlement-management-access-reviews-review-access.md) |
+| AC-07| **Enforce a limit of no more than three consecutive failed login attempts on customer-deployed resources within a 15-minute period. Lock the account for a minimum of three hours or until unlocked by an administrator.**<p>Enable custom smart lockout settings. Configure lockout threshold and lockout duration in seconds to implement these requirements. <p>Smart lockout<br><li>[Protect user accounts from attacks with Azure Active Directory smart lockout](../authentication/howto-password-smart-lockout.md)<br><li>[Manage Azure AD smart lockout values](../authentication/howto-password-smart-lockout.md) |
+| AC-08| **Display and require user acknowledgment of privacy and security notices before granting access to information systems.**<p>With Azure AD, you can deliver notification or banner messages for all apps that require and record acknowledgment before granting access. You can granularly target these terms of use policies to specific users (Member or Guest). You can also customize them per application via conditional access policies.<p>Terms of use<br><li>[Azure Active Directory terms of use](../conditional-access/terms-of-use.md)<br><li>[View report of who has accepted and declined](../conditional-access/terms-of-use.md) |
+| AC-10|**Limit concurrent sessions to three sessions for privileged access and two for nonprivileged access.** <p>Nowadays, users connect from multiple devices, sometimes simultaneously. Limiting concurrent sessions leads to a degraded user experience and provides limited security value. A better approach to address the intent behind this control is to adopt a zero-trust security posture. Conditions are explicitly validated before a session is created and continually validated throughout the life of a session. <p>In addition, use the following compensating controls. <p>Use conditional access policies to restrict access to compliant devices. Configure policy settings on the device to enforce user sign-in restrictions at the OS level with MDM solutions such as Intune. Endpoint Manager or group policy objects can also be considered in hybrid deployments.<p> Use Privileged Identity Management to further restrict and control privileged accounts. <p> Configure smart account lockout for invalid sign-in attempts.<p>**Implementation guidance** <p>Zero trust<br><li> [Securing identity with Zero Trust](/security/zero-trust/identity)<br><li>[Continuous access evaluation in Azure AD](../conditional-access/concept-continuous-access-evaluation.md)<p>Conditional access<br><li>[What is conditional access in Azure AD?](../conditional-access/overview.md)<br><li>[Require device to be marked as compliant](../conditional-access/require-managed-devices.md)<br><li>[User sign-in frequency](../conditional-access/howto-conditional-access-session-lifetime.md)<p>Device policies<br><li>[Use PowerShell scripts on Windows 10 devices in Intune](/mem/intune/apps/intune-management-extension)<br><li>[Other smart card Group Policy settings and registry keys](/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings)<br><li>[Microsoft Endpoint Manager overview](/mem/endpoint-manager-overview)<p>Resources<br><li>[What is Azure AD Privileged Identity 
Management?](../privileged-identity-management/pim-configure.md)<br><li>[Protect user accounts from attacks with Azure Active Directory smart lockout](../authentication/howto-password-smart-lockout.md)<p>See AC-12 for more session reevaluation and risk mitigation guidance. |
+| AC-11<br>AC-11(1)| **Implement a session lock after a 15-minute period of inactivity or upon receiving a request from a user. Retain the session lock until the user reauthenticates. Conceal previously visible information when a session lock is initiated.**<p> Implement device lock by using a conditional access policy to restrict access to compliant devices. Configure policy settings on the device to enforce device lock at the OS level with MDM solutions such as Intune. Endpoint Manager or group policy objects can also be considered in hybrid deployments. For unmanaged devices, configure the Sign-In Frequency setting to force users to reauthenticate.<p>Conditional access<br><li>[Require device to be marked as compliant](../conditional-access/require-managed-devices.md)<br><li>[User sign-in frequency](../conditional-access/howto-conditional-access-session-lifetime.md)<p>MDM policy<br><li>Configure devices for maximum minutes of inactivity until the screen locks ([Android](/mem/intune/configuration/device-restrictions-android), [iOS](/mem/intune/configuration/device-restrictions-ios), [Windows 10](/mem/intune/configuration/device-restrictions-windows-10)). |
+| AC-12| **Automatically terminate user sessions when organizational defined conditions or trigger events occur.**<p>Implement automatic user session reevaluation with Azure AD features such as risk-based conditional access and continuous access evaluation. You can implement inactivity conditions at a device level as described in AC-11.<p>Resources<br><li>[Sign-in risk-based conditional access](../conditional-access/howto-conditional-access-policy-risk.md)<br><li>[User risk-based conditional access](../conditional-access/howto-conditional-access-policy-risk-user.md)<br><li>[Continuous access evaluation](../conditional-access/concept-continuous-access-evaluation.md)
+| AC-12(1)| **Provide a logout capability for all sessions and display an explicit logout message.** <p>All Azure AD surfaced web interfaces provide a logout capability for user-initiated communications sessions. When SAML applications are integrated with Azure AD, implement single sign-out. <p>Logout capability<br><li>When the user selects [Sign-out everywhere](https://aka.ms/mysignins), all current issued tokens are revoked. <p>Display message<br>Azure AD automatically displays a message after user-initiated logout.<br><p>![Screenshot that shows an access control message.](medi) |
+| AC-20<br>AC-20(1)| **Establish terms and conditions that allow authorized individuals to access the customer-deployed resources from external information systems such as unmanaged devices and external networks.**<p>Require terms of use acceptance for authorized users who access resources from external systems. Implement conditional access policies to restrict access from external systems. Conditional access policies might also be integrated with Cloud App Security to provide controls for cloud and on-premises applications from external systems. Mobile application management in Intune can protect organization data at the application level, including custom apps and store apps, from managed devices that interact with external systems. An example would be accessing cloud services. You can use app management on organization-owned devices and personal devices.<P>Terms and conditions<br><li>[Terms of use: Azure Active Directory](../conditional-access/terms-of-use.md)<p>Conditional access<br><li>[Require device to be marked as compliant](../conditional-access/require-managed-devices.md)<br><li>[Conditions in conditional access policy: Device state (preview)](../conditional-access/concept-conditional-access-conditions.md)<br><li>[Protect with Microsoft Cloud App Security Conditional Access App Control](/cloud-app-security/proxy-intro-aad)<br><li>[Location condition in Azure Active Directory conditional access](../conditional-access/location-condition.md)<p>MDM<br><li>[What is Microsoft Intune?](/mem/intune/fundamentals/what-is-intune)<br><li>[What is Cloud App Security?](/cloud-app-security/what-is-cloud-app-security)<br><li>[What is app management in Microsoft Intune?](/mem/intune/apps/app-management)<p>Resource<br><li>[Integrate on-premises apps with Cloud App Security](../app-proxy/application-proxy-integrate-with-microsoft-cloud-application-security.md) |
## Next steps - [FedRAMP compliance overview](configure-azure-active-directory-for-fedramp-high-impact.md) - [Configure identification and authentication controls to meet FedRAMP High Impact level](fedramp-identification-and-authentication-controls.md)-- [Configure additional controls to meet FedRAMP High Impact level](fedramp-other-controls.md)-
+- [Configure additional controls to meet FedRAMP High Impact level](fedramp-other-controls.md)
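Review bot: In the AC-02(13) row the "Conditional access: Sign-in risk-based conditional access" link points at `../conditional-access/howto-conditional-access-policy-risk-user.md`, the same target as the user-risk link immediately before it; the AC-12 row in this same hunk uses `../conditional-access/howto-conditional-access-policy-risk.md` for the sign-in risk article, so this one should too. Two more fixes in the same table: the AC-12(1) screenshot reference `![Screenshot that shows an access control message.](medi)` has a truncated path and will render as a broken image, and its statement that after Sign-out everywhere "all current issued tokens are revoked" overstates the effect, since that action revokes refresh tokens and browser sessions while access tokens already issued remain valid until they expire unless the client supports continuous access evaluation (which the AC-12 row already links); say so, because an auditor reading this row will otherwise assume immediate revocation. In the AC-02(5) and AC-11 rows, sign-in frequency is a fixed interval measured from the last authentication rather than an inactivity timer, so it should be described as a periodic-reauthentication compensating control, not as a way to implement the 15-minute inactivity lock on unmanaged devices. The AC-07 row would be more actionable if it named the values the requirement implies (lockout threshold 3, lockout duration 10800 seconds) and noted that in hybrid tenants the Azure AD threshold should be set below the on-premises AD DS threshold so the cloud lockout fires first. Finally, the AC-12 row is the only one in the table without a closing `|`.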
active-directory Nist About Authenticator Assurance Levels https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/standards/nist-about-authenticator-assurance-levels.md
The FedRAMP audit of Azure and Azure Government included the information securit
Azure continues to support more services at FedRAMP High Impact levels than any other cloud provider. And while FedRAMP High in the Azure public cloud meets the needs of many US government customers, agencies with more stringent requirements rely on Azure Government. Azure Government provides additional safeguards, such as the heightened screening of personnel. Microsoft lists all Azure public services currently available in Azure Government to the FedRAMP High boundary, as well as services planned for the current year.
-In addition, Microsoft is fully committed to [protecting and managing customer data](https://www.microsoft.com/trust-center/privacy/data-management) with clearly stated records retention policies. As a global company with customers in nearly every country in the world, Microsoft has a robust compliance portfolio to assist you. To view a complete list of our compliance offerings, see [Microsoft compliance offering](https://docs.microsoft.com/compliance/regulatory/offering-home).
+In addition, Microsoft is fully committed to [protecting and managing customer data](https://www.microsoft.com/trust-center/privacy/data-management) with clearly stated records retention policies. As a global company with customers in nearly every country in the world, Microsoft has a robust compliance portfolio to assist you. To view a complete list of our compliance offerings, see [Microsoft compliance offering](/compliance/regulatory/offering-home).
## Next steps
In addition, Microsoft is fully committed to [protecting and managing customer d
[Achieve NIST AAL2 with Azure AD](nist-authenticator-assurance-level-2.md) [Achieve NIST AAL3 with Azure AD](nist-authenticator-assurance-level-3.md)
-ΓÇÄ
+ΓÇÄ
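Review bot: The final `-ΓÇÄ` / `+ΓÇÄ` pair in this hunk changes nothing visible: `ΓÇÄ` is the UTF-8 encoding of the left-to-right mark (U+200E) displayed through code page 437, so after the change the file still ends with a stray invisible control character. If the intent was to clean up the trailing line, delete it outright rather than rewriting it, and check the other files in this change for the same character. The rewrite of `https://docs.microsoft.com/compliance/regulatory/offering-home` to the root-relative `/compliance/regulatory/offering-home` is fine and consistent with the rest of the series.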
active-directory Nist Authentication Basics https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/standards/nist-authentication-basics.md
The following terminology is used throughout these NIST articles.
Trusted Platform Module technology is designed to provide hardware-based security-related functions. A TPM chip, or hardware TPM, is a secure cryptographic processor that helps you with actions like generating, storing, and limiting the use of cryptographic keys.
-Microsoft provides significant information on how TPMs work with Windows. For more information, see [Trusted Platform Module](https://docs.microsoft.com/windows/security/information-protection/tpm/trusted-platform-module-top-node).
+Microsoft provides significant information on how TPMs work with Windows. For more information, see [Trusted Platform Module](/windows/security/information-protection/tpm/trusted-platform-module-top-node).
A software TPM is an emulator that mimics hardware TPM functionality.
NIST provides limited guidance about the relative strength of authentication fac
* [Password complexity requirements](https://www.microsoft.com/research/wp-content/uploads/2016/06/Microsoft_Password_Guidance-1.pdf)
-* [Banned passwords](https://docs.microsoft.com/azure/active-directory/authentication/tutorial-configure-custom-password-protection)
+* [Banned passwords](../authentication/tutorial-configure-custom-password-protection.md)
-* [Leaked credentials identification](https://docs.microsoft.com/azure/active-directory/identity-protection/overview-identity-protection)
+* [Leaked credentials identification](../identity-protection/overview-identity-protection.md)
* [Secure hashed storage](https://aka.ms/AADDataWhitepaper)
-* [Account lockout](https://docs.microsoft.com/azure/active-directory/authentication/howto-password-smart-lockout)
+* [Account lockout](../authentication/howto-password-smart-lockout.md)
**Something you have**. The strength of *something you have* is based on how likely the subscriber is to keep it in possession and the difficulty for an attacker to gain access to it. For example, when you're trying to protect against internal threats, a personal mobile device or hardware key will have a higher affinity. So it will be more secure than a desktop computer in an office.
One example is the Microsoft Authenticator app used in passwordless mode. With t
[Achieving NIST AAL2 by using Azure AD](nist-authenticator-assurance-level-2.md)
-[Achieving NIST AAL3 by using Azure AD](nist-authenticator-assurance-level-3.md)
+[Achieving NIST AAL3 by using Azure AD](nist-authenticator-assurance-level-3.md)
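Review bot: The closing `-`/`+` pair for `[Achieving NIST AAL3 by using Azure AD](nist-authenticator-assurance-level-3.md)` shows no visible difference, so it is presumably a trailing newline or whitespace fix at end of file; the same pattern appears in the AAL2 and authenticator-types files in this change, and a word in the commit message would save the next reviewer from diffing bytes. The conversions of the "Something you know" links to file-relative paths are consistent with the sibling articles; the untouched `[Secure hashed storage](https://aka.ms/AADDataWhitepaper)` bullet beside them is still an aka.ms redirect, and since the AAL3 file in this same change replaces `https://aka.ms/NIST/38` with its real target, consider doing the same here if the whitepaper has a stable docs URL.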
active-directory Nist Authenticator Assurance Level 2 https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/standards/nist-authenticator-assurance-level-2.md
The following table provides details about the authenticator types permitted for
To achieve AAL2, use multifactor cryptographic hardware or software authenticators. Passwordless authentication eliminates the greatest attack surface (the password), and offers users a streamlined method to authenticate.
-For detailed guidance on selecting a passwordless authentication method, see [Plan a passwordless authentication deployment in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/authentication/howto-authentication-passwordless-deployment).
+For detailed guidance on selecting a passwordless authentication method, see [Plan a passwordless authentication deployment in Azure Active Directory](../authentication/howto-authentication-passwordless-deployment.md).
-For more information on implementing Windows Hello for Business, see the [Windows Hello for Business deployment guide](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-deployment-guide).
+For more information on implementing Windows Hello for Business, see the [Windows Hello for Business deployment guide](/windows/security/identity-protection/hello-for-business/hello-deployment-guide).
## FIPS 140 validation
Azure AD uses the Windows FIPS 140 Level 1 overall validated cryptographic ΓÇÄmo
### Authenticator requirements
-The cryptographic authenticators of government agencies are required to be validated for FIPS 140 Level 1 overall. This isn't a requirement for non-governmental agencies. The following Azure AD authenticators meet the requirement when running on [Windows in a FIPS 140 approved mode of operation](https://docs.microsoft.com/windows/security/threat-protection/fips-140-validation):
+The cryptographic authenticators of government agencies are required to be validated for FIPS 140 Level 1 overall. This isn't a requirement for non-governmental agencies. The following Azure AD authenticators meet the requirement when running on [Windows in a FIPS 140 approved mode of operation](/windows/security/threat-protection/fips-140-validation):
* Password
The cryptographic authenticators of government agencies are required to be valid
While the Microsoft Authenticator app in all its modes (notification, OTP and passwordless) uses FIPS 140 approved cryptography, it is not FIPS 140 Level 1 validated.
-FIDO2 security key providers are in various stages of FIPS certification, including some that have completed validation. We recommend you review the [list of supported FIDO2 key vendors](https://docs.microsoft.com/azure/active-directory/authentication/concept-authentication-passwordless#fido2-security-key-providers) and check with your provider for current FIPS validation status.
+FIDO2 security key providers are in various stages of FIPS certification, including some that have completed validation. We recommend you review the [list of supported FIDO2 key vendors](../authentication/concept-authentication-passwordless.md#fido2-security-key-providers) and check with your provider for current FIPS validation status.
## Reauthentication At the AAL2 level, NIST requires reauthentication every 12 hours, regardless of user activity. Reauthentication is also required after any period of inactivity lasting 30 minutes or longer. Presentation of something you know or something you are is required, because the session secret is something you have.
-To meet the requirement for reauthentication regardless of user activity, Microsoft recommends configuring [user sign-in frequency](https://docs.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime) to 12 hours.
+To meet the requirement for reauthentication regardless of user activity, Microsoft recommends configuring [user sign-in frequency](../conditional-access/howto-conditional-access-session-lifetime.md) to 12 hours.
NIST also allows the use of compensating controls for confirming the subscriberΓÇÖs presence:
All Azure AD authentication methods at AAL2 use either nonce or challenges. The
[Achieve NIST AAL2 with Azure AD](nist-authenticator-assurance-level-2.md)
-[Achieve NIST AAL3 with Azure AD](nist-authenticator-assurance-level-3.md)
+[Achieve NIST AAL3 with Azure AD](nist-authenticator-assurance-level-3.md)
active-directory Nist Authenticator Assurance Level 3 https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/standards/nist-authenticator-assurance-level-3.md
We recommend using a multifactor cryptographic hardware authenticator to achieve
Note that FIDO2 keys and Windows Hello for Business haven't been validated at the required FIPS 140 Security Level. So federal customers need to conduct risk assessment and evaluation before accepting these authenticators as AAL3.
-For detailed guidance, see [Plan a passwordless authentication deployment in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/authentication/howto-authentication-passwordless-deployment).
+For detailed guidance, see [Plan a passwordless authentication deployment in Azure Active Directory](../authentication/howto-authentication-passwordless-deployment.md).
-For more information on implementing Windows Hello for Business, see the [Windows Hello for Business deployment guide](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-deployment-guide).
+For more information on implementing Windows Hello for Business, see the [Windows Hello for Business deployment guide](/windows/security/identity-protection/hello-for-business/hello-deployment-guide).
## FIPS 140 validation
Single-factor and multifactor cryptographic hardware authenticators have differe
Azure AD joined and Hybrid Azure AD joined devices meet this requirement when:
-* You run [Windows in a FIPS-140 approved mode of operation](https://docs.microsoft.com/windows/security/threat-protection/fips-140-validation).
+* You run [Windows in a FIPS-140 approved mode of operation](/windows/security/threat-protection/fips-140-validation).
* On a machine with a TPM that's FIPS 140 Level 1 Overall (or higher) with FIPS 140 Level 3 Physical Security.
Check with your mobile device vendor to learn about your vendor's adherence with
FIDO2 security keys, smart cards, and Windows Hello for Business can help you meet these requirements.
-* FIDO2 key providers are in various stages of FIPS certification, including some that have completed validation. We recommend you review the [list of supported FIDO2 key vendors](https://docs.microsoft.com/azure/active-directory/authentication/concept-authentication-passwordless#fido2-security-key-providers) and check with your provider for current FIPS validation status.
+* FIDO2 key providers are in various stages of FIPS certification, including some that have completed validation. We recommend you review the [list of supported FIDO2 key vendors](../authentication/concept-authentication-passwordless.md#fido2-security-key-providers) and check with your provider for current FIPS validation status.
* Smart cards are a proven technology. Multiple vendor products meet FIPS requirements.
FIPS 140 requires the entire cryptographic boundary, including software, firmwar
At the AAL3 level, NIST requires reauthentication every 12 hours, regardless of user activity. Reauthentication is also required after any period of inactivity that lasts 15 minutes or longer. Presentation of both factors is required.
-To meet the requirement for reauthentication regardless of user activity, Microsoft recommends configuring [user sign-in frequency](https://aka.ms/NIST/38) to 12 hours.
+To meet the requirement for reauthentication regardless of user activity, Microsoft recommends configuring [user sign-in frequency](../conditional-access/howto-conditional-access-session-lifetime.md) to 12 hours.
NIST also allows the use of compensating controls for confirming the subscriber's presence:
NIST allows the use of compensating controls for mitigating malware risk. Any In
[Achieving NIST AAL1 by using Azure AD](nist-authenticator-assurance-level-1.md)
-[Achieving NIST AAL2 by using Azure AD](nist-authenticator-assurance-level-2.md)
--
+[Achieving NIST AAL2 by using Azure AD](nist-authenticator-assurance-level-2.md)
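Review bot: Replacing `https://aka.ms/NIST/38` with `../conditional-access/howto-conditional-access-session-lifetime.md` in the reauthentication paragraph is the right call: the short link hid the destination from anyone reading the source, and the AAL2 article in this change now points at the same file, so the two assurance-level pages agree. The removal of the stray `-` line before the final AAL2 link (`--` in the hunk) is a harmless cleanup, though note the preceding context line still says FIDO2 keys and Windows Hello for Business "haven't been validated at the required FIPS 140 Security Level", which will need revisiting as vendors complete validation.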
active-directory Nist Authenticator Types https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/standards/nist-authenticator-types.md
The authentication process begins when a claimant asserts its control of one of
<sup data-htmlnode="">1</sup> OATH-TOTP SHA-1 tokens of the 30-second or 60-second variety.
-<sup data-htmlnode="">2</sup> For more information on device join states, see [Azure AD device identity documentation](https://docs.microsoft.com/azure/active-directory/devices/).
+<sup data-htmlnode="">2</sup> For more information on device join states, see [Azure AD device identity documentation](../devices/index.yml).
## Why SMS isn't recommended
SMS text messages meet the NIST standard, but NIST doesn't recommend them. The r
[Achieve NIST AAL2 with Azure AD](nist-authenticator-assurance-level-2.md)
-[Achieve NIST AAL3 with Azure AD](nist-authenticator-assurance-level-3.md)
+[Achieve NIST AAL3 with Azure AD](nist-authenticator-assurance-level-3.md)
active-directory Standards Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/standards/standards-overview.md
In today's world of interconnected infrastructures, compliance with governmental and industry frameworks and standards is often mandatory.
-Compliance frameworks can be extremely complex. Microsoft engages with governments, regulators, and standards bodies to understand and meet compliance needs in its Azure platform. You can take advantage of more than [90 Azure compliance certifications](https://docs.microsoft.com/azure/compliance). These compliance offerings include many that are specific to global regions and countries. Azure also offers 35 compliance offerings specific to key industries, including health, government, finance, education, manufacturing, and media.
+Compliance frameworks can be extremely complex. Microsoft engages with governments, regulators, and standards bodies to understand and meet compliance needs in its Azure platform. You can take advantage of more than [90 Azure compliance certifications](../../compliance/index.yml). These compliance offerings include many that are specific to global regions and countries. Azure also offers 35 compliance offerings specific to key industries, including health, government, finance, education, manufacturing, and media.
## Azure compliance provides a head start Compliance is a shared responsibility among Microsoft, cloud service providers (CSPs), and organizations. You can rely on Azure compliance certifications as a basis for your compliance, and then configure Azure Active Directory to meet identity standards. CSPs, governmental agencies, and those who work with them must often meet stringent standards for one or more governments. These standards can include the following:
-* [US Federal Risk and Authorization Management Program (FedRAMP)](https://docs.microsoft.com/azure/compliance/offerings/offering-fedramp)
-* [National Institute of Standards and Technologies (NIST)](https://docs.microsoft.com/azure/compliance/offerings/offering-nist-800-53).
+* [US Federal Risk and Authorization Management Program (FedRAMP)](/azure/compliance/offerings/offering-fedramp)
+* [National Institute of Standards and Technologies (NIST)](/azure/compliance/offerings/offering-nist-800-53).
CSPs and organizations in industries such as healthcare and finance must also meet industry standards, such as:
-* [HIPPA](https://docs.microsoft.com/azure/compliance/offerings/offering-hipaa-us)
-* [Sorbanes-Oxley (SOX)](https://docs.microsoft.com/azure/compliance/offerings/offering-sox-us)
+* [HIPPA](/azure/compliance/offerings/offering-hipaa-us)
+* [Sorbanes-Oxley (SOX)](/azure/compliance/offerings/offering-sox-us)
-To learn more about supported compliance frameworks, see [Azure compliance offerings](https://docs.microsoft.com/azure/compliance/offerings/).
+To learn more about supported compliance frameworks, see [Azure compliance offerings](/azure/compliance/offerings/).
## Next steps
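Review bot: The lines `+* [HIPPA](/azure/compliance/offerings/offering-hipaa-us)` and `+* [Sorbanes-Oxley (SOX)](/azure/compliance/offerings/offering-sox-us)` are rewritten in this hunk but carry the misspellings through: the link text should read HIPAA (the target slug already spells it correctly) and Sarbanes-Oxley. In the same way, `National Institute of Standards and Technologies (NIST)` should be Technology, and that bullet ends with a period while its FedRAMP sibling does not. One more consistency point: the first hunk in this file uses a file-relative path (`../../compliance/index.yml`) while the later ones use root-relative paths (`/azure/compliance/offerings/...`); the two resolve to the same tree, so pick one form within the file.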
active-directory My Apps Portal End User Access https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/user-help/my-apps-portal-end-user-access.md
The **My Apps Secure Sign-in Extension** helps you:
- Sign in directly to apps from the sign-in page. - Start any apps using the **Quick search** feature. - See the last apps you used in the **Recently Used** section.-- Use internal company URLs when remote using [Application Proxy](../manage-apps/application-proxy.md).
+- Use internal company URLs when remote using [Application Proxy](../app-proxy/application-proxy.md).
### To download and install the extension
advisor Advisor High Availability Recommendations https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/advisor/advisor-high-availability-recommendations.md
Azure Advisor identifies Azure Cosmos DB accounts that are using old versions of
## Upgrade your Azure Cosmos DB Spark connector to the latest version from Maven
-Azure Advisor identifies Azure Cosmos DB accounts that are using old versions of the Azure Cosmos DB Spark connector. It recommends that you upgrade to the latest version from Maven for the latest fixes, performance improvements, and feature capabilities. [Learn more about Azure Cosmos DB Spark connector.](../cosmos-db/spark-connector.md)
+Azure Advisor identifies Azure Cosmos DB accounts that are using old versions of the Azure Cosmos DB Spark connector. It recommends that you upgrade to the latest version from Maven for the latest fixes, performance improvements, and feature capabilities. [Learn more about Azure Cosmos DB Spark connector.](../cosmos-db/create-sql-api-spark.md)
## Consider moving to Kafka 2.1 on HDInsight 4.0
aks Aks Migration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/aks-migration.md
In this article we will summarize migration details for:
Azure Migrate offers a unified platform to assess and migrate to Azure on-premises servers, infrastructure, applications, and data. For AKS, you can use Azure Migrate for the following tasks:
-* [Containerize ASP.NET applications and migrate to AKS](/azure/migrate/tutorial-app-containerization-aspnet-kubernetes)
+* [Containerize ASP.NET applications and migrate to AKS](../migrate/tutorial-app-containerization-aspnet-kubernetes.md)
* [Containerize Java web applications and migrate to AKS](../migrate/tutorial-containerize-java-kubernetes.md) ## AKS with Standard Load Balancer and Virtual Machine Scale Sets
In this article, we summarized migration details for:
> * Deployment of your cluster configuration
-[region-availability]: https://azure.microsoft.com/global-infrastructure/services/?products=kubernetes-service
+[region-availability]: https://azure.microsoft.com/global-infrastructure/services/?products=kubernetes-service
aks Api Server Authorized Ip Ranges https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/api-server-authorized-ip-ranges.md
For more information, see [Security concepts for applications and clusters in AK
<!-- LINKS - external --> [cni-networking]: https://github.com/Azure/azure-container-networking/blob/master/docs/cni.md
-[dev-spaces-ranges]: ../dev-spaces/configure-networking.md#aks-cluster-network-requirements
+[dev-spaces-ranges]: ../dev-spaces/index.yml#aks-cluster-network-requirements
[kubenet]: https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/#kubenet <!-- LINKS - internal -->
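Review bot: `[dev-spaces-ranges]: ../dev-spaces/index.yml#aks-cluster-network-requirements` attaches a heading fragment to a landing-page YAML file; the `#aks-cluster-network-requirements` anchor came from the retired `configure-networking.md` page and is unlikely to exist on `index.yml`, so the reference will land at the top of a hub page. On an article about API server authorized IP ranges that reference is supposed to tell readers which address ranges they must add to the allow list; suggest either dropping the fragment and saying in the prose that the Dev Spaces requirements are no longer published, or pointing at the page that now lists the ranges.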
For more information, see [Security concepts for applications and clusters in AK
[install-azure-cli]: /cli/azure/install-azure-cli [operator-best-practices-cluster-security]: operator-best-practices-cluster-security.md [route-tables]: ../virtual-network/manage-route-table.md
-[standard-sku-lb]: load-balancer-standard.md
+[standard-sku-lb]: load-balancer-standard.md
aks Faq https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/faq.md
Azure automatically applies security patches to the Linux nodes in your cluster
For Windows Server nodes, Windows Update does not automatically run and apply the latest updates. On a regular schedule around the Windows Update release cycle and your own validation process, you should perform an upgrade on the cluster and the Windows Server node pool(s) in your AKS cluster. This upgrade process creates nodes that run the latest Windows Server image and patches, then removes the older nodes. For more information on this process, see [Upgrade a node pool in AKS][nodepool-upgrade].
+### Are there additional security threats relevant to AKS that customers should be aware of?
+
+Microsoft provides guidance on additional actions you can take to secure your workloads through services like [Azure Security Center](https://azure.microsoft.com/services/security-center/). The following is a list of additional security threats related to AKS and Kubernetes that customers should be aware of:
+
+* [New large-scale campaign targets Kubeflow](https://techcommunity.microsoft.com/t5/azure-security-center/new-large-scale-campaign-targets-kubeflow/ba-p/2425750) - June 8, 2021
+ ## Why are two resource groups created with AKS? AKS builds upon a number of Azure infrastructure resources, including virtual machine scale sets, virtual networks, and managed disks. This enables you to leverage many of the core capabilities of the Azure platform within the managed Kubernetes environment provided by AKS. For example, most Azure virtual machine types can be used directly with AKS and Azure Reservations can be used to receive discounts on those resources automatically.
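Review bot: the new FAQ entry answers a question about AKS security threats with a single dated blog link (`* [New large-scale campaign targets Kubeflow](...) - June 8, 2021`) and no statement of what the threat is, which component is affected, or what an operator should check, so it gives no actionable guidance and will read as stale within weeks. Suggest a one-line summary per list item (affected component, indicator, mitigation) and a sentence making clear that the Azure Security Center link in the intro paragraph is the standing guidance, with the list as supplementary incident notices; otherwise a reader who isn't running Kubeflow learns nothing from the entry.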
aks Kubernetes Action https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/kubernetes-action.md
When your Kubernetes cluster, container registry, and repository are no longer n
> [Learn about Azure Kubernetes Service](/azure/architecture/reference-architectures/containers/aks-start-here) > [!div class="nextstepaction"]
-> [Learn how to create multiple pipelines on GitHub Actions with AKS](https://docs.microsoft.com/learn/modules/aks-deployment-pipeline-github-actions)
+> [Learn how to create multiple pipelines on GitHub Actions with AKS](/learn/modules/aks-deployment-pipeline-github-actions)
### More Kubernetes GitHub Actions
When your Kubernetes cluster, container registry, and repository are no longer n
* [Kubernetes deploy](https://github.com/Azure/k8s-deploy) (`azure/k8s-deploy`): Bake and deploy manifests to Kubernetes clusters. * [Setup Helm](https://github.com/Azure/setup-helm) (`azure/setup-helm`): Install a specific version of Helm binary on the runner. * [Kubernetes bake](https://github.com/Azure/k8s-bake) (`azure/k8s-bake`): Bake manifest file to be used for deployments using helm2, kustomize or kompose.
-* [Kubernetes lint](https://github.com/azure/k8s-lint) (`azure/k8s-lint`): Validate/lint your manifest files.
+* [Kubernetes lint](https://github.com/azure/k8s-lint) (`azure/k8s-lint`): Validate/lint your manifest files.
aks Start Stop Cluster https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/start-stop-cluster.md
When using the cluster start/stop feature, the following restrictions apply:
- This feature is only supported for Virtual Machine Scale Sets backed clusters. - The cluster state of a stopped AKS cluster is preserved for up to 12 months. If your cluster is stopped for more than 12 months, the cluster state cannot be recovered. For more information, see the [AKS Support Policies](support-policies.md). - You can only start or delete a stopped AKS cluster. To perform any operation like scale or upgrade, start your cluster first.
+- The customer provisioned PrivateEndpoints linked to private cluster need to be deleted and recreated again when you start a stopped AKS cluster.
## Stop an AKS Cluster
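Review bot: the added restriction `- The customer provisioned PrivateEndpoints linked to private cluster need to be deleted and recreated again when you start a stopped AKS cluster.` states a requirement without saying why it exists or what fails if the old endpoint is left in place, and the wording needs a pass. Suggest: "Customer-provisioned private endpoints linked to a private cluster must be deleted and recreated after you start a stopped cluster," followed by one sentence on what the reader sees if they skip this step, so the symptom can be recognised rather than discovered during an outage.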
analysis-services Analysis Services Create Template https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/analysis-services/analysis-services-create-template.md
If your environment meets the prerequisites and you're familiar with using ARM t
## Review the template
-The template used in this quickstart is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/101-analysis-services-create/).
+The template used in this quickstart is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/analysis-services-create/).
:::code language="json" source="~/quickstart-templates/quickstarts/microsoft.analysisservices/analysis-services-create/azuredeploy.json":::
api-management Api Management Access Restriction Policies https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/api-management-access-restriction-policies.md
documentationcenter: '' Previously updated : 02/26/2021 Last updated : 06/02/2021
This topic provides a reference for the following API Management policies. For i
- [Set usage quota by subscription](#SetUsageQuota) - Allows you to enforce a renewable or lifetime call volume and/or bandwidth quota, on a per subscription basis. - [Set usage quota by key](#SetUsageQuotaByKey) - Allows you to enforce a renewable or lifetime call volume and/or bandwidth quota, on a per key basis. - [Validate JWT](#ValidateJWT) - Enforces existence and validity of a JWT extracted from either a specified HTTP Header or a specified query parameter.
+- [Validate client certificate](#validate-client-certificate) - Enforces that a certificate presented by a client to an API Management instance matches specified validation rules and claims.
> [!TIP] > You can use access restriction policies in different scopes for different purposes. For example, you can secure the whole API with AAD authentication by applying the `validate-jwt` policy on the API level or you can apply it on the API operation level and use `claims` for more granular control.
This policy can be used in the following policy [sections](./api-management-howt
- **Policy sections:** inbound - **Policy scopes:** all scopes +
+## Validate client certificate
+
+Use the `validate-client-certificate` policy to enforce that a certificate presented by a client to an API Management instance matches specified validation rules and claims such as subject or issuer for one or more certificate identities.
+
+To be considered valid, a client certificate must match all the validation rules defined by the attributes at the top-level element and match all defined claims for at least one of the defined identities.
+
+Use this policy to check incoming certificate properties against desired properties. Also use this policy to override default validation of client certificates in these cases:
+
+* If you have uploaded custom CA certificates to validate client requests to the managed gateway
+* If you configured custom certificate authorities to validate client requests to a self-managed gateway
+
+For more information about custom CA certificates and certificate authorities, see [How to add a custom CA certificate in Azure API Management](api-management-howto-ca-certificates.md).
+
+### Policy statement
+
+```xml
+<validate-client-certificate>
+    validate-revocation="true|false"
+    validate-trust="true|false"
+    validate-not-before="true|false"
+    validate-not-after="true|false"
+    ignore-error="true|false">
+    <identities>
+        <identity 
+            thumbprint="certificate thumbprint" 
+            serial-number="certificate serial number"
+            common-name="certificate common name" 
+            subject="certificate subject string" 
+            dns-name="certificate DNS name"
+            issuer="certificate issuer"
+            issuer-thumbprint="certificate issuer thumbprint" 
+            issuer-certificate-id="certificate identifier" />
+    </identities>
+</validate-client-certificate>
+```
+
+### Example
+
+The following example validates a client certificate to match the policy's default validation rules and checks whether the subject and issuer match specified values.
+
+```xml
+<validate-client-certificate>
+    validate-revocation="true"
+    validate-trust="true"
+    validate-not-before="true"
+    validate-not-after="true"
+    ignore-error="false"
+    <identities>
+        <identity 
+ subject="C=US, ST=Illinois, L=Chicago, O=Contoso Corp., CN=*.contoso.com"
+ issuer="C=BE, O=FabrikamSign nv-sa, OU=Root CA, CN=FabrikamSign Root CA" />
+    </identities>
+</validate-client-certificate>
+```
+
+### Elements
+
+| Element | Description | Required |
+| - | -- | -- |
+| validate-client-certificate | Root element. | Yes |
+| identities | Contains a list of identities with defined claims on the client certificate. | No |
+
+### Attributes
+
+| Name | Description | Required | Default |
+| - | | -- | |
+| validate-revocationΓÇ» | Boolean. Specifies whether certificate is validated against online revocation list.ΓÇ» | noΓÇ» | True |
+| validate-trustΓÇ»| Boolean. Specifies if validation should fail in case chain cannot be successfully built up to trusted CA. | no | True |
+| validate-not-before | Boolean. Validates value against current time. | noΓÇ»| True |
+| validate-not-afterΓÇ» | Boolean. Validates value against current time. | noΓÇ»| True|
+| ignore-errorΓÇ» | Boolean. Specifies if policy should proceed to the next handler or jump to on-error upon failed validation. | no. | False |ΓÇ»
+| identity | String. Combination of certificate claim values that make certificate valid. | yes | N/A |
+| thumbprint | Certificate thumbprint. | no | N/A |
+| serial-number | Certificate serial number. | no | N/A |
+| common-name | Certificate common name (part of Subject string). | no | N/A |
+| subject | Subject string. Must follow format of Distinguished Name. | no | N/A |
+| dns-name | Value of dnsName entry inside Subject Alternative Name claim. | no | N/A |
+| issuer | IssuerΓÇÖs subject. Must follow format of Distinguished Name. | no | N/A |
+| issuer-thumbprint | Issuer thumbprint. | no | N/A |
+| issuer-certificate-id | Identifier of existing Certificate entity representing IssuerΓÇÖs public key. | no | N/A |
+
+### Usage
+
+This policy can be used in the following policy [sections](./api-management-howto-policies.md#sections) and [scopes](./api-management-howto-policies.md#scopes).
+
+- **Policy sections:** inbound
+- **Policy scopes:** all scopes
+ ## Next steps For more information working with policies, see:
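Review bot: both XML blocks in this hunk are malformed: in the policy statement the opening tag is closed on its first line (`<validate-client-certificate>`) and the five `validate-*`/`ignore-error` attributes follow as element text, ending in a stray `>` after `ignore-error="true|false">`; the example repeats the mistake and additionally never closes the tag after `ignore-error="false"`. The attributes belong inside the opening tag, i.e. `<validate-client-certificate validate-revocation="true" validate-trust="true" validate-not-before="true" validate-not-after="true" ignore-error="false">`; as written, a reader who pastes the example into a policy gets a parse error instead of a working certificate check. Secondary points in the Attributes table: the cells contain mis-encoded non-breaking spaces and an apostrophe (`validate-revocationΓÇ»`, `IssuerΓÇÖs subject`), `| no. |` has a stray period, `validate-not-before` and `validate-not-after` are described identically as `Validates value against current time` without naming the field each checks, and `identity` is marked Required `yes` while the Elements table marks `identities` as not required; please state which is true, because a policy with no `<identities>` element either rejects every certificate or accepts any certificate that chains to a trusted CA, and the reader must know which. Finally, the example's `subject` contains a wildcard (`CN=*.contoso.com`) but the text never says whether claim matching is exact string comparison or pattern matching, which decides whether the example pins one certificate or an entire namespace; the `ignore-error` description should also spell out that `true` lets a request with a failed certificate check continue into the rest of the pipeline.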
api-management Api Management Faq https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/api-management-faq.md
To learn how to configure an OAuth 2.0 authorization server with Active Director
API Management uses the [performance traffic routing method](../traffic-manager/traffic-manager-routing-methods.md#performance) in deployments to multiple geographic locations. Incoming traffic is routed to the closest API gateway. If one region goes offline, incoming traffic is automatically routed to the next closest gateway. Learn more about routing methods in [Traffic Manager routing methods](../traffic-manager/traffic-manager-routing-methods.md). ### Can I use an Azure Resource Manager template to create an API Management service instance?
-Yes. See the [Azure API Management Service](https://azure.microsoft.com/resources/templates/101-azure-api-management-create/) quickstart templates.
+Yes. See the [Azure API Management Service](https://azure.microsoft.com/resources/templates/azure-api-management-create/) quickstart templates.
### Can I use a self-signed TLS/SSL certificate for a back end? Yes. This can be done through PowerShell or by directly submitting to the API. This will disable certificate chain validation and will allow you to use self-signed or privately-signed certificates when communicating from API Management to the back end services.
api-management Api Management Howto Ca Certificates https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/api-management-howto-ca-certificates.md
description: Learn how to add a custom CA certificate in Azure API Management. Y
documentationcenter: '' - -- Previously updated : 08/20/2018+ Last updated : 06/01/2021
Azure API Management allows installing CA certificates on the machine inside the trusted root and intermediate certificate stores. This functionality should be used if your services require a custom CA certificate.
-The article shows how to manage CA certificates of an Azure API Management service instance in the Azure portal.
+The article shows how to manage CA certificates of an Azure API Management service instance in the Azure portal. For example, if you use self-signed client certificates, you can upload custom trusted root certificates to API Management.
+
+CA certificates uploaded to API Management can only be used for certificate validation by the managed API Management gateway. If you use the [self-hosted gateway](self-hosted-gateway-overview.md), learn how to [create a custom CA for self-hosted gateway](#create-custom-ca-for-self-hosted-gateway), later in this article.
[!INCLUDE [updated-for-az](../../includes/updated-for-az.md)]
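Review bot: the added sentence `For example, if you use self-signed client certificates, you can upload custom trusted root certificates to API Management.` is contradictory, since a self-signed certificate has no separate root to upload. What the reader needs is that the self-signed client certificate itself, or the private CA that issued the client certificates, must be placed in the trusted root store for chain validation (`validate-trust`, `context.Request.Certificate.Verify()`) to succeed. Suggest: "For example, if your clients present certificates issued by a private CA, or self-signed certificates, upload that CA certificate (or the self-signed certificate itself) as a trusted root."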
The article shows how to manage CA certificates of an Azure API Management servi
## <a name="step1"> </a>Upload a CA certificate
-![Add CA certificates](media/api-management-howto-ca-certificates/00.png)
Follow the steps below to upload a new CA certificate. If you have not created an API Management service instance yet, see the tutorial [Create an API Management service instance](get-started-create-service-instance.md). 1. Navigate to your Azure API Management service instance in the Azure portal.
-2. Select **CA certificates** from the menu.
+1. In the menu, under **Security**, select **Certificates > CA certificates > + Add**.
-3. Click the **+ Add** button.
+1. Browse for the certificate .cer file and decide on the certificate store. Only the public key is needed, so the password is optional.
- ![Screenshot that shows the + Add button for adding a CA certificate.](media/api-management-howto-ca-certificates/01.png)
+ :::image type="content" source="media/api-management-howto-ca-certificates/02.png" alt-text="Add CA certificate in the Azure portal":::
-4. Browse for the certificate and decide on the certificate store. Only the public key is needed, so the password is not required.
+1. Select **Save**. This operation may take a few minutes.
- ![Screenshot that shows how to browse for the certificate.](media/api-management-howto-ca-certificates/02.png)
+> [!NOTE]
+> You can also upload a CA certificate using the `New-AzApiManagementSystemCertificate` PowerShell command.
-5. Click **Save**. This operation may take a few minutes.
+## <a name="step1a"> </a>Delete a CA certificate
- ![Screenshot that shows how to save the certificate.](media/api-management-howto-ca-certificates/03.png)
+Select the certificate, and select **Delete** in the context menu (**...**).
-> [!NOTE]
-> You can upload a CA certificate using the `New-AzApiManagementSystemCertificate` Powershell command.
+## Create custom CA for self-hosted gateway
-## <a name="step1a"> </a>Delete a client certificate
+If you use a [self-hosted gateway](self-hosted-gateway-overview.md), validation of server and client certificates using CA root certificates uploaded to API Management service is not supported. To establish trust, configure a specific client certificate so that it's trusted by the gateway as a custom certificate authority.
-To delete a certificate, click context menu **...** and select **Delete** beside the certificate.
+Use the [Gateway Certificate Authority](/rest/api/apimanagement/2021-01-01-preview/gateway-certificate-authority) REST APIs to create and manage custom CAs for a self-hosted gateway. To create a custom CA:
-![Delete CA certificates](media/api-management-howto-ca-certificates/04.png)
+1. [Add a certificate](api-management-howto-mutual-certificates.md) .pfx file to your API Management instance.
+1. Use the [Gateway Certificate Authority - Create Or Update](/rest/api/apimanagement/2021-01-01-preview/gateway-certificate-authority/create-or-update) REST API to associate the certificate with the self-managed gateway.
[Upload a CA certificate]: #step1 [Delete a CA certificate]: #step1a
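Review bot: the self-hosted gateway procedure asks for a private-key bundle (`1. [Add a certificate](api-management-howto-mutual-certificates.md) .pfx file to your API Management instance.`) while the managed-gateway procedure two sections up correctly says `Only the public key is needed`. Establishing trust in a CA requires only its public certificate; exporting a CA private key into API Management just to register it as a trust anchor widens the blast radius of a tenant compromise to every certificate that CA can issue. Please state whether a public-only upload works for the Gateway Certificate Authority API and, if the API really does require a .pfx, say so explicitly and advise using a dedicated issuing CA rather than the root. Two wording issues in the same hunk: `configure a specific client certificate so that it's trusted by the gateway as a custom certificate authority` conflates the leaf with the CA and should read "configure the CA certificate that issues your client certificates"; and `Only the public key is needed, so the password is optional` is odd for a .cer file, which has no password at all (the replaced text said "not required", which was clearer).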
api-management Api Management Howto Mutual Certificates For Clients https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/api-management-howto-mutual-certificates-for-clients.md
na Previously updated : 01/13/2020 Last updated : 06/01/2021 # How to secure APIs using client certificate authentication in API Management
-API Management provides the capability to secure access to APIs (i.e., client to API Management) using client certificates. You can validate incoming certificate and check certificate properties against desired values using policy expressions.
+API Management provides the capability to secure access to APIs (i.e., client to API Management) using client certificates. You can validate certificates presented by the connecting client and check certificate properties against desired values using policy expressions.
For information about securing access to the back-end service of an API using client certificates (i.e., API Management to backend), see [How to secure back-end services using client certificate authentication](./api-management-howto-mutual-certificates.md)
For information about securing access to the back-end service of an API using cl
![Request client certificate](./media/api-management-howto-mutual-certificates-for-clients/request-client-certificate.png)
-## Checking the issuer and subject
+## Policy to validate client certificates
+
+Use the [validate-client-certificate](api-management-access-restriction-policies.md#validate-client-certificate) policy to validate one or more attributes of a client certificate used to access APIs hosted in your API Management instance.
+
+Configure the policy to validate one or more attributes including certificate issuer, subject, thumbprint, whether the certificate is validated against online revocation list, and others.
+
+For more information, see [API Management access restriction policies](api-management-access-restriction-policies.md).
+
+## Certificate validation with context variables
+
+You can also create policy expressions with the [`context` variable](api-management-policy-expressions.md#ContextVariables) to check client certificates. Examples in the following sections show expressions using the `context.Request.Certificate` property and other `context` properties.
+
+> [!IMPORTANT]
+> Starting May 2021, the `context.Request.Certificate` property only requests the certificate when the API Management instance's [`hostnameConfiguration`](/rest/api/apimanagement/2019-12-01/apimanagementservice/createorupdate#hostnameconfiguration) sets the `negotiateClientCertificate` property to True. By default, `negotiateClientCertificate` is set to False.
+
+### Checking the issuer and subject
Below policies can be configured to check the issuer and subject of a client certificate:
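Review bot: the IMPORTANT note says `context.Request.Certificate` only requests a certificate when `negotiateClientCertificate` is True but never says what the expressions below do when it is False (the default); the later tip on this page already records that `context.Request.Certificate` can be `null`, so the note should state the resulting behaviour of `context.Request.Certificate.Verify()` and the `Issuer`/`Subject` checks in that case, and the examples should guard with a null check before dereferencing so a misconfigured hostname fails closed with a clear 403 rather than a policy error. Two related gaps: the tip further down says negotiate client certificate `is not available in the Consumption tier`, so after this May 2021 change the page should say whether the context-variable approach still works at all on Consumption; and the link targets API version `2019-12-01` while the CA article in this same change links `2021-01-01-preview`, so please pick the current version for both.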
Below policies can be configured to check the issuer and subject of a client cer
> To disable checking certificate revocation list use `context.Request.Certificate.VerifyNoRevocation()` instead of `context.Request.Certificate.Verify()`. > If client certificate is self-signed, root (or intermediate) CA certificate(s) must be [uploaded](api-management-howto-ca-certificates.md) to API Management for `context.Request.Certificate.Verify()` and `context.Request.Certificate.VerifyNoRevocation()` to work.
-## Checking the thumbprint
+### Checking the thumbprint
Below policies can be configured to check the thumbprint of a client certificate:
Below policies can be configured to check the thumbprint of a client certificate
> To disable checking certificate revocation list use `context.Request.Certificate.VerifyNoRevocation()` instead of `context.Request.Certificate.Verify()`. > If client certificate is self-signed, root (or intermediate) CA certificate(s) must be [uploaded](api-management-howto-ca-certificates.md) to API Management for `context.Request.Certificate.Verify()` and `context.Request.Certificate.VerifyNoRevocation()` to work.
-## Checking a thumbprint against certificates uploaded to API Management
+### Checking a thumbprint against certificates uploaded to API Management
The following example shows how to check the thumbprint of a client certificate against certificates uploaded to API Management:
The following example shows how to check the thumbprint of a client certificate
> Client certificate deadlock issue described in this [article](https://techcommunity.microsoft.com/t5/Networking-Blog/HTTPS-Client-Certificate-Request-freezes-when-the-Server-is/ba-p/339672) can manifest itself in several ways, e.g. requests freeze, requests result in `403 Forbidden` status code after timing out, `context.Request.Certificate` is `null`. This problem usually affects `POST` and `PUT` requests with content length of approximately 60KB or larger. > To prevent this issue from occurring turn on "Negotiate client certificate" setting for desired hostnames on the "Custom domains" blade as shown in the first image of this document. This feature is not available in the Consumption tier.
-## Certificate validation in self-hosted gateway
-
-The default API Management [self-hosted gateway](self-hosted-gateway-overview.md) image doesn't support validating server and client certificates using [CA root certificates](api-management-howto-ca-certificates.md) uploaded to an API Management instance. Clients presenting a custom certificate to the self-hosted gateway may experience slow responses, because certificate revocation list (CRL) validation can take a long time to time out on the gateway.
-
-As a workaround when running the gateway, you may configure the PKI IP address to point to the localhost address (127.0.0.1) instead of the API Management instance. This causes the CRL validation to fail quickly when the gateway attempts to validate the client certificate. To configure the gateway, add a DNS entry for the API Management instance to resolve to the localhost in the `/etc/hosts` file in the container. You can add this entry during gateway deployment:
-
-* For Docker deployment - add the `--add-host <hostname>:127.0.0.1` parameter to the `docker run` command. For more information, see [Add entries to container hosts file](https://docs.docker.com/engine/reference/commandline/run/#add-entries-to-container-hosts-fileadd-host)
-
-* For Kubernetes deployment - Add a `hostAliases` specification to the `myGateway.yaml` configuration file. For more information, see [Adding entries to Pod /etc/hosts with Host Aliases](https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/).
---- ## Next steps - [How to secure back-end services using client certificate authentication](./api-management-howto-mutual-certificates.md)
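Review bot: this hunk deletes the `--add-host <hostname>:127.0.0.1` / `hostAliases` workaround without telling readers who applied it to undo it; the workaround deliberately made PKI lookups against the API Management instance resolve to localhost, so suggest one sentence in the replacement text (or in the self-hosted gateway overview that now links to custom CAs) saying the host-alias entry is no longer needed and should be removed. The deleted text also recorded that `certificate revocation list (CRL) validation can take a long time to time out on the gateway`; if that is still true with custom CAs, the `validate-revocation` default of `true` on the new `validate-client-certificate` policy is a trap for self-hosted deployments and that caveat should survive somewhere rather than disappear with the workaround.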
api-management Devops Api Development Templates https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/devops-api-development-templates.md
In this example, there are two deployment environments: *Development* and *Produ
* API developers have access to the Development instance and can use it for developing and testing their APIs. * A designated team called the *API publishers* manages the Production instance.
-The key in this proposed approach is to keep all API Management configurations in [Azure Resource Manager templates](../azure-resource-manager/templates/template-syntax.md). The organization should keep these templates in a source control system such as Git. As illustrated in the image, a Publisher repository contains all configurations of the Production API Management instance in a collection of templates:
+The key in this proposed approach is to keep all API Management configurations in [Azure Resource Manager templates](../azure-resource-manager/templates/syntax.md). The organization should keep these templates in a source control system such as Git. As illustrated in the image, a Publisher repository contains all configurations of the Production API Management instance in a collection of templates:
|Template |Description | |||
api-management Quickstart Arm Template https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/quickstart-arm-template.md
If you don't have an Azure subscription, create a [free account](https://azure.m
## Review the template
-The template used in this quickstart is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/101-azure-api-management-create/).
+The template used in this quickstart is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/azure-api-management-create/).
:::code language="json" source="~/quickstart-templates/quickstarts/microsoft.apimanagement/azure-api-management-create/azuredeploy.json":::
api-management Self Hosted Gateway Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/self-hosted-gateway-overview.md
Title: Self-hosted gateway overview | Microsoft Docs
+ Title: Self-hosted gateway overview | Azure API Management
description: Learn how self-hosted gateway feature of Azure API Management helps organizations manage APIs in hybrid and multicloud environments. documentationcenter: '' -
The following functionality found in the managed gateways is **not available** i
- Azure Monitor logs - Upstream (backend side) TLS version and cipher management-- Validation of server and client certificates using [CA root certificates](api-management-howto-ca-certificates.md) uploaded to API Management service. For more information, see [Certificate validation in self-hosted gateway](api-management-howto-mutual-certificates-for-clients.md#certificate-validation-in-self-hosted-gateway).
+- Validation of server and client certificates using [CA root certificates](api-management-howto-ca-certificates.md) uploaded to API Management service. You can configure [custom certificate authorities](api-management-howto-ca-certificates.md#create-custom-ca-for-self-hosted-gateway) for your self-hosted gateways and [client certificate validation](api-management-access-restriction-policies.md#validate-client-certificate) policies to enforce them.
- Integration with the [Service Fabric](../service-fabric/service-fabric-api-management-overview.md) - TLS session resumption - Client certificate renegotiation. This means that for [client certificate authentication](api-management-howto-mutual-certificates-for-clients.md) to work API consumers must present their certificates as part of the initial TLS handshake. To ensure that, enable the negotiate client certificate setting when configuring a self-hosted gateway custom hostname.
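Review bot: the rewritten bullet points self-hosted gateway users at custom certificate authorities and the `validate-client-certificate` policy but drops the caveat the previous link target carried, namely that revocation checking on the gateway could take a long time to time out. Readers following this bullet will configure a policy whose `validate-revocation` attribute defaults to true; please state whether revocation checking completes against a custom CA on a self-hosted gateway, and if it does not, say so here so that slow or failing requests can be traced to that setting instead of to the certificate itself.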
app-service App Service Sql Github Actions https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/app-service-sql-github-actions.md
# Tutorial: Use GitHub Actions to deploy to App Service for Containers and connect to a database
-This tutorial walks you through setting up a GitHub Actions workflow to deploy a containerized ASP.NET Core application with an [Azure SQL Database](../azure-sql/database/sql-database-paas-overview.md) backend. When you're finished, you have an ASP.NET app running in Azure and connected to SQL Database. You'll first create Azure resources with an [ARM template](/azure/azure-resource-manager/templates/overview) GitHub Actions workflow.
+This tutorial walks you through setting up a GitHub Actions workflow to deploy a containerized ASP.NET Core application with an [Azure SQL Database](../azure-sql/database/sql-database-paas-overview.md) backend. When you're finished, you have an ASP.NET app running in Azure and connected to SQL Database. You'll first create Azure resources with an [ARM template](../azure-resource-manager/templates/overview.md) GitHub Actions workflow.
In this tutorial, you learn how to:
Create a new secret in your repository for `SQL_SERVER_ADMIN_PASSWORD`. This sec
## Create Azure resources
-The create Azure resources workflow runs an [ARM template](/azure/azure-resource-manager/templates/overview) to deploy resources to Azure. The workflow:
+The create Azure resources workflow runs an [ARM template](../azure-resource-manager/templates/overview.md) to deploy resources to Azure. The workflow:
- Checks out source code with the [Checkout action](https://github.com/marketplace/actions/checkout). - Logs into Azure with the [Azure Login action](https://github.com/marketplace/actions/azure-login) and gathers environment and Azure resource information.
To run the create Azure resources workflow:
## Build, push, and deploy your image
-The build, push, and deploy workflow builds a container with the latest app changes, pushes the container to [Azure Container Registry](/azure/container-registry/) and, updates the web application staging slot to point to the latest container pushed. The workflow containers a build and deploy job:
+The build, push, and deploy workflow builds a container with the latest app changes, pushes the container to [Azure Container Registry](../container-registry/index.yml) and, updates the web application staging slot to point to the latest container pushed. The workflow containers a build and deploy job:
- The build job checks out source code with the [Checkout action](https://github.com/marketplace/actions/checkout). The job then uses the [Docker login action](https://github.com/marketplace/actions/docker-login) and a custom script to authenticate with Azure Container Registry, build a container image, and deploy it to Azure Container Registry. - The deployment job logs into Azure with the [Azure Login action](https://github.com/marketplace/actions/azure-login) and gathers environment and Azure resource information. The job then updates Web App Settings with the [Azure App Service Settings action](https://github.com/marketplace/actions/azure-app-service-settings) and deploys to an App Service staging slot with the [Azure Web Deploy action](https://github.com/marketplace/actions/azure-webapp). Last, the job runs a custom script to update the SQL database and swaps staging slot to production.
To run the build, push, and deploy workflow:
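Review bot: the rewritten line still carries the typo "The workflow containers a build and deploy job" (should be "contains") and the misplaced comma in "Azure Container Registry and, updates the web application staging slot"; since the line is being edited for the link anyway, fix both in the same change. The trailing context that says the build job will "deploy it to Azure Container Registry" also reads oddly under a "Build, push, and deploy" heading; "push" is the verb the rest of the section uses for the registry step.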
## Next steps > [!div class="nextstepaction"]
-> [Learn about Azure and GitHub integration](/azure/developer/github/)
+> [Learn about Azure and GitHub integration](/azure/developer/github/)
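Review bot: the removed and added lines of this hunk are identical as rendered, so the change is whitespace or line-ending only (most likely the missing newline at end of file). Fine to keep, but confirm it is not a CRLF conversion of the whole file, which would make every later edit to this article show up as a full-file diff.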
app-service Configure Ssl Certificate https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/configure-ssl-certificate.md
In the **Key Vault Status** page, click **Key Vault Repository** to create a new
Once you've selected the vault, close the **Key Vault Repository** page. The **Step 1: Store** option should show a green check mark for success. Keep the page open for the next step.
+> [!NOTE]
+> Currently, App Service Certificate only supports Key Vault access policy but not RBAC model.
+>
+ ### Verify domain ownership From the same **Certificate Configuration** page you used in the last step, click **Step 2: Verify**.
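Review bot: "only supports Key Vault access policy but not RBAC model" is missing a noun and does not match the second note added later in this file, which says "Key Vault Certificate" where this one says "App Service Certificate". Suggested wording for both: "> Currently, App Service Certificate supports only the Key Vault access policy permission model; vaults configured for the Azure RBAC permission model are not supported." Naming the permission model explicitly matters here, because a reader whose vault is already on Azure RBAC needs to know that before selecting it in the Key Vault Repository page, not after Step 1: Store fails to complete.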
By default, the App Service resource provider doesnΓÇÖt have access to the Key V
`abfa0a7c-a6b6-4736-8310-5855508787cd` is the resource provider service principal name for App Service, and it's the same for all Azure subscriptions. For Azure Government cloud environment, use `6a02c803-dafd-4136-b4c3-5a6f318b4714` instead as the resource provider service principal name.
+> [!NOTE]
+> Currently, Key Vault Certificate only supports Key Vault access policy but not RBAC model.
+>
+ ### Import a certificate from your vault to your app In the <a href="https://portal.azure.com" target="_blank">Azure portal</a>, from the left menu, select **App Services** > **\<app-name>**.
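Review bot: this note says "Key Vault Certificate" while the note added earlier in the same file says "App Service Certificate", and neither phrase matches the section it sits in, which is about the app importing from your own vault after the App Service resource provider (`abfa0a7c-a6b6-4736-8310-5855508787cd`, or `6a02c803-dafd-4136-b4c3-5a6f318b4714` in Azure Government) has been granted access. Say that directly, and move the note above the access-policy instructions so a reader with an RBAC-enabled vault learns about the limitation before creating the policy rather than after. While this paragraph is being edited, state the minimum permissions the import needs, so readers do not grant the provider principal broader rights on the vault than certificate import requires.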
app-service Deploy Complex Application Predictably https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/deploy-complex-application-predictably.md
In the tutorial, you will deploy an application that includes:
In this tutorial, you will use the following tools. Since itΓÇÖs not comprehensive discussion on tools, IΓÇÖm going to stick to the end-to-end scenario and just give you a brief intro to each, and where you can find more information on it. ### Azure Resource Manager templates (JSON)
-Every time you create an app in Azure App Service, for example, Azure Resource Manager uses a JSON template to create the entire resource group with the component resources. A complex template from the [Azure Marketplace](../marketplace/index.yml) can include the database, storage accounts, the App Service plan, the app itself, alert rules, app settings, autoscale settings, and more, and all these templates are available to you through PowerShell. For more information on the Azure Resource Manager templates, see [Authoring Azure Resource Manager Templates](../azure-resource-manager/templates/template-syntax.md)
+Every time you create an app in Azure App Service, for example, Azure Resource Manager uses a JSON template to create the entire resource group with the component resources. A complex template from the [Azure Marketplace](../marketplace/index.yml) can include the database, storage accounts, the App Service plan, the app itself, alert rules, app settings, autoscale settings, and more, and all these templates are available to you through PowerShell. For more information on the Azure Resource Manager templates, see [Authoring Azure Resource Manager Templates](../azure-resource-manager/templates/syntax.md)
### Azure SDK 2.6 for Visual Studio The newest SDK contains improvements to the Resource Manager template support in the JSON editor. You can use this to quickly create a resource group template from scratch or open an existing JSON template (such as a downloaded gallery template) for modification, populate the parameters file, and even deploy the resource group directly from an Azure Resource Group solution.
In DevOps, repeatability and predictability are keys to any successful deploymen
<a name="resources"></a> ## More resources
-* [Azure Resource Manager Template Language](../azure-resource-manager/templates/template-syntax.md)
-* [Authoring Azure Resource Manager Templates](../azure-resource-manager/templates/template-syntax.md)
+* [Azure Resource Manager Template Language](../azure-resource-manager/templates/syntax.md)
+* [Authoring Azure Resource Manager Templates](../azure-resource-manager/templates/syntax.md)
* [Azure Resource Manager Template Functions](../azure-resource-manager/templates/template-functions.md) * [Deploy an application with Azure Resource Manager template](../azure-resource-manager/templates/deploy-powershell.md) * [Using Azure PowerShell with Azure Resource Manager](../azure-resource-manager/management/manage-resources-powershell.md)
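Review bot: after this change the first two bullets, "Azure Resource Manager Template Language" and "Authoring Azure Resource Manager Templates", still point at the same page (`../azure-resource-manager/templates/syntax.md`), exactly as they did before the rename; collapse them into one bullet, or give the first one a distinct target if one exists, rather than carrying the duplicate forward.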
app-service Manage Create Arc Environment https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/manage-create-arc-environment.md
If you don't have an Azure account, [sign up today](https://azure.microsoft.com/
<!-- ## Prerequisites - Create a Kubernetes cluster in a supported Kubernetes distribution and connect it to Azure Arc in a supported region. See [Public preview limitations](overview-arc-integration.md#public-preview-limitations).-- [Install Azure CLI](https://docs.microsoft.com/cli/azure/install-azure-cli), or use the [Azure Cloud Shell](https://docs.microsoft.com/azure/cloud-shell/overview).
+- [Install Azure CLI](/cli/azure/install-azure-cli), or use the [Azure Cloud Shell](../cloud-shell/overview.md).
- [Install kubectl](https://kubernetes.io/docs/tasks/tools/). It's also preinstalled in the Azure Cloud Shell. ## Obtain cluster information
az extension add --yes --source "https://aka.ms/appsvc/appservice_kube-latest-py
## Create a connected cluster > [!NOTE]
-> This tutorial uses [Azure Kubernetes Service (AKS)](/azure/aks/) to provide concrete instructions for setting up an environment from scratch. However, for a production workload, you will likely not want to enable Azure Arc on an AKS cluster as it is already managed in Azure. The steps below will help you get started understanding the service, but for production deployments, they should be viewed as illustrative, not prescriptive. See [Quickstart: Connect an existing Kubernetes cluster to Azure Arc](../azure-arc/kubernetes/quickstart-connect-cluster.md) for general instructions on creating an Azure Arc enabled Kubernetes cluster.
+> This tutorial uses [Azure Kubernetes Service (AKS)](../aks/index.yml) to provide concrete instructions for setting up an environment from scratch. However, for a production workload, you will likely not want to enable Azure Arc on an AKS cluster as it is already managed in Azure. The steps below will help you get started understanding the service, but for production deployments, they should be viewed as illustrative, not prescriptive. See [Quickstart: Connect an existing Kubernetes cluster to Azure Arc](../azure-arc/kubernetes/quickstart-connect-cluster.md) for general instructions on creating an Azure Arc enabled Kubernetes cluster.
1. Create a cluster in Azure Kubernetes Service with a public IP address. Replace `<group-name>` with the resource group name you want.
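Review bot: the context line just above this hunk, `az extension add --yes --source "https://aka.ms/appsvc/appservice_kube-latest-py...`, installs a preview CLI extension from a short-link redirect with the confirmation prompt suppressed. Since the note in this hunk already tells readers which parts are illustrative versus prescriptive, add a sentence that the extension code runs with the reader's Azure credentials and that they should check where the link resolves and record the installed version (`az extension list`) before reusing the command outside a test subscription.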
Before you can start creating apps on the custom location, you need an [App Serv
- [Quickstart: Create a web app on Azure Arc](quickstart-arc.md) - [Create your first function on Azure Arc](../azure-functions/create-first-function-arc-cli.md)-- [Create your first logic app on Azure Arc](../logic-apps/azure-arc-enabled-logic-apps-create-deploy-workflows.md)
+- [Create your first logic app on Azure Arc](../logic-apps/azure-arc-enabled-logic-apps-create-deploy-workflows.md)
app-service Networking Features https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/networking-features.md
Line-of-business (LOB) applications are internal applications that aren't normal
If neither of these needs apply, you're better off using private endpoints. With private endpoints available in App Service, you can expose your apps on private addresses in your virtual network. The private endpoint you place in your virtual network can be reached across ExpressRoute and VPN connections.
-Configuring private endpoints will expose your apps on a private address, but you'll need to configure DNS to reach that address from on-premises. To make this configuration work, you'll need to forward the Azure DNS private zone that contains your private endpoints to your on-premises DNS servers. Azure DNS private zones don't support zone forwarding, but you can support zone forwarding by using a DNS server for that purpose. The [DNS Forwarder](https://azure.microsoft.com/resources/templates/301-dns-forwarder/) template makes it easier to forward your Azure DNS private zone to your on-premises DNS servers.
+Configuring private endpoints will expose your apps on a private address, but you'll need to configure DNS to reach that address from on-premises. To make this configuration work, you'll need to forward the Azure DNS private zone that contains your private endpoints to your on-premises DNS servers. Azure DNS private zones don't support zone forwarding, but you can support zone forwarding by using a DNS server for that purpose. The [DNS Forwarder](https://azure.microsoft.com/resources/templates/dns-forwarder/) template makes it easier to forward your Azure DNS private zone to your on-premises DNS servers.
## App Service ports
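Review bot: the rewritten sentence describes the forwarding in the wrong direction. "Forward the Azure DNS private zone ... to your on-premises DNS servers" is not what the linked DNS Forwarder template sets up; the on-premises DNS servers need a conditional forwarder for the private zone's name that sends those queries to a DNS server inside the virtual network, which is the "DNS server for that purpose" the next sentence mentions. Suggest: "you'll need your on-premises DNS servers to forward queries for the private zone's name to a DNS forwarder in the virtual network. Azure DNS private zones can't be queried from on-premises directly, so a DNS server in the virtual network has to resolve them on your behalf." That also replaces "don't support zone forwarding", which reads as a defect of the zone when the point is simply that the zone is only resolvable from inside the virtual network.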
app-service Private Endpoint https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/networking/private-endpoint.md
We are improving Private Link feature and Private Endpoint regularly, check [thi
[howtoguide4]: ../scripts/template-deploy-private-endpoint.md [howtoguide5]: https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.web/webapp-privateendpoint-vnet-injection [howtoguide6]: ../scripts/terraform-secure-backend-frontend.md
-[TiP]: https://docs.microsoft.com/azure/app-service/deploy-staging-slots#route-traffic
+[TiP]: ../deploy-staging-slots.md#route-traffic
app-service Overview Authentication Authorization https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/overview-authentication-authorization.md
For [Azure Functions](../azure-functions/functions-overview.md), `ClaimsPrincipa
For more information, see [Access user claims](app-service-authentication-how-to.md#access-user-claims).
-For .NET Core, [Microsoft.Identity.Web](https://www.nuget.org/packages/Microsoft.Identity.Web/) supports populating the current user with the Authentication/Authorization feature. To learn more, you can read about it on the [Microsoft.Identity.Web wiki](https://github.com/AzureAD/microsoft-identity-web/wiki/1.2.0#integration-with-azure-app-services-authentication-of-web-apps-running-with-microsoftidentityweb), or see it demonstrated in [this tutorial for a web app accessing Microsoft Graph](/azure/app-service/scenario-secure-app-access-microsoft-graph-as-user?tabs=command-line#install-client-library-packages).
+For .NET Core, [Microsoft.Identity.Web](https://www.nuget.org/packages/Microsoft.Identity.Web/) supports populating the current user with the Authentication/Authorization feature. To learn more, you can read about it on the [Microsoft.Identity.Web wiki](https://github.com/AzureAD/microsoft-identity-web/wiki/1.2.0#integration-with-azure-app-services-authentication-of-web-apps-running-with-microsoftidentityweb), or see it demonstrated in [this tutorial for a web app accessing Microsoft Graph](./scenario-secure-app-access-microsoft-graph-as-user.md?tabs=command-line#install-client-library-packages).
#### Token store
Samples:
- [Tutorial: Add authentication to your web app running on Azure App Service](scenario-secure-app-authentication-app-service.md) - [Tutorial: Authenticate and authorize users end-to-end in Azure App Service (Windows or Linux)](tutorial-auth-aad.md) - [.NET Core integration of Azure AppService EasyAuth (3rd party)](https://github.com/MaximRouiller/MaximeRouiller.Azure.AppService.EasyAuth)-- [Getting Azure App Service authentication working with .NET Core (3rd party)](https://github.com/kirkone/KK.AspNetCore.EasyAuthAuthentication)
+- [Getting Azure App Service authentication working with .NET Core (3rd party)](https://github.com/kirkone/KK.AspNetCore.EasyAuthAuthentication)
app-service Quickstart Arm Template Uiex https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/quickstart-arm-template-uiex.md
Get started with [Azure App Service](overview.md) by deploying a app to the clou
## 2. Review the template ::: zone pivot="platform-windows"
-The template used in this quickstart is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/101-app-service-docs-windows). It deploys an App Service plan and an App Service app on Windows.
+The template used in this quickstart is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/app-service-docs-windows). It deploys an App Service plan and an App Service app on Windows.
:::code language="json" source="~/quickstart-templates/quickstarts/microsoft.web/app-service-docs-windows/azuredeploy.json":::
The following table details defaults parameters and their descriptions:
</details> ::: zone-end ::: zone pivot="platform-linux"
-The template used in this quickstart is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/101-app-service-docs-linux). It deploys an App Service plan and an App Service app on Windows.
+The template used in this quickstart is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/app-service-docs-linux). It deploys an App Service plan and an App Service app on Windows.
:::code language="json" source="~/quickstart-templates/quickstarts/microsoft.web/app-service-docs-linux/azuredeploy.json":::
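Review bot: the + line inside the `platform-linux` pivot still says "It deploys an App Service plan and an App Service app on Windows." while linking the `app-service-docs-linux` template; the same pivot in quickstart-arm-template.md, edited in this same batch, correctly says "on Linux". Change "Windows" to "Linux" here while the line is being touched.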
app-service Quickstart Arm Template https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/quickstart-arm-template.md
Use the following button to deploy on **Windows**:
## Review the template ::: zone pivot="platform-windows"
-The template used in this quickstart is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/101-app-service-docs-windows). It deploys an App Service plan and an App Service app on Windows. It's compatible with .NET Core, .NET Framework, PHP, Node.js, and Static HTML apps. For Java, see [Create Java app](./quickstart-java.md).
+The template used in this quickstart is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/app-service-docs-windows). It deploys an App Service plan and an App Service app on Windows. It's compatible with .NET Core, .NET Framework, PHP, Node.js, and Static HTML apps. For Java, see [Create Java app](./quickstart-java.md).
:::code language="json" source="~/quickstart-templates/quickstarts/microsoft.web/app-service-docs-windows/azuredeploy.json":::
This template contains several parameters that are predefined for your convenien
| repoUrl | string | " " | External Git repo (optional) | ::: zone-end ::: zone pivot="platform-linux"
-The template used in this quickstart is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/101-app-service-docs-linux). It deploys an App Service plan and an App Service app on Linux. It's compatible with all supported programming languages on App Service.
+The template used in this quickstart is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/app-service-docs-linux). It deploys an App Service plan and an App Service app on Linux. It's compatible with all supported programming languages on App Service.
:::code language="json" source="~/quickstart-templates/quickstarts/microsoft.web/app-service-docs-linux/azuredeploy.json":::
Run the code below to deploy a .NET framework app on Windows.
az group create --name myResourceGroup --location "southcentralus" && az deployment group create --resource-group myResourceGroup \ --parameters language=".net" helloWorld="true" webAppName="<app-name>" \template-uri "https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/quickstarts/microsofot.web/app-service-docs-windows/azuredeploy.json"
+--template-uri "https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/quickstarts/microsoft.web/app-service-docs-windows/azuredeploy.json"
::: zone-end ::: zone pivot="platform-linux" Run the code below to create a Python app on Linux.
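Review bot: the fixed `--template-uri` (typo `microsofot.web` corrected to `microsoft.web`) still points at the mutable `master` branch of azure-quickstart-templates, so what `az deployment group create` actually deploys can change after this page is published and without the reader seeing a diff. That is acceptable for the throwaway resource group the quickstart uses, but add a sentence recommending that readers pin the URL to a commit or download and review `azuredeploy.json` before deploying it anywhere they care about, since an ARM template runs with the caller's permissions on the resource group.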
automation Automation Dsc Onboarding https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/automation-dsc-onboarding.md
required for your use case. Optionally, you can enter a node configuration to as
### Enable a VM using Azure Resource Manager templates
-You can install and enable a VM for State Configuration using Azure Resource Manager templates. See [Server managed by Desired State Configuration service](https://azure.microsoft.com/resources/templates/101-automation-configuration/) for an example template that enables an existing VM for State Configuration. If you are managing a virtual machine scale set, see the example template in [Virtual machine scale set configuration managed by Azure Automation](https://azure.microsoft.com/resources/templates/201-vmss-automation-dsc/).
+You can install and enable a VM for State Configuration using Azure Resource Manager templates. See [Server managed by Desired State Configuration service](https://azure.microsoft.com/resources/templates/automation-configuration/) for an example template that enables an existing VM for State Configuration. If you are managing a virtual machine scale set, see the example template in [Virtual machine scale set configuration managed by Azure Automation](https://azure.microsoft.com/resources/templates/201-vmss-automation-dsc/).
### Enable machines using PowerShell
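Review bot: the first link in this hunk drops the `101-` prefix (`templates/automation-configuration/`) but the second keeps `201-vmss-automation-dsc/`, and every other template link renamed in this batch drops the numeric prefix; either the second URL was missed or it intentionally keeps its old path, and the commit should say which. Verify that the VMSS link still resolves after the change.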
automation Automation Hybrid Runbook Worker https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/automation-hybrid-runbook-worker.md
Azure Automation Hybrid Runbook Worker can be used in Azure Government to suppor
### Update Management addresses for Hybrid Runbook Worker
-In addition to the standard addresses and ports required for the Hybrid Runbook Worker, Update Management has other network configuration requirements described under the [network planning](./update-management/overview.md#ports) section.
+In addition to the standard addresses and ports required for the Hybrid Runbook Worker, Update Management has other network configuration requirements described under the [network planning](./update-management/plan-deployment.md#ports) section.
## Azure Automation State Configuration on a Hybrid Runbook Worker
automation Automation Linux Hrw Install https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/automation-linux-hrw-install.md
The Hybrid Runbook Worker feature supports the following distributions. All oper
* SUSE Linux Enterprise Server 12 and 15 (SUSE did not release versions numbered 13 or 14) > [!IMPORTANT]
-> Before enabling the Update Management feature, which depends on the system Hybrid Runbook Worker role, confirm the distributions it supports [here](update-management/overview.md#supported-operating-systems).
+> Before enabling the Update Management feature, which depends on the system Hybrid Runbook Worker role, confirm the distributions it supports [here](update-management/operating-system-requirements.md).
### Minimum requirements
automation Automation Webhooks https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/automation-webhooks.md
This sample template creates a test environment and returns the URI for the webh
} }, "_artifactsLocation": {
- "defaultValue": "https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/101-automation/",
+ "defaultValue": "https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/quickstarts/microsoft.automation/101-automation/",
"type": "String", "metadata": { "description": "URI to artifacts location"
automation Update Management https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/troubleshoot/update-management.md
Machines do appear in Azure Resource Graph query results, but still don't show u
4. Validate that the hybrid worker is present for that machine.
-5. If the machine is not set up as a system Hybrid Runbook Worker, review the methods to enable the machine under the [Enable Update Management](../update-management/overview.md#enable-update-management) section of the Update Management Overview article. The method to enable is based on the environment the machine is running in.
+5. If the machine is not set up as a system Hybrid Runbook Worker, review the methods to enable using one of the following methods:
+
+ - From your [Automation account](../update-management/enable-from-automation-account.md) for one or more Azure and non-Azure machines, including Arc enabled servers.
+
+ - Using the **Enable-AutomationSolution** [runbook](../update-management/enable-from-runbook.md) to automate onboarding Azure VMs.
+
+ - For a [selected Azure VM](../update-management/enable-from-vm.md) from the **Virtual machines** page in the Azure portal. This scenario is available for Linux and Windows VMs.
+
+ - For [multiple Azure VMs](../update-management/enable-from-portal.md) by selecting them from the **Virtual machines** page in the Azure portal.
+
+ The method to enable is based on the environment the machine is running in.
6. Repeat the steps above for all machines that have not been displaying in the preview.
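Review bot: "review the methods to enable using one of the following methods" repeats "methods"; suggest "enable the machine using one of the following methods:". The closing sentence "The method to enable is based on the environment the machine is running in." is the reason for choosing between the four options and belongs before the list rather than after it. Minor: the first bullet writes "Arc enabled servers" while the rest of this batch uses "Azure Arc enabled servers"; use the full product name.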
Update
#### Communication with Automation account blocked
-Go to [Network planning](../update-management/overview.md#ports) to learn about which addresses and ports must be allowed for Update Management to work.
+Go to [Network planning](../update-management/plan-deployment.md#ports) to learn about which addresses and ports must be allowed for Update Management to work.
#### Duplicate computer name
You can retrieve more details programmatically by using the REST API. See [Softw
When applicable, use [dynamic groups](../update-management/configure-groups.md) for your update deployments. In addition, you can take the following steps.
-1. Verify that your machine or server meets the [requirements](../update-management/overview.md#system-requirements).
+1. Verify that your machine or server meets the [requirements](../update-management/operating-system-requirements.md).
2. Verify connectivity to the Hybrid Runbook Worker using the Hybrid Runbook Worker agent troubleshooter. To learn more about the troubleshooter, see [Troubleshoot update agent issues](update-agent-issues.md). ## <a name="updates-nodeployment"></a>Scenario: Updates are installed without a deployment
The default maintenance window for updates is 120 minutes. You can increase the
To understand why this occurred during an update run after it starts successfully, [check the job output](../update-management/deploy-updates.md#view-results-of-a-completed-update-deployment) from the affected machine in the run. You might find specific error messages from your machines that you can research and take action on.
-You can retrieve more details programmatically by using the REST API. See [Software Update Configuration Machine Runs](https://docs.microsoft.com/rest/api/automation/softwareupdateconfigurationmachineruns) for information on retrieving either a list of update configuration machine runs, or a single software update configuration machine run by ID.
+You can retrieve more details programmatically by using the REST API. See [Software Update Configuration Machine Runs](/rest/api/automation/softwareupdateconfigurationmachineruns) for information on retrieving either a list of update configuration machine runs, or a single software update configuration machine run by ID.
Edit any failing scheduled update deployments, and increase the maintenance window.
If you see an HRESULT, double-click the exception displayed in red to see the en
|Exception |Resolution or action | ||| |`Exception from HRESULT: 0x……C` | Search the relevant error code in [Windows update error code list](https://support.microsoft.com/help/938205/windows-update-error-code-list) to find additional details about the cause of the exception. |
-|`0x8024402C`</br>`0x8024401C`</br>`0x8024402F` | These indicate network connectivity issues. Make sure your machine has network connectivity to Update Management. See the [network planning](../update-management/overview.md#ports) section for a list of required ports and addresses. |
+|`0x8024402C`</br>`0x8024401C`</br>`0x8024402F` | These indicate network connectivity issues. Make sure your machine has network connectivity to Update Management. See the [network planning](../update-management/plan-deployment.md#ports) section for a list of required ports and addresses. |
|`0x8024001E`| The update operation didn't complete because the service or system was shutting down.| |`0x8024002E`| Windows Update service is disabled.| |`0x8024402C` | If you're using a WSUS server, make sure the registry values for `WUServer` and `WUStatusServer` under the `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate` registry key specify the correct WSUS server. |
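Review bot: `0x8024402C` now appears twice in this table, once in the row edited by this hunk as a network connectivity error and once in the unchanged WSUS row below it with a registry-key fix, so a reader hitting that code gets two different resolutions with nothing to choose between them. Either merge them into one row that says to check network connectivity first and then the `WUServer` and `WUStatusServer` values if WSUS is in use, or qualify the WSUS row as the follow-up step.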
Updates are often superseded by other updates. For more information, see [Update
### Installing updates by classification on Linux
-Deploying updates to Linux by classification ("Critical and security updates") has important caveats, especially for CentOS. These limitations are documented on the [Update Management overview page](../update-management/overview.md#linux).
+Deploying updates to Linux by classification ("Critical and security updates") has important caveats, especially for CentOS. These limitations are documented on the [Update Management overview page](../update-management/overview.md#update-classifications).
### KB2267602 is consistently missing
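Review bot: the link target for the Linux classification caveats is changed here to `../update-management/overview.md#update-classifications`, but the new operating-system-requirements.md added in this same batch sends readers to `view-update-assessments.md#linux` for the same CentOS caveat; pick one canonical location for that content and point both pages at it, otherwise the two will drift.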
automation Operating System Requirements https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/update-management/operating-system-requirements.md
+
+ Title: Azure Automation Update Management Supported Clients
+description: This article describes the supported Windows and Linux operating systems with Azure Automation Update Management.
++ Last updated : 06/07/2021+++
+# Operating systems supported by Update Management
+
+This article details the Windows and Linux operating systems supported and system requirements for machines or servers managed by Update Management.
+
+## Supported operating systems
+
+The following table lists the supported operating systems for update assessments and patching. Patching requires a system Hybrid Runbook Worker, which is automatically installed when you enable the virtual machine or server for management by Update Management. For information on Hybrid Runbook Worker system requirements, see [Deploy a Windows Hybrid Runbook Worker](../automation-windows-hrw-install.md#prerequisites) and [Deploy a Linux Hybrid Runbook Worker](../automation-linux-hrw-install.md#prerequisites).
+
+> [!NOTE]
+> Update assessment of Linux machines is only supported in certain regions as listed in the Automation account and Log Analytics workspace [mappings table](../how-to/region-mappings.md#supported-mappings).
+
+|Operating system |Notes |
+|||
+|Windows Server 2019 (Datacenter/Standard including Server Core)<br><br>Windows Server 2016 (Datacenter/Standard excluding Server Core)<br><br>Windows Server 2012 R2(Datacenter/Standard)<br><br>Windows Server 2012 | |
+|Windows Server 2008 R2 (RTM and SP1 Standard)| Update Management supports assessments and patching for this operating system. The [Hybrid Runbook Worker](../automation-windows-hrw-install.md) is supported for Windows Server 2008 R2. |
+|CentOS 6, 7, and 8 (x64) | Linux agents require access to an update repository. Classification-based patching requires `yum` to return security data that CentOS doesn't have in its RTM releases. For more information on classification-based patching on CentOS, see [Update classifications on Linux](view-update-assessments.md#linux). |
+|Red Hat Enterprise 6, 7, and 8 (x64) | Linux agents require access to an update repository. |
+|SUSE Linux Enterprise Server 12, 15, and 15.1 (x64) | Linux agents require access to an update repository. |
+|Ubuntu 14.04 LTS, 16.04 LTS, and 18.04 LTS (x64) |Linux agents require access to an update repository. |
+
+> [!NOTE]
+> Update Management does not support safely automating update management across all instances in an Azure virtual machine scale set. [Automatic OS image upgrades](../../virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-upgrade.md) is the recommended method for managing OS image upgrades on your scale set.
+
+## Unsupported operating systems
+
+The following table lists operating systems not supported by Update Management:
+
+|Operating system |Notes |
+|||
+|Windows client | Client operating systems (such as Windows 7 and Windows 10) aren't supported.<br> For Azure Windows Virtual Desktop (WVD), the recommended method<br> to manage updates is [Microsoft Endpoint Configuration Manager](../../virtual-desktop/configure-automatic-updates.md) for Windows 10 client machine patch management. |
+|Windows Server 2016 Nano Server | Not supported. |
+|Azure Kubernetes Service Nodes | Not supported. Use the patching process described in [Apply security and kernel updates to Linux nodes in Azure Kubernetes Service (AKS)](../../aks/node-updates-kured.md)|
+
+## System requirements
+
+The following information describes operating system-specific requirements. For additional guidance, see [Network planning](plan-deployment.md#ports). To understand requirements for TLS 1.2, see [TLS 1.2 enforcement for Azure Automation](../automation-managing-data.md#tls-12-enforcement-for-azure-automation).
+
+### Windows
+
+Software Requirements:
+
+- .NET Framework 4.6 or later is required. ([Download the .NET Framework](/dotnet/framework/install/guide-for-developers).
+- Windows PowerShell 5.1 is required ([Download Windows Management Framework 5.1](https://www.microsoft.com/download/details.aspx?id=54616).)
+- The Update Management feature depends on the system Hybrid Runbook Worker role, and you should confirm its [system requirements](../automation-windows-hrw-install.md#prerequisites).
+
+Windows Update agents must be configured to communicate with a Windows Server Update Services (WSUS) server, or they require access to Microsoft Update. For hybrid machines, we recommend installing the Log Analytics agent for Windows by first connecting your machine to [Azure Arc enabled servers](../../azure-arc/servers/overview.md), and then use Azure Policy to assign the [Deploy Log Analytics agent to Windows Azure Arc machines](../../governance/policy/samples/built-in-policies.md#monitoring) built-in policy. Alternatively, if you plan to monitor the machines with VM insights, instead use the [Enable Enable VM insights](../../governance/policy/samples/built-in-initiatives.md#monitoring) initiative.
+
+You can use Update Management with Microsoft Endpoint Configuration Manager. To learn more about integration scenarios, see [Integrate Update Management with Windows Endpoint Configuration Manager](mecmintegration.md). The [Log Analytics agent for Windows](../../azure-monitor/agents/agent-windows.md) is required for Windows servers managed by sites in your Configuration Manager environment.
+
+By default, Windows VMs that are deployed from Azure Marketplace are set to receive automatic updates from Windows Update Service. This behavior doesn't change when you add Windows VMs to your workspace. If you don't actively manage updates by using Update Management, the default behavior (to automatically apply updates) applies.
+
+> [!NOTE]
+> You can modify Group Policy so that machine reboots can be performed only by the user, not by the system. Managed machines can get stuck if Update Management doesn't have rights to reboot the machine without manual interaction from the user. For more information, see [Configure Group Policy settings for Automatic Updates](/windows-server/administration/windows-server-update-services/deploy/4-configure-group-policy-settings-for-automatic-updates).
+
+### Linux
+
+Software Requirements:
+
+- The machine requires access to an update repository, either private or public.
+- TLS 1.1 or TLS 1.2 is required to interact with Update Management.
+- The Update Management feature depends on the system Hybrid Runbook Worker role, and you should confirm its [system requirements](../automation-linux-hrw-install.md#prerequisites). Because Update Management uses Automation runbooks to initiate assessment and update of your machines, review the [version of Python required](../automation-linux-hrw-install.md#supported-runbook-types) for your supported Linux distro.
+
+> [!NOTE]
+> Update assessment of Linux machines is only supported in certain regions. See the Automation account and Log Analytics workspace [mappings table](../how-to/region-mappings.md#supported-mappings).
+
+For hybrid machines, we recommend installing the Log Analytics agent for Linux by first connecting your machine to [Azure Arc enabled servers](../../azure-arc/servers/overview.md), and then use Azure Policy to assign the [Deploy Log Analytics agent to Linux Azure Arc machines](../../governance/policy/samples/built-in-policies.md#monitoring) built-in policy. Alternatively, if you plan to monitor the machines with Azure Monitor for VMs, instead use the [Enable Azure Monitor for VMs](../../governance/policy/samples/built-in-initiatives.md#monitoring) initiative.
+
+## Next steps
+
+Before you enable and use Update Management, review [Plan your Update Management deployment](plan-deployment.md).
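Review bot: the Linux bullet `- TLS 1.1 or TLS 1.2 is required to interact with Update Management.` is at odds with the TLS 1.2 enforcement article this section's intro links to; if the service enforces TLS 1.2, drop TLS 1.1 from the bullet (or qualify it), otherwise readers will provision agents that can only negotiate TLS 1.1 and then fail to report. Two smaller fixes in the same hunk: the .NET Framework bullet is missing its closing parenthesis (`([Download the .NET Framework](/dotnet/framework/install/guide-for-developers).` should end with `).`), and the Windows hybrid paragraph reads `[Enable Enable VM insights]`, a doubled word. The matching Linux paragraph still uses the old name `Azure Monitor for VMs` while the Windows one was updated to `VM insights`; pick one.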
automation Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/update-management/overview.md
Title: Azure Automation Update Management overview
description: This article provides an overview of the Update Management feature that implements updates for your Windows and Linux machines. Previously updated : 05/04/2021 Last updated : 06/07/2021 # Update Management overview
-You can use Update Management in Azure Automation to manage operating system updates for your Windows and Linux virtual machines in Azure, in on-premises environments, and in other cloud environments. You can quickly assess the status of available updates on all agent machines and manage the process of installing required updates for servers.
+You can use Update Management in Azure Automation to manage operating system updates for your Windows and Linux virtual machines in Azure, physical or VMs in on-premises environments, and in other cloud environments. You can quickly assess the status of available updates and manage the process of installing required updates for your machines reporting to Update Management.
-As a service provider, you may have onboarded multiple customer tenants to [Azure Lighthouse](../../lighthouse/overview.md). Azure Lighthouse allows you to perform operations at scale across several Azure Active Directory (Azure AD) tenants at once, making management tasks like Update Management more efficient across those tenants you're responsible for.
+As a service provider, you may have onboarded multiple customer tenants to [Azure Lighthouse](../../lighthouse/overview.md). Update Management can be used to assess and schedule update deployments to machines in multiple subscriptions in the same Azure Active Directory (Azure AD) tenant, or across tenants using Azure Lighthouse.
-> [!NOTE]
-> You can't use a machine configured with Update Management to run custom scripts from Azure Automation. This machine can only run the Microsoft-signed update script.
+Microsoft offers other capabilities to help you manage updates for your Azure VMs or Azure virtual machine scale sets that you should consider as part of your overall update management strategy.
-> [!NOTE]
-> At this time, enabling Update Management directly from an Arc enabled server is not supported. See [Enable Update Management from your Automation account](../../automation/update-management/enable-from-automation-account.md) to understand requirements and how to enable for your server.
+- If you are interested in automatically assessing and updating your Azure virtual machines to maintain security compliance with *Critical* and *Security* updates released each month, review [Automatic VM guest patching](../../virtual-machines/automatic-vm-guest-patching.md) (preview). This is an alternative update management solution for your Azure VMs to auto-update them during off-peak hours, including VMs within an availability set, compared to managing update deployments to those VMs from Update Management in Azure Automation.
-To download and install available *Critical* and *Security* patches automatically on your Azure VM, review [Automatic VM guest patching](../../virtual-machines/automatic-vm-guest-patching.md) for Windows VMs.
+- If you manage Azure virtual machine scale sets, review how to perform [automatic OS image upgrades](../../virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-upgrade.md) to safely and automatically upgrade the OS disk for all instances in the scale set.
Before deploying Update Management and enabling your machines for management, make sure that you understand the information in the following sections. ## About Update Management
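Review bot: deleting the note `You can't use a machine configured with Update Management to run custom scripts from Azure Automation. This machine can only run the Microsoft-signed update script.` and the note that enabling Update Management directly from an Arc enabled server is not supported removes two restrictions without saying whether they were lifted; if they still apply they should be restated here or the page they moved to should be named, since readers of the overview otherwise lose them entirely. Also in the rewritten first paragraph, `physical or VMs in on-premises environments` should read `physical or virtual machines in on-premises environments`.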
-Machines that are managed by Update Management rely on the following to perform assessment and to deploy updates:
-
-* [Log Analytics agent](../../azure-monitor/agents/log-analytics-agent.md) for Windows or Linux
-* PowerShell Desired State Configuration (DSC) for Linux
-* Automation Hybrid Runbook Worker (automatically installed when you enable Update Management on the machine)
-* Microsoft Update or [Windows Server Update Services](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus) (WSUS) for Windows machines
-* Either a private or public update repository for Linux machines
-
-The following diagram illustrates how Update Management assesses and applies security updates to all connected Windows Server and Linux servers in a workspace:
+The following diagram illustrates how Update Management assesses and applies security updates to all connected Windows Server and Linux servers.
![Update Management workflow](./media/overview/update-mgmt-updateworkflow.png)
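Review bot: the removed dependency list had one item that nothing added in this change replaces: `Automation Hybrid Runbook Worker (automatically installed when you enable Update Management on the machine)`. The new System requirements bullets say the feature depends on the system Hybrid Runbook Worker role, but not that the role is installed automatically when a machine is enabled, which is what a reader checking what gets deployed to a managed machine needs to know; keep that fact near the diagram. The `PowerShell Desired State Configuration (DSC) for Linux` item is likewise dropped without explanation; if it is no longer a dependency, the commit should say so.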
-Update Management can be used to natively deploy to machines in multiple subscriptions in the same tenant, or across tenants using [Azure Lighthouse](../../lighthouse/overview.md).
+Update Management integrates with Azure Monitor Logs to store update assessments and update deployment results as log data, from assigned Azure and non-Azure machines. To collect this data, the Automation Account and Log Analytics workspace are linked together, and the Log Analytics agent for Windows and Linux is required on the machine and configured to report to this workspace. Update Management supports collecting information about system updates from agents in a System Center Operations Manager management group connected to the workspace. Having a machine registered for Update Management in more than one Log Analytics workspace (also referred to as multihoming) isn't supported.
-After a package is released, it takes 2 to 3 hours for the patch to show up for Linux machines for assessment. For Windows machines, it takes 12 to 15 hours for the patch to show up for assessment after it's been released. When a machine completes a scan for update compliance, the agent forwards the information in bulk to Azure Monitor logs. On a Windows machine, the compliance scan is run every 12 hours by default. For a Linux machine, the compliance scan is performed every hour by default. If the Log Analytics agent is restarted, a compliance scan is started within 15 minutes.
+The following table summarizes the supported connected sources with Update Management.
-In addition to the scan schedule, the scan for update compliance is started within 15 minutes of the Log Analytics agent being restarted, before update installation, and after update installation.
+| Connected source | Supported | Description |
+| | | |
+| Windows |Yes |Update Management collects information about system updates from Windows machines with the Log Analytics agent and installation of required updates. |
+| Linux |Yes |Update Management collects information about system updates from Linux machines with the Log Analytics agent and installation of required updates on supported distributions. |
+| Operations Manager management group |Yes |Update Management collects information about software updates from agents in a connected management group.<br/><br/>A direct connection from the Operations Manager agent to Azure Monitor logs isn't required. Log data is forwarded from the management group to the Log Analytics workspace. |
-Update Management reports how up to date the machine is based on what source you're configured to sync with. If the Windows machine is configured to report to [Windows Server Update Services](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus) (WSUS), depending on when WSUS last synced with Microsoft Update, the results might differ from what Microsoft Update shows. This behavior is the same for Linux machines that are configured to report to a local repo instead of to a public repo.
+The machines assigned to Update Management report how up to date they are based on what source they are configured to synchronize with. Windows machines can be configured to report to Windows Server Update Services or Microsoft Update, and Linux machines can be configured to report to a local or public repo. You can also use Update Management with Microsoft Endpoint Configuration Manager, and to learn more see [Integrate Update Management with Windows Endpoint Configuration Manager](mecmintegration.md).
-> [!NOTE]
-> To properly report to the service, Update Management requires certain URLs and ports to be enabled. To learn more about these requirements, see [Network configuration](../automation-hybrid-runbook-worker.md#network-planning).
+If the Windows Update Agent (WUA) on the Windows machine is configured to report to WSUS, depending on when WSUS last synchronized with Microsoft Update, the results might differ from what Microsoft Update shows. This behavior is the same for Linux machines that are configured to report to a local repo instead of a public repo. On a Windows machine, the compliance scan is run every 12 hours by default. For a Linux machine, the compliance scan is performed every hour by default. If the Log Analytics agent is restarted, a compliance scan is started within 15 minutes. When a machine completes a scan for update compliance, the agent forwards the information in bulk to Azure Monitor Logs.
-You can deploy and install software updates on machines that require the updates by creating a scheduled deployment. Updates classified as optional aren't included in the deployment scope for Windows machines. Only required updates are included in the deployment scope.
+You can deploy and install software updates on machines that require the updates by creating a scheduled deployment. Updates classified as *Optional* aren't included in the deployment scope for Windows machines. Only required updates are included in the deployment scope.
-The scheduled deployment defines which target machines receive the applicable updates. It does so either by explicitly specifying certain machines or by selecting a [computer group](../../azure-monitor/logs/computer-groups.md) that's based on log searches of a specific set of machines (or on an [Azure query](query-logs.md) that dynamically selects Azure VMs based on specified criteria). These groups differ from [scope configuration](../../azure-monitor/insights/solution-targeting.md), which is used to control the targeting of machines that receive the configuration to enable Update Management. This prevents them from performing and reporting update compliance, and install approved required updates.
+The scheduled deployment defines which target machines receive the applicable updates. It does so either by explicitly specifying certain machines or by selecting a [computer group](../../azure-monitor/logs/computer-groups.md) that's based on log searches of a specific set of machines (or based on an [Azure query](query-logs.md) that dynamically selects Azure VMs based on specified criteria). These groups differ from [scope configuration](../../azure-monitor/insights/solution-targeting.md), which is used to control the targeting of machines that receive the configuration to enable Update Management. This prevents them from performing and reporting update compliance, and install approved required updates.
While defining a deployment, you also specify a schedule to approve and set a time period during which updates can be installed. This period is called the maintenance window. A 20-minute span of the maintenance window is reserved for reboots, assuming one is needed and you selected the appropriate reboot option. If patching takes longer than expected and there's less than 20 minutes in the maintenance window, a reboot won't occur.
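Review bot: the sentence kept at the end of the scheduled-deployment paragraph, `This prevents them from performing and reporting update compliance, and install approved required updates.`, has no clear antecedent for `This` and mixes `performing` with `install`; suggest `Machines outside the scope configuration don't perform or report update compliance and don't install approved required updates.` The deleted note on required URLs and ports (`To properly report to the service, Update Management requires certain URLs and ports to be enabled.`) is now gone from the About section, and the only remaining network pointer is the `Network planning` link in System requirements; a one-line pointer here would keep that prerequisite visible. The new paragraph that starts `If the Windows Update Agent (WUA) ... is configured to report to WSUS` also combines the WSUS-versus-Microsoft Update discrepancy with the scan frequencies (12 hours, 1 hour, 15 minutes after restart); split it into two paragraphs. Finally, the moved table rows `collects information about system updates from Windows machines with the Log Analytics agent and installation of required updates` lost their verb; restore `and then starts installation of required updates` as in the deleted rows.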
-Updates are installed by runbooks in Azure Automation. You can't view these runbooks, and they don't require any configuration. When an update deployment is created, it creates a schedule that starts a master update runbook at the specified time for the included machines. The master runbook starts a child runbook on each agent to install the required updates.
+After an update package is scheduled for deployment, it takes 2 to 3 hours for the update to show up for Linux machines for assessment. For Windows machines, it takes 12 to 15 hours for the update to show up for assessment after it's been released. Before and after update installation, a scan for update compliance is performed and the log data results is forwarded to the workspace.
-At the date and time specified in the update deployment, the target machines execute the deployment in parallel. Before installation, a scan is run to verify that the updates are still required. For WSUS client machines, if the updates aren't approved in WSUS, update deployment fails.
+Updates are installed by runbooks in Azure Automation. You can't view these runbooks, and they don't require any configuration. When an update deployment is created, it creates a schedule that starts a master update runbook at the specified time for the included machines. The master runbook starts a child runbook on each agent that initiates the installation of the required updates with the Windows Update agent on Windows, or the applicable command on supported Linux distro.
-Having a machine registered for Update Management in more than one Log Analytics workspace (also referred to as multihoming) isn't supported.
+At the date and time specified in the update deployment, the target machines execute the deployment in parallel. Before installation, a scan is run to verify that the updates are still required. For WSUS client machines, if the updates aren't approved in WSUS, update deployment fails.
## Limits For limits that apply to Update Management, see [Azure Automation service limits](../../azure-resource-manager/management/azure-subscription-service-limits.md#update-management).
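Review bot: `After an update package is scheduled for deployment, it takes 2 to 3 hours for the update to show up for Linux machines for assessment` changes the trigger from package release (the deleted line said `After a package is released`, and the Windows sentence right after it still says `after it's been released`) to scheduling a deployment; a deployment can't be scheduled for an update that hasn't been assessed yet, so restore `After a package is released` and keep both sentences on the same clock. Also `the log data results is forwarded to the workspace` should be `are forwarded`, and `on supported Linux distro` should be `distros`.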
-## Clients
-
-### Supported operating systems
-
-The following table lists the supported operating systems for update assessments and patching. Patching requires a system Hybrid Runbook Worker, which is automatically installed when you enable the virtual machine or server for management by Update Management. For information on Hybrid Runbook Worker system requirements, see [Deploy a Windows Hybrid Runbook Worker](../automation-windows-hrw-install.md) and a [Deploy a Linux Hybrid Runbook Worker](../automation-linux-hrw-install.md).
-
-> [!NOTE]
-> Update assessment of Linux machines is only supported in certain regions as listed in the Automation account and Log Analytics workspace [mappings table](../how-to/region-mappings.md#supported-mappings).
-
-|Operating system |Notes |
-|||
-|Windows Server 2019 (Datacenter/Standard including Server Core)<br><br>Windows Server 2016 (Datacenter/Standard excluding Server Core)<br><br>Windows Server 2012 R2(Datacenter/Standard)<br><br>Windows Server 2012 | |
-|Windows Server 2008 R2 (RTM and SP1 Standard)| Update Management supports assessments and patching for this operating system. The [Hybrid Runbook Worker](../automation-windows-hrw-install.md) is supported for Windows Server 2008 R2. |
-|CentOS 6, 7, and 8 (x64) | Linux agents require access to an update repository. Classification-based patching requires `yum` to return security data that CentOS doesn't have in its RTM releases. For more information on classification-based patching on CentOS, see [Update classifications on Linux](view-update-assessments.md#linux). |
-|Red Hat Enterprise 6, 7, and 8 (x64) | Linux agents require access to an update repository. |
-|SUSE Linux Enterprise Server 12, 15, and 15.1 (x64) | Linux agents require access to an update repository. For SUSE 15.x, Python 3 is required on the machine. |
-|Ubuntu 14.04 LTS, 16.04 LTS, and 18.04 LTS (x64) |Linux agents require access to an update repository. |
-
-> [!NOTE]
-> Update Management does not support safely automating update management across all instances in an Azure virtual machine scale set. [Automatic OS image upgrades](../../virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-upgrade.md) is the recommended method for managing OS image upgrades on your scale set.
-
-### Unsupported operating systems
-
-The following table lists operating systems not supported by Update Management:
-
-|Operating system |Notes |
-|||
-|Windows client | Client operating systems (such as Windows 7 and Windows 10) aren't supported.<br> For Azure Windows Virtual Desktop (WVD), the recommended method<br> to manage updates is [Microsoft Endpoint Configuration Manager](../../virtual-desktop/configure-automatic-updates.md) for Windows 10 client machine patch management. |
-|Windows Server 2016 Nano Server | Not supported. |
-|Azure Kubernetes Service Nodes | Not supported. Use the patching process described in [Apply security and kernel updates to Linux nodes in Azure Kubernetes Service (AKS)](../../aks/node-updates-kured.md)|
-
-### System requirements
-
-The following information describes operating system-specific requirements. For additional guidance, see [Network planning](#ports). To understand requirements for TLS 1.2, see [TLS 1.2 enforcement for Azure Automation](../automation-managing-data.md#tls-12-enforcement-for-azure-automation).
-
-#### Windows
-
-Software Requirements:
--- .NET Framework 4.6 or later is required. ([Download the .NET Framework](/dotnet/framework/install/guide-for-developers).-- Windows PowerShell 5.1 is required ([Download Windows Management Framework 5.1](https://www.microsoft.com/download/details.aspx?id=54616).)-
-Windows agents must be configured to communicate with a WSUS server, or they require access to Microsoft Update. For hybrid machines, we recommend installing the Log Analytics agent for Windows by first connecting your machine to [Azure Arc enabled servers](../../azure-arc/servers/overview.md), and then use Azure Policy to assign the [Deploy Log Analytics agent to Windows Azure Arc machines](../../governance/policy/samples/built-in-policies.md#monitoring) built-in policy. Alternatively, if you plan to monitor the machines with Azure Monitor for VMs, instead use the [Enable Azure Monitor for VMs](../../governance/policy/samples/built-in-initiatives.md#monitoring) initiative.
-
-You can use Update Management with Microsoft Endpoint Configuration Manager. To learn more about integration scenarios, see [Integrate Update Management with Windows Endpoint Configuration Manager](mecmintegration.md). The [Log Analytics agent for Windows](../../azure-monitor/agents/agent-windows.md) is required for Windows servers managed by sites in your Configuration Manager environment.
-
-By default, Windows VMs that are deployed from Azure Marketplace are set to receive automatic updates from Windows Update Service. This behavior doesn't change when you add Windows VMs to your workspace. If you don't actively manage updates by using Update Management, the default behavior (to automatically apply updates) applies.
-
-> [!NOTE]
-> You can modify Group Policy so that machine reboots can be performed only by the user, not by the system. Managed machines can get stuck if Update Management doesn't have rights to reboot the machine without manual interaction from the user. For more information, see [Configure Group Policy settings for Automatic Updates](/windows-server/administration/windows-server-update-services/deploy/4-configure-group-policy-settings-for-automatic-updates).
-
-#### Linux
-
-Software Requirements:
--- The machine requires access to an update repository, either private or public.-- TLS 1.1 or TLS 1.2 is required to interact with Update Management.-- Python 2.x installed.-
-> [!NOTE]
-> Update assessment of Linux machines is only supported in certain regions. See the Automation account and Log Analytics workspace [mappings table](../how-to/region-mappings.md#supported-mappings).
-
-For hybrid machines, we recommend installing the Log Analytics agent for Linux by first connecting your machine to [Azure Arc enabled servers](../../azure-arc/servers/overview.md), and then use Azure Policy to assign the [Deploy Log Analytics agent to Linux Azure Arc machines](../../governance/policy/samples/built-in-policies.md#monitoring) built-in policy. Alternatively, if you plan to monitor the machines with Azure Monitor for VMs, instead use the [Enable Azure Monitor for VMs](../../governance/policy/samples/built-in-initiatives.md#monitoring) initiative.
-
-VMs created from the on-demand Red Hat Enterprise Linux (RHEL) images that are available in Azure Marketplace are registered to access the [Red Hat Update Infrastructure (RHUI)](../../virtual-machines/workloads/redhat/redhat-rhui.md) that's deployed in Azure. Any other Linux distribution must be updated from the distribution's online file repository by using methods supported by the distribution.
- ## Permissions To create and manage update deployments, you need specific permissions. To learn about these permissions, see [Role-based access - Update Management](../automation-role-based-access-control.md#update-management-permissions).
You can add the Windows machine to a user Hybrid Runbook Worker group in your Au
### Management packs
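Review bot: the RHEL paragraph removed here (`VMs created from the on-demand Red Hat Enterprise Linux (RHEL) images that are available in Azure Marketplace are registered to access the Red Hat Update Infrastructure (RHUI) ... Any other Linux distribution must be updated from the distribution's online file repository`) has no counterpart in the lines added by this change, whereas the rest of the Clients section reappears in the new Supported/Unsupported operating systems tables and System requirements; either carry it into the new Linux requirements or name the page it now lives on, because it explains which repository a Marketplace RHEL VM will actually reach. The line `- ## Permissions To create and manage update deployments, you need specific permissions...` is also marked as deleted in full; confirm that only the heading moved and that the permissions paragraph and its role-based access link survive on the page.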
-If your Operations Manager management group is [connected to a Log Analytics workspace](../../azure-monitor/agents/om-agents.md), the following management packs are installed in Operations Manager. These management packs are also installed for Update Management on directly connected Windows machines. You don't need to configure or manage these management packs.
+The following management packs are installed on the machines managed by Update Management. If your Operations Manager management group is [connected to a Log Analytics workspace](../../azure-monitor/agents/om-agents.md), the management packs are installed in the Operations Manager management group. You don't need to configure or manage these management packs.
* Microsoft System Center Advisor Update Assessment Intelligence Pack (Microsoft.IntelligencePacks.UpdateAssessment) * Microsoft.IntelligencePack.UpdateAssessment.Configuration (Microsoft.IntelligencePack.UpdateAssessment.Configuration) * Update Deployment MP > [!NOTE]
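Review bot: `The following management packs are installed on the machines managed by Update Management` overstates the scope; the deleted sentence limited this to `directly connected Windows machines`, and nothing in the change says the packs now apply to Linux machines as well. Suggest `The following management packs are installed on directly connected Windows machines managed by Update Management.`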
-> If you have an Operations Manager 1807 or 2019 management group connected to a Log Analytics workspace with agents configured in the management group to collect log data, you need to override the parameter `IsAutoRegistrationEnabled` and set it to True in the **Microsoft.IntelligencePacks.AzureAutomation.HybridAgent.Init** rule.
+> If you have an Operations Manager 1807 or 2019 management group connected to a Log Analytics workspace with agents configured in the management group to collect log data, you need to override the parameter `IsAutoRegistrationEnabled` and set it to `True` in the **Microsoft.IntelligencePacks.AzureAutomation.HybridAgent.Init** rule.
For more information about updates to management packs, see [Connect Operations Manager to Azure Monitor logs](../../azure-monitor/agents/om-agents.md). > [!NOTE] > For Update Management to fully manage machines with the Log Analytics agent, you must update to the Log Analytics agent for Windows or the Log Analytics agent for Linux. To learn how to update the agent, see [How to upgrade an Operations Manager agent](/system-center/scom/deploy-upgrade-agents). In environments that use Operations Manager, you must be running System Center Operations Manager 2012 R2 UR 14 or later.
-## Data collection
-
-### Supported sources
-
-The following table describes the connected sources that Update Management supports:
-
-| Connected source | Supported | Description |
-| | | |
-| Windows agents |Yes |Update Management collects information about system updates from Windows agents and then starts installation of required updates. |
-| Linux agents |Yes |Update Management collects information about system updates from Linux agents and then starts installation of required updates on supported distributions. |
-| Operations Manager management group |Yes |Update Management collects information about system updates from agents in a connected management group.<br/><br/>A direct connection from the Operations Manager agent to Azure Monitor logs isn't required. Data is forwarded from the management group to the Log Analytics workspace. |
-
-### Collection frequency
+## Data collection frequency
Update Management scans managed machines for data using the following rules. It can take between 30 minutes and 6 hours for the dashboard to display updated data from managed machines.
Update Management scans managed machines for data using the following rules. It
The average data usage by Azure Monitor logs for a machine using Update Management is approximately 25 MB per month. This value is only an approximation and is subject to change, depending on your environment. We recommend that you monitor your environment to keep track of your exact usage. For more information about analyzing Azure Monitor Logs data usage, see [Manage usage and cost](../../azure-monitor/logs/manage-cost-storage.md).
-## <a name="ports"></a>Network planning
-
-Check [Azure Automation Network Configuration](../automation-network-configuration.md#hybrid-runbook-worker-and-state-configuration) for detailed information on the ports, URLs, and other networking details required for Update Management.
-
-For Windows machines, you must also allow traffic to any endpoints required by Windows Update. You can find an updated list of required endpoints in [Issues related to HTTP/Proxy](/windows/deployment/update/windows-update-troubleshooting#issues-related-to-httpproxy). If you have a local [Windows Update server](/windows-server/administration/windows-server-update-services/plan/plan-your-wsus-deployment), you must also allow traffic to the server specified in your [WSUS key](/windows/deployment/update/waas-wu-settings#configuring-automatic-updates-by-editing-the-registry).
-
-For Red Hat Linux machines, see [IPs for the RHUI content delivery servers](../../virtual-machines/workloads/redhat/redhat-rhui.md#the-ips-for-the-rhui-content-delivery-servers) for required endpoints. For other Linux distributions, see your provider documentation.
-
-For more information about ports required for the Hybrid Runbook Worker, see [Update Management addresses for Hybrid Runbook Worker](../automation-hybrid-runbook-worker.md#update-management-addresses-for-hybrid-runbook-worker).
-
-If your IT security policies do not allow machines on the network to connect to the internet, you can set up a [Log Analytics gateway](../../azure-monitor/agents/gateway.md) and then configure the machine to connect through the gateway to Azure Automation and Azure Monitor.
- ## Update classifications The following table defines the classifications that Update Management supports for Windows updates.
The next table defines the supported classifications for Linux updates.
|Critical and security updates | Updates for a specific problem or a product-specific, security-related issue. | |Other updates | All other updates that aren't critical in nature or that aren't security updates. |
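Review bot: removing `## <a name="ports"></a>Network planning` deletes the `ports` anchor on this page; the new System requirements intro links to `plan-deployment.md#ports` instead, so confirm that plan-deployment.md carries that anchor and that inbound links to `overview.md#ports` are redirected. The removed section was also the only place on this page that told readers to allow traffic to the Windows Update endpoints, to the WSUS server named in the WSUS registry key, to the RHUI content delivery IPs for Red Hat machines, and that a Log Analytics gateway is the supported path when policy forbids direct internet access; those are the allow-list items a firewall change request is built from, so the overview should keep at least a one-line pointer to where that guidance now lives.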
->[!NOTE]
->Update classification for Linux machines is only available when used in supported Azure public cloud regions. There is no classification of Linux updates when using Update Management in the following national cloud regions:
+> [!NOTE]
+> Update classification for Linux machines is only available when used in supported Azure public cloud regions. There is no classification of Linux updates when using Update Management in the following national cloud regions:
> >* Azure US Government >* 21Vianet in China
There's currently no supported method to enable native classification-data avail
To classify updates on Red Hat Enterprise version 6, you need to install the yum-security plugin. On Red Hat Enterprise Linux 7, the plugin is already a part of yum itself and there's no need to install anything. For more information, see the following Red Hat [knowledge article](https://access.redhat.com/solutions/10021).
-When you schedule an update to run on a Linux machine, that for example is configured to install only updates matching the **Security** classification, the updates installed might be different from, or are a subset of the updates matching this classification. When an assessment of OS updates pending for your Linux machine is performed, [Open Vulnerability and Assessment Language](https://oval.mitre.org/) (OVAL) files provided by the Linux distro vendor is used by Update Management for classification.
+When you schedule an update to run on a Linux machine, that for example is configured to install only updates matching the **Security** classification, the updates installed might be different from, or are a subset of, the updates matching this classification. When an assessment of OS updates pending for your Linux machine is performed, [Open Vulnerability and Assessment Language](https://oval.mitre.org/) (OVAL) files provided by the Linux distro vendor is used by Update Management for classification.
-Categorization is done for Linux updates as **Security** or **Others** based on the OVAL files, which includes updates addressing security issues or vulnerabilities. But when the update schedule is run, it executes on the Linux machine using the appropriate package manager like YUM, APT or ZYPPER to install them. The package manager for the Linux distro may have a different mechanism to classify updates, where the results may differ from the ones obtained from OVAL files by Update Management. To manually check the machine and understand which updates are security relevant by your package manager, see [Troubleshoot Linux update deployment](../troubleshoot/update-management.md#updates-linux-installed-different).
+Categorization is done for Linux updates as **Security** or **Others** based on the OVAL files, which includes updates addressing security issues or vulnerabilities. But when the update schedule is run, it executes on the Linux machine using the appropriate package manager like YUM, APT, or ZYPPER to install them. The package manager for the Linux distro may have a different mechanism to classify updates, where the results may differ from the ones obtained from OVAL files by Update Management. To manually check the machine and understand which updates are security relevant by your package manager, see [Troubleshoot Linux update deployment](../troubleshoot/update-management.md#updates-linux-installed-different).
## Integrate Update Management with Configuration Manager
Customers who have invested in Microsoft Endpoint Configuration Manager for mana
Update Management relies on the locally configured update repository to update supported Windows systems, either WSUS or Windows Update. Tools such as [System Center Updates Publisher](/configmgr/sum/tools/updates-publisher) allow you to import and publish custom updates with WSUS. This scenario allows Update Management to update machines that use Configuration Manager as their update repository with third-party software. To learn how to configure Updates Publisher, see [Install Updates Publisher](/configmgr/sum/tools/install-updates-publisher).
-## Enable Update Management
-
-Here are the ways that you can enable Update Management and select machines to be managed:
--- Using an Azure [Resource Manager template](enable-from-template.md) to deploy Update Management to a new or existing Automation account and Azure Monitor Log Analytics workspace in your subscription. It does not configure the scope of machines that should be managed, this is performed as a separate step after using the template.--- From your [Automation account](enable-from-automation-account.md) for one or more Azure and non-Azure machines, including Arc enabled servers.--- Using the **Enable-AutomationSolution** [runbook](enable-from-runbook.md) method.--- For a [selected Azure VM](enable-from-vm.md) from the **Virtual machines** page in the Azure portal. This scenario is available for Linux and Windows VMs.--- For [multiple Azure VMs](enable-from-portal.md) by selecting them from the **Virtual machines** page in the Azure portal.-
-> [!NOTE]
-> Update Management requires linking a Log Analytics workspace to your Automation account. For a definitive list of supported regions, see [Azure Workspace mappings](../how-to/region-mappings.md). The region mappings don't affect the ability to manage VMs in a separate region from your Automation account.
- ## Next steps
-* For details of working with Update Management, see [Manage updates for your VMs](manage-updates-for-vm.md).
+* Before enabling and using Update Management, review [Plan your Update Management deployment](plan-deployment.md).
* Review commonly asked questions about Update Management in the [Azure Automation frequently asked questions](../automation-faq.md).
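Review bot: In the two `+` paragraphs on Linux update classification the subject-verb agreement is still off: "OVAL files provided by the Linux distro vendor is used" should read "are used", and "based on the OVAL files, which includes updates" should read "which include"; since these lines are being touched for punctuation anyway, fix both here. The removed "Enable Update Management" section and its note that Update Management requires linking a Log Analytics workspace to the Automation account (with the region-mappings link) are not replaced anywhere in this hunk; the new Next steps bullet only points to plan-deployment.md, so confirm that article carries the workspace-linking requirement rather than letting it drop out of the documentation.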
automation Plan Deployment https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/update-management/plan-deployment.md
+
+ Title: Azure Automation Update Management Deployment Plan
+description: This article describes the considerations and decisions to be made to prepare deployment of Azure Automation Update Management.
++ Last updated : 06/07/2021+++
+# Plan your Update Management deployment
+
+## Step 1 - Automation account
+
+Update Management is an Azure Automation feature, and therefore requires an Automation account. You can use an existing Automation account in your subscription, or create a new account dedicated only for Update Management and no other Automation features.
+
+## Step 2 - Azure Monitor Logs
+
+Update Management depends on a Log Analytics workspace in Azure Monitor to store assessment and update status log data collected from managed machines. Integration with Log Analytics also enables detailed analysis and alerting in Azure Monitor. You can use an existing workspace in your subscription, or create a new one dedicated only for Update Management.
+
+If you are new to Azure Monitor Logs and the Log Analytics workspace, you should review the [Design a Log Analytics workspace](../../azure-monitor/logs/design-logs-deployment.md) deployment guide.
+
+## Step 3 - Supported operating systems
+
+Update Management supports specific versions of the Windows Server and Linux operating systems. Before you enable Update Management, confirm that the target machines meet the [operating system requirements](operating-system-requirements.md).
+
+## Step 4 - Log Analytics agent
+
+The [Log Analytics agent](../../azure-monitor/agents/log-analytics-agent.md) for Windows and Linux is required to support Update Management. The agent is used for both data collection, and the Automation system Hybrid Runbook Worker role to support Update Management runbooks used to manage the assessment and update deployments on the machine.
+
+On Azure VMs, if the Log Analytics agent isn't already installed, when you enable Update Management for the VM it is automatically installed using the Log Analytics VM extension for [Windows](../../virtual-machines/extensions/oms-windows.md) or [Linux](../../virtual-machines/extensions/oms-linux.md). The agent is configured to report to the Log Analytics workspace linked to the Automation account Update Management is enabled in.
+
+Non-Azure VMs or servers need to have the Log Analytics agent for Windows or Linux installed and reporting to the linked workspace. We recommend installing the Log Analytics agent for Windows or Linux by first connecting your machine to [Azure Arc enabled servers](../../azure-arc/servers/overview.md), and then use Azure Policy to assign the [Deploy Log Analytics agent to Linux or Windows Azure Arc machines](../../governance/policy/samples/built-in-policies.md#monitoring) built-in policy. Alternatively, if you plan to monitor the machines with [VM insights](../../azure-monitor/vm/vminsights-overview.md), instead use the [Enable Azure Monitor for VMs](../../governance/policy/samples/built-in-initiatives.md#monitoring) initiative.
+
+If you're enabling a machine that's currently managed by Operations Manager, a new agent isn't required. The workspace information is added to the agents configuration when you connect the management group to the Log Analytics workspace.
+
+Having a machine registered for Update Management in more than one Log Analytics workspace (also referred to as multihoming) isn't supported.
+
+## <a name="ports"></a> Step 5 - Network planning
+
+To prepare your network to support Update Management, you may need to configure some infrastructure components. For example, open firewall ports to pass the communications used by Update Management and Azure Monitor.
+
+Review [Azure Automation Network Configuration](../automation-network-configuration.md) for detailed information on the ports, URLs, and other networking details required for Update Management, including the Hybrid Runbook Worker role. To connect to the Automation service from your Azure VMs securely and privately, review [Use Azure Private Link](../how-to/private-link-security.md).
+
+For Windows machines, you must also allow traffic to any endpoints required by Windows Update agent. You can find an updated list of required endpoints in [Issues related to HTTP/Proxy](/windows/deployment/update/windows-update-troubleshooting#issues-related-to-httpproxy). If you have a local [Windows Server Update Services](/windows-server/administration/windows-server-update-services/plan/plan-your-wsus-deployment) (WSUS) deployment, you must also allow traffic to the server specified in your [WSUS key](/windows/deployment/update/waas-wu-settings#configuring-automatic-updates-by-editing-the-registry).
+
+For Red Hat Linux machines, see [IPs for the RHUI content delivery servers](../../virtual-machines/workloads/redhat/redhat-rhui.md#the-ips-for-the-rhui-content-delivery-servers) for required endpoints. For other Linux distributions, see your provider documentation.
+
+If your IT security policies do not allow machines on the network to connect to the internet, you can set up a [Log Analytics gateway](../../azure-monitor/agents/gateway.md) and then configure the machine to connect through the gateway to Azure Automation and Azure Monitor.
+
+## Step 6 - Permissions
+
+To create and manage update deployments, you need specific permissions. To learn about these permissions, see [Role-based access - Update Management](../automation-role-based-access-control.md#update-management-permissions).
+
+## Step 7 - Windows Update client
+
+Azure Automation Update Management relies on the Windows Update client to download and install Windows updates. There are specific group policy settings that are used by Windows Update Agent (WUA) on machines to connect to Windows Server Update Services (WSUS) or Microsoft Update. These group policy settings are also used to successfully scan for software update compliance, and to automatically update the software updates. To review our recommendations, see [Configure Windows Update settings for Update Management](configure-wuagent.md).
+
+## Step 8 - Linux repository
+
+VMs created from the on-demand Red Hat Enterprise Linux (RHEL) images available in Azure Marketplace are registered to access the Red Hat Update Infrastructure (RHUI) that's deployed in Azure. Any other Linux distribution must be updated from the distribution's online file repository by using methods supported by that distribution.
+
+To classify updates on Red Hat Enterprise version 6, you need to install the yum-security plugin. On Red Hat Enterprise Linux 7, the plugin is already a part of yum itself and there's no need to install anything. For more information, see the following Red Hat [knowledge article](https://access.redhat.com/solutions/10021).
+
+## Step 9 - Plan deployment targets
+
+Update Management allows you to target updates to a dynamic group representing Azure or non-Azure machines, so you can ensure that specific machines always get the right updates at the most convenient times. A dynamic group is resolved at deployment time and is based on the following criteria:
+
+* Subscription
+* Resource groups
+* Locations
+* Tags
+
+For non-Azure machines, a dynamic group uses saved searches, also called [computer groups](../../azure-monitor/logs/computer-groups.md). Update deployments scoped to a group of machines is only visible from the Automation account in the Update Management **Deployment schedules** option, not from a specific Azure VM.
+
+Alternatively, updates can be managed only for a selected Azure VM. Update deployments scoped to the specific machine are visible from both the machine and from the Automation account in Update Management **Deployment schedules** option.
+
+## Next steps
+
+Enable Update Management and select machines to be managed using one of the following methods:
+
+- Using an Azure [Resource Manager template](enable-from-template.md) to deploy Update Management to a new or existing Automation account and Azure Monitor Log Analytics workspace in your subscription. It does not configure the scope of machines that should be managed, this is performed as a separate step after using the template.
+
+- From your [Automation account](enable-from-automation-account.md) for one or more Azure and non-Azure machines, including Arc enabled servers.
+
+- Using the **Enable-AutomationSolution** [runbook](enable-from-runbook.md) to automate onboarding Azure VMs.
+
+- For a [selected Azure VM](enable-from-vm.md) from the **Virtual machines** page in the Azure portal. This scenario is available for Linux and Windows VMs.
+
+- For [multiple Azure VMs](enable-from-portal.md) by selecting them from the **Virtual machines** page in the Azure portal.
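Review bot: Step 9 has a number-agreement error: "Update deployments scoped to a group of machines is only visible" should read "are only visible". Further wording points in this new file: in Step 4, "added to the agents configuration" should be "agent's configuration"; in Step 8, "Red Hat Enterprise version 6" should be "Red Hat Enterprise Linux 6" to match "Red Hat Enterprise Linux 7" in the next sentence; and the first Next steps bullet is a comma splice ("It does not configure the scope of machines that should be managed, this is performed as a separate step") that reads better as two sentences. Step 2 introduces the Log Analytics workspace but never states that it must be linked to the Automation account, which the note removed from overview.md earlier in this change set called out explicitly; adding that sentence here keeps the requirement from being lost in the move.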
automation Remove Vms https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/update-management/remove-vms.md
Title: Remove VMs from Azure Automation Update Management
description: This article tells how to remove machines managed with Update Management. Previously updated : 05/26/2021 Last updated : 06/03/2021 # Remove VMs from Update Management
automation Scope Configuration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/update-management/scope-configuration.md
Title: Limit Azure Automation Update Management deployment scope description: This article tells how to use scope configurations to limit the scope of an Update Management deployment. Previously updated : 05/27/2021 Last updated : 06/03/2021
automation Whats New https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/whats-new.md
Title: What's new in Azure Automation
description: Significant updates to Azure Automation updated each month. -- Previously updated : 04/09/2021 Last updated : 05/19/2021
See [Use a webhook from an ARM template](./automation-webhooks.md#use-a-webhook-
**Type:** New feature
-See the [full list](./update-management/overview.md#supported-operating-systems) of supported Linux operating systems for more details.
+See the [full list](./update-management/operating-system-requirements.md) of supported Linux operating systems for more details.
### In-region data residency support for Brazil South and South East Asia
Automation Hybrid Runbook Worker supports the Windows Server 2008 R2 operating s
**Type:** New feature
-Update Management supports assessing and patching the Windows Server 2008 R2 operating system. See [Supported operating systems](update-management/overview.md#clients) for updates to the documentation to reflect these changes.
+Update Management supports assessing and patching the Windows Server 2008 R2 operating system. See [Supported operating systems](update-management/operating-system-requirements.md) for updates to the documentation to reflect these changes.
### Automation diagnostic logs schema update
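Review bot: Both `+` lines drop the section anchor when retargeting the link: the old targets pointed at #supported-operating-systems and #clients in overview.md, while the new ones point at the top of operating-system-requirements.md. For the first entry, which promises the list of supported Linux operating systems specifically, link to the Linux section of the new page if it has one, so readers land on the relevant table rather than at the top of a page that also covers Windows.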
azure-app-configuration Quickstart Resource Manager https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-app-configuration/quickstart-resource-manager.md
This quickstart describes how to :
If your environment meets the prerequisites and you're familiar with using ARM templates, select the **Deploy to Azure** button. The template will open in the Azure portal.
-[![Deploy to Azure](../media/template-deployments/deploy-to-azure.svg)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2F101-app-configuration-store-kv%2Fazuredeploy.json)
+[![Deploy to Azure](../media/template-deployments/deploy-to-azure.svg)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fquickstarts%2Fmicrosoft.appconfiguration%2Fapp-configuration-store-kv%2Fazuredeploy.json)
## Prerequisites
If you don't have an Azure subscription, create a [free account](https://azure.m
## Review the template
-The template used in this quickstart is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/101-app-configuration-store-kv/). It creates a new App Configuration store with two key-values inside. It then uses the `reference` function to output the values of the two key-value resources. Reading the key's value in this way allows it to be used in other places in the template.
+The template used in this quickstart is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/app-configuration-store-kv/). It creates a new App Configuration store with two key-values inside. It then uses the `reference` function to output the values of the two key-value resources. Reading the key's value in this way allows it to be used in other places in the template.
The quickstart uses the `copy` element to create multiple instances of key-value resource. To learn more about the `copy` element, see [Resource iteration in ARM templates](../azure-resource-manager/templates/copy-resources.md).
Two Azure resources are defined in the template:
Select the following image to sign in to Azure and open a template. The template creates an App Configuration store with two key-values inside.
-[![Deploy to Azure](../media/template-deployments/deploy-to-azure.svg)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2F101-app-configuration-store-kv%2Fazuredeploy.json)
+[![Deploy to Azure](../media/template-deployments/deploy-to-azure.svg)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fquickstarts%2Fmicrosoft.appconfiguration%2Fapp-configuration-store-kv%2Fazuredeploy.json)
You can also deploy the template by using the following PowerShell cmdlet. The key-values will be in the output of PowerShell console. ```azurepowershell-interactive $projectName = Read-Host -Prompt "Enter a project name that is used for generating resource names" $location = Read-Host -Prompt "Enter the location (i.e. centralus)"
-$templateUri = "https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/101-app-configuration-store-kv/azuredeploy.json"
+$templateUri = "https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/quickstarts/microsoft.appconfiguration/app-configuration-store-kv/azuredeploy.json"
$resourceGroupName = "${projectName}rg"
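Review bot: The four template references are updated consistently to the new quickstarts/microsoft.appconfiguration/app-configuration-store-kv path (both Deploy to Azure buttons, the gallery link, and $templateUri in the PowerShell snippet), so the change is complete. One unchanged line in the same block is worth fixing while here: the Read-Host prompt says "(i.e. centralus)" where "e.g. centralus" is meant, since centralus is an example location rather than the only valid one.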
azure-arc Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/kubernetes/overview.md
With Azure Arc enabled Kubernetes, you can attach and configure Kubernetes clusters located either inside or outside Azure. When you connect a Kubernetes cluster to Azure Arc, it will: * Appear in the Azure portal with an Azure Resource Manager ID and a managed identity.
-* Are placed in an Azure subscription and resource group.
+* Be placed in an Azure subscription and resource group.
* Receive tags just like any other Azure resource. To connect a Kubernetes cluster to Azure, the cluster administrator needs to deploy agents. These agents:
To connect a Kubernetes cluster to Azure, the cluster administrator needs to dep
* Collect Azure Arc logs and metrics. * Watch for configuration requests.
-Azure Arc enabled Kubernetes supports industry-standard SSL to secure data in transit. Also, data is stored encrypted at rest in an Azure Cosmos DB database to ensure data confidentiality.
+Azure Arc enabled Kubernetes supports industry-standard SSL to secure data in transit. Also, data at rest is stored encrypted in an Azure Cosmos DB database to ensure data confidentiality.
## Supported Kubernetes distributions
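Review bot: The `+` line still says "industry-standard SSL to secure data in transit"; the protocol actually in use is TLS, and SSL is its deprecated predecessor, so since the sentence is being reworded anyway, say "TLS" (or "TLS (SSL)" if the familiar term is wanted for readers searching on it). The "Be placed in an Azure subscription" fix correctly aligns the bullet with "it will:" in the lead sentence.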
azure-arc Tutorial Arc Enabled Open Service Mesh https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/kubernetes/tutorial-arc-enabled-open-service-mesh.md
Set the environment variables:
```azurecli-interactive export VERSION=0.8.4
-export $CLUSTER_NAME=<arc-cluster-name>
-export $RESOURCE_GROUP=<resource-group-name>
+export CLUSTER_NAME=<arc-cluster-name>
+export RESOURCE_GROUP=<resource-group-name>
``` While Arc enabled Open Service Mesh is in preview, the `az k8s-extension create` command only accepts `pilot` for the `--release-train` flag. `--auto-upgrade-minor-version` is always set to `false` and a version must be provided. If you have an OpenShift cluster, use the steps in the [section](#install-a-specific-version-of-osm-on-openshift-cluster).
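Review bot: The fix is correct: `export $CLUSTER_NAME=<arc-cluster-name>` makes the shell expand the not-yet-set variable first, so the command becomes `export =<arc-cluster-name>`, which is rejected as an invalid identifier and never creates CLUSTER_NAME; `export CLUSTER_NAME=...` is the right form. Consider also quoting the placeholder values (`export CLUSTER_NAME="<arc-cluster-name>"`), because an unquoted `<arc-cluster-name>` is parsed as a pair of redirections if a reader pastes the line before substituting, and the resulting syntax error is confusing.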
azure-cache-for-redis Cache Development Faq https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-cache-for-redis/cache-development-faq.md
Last updated 08/06/2020
This article provides answers to common questions about how to develop for Azure Cache for Redis. ## Common questions and answers+ This section covers the following FAQs: * [How can I get started with Azure Cache for Redis?](#how-can-i-get-started-with-azure-cache-for-redis)
This section covers the following FAQs:
* [What are Redis databases?](#what-are-redis-databases) ### How can I get started with Azure Cache for Redis?+ There are several ways you can get started with Azure Cache for Redis. * You can check out one of our tutorials available for [.NET](cache-dotnet-how-to-use-azure-redis-cache.md), [ASP.NET](cache-web-app-howto.md), [Java](cache-java-get-started.md), [Node.js](cache-nodejs-get-started.md), and [Python](cache-python-get-started.md). * You can watch [How to Build High-Performance Apps Using Microsoft Azure Cache for Redis](https://azure.microsoft.com/documentation/videos/how-to-build-high-performance-apps-using-microsoft-azure-cache/).
-* You can check out the client documentation for the clients that match the development language of your project to see how to use Redis. There are many Redis clients that can be used with Azure Cache for Redis. For a list of Redis clients, see [https://redis.io/clients](https://redis.io/clients).
+* You can check out the client documentation for the example clients that match the development language you use in your project. There are many Redis clients that can be used with Azure Cache for Redis. For a list of Redis clients, see [https://redis.io/clients](https://redis.io/clients).
If you don't already have an Azure account, you can:
If you don't already have an Azure account, you can:
* [Activate Visual Studio subscriber benefits](https://azure.microsoft.com/pricing/member-offers/msdn-benefits-details/?WT.mc_id=redis_cache_hero). Your MSDN subscription gives you credits every month that you can use for paid Azure services. ### What do the StackExchange.Redis configuration options do?+ StackExchange.Redis has many options. This section talks about some of the common settings. For more detailed information about StackExchange.Redis options, see [StackExchange.Redis configuration](https://stackexchange.github.io/StackExchange.Redis/Configuration). | ConfigurationOptions | Description | Recommendation | | | | |
-| AbortOnConnectFail |When set to true, the connection will not reconnect after a network failure. |Set to false and let StackExchange.Redis reconnect automatically. |
+| AbortOnConnectFail |When set to true, the connection can't reconnect after a network failure. |Set to false and let StackExchange.Redis reconnect automatically. |
| ConnectRetry |The number of times to repeat connection attempts during initial connect. |See the following notes for guidance. | | ConnectTimeout |Timeout in ms for connect operations. |See the following notes for guidance. | Usually the default values of the client are sufficient. You can fine-tune the options based on your workload. * **Retries**
- * For ConnectRetry and ConnectTimeout, the general guidance is to fail fast and retry again. This guidance is based on your workload and how much time on average it takes for your client to issue a Redis command and receive a response.
+ * For ConnectRetry and ConnectTimeout, the general guidance is to fail fast and retry again. This guidance is based on your workload and how much timeon averageit takes for your client to issue a Redis command and receive a response.
* Let StackExchange.Redis automatically reconnect instead of checking connection status and reconnecting yourself. **Avoid using the ConnectionMultiplexer.IsConnected property**.
- * Snowballing - sometimes you may run into an issue where you are retrying and the retries snowball and never recovers. If snowballing occurs, you should consider using an exponential backoff retry algorithm as described in [Retry general guidance](/azure/architecture/best-practices/transient-faults) published by the Microsoft Patterns & Practices group.
+ * Snowballing - you might run into an issue where you're retrying and the retries snowball and never recover. If snowballing occurs, consider using an exponential backoff retry algorithm as described in [Retry general guidance](/azure/architecture/best-practices/transient-faults) published by the Microsoft Patterns & Practices group.
* **Timeout values**
- * Consider your workload and set the values accordingly. If you are storing large values, set the timeout to a higher value.
+ * Consider your workload and set the values to match. If you're storing large values, set the timeout to a higher value.
* Set `AbortOnConnectFail` to false and let StackExchange.Redis reconnect for you. * Use a single ConnectionMultiplexer instance for the application. You can use a LazyConnection to create a single instance that is returned by a Connection property, as shown in [Connect to the cache using the ConnectionMultiplexer class](cache-dotnet-how-to-use-azure-redis-cache.md#connect-to-the-cache). * Set the `ConnectionMultiplexer.ClientName` property to an app instance unique name for diagnostic purposes.
Usually the default values of the client are sufficient. You can fine-tune the o
* This guidance may lead to more streamlined latency per `ConnectionMultiplexer`. ### What Azure Cache for Redis clients can I use?
-One of the great things about Redis is that there are many clients supporting many different development languages. For a current list of clients, see [Redis clients](https://redis.io/clients). For tutorials that cover several different languages and clients, see [How to use Azure Cache for Redis](cache-dotnet-how-to-use-azure-redis-cache.md) and it's sibling articles in the table of contents.
+
+One of the great things about Redis is that there are many clients supporting many different development languages. For a current list of clients, see [Redis clients](https://redis.io/clients). For tutorials that cover several different languages and clients, see [How to use Azure Cache for Redis](cache-dotnet-how-to-use-azure-redis-cache.md).
[!INCLUDE [redis-cache-create](../../includes/redis-cache-access-keys.md)] ### Is there a local emulator for Azure Cache for Redis?
-There is no local emulator for Azure Cache for Redis, but you can run the MSOpenTech version of redis-server.exe from the [Redis command-line tools](https://github.com/MSOpenTech/redis/releases/) on your local machine and connect to it to get a similar experience to a local cache emulator, as shown in the following example:
+
+There's no local emulator for Azure Cache for Redis. You can run the MSOpenTech version of redis-server.exe from the [Redis command-line tools](https://github.com/MSOpenTech/redis/releases/) on your local machine. Then, connect to it to get a similar experience to a local cache emulator, as shown in the following example:
```csharp private static Lazy<ConnectionMultiplexer>
public static ConnectionMultiplexer Connection
} ```
-You can optionally configure a [redis.conf](https://redis.io/topics/config) file to more closely match the [default cache settings](cache-configure.md#default-redis-server-configuration) for your online Azure Cache for Redis if desired.
+You can optionally configure a [redis.conf](https://redis.io/topics/config) file to more closely match the [default cache settings](cache-configure.md#default-redis-server-configuration) for your online Azure Cache for Redis if you want.
### How can I run Redis commands?+ You can use any of the commands listed at [Redis commands](https://redis.io/commands#) except for the commands listed at [Redis commands not supported in Azure Cache for Redis](cache-configure.md#redis-commands-not-supported-in-azure-cache-for-redis). You have several options to run Redis commands. * If you have a Standard or Premium cache, you can run Redis commands using the [Redis Console](cache-configure.md#redis-console). The Redis console provides a secure way to run Redis commands in the Azure portal.
-* You can also use the Redis command-line tools. To use them, perform the following steps:
+* You can also use the Redis command-line tools. To use them, do the following steps:
* Download the [Redis command-line tools](https://github.com/MSOpenTech/redis/releases/). * Connect to the cache using `redis-cli.exe`. Pass in the cache endpoint using the -h switch and the key using -a as shown in the following example: * `redis-cli -h <Azure Cache for Redis name>.redis.cache.windows.net -a <key>`
You can use any of the commands listed at [Redis commands](https://redis.io/comm
> ### Why doesn't Azure Cache for Redis have an MSDN class library reference?+ Microsoft Azure Cache for Redis is based on the popular open-source in-memory data store, Redis. It can be accessed by a wide variety of [Redis clients](https://redis.io/clients) for many programming languages. Each client has its own API that makes calls to the Azure Cache for Redis instance using [Redis commands](https://redis.io/commands).
-Because each client is different, there is not one centralized class reference on MSDN, and each client maintains its own reference documentation. In addition to the reference documentation, there are several tutorials showing how to get started with Azure Cache for Redis using different languages and cache clients. To access these tutorials, see [How to use Azure Cache for Redis](cache-dotnet-how-to-use-azure-redis-cache.md) and it's sibling articles in the table of contents.
+Because each client is different, you can't find one centralized class reference on MSDN. Each client maintains its own reference documentation. Besides the reference documentation, there are several tutorials showing how to get started with Azure Cache for Redis using different languages and cache clients. To access these tutorials, see [How to use Azure Cache for Redis](cache-dotnet-how-to-use-azure-redis-cache.md) and it's sibling articles in the table of contents.
### Can I use Azure Cache for Redis as a PHP session cache?+ Yes, to use Azure Cache for Redis as a PHP session cache, specify the connection string to your Azure Cache for Redis instance in `session.save_path`. > [!IMPORTANT]
For more information about using Azure Cache for Redis as a PHP session cache wi
### What are Redis databases?
-Redis Databases are just a logical separation of data within the same Redis instance. The cache memory is shared between all the databases and actual memory consumption of a given database depends on the keys/values stored in that database. For example, a C6 cache has 53 GB of memory, and a P5 has 120 GB. You can choose to put all 53 GB / 120 GB into one database or you can split it up between multiple databases.
+Redis Databases are just a logical separation of data within the same Redis instance. The cache memory is shared between all the databases and actual memory consumption of a given database depends on the keys/values stored in that database. For example, a C6 cache has 53 GB of memory, and a P5 has 120 GB. You can choose to put all 53 GB / 120 GB into one database or you can split it up between multiple databases.
> [!NOTE] > When using a Premium Azure Cache for Redis with clustering enabled, only database 0 is available. This limitation is an intrinsic Redis limitation and is not specific to Azure Cache for Redis. For more information, see [Do I need to make any changes to my client application to use clustering?](cache-how-to-premium-clustering.md#do-i-need-to-make-any-changes-to-my-client-application-to-use-clustering).
->
->
+>
+>
## Next steps
-Learn about other [Azure Cache for Redis FAQs](cache-faq.md).
+Learn about other [Azure Cache for Redis FAQs](cache-faq.md).
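Review bot: The `+` line for ConnectRetry and ConnectTimeout introduces a typo, "how much timeon averageit takes"; the separators around "on average" were lost, so it should read "how much time, on average, it takes". Two smaller points in the same hunk: the MSDN class library answer still says "it's sibling articles", which should be "its" (the same phrase was correctly removed from the clients answer above it); and the unchanged redis-cli example passes the access key with `-a` on the command line, which leaves the key in shell history and visible in the process list, so a one-line caution to run `AUTH` inside the session instead would be useful next to it.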
azure-cache-for-redis Cache Failover https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-cache-for-redis/cache-failover.md
Last updated 10/18/2019
# Failover and patching for Azure Cache for Redis
-To build resilient and successful client applications, it's critical to understand failover in the context of the Azure Cache for Redis service. A failover can be a part of planned management operations, or might be caused by unplanned hardware or network failures. A common use of cache failover comes when the management service patches the Azure Cache for Redis binaries. This article covers what a failover is, how it occurs during patching, and how to build a resilient client application.
+To build resilient and successful client applications, it's critical to understand failover in the Azure Cache for Redis service. A failover can be a part of planned management operations, or it might be caused by unplanned hardware or network failures. A common use of cache failover comes when the management service patches the Azure Cache for Redis binaries.
+
+In this article, you find this information:
+
+- What is a failover.
+- How failover occurs during patching.
+- How to build a resilient client application.
## What is a failover?
Let's start with an overview of failover for Azure Cache for Redis.
### A quick summary of cache architecture
-A cache is constructed of multiple virtual machines with separate, private IP addresses. Each virtual machine, also known as a node, is connected to a shared load balancer with a single virtual IP address. Each node runs the Redis server process and is accessible by means of the host name and the Redis ports. Each node is considered either a primary or a replica node. When a client application connects to a cache, its traffic goes through this load balancer and is automatically routed to the primary node.
+A cache is constructed of multiple virtual machines with separate, private IP addresses. Each virtual machine, also known as a node, is connected to a shared load balancer with a single virtual IP address. Each node runs the Redis server process and is accessible with using the host name and the Redis ports. Each node is considered either a primary or a replica node. When a client application connects to a cache, its traffic goes through this load balancer and is automatically routed to the primary node.
In a Basic cache, the single node is always a primary. In a Standard or Premium cache, there are two nodes: one is chosen as the primary and the other is the replica. Because Standard and Premium caches have multiple nodes, one node might be unavailable while the other continues to process requests. Clustered caches are made of many shards, each with distinct primary and replica nodes. One shard might be down while the others remain available.
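Review bot: the rewritten sentence "Each node runs the Redis server process and is accessible with using the host name and the Redis ports" introduces a grammar error; the removed "by means of" was correct, or use "accessible by using the host name and the Redis ports". In the new bullet list, "What is a failover." is a question ended with a period; "What a failover is." matches the other two items, and "In this article, you find this information:" reads more naturally as "This article covers:".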
In a Basic cache, the single node is always a primary. In a Standard or Premium
A failover occurs when a replica node promotes itself to become a primary node, and the old primary node closes existing connections. After the primary node comes back up, it notices the change in roles and demotes itself to become a replica. It then connects to the new primary and synchronizes data. A failover might be planned or unplanned.
-A *planned failover* takes place during system updates, such as Redis patching or OS upgrades, and management operations, such as scaling and rebooting. Because the nodes receive advance notice of the update, they can cooperatively swap roles and quickly update the load balancer of the change. A planned failover typically finishes in less than 1 second.
+A *planned failover* takes place during two different times:
+
+- System updates, such as Redis patching or OS upgrades.
+- Management operations, such as scaling and rebooting.
+
+Because the nodes receive advance notice of the update, they can cooperatively swap roles and quickly update the load balancer of the change. A planned failover typically finishes in less than 1 second.
-An *unplanned failover* might happen because of hardware failure, network failure, or other unexpected outages to the primary node. The replica node promotes itself to primary, but the process takes longer. A replica node must first detect that its primary node is not available before it can initiate the failover process. The replica node must also verify that this unplanned failure is not transient or local, to avoid an unnecessary failover. This delay in detection means that an unplanned failover typically finishes within 10 to 15 seconds.
+An *unplanned failover* might happen because of hardware failure, network failure, or other unexpected outages to the primary node. The replica node promotes itself to primary, but the process takes longer. A replica node must first detect its primary node isn't available before it can start the failover process. The replica node must also verify this unplanned failure isn't transient or local, to avoid an unnecessary failover. This delay in detection means an unplanned failover typically finishes within 10 to 15 seconds.
## How does patching occur?
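Review bot: "A *planned failover* takes place during two different times:" is awkward, since the bullets that follow name categories of operations, not times; suggest "A *planned failover* happens in two situations:". The rewrite keeps the timing claims unchanged (under 1 second planned, 10 to 15 seconds unplanned), which matters because client retry and time-out budgets are tuned against those numbers.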
The Azure Cache for Redis service regularly updates your cache with the latest p
1. The replica node connects to the primary node and synchronizes data. 1. When the data sync is complete, the patching process repeats for the remaining nodes.
-Because patching is a planned failover, the replica node quickly promotes itself to become a primary and begins servicing requests and new connections. Basic caches don't have a replica node and are unavailable until the update is complete. Each shard of a clustered cache is patched separately and won't close connections to another shard.
+Because patching is a planned failover, the replica node quickly promotes itself to become a primary. Then, the node begins servicing requests and new connections. Basic caches don't have a replica node and are unavailable until the update is complete. Each shard of a clustered cache is patched separately and won't close connections to another shard.
> [!IMPORTANT] > Nodes are patched one at a time to prevent data loss. Basic caches will have data loss. Clustered caches are patched one shard at a time.
Because full data synchronization happens before the process repeats, data loss
## Additional cache load
-Whenever a failover occurs, the Standard and Premium caches need to replicate data from one node to the other. This replication causes some load increase in both server memory and CPU. If the cache instance is already heavily loaded, client applications might experience increased latency. In extreme cases, client applications might receive time-out exceptions. To help mitigate the impact of this additional load, [configure](cache-configure.md#memory-policies) the cache's `maxmemory-reserved` setting.
+Whenever a failover occurs, the Standard and Premium caches need to replicate data from one node to the other. This replication causes some load increase in both server memory and CPU. If the cache instance is already heavily loaded, client applications might experience increased latency. In extreme cases, client applications might receive time-out exceptions. To help mitigate the effect of more load, [configure](cache-configure.md#memory-policies) the cache's `maxmemory-reserved` setting.
## How does a failover affect my client application?
-The number of errors seen by the client application depends on how many operations were pending on that connection at the time of the failover. Any connection that's routed through the node that closed its connections will see errors. Many client libraries can throw different types of errors when connections break, including time-out exceptions, connection exceptions, or socket exceptions. The number and type of exceptions depends on where in the code path the request is when the cache closes its connections. For instance, an operation that sends a request but hasn't received a response when the failover occurs might get a time-out exception. New requests on the closed connection object receive connection exceptions until the reconnection happens successfully.
+The number of errors seen by the client application depends on how many operations were pending, on that connection, at the time of the failover. Any connection that's routed through the node that closed its connections will see errors. Many client libraries can throw different types of errors when connections break, including time-out exceptions, connection exceptions, or socket exceptions. The number and type of exceptions depends on where in the code path the request is when the cache closes its connections. For instance, an operation that sends a request but hasn't received a response when the failover occurs might get a time-out exception. New requests on the closed connection object receive connection exceptions until the reconnection happens successfully.
Most client libraries attempt to reconnect to the cache if they're configured to do so. However, unforeseen bugs can occasionally place the library objects into an unrecoverable state. If errors persist for longer than a preconfigured amount of time, the connection object should be recreated. In Microsoft.NET and other object-oriented languages, recreating the connection without restarting the application can be accomplished by using [a Lazy\<T\> pattern](https://gist.github.com/JonCole/925630df72be1351b21440625ff2671f#reconnecting-with-lazyt-pattern).
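Review bot: the added commas in "how many operations were pending, on that connection, at the time of the failover" break the phrase; the removed "pending on that connection at the time of the failover" is correct. "To help mitigate the effect of more load" is also vaguer than the removed "the impact of this additional load"; keep a reference to the replication load described two sentences earlier so readers know which load `maxmemory-reserved` is meant to absorb.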
To test a client application's resiliency, use a [reboot](cache-administration.m
### Can I be notified in advance of a planned maintenance?
-Azure Cache for Redis now publishes notifications on a publish/subscribe channel called [AzureRedisEvents](https://github.com/Azure/AzureCacheForRedis/blob/main/AzureRedisEvents.md) around 30 seconds before planned updates. These are runtime notifications, and they're built especially for applications that can use circuit breakers to bypass the cache or buffer commands, for example, during planned updates. It's not a mechanism that can notify you days or hours in advance.
+Azure Cache for Redis now publishes notifications on a publish/subscribe channel called [AzureRedisEvents](https://github.com/Azure/AzureCacheForRedis/blob/main/AzureRedisEvents.md) around 30 seconds before planned updates. The notifications are runtime notifications. They're built especially for applications that can use circuit breakers to bypass the cache or buffer commands, for example, during planned updates. It's not a mechanism that can notify you days or hours in advance.
### Client network-configuration changes
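Review bot: "The notifications are runtime notifications." is circular; suggest "These notifications are sent at runtime, about 30 seconds ahead of the update," or keep the removed "These are runtime notifications". The sentence that AzureRedisEvents is not a mechanism for days or hours of advance notice is the important one and should stay as is, so nobody builds a maintenance-window process on this channel.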
Certain client-side network-configuration changes can trigger "No connection ava
- Swapping a client application's virtual IP address between staging and production slots. - Scaling the size or number of instances of your application.
-Such changes can cause a connectivity issue that lasts less than one minute. Your client application will probably lose its connection to other external network resources in addition to the Azure Cache for Redis service.
+Such changes can cause a connectivity issue that lasts less than one minute. Your client application will probably lose its connection to other external network resources, but also to the Azure Cache for Redis service.
## Next steps
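Review bot: "will probably lose its connection to other external network resources, but also to the Azure Cache for Redis service" is ungrammatical without a preceding "not only"; the removed "in addition to the Azure Cache for Redis service" was correct, or write "not only to the Azure Cache for Redis service but also to other external network resources".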
azure-cache-for-redis Cache Go Get Started https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-cache-for-redis/cache-go-get-started.md
Last updated 01/08/2021
# Quickstart: Use Azure Cache for Redis with Go
-In this article, you will learn how to build a REST API in Go that will store and retrieve user information backed by a [HASH](https://redis.io/topics/data-types-intro#redis-hashes) data structure in [Azure Cache for Redis](./cache-overview.md).
+In this article, you learn how to build a REST API in Go that stores and retrieves user information backed by a [HASH](https://redis.io/topics/data-types-intro#redis-hashes) data structure in [Azure Cache for Redis](./cache-overview.md).
## Skip to the code on GitHub
If you want to skip straight to the code, see the [Go quickstart](https://github
- An HTTP client such [curl](https://curl.se/) ## Create an Azure Cache for Redis instance+ [!INCLUDE [redis-cache-create](../../includes/redis-cache-create.md)] [!INCLUDE [redis-cache-create](../../includes/redis-cache-access-keys.md)]
func main() {
... ```
-Then, we establish connection with Azure Cache for Redis. Note that [tls.Config](https://golang.org/pkg/crypto/tls/#Config) is being used - Azure Cache for Redis only accepts secure connections with [TLS 1.2 as the minimum required version](cache-remove-tls-10-11.md).
+Then, we establish connection with Azure Cache for Redis. We use [tls.Config](https://golang.org/pkg/crypto/tls/#Config)--Azure Cache for Redis only accepts secure connections with [TLS 1.2 as the minimum required version](cache-remove-tls-10-11.md).
```go ...
client := redis.NewClient(op)
ctx := context.Background() err := client.Ping(ctx).Err() if err != nil {
- log.Fatalf("failed to connect with redis instance at %s - %v", redisHost, err)
+ log.Fatalf("failed to connect with redis instance at %s - %v", redisHost, err)
} ... ```
-If the connection is successful, [HTTP handlers](https://golang.org/pkg/net/http/#HandleFunc) are configured to handle `POST` and `GET` operations and the HTTP server is started.
+If the connection is successful, [HTTP handlers](https://golang.org/pkg/net/http/#HandleFunc) are configured to handle `POST` and `GET` operations and the HTTP server is started.
-> [!NOTE]
+> [!NOTE]
> [gorilla mux library](https://github.com/gorilla/mux) is used for routing (although it's not strictly necessary and we could have gotten away by using the standard library for this sample application). >
router.HandleFunc("/users/{userid}", uh.getUser).Methods(http.MethodGet)
log.Fatal(http.ListenAndServe(":8080", router)) ```
-`userHandler` struct encapsulates a [redis.Client](https://pkg.go.dev/github.com/go-redis/redis/v8#Client), which is used by the `createUser`, `getUser` methods - code for these methods has not been included for the sake of brevity.
+`userHandler` struct encapsulates a [redis.Client](https://pkg.go.dev/github.com/go-redis/redis/v8#Client), which is used by the `createUser`, `getUser` methods - code for these methods isn't included for brevity.
- `createUser`: accepts a JSON payload (containing user information) and saves it as a `HASH` in Azure Cache for Redis. - `getUser`: fetches user info from `HASH` or returns an HTTP `404` response if not found. ```go type userHandler struct {
- client *redis.Client
+ client *redis.Client
} ...
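Review bot: the rewritten sentence "We use [tls.Config](...)--Azure Cache for Redis only accepts secure connections" uses a double hyphen where a sentence break belongs; two hyphens do not render as a dash in this Markdown pipeline. Suggest "We use a tls.Config because Azure Cache for Redis only accepts secure connections with TLS 1.2 as the minimum required version." The remaining pairs in this hunk (the `log.Fatalf` line, the "If the connection is successful" paragraph, the `[!NOTE]` line and the `client *redis.Client` field) are whitespace-only and should be called out as such in the commit message.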
Start by cloning the application from GitHub.
md "C:\git-samples" ```
-1. Open a git terminal window, such as git bash. Use the `cd` command to change into the new folder where you will be cloning the sample app.
+1. Open a git terminal window, such as git bash. Use the `cd` command to change to the new folder where you want to clone the sample app.
```bash cd "C:\git-samples"
Start by cloning the application from GitHub.
## Run the application
-The application accepts connectivity and credentials in the form of environment variables.
+The application accepts connectivity and credentials in the form of environment variables.
1. Fetch the **Host name** and **Access Keys** (available via Access Keys) for Azure Cache for Redis instance in the [Azure portal](https://portal.azure.com/)
The HTTP server will start on port `8080`.
``` You should get JSON response as such:
-
+ ```json { "email": "foo1@bar",
The HTTP server will start on port `8080`.
} ```
-1. If you try to fetch a user that does not exist, you will get an HTTP `404`. For example:
+1. If you try to fetch a user who doesn't exist, you get an HTTP `404`. For example:
```bash curl -i localhost:8080/users/100
The HTTP server will start on port `8080`.
If you're finished with the Azure resource group and resources you created in this quickstart, you can delete them to avoid charges. > [!IMPORTANT]
-> Deleting a resource group is irreversible, and the resource group and all the resources in it are permanently deleted. If you created your Azure Cache for Redis instance in an existing resource group that you want to keep, you can delete just the cache by selecting **Delete** from the cache **Overview** page.
+> Deleting a resource group is irreversible, and the resource group and all the resources in it are permanently deleted. If you created your Azure Cache for Redis instance in an existing resource group that you want to keep, you can delete just the cache by selecting **Delete** from the cache **Overview** page.
To delete the resource group and its Redis Cache for Azure instance: 1. From the [Azure portal](https://portal.azure.com), search for and select **Resource groups**.
-1. In the **Filter by name** text box, enter the name of the resource group that contains your cache instance, and then select it from the search results.
+1. In the **Filter by name** text box, enter the name of the resource group that contains your cache instance, and then select it from the search results.
1. On your resource group page, select **Delete resource group**. 1. Type the resource group name, and then select **Delete**.
-
+ ![Delete your resource group for Azure Cache for Redis](./media/cache-python-get-started/delete-your-resource-group-for-azure-cache-for-redis.png) ## Next steps
-In this quickstart, you learned how to get started using Go with Azure Cache for Redis. You configured and ran a simple REST API based application to create and get user information backed by a Redis `HASH` data structure.
+In this quickstart, you learned how to get started using Go with Azure Cache for Redis. You configured and ran a simple REST API-based application to create and get user information backed by a Redis `HASH` data structure.
> [!div class="nextstepaction"] > [Create a simple ASP.NET web app that uses an Azure Cache for Redis.](./cache-web-app-howto.md)
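Review bot: the image added in the clean-up step points at `./media/cache-python-get-started/...`, a different quickstart's media folder; copy the image into this article's own media folder so that renaming or removing the Python quickstart does not break this page. In the unchanged context just above, "its Redis Cache for Azure instance" should be "its Azure Cache for Redis instance" to match the product name used everywhere else on the page. The other pairs in this hunk ("Deleting a resource group is irreversible", "In the **Filter by name** text box") are whitespace-only.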
azure-cache-for-redis Cache How To Geo Replication https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-cache-for-redis/cache-how-to-geo-replication.md
Yes, geo-replication of caches in VNETs is supported with caveats:
- If the VNETs are in the same region, you can connect them using [VNET peering](../virtual-network/virtual-network-peering-overview.md) or a [VPN Gateway VNET-to-VNET connection](../vpn-gateway/vpn-gateway-howto-vnet-vnet-resource-manager-portal.md). - If the VNETs are in different regions, geo-replication using VNET peering is supported, but a client VM in VNET 1 (region 1) will not be able to access the cache in VNET 2 (region 2) via it's DNS name because of a constraint with Basic internal load balancers. For more information about VNET peering constraints, see [Virtual Network - Peering - Requirements and constraints](../virtual-network/virtual-network-manage-peering.md#requirements-and-constraints). The recommended solution is to use a VPN Gateway VNET-to-VNET connection.
-Using [this Azure template](https://azure.microsoft.com/resources/templates/201-redis-vnet-geo-replication/), you can quickly deploy two geo-replicated caches into a VNET connected with a VPN Gateway VNET-to-VNET connection.
+Using [this Azure template](https://azure.microsoft.com/resources/templates/redis-vnet-geo-replication/), you can quickly deploy two geo-replicated caches into a VNET connected with a VPN Gateway VNET-to-VNET connection.
### What is the replication schedule for Redis geo-replication?
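Review bot: the template link is updated, but the unchanged context bullet right above still reads "via it's DNS name"; "its" is the possessive. Since that bullet is the one explaining the cross-region VNET peering constraint, it is worth fixing in the same change.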
azure-cache-for-redis Cache Redis Cache Arm Provision https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-cache-for-redis/cache-redis-cache-arm-provision.md
If your environment meets the prerequisites and you're familiar with using ARM t
## Review the template
-The template used in this quickstart is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/101-redis-cache/).
+The template used in this quickstart is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/redis-cache/).
:::code language="json" source="~/quickstart-templates/quickstarts/microsoft.cache/redis-cache/azuredeploy.json":::
The following resources are defined in the template:
Resource Manager templates for the new [Premium tier](cache-overview.md#service-tiers) are also available.
-* [Create a Premium Azure Cache for Redis with clustering](https://azure.microsoft.com/resources/templates/201-redis-premium-cluster-diagnostics/)
-* [Create Premium Azure Cache for Redis with data persistence](https://azure.microsoft.com/resources/templates/201-redis-premium-persistence/)
-* [Create Premium Redis Cache deployed into a Virtual Network](https://azure.microsoft.com/resources/templates/201-redis-premium-vnet/)
+* [Create a Premium Azure Cache for Redis with clustering](https://azure.microsoft.com/resources/templates/redis-premium-cluster-diagnostics/)
+* [Create Premium Azure Cache for Redis with data persistence](https://azure.microsoft.com/resources/templates/redis-premium-persistence/)
+* [Create Premium Redis Cache deployed into a Virtual Network](https://azure.microsoft.com/resources/templates/redis-premium-vnet/)
To check for the latest templates, see [Azure Quickstart Templates](https://azure.microsoft.com/documentation/templates/) and search for _Azure Cache for Redis_.
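Review bot: the three template bullets name the product three different ways ("a Premium Azure Cache for Redis", "Premium Azure Cache for Redis", "Premium Redis Cache"); use "Azure Cache for Redis" in all three now that the links are being touched. Dropping the "101-" and "201-" prefixes matches the change in "Review the template" above, so the bullets stay consistent with it.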
azure-functions Functions Create First Function Resource Manager https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/functions-create-first-function-resource-manager.md
After you've created your project locally, you create the resources required to
## Review the template
-The template used in this quickstart is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/101-function-app-create-dynamic/).
+The template used in this quickstart is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/function-app-create-dynamic/).
:::code language="json" source="~/quickstart-templates/quickstarts/microsoft.web/function-app-create-dynamic/azuredeploy.json":::
azure-government Secure Azure Computing Architecture https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-government/compliance/secure-azure-computing-architecture.md
U.S. Department of Defense (DoD) customers who deploy workloads to Azure have asked for guidance to set up secure virtual networks and configure the security tools and services that are stipulated by DoD standards and practice.
-The Defense Information System Agency (DISA) published the [Secure Cloud Computing Architecture (SCCA) Functional Requirements Document (FRD)](https://dl.dod.cyber.mil/wp-content/uploads/cloud/pdf/SCCA_FRD_v2-9.pdf) in 2017. SCCA describes the functional objectives for securing the Defense Information System NetworkΓÇÖs (DISN) and commercial cloud provider connection points. SCCA also describes how mission owners secure cloud applications at the connection boundary. Every DoD entity that connects to the commercial cloud must follow the guidelines set forth in the SCCA FRD.
+The Defense Information System Agency (DISA) published the [Secure Cloud Computing Architecture (SCCA) Functional Requirements Document (FRD)](https://rmf.org/wp-content/uploads/2018/05/SCCA_FRD_v2-9.pdf) in 2017. SCCA describes the functional objectives for securing the Defense Information System NetworkΓÇÖs (DISN) and commercial cloud provider connection points. SCCA also describes how mission owners secure cloud applications at the connection boundary. Every DoD entity that connects to the commercial cloud must follow the guidelines set forth in the SCCA FRD.
The SCCA has four components:
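Review bot: the SCCA FRD link moves from dl.dod.cyber.mil to rmf.org, a third-party site, for a document the paragraph says every DoD entity must follow. If the DoD-hosted copy is gone, say so and prefer an official DISA or dod.cyber.mil location; otherwise readers cannot tell whether the rmf.org PDF is the current v2-9 or an unofficial mirror. If the "NetworkΓÇÖs" sequence visible here is in the source file rather than an artifact of this listing, it is a UTF-8 apostrophe read in the wrong code page and should be fixed in the same edit.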
SCCA guidance and architectures are specific to DoD customers, but they also hel
### BCAP
-The purpose of the BCAP is to protect the DISN from attacks that originate in the cloud environment. BCAP performs intrusion detection and prevention. it also filters out unauthorized traffic. This component can be co-located with other components of the SCCA. We recommend that you deploy this component by using physical hardware. BCAP security requirements are listed in the following table.
+The purpose of the BCAP is to protect the DISN from attacks that originate in the cloud environment. BCAP performs intrusion detection and prevention. it also filters out unauthorized traffic. This component can be colocated with other components of the SCCA. We recommend that you deploy this component by using physical hardware. BCAP security requirements are listed in the following table.
#### BCAP security requirements
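Review bot: the lowercase "it also filters out unauthorized traffic." after a full stop survives from the removed line into the added one; capitalize "It" while the sentence is being edited for "colocated".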
This individual is appointed by the authorizing official. The BCAP, VDSS, and VD
## SACA components and planning considerations
-The SACA reference architecture is designed to deploy the VDSS and VDMS components in Azure and to enable the TCCM. This architecture is modular. All of the pieces of VDSS and VDMS can live in a centralized hub. Some of the controls can be met in the mission-owner space or even on-premises. Microsoft recommends that you co-locate the VDSS and VDMS components into a central virtual network that all mission owners can connect through. The following diagram shows this architecture:
-
+The SACA reference architecture is designed to deploy the VDSS and VDMS components in Azure and to enable the TCCM. This architecture is modular. All the pieces of VDSS and VDMS can live in a centralized hub or in multiple virtual networks. Some of the controls can be met in the mission-owner space or even on-premises. The following diagram shows this architecture:
![Architecture diagram that shows the VDSS and VDMS components co-located into a central virtual network.](media/sacav2generic.png) When you plan your SCCA compliancy strategy and technical architecture, consider the following topics from the beginning because they affect every customer. The following issues have come up with DoD customers and tend to slow down planning and execution. #### Which BCAP will your organization use?+ - DISA BCAP: - DISA has two Gen 2 BCAPs that they currently operate and maintain, with three new Gen 3 BCAPs coming online soon. - DISAΓÇÖs BCAPs all have Azure ExpressRoute circuits to Azure, which can be used by Government and DoD customers for connectivity. - DISA has an enterprise-level Microsoft peering session for customers who want to subscribe to Microsoft software as a service (SaaS) tools, such as Microsoft 365. By using the DISA BCAP, you can enable connectivity and peering to your SACA instance. - We recommend that you use the DISA BCAP. This option is readily available, has built-in redundancy, and has customers that operate on it today in production. - Build your own BCAP:
- - This option requires you to lease space in a co-located data center and set up an ExpressRoute circuit to Azure.
+ - This option requires you to lease space in a colocated data center and set up an ExpressRoute circuit to Azure.
- This option requires additional approval from the DoD CIO. - Because of the additional approval and a physical build-out, this option takes the most time, and is difficult to attain. - DoD routable IP space:
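Review bot: the rewritten paragraph now says the VDSS and VDMS pieces can live "in a centralized hub or in multiple virtual networks" and drops the recommendation to co-locate them, but the unchanged image alt text still says the components are "co-located into a central virtual network". Update the alt text (and confirm the diagram itself) to match, or screen-reader users get the old guidance.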
When you plan your SCCA compliancy strategy and technical architecture, consider
- SACA is a modular architecture: - Use only the components you need for your environment. - Deploy network virtual appliances in a single tier or multi-tier.
- - Use integrated IPS or bring-your-own IPS.
+ - Use cloud-native IPS or bring-your-own IPS.
+
+#### Which automated solution will you use to deploy VDSS?
-#### Which network virtual appliance vendor will you use for VDSS?
-As mentioned earlier, you can build this SACA reference by using a variety of appliances and Azure services. Microsoft has automated solution templates to deploy the SACA architecture with Palo Alto Networks, F5, and Citrix. These solutions are covered in the following section.
+As mentioned earlier, you can build this SACA reference by using a variety of appliances and Azure services. Microsoft has automated solution templates to deploy the SACA architecture with native services or by partners like Palo Alto Networks, F5, and Citrix. These solutions are covered in the following section.
#### Which Azure services will you use?+ - There are Azure services that can meet requirements for log analytics, host-based protection, and IDS functionality. It's possible that some services arenΓÇÖt generally available in Microsoft Azure DoD regions. In this case, you might need to use third-party tools if these Azure services canΓÇÖt meet your requirements. Look at the tools you're comfortable with and the feasibility of using Azure native tooling. - We recommend that you use as many Azure native tools as possible. They're built with cloud security in mind and seamlessly integrate with the rest of the Azure platform. Use the Azure native tools in the following list to meet various requirements of SCCA:
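Review bot: "with native services or by partners like Palo Alto Networks, F5, and Citrix" mixes prepositions; suggest "with native Azure services or with partner appliances from Palo Alto Networks, F5, and Citrix". The heading change from "Which network virtual appliance vendor" to "Which automated solution" fits the new text, since the section no longer assumes a third-party appliance.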
As mentioned earlier, you can build this SACA reference by using a variety of ap
- [Azure Sentinel](../../sentinel/overview.md) - Sizing - A sizing exercise must be completed. Look at the number of concurrent connections you might have through the SACA instance and the network throughput requirements.
- - This step is critical. It helps to size the VMs, ExpresssRoute circuits, and identify the licenses that are required from the various vendors you use in your SACA deployment.
+ - This step is critical. It helps to size the VMs, ExpressRoute circuits, and identify the licenses that are required from the various vendors you use in your SACA deployment.
- A good cost analysis canΓÇÖt be done without this sizing exercise. Correct sizing also allows for best performance.
We recommend this architecture because it meets SCCA requirements. ItΓÇÖs highly
## Automated SACA deployment options
- As previously mentioned, Microsoft has partnered with vendors to create automated SACA infrastructure templates. These templates deploy the following Azure components:
+As previously mentioned, Microsoft has partnered with vendors to create automated SACA infrastructure templates. These templates deploy the following Azure components:
- SACA virtual network - VDMS subnet
- - This subnet is where VMs and services used for VDMS are deployed, including the jump box VMs.
- - Untrusted, trusted, and management subnets
- - These subnets are where virtual appliances are deployed.
+ - This subnet is where VMs and services used for VDMS are deployed, including the jump box VMs.
+ - Untrusted, trusted, management, or AzureFirewallSubnet subnets
+ - These subnets are where virtual appliances or Azure Firewall are deployed.
- Management jump box virtual machines - They're used for out-of-band management of the environment. - Network virtual appliances
+- Azure Bastion
+ - Bastion is used to securely connect to VMs over SSL
- Public IPs - They're used for the front end until ExpressRoute is brought online. These IPs translate to the back-end Azure private address space. - Route tables - Applied during automation, these route tables force tunnel all traffic through the virtual appliance via the internal load balancer. - Azure load balancers - Standard SKU
- - They're used to load balance traffic across the appliances.
+ - They're used to load-balance traffic across the third-party appliances.
- Network security groups - They're used to control which types of traffic can traverse to certain endpoints.
+### Azure SACA Deployment
+
+You can use the Mission Landing Zone deployment template to deploy into one or multiple subscriptions, depending on the requirements of your environment. It uses built-in Azure services that have no dependencies on third-party licenses. The template uses Azure Firewall and other security services to deploy an architecture that is SCCA-compliant.
+
+[ ![Diagram of the Mission Landing Zone SACA template.](media/mission-landing-zone.png) ](media/mission-landing-zone.png#lightbox)
+
+For the Azure documentation and deployment scripts, see [this GitHub link](https://github.com/Azure/missionlz).
++ ### Palo Alto Networks SACA deployment The Palo Alto Networks deployment template deploys one to many VM-Series appliances, as well as the VDMS staging and routing to enable a one-tier, VDSS-compliant architecture. This architecture meets the requirements of SCCA.
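Review bot: the new Azure Bastion bullet says "securely connect to VMs over SSL"; Bastion brokers RDP and SSH from the portal over TLS on port 443, so write "over TLS (HTTPS)" rather than "SSL", and end the bullet with a period like its siblings. The load balancer bullet now says "across the third-party appliances", yet the same hunk adds an AzureFirewallSubnet option and a native Mission Landing Zone deployment; say "across the network virtual appliances, when third-party appliances are deployed" so the Azure Firewall path is not described as load-balanced through an NVA. The extra "+" blank line appears here fused with "### Palo Alto Networks SACA deployment"; check that the Markdown has exactly one blank line between the new section's GitHub link and that heading.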
The Palo Alto Networks deployment template deploys one to many VM-Series applian
For the Palo Alto Networks documentation and deployment script, see [this GitHub link](https://github.com/PaloAltoNetworks/Palo-Azure-SACA).
- ### F5 SACA deployment
+### F5 Networks SACA deployment
-Two separate F5 deployment templates cover two different architectures. The first template has only one layer of F5 appliances in an active-active highly available configuration. This architecture meets the requirements for VDSS. The second template adds a second layer of active-active highly available F5s. This second layer allows customers to add their own IPS separate from F5 in between the F5 layers. Not all DoD components have specific IPS prescribed for use. If that's the case, the single layer of F5 appliances works for most because that architecture includes IPS on the F5 devices.
+Two separate F5 deployment templates cover two different architectures. The first template has only one layer of F5 appliances in an active-active highly available configuration. This architecture meets the requirements of SCCA. The second template adds a second layer of active-active highly available F5s. This second layer allows customers to add their own IPS separate from F5 in between the F5 layers. Not all DoD components have specific IPS prescribed for use. If that's the case, the single layer of F5 appliances works for most because that architecture includes IPS on the F5 devices.
![F5 SACA diagram](media/f5saca.png)
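Review bot: the compliance claim for the single-layer F5 template changes from `This architecture meets the requirements for VDSS.` to `This architecture meets the requirements of SCCA.`, which is a stronger statement (SCCA is the overall architecture, of which VDSS is one component), while the rest of the paragraph still explains that a separate IPS layer may be needed depending on the DoD component. Please confirm the single-layer template is meant to be called SCCA-compliant on its own; otherwise keep VDSS here and state SCCA for the two-layer variant so the paragraph does not contradict itself.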
azure-maps Creator Indoor Maps https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-maps/creator-indoor-maps.md
As you begin to develop solutions for indoor maps, you can discover ways to inte
The following example shows how to update a dataset, create a new tileset, and delete an old tileset: 1. Follow steps in the [Upload a Drawing package](#upload-a-drawing-package) and [Convert a Drawing package](#convert-a-drawing-package) sections to upload and convert the new Drawing package.
-2. Use the [Dataset Create API](/rest/api/maps/v2/dataset) to append the converted data to the existing dataset.
-3. Use the [Tileset Create API](/rest/api/maps/v2/tileset) to generate a new tileset out of the updated dataset.
+2. Use the [Dataset Create API](/rest/api/maps/v2/dataset/create) to append the converted data to the existing dataset.
+3. Use the [Tileset Create API](/rest/api/maps/v2/tileset/create) to generate a new tileset out of the updated dataset.
4. Save the new **tilesetId** for the next step. 5. To enable the visualization of the updated campus dataset, update the tileset identifier in your application. If the old tileset is no longer used, you can delete it.
azure-maps How To Create Template https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-maps/how-to-create-template.md
To complete this article:
## Review the template
-The template used in this quickstart is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/101-maps-create/).
+The template used in this quickstart is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/maps-create/).
:::code language="json" source="~/quickstart-templates/quickstarts/microsoft.maps/maps-create/azuredeploy.json":::
azure-maps Tutorial Creator Indoor Maps https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-maps/tutorial-creator-indoor-maps.md
To retrieve content metadata:
7. Select **Send**.
-8. In the response window, select the **Headers** tab. The metadata should like the following JSON fragment:
+8. In the response window, select the **Body** tab. The metadata should like the following JSON fragment:
```json {
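Review bot: the replaced step 8 still carries the original typo: `The metadata should like the following JSON fragment:` should read `The metadata should look like the following JSON fragment:`. Since the line is being edited anyway (Headers tab to Body tab), fix it in the same change.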
The following JSON fragment displays a sample conversion warning:
## Create a dataset
-A dataset is a collection of map features, such as buildings, levels, and rooms. To create a dataset, use the [Dataset Create API](/rest/api/maps/v2/dataset). The Dataset Create API takes the `conversionId` for the converted Drawing package and returns a `datasetId` of the created dataset.
+A dataset is a collection of map features, such as buildings, levels, and rooms. To create a dataset, use the [Dataset Create API](/rest/api/maps/v2/dataset/create). The Dataset Create API takes the `conversionId` for the converted Drawing package and returns a `datasetId` of the created dataset.
To create a dataset:
azure-monitor Java In Process Agent https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/app/java-in-process-agent.md
to enable this preview feature and auto-collect the telemetry emitted by these A
* [Communication Chat](/java/api/overview/azure/communication-chat-readme) 1.0.0+ * [Communication Common](/java/api/overview/azure/communication-common-readme) 1.0.0+ * [Communication Identity](/java/api/overview/azure/communication-identity-readme) 1.0.0+
+* [Communication Phone Numbers](/java/api/overview/azure/communication-phonenumbers-readme) 1.0.0+
* [Communication SMS](/java/api/overview/azure/communication-sms-readme) 1.0.0+ * [Cosmos DB](/java/api/overview/azure/cosmos-readme) 4.13.0+
+* [Digital Twins - Core](/java/api/overview/azure/digitaltwins-core-readme) 1.1.0+
* [Event Grid](/java/api/overview/azure/messaging-eventgrid-readme) 4.0.0+ * [Event Hubs](/java/api/overview/azure/messaging-eventhubs-readme) 5.6.0+ * [Event Hubs - Azure Blob Storage Checkpoint Store](/java/api/overview/azure/messaging-eventhubs-checkpointstore-blob-readme) 1.5.1+
to enable this preview feature and auto-collect the telemetry emitted by these A
* [Key Vault - Keys](/java/api/overview/azure/security-keyvault-keys-readme) 4.2.6+ * [Key Vault - Secrets](/java/api/overview/azure/security-keyvault-secrets-readme) 4.2.6+ * [Service Bus](/java/api/overview/azure/messaging-servicebus-readme) 7.1.0+
+* [Storage - Blobs](/java/api/overview/azure/storage-blob-readme) 12.11.0+
+* [Storage - Blobs Batch](/java/api/overview/azure/storage-blob-batch-readme) 12.9.0+
+* [Storage - Blobs Cryptography](/java/api/overview/azure/storage-blob-cryptography-readme) 12.11.0+
+* [Storage - Common](/java/api/overview/azure/storage-common-readme) 12.11.0+
+* [Storage - Files Data Lake](/java/api/overview/azure/storage-file-datalake-readme) 12.5.0+
+* [Storage - Files Shares](/java/api/overview/azure/storage-file-share-readme) 12.9.0+
+* [Storage - Queues](/java/api/overview/azure/storage-queue-readme) 12.9.0+
* [Text Analytics](/java/api/overview/azure/ai-textanalytics-readme) 5.0.4+ [//]: # "the above names and links scraped from https://azure.github.io/azure-sdk/releases/latest/java.html"
to enable this preview feature and auto-collect the telemetry emitted by these A
[//]: # " }" [//]: # " var version = versionBadge.textContent.trim()" [//]: # " var link = stableRow.querySelectorAll('a')[2].href"
-[//]: # " str += '* [' + name + '](' + link + ') ' + version"
+[//]: # " str += '* [' + name + '](' + link + ') ' + version + '\n'"
[//]: # "}" [//]: # "console.log(str)"
azure-monitor Java Standalone Telemetry Processors Examples https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/app/java-standalone-telemetry-processors-examples.md
# Telemetry processor examples - Azure Monitor Application Insights for Java This article provides examples of telemetry processors in Application Insights for Java. You'll find samples for include and exclude configurations. You'll also find samples for attribute processors and span processors.
-## Include and exclude samples
+## Include and exclude Span samples
In this section, you'll see how to include and exclude spans. You'll also see how to exclude multiple spans and apply selective processing. ### Include spans
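Review bot: the new heading `## Include and exclude Span samples` capitalises `Span` mid-heading, unlike the other sentence-case headings in the file (`## Attribute processor samples`, `## Log processor samples`); suggest `## Include and exclude span samples`. If the intent is to signal that these samples apply to spans only (the main article's hunk in this digest now says include/exclude criteria without `spanNames` also apply to logs), say so in the intro sentence rather than in the heading.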
This span doesn't match the exclude properties, and the processor actions are ap
This section demonstrates how to exclude spans for an attribute processor. Spans that match the properties aren't processed by this processor. A match requires the following conditions to be met:
-* An attribute (for example, `env` or `dev`) must exist in the span.
+* An attribute (for example, `env` with value `dev`) must exist in the span.
* The span must have an attribute that has key `test_request`. The following spans match the exclude properties, and the processor actions aren't applied.
These spans don't match the include properties, and processor actions aren't app
} } ```+ ## Attribute processor samples ### Insert
-The following sample inserts the new attribute `{"attribute1": "attributeValue1"}` into spans where the key `attribute1` doesn't exist.
+The following sample inserts the new attribute `{"attribute1": "attributeValue1"}` into spans and logs where the key `attribute1` doesn't exist.
```json {
The following sample inserts the new attribute `{"attribute1": "attributeValue1"
### Insert from another key
-The following sample uses the value from attribute `anotherkey` to insert the new attribute `{"newKey": "<value from attribute anotherkey>"}` into spans where the key `newKey` doesn't exist. If the attribute `anotherkey` doesn't exist, no new attribute is inserted into spans.
+The following sample uses the value from attribute `anotherkey` to insert the new attribute `{"newKey": "<value from attribute anotherkey>"}` into spans and logs where the key `newKey` doesn't exist. If the attribute `anotherkey` doesn't exist, no new attribute is inserted into spans and logs.
```json {
The following sample uses the value from attribute `anotherkey` to insert the ne
### Update
-The following sample updates the attribute to `{"db.secret": "redacted"}`. It updates the attribute `boo` by using the value from attribute `foo`. Spans that don't have the attribute `boo` don't change.
+The following sample updates the attribute to `{"db.secret": "redacted"}`. It updates the attribute `boo` by using the value from attribute `foo`. Spans and logs that don't have the attribute `boo` don't change.
```json {
The following sample shows how to change the span name to `{operation_website}`.
} } ```++
+## Log processor samples
+
+### Extract attributes from a log message body
+
+Let's assume the input log message body is `Starting PetClinicApplication on WorkLaptop with PID 27984 (C:\randompath\target\classes started by userx in C:\randompath)`. The following sample results in the output message body `Starting PetClinicApplication on WorkLaptop with PID {PIDVALUE} (C:\randompath\target\classes started by userx in C:\randompath)`. It adds the new attribute `PIDVALUE=27984` to the log.
+
+```json
+{
+ "connectionString": "InstrumentationKey=00000000-0000-0000-0000-000000000000",
+ "preview": {
+ "processors": [
+ {
+ "type": "log",
+ "body": {
+ "toAttributes": {
+ "rules": [
+ "^Starting PetClinicApplication on WorkLaptop with PID (?<PIDVALUE>\\d+) .*"
+ ]
+ }
+ }
+ }
+ ]
+ }
+}
+```
+
+### Masking sensitive data in log message
+
+The following sample shows how to mask sensitive data in a log message body using both log processor and attribute processor.
+Let's assume the input log message body is `User account with userId 123456xx failed to login`. The log processor updates output message body to `User account with userId {redactedUserId} failed to login` and the attribute processor deletes the new attribute `redactedUserId` which was adding in the previous step.
+```json
+{
+ "connectionString": "InstrumentationKey=00000000-0000-0000-0000-000000000000",
+ "preview": {
+ "processors": [
+ {
+ "type": "log",
+ "body": {
+ "toAttributes": {
+ "rules": [
+ "^User account with userId (?<redactedUserId>\\d+) .*"
+ ]
+ }
+ }
+ },
+ {
+ "type": "attribute",
+ "actions": [
+ {
+ "key": "redactedUserId",
+ "action": "delete"
+ }
+ ]
+ }
+ ]
+ }
+}
+```
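Review bot: the masking rule `^User account with userId (?<redactedUserId>\\d+) .*` does not match the stated input `User account with userId 123456xx failed to login`: `\\d+` consumes `123456` and the pattern then requires a space, but the next character is `x`, so no attribute is extracted and the body is left unchanged. Either make the sample id all digits or widen the group (for example `(?<redactedUserId>\\S+)`) so the documented output `User account with userId {redactedUserId} failed to login` is actually produced. The same hunk's prose also needs `which was adding in the previous step` changed to `which was added in the previous step`, `updates output message body` to `updates the output message body`, and the heading `### Masking sensitive data in log message` aligned with the imperative style of `### Extract attributes from a log message body` (`### Mask sensitive data in a log message`). Worth adding one sentence that the attribute processor must come after the log processor in the `processors` array, since the extracted attribute only exists once the log processor has run; the sample has the right order but does not say that the order matters.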
azure-monitor Java Standalone Telemetry Processors https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/app/java-standalone-telemetry-processors.md
Here are some use cases for telemetry processors:
## Terminology
-Before you learn about telemetry processors, you should understand the term *span*. A span is a general term for:
+Before you learn about telemetry processors, you should understand the terms *span* and *log*.
+
+A span is a type of telemetry that represent one of:
* An incoming request. * An outgoing dependency (for example, a remote call to another service). * An in-process dependency (for example, work being done by subcomponents of the service).
-For telemetry processors, these span components are important:
+A log is a type of telemetry that represents:
+
+* log data captured from log4j, logback, and java.util.logging
+
+For telemetry processors, these span/log components are important:
* Name
+* Body
* Attributes The span name is the primary display for requests and dependencies in the Azure portal. Span attributes represent both standard and custom properties of a given request or dependency.
+The trace message or body is the primary display for logs in the Azure portal. Log attributes represent both standard and custom properties of a given log
+ ## Telemetry processor types
-Currently, the two types of telemetry processors are attribute processors and span processors.
+Currently, the three types of telemetry processors are attribute processors, span processors and log processors.
-An attribute processor can insert, update, delete, or hash attributes.
+An attribute processor can insert, update, delete, or hash attributes of a telemetry item (`span` or `log`).
It can also use a regular expression to extract one or more new attributes from an existing attribute.
-A span processor can update the telemetry name.
+A span processor can update the telemetry name of requests and dependencies.
It can also use a regular expression to extract one or more new attributes from the span name.
+A log processor can update the telemetry name of logs.
+It can also use a regular expression to extract one or more new attributes from the log name.
+ > [!NOTE] > Currently, telemetry processors process only attributes of type string. They don't process attributes of type Boolean or number.
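Review bot: the description of the log processor in this hunk, `A log processor can update the telemetry name of logs.` and `It can also use a regular expression to extract one or more new attributes from the log name.`, contradicts the terminology introduced just above: logs are described by body and attributes (the new `* Body` bullet), and the `## Log processor` section added later in this same change operates on the log message body, not on a name. Suggest `A log processor can update the log message body.` and `extract one or more new attributes from the log message body`. Smaller fixes in the same hunk: `A span is a type of telemetry that represent one of:` needs `represents`; the single-item bullet `* log data captured from log4j, logback, and java.util.logging` reads better folded into the sentence (`A log is telemetry captured from log4j, logback, and java.util.logging.`); `of a given log` at the end of the added sentence is missing its period; and `span processors and log processors` should take the serial comma used elsewhere in the article.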
To begin, create a configuration file named *applicationinsights.json*. Save it
{ "type": "span", ...
- }
- ]
- }
-}
-```
-
-## Include criteria and exclude criteria
-
-Both attribute processors and span processors support optional `include` and `exclude` criteria.
-A processor is applied only to spans that match its `include` criteria (if it's provided)
-_and_ don't match its `exclude` criteria (if it's provided).
-
-To configure this option, under `include` or `exclude` (or both), specify at least one `matchType` and either `spanNames` or `attributes`.
-The include-exclude configuration allows more than one specified condition.
-All specified conditions must evaluate to true to result in a match.
-
-* **Required field**: `matchType` controls how items in `spanNames` arrays and `attributes` arrays are interpreted. Possible values are `regexp` and `strict`.
-
-* **Optional fields**:
- * `spanNames` must match at least one of the items.
- * `attributes` specifies the list of attributes to match. All of these attributes must match exactly to result in a match.
-
-> [!NOTE]
-> If both `include` and `exclude` are specified, the `include` properties are checked before the `exclude` properties are checked.
-
-### Sample usage
-
-```json
-"processors": [
- {
- "type": "attribute",
- "include": {
- "matchType": "strict",
- "spanNames": [
- "spanA",
- "spanB"
- ]
- },
- "exclude": {
- "matchType": "strict",
- "attributes": [
- {
- "key": "redact_trace",
- "value": "false"
- }
- ]
- },
- "actions": [
- {
- "key": "credit_card",
- "action": "delete"
}, {
- "key": "duplicate_key",
- "action": "delete"
+ "type": "log",
+ ...
} ] }
-]
+}
```
-For more information, see [Telemetry processor examples](./java-standalone-telemetry-processors-examples.md).
## Attribute processor
-The attribute processor modifies attributes of a span. It can support the ability to include or exclude spans. It takes a list of actions that are performed in the order that the configuration file specifies. The processor supports these actions:
+The attribute processor modifies attributes of a `span` or a `log`. It can support the ability to include or exclude `span` or `log`. It takes a list of actions that are performed in the order that the configuration file specifies. The processor supports these actions:
- `insert` - `update` - `delete` - `hash` - `extract`+ ### `insert`
-The `insert` action inserts a new attribute in spans where the key doesn't already exist.
+The `insert` action inserts a new attribute in telemetry item where the `key` doesn't already exist.
```json "processors": [
The `insert` action requires the following settings:
### `update`
-The `update` action updates an attribute in spans where the key already exists.
+The `update` action updates an attribute in telemetry item where the `key` already exists.
```json "processors": [
The `update` action requires the following settings:
### `delete`
-The `delete` action deletes an attribute from a span.
+The `delete` action deletes an attribute from a telemetry item.
```json "processors": [
The `extract` action requires the following settings:
* `pattern` * `action`: `extract`
+### Include criteria and exclude criteria
+
+Attribute processors support optional `include` and `exclude` criteria.
+A attribute processor is applied only to telemetry that match its `include` criteria (if it's provided)
+_and_ don't match its `exclude` criteria (if it's provided).
+
+To configure this option, under `include` or `exclude` (or both), specify at least one `matchType` and either `spanNames` or `attributes`.
+The include-exclude configuration allows more than one specified condition.
+All specified conditions must evaluate to true to result in a match.
+
+* **Required field**: `matchType` controls how items in `spanNames` arrays and `attributes` arrays are interpreted. Possible values are `regexp` and `strict`.
+
+* **Optional fields**:
+ * `spanNames` must match at least one of the items.
+ * `attributes` specifies the list of attributes to match. All of these attributes must match exactly to result in a match.
+
+> [!NOTE]
+> If both `include` and `exclude` are specified, the `include` properties are checked before the `exclude` properties are checked.
+
+> [!NOTE]
+> If the `include` or `exclude` configuration donot have `spanNames` specified, then the matching criteria is applied on both `spans` and `logs`.
+
+### Sample usage
+
+```json
+"processors": [
+ {
+ "type": "attribute",
+ "include": {
+ "matchType": "strict",
+ "spanNames": [
+ "spanA",
+ "spanB"
+ ]
+ },
+ "exclude": {
+ "matchType": "strict",
+ "attributes": [
+ {
+ "key": "redact_trace",
+ "value": "false"
+ }
+ ]
+ },
+ "actions": [
+ {
+ "key": "credit_card",
+ "action": "delete"
+ },
+ {
+ "key": "duplicate_key",
+ "action": "delete"
+ }
+ ]
+ }
+]
+```
For more information, see [Telemetry processor examples](./java-standalone-telemetry-processors-examples.md). ## Span processor
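Review bot: the include/exclude section moved under the attribute processor now says that criteria without `spanNames` apply to both spans and logs, but it does not say what happens when `spanNames` is present on an attribute processor; presumably the processor then applies to spans only, and that should be stated explicitly next to the new note, since readers will otherwise expect an attribute processor with `spanNames` to keep acting on logs. Grammar in the same hunk: `A attribute processor is applied only to telemetry that match its` should be `An attribute processor is applied only to telemetry that matches its`; `If the include or exclude configuration donot have spanNames specified, then the matching criteria is applied on both spans and logs.` needs `do not` and `are applied to`, and `spans`/`logs` do not need code formatting there; `It can support the ability to include or exclude span or log.` reads better as `It supports include and exclude criteria for spans and logs.`; and `inserts a new attribute in telemetry item` / `updates an attribute in telemetry item` need the article `a telemetry item`.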
The values in the span name are replaced by extracted attribute names. Each rule
Here's how values are replaced by extracted attribute names: 1. The span name is checked against the regex.
-1. If the regex matches, all named subexpressions of the regex are extracted as attributes.
-1. The extracted attributes are added to the span.
-1. Each subexpression name becomes an attribute name.
-1. The subexpression matched portion becomes the attribute value.
-1. The matched portion in the span name is replaced by the extracted attribute name. If the attributes already exist in the span, they're overwritten.
+2. If the regex matches, all named subexpressions of the regex are extracted as attributes.
+3. The extracted attributes are added to the span.
+4. Each subexpression name becomes an attribute name.
+5. The subexpression matched portion becomes the attribute value.
+6. The matched portion in the span name is replaced by the extracted attribute name. If the attributes already exist in the span, they're overwritten.
This process is repeated for all rules in the order they're specified. Each subsequent rule works on the span name that's the output of the previous rule.
This section lists some common span attributes that telemetry processors can use
| `db.user` | string | Username for accessing the database. | | `db.name` | string | String used to report the name of the database being accessed. For commands that switch the database, this string should be set to the target database, even if the command fails.| | `db.statement` | string | Database statement that's being run.|+
+### Include criteria and exclude criteria
+
+Span processors support optional `include` and `exclude` criteria.
+A span processor is applied only to telemetry that match its `include` criteria (if it's provided)
+_and_ don't match its `exclude` criteria (if it's provided).
+
+To configure this option, under `include` or `exclude` (or both), specify at least one `matchType` and either `spanNames` or span `attributes`.
+The include-exclude configuration allows more than one specified condition.
+All specified conditions must evaluate to true to result in a match.
+
+* **Required field**: `matchType` controls how items in `spanNames` arrays and `attributes` arrays are interpreted. Possible values are `regexp` and `strict`.
+
+* **Optional fields**:
+ * `spanNames` must match at least one of the items.
+ * `attributes` specifies the list of attributes to match. All of these attributes must match exactly to result in a match.
+
+> [!NOTE]
+> If both `include` and `exclude` are specified, the `include` properties are checked before the `exclude` properties are checked.
+
+### Sample usage
+
+```json
+"processors": [
+ {
+ "type": "span",
+ "include": {
+ "matchType": "strict",
+ "spanNames": [
+ "spanA",
+ "spanB"
+ ]
+ },
+ "exclude": {
+ "matchType": "strict",
+ "attributes": [
+ {
+ "key": "attribute1",
+ "value": "attributeValue1"
+ }
+ ]
+ },
+ "name": {
+ "toAttributes": {
+ "rules": [
+ "rule1",
+ "rule2",
+ "rule3"
+ ]
+ }
+ }
+ }
+]
+```
+For more information, see [Telemetry processor examples](./java-standalone-telemetry-processors-examples.md).
+
+## Log processor
+
+> [!NOTE]
+> This feature is available only in version 3.1.1 and later.
+
+The log processor modifies either the log message body or attributes of a log based on the log message body. It can support the ability to include or exclude logs.
+
+### Update Log message body
+
+The `body` section requires the `fromAttributes` setting. The values from these attributes are used to create a new body, concatenated in the order that the configuration specifies. The processor will change the log body only if all of these attributes are present on the log.
+
+The `separator` setting is optional. This setting is a string. It's specified to split values.
+> [!NOTE]
+> If renaming relies on the attributes processor to modify attributes, ensure the log processor is specified after the attributes processor in the pipeline specification.
+
+```json
+"processors": [
+ {
+ "type": "log",
+ "body": {
+ "fromAttributes": [
+ "attributeKey1",
+ "attributeKey2",
+ ],
+ "separator": "::"
+ }
+ }
+]
+```
+
+### Extract attributes from the log message body
+
+The `toAttributes` section lists the regular expressions to match the log message body. It extracts attributes based on subexpressions.
+
+The `rules` setting is required. This setting lists the rules that are used to extract attribute values from the body.
+
+The values in the log message body are replaced by extracted attribute names. Each rule in the list is a regular expression (regex) pattern string.
+
+Here's how values are replaced by extracted attribute names:
+
+1. The log message body is checked against the regex.
+2. If the regex matches, all named subexpressions of the regex are extracted as attributes.
+3. The extracted attributes are added to the log.
+4. Each subexpression name becomes an attribute name.
+5. The subexpression matched portion becomes the attribute value.
+6. The matched portion in the log name is replaced by the extracted attribute name. If the attributes already exist in the log, they're overwritten.
+
+This process is repeated for all rules in the order they're specified. Each subsequent rule works on the log name that's the output of the previous rule.
+
+```json
+"processors": [
+ {
+ "type": "log",
+ "body": {
+ "toAttributes": {
+ "rules": [
+ "rule1",
+ "rule2",
+ "rule3"
+ ]
+ }
+ }
+ }
+]
+
+```
+
+### Include criteria and exclude criteria
+
+Log processors support optional `include` and `exclude` criteria.
+A log processor is applied only to telemetry that match its `include` criteria (if it's provided)
+_and_ don't match its `exclude` criteria (if it's provided).
+
+To configure this option, under `include` or `exclude` (or both), specify the `matchType` and `attributes`.
+The include-exclude configuration allows more than one specified condition.
+All specified conditions must evaluate to true to result in a match.
+
+* **Required field**:
+ * `matchType` controls how items in `attributes` arrays are interpreted. Possible values are `regexp` and `strict`.
+ * `attributes` specifies the list of attributes to match. All of these attributes must match exactly to result in a match.
+
+> [!NOTE]
+> If both `include` and `exclude` are specified, the `include` properties are checked before the `exclude` properties are checked.
+
+> [!NOTE]
+> Log processors donot support `spanNames`.
+
+### Sample usage
+
+```json
+"processors": [
+ {
+ "type": "log",
+ "include": {
+ "matchType": "strict",
+ "attributes": [
+ {
+ "key": "attribute1",
+ "value": "value1"
+ }
+ ]
+ },
+ "exclude": {
+ "matchType": "strict",
+ "attributes": [
+ {
+ "key": "attribute2",
+ "value": "value2"
+ }
+ ]
+ },
+ "body": {
+ "toAttributes": {
+ "rules": [
+ "rule1",
+ "rule2",
+ "rule3"
+ ]
+ }
+ }
+ }
+]
+```
+For more information, see [Telemetry processor examples](./java-standalone-telemetry-processors-examples.md).
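Review bot: the `fromAttributes` sample in this hunk is not valid JSON: the array ends with `"attributeKey2",` followed directly by `]`, and a trailing comma is rejected by strict JSON parsers; drop the comma. The same hunk also has these problems: `The body section requires the fromAttributes setting.` is contradicted two sections later, where `body` takes `toAttributes` instead, so say that `body` takes either `fromAttributes` (rebuild the body from attributes) or `toAttributes` (extract attributes from the body); step 6 and the closing sentence of the extract section say `log name` (`The matched portion in the log name is replaced`, `works on the log name that's the output`) where they mean the log message body; the note `If renaming relies on the attributes processor` was copied from the span processor and should read `If the body update relies on the attribute processor`; `donot support` needs `do not`; `telemetry that match its` needs `matches`; `**Required field**:` introduces two items (`matchType` and `attributes`), so `fields`; the `toAttributes` fence has a stray blank line before its closing backticks; and the heading `### Update Log message body` should be sentence case.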
azure-monitor Azure Web Apps Analytics https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/insights/azure-web-apps-analytics.md
Last updated 07/02/2018
> [!NOTE] > The Azure Web App Analytics solution has moved to community support.
->- The solution is no longer available from the Azure Marketplace but can be installed from [Azure Quickstart templates](https://azure.microsoft.com/resources/templates/101-webappazure-oms-monitoring/) where it's supported by the community.
+>- The solution is no longer available from the Azure Marketplace but can be installed from [Azure Quickstart templates](https://azure.microsoft.com/resources/templates/webappazure-oms-monitoring/) where it's supported by the community.
>- Customers who have already installed the solution can continue to use it with changes. >- Microsoft recommends that you use [Application Insights](../app/app-insights-overview.md) to monitor your web applications.
azure-monitor Network Performance Monitor Faq https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/insights/network-performance-monitor-faq.md
Listed below are the platform requirements for NPM's various capabilities:
- NPM's Performance Monitor and Service Connectivity Monitor capabilities support both Windows server and Windows desktops/client operating systems. Windows server OS versions supported are 2008 SP1 or later. Windows desktops/client versions supported are Windows 10, Windows 8.1, Windows 8, and Windows 7. - NPM's ExpressRoute Monitor capability supports only Windows server (2008 SP1 or later) operating system.
-### Can I use Linux machines as monitoring nodes in NPM?
+### Can I use machines as monitoring nodes in NPM?
The capability to monitor networks using Linux-based nodes is now generally available. Access the agent [here](../../virtual-machines/extensions/oms-linux.md). ### What are the size requirements of the nodes to be used for monitoring by NPM?
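Review bot: dropping `Linux` from the question (`### Can I use machines as monitoring nodes in NPM?`) makes it meaningless, since the answer that follows is specifically about Linux-based nodes; the previous heading `### Can I use Linux machines as monitoring nodes in NPM?` should stay.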
You can view the health status of the nodes being used for monitoring from the f
### Can NPM report latency numbers in microseconds? NPM rounds the latency numbers in the UI and in milliseconds. The same data is stored at a higher granularity (sometimes up to four decimal places).
+### Does NPM support multi-homed nodes?
+No. Each NPM node requires a dedicated Log Analytics workspace.
+
+### What additional requirements does the NPM have for Linux?
+The OMS agent for Linux also requires GLIBC 2.14 or later.
+ ## Next steps -- Learn more about Network Performance Monitor by referring to [Network Performance Monitor solution in Azure](./network-performance-monitor.md).
+- Learn more about Network Performance Monitor by referring to [Network Performance Monitor solution in Azure](./network-performance-monitor.md).
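Review bot: the new answer `No. Each NPM node requires a dedicated Log Analytics workspace.` can be read as one workspace per node; if the intent is that a node must report to a single workspace (the usual meaning of not supporting multi-homing), say `Each NPM node must be connected to a single Log Analytics workspace.` Also `What additional requirements does the NPM have for Linux?` reads better as `does NPM have for Linux`, matching the other FAQ headings.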
azure-monitor Logs Dedicated Clusters https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/logs/logs-dedicated-clusters.md
The capabilities that require dedicated clusters are:
- **[Customer-managed Keys](../logs/customer-managed-keys.md)** - Encrypt the cluster data using keys that are provided and controlled by the customer. - **[Lockbox](../logs/customer-managed-keys.md#customer-lockbox-preview)** - Customers can control Microsoft support engineers access requests for data. - **[Double encryption](../../storage/common/storage-service-encryption.md#doubly-encrypt-data-with-infrastructure-encryption)** protects against a scenario where one of the encryption algorithms or keys may be compromised. In this case, the additional layer of encryption continues to protect your data.-- **[Multi-workspace](../logs/cross-workspace-query.md)** - If a customer is using more than one workspace for production it might make sense to use dedicated cluster. Cross-workspace queries will run faster if all workspaces are on the same cluster. It might also be more cost effective to use dedicated cluster as the assigned capacity reservation tiers take into account all cluster ingestion and applies to all its workspaces, even if some of them are small and not eligible for capacity reservation discount.
+- **[Multi-workspace](../logs/cross-workspace-query.md)** - If a customer is using more than one workspace for production it might make sense to use dedicated cluster. Cross-workspace queries will run faster if all workspaces are on the same cluster. It might also be more cost effective to use dedicated cluster as the assigned commitment tier takes into account all cluster ingestion and applies to all its workspaces, even if some of them are small and not eligible for commitment tier discount.
Dedicated clusters require customers to commit using a capacity of at least 1 TB of data ingestion per day. Migration to a dedicated cluster is simple. There is no data loss or service interruption.
All operations on the cluster level require the `Microsoft.OperationalInsights/c
## Cluster pricing model
-Log Analytics Dedicated Clusters use a Capacity Reservation pricing model which of at least 1000 GB/day. Any usage above the reservation level will be billed at the Pay-As-You-Go rate. Capacity Reservation pricing information is available at the [Azure Monitor pricing page]( https://azure.microsoft.com/pricing/details/monitor/).
+Log Analytics Dedicated Clusters use a Commitment Tier pricing model which of at least 1000 GB/day. Any usage above the tier level will be billed at effective per-GB rate of that Commitment Tier. Commitment Tier pricing information is available at the [Azure Monitor pricing page]( https://azure.microsoft.com/pricing/details/monitor/).
-The cluster capacity reservation level is configured via programmatically with Azure Resource Manager using the `Capacity` parameter under `Sku`. The `Capacity` is specified in units of GB and can have values of 1000 GB/day or more in increments of 100 GB/day.
+The cluster Commitment Tier level is configured via programmatically with Azure Resource Manager using the `Capacity` parameter under `Sku`. The `Capacity` is specified in units of GB and can have values of 1000, 2000 or 5000 GB/day.
There are two modes of billing for usage on a cluster. These can be specified by the `billingType` parameter when configuring your cluster. 1. **Cluster**: in this case (which is the default), billing for ingested data is done at the cluster level. The ingested data quantities from each workspace associated to a cluster are aggregated to calculate the daily bill for the cluster.
-2. **Workspaces**: the Capacity Reservation costs for your Cluster are attributed proportionately to the workspaces in the Cluster (after accounting for per-node allocations from [Azure Security Center](../../security-center/index.yml) for each workspace.)
+2. **Workspaces**: the Commitment Tier costs for your Cluster are attributed proportionately to the workspaces in the cluster (after accounting for per-node allocations from [Azure Security Center](../../security-center/index.yml) for each workspace.) This full details of this pricing model are explained [here]( https://docs.microsoft.com/azure/azure-monitor/platform/manage-cost-storage#log-analytics-dedicated-clusters)..
-If your workspace is using legacy Per Node pricing tier, when it is linked to a cluster it will be billed based on data ingested against the clusterΓÇÖs Capacity Reservation, and no longer per node. Per node data allocations from Azure Security Center will continue to be applied.
+If your workspace is using legacy Per Node pricing tier, when it is linked to a cluster it will be billed based on data ingested against the clusterΓÇÖs Commitment Tier, and no longer Per Node. Per-node data allocations from Azure Security Center will continue to be applied.
-More details are billing for Log Analytics dedicated clusters are available [here]( https://docs.microsoft.com/azure/azure-monitor/platform/manage-cost-storage#log-analytics-dedicated-clusters).
+Complete details are billing for Log Analytics dedicated clusters are available [here]( https://docs.microsoft.com/azure/azure-monitor/platform/manage-cost-storage#log-analytics-dedicated-clusters).
## Asynchronous operations and status check
The following properties must be specified:
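Review bot: the replacement sentences carry grammar breaks that make the billing rules hard to parse: "use a Commitment Tier pricing model which of at least 1000 GB/day" has no verb (the manage-cost-storage text later in this batch reads "which must be configured to at least 1000 GB/day"), "configured via programmatically" should be "configured programmatically", and the Workspaces bullet ends in "This full details of this pricing model are explained [here](...).." with a stray "This" and a double period. The last line, "Complete details are billing for Log Analytics dedicated clusters are available", should read "Complete details on billing for Log Analytics dedicated clusters are available". Both absolute docs.microsoft.com links could use the relative form the same file already uses, `./manage-cost-storage.md#log-analytics-dedicated-clusters`.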
- **ClusterName**: Used for administrative purposes. Users are not exposed to this name. - **ResourceGroupName**: As for any Azure resource, clusters belong to a resource group. We recommended you use a central IT resource group because clusters are usually shared by many teams in the organization. For more design considerations, review [Designing your Azure Monitor Logs deployment](../logs/design-logs-deployment.md) - **Location**: A cluster is located in a specific Azure region. Only workspaces located in this region can be linked to this cluster.-- **SkuCapacity**: You must specify the *capacity reservation* level (sku) when creating a *cluster* resource. The *capacity reservation* level can be in the range of 1,000 GB to 3,000 GB per day. You can update it in steps of 100 later if needed. If you need capacity reservation level higher than 3,000 GB per day, contact us at LAIngestionRate@microsoft.com. For more information on cluster costs, see [Manage Costs for Log Analytics clusters](./manage-cost-storage.md#log-analytics-dedicated-clusters)
+- **SkuCapacity**: You must specify the Commitment Tier (sku) when creating a cluster resource. The Commitment Tier can be set to 1000, 2000 or 5000 GB/day. For more information on cluster costs, see [Manage Costs for Log Analytics clusters](./manage-cost-storage.md#log-analytics-dedicated-clusters). Note that commitment tiers were formerly called capacity reservations.
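Review bot: the rewritten SkuCapacity bullet drops the escalation path the removed text gave for volumes above the top tier (contact LAIngestionRate@microsoft.com above 3,000 GB/day) and now just lists 5000 GB/day as the largest value; if a route for higher volumes still exists, keep that sentence, and if not, state that 5000 GB/day is the maximum so readers do not go looking for one. The bullet also writes "Commitment Tier (sku)" while the rest of the article refers to the `Capacity` parameter under `Sku`; matching the parameter name's casing avoids confusion.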
-After you create your *Cluster* resource, you can edit additional properties such as *sku*, *keyVaultProperties, or *billingType*. See more details below.
+After you create your *cluster* resource, you can edit additional properties such as *sku*, *keyVaultProperties, or *billingType*. See more details below.
You can have up to 2 active clusters per subscription per region. If cluster is deleted, it is still reserved for 14 days. You can have up to 4 reserved clusters per subscription per region (active or recently deleted).
After you create your *Cluster* resource and it is fully provisioned, you can ed
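Review bot: the only change on this line is *Cluster* to *cluster*, but the line keeps the unbalanced italic `*keyVaultProperties,` (no closing asterisk), which italicizes the rest of the sentence when rendered; since the line is being touched, close it: `*sku*, *keyVaultProperties*, or *billingType*`. The unchanged sentence two lines below, "After you create your *Cluster* resource and it is fully provisioned", still has the old capitalization.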
- **keyVaultProperties** - Updates the key in Azure Key Vault. See [Update cluster with Key identifier details](../logs/customer-managed-keys.md#update-cluster-with-key-identifier-details). It contains the following parameters: *KeyVaultUri*, *KeyName*, *KeyVersion*. - **billingType** - The *billingType* property determines the billing attribution for the *cluster* resource and its data:
- - **Cluster** (default) - The Capacity Reservation costs for your Cluster are attributed to the *Cluster* resource.
- - **Workspaces** - The Capacity Reservation costs for your Cluster are attributed proportionately to the workspaces in the Cluster, with the *Cluster* resource being billed some of the usage if the total ingested data for the day is under the Capacity Reservation. See [Log Analytics Dedicated Clusters](./manage-cost-storage.md#log-analytics-dedicated-clusters) to learn more about the Cluster pricing model.
+ - **Cluster** (default) - The costs for your Cluster are attributed to the *Cluster* resource.
+ - **Workspaces** - The costs for your Cluster are attributed proportionately to the workspaces in the Cluster, with the *Cluster* resource being billed some of the usage if the total ingested data for the day is under the Commitment Tier. See [Log Analytics Dedicated Clusters](./manage-cost-storage.md#log-analytics-dedicated-clusters) to learn more about the Cluster pricing model.
- **Identity** - The identity to be used to authenticate to your Key Valt. This can be System-assigned or User-assigned. >[!IMPORTANT]
The same as for 'clusters in a resource group', but in subscription scope.
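Review bot: the billingType bullets keep "Cluster" capitalized ("The costs for your Cluster are attributed to the *Cluster* resource") although the hunk just above lowercases *cluster*; pick one form for the article. In the Workspaces bullet, "the *Cluster* resource being billed some of the usage if the total ingested data for the day is under the Commitment Tier" is vague about what is billed; "the unused portion of the tier" says it. The unchanged Identity line inside this hunk still reads "Key Valt" for Key Vault.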
-### Update capacity reservation in cluster
+### Update commitment tier in cluster
-When the data volume to your linked workspaces change over time and you want to update the capacity reservation level appropriately. The Capacity is specified in units of GB and can have values of 1000 GB/day or more in increments of 100 GB/day. Note that you donΓÇÖt have to provide the full REST request body but should include the sku.
+When the data volume to your linked workspaces change over time and you want to update the Commitment Tier level appropriately. The tier is specified in units of GB and can have values of 1000, 2000 or 5000 GB/day. Note that you donΓÇÖt have to provide the full REST request body but should include the sku.
**CLI**
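Review bot: the rewritten paragraph opens with a fragment: "When the data volume to your linked workspaces change over time and you want to update the Commitment Tier level appropriately." has no main clause, and "change" does not agree with "volume". Suggest "When the data volume to your linked workspaces changes over time, update the Commitment Tier level accordingly." The values are daily, so "specified in units of GB" should be "GB/day", matching the "1000, 2000 or 5000 GB/day" that follows.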
azure-monitor Manage Cost Storage https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/logs/manage-cost-storage.md
Also, note that some solutions, such as [Azure Defender (Security Center)](https
### Log Analytics Dedicated Clusters
-Log Analytics Dedicated Clusters are collections of workspaces into a single managed Azure Data Explorer cluster to support advanced scenarios such as [Customer-Managed Keys](customer-managed-keys.md). Log Analytics Dedicated Clusters use a commitment tier pricing model which must be configured to at least 1000 GB/day. The cluster commitment tier has a 31-day commitment period after the commitment level is increased. During the commitment period the commitment tier level cannot be reduced, but it can be increased at any time. When workspaces are associated to a cluster, the data ingestion billing for those workspaces are done at the cluster level using the configured commitment tier level. Learn more about [creating a Log Analytics Clusters](customer-managed-keys.md#create-cluster) and [associating workspaces to it](customer-managed-keys.md#link-workspace-to-cluster). Commitment tier pricing information is available at the [Azure Monitor pricing page]( https://azure.microsoft.com/pricing/details/monitor/).
+[Log Analytics Dedicated Clusters](logs-dedicated-clusters.md) are collections of workspaces into a single managed Azure Data Explorer cluster to support advanced scenarios such as [Customer-Managed Keys](customer-managed-keys.md). Log Analytics Dedicated Clusters use a commitment tier pricing model which must be configured to at least 1000 GB/day. The cluster commitment tier has a 31-day commitment period after the commitment level is increased. During the commitment period the commitment tier level cannot be reduced, but it can be increased at any time. When workspaces are associated to a cluster, the data ingestion billing for those workspaces are done at the cluster level using the configured commitment tier level. Learn more about [creating a Log Analytics Clusters](customer-managed-keys.md#create-cluster) and [associating workspaces to it](customer-managed-keys.md#link-workspace-to-cluster). Commitment tier pricing information is available at the [Azure Monitor pricing page]( https://azure.microsoft.com/pricing/details/monitor/).
The cluster commitment tier level is configured via programmatically with Azure Resource Manager using the `Capacity` parameter under `Sku`. The `Capacity` is specified in units of GB and can have values of 1000 GB/day or more in increments of 100 GB/day. This is detailed at [Azure Monitor customer-managed key](customer-managed-keys.md#create-cluster).
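Review bot: this hunk only adds the link to logs-dedicated-clusters.md, but the unchanged paragraph right after it still says `Capacity` under `Sku` "can have values of 1000 GB/day or more in increments of 100 GB/day", which contradicts the "1000, 2000 or 5000 GB/day" values that the logs-dedicated-clusters change earlier in this batch introduces; the two articles should state the same allowed values, and "configured via programmatically" needs the same fix here as there.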
azure-monitor Vminsights Alerts https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/vm/vminsights-alerts.md
InsightsMetrics
| where Origin == "vm.azm.ms" | where Namespace == "LogicalDisk" and Name == "TransfersPerSecond" | extend Disk=tostring(todynamic(Tags)["vm.azm.ms/mountId"])
-| summarize AggregatedValue = avg(Val) by bin(TimeGenerated, 15m) ), Computer, _ResourceId, Disk
+| summarize AggregatedValue = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId, Disk
``` ### Logical disk data rate
InsightsMetrics
| where Origin == "vm.azm.ms" | where Namespace == "LogicalDisk" and Name == "BytesPerSecond" | extend Disk=tostring(todynamic(Tags)["vm.azm.ms/mountId"])
-| summarize AggregatedValue = avg(Val) by bin(TimeGenerated, 15m) , Computer, _ResourceId, Disk
+| summarize AggregatedValue = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId, Disk
``` ### Network interfaces bytes received - all interfaces
azure-netapp-files Azure Netapp Files Faqs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-netapp-files/azure-netapp-files-faqs.md
Azure NetApp Files provides volume performance metrics. You can also use Azure M
See [Performance impact of Kerberos on NFSv4.1 volumes](performance-impact-kerberos.md) for information about security options for NFSv4.1, the performance vectors tested, and the expected performance impact.
+### Does Azure NetApp Files support SMB Direct?
+
+No, Azure NetApp Files does not support SMB Direct.
+
+### Is NIC Teaming supported in Azure?
+
+NIC Teaming is not supported in Azure. Although multiple network interfaces are supported on Azure virtual machines, they represent a logical rather than a physical construct. As such, they provide no fault tolerance. Also, the bandwidth available to an Azure virtual machine is calculated for the machine itself and not any individual network interface.
+
+### Are jumbo frames supported?
+
+Jumbo frames are not supported with Azure virtual machines.
+ ## NFS FAQs ### I want to have a volume mounted automatically when an Azure VM is started or rebooted. How do I configure my host for persistent NFS volumes?
Use the **JSON View** link on the volume overview pane, and look for the **start
No. However, Azure NetApp Files SMB shares can serve as a DFS Namespace (DFS-N) folder target. To use an Azure NetApp Files SMB share as a DFS-N folder target, provide the Universal Naming Convention (UNC) mount path of the Azure NetApp Files SMB share by using the [DFS Add Folder Target](/windows-server/storage/dfs-namespaces/add-folder-targets#to-add-a-folder-target) procedure. + ### SMB encryption FAQs This section answers commonly asked questions about SMB encryption (SMB 3.0 and SMB 3.1.1).
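Review bot: the three Q&As added here (SMB Direct, NIC Teaming, jumbo frames) are the sections deleted from azure-netapp-files-smb-performance.md later in this batch, and they land at the end of the performance FAQs directly after the NFSv4.1 Kerberos item; the SMB Direct question belongs with the SMB FAQs next to the SMB encryption entries, and the SMB performance article should link to wherever they end up, since its own copies are being removed.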
azure-netapp-files Azure Netapp Files Quickstart Set Up Account Create Volumes https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-netapp-files/azure-netapp-files-quickstart-set-up-account-create-volumes.md
See [Register for Azure NetApp Files](azure-netapp-files-register.md) for more i
The following code snippet shows how to create a NetApp account in an Azure Resource Manager template (ARM template), using the [Microsoft.NetApp/netAppAccounts](/azure/templates/microsoft.netapp/netappaccounts) resource. To run the code, download the [full ARM template](https://github.com/Azure/azure-quickstart-templates/blob/master/101-anf-nfs-volume/azuredeploy.json) from our GitHub repo. <!-- Block begins with "type": "Microsoft.NetApp/netAppAccounts", -->
The following code snippet shows how to create a NetApp account in an Azure Reso
The following code snippet shows how to create a capacity pool in an Azure Resource Manager template (ARM template), using the [Microsoft.NetApp/netAppAccounts/capacityPools](/azure/templates/microsoft.netapp/netappaccounts/capacitypools) resource. To run the code, download the [full ARM template](https://github.com/Azure/azure-quickstart-templates/blob/master/101-anf-nfs-volume/azuredeploy.json) from our GitHub repo. <!-- LN 185, block begins with "type": "Microsoft.NetApp/netAppAccounts/capacityPools", -->
The following code snippet shows how to create a capacity pool in an Azure Resou
The following code snippets show how to set up a VNet and create an Azure NetApp Files volume in an Azure Resource Manager template (ARM template). VNet setup uses the [Microsoft.Network/virtualNetworks](/azure/templates/Microsoft.Network/virtualNetworks) resource. Volume creation uses the [Microsoft.NetApp/netAppAccounts/capacityPools/volumes](/azure/templates/microsoft.netapp/netappaccounts/capacitypools/volumes) resource. To run the code, download the [full ARM template](https://github.com/Azure/azure-quickstart-templates/blob/master/101-anf-nfs-volume/azuredeploy.json) from our GitHub repo. <!-- Block begins with "type": "Microsoft.Network/virtualNetworks", --> <!-- Block begins with "type": "Microsoft.NetApp/netAppAccounts/capacityPools/volumes", -->
azure-netapp-files Azure Netapp Files Smb Performance https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-netapp-files/azure-netapp-files-smb-performance.md
Title: FAQs about SMB performance for Azure NetApp Files| Microsoft Docs
-description: Answers frequently asked questions about SMB performance for Azure NetApp Files.
+ Title: SMB performance best practices for Azure NetApp Files| Microsoft Docs
+description: Helps you understand SMB performance and best practices for Azure NetApp Files.
documentationcenter: ''
Last updated 05/19/2021
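Review bot: the new title string "SMB performance best practices for Azure NetApp Files| Microsoft Docs" keeps the missing space before the pipe from the old title; "Files | Microsoft Docs" is the form the other titles use.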
-# FAQs about SMB performance for Azure NetApp Files
+# SMB performance best practices for Azure NetApp Files
-This article answers frequently asked questions (FAQs) about SMB performance best practices for Azure NetApp Files.
+This article helps you understand SMB performance and best practices for Azure NetApp Files.
-## Is SMB Multichannel enabled in SMB shares?
+## SMB Multichannel
-Yes, SMB Multichannel is enabled by default, a change put in place in early January 2020. All SMB shares pre-dating existing SMB volumes have had the feature enabled, and all newly created volumes will also have the feature enabled at time of creation.
+SMB Multichannel is enabled by default in SMB shares. All SMB shares pre-dating existing SMB volumes have had the feature enabled, and all newly created volumes will also have the feature enabled at time of creation.
Any SMB connection established before the feature enablement will need to be reset to take advantage of the SMB Multichannel functionality. To reset, you can disconnect and reconnect the SMB share.
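Review bot: dropping "a change put in place in early January 2020" leaves "All SMB shares pre-dating existing SMB volumes have had the feature enabled" with no reference point, and the phrase did not parse before either; suggest "All SMB volumes created before the feature was enabled have had it turned on, and newly created volumes have it enabled at creation." The unchanged sentence that follows, about resetting connections established "before the feature enablement", then still reads correctly.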
-## Is RSS supported?
-
-Yes, Azure NetApp Files supports receive-side-scaling (RSS).
-
-With SMB Multichannel enabled, an SMB3 client establishes multiple TCP connections to the Azure NetApp Files SMB server over a network interface card (NIC) that is single RSS capable.
-
-## Which Windows versions support SMB Multichannel?
- Windows has supported SMB Multichannel since Windows 2012 to enable best performance. See [Deploy SMB Multichannel](/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn610980(v%3Dws.11)) and [The basics of SMB Multichannel](/archive/blogs/josebda/the-basics-of-smb-multichannel-a-feature-of-windows-server-2012-and-smb-3-0) for details. -
-## Does my Azure virtual machine support RSS?
-
-To see if your Azure virtual machine NICs support RSS, run the command
-`Get-SmbClientNetworkInterface` as follows and check the field `RSS Capable`:
-
-![Screenshot that shows RSS output for Azure virtual machine.](../media/azure-netapp-files/azure-netapp-files-formance-rss-support.png)
-
-## Does Azure NetApp Files support SMB Direct?
-
-No, Azure NetApp Files does not support SMB Direct.
-
-## What is the benefit of SMB Multichannel?
+### Benefits of SMB Multichannel
The SMB Multichannel feature enables an SMB3 client to establish a pool of connections over a single network interface card (NIC) or multiple NICs and to use them to send requests for a single SMB session. In contrast, by design, SMB1 and SMB2 require the client to establish one connection and send all the SMB traffic for a given session over that connection. This single connection limits the overall protocol performance that can be achieved from a single client.
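Review bot: the "Which Windows versions support SMB Multichannel?" answer, with its links to Deploy SMB Multichannel and The basics of SMB Multichannel, is deleted in this hunk and does not reappear anywhere in the diff, whereas the RSS, SMB Direct, NIC Teaming and SMB Signing items are moved; a reader of the new "## SMB Multichannel" section is left without the client OS requirement. Keep it as a sentence under that heading, e.g. "Windows has supported SMB Multichannel since Windows Server 2012; see Deploy SMB Multichannel for details."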
-## Should I configure multiple NICs on my client for SMB?
-
-No. The SMB client will match the NIC count returned by the SMB server. Each storage volume is accessible from one and only one storage endpoint. That means that only one NIC will be used for any given SMB relationship.
-
-As the output of `Get-SmbClientNetworkInterace` below shows, the virtual machine has 2 network interfaces--15 and 12. As shown under the following command `Get-SmbMultichannelConnection`, even though there are two RSS-capable NICS, only interface 12 is used in connection with the SMB share; interface 15 is not in use.
-
-![Screeshot that shows output for RSS-capable NICS.](../media/azure-netapp-files/azure-netapp-files-rss-capable-nics.png)
-
-## Is NIC Teaming supported in Azure?
-
-NIC Teaming is not supported in Azure. Although multiple network interfaces are supported on Azure virtual machines, they represent a logical rather than a physical construct. As such, they provide no fault tolerance. Also, the bandwidth available to an Azure virtual machine is calculated for the machine itself and not any individual network interface.
-
-## WhatΓÇÖs the performance like for SMB Multichannel?
+### Performance for SMB Multichannel
The following tests and graphs demonstrate the power of SMB Multichannel on single-instance workloads.
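Review bot: the NIC Teaming answer removed here moves to azure-netapp-files-faqs.md, but nothing in the restructured article links to it, even though the new "Multiple NICs on SMB clients" and "Accelerated Networking" sections discuss NIC behaviour on Azure VMs; add a link from the multiple-NICs section so the "logical rather than physical, no fault tolerance, bandwidth is per VM" point stays reachable from this article.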
-### Random I/O
+#### Random I/O
With SMB Multichannel disabled on the client, pure 4 KiB read and write tests were performed using FIO and a 40 GiB working set. The SMB share was detached between each test, with increments of the SMB client connection count per RSS network interface settings of `1`,`4`,`8`,`16`, `set-SmbClientConfiguration -ConnectionCountPerRSSNetworkInterface <count>`. The tests show that the default setting of `4` is sufficient for I/O intensive workloads; incrementing to `8` and `16` had negligible effect.
The Azure virtual machine does not affect SMB (nor NFS) storage I/O limits. As
![Chart that shows random I/O comparison test.](../media/azure-netapp-files/azure-netapp-files-random-io-tests-list.png)
-### Sequential IO
+#### Sequential IO
Tests similar to the random I/O tests described previously were performed with 64-KiB sequential I/O. Although the increases in client connection count per RSS network interface beyond 4ΓÇÖ had no noticeable effect on random I/O, the same does not apply to sequential I/O. As the following graph shows, each increase is associated with a corresponding increase in read throughput. Write throughput remained flat due to network bandwidth restrictions placed by Azure for each instance type/size.
Azure places network rate limits on each virtual machine type/size. The rate lim
![Chart that shows sequential I/O comparison test.](../media/azure-netapp-files/azure-netapp-files-sequential-io-tests-list.png)
-## What performance is expected with a single instance with a 1-TB dataset?
+## SMB Signing
+
+The SMB protocol provides the basis for file and print sharing and other networking operations such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets.
+
+SMB Signing is supported for all SMB protocol versions that are supported by Azure NetApp Files.
+
+### Performance impact of SMB Signing
+
+SMB Signing has a deleterious effect upon SMB performance. Among other potential causes of the performance degradation, the digital signing of each packet consumes additional client-side CPU as the perfmon output below shows. In this case, Core 0 appears responsible for SMB, including SMB Signing. A comparison with the non-multichannel sequential read throughput numbers in the previous section shows that SMB Signing reduces overall throughput from 875MiB/s to approximately 250MiB/s.
+
+![Chart that shows SMB Signing performance impact.](../media/azure-netapp-files/azure-netapp-files-smb-signing-performance.png)
++
+## Performance for a single instance with a 1-TB dataset
To provide more detailed insight into workloads with read/write mixes, the following two charts show the performance of a single, Ultra service-level cloud volume of 50 TB with a 1-TB dataset and with SMB multichannel of 4. An optimal IODepth of 16 was used, and Flexible IO (FIO) parameters were used to ensure the full use of the network bandwidth (`numjobs=16`).
The following chart shows the results for sequential I/O:
![Chart that shows Windows 2019 standard _D32ds_v4 64K sequential throughput.](../media/azure-netapp-files/smb-performance-standard-64k-throughput.png)
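Review bot: the new SMB Signing section quantifies the cost (875MiB/s down to about 250MiB/s) but gives no guidance on the trade-off, although its own first paragraph says signing exists to stop in-transit modification of SMB packets; add a sentence that signing should stay enabled wherever client or domain policy requires it and that the numbers are for capacity planning, not a reason to turn it off. Also "875MiB/s" and "250MiB/s" need a space before the unit, as in "64-KiB" elsewhere in the article, and the `++` line after the chart adds a line containing a lone `+`, which renders as a stray plus sign; drop it.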
-## What performance is expected when scaling out using 5 VMs with a 1-TB dataset?
+## Performance when scaling out using 5 VMs with a 1-TB dataset
These tests with 5 VMs use the same testing environment as the single VM, with each process writing to its own file.
The following chart shows the results for sequential I/O:
![Chart that shows Windows 2019 standard _D32ds_v4 64K 5-instance sequential throughput.](../media/azure-netapp-files/smb-performance-standard-64k-throughput-5-instances.png)
-## How do you monitor Hyper-V ethernet adapters and ensure that you maximize network capacity?
+## How to monitor Hyper-V ethernet adapters
One strategy used in testing with FIO is to set `numjobs=16`. Doing so forks each job into 16 specific instances to maximize the Microsoft Hyper-V Network Adapter.
After you have data traffic running in your volumes, you can monitor your adapte
![Screenshot that shows Performance Monitor output.](../media/azure-netapp-files/smb-performance-performance-monitor-output.png)
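Review bot: with the article no longer in question form, "How to monitor Hyper-V ethernet adapters" is the one heading that keeps a "How to" phrasing while the others became noun phrases ("Accelerated Networking", "RSS"); "Monitoring Hyper-V Ethernet adapters" matches, and "Ethernet" takes a capital. The dropped clause "ensure that you maximize network capacity" was the point of the `numjobs=16` paragraph; keeping it in the section's first sentence preserves that.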
-## Is Accelerated Networking recommended?
+## Accelerated Networking
For maximum performance, it is recommended that you configure [Accelerated Networking](../virtual-network/create-vm-accelerated-networking-powershell.md) on your virtual machines where possible. Keep the following considerations in mind: * The Azure portal enables Accelerated Networking by default for virtual machines supporting this feature. However, other deployment methods such as Ansible and similar configuration tools may not. Failure to enable Accelerated Networking can hobble the performance of a machine. * If Accelerated Networking is not enabled on the network interface of a virtual machine due to its lack of support for an instance type or size, it will remain disabled with larger instance types. You will need manual intervention in those cases.
-## Are jumbo frames supported?
+## RSS
-Jumbo frames are not supported with Azure virtual machines.
+Azure NetApp Files supports receive-side-scaling (RSS).
-## Is SMB Signing supported?
+With SMB Multichannel enabled, an SMB3 client establishes multiple TCP connections to the Azure NetApp Files SMB server over a network interface card (NIC) that is single RSS capable.
-The SMB protocol provides the basis for file and print sharing and other networking operations such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets.
+To see if your Azure virtual machine NICs support RSS, run the command
+`Get-SmbClientNetworkInterface` as follows and check the field `RSS Capable`:
-SMB Signing is supported for all SMB protocol versions that are supported by Azure NetApp Files.
+![Screenshot that shows RSS output for Azure virtual machine.](../media/azure-netapp-files/azure-netapp-files-formance-rss-support.png)
-## What is the performance impact of SMB Signing?
-SMB Signing has a deleterious effect upon SMB performance. Among other potential causes of the performance degradation, the digital signing of each packet consumes additional client-side CPU as the perfmon output below shows. In this case, Core 0 appears responsible for SMB, including SMB Signing. A comparison with the non-multichannel sequential read throughput numbers in the previous section shows that SMB Signing reduces overall throughput from 875MiB/s to approximately 250MiB/s.
+## Multiple NICs on SMB clients
-![Chart that shows SMB Signing performance impact.](../media/azure-netapp-files/azure-netapp-files-smb-signing-performance.png)
+You should not configure multiple NICs on your client for SMB. The SMB client will match the NIC count returned by the SMB server. Each storage volume is accessible from one and only one storage endpoint. That means that only one NIC will be used for any given SMB relationship.
-## What is the anticipated impact of SMB encryption on client workloads?
+As the output of `Get-SmbClientNetworkInterace` below shows, the virtual machine has 2 network interfaces--15 and 12. As shown under the following command `Get-SmbMultichannelConnection`, even though there are two RSS-capable NICS, only interface 12 is used in connection with the SMB share; interface 15 is not in use.
-See [SMB encryption FAQs](azure-netapp-files-faqs.md#smb_encryption_impact).
+![Screeshot that shows output for RSS-capable NICS.](../media/azure-netapp-files/azure-netapp-files-rss-capable-nics.png)
## Next steps
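Review bot: the relocated text carries its typos verbatim: `Get-SmbClientNetworkInterace` (missing "f"; the correct `Get-SmbClientNetworkInterface` appears two paragraphs earlier in the same hunk), "Screeshot", and "NICS" for "NICs"; fix them while moving. "over a network interface card (NIC) that is single RSS capable" reads better as "over a single RSS-capable NIC". The removed "What is the anticipated impact of SMB encryption on client workloads?" item and its link to the SMB encryption FAQs are not relocated; since the article now has an SMB Signing section, and signing and encryption are different protections with different costs, keep a one-line pointer to azure-netapp-files-faqs.md#smb_encryption_impact under SMB Signing so readers do not conflate the two.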
azure-portal Quick Create Template https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-portal/quick-create-template.md
The dashboard you create in the next part of this quickstart requires an existin
## Review the template
-The template used in this quickstart is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/101-azure-portal-dashboard/). The template for this article is too long to show here. To view the template, see [azuredeploy.json](https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/quickstarts/microsoft.portal/azure-portal-dashboard/azuredeploy.json). One Azure resource is defined in the template, [Microsoft.Portal/dashboards](/azure/templates/microsoft.portal/dashboards) - Create a dashboard in the Azure portal.
+The template used in this quickstart is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/azure-portal-dashboard/). The template for this article is too long to show here. To view the template, see [azuredeploy.json](https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/quickstarts/microsoft.portal/azure-portal-dashboard/azuredeploy.json). One Azure resource is defined in the template, [Microsoft.Portal/dashboards](/azure/templates/microsoft.portal/dashboards) - Create a dashboard in the Azure portal.
## Deploy the template
azure-resource-manager Deploy Powershell https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/bicep/deploy-powershell.md
To pass an external parameter file, use the `TemplateParameterUri` parameter:
```powershell New-AzResourceGroupDeployment -Name ExampleDeployment -ResourceGroupName ExampleResourceGroup ` -TemplateFile <path-to-bicep> `
- -TemplateParameterUri https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/101-storage-account-create/azuredeploy.parameters.json
+ -TemplateParameterUri https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/quickstarts/microsoft.storage/storage-account-create/azuredeploy.parameters.json
``` ## Preview changes
azure-resource-manager Key Vault Parameter https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/bicep/key-vault-parameter.md
Last updated 06/01/2021
# Use Azure Key Vault to pass secure parameter value during Bicep deployment
-Instead of putting a secure value (like a password) directly in your Bicep file or parameter file, you can retrieve the value from an [Azure Key Vault](../../key-vault/general/overview.md) during a deployment. You retrieve the value by referencing the key vault and secret in your parameter file. When a [module](./modules.md) expects a `string` parameter with `secure:ture` modifier, you can use the `getSecret` function to obtain a key vault secret. The value is never exposed because you only reference its key vault ID. The key vault can exist in a different subscription than the resource group you're deploying to.
+Instead of putting a secure value (like a password) directly in your Bicep file or parameter file, you can retrieve the value from an [Azure Key Vault](../../key-vault/general/overview.md) during a deployment. You retrieve the value by referencing the key vault and secret in your parameter file. When a [module](./modules.md) expects a `string` parameter with `secure:true` modifier, you can use the `getSecret` function to obtain a key vault secret. The value is never exposed because you only reference its key vault ID. The key vault can exist in a different subscription than the resource group you're deploying to.
This article's focus is how to pass a sensitive value as a Bicep parameter. The article doesn't cover how to set a virtual machine property to a certificate's URL in a key vault. For a quickstart template of that scenario, see [Install a certificate from Azure Key Vault on a Virtual Machine](https://github.com/Azure/azure-quickstart-templates/tree/master/201-vm-winrm-keyvault-windows).
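Review bot: the hunk fixes `secure:ture` to `secure:true`, but the unchanged next line still links the quickstart at `azure-quickstart-templates/tree/master/201-vm-winrm-keyvault-windows`, the old numbered layout that the other azure-resource-manager commits in this batch replace with `quickstarts/<provider>/<name>` paths; update it in the same change so the link does not go stale.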
azure-resource-manager Azure Subscription Service Limits https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/management/azure-subscription-service-limits.md
Title: Azure subscription limits and quotas description: Provides a list of common Azure subscription and service limits, quotas, and constraints. This article includes information on how to increase limits along with maximum values. Previously updated : 04/07/2021 Last updated : 06/09/2021 # Azure subscription and service limits, quotas, and constraints
The latest values for Azure Machine Learning Compute quotas can be found in the
[!INCLUDE [quantum-limits](../../../includes/azure-quantum-limits.md)]
-## Azure role-based access control limits
+## Azure RBAC limits
+
+The following limits apply to [Azure role-based access control (Azure RBAC)](../../role-based-access-control/overview.md).
[!INCLUDE [role-based-access-control-limits](../../../includes/role-based-access-control/limits.md)]
azure-resource-manager Tag Resources https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/management/tag-resources.md
The following limitations apply to tags:
> > * Azure Front Door doesn't support the use of `#` in the tag name. >
- > * The follow Azure resources only support 15 tags:
+ > * The following Azure resources only support 15 tags:
> * Azure Automation > * Azure CDN > * Azure DNS (Zone and A records) > * Azure Private DNS (Zone, A records, and virtual network link)
-
-* Azure Automation and Azure CDN only support 15 tags on resources.
## Next steps
azure-resource-manager Linked Templates https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/linked-templates.md
The following example shows how to use a base URL to create two URLs for linked
```json "variables": {
- "templateBaseUrl": "https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/postgresql-on-ubuntu/",
+ "templateBaseUrl": "https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/application-workloads/postgre/postgresql-on-ubuntu/",
"sharedTemplateUrl": "[uri(variables('templateBaseUrl'), 'shared-resources.json')]", "vmTemplateUrl": "[uri(variables('templateBaseUrl'), 'database-2disk-resources.json')]" }
azure-resource-manager Template Cloud Consistency https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/template-cloud-consistency.md
In the following code, `_artifactsLocation` is used to point to a single locatio
"metadata": { "description": "The base URI where artifacts required by this template are located." },
- "defaultValue": "https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/201-vm-custom-script-windows/"
+ "defaultValue": "https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/quickstarts/microsoft.compute/vm-custom-script-windows/"
}, "_artifactsLocationSasToken": { "type": "securestring",
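Review bot: the corrected `_artifactsLocation` default still resolves to the `master` branch, and this template passes that location to a custom script extension, so the script executed on the VM can change independently of the template. Because the adjacent `_artifactsLocationSasToken` parameter is already a `securestring`, the parameter description ("The base URI where artifacts required by this template are located.") is the natural place to state that callers deploying outside the tutorial should override the default with their own pinned or private artifact location plus SAS token rather than rely on a public mutable branch.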
azure-resource-manager Template Tutorial Create Multiple Instances https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/template-tutorial-create-multiple-instances.md
To complete this article, you need:
## Open a Quickstart template
-[Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/) is a repository for ARM templates. Instead of creating a template from scratch, you can find a sample template and customize it. The template used in this quickstart is called [Create a standard storage account](https://azure.microsoft.com/resources/templates/101-storage-account-create/). The template defines an Azure Storage account resource.
+[Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/) is a repository for ARM templates. Instead of creating a template from scratch, you can find a sample template and customize it. The template used in this quickstart is called [Create a standard storage account](https://azure.microsoft.com/resources/templates/storage-account-create/). The template defines an Azure Storage account resource.
1. From Visual Studio Code, select **File** > **Open File**. 1. In **File name**, paste the following URL:
azure-resource-manager Template Tutorial Create Templates With Dependent Resources https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/template-tutorial-create-templates-with-dependent-resources.md
To complete this article, you need:
## Open a Quickstart template
-Azure Quickstart Templates is a repository for ARM templates. Instead of creating a template from scratch, you can find a sample template and customize it. The template used in this tutorial is called [Deploy a simple Windows VM](https://azure.microsoft.com/resources/templates/101-vm-simple-windows/).
+Azure Quickstart Templates is a repository for ARM templates. Instead of creating a template from scratch, you can find a sample template and customize it. The template used in this tutorial is called [Deploy a simple Windows VM](https://azure.microsoft.com/resources/templates/vm-simple-windows/).
1. From Visual Studio Code, select **File** > **Open File**. 2. In **File name**, paste the following URL:
azure-resource-manager Template Tutorial Deploy Vm Extensions https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/template-tutorial-deploy-vm-extensions.md
If you choose to publish the file to your own location, update the `fileUri` ele
## Open a quickstart template
-Azure Quickstart Templates is a repository for ARM templates. Instead of creating a template from scratch, you can find a sample template and customize it. The template used in this tutorial is called [Deploy a simple Windows VM](https://azure.microsoft.com/resources/templates/101-vm-simple-windows/).
+Azure Quickstart Templates is a repository for ARM templates. Instead of creating a template from scratch, you can find a sample template and customize it. The template used in this tutorial is called [Deploy a simple Windows VM](https://azure.microsoft.com/resources/templates/vm-simple-windows/).
1. In Visual Studio Code, select **File** > **Open File**. 1. In the **File name** box, paste the following URL:
azure-resource-manager Template Tutorial Deployment Script https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/template-tutorial-deployment-script.md
To complete this article, you need:
Instead of creating a template from scratch, you open a template from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/). Azure Quickstart Templates is a repository for ARM templates.
-The template used in this quickstart is called [Create an Azure Key Vault and a secret](https://azure.microsoft.com/resources/templates/101-key-vault-create/). The template creates a key vault, and then adds a secret to the key vault.
+The template used in this quickstart is called [Create an Azure Key Vault and a secret](https://azure.microsoft.com/resources/templates/key-vault-create/). The template creates a key vault, and then adds a secret to the key vault.
1. From Visual Studio Code, select **File** > **Open File**. 2. In **File name**, paste the following URL:
azure-resource-manager Template Tutorial Troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/template-tutorial-troubleshoot.md
To complete this article, you need:
## Create a problematic template
-Open a template called [Create a standard storage account](https://azure.microsoft.com/resources/templates/101-storage-account-create/) from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/), and setup two template issues.
+Open a template called [Create a standard storage account](https://azure.microsoft.com/resources/templates/storage-account-create/) from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/), and setup two template issues.
1. From Visual Studio Code, select **File** > **Open File**. 2. In **File name**, paste the following URL:
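Review bot: on the `+` line, "setup two template issues" uses the noun form where the verb is needed; it should read "set up two template issues". The URL fix itself is consistent with the other quickstart-template renames in this batch.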
azure-resource-manager Template Tutorial Use Key Vault https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/template-tutorial-use-key-vault.md
Now you've prepared a key vault and a secret. The following sections show you ho
## Open a quickstart template
-Azure Quickstart Templates is a repository for ARM templates. Instead of creating a template from scratch, you can find a sample template and customize it. The template that's used in this tutorial is called [Deploy a simple Windows VM](https://azure.microsoft.com/resources/templates/101-vm-simple-windows/).
+Azure Quickstart Templates is a repository for ARM templates. Instead of creating a template from scratch, you can find a sample template and customize it. The template that's used in this tutorial is called [Deploy a simple Windows VM](https://azure.microsoft.com/resources/templates/vm-simple-windows/).
1. In Visual Studio Code, select **File** > **Open File**.
azure-signalr Signalr Quickstart Azure Signalr Service Arm Template https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-signalr/signalr-quickstart-azure-signalr-service-arm-template.md
An Azure account with an active subscription. [Create one for free](https://azur
## Review the template
-The template used in this quickstart is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/101-signalr/).
+The template used in this quickstart is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/signalr/).
:::code language="json" source="~/quickstart-templates/quickstarts/microsoft.signalrservice/signalr/azuredeploy.json":::
azure-sql Audit Write Storage Account Behind Vnet Firewall https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/audit-write-storage-account-behind-vnet-firewall.md
You can configure auditing to write database events on a storage account behind
> [!IMPORTANT] > In order to use storage account behind virtual network and firewall, you need to set **isStorageBehindVnet** parameter to true -- [Deploy an Azure SQL Server with Auditing enabled to write audit logs to a blob storage](https://azure.microsoft.com/resources/templates/201-sql-auditing-server-policy-to-blob-storage)
+- [Deploy an Azure SQL Server with Auditing enabled to write audit logs to a blob storage](https://azure.microsoft.com/resources/templates/sql-auditing-server-policy-to-blob-storage)
> [!NOTE] > The linked sample is on an external public repository and is provided 'as is', without warranty, and are not supported under any Microsoft support program/service.
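Review bot: the NOTE immediately under the changed link has a subject-verb disagreement that this pass should pick up while touching the section: "The linked sample ... is provided 'as is', without warranty, and are not supported" should read "and is not supported". In the same IMPORTANT callout, "In order to use storage account behind virtual network and firewall" is missing its articles ("a storage account behind a virtual network and firewall").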
azure-sql Single Database Create Arm Template Quickstart https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/single-database-create-arm-template-quickstart.md
If you don't have an Azure subscription, [create a free account](https://azure.m
A single database has a defined set of compute, memory, IO, and storage resources using one of two [purchasing models](purchasing-models.md). When you create a single database, you also define a [server](logical-servers.md) to manage it and place it within [Azure resource group](../../active-directory-b2c/overview.md) in a specified region.
-The template used in this quickstart is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/101-sql-database/).
+The template used in this quickstart is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/sql-database/).
:::code language="json" source="~/quickstart-templates/quickstarts/microsoft.sql/sql-database/azuredeploy.json":::
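Review bot: the unchanged context line above the edited link carries a wrong link target: "[Azure resource group](../../active-directory-b2c/overview.md)" points at the Azure AD B2C overview rather than a resource-group article. Since this hunk is already retouching the paragraph, the link should be corrected to the Azure Resource Manager resource-group overview so readers of a SQL quickstart are not sent to an identity product page.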
azure-sql Sql Database Vulnerability Assessment Rules Changelog https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/sql-database-vulnerability-assessment-rules-changelog.md
This article details the changes made to the SQL Vulnerability Assessment servic
|VA1282 |Orphan roles should be removed |Logic change | |VA1286 |Database permissions shouldn't be granted directly to principals (OBJECT or COLUMN) |Removed rule | |VA1288 |Sensitive data columns should be classified |Description change |
+|VA2030 |Minimal set of principals should be granted database-scoped SELECT or EXECUTE permissions |Removed rule |
|VA2033 |Minimal set of principals should be granted database-scoped EXECUTE permission on objects or columns |Description change | |VA2062 |Database-level firewall rules should not grant excessive access |Description change | |VA2063 |Server-level firewall rules should not grant excessive access |Description change |
azure-sql Threat Detection Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/threat-detection-overview.md
Previously updated : 06/07/2021 Last updated : 06/09/2021 tags: azure-synapse
For a full investigation experience, it is recommended to enable auditing, which
## Alerts
-Advanced Threat Protection for Azure SQL Database detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. For a list of alerts for Azure SQL Database, see the [Alerts for SQL Database and Azure Synapse Analytics in Azure Security Center](../../security-center/alerts-reference.md#alerts-sql-db-and-warehouse).
+Advanced Threat Protection detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. For a list of alerts, see the [Alerts for SQL Database and Azure Synapse Analytics in Azure Security Center](../../security-center/alerts-reference.md#alerts-sql-db-and-warehouse).
## Explore detection of a suspicious event
azure-sql Backup Activity Monitor https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/managed-instance/backup-activity-monitor.md
+
+ Title: "Monitor backup activity"
+
+description: Learn how to monitor Azure SQL Managed Instance backup activity using extended events.
++++
+ms.devlang:
++++ Last updated : 12/14/2018+
+# Monitor backup activity for Azure SQL Managed Instance
+
+This article teaches you to configure extended event (XEvent) sessions to monitor backup activity for [Azure SQL Managed Instance](sql-managed-instance-paas-overview.md).
+
+## Overview
+
+Azure SQL Managed Instance emits events (also known as [Extended Events or XEvents](../database/xevent-db-diff-from-svr.md)) during backup activity for the purpose of reporting. Configure an XEvent session to track information such as backup status, backup type, size, time, and location within the msdb database. This information can be integrated with backup monitoring software and also used for the purpose of Enterprise Audit.
+
+Enterprise Audits may require proof of successful backups, time of backup, and duration of the backup.
+
+## Configure XEvent session
+
+Use the extended event `backup_restore_progress_trace` to record the progress of your SQL Managed Instance back up. Modify the XEvent sessions as needed to track the information you're interested in for your business. These T-SQL snippets store the XEvent sessions in the ring buffer, but it's also possible to write to [Azure Blob Storage](../database/xevent-code-event-file.md). XEvent sessions storing data in the ring buffer have a limit of about 1000 messages so should only be used to track recent activity. Additionally, ring buffer data is lost upon failover. As such, for a historical record of backups, write to an event file instead.
+
+### Simple tracking
+
+Configure a simple XEvent session to capture simple events about complete full backups. This script collects the name of the database, the total number of bytes processed, and the time the backup completed.
+
+Use Transact-SQL (T-SQL) to configure the simple XEvent session:
++
+```sql
+CREATE EVENT SESSION [Simple backup trace] ON SERVER
+ADD EVENT sqlserver.backup_restore_progress_trace(
+WHERE operation_type = 0
+AND trace_message LIKE '%100 percent%')
+ADD TARGET package0.ring_buffer
+WITH(STARTUP_STATE=ON)
+GO
+ALTER EVENT SESSION [Simple backup trace] ON SERVER
+STATE = start;
+```
+++
+### Verbose tracking
+
+Configure a verbose XEvent session to track greater details about your backup activity. This script captures start and finish of both full, differential and log backups. Since this script is more verbose, it fills up the ring buffer faster, so entries may recycle faster than with the simple script.
+
+Use Transact-SQL (T-SQL) to configure the verbose XEvent session:
+
+```sql
+CREATE EVENT SESSION [Verbose backup trace] ON SERVER
+ADD EVENT sqlserver.backup_restore_progress_trace(
+ WHERE (
+ [operation_type]=(0) AND (
+ [trace_message] like '%100 percent%' OR
+ [trace_message] like '%BACKUP DATABASE%' OR [trace_message] like '%BACKUP LOG%'))
+ )
+ADD TARGET package0.ring_buffer
+WITH (MAX_MEMORY=4096 KB,EVENT_RETENTION_MODE=ALLOW_SINGLE_EVENT_LOSS,
+ MAX_DISPATCH_LATENCY=30 SECONDS,MAX_EVENT_SIZE=0 KB,MEMORY_PARTITION_MODE=NONE,
+ TRACK_CAUSALITY=OFF,STARTUP_STATE=ON)
+
+ALTER EVENT SESSION [Verbose backup trace] ON SERVER
+STATE = start;
+
+```
+
+## Monitor backup progress
+
+After the XEvent session is created, you can use Transact-SQL (T-SQL) to query ring buffer results and monitor the progress of the backup. Once the XEvent starts, it collects all backup events so entries are added to the session roughly every 5-10 minutes.
+
+### Simple tracking
+
+The following Transact-SQL (T-SQL) code queries the simple XEvent session and returns the name of the database, the total number of bytes processed, and the time the backup completed:
+
+```sql
+WITH
+a AS (SELECT xed = CAST(xet.target_data AS xml)
+FROM sys.dm_xe_session_targets AS xet
+JOIN sys.dm_xe_sessions AS xe
+ON (xe.address = xet.event_session_address)
+WHERE xe.name = 'Backup trace'),
+b AS(SELECT
+d.n.value('(@timestamp)[1]', 'datetime2') AS [timestamp],
+ISNULL(db.name, d.n.value('(data[@name="database_name"]/value)[1]', 'varchar(200)')) AS database_name,
+d.n.value('(data[@name="trace_message"]/value)[1]', 'varchar(4000)') AS trace_message
+FROM a
+CROSS APPLY xed.nodes('/RingBufferTarget/event') d(n)
+LEFT JOIN master.sys.databases db
+ON db.physical_database_name = d.n.value('(data[@name="database_name"]/value)[1]', 'varchar(200)'))
+SELECT * FROM b
+```
+
+The following screenshot shows an example of the output of the above query:
+
+![Screenshot of the xEvent output](./media/backup-activity-monitor/present-xevents-output.png)
+
+In this example, five databases were automatically backed up over the course of 2 hours and 30 minutes, and there are 130 entries in the XEvent session.
+
+### Verbose tracking
+
+The following Transact-SQL (T-SQL) code queries the verbose XEvent session and returns the name of the database, as well as the start and finish of both full, differential and log backups.
++
+```sql
+WITH
+a AS (SELECT xed = CAST(xet.target_data AS xml)
+FROM sys.dm_xe_session_targets AS xet
+JOIN sys.dm_xe_sessions AS xe
+ON (xe.address = xet.event_session_address)
+WHERE xe.name = 'Verbose backup trace'),
+b AS(SELECT
+d.n.value('(@timestamp)[1]', 'datetime2') AS [timestamp],
+ISNULL(db.name, d.n.value('(data[@name="database_name"]/value)[1]', 'varchar(200)')) AS database_name,
+d.n.value('(data[@name="trace_message"]/value)[1]', 'varchar(4000)') AS trace_message
+FROM a
+CROSS APPLY xed.nodes('/RingBufferTarget/event') d(n)
+LEFT JOIN master.sys.databases db
+ON db.physical_database_name = d.n.value('(data[@name="database_name"]/value)[1]', 'varchar(200)'))
+SELECT * FROM b
+```
+
+The following screenshot shows an example of a full backup in the XEvent session:
++
+The following screenshot shows an example of an output of a differential backup in the XEvent session:
+++
+## Next steps
+
+Once your backup has completed, you can then [restore to a point in time](point-in-time-restore.md) or [configure a long-term retention policy](long-term-backup-retention-configure.md).
+
+To learn more, see [automated backups](../database/automated-backups-overview.md).
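Review bot: the simple-tracking query under "Monitor backup progress" returns no rows as written: the session is created as `CREATE EVENT SESSION [Simple backup trace] ON SERVER`, but the query filters on `WHERE xe.name = 'Backup trace'`; it should be `WHERE xe.name = 'Simple backup trace'` to match (the verbose pair is consistent, both using `Verbose backup trace`). Two smaller points in the same article: the lead-in says the simple query returns "the total number of bytes processed", but the SELECT projects only `timestamp`, `database_name` and `trace_message`, so the byte count is available only inside the trace message text and the sentence should say so; and because the Overview presents this output as evidence for Enterprise Audit, the ring-buffer caveat stated later (about 1000 messages, lost on failover) should also be pointed to from the Overview with the event-file alternative, since proof of backups over an audit period cannot be produced from a volatile ring buffer.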
azure-sql Connectivity Architecture Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/managed-instance/connectivity-architecture-overview.md
The following virtual network features are currently *not supported* with SQL Ma
- Learn how to create a managed instance: - From the [Azure portal](instance-create-quickstart.md). - By using [PowerShell](scripts/create-configure-managed-instance-powershell.md).
- - By using [an Azure Resource Manager template](https://azure.microsoft.com/resources/templates/101-sqlmi-new-vnet/).
- - By using [an Azure Resource Manager template (using JumpBox, with SSMS included)](https://azure.microsoft.com/resources/templates/201-sqlmi-new-vnet-w-jumpbox/).
+ - By using [an Azure Resource Manager template](https://azure.microsoft.com/resources/templates/sqlmi-new-vnet/).
+ - By using [an Azure Resource Manager template (using JumpBox, with SSMS included)](https://azure.microsoft.com/resources/templates/sqlmi-new-vnet-w-jumpbox/).
azure-sql Create Template Quickstart https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/managed-instance/create-template-quickstart.md
If you don't have an Azure subscription, [create a free account](https://azure.m
## Review the template
-The template used in this quickstart is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/101-sqlmi-new-vnet/).
+The template used in this quickstart is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/sqlmi-new-vnet/).
:::code language="json" source="~/quickstart-templates/quickstarts/microsoft.sql/sqlmi-new-vnet/azuredeploy.json":::
azure-sql Frequently Asked Questions Faq https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/managed-instance/frequently-asked-questions-faq.md
- Title: Frequently asked questions (FAQ)
-description: Azure SQL Managed Instance frequently asked questions (FAQ)
-------- Previously updated : 09/21/2020-
-# Azure SQL Managed Instance frequently asked questions (FAQ)
-
-This article contains the most common questions about [Azure SQL Managed Instance](sql-managed-instance-paas-overview.md).
-
-## Supported features
-
-**Where can I find a list of features supported on SQL Managed Instance?**
-
-For a list of supported features in SQL Managed Instance, see [Azure SQL Managed Instance features](../database/features-comparison.md).
-
-For differences in syntax and behavior between Azure SQL Managed Instance and SQL Server, see [T-SQL differences from SQL Server](transact-sql-tsql-differences-sql-server.md).
--
-## Technical specification, resource limits and other limitations
-
-**Where can I find technical characteristics and resource limits for SQL Managed Instance?**
-
-For available hardware generation characteristics, see [Technical differences in hardware generations](resource-limits.md#hardware-generation-characteristics).
-For available service tiers and their characteristics, see [Technical differences between service tiers](resource-limits.md#service-tier-characteristics).
-
-**What service tier am I eligible for?**
-
-Any customer is eligible for any service tier. However, if you want to exchange your existing licenses for discounted rates on Azure SQL Managed Instance by using [Azure Hybrid Benefit](https://azure.microsoft.com/pricing/hybrid-benefit/), bear in mind that SQL Server Enterprise Edition customers with Software Assurance are eligible for the [General Purpose](../database/service-tier-general-purpose.md) or [Business Critical](../database/service-tier-business-critical.md) performance tiers and SQL Server Standard Edition customers with Software Assurance are eligible for the General Purpose performance tier only. For more details, see [Specific rights of the AHB](../azure-hybrid-benefit.md?tabs=azure-powershell#what-are-the-specific-rights-of-the-azure-hybrid-benefit-for-sql-server).
-
-**What subscription types are supported for SQL Managed Instance?**
-
-For the list of supported subscription types, see [Supported subscription types](resource-limits.md#supported-subscription-types).
-
-**Which Azure regions are supported?**
-
-Managed instances can be created in most of the Azure regions; see [Supported regions for SQL Managed Instance](https://azure.microsoft.com/global-infrastructure/services/?products=sql-database&regions=all). If you need managed instance in a region that is currently not supported, [send a support request via the Azure portal](../database/quota-increase-request.md).
-
-**Are there any quota limitations for SQL Managed Instance deployments?**
-
-Managed instance has two default limits: limit on the number of subnets you can use and a limit on the number of vCores you can provision. Limits vary across the subscription types and regions. For the list of regional resource limitations by subscription type, see table from [Regional resource limitation](resource-limits.md#regional-resource-limitations). These are soft limits that can be increased on demand. If you need to provision more managed instances in your current regions, send a support request to increase the quota using the Azure portal. For more information, see [Request quota increases for Azure SQL Database](../database/quota-increase-request.md).
-
-**Can I increase the number of databases limit (100) on my managed instance on demand?**
-
-No, and currently there are no committed plans to increase the number of databases on SQL Managed Instance.
-
-**Where can I migrate if I have more than 8TB of data?**
-You can consider migrating to other Azure flavors that suit your workload: [Azure SQL Database Hyperscale](../database/service-tier-hyperscale.md) or [SQL Server on Azure Virtual Machines](../virtual-machines/windows/sql-server-on-azure-vm-iaas-what-is-overview.md).
-
-**Where can I migrate if I have specific hardware requirements such as larger RAM to vCore ratio or more CPUs?**
-You can consider migrating to [SQL Server on Azure Virtual Machines](../virtual-machines/windows/sql-server-on-azure-vm-iaas-what-is-overview.md) or [Azure SQL Database](../database/sql-database-paas-overview.md) memory/cpu optimized.
-
-## Known issues and defects
-
-**Where can I find known issues and defects?**
-
-For product defects and known issues, see [Known issues](../database/doc-changes-updates-release-notes.md#known-issues).
-
-## New features
-
-**Where can I find latest features and the features in public preview?**
-
-For new and preview features, see [Release notes](../database/doc-changes-updates-release-notes.md?tabs=managed-instance).
-
-## Create, update, delete or move SQL Managed Instance
-
-**How can I provision SQL Managed Instance?**
-
-You can provision an instance from [Azure portal](instance-create-quickstart.md), [PowerShell](scripts/create-configure-managed-instance-powershell.md), [Azure CLI](https://techcommunity.microsoft.com/t5/azure-sql-database/create-azure-sql-managed-instance-using-azure-cli/ba-p/386281) and [ARM templates](/archive/blogs/sqlserverstorageengine/creating-azure-sql-managed-instance-using-arm-templates).
-
-**Can I provision Managed Instances in an existing subscription?**
-
-Yes, you can provision a Managed Instance in an existing subscription if that subscription belongs to the [Supported subscription types](resource-limits.md#supported-subscription-types).
-
-**Why couldn't I provision a Managed Instance in the subnet which name starts with a digit?**
-
-This is a current limitation on underlying component that verifies subnet name against the regex ^[a-zA-Z_][^\\\/\:\*\?\"\<\>\|\`\'\^]*(?<![\.\s])$. All names that pass the regex and are valid subnet names are currently supported.
-
-**How can I scale my managed instance?**
-
-You can scale your managed instance from [Azure portal](../managed-instance/service-tiers-managed-instance-vcore.md?tabs=azure-portal#selecting-a-hardware-generation), [PowerShell](/archive/blogs/sqlserverstorageengine/change-size-azure-sql-managed-instance-using-powershell), [Azure CLI](/cli/azure/sql/mi#az_sql_mi_update) or [ARM templates](/archive/blogs/sqlserverstorageengine/updating-azure-sql-managed-instance-properties-using-arm-templates).
-
-**Can I move my Managed Instance from one region to another?**
-
-Yes, you can. For instructions, see [Move resources across regions](../database/move-resources-across-regions.md).
-
-**How can I delete my Managed Instance?**
-
-You can delete Managed Instances via Azure portal, [PowerShell](/powershell/module/az.sql/remove-azsqlinstance), [Azure CLI](/cli/azure/sql/mi#az_sql_mi_delete) or [Resource Manager REST APIs](/rest/api/sql/managedinstances/delete).
-
-**How much time does it take to create or update an instance, or to restore a database?**
-
-Expected time to create a new managed instance or to change service tiers (vCores, storage), depends on several factors. See [Management operations](sql-managed-instance-paas-overview.md#management-operations).
-
-## Naming conventions
-
-**Can a managed instance have the same name as a SQL Server on-premises instance?**
-
-Changing a managed instance name is not supported.
-
-**Can I change DNS zone prefix?**
-
-Yes, Managed Instance default DNS zone *.database.windows.net* can be changed.
-
-To use another DNS zone instead of the default, for example, *.contoso.com*:
-- Use CliConfig to define an alias. The tool is just a registry settings wrapper, so it can be done using group policy or a script as well.-- Use *CNAME* with the *TrustServerCertificate=true* option.-
-## Migration options
-
-**How can I migrate from Azure SQL Database single or elastic pool to SQL Managed Instance?**
-
-Managed instance offers the same performance levels per compute and storage size as other deployment options of Azure SQL Database. If you want to consolidate data on a single instance, or you simply need a feature supported exclusively in managed instance, you can migrate your data by using export/import (BACPAC) functionality. Here are other ways to consider for SQL Database migration to SQL Managed Instance:
-- Using [Data Source External](https://techcommunity.microsoft.com/t5/azure-database-support-blog/lesson-learned-129-using-data-source-external-from-azure-sql/ba-p/1443210)-- Using [SQLPackage](https://techcommunity.microsoft.com/t5/azure-database-support-blog/how-to-migrate-azure-sql-database-to-azure-sql-managed-instance/ba-p/369182)-- Using [BCP](https://medium.com/azure-sqldb-managed-instance/migrate-from-azure-sql-managed-instance-using-bcp-674c92efdca7)-
-**How can I migrate my instance database to a single Azure SQL Database?**
-
-One option is to [export a database to BACPAC](../database/database-export.md) and then [import the BACPAC file](../database/database-import.md). This is the recommended approach if your database is smaller than 100 GB.
-
-[Transactional replication](replication-two-instances-and-sql-server-configure-tutorial.md) can be used if all tables in the database have *primary* keys and there are no In-memory OLTP objects in the database.
-
-Native COPY_ONLY backups taken from managed instance cannot be restored to SQL Server because managed instance has a higher database version compared to SQL Server. For more details, see [Copy-only backup](/sql/relational-databases/backup-restore/copy-only-backups-sql-server?preserve-view=true&view=sql-server-ver15).
-
-**How can I migrate my SQL Server instance to SQL Managed Instance?**
-
-To migrate your SQL Server instance, see [SQL Server instance migration to Azure SQL Managed Instance](migrate-to-instance-from-sql-server.md).
-
-**How can I migrate from other platforms to SQL Managed Instance?**
-
-For migration information about migrating from other platforms, see [Azure Database Migration Guide](https://datamigration.microsoft.com/).
-
-## Switch hardware generation
-
-**Can I switch my managed instance hardware generation between Gen 4 and Gen 5 online?**
-
-Automated online switching from Gen4 to Gen5 is possible if Gen5 hardware is available in the region where your managed instance is provisioned. In this case, you can check [vCore model overview page](../database/service-tiers-vcore.md) explaining how to switch between hardware generations.
-
-This is a long-running operation as a new managed instance will be provisioned in the background and databases automatically transferred between the old and new instance with a quick failover at the end of the process.
-
-Note: Gen4 hardware is being phased out and is no longer available for new deployments. All new databases must be deployed on Gen5 hardware. Switching from Gen5 to Gen4 is also not available.
-
-## Performance
-
-**How can I compare Managed Instance performance to SQL Server performance?**
-
-For a performance comparison between managed instance and SQL Server, a good starting point is [Best practices for performance comparison between Azure SQL managed instance and SQL Server](https://techcommunity.microsoft.com/t5/azure-sql-database/the-best-practices-for-performance-comparison-between-azure-sql/ba-p/683210) article.
-
-**What causes performance differences between Managed Instance and SQL Server?**
-
-See [Key causes of performance differences between SQL managed instance and SQL Server](https://azure.microsoft.com/blog/key-causes-of-performance-differences-between-sql-managed-instance-and-sql-server/). For more information about the log file size impact on General Purpose Managed Instance performance , see [Impact of log file size on General Purpose](https://medium.com/azure-sqldb-managed-instance/impact-of-log-file-size-on-general-purpose-managed-instance-performance-21ad170c823e).
-
-**How do I tune performance of my managed instance?**
-
-You can optimize the performance of your managed instance by:
-- [Automatic tuning](../database/automatic-tuning-overview.md) that provides peak performance and stable workloads through continuous performance tuning based on AI and machine learning.-- [In-memory OLTP](../in-memory-oltp-overview.md) that improves throughput and latency on transactional processing workloads and delivers faster business insights. -
-To tune the performance even further, consider applying some of the *best practices* for [Application and database tuning](../database/performance-guidance.md#tune-your-database).
-If your workload consists of lots of small transactions, consider [switching the connection type from proxy to redirect mode](connection-types-overview.md#changing-connection-type) for lower latency and higher throughput.
-
-## Monitoring, Metrics and Alerts
-
-**What are the options for monitoring and alerting for my managed instance?**
-
-For all possible options to monitor and alert on SQL Managed Instance consumption and performance, see [Azure SQL Managed Instance monitoring options blog post](https://techcommunity.microsoft.com/t5/azure-sql-database/monitoring-options-available-for-azure-sql-managed-instance/ba-p/1065416). For the real-time performance monitoring for SQL MI, see [Real-time performance monitoring for Azure SQL DB Managed Instance](/archive/blogs/sqlcat/real-time-performance-monitoring-for-azure-sql-database-managed-instance).
-
-**Can I use SQL Profiler for performance tracking?**
-
-Yes, SQL Profiler is supported or SQL Managed Instance. For more details, see [SQL Profiler](/sql/tools/sql-server-profiler/sql-server-profiler?preserve-view=true&view=sql-server-ver15).
-
-**Are Database Advisor and Query Performance Insight supported for Managed Instance databases?**
-
-No, they are not supported. You can use [DMVs](../database/monitoring-with-dmvs.md) and [Query Store](/sql/relational-databases/performance/monitoring-performance-by-using-the-query-store?preserve-view=true&view=sql-server-ver15) together with [SQL Profiler](/sql/tools/sql-server-profiler/sql-server-profiler?preserve-view=true&view=sql-server-ver15) and [XEvents](/sql/relational-databases/extended-events/extended-events?preserve-view=true&view=sql-server-ver15) to monitor your databases.
-
-**Can I create metric alerts on SQL Managed Instance?**
-
-Yes. For instructions, see [Create alerts for SQL Managed Instance](alerts-create.md).
-
-**Can I create metric alerts on a database in managed instance?**
-
-You cannot, alerting metrics are available for managed instance only. Alerting metrics for individual databases in managed instance are not available.
-
-## Storage size
-
-**What is the maximum storage size for SQL Managed Instance?**
-
-Storage size for SQL Managed Instance depends on the selected service tier (General Purpose or Business Critical). For storage limitations of these service tiers, see [Service tier characteristics](../database/service-tiers-general-purpose-business-critical.md).
-
-**What is the minimum storage size available for a managed instance?**
-
-The minimum amount of storage available in an instance is 32 GB. Storage can be added in increments of 32 GB up to the maximum storage size. First 32GB are free of charge.
-
-**Can I increase storage space assigned to an instance, independently from compute resources?**
-
-Yes, you can purchase add-on storage, independently from compute, to some extent. See *Max instance reserved storage* in the [Table](resource-limits.md#hardware-generation-characteristics).
-
-**How can I optimize my storage performance in General Purpose service tier?**
-
-To optimize storage performance, see [Storage best practices in General Purpose](https://techcommunity.microsoft.com/t5/datacat/storage-performance-best-practices-and-considerations-for-azure/ba-p/305525).
-
-## Backup and restore
-
-**Is the backup storage deducted from my managed instance storage?**
-
-No, backup storage is not deducted from your managed instance storage space. The backup storage is independent from the instance storage space and it is not limited in size. Backup storage is limited by the time period to retain the backup of your instance databases, configurable up to 35 days. For details, see [Automated backups](../database/automated-backups-overview.md).
-
-**How can I see when automated backups are made on my managed instance?**
-
-To track when automated backups have been performed on Managed Instance, see [How to track the automated backup for an Azure SQL Managed Instance](https://techcommunity.microsoft.com/t5/azure-database-support-blog/lesson-learned-128-how-to-track-the-automated-backup-for-an/ba-p/1442355).
-
-**Is on-demand backup supported?**
-
-Yes, you can create a copy-only full backup in their Azure Blob Storage, but it will only be restorable in Managed Instance. For details, see [Copy-only backup](/sql/relational-databases/backup-restore/copy-only-backups-sql-server?preserve-view=true&view=sql-server-ver15). However, copy-only backup is impossible if the database is encrypted by service-managed TDE since the certificate used for encryption is inaccessible. In such case, use point-in-time-restore feature to move the database to another SQL Managed Instance, or switch to customer-managed key.
-
-**Is native restore (from .bak files) to Managed Instance supported?**
-
-Yes, it is supported and available for SQL Server 2005+ versions. To use native restore, upload your .bak file to Azure blob storage and execute T-SQL commands. For more details, see [Native restore from URL](./migrate-to-instance-from-sql-server.md#native-restore-from-url).
-
-## Business continuity
-
-**Are my system databases replicated to the secondary instance in a failover group?**
-
-System databases are not replicated to the secondary instance in a failover group. Therefore, scenarios that depend on objects from the system databases will be impossible on the secondary instance unless the objects are manually created on the secondary. For workaround, see [Enable scenarios dependent on the object from the system databases](../database/auto-failover-group-overview.md?tabs=azure-powershell#enable-scenarios-dependent-on-objects-from-the-system-databases).
-ΓÇ»
-## Networking requirements
-
-**What are the current inbound/outbound NSG constraints on the Managed Instance subnet?**
-
-The required NSG and UDR rules are documented [here](connectivity-architecture-overview.md#mandatory-inbound-security-rules-with-service-aided-subnet-configuration), and automatically set by the service.
-Please keep in mind that these rules are just the ones we need for maintaining the service. To connect to managed instance and use different features you will need to set additional, feature specific rules, that you need to maintain.
-
-**How can I set inbound NSG rules on management ports?**
-
-SQL Managed Instance is responsible for setting rules on management ports. This is achieved through functionality named [service-aided subnet configuration](connectivity-architecture-overview.md#service-aided-subnet-configuration).
-This is to ensure uninterrupted flow of management traffic in order to fulfill an SLA.
-
-**Can I get the source IP ranges that are used for the inbound management traffic?**
-
-Yes. You could analyze traffic coming through your networks security group by [configuring Network Watcher flow logs](../../network-watcher/network-watcher-monitoring-overview.md#analyze-traffic-to-or-from-a-network-security-group).
-
-**Can I set NSG to control access to the data endpoint (port 1433)?**
-
-Yes. After a Managed Instance is provisioned you can set NSG that controls inbound access to the port 1433. It is advised to narrow its IP range as much as possible.
-
-**Can I set the NVA or on-premises firewall to filter the outbound management traffic based on FQDNs?**
-
-No. This is not supported for several reasons:
-- Routing traffic that represent response to inbound management request would be asymmetric and could not work.-- Routing traffic that goes to storage would be affected by throughput constraints and latency so this way we won't be able to provide expected service quality and availability.-- Based on experience, these configurations are error prone and not supportable.-
-**Can I set the NVA or firewall for the outbound non-management traffic?**
-
-Yes. The simplest way to achieve this is to add 0/0 rule to a UDR associated with managed instance subnet to route traffic through NVA.
-
-**How many IP addresses do I need for a Managed Instance?**
-
-Subnet must have sufficient number of available [IP addresses](connectivity-architecture-overview.md#network-requirements). To determine VNet subnet size for SQL Managed Instance, see [Determine required subnet size and range for Managed Instance](./vnet-subnet-determine-size.md).
-
-**What if there are not enough IP addresses for performing instance update operation?**
-
-In case there are not enough [IP addresses](connectivity-architecture-overview.md#network-requirements) in the subnet where your managed instance is provisioned, you will have to create a new subnet and a new managed instance inside it. We also suggest that the new subnet is created with more IP addresses allocated so future update operations will avoid similar situations. After the new instance is provisioned, you can manually back up and restore data between the old and new instances or perform cross-instance [point-in-time restore](point-in-time-restore.md?tabs=azure-powershell).
-
-**Do I need an empty subnet to create a Managed Instance?**
-
-No. You can use either an empty subnet or a subnet that already contains Managed Instance(s).
-
-**Can I change the subnet address range?**
-
-Not if there are Managed Instances inside. This is an Azure networking infrastructure limitation. You are only allowed to [add additional address space to an empty subnet](../../virtual-network/virtual-network-manage-subnet.md#change-subnet-settings).
-
-**Can I move my managed instance to another subnet?**
-
-No. This is a current Managed Instance design limitation. However, you can provision a new instance in another subnet and manually back up and restore data between the old and the new instance or perform cross-instance [point-in-time restore](point-in-time-restore.md?tabs=azure-powershell).
-
-**Do I need an empty virtual network to create a Managed Instance?**
-
-This is not required. You can either [Create a virtual network for Azure SQL Managed Instance](./virtual-network-subnet-create-arm-template.md) or [Configure an existing virtual network for Azure SQL Managed Instance](./vnet-existing-add-subnet.md).
-
-**Can I place a Managed Instance with other services in a subnet?**
-
-No. Currently we do not support placing Managed Instance in a subnet that already contains other resource types.
-
-## Connectivity
-
-**Can I connect to my managed instance using IP address?**
-
-No, this is not supported. A Managed Instance's host name maps to the load balancer in front of the Managed Instance's virtual cluster. As one virtual cluster can host multiple Managed Instances, a connection cannot be routed to the proper Managed Instance without specifying its name.
-For more information on SQL Managed Instance virtual cluster architecture, see [Virtual cluster connectivity architecture](connectivity-architecture-overview.md#virtual-cluster-connectivity-architecture).
-
-**Can my managed instance have a static IP address?**
-
-This is currently not supported.
-
-In rare but necessary situations, we might need to do an online migration of a managed instance to a new virtual cluster. If needed, this migration is because of changes in our technology stack aimed to improve security and reliability of the service. Migrating to a new virtual cluster results in changing the IP address that is mapped to the managed instance host name. The managed instance service doesn't claim static IP address support and reserves the right to change it without notice as a part of regular maintenance cycles.
-
-For this reason, we strongly discourage relying on immutability of the IP address as it could cause unnecessary downtime.
-
-**Does Managed Instance have a public endpoint?**
-
-Yes. Managed Instance has a public endpoint that is by default used only for Service Management, but a customer may enable it for data access as well. For more details, see [Use SQL Managed Instance with public endpoints](./public-endpoint-overview.md). To configure public endpoint, go to [Configure public endpoint in SQL Managed Instance](public-endpoint-configure.md).
-
-**How does Managed Instance control access to the public endpoint?**
-
-Managed Instance controls access to the public endpoint at both the network and application level.
-
-Management and deployment services connect to a managed instance by using a [management endpoint](./connectivity-architecture-overview.md#management-endpoint) that maps to an external load balancer. Traffic is routed to the nodes only if it's received on a predefined set of ports that only the managed instance's management components use. A built-in firewall on the nodes is set up to allow traffic only from Microsoft IP ranges. Certificates mutually authenticate all communication between management components and the management plane. For more details, see [Connectivity architecture for SQL Managed Instance](./connectivity-architecture-overview.md#virtual-cluster-connectivity-architecture).
-
-**Could I use the public endpoint to access the data in Managed Instance databases?**
-
-Yes. The customer will need to enable public endpoint data access from [Azure portal](public-endpoint-configure.md#enabling-public-endpoint-for-a-managed-instance-in-the-azure-portal) / [PowerShell](public-endpoint-configure.md#enabling-public-endpoint-for-a-managed-instance-using-powershell) / ARM and configure NSG to lock down access to the data port (port number 3342). For more information, see [Configure public endpoint in Azure SQL Managed Instance](public-endpoint-configure.md) and [Use Azure SQL Managed Instance securely with public endpoint](public-endpoint-overview.md).
-
-**Can I specify a custom port for SQL data endpoint(s)?**
-
-No, this option is not available. For private data endpoint, Managed Instance uses default port number 1433 and for public data endpoint, Managed Instance uses default port number 3342.
-
-**What is the recommended way to connect Managed Instances placed in different regions?**
-
-Express Route circuit peering is the preferred way to do that. Global virtual network peering is supported with the limitation described in the note below.
-
-> [!IMPORTANT]
-> [On 9/22/2020 we announced global virtual network peering for newly created virtual clusters](https://azure.microsoft.com/en-us/updates/global-virtual-network-peering-support-for-azure-sql-managed-instance-now-available/). That means that global virtual network peering is supported for SQL Managed Instances created in empty subnets after the announcement date, as well for all the subsequent managed instances created in those subnets. For all the other SQL Managed Instances peering support is limited to the networks in the same region due to the [constraints of global virtual network peering](../../virtual-network/virtual-network-manage-peering.md#requirements-and-constraints). See also the relevant section of the [Azure Virtual Networks frequently asked questions](../../virtual-network/virtual-networks-faq.md#what-are-the-constraints-related-to-global-vnet-peering-and-load-balancers) article for more details.
-
-If Express Route circuit peering and global virtual network peering is not possible, the only other option is to create Site-to-Site VPN connection ([Azure portal](../../vpn-gateway/tutorial-site-to-site-portal.md), [PowerShell](../../vpn-gateway/vpn-gateway-create-site-to-site-rm-powershell.md), [Azure CLI](../../vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-cli.md)).
-
-## Mitigate data exfiltration risks
-
-**How can I mitigate data exfiltration risks?**
-
-To mitigate any data exfiltration risks, customers are recommended to apply a set of security settings and controls:
--- Turn on [Transparent Data Encryption (TDE)](../database/transparent-data-encryption-tde-overview.md) on all databases.-- Turn off Common Language Runtime (CLR). This is recommended on-premises as well.-- Use Azure Active Directory (Azure AD) authentication only.-- Access the instance with a low-privileged DBA account.-- Configure JIT jumpbox access for the sysadmin account.-- Turn on [SQL auditing](/sql/relational-databases/security/auditing/sql-server-audit-database-engine), and integrate it with alerting mechanisms.-- Turn on [Threat Detection](../database/threat-detection-configure.md) from the [Azure Defender for SQL](../database/azure-defender-for-sql.md) suite.-
-## DNS
-
-**Can I configure a custom DNS for SQL Managed Instance?**
-
-Yes. See [How to configure a Custom DNS for Azure SQL Managed Instance](./custom-dns-configure.md).
-
-**Can I do DNS refresh?**
-
-Yes. See [Synchronize virtual network DNS servers setting on SQL Managed Instance virtual cluster](./synchronize-vnet-dns-servers-setting-on-virtual-cluster.md).
-
-## Change time zone
-
-**Can I change the time zone for an existing managed instance?**
-
-Time zone configuration can be set when a managed instance is provisioned for the first time. Changing the time zone of an existing managed instance isn't supported. For details, see [Time zone limitations](timezones-overview.md#limitations).
-
-Workarounds include creating a new managed instance with the proper time zone and then either performing a manual backup and restore, or what we recommend, performing a [cross-instance point-in-time restore](/archive/blogs/sqlserverstorageengine/cross-instance-point-in-time-restore-in-azure-sql-database-managed-instance).
--
-## Security and database encryption
-
-**Is the sysadmin server role available for SQL Managed Instance?**
-
-Yes, customers can create logins that are members of the sysadmin role. Customers who assume the sysadmin privilege are also assuming responsibility for operating the instance, which can negatively impact the SLA commitment. To add login to sysadmin server role, see [Azure AD authentication](./aad-security-configure-tutorial.md#azure-ad-authentication).
-
-**Is Transparent Data Encryption supported for SQL Managed Instance?**
-
-Yes, Transparent Data Encryption is supported for SQL Managed Instance. For details, see [Transparent Data Encryption for SQL Managed Instance](../database/transparent-data-encryption-tde-overview.md?tabs=azure-portal).
-
-**Can I leverage the "bring your own key" model for TDE?**
-
-Yes, Azure Key Vault for BYOK scenario is available for Azure SQL Managed Instance. For details, see [Transparent Data Encryption with customer-managed key](../database/transparent-data-encryption-tde-overview.md?tabs=azure-portal#customer-managed-transparent-data-encryptionbring-your-own-key).
-
-**Can I migrate an encrypted SQL Server database?**
-
-Yes, you can. To migrate an encrypted SQL Server database, you need to export and import your existing certificates into Managed Instance, then take a full database backup and restore it in Managed Instance.
-
-You can also use [Azure Database Migration Service](https://azure.microsoft.com/services/database-migration/) to migrate the TDE encrypted databases.
-
-**How can I configure TDE protector rotation for SQL Managed Instance?**
-
-You can rotate TDE protector for Managed Instance using Azure Cloud Shell. For instructions, see [Transparent Data Encryption in SQL Managed Instance using your own key from Azure Key Vault](scripts/transparent-data-encryption-byok-powershell.md).
-
-**Can I restore my encrypted database to SQL Managed Instance?**
-
-Yes, you don't need to decrypt your database to restore it to SQL Managed Instance. You do need to provide a certificate/key used as the encryption key protector on the source system to SQL Managed Instance to be able to read data from the encrypted backup file. There are two possible ways to do it:
--- *Upload certificate-protector to SQL Managed Instance*. It can be done using PowerShell only. The [sample script](./tde-certificate-migrate.md) describes the whole process.-- *Upload asymmetric key-protector to Azure Key Vault and point SQL Managed Instance to it*. This approach resembles bring-your-own-key (BYOK) TDE use case that also uses Key Vault integration to store the encryption key. If you don't want to use the key as an encryption key protector, and just want to make the key available for SQL Managed Instance to restore encrypted database(s), follow instructions for [setting up BYOK TDE](../database/transparent-data-encryption-tde-overview.md#manage-transparent-data-encryption), and don't check the checkbox **Make the selected key the default TDE protector**.-
-Once you make the encryption protector available to SQL Managed Instance, you can proceed with the standard database restore procedure.
-
-## Purchasing models and benefits
-
-**What purchasing models are available for SQL Managed Instance?**
-
-SQL Managed Instance offers [vCore-based purchasing model](sql-managed-instance-paas-overview.md#vcore-based-purchasing-model).
-
-**What cost benefits are available for SQL Managed Instance?**
-
-You can save costs with the Azure SQL benefits in the following ways:
-- Maximize existing investments in on-premises licenses and save up to 55 percent with [Azure Hybrid Benefit](../azure-hybrid-benefit.md?tabs=azure-powershell). -- Commit to a reservation for compute resources and save up to 33 percent with [Reserved Instance Benefit](../database/reserved-capacity-overview.md). Combine this with Azure Hybrid benefit for savings up to 82 percent. -- Save up to 55 percent versus list prices with [Azure Dev/Test Pricing Benefit](https://azure.microsoft.com/pricing/dev-test/) that offers discounted rates for your ongoing development and testing workloads.-
-**Who is eligible for Reserved Instance benefit?**
-
-To be eligible for reserved Instance benefit, your subscription type must be an enterprise agreement (offer numbers: MS-AZR-0017P or MS-AZR-0148P) or an individual agreement with pay-as-you-go pricing (offer numbers: MS-AZR-0003P or MS-AZR-0023P). For more information about reservations, see [Reserved Instance Benefit](../database/reserved-capacity-overview.md).
-
-**Is it possible to cancel, exchange or refund reservations?**
-
-You can cancel, exchange or refund reservations with certain limitations. For more information, see [Self-service exchanges and refunds for Azure Reservations](../../cost-management-billing/reservations/exchange-and-refund-azure-reservations.md).
-
-## Billing for Managed Instance and backup storage
-
-**What are the SQL Managed Instance pricing options?**
-
-To explore Managed Instance pricing options, see [Pricing page](https://azure.microsoft.com/pricing/details/azure-sql/sql-managed-instance/single/).
-
-**How can I track billing cost for my managed instance?**
-
-You can do so using the [Azure Cost Management solution](../../cost-management-billing/index.yml). Navigate to **Subscriptions** in the [Azure portal](https://portal.azure.com) and select **Cost Analysis**.
-
-Use the **Accumulated costs** option and then filter by the **Resource type** as `microsoft.sql/managedinstances`.
-
-**How much automated backups cost?**
-
-You get the equal amount of free backup storage space as the reserved data storage space purchased, regardless of the backup retention period set. If your backup storage consumption is within the allocated free backup storage space, automated backups on managed instance will have no additional cost for you, therefore will be free of charge. Exceeding the use of backup storage above the free space will result in costs of about $0.20 - $0.24 per GB/month in US regions, or see the pricing page for details for your region. For more details, see [Backup storage consumption explained](https://techcommunity.microsoft.com/t5/azure-sql-database/backup-storage-consumption-on-managed-instance-explained/ba-p/1390923).
-
-**How can I monitor billing cost for my backup storage consumption?**
-
-You can monitor cost for backup storage via Azure portal. For instructions, see [Monitor costs for automated backups](../database/automated-backups-overview.md?tabs=managed-instance#monitor-costs).
-
-**How can I optimize my backup storage costs on the managed instance?**
-
-To optimize your backup storage costs, see [Fine backup tuning on SQL Managed Instance](https://techcommunity.microsoft.com/t5/azure-sql-database/fine-tuning-backup-storage-costs-on-managed-instance/ba-p/1390935).
-
-## Cost-saving use cases
-
-**Where can I find use cases and resulting cost savings with SQL Managed Instance?**
-
-SQL Managed Instance case studies:
--- [Komatsu](https://customers.microsoft.com/story/komatsu-australia-manufacturing-azure)-- [KMD](https://customers.microsoft.com/en-c-professional-services-azure-sql-database)-- [PowerDETAILS](https://customers.microsoft.com/story/powerdetails-partner-professional-services-azure-sql-database-managed-instance)-- [Allscripts](https://customers.microsoft.com/story/allscripts-partner-professional-services-azure)-
-To get a better understanding of the benefits, costs, and risks associated with deploying Azure SQL Managed Instance, there's also a Forrester study: [The Total Economic Impact of Microsoft Azure SQL Database Managed Instance](https://azure.microsoft.com/resources/forrester-tei-sql-database-managed-instance).
-
-## Password policy
-
-**What password policies are applied for SQL Managed Instance SQL logins?**
-
-SQL Managed Instance password policy for SQL logins inherits Azure platform policies that are applied to the VMs forming virtual cluster holding the managed instance. At the moment it is not possible to change any of these settings as these settings are defined by Azure and inherited by managed instance.
-
- > [!IMPORTANT]
- > Azure platform can change policy requirements without notifying services relying on that policies.
-
-**What are current Azure platform policies?**
-
-Each login must set its password upon login and change its password after it reaches maximum age.
-
-| **Policy** | **Security Setting** |
-| | |
-| Maximum password age | 42 days |
-| Minimum password age | 1 day |
-| Minimum password length | 10 characters |
-| Password must meet complexity requirements | Enabled |
-
-**Is it possible to disable password complexity and expiration in SQL Managed Instance on login level?**
-
-Yes, it is possible to control CHECK_POLICY and CHECK_EXPIRATION fields on login level. You can check current settings by executing following T-SQL command:
-
-```sql
-SELECT *
-FROM sys.sql_logins
-```
-
-After that, you can modify specified login settings by executing :
-
-```sql
-ALTER LOGIN <login_name> WITH CHECK_POLICY = OFF;
-ALTER LOGIN <login_name> WITH CHECK_EXPIRATION = OFF;
-```
-
-(replace 'test' with desired login name and adjust policy and expiration values)
--
-## Service updates
-
-**What is the Root CA change for Azure SQL Database & SQL Managed Instance?**
-
-See [Certificate rotation for Azure SQL Database & SQL Managed Instance](../updates/ssl-root-certificate-expiring.md).
-
-**What is a planned maintenance event for SQL Managed Instance?**
-
-See [Plan for Azure maintenance events in SQL Managed Instance](../database/planned-maintenance.md).
--
-## Azure feedback and support
-
-**Where can I leave my ideas for SQL Managed Instance improvements?**
-
-You can vote for a new Managed Instance feature or put a new improvement idea on voting on [SQL Managed Instance Feedback Forum](https://feedback.azure.com/forums/915676-sql-managed-instance). This way you can contribute to the product development and help us prioritize our potential improvements.
-
-**How can I create Azure support request?**
-
-To learn how to create Azure support request, see [How to create Azure support request](../../azure-portal/supportability/how-to-create-azure-support-request.md).
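Review bot: this hunk removes roughly 340 lines of FAQ content (the Performance, Monitoring, Storage size, Backup and restore, Business continuity, Networking requirements, Connectivity, Mitigate data exfiltration risks, DNS, Change time zone, Security and database encryption, Purchasing, Billing, Password policy, Service updates and Azure feedback sections) with no corresponding `+` lines, so confirm the text was relocated rather than dropped and that redirects exist for the removed anchors (for example `#networking-requirements`, `#mitigate-data-exfiltration-risks`, `#security-and-database-encryption`, `#password-policy`) that other articles may link to. The security guidance in particular (TDE on all databases, CLR off, Azure AD-only authentication, low-privileged DBA access, JIT jumpbox for sysadmin, SQL auditing with alerting, Threat Detection, the NSG advice to narrow the port 1433 and 3342 ranges) should not disappear without a replacement link. If the content is being moved, carry over two small fixes while relocating it: the note under the `ALTER LOGIN` snippet says "replace 'test' with desired login name" although the snippet uses `<login_name>`, and "SQL Profiler is supported or SQL Managed Instance" should read "supported for".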
azure-sql Virtual Network Subnet Create Arm Template https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/managed-instance/virtual-network-subnet-create-arm-template.md
The easiest way to create and configure a virtual network is to use an Azure Res
2. Select the **Deploy to Azure** button:
- [![Image showing a button labeled "Deploy to Azure".](https://azuredeploy.net/deploybutton.png)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2F101-sql-managed-instance-azure-environment%2Fazuredeploy.json)
+ [![Image showing a button labeled "Deploy to Azure".](https://azuredeploy.net/deploybutton.png)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fquickstarts%2Fmicrosoft.sql%2Fsql-managed-instance-azure-environment%2Fazuredeploy.json)
This button opens a form that you can use to configure the network environment where you can deploy SQL Managed Instance.
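Review bot: the Deploy to Azure target moves from `101-sql-managed-instance-azure-environment` to `quickstarts/microsoft.sql/sql-managed-instance-azure-environment`; confirm the `azuredeploy.json` exists at the new path on `master` of azure-quickstart-templates, because the portal fetches the raw URL at click time and a wrong path yields a broken deployment form with no hint to the reader. Both the old and the new link also load the template from the mutable `master` branch, so what gets deployed into the reader's subscription is whatever that file contains when the button is pressed; if reproducibility matters, consider pinning the raw URL to a commit or release tag and noting in the text which template version the form corresponds to.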
azure-sql Db2 To Sql Database Guide https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/migration-guides/database/db2-to-sql-database-guide.md
For additional assistance, see the following resources, which were developed in
|Asset |Description | ||| |[Data workload assessment model and tool](https://github.com/Microsoft/DataMigrationTeam/tree/master/Data%20Workload%20Assessment%20Model%20and%20Tool)| This tool provides suggested "best fit" target platforms, cloud readiness, and application/database remediation level for a given workload. It offers simple, one-click calculation and report generation that helps to accelerate large estate assessments by providing and automated and uniform target platform decision process.|
-|[Db2 zOS data assets discovery and assessment package](https://www.microsoft.com/download/details.aspx?id=103108)|After running the SQL script on a database, you can export the results to a file on the file system. Several file formats are supported, including *.csv, so that you can capture the results in external tools such as spreadsheets. This method can be useful if you want to easily share results with teams that do not have the workbench installed.|
+|[Db2 zOS data assets discovery and assessment package](https://www.microsoft.com/download/details.aspx?id=103108)|After running the SQL script on a database, you can export the results to a file on the file system. Several file formats are supported, including \*.csv, so that you can capture the results in external tools such as spreadsheets. This method can be useful if you want to easily share results with teams that do not have the workbench installed.|
|[IBM Db2 LUW inventory scripts and artifacts](https://www.microsoft.com/download/details.aspx?id=103109)|This asset includes a SQL query that hits IBM Db2 LUW version 11.1 system tables and provides a count of objects by schema and object type, a rough estimate of "raw data" in each schema, and the sizing of tables in each schema, with results stored in a CSV format.|
+|[IBM Db2 to SQL DB - Database Compare utility](https://www.microsoft.com/download/details.aspx?id=103016)|The Database Compare utility is a Windows console application that you can use to verify that the data is identical both on source and target platforms. You can use the tool to efficiently compare data down to the row or column level in all or selected tables, rows, and columns.|
The Data SQL Engineering team developed these resources. This team's core charter is to unblock and accelerate complex modernization for data platform migration projects to Microsoft's Azure data platform.
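Review bot: escaping `*.csv` as `\*.csv` in the Db2 zOS row is the right fix, since an unescaped asterisk inside a Markdown table cell can open emphasis and garble the rest of the row; the same pattern is worth checking in the other rows of this table. The new "IBM Db2 to SQL DB - Database Compare utility" row links to download id=103016, which is also the id used by the "MySQL to SQL DB - Database Compare utility" row added in the MySQL guide below; confirm that one package genuinely covers both sources, or correct whichever link is wrong so readers do not download a Db2 tool from the MySQL guide or vice versa.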
azure-sql Mysql To Sql Database Guide https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/migration-guides/database/mysql-to-sql-database-guide.md
For more assistance with completing this migration scenario, see the following r
| Title | Description | | | | | [Data workload assessment model and tool](https://github.com/Microsoft/DataMigrationTeam/tree/master/Data%20Workload%20Assessment%20Model%20and%20Tool) | Provides suggested ΓÇ£best fitΓÇ¥ target platforms, cloud readiness, and application/database remediation levels for specified workloads. It offers simple, one-click calculation and report generation that helps to accelerate large estate assessments by providing an automated, uniform target-platform decision process. |
+|[MySQL to SQL DB - Database Compare utility](https://www.microsoft.com/download/details.aspx?id=103016)|The Database Compare utility is a Windows console application that you can use to verify that the data is identical both on source and target platforms. You can use the tool to efficiently compare data down to the row or column level in all or selected tables, rows, and columns.|
The Data SQL Engineering team developed these resources. This team's core charter is to unblock and accelerate complex modernization for data platform migration projects to Microsoft's Azure data platform.
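Review bot: the context row directly above the new entry still carries mis-encoded smart quotes (`ΓÇ£best fitΓÇ¥`); since this file is being touched anyway, replace them with plain quotes ("best fit") as the Db2 guides in this batch already do.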
The Data SQL Engineering team developed these resources. This team's core charte
- For migration videos, see [Overview of the migration journey and recommended migration and assessment tools and services](https://azure.microsoft.com/resources/videos/overview-of-migration-and-recommended-tools-services/). -- For more [cloud migration resources](https://azure.microsoft.com/migration/resources/), see [cloud migration solutions](https://azure.microsoft.com/migration).
+- For more [cloud migration resources](https://azure.microsoft.com/migration/resources/), see [cloud migration solutions](https://azure.microsoft.com/migration).
azure-sql Oracle To Sql Database Guide https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/migration-guides/database/oracle-to-sql-database-guide.md
For more assistance with completing this migration scenario, see the following r
| [Automate SSMA Oracle Assessment Collection & Consolidation](https://github.com/microsoft/DataMigrationTeam/tree/master/IP%20and%20Scripts/Automate%20SSMA%20Oracle%20Assessment%20Collection%20%26%20Consolidation) | This set of resources uses a .csv file as entry (sources.csv in the project folders) to produce the xml files that are needed to run an SSMA assessment in console mode. The source.csv is provided by the customer based on an inventory of existing Oracle instances. The output files are AssessmentReportGeneration_source_1.xml, ServersConnectionFile.xml, and VariableValueFile.xml.| | [SSMA for Oracle Common Errors and How to Fix Them](https://aka.ms/dmj-wp-ssma-oracle-errors) | With Oracle, you can assign a nonscalar condition in the WHERE clause. However, SQL Server doesn't support this type of condition. As a result, SSMA for Oracle doesn't convert queries with a nonscalar condition in the WHERE clause. Instead, it generates the error O2SS0001. This white paper provides more details on the issue and ways to resolve it. | | [Oracle to SQL Server Migration Handbook](https://github.com/microsoft/DataMigrationTeam/blob/master/Whitepapers/Oracle%20to%20SQL%20Server%20Migration%20Handbook.pdf) | This document focuses on the tasks associated with migrating an Oracle schema to the latest version of SQL Server Database. If the migration requires changes to features or functionality, the possible impact of each change on the applications that use the database must be considered carefully. |
+|[Oracle to SQL DB - Database Compare utility](https://www.microsoft.com/download/details.aspx?id=103016)|SSMA for Oracle Tester is the recommended tool to automatically validate the database object conversion and data migration, and it's a superset of Database Compare functionality.<br /><br />If you're looking for an alternative data validation option, you can use the Database Compare utility to compare data down to the row or column level in all or selected tables, rows, and columns.|
The Data SQL Engineering team developed these resources. This team's core charter is to unblock and accelerate complex modernization for data platform migration projects to Microsoft's Azure data platform.
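Review bot: the cell text opens by recommending SSMA for Oracle Tester as the preferred validation tool, yet the row's only link is the Database Compare download and the row title names Database Compare; add a link to the SSMA for Oracle Tester documentation alongside it so readers can reach the recommended option. Also check that raw `<br /><br />` inside a table cell matches the convention used elsewhere in this file.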
The Data SQL Engineering team developed these resources. This team's core charte
- [Cloud Migration Resources](https://azure.microsoft.com/migration/resources) - For video content, see:
- - [Overview of the migration journey and the tools and services recommended for performing assessment and migration](https://azure.microsoft.com/resources/videos/overview-of-migration-and-recommended-tools-services/)
+ - [Overview of the migration journey and the tools and services recommended for performing assessment and migration](https://azure.microsoft.com/resources/videos/overview-of-migration-and-recommended-tools-services/)
azure-sql Db2 To Managed Instance Guide https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/migration-guides/managed-instance/db2-to-managed-instance-guide.md
For additional assistance, see the following resources, which were developed in
|[Data workload assessment model and tool](https://github.com/Microsoft/DataMigrationTeam/tree/master/Data%20Workload%20Assessment%20Model%20and%20Tool)| This tool provides suggested "best fit" target platforms, cloud readiness, and application/database remediation level for a given workload. It offers simple, one-click calculation and report generation that helps to accelerate large estate assessments by providing and automated and uniform target platform decision process.| |[Db2 zOS data assets discovery and assessment package](https://www.microsoft.com/download/details.aspx?id=103108)|After running the SQL script on a database, you can export the results to a file on the file system. Several file formats are supported, including \*.csv, so that you can capture the results in external tools such as spreadsheets. This method can be useful if you want to easily share results with teams that do not have the workbench installed.| |[IBM Db2 LUW inventory scripts and artifacts](https://www.microsoft.com/download/details.aspx?id=103109)|This asset includes a SQL query that hits IBM Db2 LUW version 11.1 system tables and provides a count of objects by schema and object type, a rough estimate of "raw data" in each schema, and the sizing of tables in each schema, with results stored in a CSV format.|
+|[IBM Db2 to SQL MI - Database Compare utility](https://www.microsoft.com/download/details.aspx?id=103016)|The Database Compare utility is a Windows console application that you can use to verify that the data is identical both on source and target platforms. You can use the tool to efficiently compare data down to the row or column level in all or selected tables, rows, and columns.|
The Data SQL Engineering team developed these resources. This team's core charter is to unblock and accelerate complex modernization for data platform migration projects to Microsoft's Azure data platform.
azure-sql Oracle To Managed Instance Guide https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/migration-guides/managed-instance/oracle-to-managed-instance-guide.md
For more assistance with completing this migration scenario, see the following r
| [Automate SSMA Oracle Assessment Collection & Consolidation](https://github.com/microsoft/DataMigrationTeam/tree/master/IP%20and%20Scripts/Automate%20SSMA%20Oracle%20Assessment%20Collection%20%26%20Consolidation) | This set of resources uses a .csv file as entry (sources.csv in the project folders) to produce the xml files that are needed to run an SSMA assessment in console mode. The source.csv is provided by the customer based on an inventory of existing Oracle instances. The output files are AssessmentReportGeneration_source_1.xml, ServersConnectionFile.xml, and VariableValueFile.xml.| | [SSMA for Oracle Common Errors and How to Fix Them](https://aka.ms/dmj-wp-ssma-oracle-errors) | With Oracle, you can assign a nonscalar condition in the WHERE clause. However, SQL Server doesn't support this type of condition. As a result, SSMA for Oracle doesn't convert queries with a nonscalar condition in the WHERE clause. Instead, it generates the error O2SS0001. This white paper provides more details on the issue and ways to resolve it. | | [Oracle to SQL Server Migration Handbook](https://github.com/microsoft/DataMigrationTeam/blob/master/Whitepapers/Oracle%20to%20SQL%20Server%20Migration%20Handbook.pdf) | This document focuses on the tasks associated with migrating an Oracle schema to the latest version of SQL Server Database. If the migration requires changes to features or functionality, the possible impact of each change on the applications that use the database must be considered carefully. |
+|[Oracle to SQL MI - Database Compare utility](https://www.microsoft.com/download/details.aspx?id=103016)|SSMA for Oracle Tester is the recommended tool to automatically validate the database object conversion and data migration, and it's a superset of Database Compare functionality.<br /><br />If you're looking for an alternative data validation option, you can use the Database Compare utility to compare data down to the row or column level in all or selected tables, rows, and columns.|
The Data SQL Engineering team developed these resources. This team's core charter is to unblock and accelerate complex modernization for data platform migration projects to Microsoft's Azure data platform.
The Data SQL Engineering team developed these resources. This team's core charte
- [Best practices for costing and sizing workloads for migration to Azure](/azure/cloud-adoption-framework/migrate/azure-best-practices/migrate-best-practices-costs) - For video content, see:
- - [Overview of the migration journey and the tools and services recommended for performing assessment and migration](https://azure.microsoft.com/resources/videos/overview-of-migration-and-recommended-tools-services/)
+ - [Overview of the migration journey and the tools and services recommended for performing assessment and migration](https://azure.microsoft.com/resources/videos/overview-of-migration-and-recommended-tools-services/)
azure-sql Db2 To Sql On Azure Vm Guide https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/migration-guides/virtual-machines/db2-to-sql-on-azure-vm-guide.md
For additional assistance, see the following resources, which were developed in
|[Data workload assessment model and tool](https://github.com/Microsoft/DataMigrationTeam/tree/master/Data%20Workload%20Assessment%20Model%20and%20Tool)| This tool provides suggested "best fit" target platforms, cloud readiness, and application/database remediation level for a given workload. It offers simple, one-click calculation and report generation that helps to accelerate large estate assessments by providing and automated and uniform target platform decision process.| |[Db2 zOS data assets discovery and assessment package](https://www.microsoft.com/download/details.aspx?id=103108)|After running the SQL script on a database, you can export the results to a file on the file system. Several file formats are supported, including \*.csv, so that you can capture the results in external tools such as spreadsheets. This method can be useful if you want to easily share results with teams that do not have the workbench installed.| |[IBM Db2 LUW inventory scripts and artifacts](https://www.microsoft.com/download/details.aspx?id=103109)|This asset includes a SQL query that hits IBM Db2 LUW version 11.1 system tables and provides a count of objects by schema and object type, a rough estimate of "raw data" in each schema, and the sizing of tables in each schema, with results stored in a CSV format.|
+|[IBM Db2 to SQL Server - Database Compare utility](https://www.microsoft.com/download/details.aspx?id=103016)|The Database Compare utility is a Windows console application that you can use to verify that the data is identical both on source and target platforms. You can use the tool to efficiently compare data down to the row or column level in all or selected tables, rows, and columns.|
The Data SQL Engineering team developed these resources. This team's core charter is to unblock and accelerate complex modernization for data platform migration projects to Microsoft's Azure data platform.
azure-sql Oracle To Sql On Azure Vm Guide https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/migration-guides/virtual-machines/oracle-to-sql-on-azure-vm-guide.md
For more help with completing this migration scenario, see the following resourc
| [Automate SSMA Oracle Assessment Collection & Consolidation](https://github.com/microsoft/DataMigrationTeam/tree/master/IP%20and%20Scripts/Automate%20SSMA%20Oracle%20Assessment%20Collection%20%26%20Consolidation) | This set of resources uses a .csv file as entry (sources.csv in the project folders) to produce the XML files that you need to run an SSMA assessment in console mode. You provide the source.csv file by taking an inventory of existing Oracle instances. The output files are AssessmentReportGeneration_source_1.xml, ServersConnectionFile.xml, and VariableValueFile.xml.| | [SSMA issues and possible remedies when migrating Oracle databases](https://aka.ms/dmj-wp-ssma-oracle-errors) | With Oracle, you can assign a non-scalar condition in a WHERE clause. SQL Server doesn't support this type of condition. So SSMA for Oracle doesn't convert queries that have a non-scalar condition in the WHERE clause. Instead, it generates an error: O2SS0001. This white paper provides details on the problem and ways to resolve it. | | [Oracle to SQL Server Migration Handbook](https://github.com/microsoft/DataMigrationTeam/blob/master/Whitepapers/Oracle%20to%20SQL%20Server%20Migration%20Handbook.pdf) | This document focuses on the tasks associated with migrating an Oracle schema to the latest version of SQL Server. If the migration requires changes to features/functionality, you need to carefully consider the possible effect of each change on the applications that use the database. |
+|[Oracle to SQL Server - Database Compare utility](https://www.microsoft.com/download/details.aspx?id=103016)|SSMA for Oracle Tester is the recommended tool to automatically validate the database object conversion and data migration, and it's a superset of Database Compare functionality.<br /><br />If you're looking for an alternative data validation option, you can use the Database Compare utility to compare data down to the row or column level in all or selected tables, rows, and columns.|
The Data SQL Engineering team developed these resources. This team's core charter is to unblock and accelerate complex modernization for data-platform migration projects to the Microsoft Azure data platform.
The Data SQL Engineering team developed these resources. This team's core charte
- [Get free extended support for SQL Server 2008 and SQL Server 2008 R2](../../virtual-machines/windows/sql-server-2008-extend-end-of-support.md) - To assess the application access layer, use [Data Access Migration Toolkit Preview](https://marketplace.visualstudio.com/items?itemName=ms-databasemigration.data-access-migration-toolkit).-- For details on how to do data access layer A/B testing, see [Overview of Database Experimentation Assistant](/sql/dea/database-experimentation-assistant-overview).
+- For details on how to do data access layer A/B testing, see [Overview of Database Experimentation Assistant](/sql/dea/database-experimentation-assistant-overview).
azure-video-analyzer Sdk https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-docs/sdk.md
Azure Video Analyzer includes two groups of SDKs. The management SDKs are used f
## Management SDKs
-The management SDKs allow you to interact with the resources exposed by Azure Resource Manager. You can create Video Analyzer account, generate provisioning tokens for edge modules, manage access policies for videos and more. The SDKs are built on top of an underlying [REST API].
+The management SDKs allow you to interact with the resources exposed by Azure Resource Manager. You can create Video Analyzer account, generate provisioning tokens for edge modules, manage access policies for videos and more. The SDKs are built on top of an underlying [REST API](https://docs.microsoft.com/rest/api/videoanalyzer/?branch=video).
The following platforms are supported:
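Review bot: the new inline link carries a `?branch=video` query string, which looks like a preview-branch selector left over from authoring and should be dropped before publishing; prefer the site-relative path `/rest/api/videoanalyzer/` over the absolute `https://docs.microsoft.com/...` form as well. Minor: "You can create Video Analyzer account" is missing the article ("a Video Analyzer account").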
azure-video-analyzer Release Notes https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-for-media-docs/release-notes.md
To stay up-to-date with the most recent Azure Video Analyzer for Media (former V
* Bug fixes * Deprecated functionality
+## May 2021
+
+### New source languages support for speech-to-text (STT), translation, and search
+
+Video Analyzer for Media now supports STT, translation, and search in Chinese (Cantonese) ('zh-HK'), Dutch (Netherlands) ('Nl-NL'), Czech ('Cs-CZ'), Polish ('Pl-PL'), Swedish (Sweden) ('Sv-SE'), Norwegian('nb-NO'), Finnish('fi-FI'), Canadian French ('fr-CA'), Thai('th-TH'),
+Arabic: (United Arab Emirates) ('ar-AE', 'ar-EG'), (Iraq) ('ar-IQ'), (Jordan) ('ar-JO'), (Kuwait) ('ar-KW'), (Lebanon) ('ar-LB'), (Oman) ('ar-OM'), (Qatar) ('ar-QA'), (Palestinian Authority) ('ar-PS'), (Syria) ('ar-SY'), and Turkish('tr-TR').
+
+These languages are available in both API and Video Analyzer for Media website. Select the language from the combobox under **Video source language**.
+
+### New theme for Azure Video Analyzer for Media
+
+New theme is available: 'Azure' along with the 'light' and 'dark themes. To select a theme, click on the gear icon in the top-right corner of the website, find themes under **User settings**.
+
+### New open-source code you can leverage
+
+Three new Git-Hub projects are available at our [GitHub repository](https://github.com/Azure-Samples/media-services-video-indexer):
+
+* Code to help you leverage the newly added [widget customization](https://github.com/Azure-Samples/media-services-video-indexer/tree/master/Embedding%20widgets).
+* Solution to help you add [custom search](https://github.com/Azure-Samples/media-services-video-indexer/tree/master/VideoSearchWithAutoMLVision) to your video libraries.
+* Solution to help you add [de-duplication](https://github.com/Azure-Samples/media-services-video-indexer/commit/6b828f598f5bf61ce1b6dbcbea9e8b87ba11c7b1) to your video libraries.
+
+### New option to toggle bounding boxes (for observed people) on the player
+
+When indexing a video through our advanced video settings, you can view our new observed people capabilities.
+
+If there are people detected in your media file, you can enable a bounding box on the detected person through the media player.
+ ## April 2021 The Video Indexer service was renamed to Azure Video Analyzer for Media.
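Review bot: the locale codes in the STT paragraph are inconsistently cased ('Nl-NL', 'Cs-CZ', 'Pl-PL', 'Sv-SE' capitalize the language subtag while 'zh-HK', 'nb-NO', 'fi-FI', 'th-TH' do not); use the lowercase-language, uppercase-region form throughout, since readers will copy these values into API calls. Also: the theme sentence is missing a closing quote in `'light' and 'dark themes`; "Git-Hub" should be "GitHub"; the de-duplication bullet links to a specific commit hash rather than a sample folder and will go stale, so link the directory instead; and the added `## April 2021` heading appears on the same line as the paragraph that follows it, so make sure the heading sits on its own line with a blank line after it.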
You can now use the search feature, at the top of the [Video Analyzer for Media
### Multiple account owners
-Account owner role was added to Video Analyzer for Media. You can add, change and remove users; change their role. For details on how to share an account, see [Invite users](invite-users.md).
+Account owner role was added to Video Analyzer for Media. You can add, change, and remove users; change their role. For details on how to share an account, see [Invite users](invite-users.md).
### Audio event detection (public preview) > [!NOTE] > This feature is only available in trial accounts.
-Video Analyzer for Media now detects the following audio effects in the non-speech segments of the content: gunshot, glass shatter, alarm, siren, explosion, dog bark, screaming, laughter, crowd reactions (cheering, clapping and booing) and Silence.
+Video Analyzer for Media now detects the following audio effects in the non-speech segments of the content: gunshot, glass shatter, alarm, siren, explosion, dog bark, screaming, laughter, crowd reactions (cheering, clapping, and booing) and Silence.
The newly added audio affects feature is available when indexing your file by choosing the **Advanced option** -> **Advanced audio** preset (under Video + audio indexing). Standard indexing will only include **silence** and **crowd reaction**.
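Review bot: "Silence" is capitalized while every other effect in the list is lowercase; make it "silence" to match (the next paragraph already refers to **silence** in lowercase). The following context line also reads "audio affects feature", which should be "audio effects feature".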
In the coming weeks we will change it and return the [Video Analyzer for Media w
Do not use the internal URLs, you should be using the [Video Analyzer for Media public APIs](https://api-portal.videoindexer.ai/). * If you are embedding Video Analyzer for Media URLs in your applications and the URLs are not pointing to the [Video Analyzer for Media website](https://www.videoindexer.ai/) or the Video Analyzer for Media API endpoint (`https://api.videoindexer.ai`) but rather to a regional endpoint (for example, `https://wus2.videoindexer.ai`), regenerate the URLs.
- You can do it it by either:
+ You can do it by either:
* Replacing the URL with a URL pointing to the Video Analyzer for Media widget APIs (for example, the [insights widget](https://api-portal.videoindexer.ai/api-details#api=Operations&operation=Get-Video-Insights-Widget)) * Using the Video Analyzer for Media website to generate a new embedded URL:
cloud-services Cloud Services Guestos Update Matrix https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cloud-services/cloud-services-guestos-update-matrix.md
na Previously updated : 5/26/2021 Last updated : 6/9/2021 # Azure Guest OS releases and SDK compatibility matrix
The September Guest OS has released.
.NET Framework installed: 3.5, 4.7.2 > [!NOTE]
-> The Windows Azure SDK for .NET - 3.0 can be downloaded [here][Windows Azure SDK].
->
->Installation steps:
->1. Please uninstall any older versions of MicrosoftAzureAuthoringTools*.msi
->2. Install the [Azure SDK for .NET - 3.0][Windows Azure SDK]
->3. Restart your machine
->4. Create a new Cloud Service project and add a single Worker Role
->5. Change the OS Family to 6 and build a package
->6. Deploy the package to Azure using the Azure portal or Visual Studio
+> It is recommended to develop Cloud Services on Visual Studio 2019 and install the Azure Workload.
> >Guest OS Family 6 release enforces TLS 1.2 by explicitly disabling TLS 1.0 and 1.1 and defining a specific set of cipher suites. Learn [more].
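Review bot: removing the installation steps also removes the only uses of the `[Windows Azure SDK]` reference-style link in this note; if its definition at the bottom of the file is not removed in the same change it becomes an unused reference. The replacement sentence should also name the workload precisely (the Visual Studio "Azure development" workload) and can be phrased actively: "Develop Cloud Services on Visual Studio 2019 with the Azure development workload installed."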
cognitive-services Use Persondirectory https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Face/Face-API-How-to-Topics/use-persondirectory.md
HttpResponseMessage response;
// Request body var body = new Dictionary<string, object>(); body.Add("faceIds", new List<string>{"{guid1}", "{guid2}", …});
-body.Add("personIds", "['*']");
+body.Add("personIds", new List<string>{"{guid1}", "{guid2}", …});
byte[] byteData = Encoding.UTF8.GetBytes(JsonConvert.SerializeObject(body)); using (var content = new ByteArrayContent(byteData))
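Review bot: the `…` inside the collection initializer `new List<string>{"{guid1}", "{guid2}", …}` is not valid C#, so the snippet will not compile as pasted; replace it with a trailing comment such as `/* more IDs */`. The same `{guid1}`, `{guid2}` placeholders are now used for both `faceIds` and `personIds`, which invites readers to pass face IDs where person IDs are expected; use distinct placeholders like `{faceId1}` and `{personId1}`. If the wildcard the removed line hinted at (`'*'`, meaning all persons) is still supported, document it in proper list form rather than dropping it silently.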
cognitive-services Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Face/Overview.md
The Detect API detects human faces in an image and returns the rectangle coordin
> [!NOTE] > The face detection feature is also available through the [Computer Vision service](../computer-vision/overview.md). However, if you want to do further Face operations like Identify, Verify, Find Similar, or Group, you should use this Face service instead.
-![An image of a woman and a man, with rectangles drawn around their faces and age and gender displayed](./Images/Face.detection.jpg)
- For more information on face detection, see the [Face detection](concepts/face-detection.md) concepts article. Also see the [Detect API](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/563879b61984550f30395236) reference documentation. ## Face verification
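Review bot: with the image reference removed, check that `./Images/Face.detection.jpg` is no longer referenced anywhere else in the docset and delete it in the same change, otherwise it lingers as an orphaned asset. The removed alt text described the image as showing age and gender, so any remaining wording in this article that still promises those attributes should be checked for consistency.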
cognitive-services Encrypt Data At Rest https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/QnAMaker/encrypt-data-at-rest.md
Customer-managed keys are available in all Azure Search regions.
## Encryption of data in transit
-QnA Maker portal runs in the user's browser. Every action triggers a direct call to the respective cognitive service API. Hence, QnA Maker is compliant for data in transit.
+QnA Maker portal runs in the user's browser. Every action triggers a direct call to the respective Cognitive Service API. Hence, QnA Maker is compliant for data in transit.
However, as the QnA Maker portal service is hosted in West-US, it is still not ideal for non-US customers. ## Next steps
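Review bot: "QnA Maker is compliant for data in transit" asserts compliance without saying what protects the traffic; state the mechanism instead (the browser calls the Cognitive Services API endpoints over HTTPS, so data in transit is TLS-encrypted) so readers can verify the claim. The following context line's "West-US" should be "West US" to match the region naming used elsewhere.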
cognitive-services How To Custom Commands Developer Flow Test https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Speech-Service/how-to-custom-commands-developer-flow-test.md
To set up the client, checkout [Windows Voice Assistant Client](https://github.c
> [!div class="mx-imgBorder"] > ![WVAC Create profile](media/custom-commands/conversation.png)
-## Test programatically with Cognitive Services Voice Assistant Test Tool
-The Voice Assistant Test (VST) tool is a configurable .NET core C# console application for end-to-end functional regression tests for your Microsoft Voice Assistant.
+## Test programatically with the Cognitive Services Voice Assistant Test Tool
-The tool can run manually as a console command or automated as part of Azure DevOps CI/CD pipeline to prevent regressions in your bot.
+The Voice Assistant Test Tool is a configurable .NET Core C# console application for end-to-end functional regression tests for your Microsoft Voice Assistant.
-To setup the tool, see [Voice Assistant Test Tool](https://github.com/Azure-Samples/Cognitive-Services-Voice-Assistant/tree/main/clients/csharp-dotnet-core/voice-assistant-test).
+The tool can run manually as a console command or automated as part of an Azure DevOps CI/CD pipeline to prevent regressions in your bot.
+
+To learn how to set up the tool, see [Voice Assistant Test Tool](https://github.com/Azure-Samples/Cognitive-Services-Voice-Assistant/tree/main/clients/csharp-dotnet-core/voice-assistant-test).
+
+## Test with Speech SDK-enabled client applications
-## Test with Speech SDK-enabled client applications
The Speech software development kit (SDK) exposes many of the Speech service capabilities, which allows you to develop speech-enabled applications. It's available in many programming languages on most platforms. To set up a Universal Windows Platform (UWP) client application with Speech SDK, and integrate it with your custom command application:
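Review bot: the reworded heading keeps the spelling error "programatically"; it should be "programmatically". The rest of the hunk (splitting the Voice Assistant Test Tool description into its own paragraph and moving the Speech SDK heading after the blank line) reads fine.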
cognitive-services How To Use Codec Compressed Audio Input Streams https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Speech-Service/how-to-use-codec-compressed-audio-input-streams.md
zone_pivot_groups: programming-languages-set-twenty-two
-# Use codec compressed audio input with the Speech SDK
+# Use codec compressed audio input
-The Speech service SDK can accept compressed audio formats. It decoompresses the audio before it sends it over the wire to the Speech service as raw PCM.
+The Speech SDK and Speech CLI can accept compressed audio formats using GStreamer. GStreamer decompresses the audio before it is sent over the wire to the Speech service as raw PCM.
Platform | Languages | Supported GStreamer version | : | : | ::
Android | Java | [1.18.3](https://gstreamer.freedesktop.org/data/pkg/android/1.
## Speech SDK version required for compressed audio input * Speech SDK version 1.10.0 or later is required for RHEL 8 and CentOS 8 * Speech SDK version 1.11.0 or later is required for for Windows.
-* Speech SDK version 1.16.0 or later for latest gstreamer on Windows and Android.
+* Speech SDK version 1.16.0 or later for latest GStreamer on Windows and Android.
[!INCLUDE [supported-audio-formats](includes/supported-audio-formats.md)]
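Review bot: the context bullet under "Speech SDK version required" still reads "is required for for Windows" (duplicated "for"); fix it while this file is open. Since the intro now says decompression happens via GStreamer, add a sentence saying that GStreamer is a separately installed dependency and point readers to the platform table for the supported versions.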
cognitive-services Spx Basics https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Speech-Service/spx-basics.md
spx help translate
## Next steps
+* [Install GStreamer to use Speech CLI with MP3 and other formats](./how-to-use-codec-compressed-audio-input-streams.md)
* [Speech CLI configuration options](./spx-data-store-configuration.md) * [Batch operations with the Speech CLI](./spx-batch-operations.md)
cognitive-services Cognitive Services Apis Create Account Cli https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/cognitive-services-apis-create-account-cli.md
az group create \
When creating a new resource, you will need to know the "kind" of service you want to use, along with the [pricing tier](https://azure.microsoft.com/pricing/details/cognitive-services/) (or sku) you want. You will use this and other information as parameters when creating the resource.
-### Multi-service
-
-| Service | Kind |
-|-||
-| Multiple services. See the [pricing](https://azure.microsoft.com/pricing/details/cognitive-services/) page for more details. | `CognitiveServices` |
--
-> [!NOTE]
-> Many of the Cognitive Services below have a free tier you can use to try the service. To use the free tier, use `F0` as the sku for your resource.
-
-### Vision
-
-| Service | Kind |
-|-||
-| Computer Vision | `ComputerVision` |
-| Custom Vision - Prediction | `CustomVision.Prediction` |
-| Custom Vision - Training | `CustomVision.Training` |
-| Face | `Face` |
-| Form Recognizer | `FormRecognizer` |
-| Ink Recognizer | `InkRecognizer` |
-
-### Speech
-
-| Service | Kind |
-|--|-|
-| Speech Services | `SpeechServices` |
-| Speech Recognition | `SpeakerRecognition` |
-
-### Language
-
-| Service | Kind |
-|--||
-| Form Understanding | `FormUnderstanding` |
-| LUIS | `LUIS` |
-| QnA Maker | `QnAMaker` |
-| Text Analytics | `TextAnalytics` |
-| Text Translation | `TextTranslation` |
-### Decision
-| Service | Kind |
-|-|--|
-| Anomaly Detector | `AnomalyDetector` |
-| Content Moderator | `ContentModerator` |
-| Personalizer | `Personalizer` |
You can find a list of available Cognitive Service "kinds" with the [az cognitiveservices account list-kinds](/cli/azure/cognitiveservices/account#az_cognitiveservices_account_list_kinds) command:
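Review bot: the removed tables carried the only mention that many services offer a free tier and that `F0` is the sku to request it; the replacement text points to `az cognitiveservices account list-kinds`, which lists kinds but not pricing tiers, so restore the free-tier note next to the pricing-tier sentence above. The removed tables also contained a broken header separator (`|-||`) and a stray `--` line, so dropping them in favour of the CLI command is otherwise an improvement.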
cognitive-services Reference Sdk Api V2 0 https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/form-recognizer/api-v2-0/reference-sdk-api-v2-0.md
description: Use the Form Recognizer client library v3.0.0 or REST API v2.0 to c
-+ Last updated 05/25/2021
cognitive-services Build Training Data Set https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/form-recognizer/build-training-data-set.md
description: Learn how to ensure your training data set is optimized for