Updates from: 06/11/2021 03:16:08
Service Microsoft Docs article Related commit history on GitHub Change details
active-directory-b2c Conditional Access User Flow https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/conditional-access-user-flow.md
To add a Conditional Access policy:
| **Device platforms** |Not supported |Characterized by the operating system that runs on a device. For more information, see [Device platforms](../active-directory/conditional-access/concept-conditional-access-conditions.md#device-platforms). | | **Locations** |P1,P2 |Named locations may include the public IPv4 network information, country or region, or unknown areas that don't map to specific countries or regions. For more information, see [Locations](../active-directory/conditional-access/concept-conditional-access-conditions.md#locations). | -
-1. Under **Access controls**, select **Grant**. Then select whether to block or grant access:
+3. Under **Access controls**, select **Grant**. Then select whether to block or grant access:
|Option | License | Note | |||| | **Block access** |P1, P2| Prevents access based on the conditions specified in this conditional access policy. | | **Grant access** with **Require multi-factor authentication** | P1, P2| Based on the conditions specified in this conditional access policy, the user is required to go through Azure AD B2C multi-factor authentication. |
-1. Under **Enable policy**, select one of the following:
+4. Under **Enable policy**, select one of the following:
| Option | License | Note | ||||
To add a Conditional Access policy:
|**On** | P1, P2 |The access policy is evaluated and not enforced. | |**Off** | P1, P2 | The access policy is not activated and has no effect on the users. |
-1. Enable your test Conditional Access policy by selecting **Create**.
+5. Enable your test Conditional Access policy by selecting **Create**.
## Template 1: Sign-in risk-based Conditional Access
-Most users have a normal behavior that can be tracked, when they fall outside of this norm it could be risky to allow them to just sign in. You may want to block that user or maybe just ask them to perform multi-factor authentication to prove that they are really who they say they are.
-A sign-in risk represents the probability that a given authentication request isn't authorized by the identity owner. Azure AD B2C tenants with P2 licenses can create Conditional Access policies incorporating [Azure AD Identity Protection sign-in risk detections](../active-directory/identity-protection/concept-identity-protection-risks.md#sign-in-risk). Note the [limitations on Identity Protection detections for B2C](./identity-protection-investigate-risk.md?pivots=b2c-user-flow#service-limitations-and-considerations).
-If risk is detected, users can perform multi-factor authentication to self-remediate and close the risky sign-in event to prevent unnecessary noise for administrators.
-Configure Conditional Access through the Azure portal or Microsoft Graph APIs to enable a sign-in risk-based Conditional Access policy requiring MFA when the sign-in risk is *medium* or *high*.
-To configure your conditional access:
+Most users have a normal behavior that can be tracked, when they fall outside of this norm it could be risky to allow them to just sign in. You may want to block that user or maybe just ask them to perform multi-factor authentication to prove that they are really who they say they are. A sign-in risk represents the probability that a given authentication request isn't authorized by the identity owner. Azure AD B2C tenants with P2 licenses can create Conditional Access policies incorporating Azure AD Identity Protection sign-in risk detections.
+
+Note the limitations on Identity Protection detections for B2C. If risk is detected, users can perform multi-factor authentication to self-remediate and close the risky sign-in event to prevent unnecessary noise for administrators.
+
+Configure Conditional Access through the Azure portal or Microsoft Graph APIs to enable a sign-in risk-based Conditional Access policy requiring MFA when the sign-in risk is medium or high.
-1. Sign in to the **Azure portal**.
-2. Browse to **Azure AD B2C** > **Security** > **Conditional Access**.
-3. Select **New policy**.
-4. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
-5. Under **Assignments**, select **Users and groups**.
1. Under **Include**, select **All users**. 2. Under **Exclude**, select **Users and groups** and choose your organization's emergency access or break-glass accounts. 3. Select **Done**.
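Review bot: the rewritten introduction to Template 1 drops both links that the removed paragraphs carried. "Azure AD Identity Protection sign-in risk detections" and "limitations on Identity Protection detections for B2C" are now plain text, so "Note the limitations on Identity Protection detections for B2C" no longer leads anywhere. Restore the two targets from the removed lines (`../active-directory/identity-protection/concept-identity-protection-risks.md#sign-in-risk` and `./identity-protection-investigate-risk.md?pivots=b2c-user-flow#service-limitations-and-considerations`). The first added paragraph also keeps the comma splice "can be tracked, when they fall outside of this norm"; split it into two sentences while the text is being touched.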
With the location condition in Conditional Access, you can control access to you
[Using the location condition in a Conditional Access policy](../active-directory/conditional-access/location-condition.md Configure Conditional Access through Azure portal or Microsoft Graph APIs to enable a Conditional Access policy blocking access to specific locations.
+For more information about the location condition in Conditional Access can be found in the article, [Using the location condition in a Conditional Access policy](../active-directory/conditional-access/location-condition.md)
### Define locations+ 1. Sign in to the **Azure portal**. 2. Browse to **Azure AD B2C** > **Security** > **Conditional Access** > **Named Locations**. 3. Select **Countries location** or **IP ranges location**
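Review bot: the added sentence about the location condition is ungrammatical ("For more information about the location condition in Conditional Access can be found in the article, ...") and has no closing period. Suggest "For more information, see [Using the location condition in a Conditional Access policy](../active-directory/conditional-access/location-condition.md)." which matches the "For more information, see" wording already used in the conditions table of this article.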
active-directory-b2c Configure Authentication Sample Web App https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/configure-authentication-sample-web-app.md
Previously updated : 05/25/2021 Last updated : 06/10/2021
For web apps that request an ID token directly from Azure AD B2C, enable the imp
1. Under **Implicit grant**, select the **ID tokens** check box. 1. Select **Save**.
-## Step 3: Get your tenant name
-
-To integrate your app with your Azure AD B2C tenant, you need to specify your tenant name in the app configuration file. Follow these steps to get your tenant name:
-
-1. Sign in to the [Azure portal](https://portal.azure.com).
-1. Select the **Directory + subscription** filter in the top menu, and then select the directory that contains your Azure AD B2C tenant.
-1. In the **Overview**, copy the first part of the **Domain name**.
-
-![Get your tenant name](./media/configure-authentication-sample-web-app/get-azure-ad-b2c-tenant-name.png)
--
-## Step 4: Get the web app sample
+## Step 3: Get the web app sample
[Download the zip file](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/archive/refs/heads/master.zip), or clone the sample web application from GitHub.
git clone https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-op
Extract the sample file to a folder where the total character length of the path is less than 260.
-## Step 5: Configure the sample application
+## Step 4: Configure the sample application
In the sample folder, under the `1-WebApp-OIDC/1-5-B2C/` folder, open the **WebApp-OpenIDConnect-DotNet.csproj** project with Visual Studio or Visual Studio Code. Under the project root folder, open the `appsettings.json` file. This file contains information about your Azure AD B2C identity provider. Update the following properties of the app settings:
-* **Instance** - Replace `<your-tenant-name>` with your tenant name. For example, `https://contoso.b2clogin.com`.
-* **Domain** - Replace `<your-b2c-domain>` with your Azure AD B2C full domain name. For example, `contoso.onmicrosoft.com`.
+* **Instance** - Replace `<your-tenant-name>` with the first part of your Azure AD B2C [tenant name](tenant-management.md#get-your-tenant-name). For example, `https://contoso.b2clogin.com`.
+* **Domain** - Replace `<your-b2c-domain>` with your Azure AD B2C full [tenant name](tenant-management.md#get-your-tenant-name). For example, `contoso.onmicrosoft.com`.
* **Client ID** - Replace `<web-app-application-id>` with the Application ID from [Step 2](#step-2-register-a-web-application). * **Policy name** - Replace `<your-sign-up-in-policy>` with the user flows you created in [Step 1](#step-1-configure-your-user-flow).
Your final configuration file should look like the following JSON:
} ```
-## Step 6: Run the sample application
+## Step 5: Run the sample application
1. Build and run the project. 1. Browse to https://localhost:5001.
active-directory-b2c Enable Authentication Web Application https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/enable-authentication-web-application.md
Previously updated : 05/25/2021 Last updated : 06/10/2021
Azure AD B2C identity provider settings are stored in the `appsettings.json` fil
The required information is described in the [Configure authentication in a sample web application](configure-authentication-sample-web-app.md) article. Use the following settings:
-* **Instance** - Replace `<your-tenant-name>` with your tenant name. For example, `https://contoso.b2clogin.com`.
-* **Domain** - Replace `<your-b2c-domain>` with your Azure AD B2C full domain name. For example, `contoso.onmicrosoft.com`.
+* **Instance** - Replace `<your-tenant-name>` with the first part of your Azure AD B2C [tenant name](tenant-management.md#get-your-tenant-name). For example, `https://contoso.b2clogin.com`.
+* **Domain** - Replace `<your-b2c-domain>` with your Azure AD B2C full [tenant name](tenant-management.md#get-your-tenant-name). For example, `contoso.onmicrosoft.com`.
* **Client ID** - Replace `<web-app-application-id>` with the Application ID from [Step 2](configure-authentication-sample-web-app.md#step-2-register-a-web-application). * **Policy name** - Replace `<your-sign-up-in-policy>` with the user flows you created in [Step 1](configure-authentication-sample-web-app.md#step-1-configure-your-user-flow).
active-directory-b2c Force Password Reset https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/force-password-reset.md
Previously updated : 05/28/2021 Last updated : 06/10/2021 zone_pivot_groups: b2c-policy-type
zone_pivot_groups: b2c-policy-type
[!INCLUDE [active-directory-b2c-choose-user-flow-or-custom-policy](../../includes/active-directory-b2c-choose-user-flow-or-custom-policy.md)] ## Overview+ As an administrator, you can [reset a user's password](manage-users-portal.md#reset-a-users-password) if the user forgets their password. Or you would like to force them to reset the password. In this article, you'll learn how to force a password reset in these scenarios. When an administrator resets a user's password via the Azure portal, the value of the [forceChangePasswordNextSignIn](user-profile-attributes.md#password-profile-property) attribute is set to `true`. The [sign-in and sign-up journey](add-sign-up-and-sign-in-policy.md) checks the value of this attribute. After the user completes the sign-in, if the attribute is set to `true`, the user must reset their password. Then the value of the attribute is set to back `false`.
The password reset flow is applicable to local accounts in Azure AD B2C that use
::: zone pivot="b2c-user-flow"
-### Force a password reset after 90 days
-
-As an administrator, you can set a user's password expiration to 90 days, using [MS Graph](microsoft-graph-operations.md). After 90 days, the value of [forceChangePasswordNextSignIn](user-profile-attributes.md#password-profile-property) attribute is automatically set to `true`. For more information on how to set a user's password expiration policy, see [Password policy attribute](user-profile-attributes.md#password-policy-attribute).
-
-Once a password expiration policy has been set, you must also configure force password reset flow, as described in this article.
- ## Prerequisites [!INCLUDE [active-directory-b2c-customization-prerequisites](../../includes/active-directory-b2c-customization-prerequisites.md)]
-## Configure your policy
+## Configure your user flow
To enable the **Forced password reset** setting in a sign-up or sign-in user flow:
To enable the **Forced password reset** setting in a sign-up or sign-in user flo
1. Under **Password configuration**, select **Forced password reset**. 1. Select **Save**.
-### Test the user flow
+## Test the user flow
1. Sign in to the [Azure portal](https://portal.azure.com) as a user administrator or a password administrator. For more information about the available roles, see [Assigning administrator roles in Azure Active Directory](../active-directory/roles/permissions-reference.md#all-roles). 1. Select the **Directory + Subscription** icon in the portal toolbar, and then select the directory that contains your Azure AD B2C tenant.
To enable the **Forced password reset** setting in a sign-up or sign-in user flo
1. Sign in with the user account for which you reset the password. 1. You now must change the password for the user. Change the password and select **Continue**. The token is returned to `https://jwt.ms` and should be displayed to you.
+## Force password reset on next login
+
+To force reset the password on next login, update the account password profile using MS Graph [Update user](/graph/api/user-update) operation. The following example updates the password profile [forceChangePasswordNextSignIn](user-profile-attributes.md#password-profile-property) attribute to `true`, which forces the user to reset the password on next login.
+
+```http
+PATCH https://graph.microsoft.com/v1.0/users/<user-object-ID>
+Content-type: application/json
+
+{
+"passwordProfile": {
+ "forceChangePasswordNextSignIn": true
+}
+```
+
+Once the account password profile has been set, you must also configure force password reset flow, as described in this article.
+
+## Force a password reset after 90 days
+
+As an administrator, you can set a user's password expiration to 90 days, using [MS Graph](microsoft-graph-operations.md). After 90 days, the value of [forceChangePasswordNextSignIn](user-profile-attributes.md#password-profile-property) attribute is automatically set to `true`. To force a password reset after 90 days, remove the `DisablePasswordExpiration` value from the user's profile [Password policy](user-profile-attributes.md#password-policy-attribute) attribute.
+
+The following example updates the password policy to `None`, which forces a password reset after 90 days:
+
+```http
+PATCH https://graph.microsoft.com/v1.0/users/<user-object-ID>
+Content-type: application/json
+
+{
+ "passwordPolicies": "None"
+}
+```
+
+If you disabled the strong [password complexity](password-complexity.md), update the password policy to [DisableStrongPassword](user-profile-attributes.md#password-policy-attribute):
+
+```http
+PATCH https://graph.microsoft.com/v1.0/users/<user-object-ID>
+Content-type: application/json
+
+{
+ "passwordPolicies": "DisableStrongPassword"
+}
+```
+
+Once a password expiration policy has been set, you must also configure force password reset flow, as described in this article.
+
+### Password expiry duration
+
+The password expiry duration default value is **90** days. The value is configurable by using the [Set-MsolPasswordPolicy](/powershell/module/msonline/set-msolpasswordpolicy) cmdlet from the Azure Active Directory Module for Windows PowerShell. This command updates the tenant, so that all users' passwords expire after number of days you configure.
+ ::: zone-end ::: zone pivot="b2c-custom-policy"
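Review bot: the request body in the "Force password reset on next login" example is not valid JSON. It opens two objects (`{` and `"passwordProfile": {`) but only one `}` appears before the closing fence, so anyone who copies the sample into a Graph call gets a parse error. Add the missing closing brace and indent `"passwordProfile"` to match the two `passwordPolicies` examples that follow. In "Password expiry duration", "expire after number of days you configure" is missing "the".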
active-directory-b2c Https Cipher Tls Requirements https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/https-cipher-tls-requirements.md
To verify that your endpoints comply with the requirements described in this art
See also following articles: - [Troubleshooting applications that don't support TLS 1.2](../cloud-services/applications-dont-support-tls-1-2.md)-- [Cipher Suites in TLS/SSL (Schannel SSP)](https://docs.microsoft.com/windows/win32/secauthn/cipher-suites-in-schannel)-- [How to enable TLS 1.2](https://docs.microsoft.com/mem/configmgr/core/plan-design/security/enable-tls-1-2)-- [Solving the TLS 1.0 Problem](https://docs.microsoft.com/security/engineering/solving-tls1-problem)----
+- [Cipher Suites in TLS/SSL (Schannel SSP)](/windows/win32/secauthn/cipher-suites-in-schannel)
+- [How to enable TLS 1.2](/mem/configmgr/core/plan-design/security/enable-tls-1-2)
+- [Solving the TLS 1.0 Problem](/security/engineering/solving-tls1-problem)
active-directory-b2c Identity Protection Investigate Risk https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/identity-protection-investigate-risk.md
Administrators can then choose to take action on these events. Administrators ca
- Block user from signing in - Investigate further using Azure ATP
-An administrator can choose to dismiss a user's risk in the Azure portal or programmatically through the Microsoft Graph API [Dismiss User Risk](https://docs.microsoft.com/graph/api/riskyusers-dismiss?view=graph-rest-beta&preserve-view=true). Administrator privileges are required to dismiss a user's risk. Remediating a risk can be performed by the risky user or by an administrator on the user's behalf, for example through a password reset.
+An administrator can choose to dismiss a user's risk in the Azure portal or programmatically through the Microsoft Graph API [Dismiss User Risk](/graph/api/riskyusers-dismiss?preserve-view=true&view=graph-rest-beta). Administrator privileges are required to dismiss a user's risk. Remediating a risk can be performed by the risky user or by an administrator on the user's behalf, for example through a password reset.
### Navigating the risky users report
Administrators can then choose to return to the user's risk or sign-ins report t
## Next steps -- [Add Conditional Access to a user flow](conditional-access-user-flow.md).
+- [Add Conditional Access to a user flow](conditional-access-user-flow.md).
active-directory-b2c Identity Provider Azure Ad Multi Tenant https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/identity-provider-azure-ad-multi-tenant.md
You can define Azure AD as a claims provider by adding Azure AD to the **ClaimsP
``` 1. Under the **ClaimsProvider** element, update the value for **Domain** to a unique value that can be used to distinguish it from other identity providers.
-1. Under the **TechnicalProfile** element, update the value for **DisplayName**, for example, `Contoso Employee`. This value is displayed on the sign-in button on your sign-in page.
+1. Under the **TechnicalProfile** element, update the value for **DisplayName**, for example, `Multi-Tenant AAD`. This value is displayed on the sign-in button on your sign-in page.
1. Set **client_id** to the application ID of the Azure AD multi-tenant application that you registered earlier. 1. Under **CryptographicKeys**, update the value of **StorageReferenceId** to the name of the policy key that created earlier. For example, `B2C_1A_AADAppSecret`.
active-directory-b2c Microsoft Graph Operations https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/microsoft-graph-operations.md
Microsoft Graph allows you to manage resources in your Azure AD B2C directory. The following Microsoft Graph API operations are supported for the management of Azure AD B2C resources, including users, identity providers, user flows, custom policies, and policy keys. Each link in the following sections targets the corresponding page within the Microsoft Graph API reference for that operation. > [!NOTE]
-> You can also programmatically create an Azure AD B2C directory itself, along with the corresponding Azure resource linked to an Azure subscription. This functionality isn't exposed through the Microsoft Graph API, but through the Azure REST API. For more information, see [B2C Tenants - Create](https://docs.microsoft.com/rest/api/activedirectory/b2ctenants/create).
+> You can also programmatically create an Azure AD B2C directory itself, along with the corresponding Azure resource linked to an Azure subscription. This functionality isn't exposed through the Microsoft Graph API, but through the Azure REST API. For more information, see [B2C Tenants - Create](/rest/api/activedirectory/b2ctenants/create).
## Prerequisites
public static async Task ListUsers(GraphServiceClient graphClient)
<!-- LINK --> [graph-objectIdentity]: /graph/api/resources/objectidentity
-[graph-user]: (https://docs.microsoft.com/graph/api/resources/user)
+[graph-user]: (https://docs.microsoft.com/graph/api/resources/user)
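Review bot: the `[graph-user]` reference definition still wraps its URL in parentheses, and the removed and added lines are otherwise identical. In a reference-style definition the parentheses become part of the link destination, so the link does not resolve to the user resource page. Since this batch converts `https://docs.microsoft.com/...` links to site-relative paths elsewhere, change it to `[graph-user]: /graph/api/resources/user`, matching the `[graph-objectIdentity]` definition directly above it.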
active-directory-b2c Oauth2 Error Technical Profile https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/oauth2-error-technical-profile.md
The CryptographicKeys element contains the following key:
| Attribute | Required | Description | | | -- | -- |
-| issuer_secret | Yes | An X509 certificate (RSA key set). Use the `B2C_1A_TokenSigningKeyContainer` key you configure in [Get started with custom policies](custom-policy-get-started.md).|
+| issuer_secret | Yes | An X509 certificate (RSA key set). Use the `B2C_1A_TokenSigningKeyContainer` key you configure in [Get started with custom policies](./tutorial-create-user-flows.md?pivots=b2c-custom-policy).|
| ## Invoke the technical profile
In the following example:
## Next steps
-Learn about [UserJourneys](userjourneys.md)
-
+Learn about [UserJourneys](userjourneys.md)
active-directory-b2c Partner Dynamics 365 Fraud Protection https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/partner-dynamics-365-fraud-protection.md
# Tutorial: Configure Microsoft Dynamics 365 Fraud Protection with Azure Active Directory B2C
-In this sample tutorial, learn how to integrate [Microsoft Dynamics 365 Fraud Protection](https://docs.microsoft.com/dynamics365/fraud-protection/overview) (DFP) with Azure Active Directory (AD) B2C.
+In this sample tutorial, learn how to integrate [Microsoft Dynamics 365 Fraud Protection](/dynamics365/fraud-protection/overview) (DFP) with Azure Active Directory (AD) B2C.
Microsoft DFP provides organizations with the capability to assess the risk of attempts to create fraudulent accounts and log-ins. Microsoft DFP assessment can be used by the customer to block or challenge suspicious attempts to create new fake accounts or to compromise existing accounts.
The following architecture diagram shows the implementation.
## Set up your custom domain
-In a production environment, you must use a [custom domain for Azure AD B2C](https://docs.microsoft.com/azure/active-directory-b2c/custom-domain?pivots=b2c-custom-policy) and for the [Microsoft DFP fingerprinting service](https://docs.microsoft.com/dynamics365/fraud-protection/device-fingerprinting#set-up-dns). The domain for both services should be in the same root DNS zone to prevent browser privacy settings from blocking cross-domain cookies, isn't necessary in a non-production environment.
+In a production environment, you must use a [custom domain for Azure AD B2C](./custom-domain.md?pivots=b2c-custom-policy) and for the [Microsoft DFP fingerprinting service](/dynamics365/fraud-protection/device-fingerprinting#set-up-dns). The domain for both services should be in the same root DNS zone to prevent browser privacy settings from blocking cross-domain cookies, isn't necessary in a non-production environment.
Following is an example:
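Review bot: the sentence after the two custom-domain links is carried over unchanged and does not parse: "... to prevent browser privacy settings from blocking cross-domain cookies, isn't necessary in a non-production environment." It is unclear whether the custom domain or the shared root DNS zone is the part that is optional outside production. Split it, for example "The domain for both services should be in the same root DNS zone to prevent browser privacy settings from blocking cross-domain cookies. This isn't necessary in a non-production environment.", and state which requirement is being relaxed.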
Following is an example:
4. Ensure CORS is enabled for your Azure AD B2C domain name `https://{your_tenant_name}.b2clogin.com` or `your custom domain`.
-See [UI customization documentation](https://docs.microsoft.com/azure/active-directory-b2c/customize-ui-with-html?pivots=b2c-custom-policy) to learn more.
+See [UI customization documentation](./customize-ui-with-html.md?pivots=b2c-custom-policy) to learn more.
## Azure AD B2C configuration ### Add policy keys for your Microsoft DFP client app ID and secret
-1. In the Azure AD tenant where Microsoft DFP is set up, create an [Azure AD application and grant admin consent](https://docs.microsoft.com/dynamics365/fraud-protection/integrate-real-time-api#create-azure-active-directory-applications).
+1. In the Azure AD tenant where Microsoft DFP is set up, create an [Azure AD application and grant admin consent](/dynamics365/fraud-protection/integrate-real-time-api#create-azure-active-directory-applications).
2. Create a secret value for this application registration and note the application's client ID and client secret value.
-3. Save the client ID and client secret values as [policy keys in your Azure AD B2C tenant](https://docs.microsoft.com/azure/active-directory-b2c/policy-keys-overview).
+3. Save the client ID and client secret values as [policy keys in your Azure AD B2C tenant](./policy-keys-overview.md).
>[!NOTE] >You'll later need the policy keys to configure your Azure AD B2C policies.
In the provided [custom policies](https://github.com/azure-ad-b2c/partner-integr
| {Settings:DfpAppClientIdKeyContainer} | Name of the policy key-in which you save the DFP client ID | `B2C_1A_DFPClientId` | | {Settings:DfpAppClientSecretKeyContainer} | Name of the policy key-in which you save the DFP client secret | `B2C_1A_DFPClientSecret` |
-*Application insights can be set up in any Azure AD tenant/subscription. This value is optional but [recommended to assist with debugging](https://docs.microsoft.com/azure/active-directory-b2c/troubleshoot-with-application-insights).
+*Application insights can be set up in any Azure AD tenant/subscription. This value is optional but [recommended to assist with debugging](./troubleshoot-with-application-insights.md).
>[!NOTE] >Add consent notification to the attribute collection page. Notify that the users' telemetry and user identity information will be recorded for account protection purposes.
For additional information, review the following articles:
- [Custom policies in Azure AD B2C](./custom-policy-overview.md) -- [Get started with custom policies in Azure AD B2C](./tutorial-create-user-flows.md?pivots=b2c-custom-policy)
+- [Get started with custom policies in Azure AD B2C](./tutorial-create-user-flows.md?pivots=b2c-custom-policy)
active-directory-b2c Partner Ping Identity https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/partner-ping-identity.md
Follow these steps to create a web session:
7. In the **Client Secret** field, enter the **Key** you generated for the application in Azure AD.
-8. Optional - You can create and use custom claims with the Microsoft Graph API. If you choose to do so, select **Advanced** and deselect the **Request Profile** and **Refresh User Attributes** options. For more information on using custom claims, see [use a custom claim](../active-directory/manage-apps/application-proxy-configure-single-sign-on-with-headers.md).
+8. Optional - You can create and use custom claims with the Microsoft Graph API. If you choose to do so, select **Advanced** and deselect the **Request Profile** and **Refresh User Attributes** options. For more information on using custom claims, see [use a custom claim](../active-directory/app-proxy/application-proxy-configure-single-sign-on-with-headers.md).
9. Select **Save**
For additional information, review the following articles
- [Custom policies in Azure AD B2C](./custom-policy-overview.md) -- [Get started with custom policies in Azure AD B2C](tutorial-create-user-flows.md?pivots=b2c-custom-policy)
+- [Get started with custom policies in Azure AD B2C](tutorial-create-user-flows.md?pivots=b2c-custom-policy)
active-directory-b2c Tenant Management https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/tenant-management.md
Previously updated : 05/27/2021 Last updated : 06/10/2021
It's recommended that you protect all administrator accounts with multi-factor a
You can enable [Azure AD security defaults](../active-directory/fundamentals/concept-fundamentals-security-defaults.md) to force all administrative accounts to use MFA.
+## Get your tenant name
+To get your Azure AD B2C tenant name, follow these steps:
+
+1. Sign in to the [Azure portal](https://portal.azure.com).
+1. Select the **Directory + subscription** filter in the top menu, and then select the directory that contains your Azure AD B2C tenant.
+1. In the Azure portal, search for and select **Azure AD B2C**.
+1. In the **Overview**, copy the **Domain name**.
+
+![Screenshot demonstrates how to get the Azure AD B2C tenant name.](./media/tenant-management/get-azure-ad-b2c-tenant-name.png)
+
+## Get your tenant ID
+
+To get your Azure AD B2C tenant ID, follow these steps:
+
+1. Sign in to the [Azure portal](https://portal.azure.com).
+1. Select the **Directory + subscription** filter in the top menu, and then select the directory that contains your Azure AD B2C tenant.
+1. In the Azure portal, search for and select **Azure Active Directory**.
+1. In the **Overview**, copy the **Tenant ID**.
+
+![Screenshot demonstrates how to get the Azure AD B2C tenant ID.](./media/tenant-management/get-azure-ad-b2c-tenant-id.png)
## Next steps
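Review bot: the new "Get your tenant name" heading is followed directly by its paragraph, and the last screenshot line runs straight into "## Next steps", while "Get your tenant ID" has a blank line after its heading. Add a blank line after `## Get your tenant name` and before `## Next steps` so the two sections are formatted the same way. The sample web app article now tells readers to use "the first part of" the tenant name for **Instance**; consider saying in step 4 here which part of the **Domain name** that is, since this section is now the link target for that instruction.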
active-directory-domain-services Deploy Azure App Proxy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-domain-services/deploy-azure-app-proxy.md
With Azure AD Domain Services (Azure AD DS), you can lift-and-shift legacy applications running on-premises into Azure. Azure Active Directory (AD) Application Proxy then helps you support remote workers by securely publishing those internal applications part of an Azure AD DS managed domain so they can be accessed over the internet.
-If you're new to the Azure AD Application Proxy and want to learn more, see [How to provide secure remote access to internal applications](../active-directory/manage-apps/application-proxy.md).
+If you're new to the Azure AD Application Proxy and want to learn more, see [How to provide secure remote access to internal applications](../active-directory/app-proxy/application-proxy.md).
This article shows you how to create and configure an Azure AD Application Proxy connector to provide secure access to applications in a managed domain.
With a VM ready to be used as the Azure AD Application Proxy connector, now copy
> For example, if the Azure AD domain is *contoso.com*, the global administrator should be `admin@contoso.com` or another valid alias on that domain. * If Internet Explorer Enhanced Security Configuration is turned on for the VM where you install the connector, the registration screen might be blocked. To allow access, follow the instructions in the error message, or turn off Internet Explorer Enhanced Security during the install process.
- * If connector registration fails, see [Troubleshoot Application Proxy](../active-directory/manage-apps/application-proxy-troubleshoot.md).
+ * If connector registration fails, see [Troubleshoot Application Proxy](/azure/active-directory/app-proxy/application-proxy-troubleshoot).
1. At the end of the setup, a note is shown for environments with an outbound proxy. To configure the Azure AD Application Proxy connector to work through the outbound proxy, run the provided script, such as `C:\Program Files\Microsoft AAD App Proxy connector\ConfigureOutBoundProxy.ps1`. 1. On the Application proxy page in the Azure portal, the new connector is listed with a status of *Active*, as shown in the following example:
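Review bot: the updated troubleshooting link uses a site-absolute path (`/azure/active-directory/app-proxy/application-proxy-troubleshoot`), while the other link changed in this same file uses a repository-relative path (`../active-directory/app-proxy/application-proxy.md`). Use the relative form here as well, for example `../active-directory/app-proxy/application-proxy-troubleshoot.md`, so both links follow the same convention and are checked by the build's link validation in the same way.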
With the Azure AD Application Proxy integrated with Azure AD DS, publish applica
[create-join-windows-vm]: join-windows-vm.md [azure-bastion]: ../bastion/tutorial-create-host-portal.md [Get-ADComputer]: /powershell/module/activedirectory/get-adcomputer
-[Set-ADComputer]: /powershell/module/activedirectory/set-adcomputer
+[Set-ADComputer]: /powershell/module/activedirectory/set-adcomputer
active-directory Application Provisioning Configuration Api https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/app-provisioning/application-provisioning-configuration-api.md
# Configure provisioning using Microsoft Graph APIs
-The Azure portal is a convenient way to configure provisioning for individual apps one at a time. But if you're creating severalΓÇöor even hundredsΓÇöof instances of an application, it can be easier to automate app creation and configuration with the Microsoft Graph APIs. This article outlines how to automate provisioning configuration through APIs. This method is commonly used for applications like [Amazon Web Services](/azure/active-directory/saas-apps/amazon-web-service-tutorial#configure-azure-ad-sso).
+The Azure portal is a convenient way to configure provisioning for individual apps one at a time. But if you're creating severalΓÇöor even hundredsΓÇöof instances of an application, it can be easier to automate app creation and configuration with the Microsoft Graph APIs. This article outlines how to automate provisioning configuration through APIs. This method is commonly used for applications like [Amazon Web Services](../saas-apps/amazon-web-service-tutorial.md#configure-azure-ad-sso).
**Overview of steps for using Microsoft Graph APIs to automate provisioning configuration**
Content-type: application/json
## See also - [Review the synchronization Microsoft Graph documentation](/graph/api/resources/synchronization-overview?view=graph-rest-beta)-- [Integrating a custom SCIM app with Azure AD](/azure/active-directory/app-provisioning/use-scim-to-provision-users-and-groups)
+- [Integrating a custom SCIM app with Azure AD](./use-scim-to-provision-users-and-groups.md)
active-directory Expression Builder https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/app-provisioning/expression-builder.md
# Understand how expression builder in Application Provisioning works
-You can use [expressions](functions-for-customizing-application-data.md) to [map attributes](https://docs.microsoft.com/azure/active-directory/app-provisioning/customize-application-attributes). Previously, you had to create these expressions manually and enter them into the expression box. Expression builder is a tool you can use to help you create expressions.
+You can use [expressions](functions-for-customizing-application-data.md) to [map attributes](./customize-application-attributes.md). Previously, you had to create these expressions manually and enter them into the expression box. Expression builder is a tool you can use to help you create expressions.
:::image type="content" source="media/expression-builder/expression-builder.png" alt-text="The default expression builder page before selecting a function." lightbox="media/expression-builder/expression-builder.png":::
When you're satisfied with the expression, move it to an attribute mapping. Copy
## Next steps
-[Reference for writing expressions for attribute mappings](functions-for-customizing-application-data.md)
+[Reference for writing expressions for attribute mappings](functions-for-customizing-application-data.md)
active-directory Known Issues https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/app-provisioning/known-issues.md
The following applications and directories are not yet supported.
**AD DS - (user / group writeback from Azure AD, using the on-prem provisioning preview)** - When a user is managed by Azure AD Connect, the source of authority is on-prem Active Directory. Therefore, user attributes cannot be changed in Azure AD. This preview does not change the source of authority for users managed by Azure AD Connect.
- - Attempting to use Azure AD Connect and the on-prem provisioning to provision groups / users into AD DS can lead to creation of a loop, where Azure AD Connect can overwrite a change that was made by the provisioning service in the cloud. Microsoft is working on a dedicated capability for group / user writeback. Upvote the UserVoice feedback [here](https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/16887037-enable-user-writeback-to-on-premise-ad-from-azure) to track the status of the preview. Alternatively, you can use [Microsoft Identity Manager](https://docs.microsoft.com/microsoft-identity-manager/microsoft-identity-manager-2016) for user / group writeback from Azure AD to AD.
+ - Attempting to use Azure AD Connect and the on-prem provisioning to provision groups / users into AD DS can lead to creation of a loop, where Azure AD Connect can overwrite a change that was made by the provisioning service in the cloud. Microsoft is working on a dedicated capability for group / user writeback. Upvote the UserVoice feedback [here](https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/16887037-enable-user-writeback-to-on-premise-ad-from-azure) to track the status of the preview. Alternatively, you can use [Microsoft Identity Manager](/microsoft-identity-manager/microsoft-identity-manager-2016) for user / group writeback from Azure AD to AD.
**Connectors other than SQL** - The Azure AD ECMA Connector Host is officially supported for generic SQL (GSQL) connector. While it is possible to use other connectors such as the web services connector or custom ECMA connectors, it is **not yet supported**.
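Review bot: The changed bullet still uses `[here]` as the link text for the UserVoice item, which says nothing about the target when read out of context. Since the line is being edited anyway, name the destination in the link text, for example "Upvote the [user writeback feedback item](...)", and keep the URL as it is.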
The following attributes and objects are not supported:
- The attributes that the target application supports are discovered and surfaced in the Azure portal in Attribute Mappings. Newly added attributes will continue to be discovered. However, if an attribute type has changed (for example, string to boolean), and the attribute is part of the mappings, the type will not change automatically in the Azure portal. Customers will need to go into advanced settings in mappings and manually update the attribute type. ## Next steps-- [How provisioning works](how-provisioning-works.md)
+- [How provisioning works](how-provisioning-works.md)
active-directory On Premises Ecma Troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/app-provisioning/on-premises-ecma-troubleshoot.md
To gather additional details for troubleshooting agent-related problems, follow
-Azure AD allows you to monitor the provisioning service in the cloud as well as collect logs on-premises. The provisioning service emits logs for each user that was evaluated as part of the synchronization process. Those logs can be consumed through the [Azure portal UI, APIs, and log analytics](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-provisioning-logs#ways-of-interacting-with-the-provisioning-logs). In addition, the ECMA host generates logs on-premises, showing each provisioning request received and the response sent to Azure AD.
+Azure AD allows you to monitor the provisioning service in the cloud as well as collect logs on-premises. The provisioning service emits logs for each user that was evaluated as part of the synchronization process. Those logs can be consumed through the [Azure portal UI, APIs, and log analytics](../reports-monitoring/concept-provisioning-logs.md). In addition, the ECMA host generates logs on-premises, showing each provisioning request received and the response sent to Azure AD.
### Agent installation fails * The error `System.ComponentModel.Win32Exception: The specified service already exists` indicates that the previous ECMA Host was unsuccessfully uninstalled. Please uninstall the host application. Navigate to program files and remove the ECMA Host folder. You may want to store the configuration file for backup.
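Review bot: The rewritten provisioning-logs link drops the `#ways-of-interacting-with-the-provisioning-logs` fragment that the old URL carried, so "Azure portal UI, APIs, and log analytics" now lands at the top of the article instead of the section that lists those options. Keep the fragment on the relative path, `../reports-monitoring/concept-provisioning-logs.md#ways-of-interacting-with-the-provisioning-logs`, unless that heading no longer exists in the target.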
active-directory Application Proxy Add On Premises Application https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/app-proxy/application-proxy-add-on-premises-application.md
For high availability in your production environment, we recommend having more t
#### Recommendations for the connector server 1. Physically locate the connector server close to the application servers to optimize performance between the connector and the application. For more information, see [Optimize traffic flow with Azure Active Directory Application Proxy](application-proxy-network-topology.md).
-1. The connector server and the web applications servers should belong to the same Active Directory domain or span trusting domains. Having the servers in the same domain or trusting domains is a requirement for using single sign-on (SSO) with Integrated Windows Authentication (IWA) and Kerberos Constrained Delegation (KCD). If the connector server and web application servers are in different Active Directory domains, you need to use resource-based delegation for single sign-on. For more information, see [KCD for single sign-on with Application Proxy](../manage-apps/application-proxy-configure-single-sign-on-with-kcd.md).
+1. The connector server and the web applications servers should belong to the same Active Directory domain or span trusting domains. Having the servers in the same domain or trusting domains is a requirement for using single sign-on (SSO) with Integrated Windows Authentication (IWA) and Kerberos Constrained Delegation (KCD). If the connector server and web application servers are in different Active Directory domains, you need to use resource-based delegation for single sign-on. For more information, see [KCD for single sign-on with Application Proxy](./application-proxy-configure-single-sign-on-with-kcd.md).
> [!WARNING] > If you've deployed Azure AD Password Protection Proxy, do not install Azure AD Application Proxy and Azure AD Password Protection Proxy together on the same machine. Azure AD Application Proxy and Azure AD Password Protection Proxy install different versions of the Azure AD Connect Agent Updater service. These different versions are incompatible when installed together on the same machine.
Allow access to the following URLs:
| ctldl.windowsupdate.com | 80/HTTP | The connector uses this URL during the registration process. | You can allow connections to &ast;.msappproxy.net, &ast;.servicebus.windows.net, and other URLs above if your firewall or proxy lets you configure access rules based on domain suffixes. If not, you need to allow access to the [Azure IP ranges and Service Tags - Public Cloud](https://www.microsoft.com/download/details.aspx?id=56519). The IP ranges are updated each week.
+> [!IMPORTANT]
+> Avoid all forms of inline inspection and termination on outbound TLS communications between Azure AD Application Proxy connectors and Azure AD Application Proxy Cloud services.
### DNS name resolution for Azure AD Application Proxy endpoints
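Review bot: The new `[!IMPORTANT]` note tells administrators to avoid inline inspection and termination of outbound TLS, but it does not name the destinations to exempt or say what fails when a proxy intercepts the connector traffic. Point back to the URL table directly above it (the `*.msappproxy.net` and `*.servicebus.windows.net` entries among others) so the bypass list for a TLS-inspecting proxy is unambiguous, and if this is a hard requirement rather than a recommendation, say "Do not use" instead of "Avoid".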
To install the connector:
### General remarks
-If you've previously installed a connector, reinstall to get the latest version. To see information about previously released versions and what changes they include, see [Application Proxy: Version Release History](../manage-apps/application-proxy-release-version-history.md).
+If you've previously installed a connector, reinstall to get the latest version. To see information about previously released versions and what changes they include, see [Application Proxy: Version Release History](./application-proxy-release-version-history.md).
-If you choose to have more than one Windows server for your on-premises applications, you'll need to install and register the connector on each server. You can organize the connectors into connector groups. For more information, see [Connector groups](../manage-apps/application-proxy-connector-groups.md).
+If you choose to have more than one Windows server for your on-premises applications, you'll need to install and register the connector on each server. You can organize the connectors into connector groups. For more information, see [Connector groups](./application-proxy-connector-groups.md).
If you have installed connectors in different regions, you can optimize traffic by selecting the closest Application Proxy cloud service region to use with each connector group, see [Optimize traffic flow with Azure Active Directory Application Proxy](application-proxy-network-topology.md)
-If your organization uses proxy servers to connect to the internet, you need to configure them for Application Proxy. For more information, see [Work with existing on-premises proxy servers](../manage-apps/application-proxy-configure-connectors-with-proxy-servers.md).
+If your organization uses proxy servers to connect to the internet, you need to configure them for Application Proxy. For more information, see [Work with existing on-premises proxy servers](./application-proxy-configure-connectors-with-proxy-servers.md).
For information about connectors, capacity planning, and how they stay up-to-date, see [Understand Azure AD Application Proxy connectors](application-proxy-connectors.md).
To confirm the connector installed and registered correctly:
![Azure AD Application Proxy Connectors](./media/application-proxy-add-on-premises-application/app-proxy-connectors.png)
-For more help with installing a connector, see [Problem installing the Application Proxy Connector](../manage-apps/application-proxy-connector-installation-problem.md).
+For more help with installing a connector, see [Problem installing the Application Proxy Connector](./application-proxy-connector-installation-problem.md).
### Verify the installation through your Windows server
Now that you've prepared your environment and installed a connector, you're read
| : | :-- | | **Name** | The name of the application that will appear on My Apps and in the Azure portal. | | **Internal URL** | The URL for accessing the application from inside your private network. You can provide a specific path on the backend server to publish, while the rest of the server is unpublished. In this way, you can publish different sites on the same server as different apps, and give each one its own name and access rules.<br><br>If you publish a path, make sure that it includes all the necessary images, scripts, and style sheets for your application. For example, if your app is at https:\//yourapp/app and uses images located at https:\//yourapp/media, then you should publish https:\//yourapp/ as the path. This internal URL doesn't have to be the landing page your users see. For more information, see [Set a custom home page for published apps](application-proxy-configure-custom-home-page.md). |
- | **External URL** | The address for users to access the app from outside your network. If you don't want to use the default Application Proxy domain, read about [custom domains in Azure AD Application Proxy](../manage-apps/application-proxy-configure-custom-domain.md). |
+ | **External URL** | The address for users to access the app from outside your network. If you don't want to use the default Application Proxy domain, read about [custom domains in Azure AD Application Proxy](./application-proxy-configure-custom-domain.md). |
| **Pre Authentication** | How Application Proxy verifies users before giving them access to your application.<br><br>**Azure Active Directory** - Application Proxy redirects users to sign in with Azure AD, which authenticates their permissions for the directory and application. We recommend keeping this option as the default so that you can take advantage of Azure AD security features like Conditional Access and Multi-Factor Authentication. **Azure Active Directory** is required for monitoring the application with Microsoft Cloud Application Security.<br><br>**Passthrough** - Users don't have to authenticate against Azure AD to access the application. You can still set up authentication requirements on the backend. | | **Connector Group** | Connectors process the remote access to your application, and connector groups help you organize connectors and apps by region, network, or purpose. If you don't have any connector groups created yet, your app is assigned to **Default**.<br><br>If your application uses WebSockets to connect, all connectors in the group must be version 1.5.612.0 or later. |
Now that you've prepared your environment and installed a connector, you're read
| **Backend Application Timeout** | Set this value to **Long** only if your application is slow to authenticate and connect. At default, the backend application timeout has a length of 85 seconds. When set to long, the backend timeout is increased to 180 seconds. | | **Use HTTP-Only Cookie** | Set this value to **Yes** to have Application Proxy cookies include the HTTPOnly flag in the HTTP response header. If using Remote Desktop Services, set this value to **No**. | | **Use Secure Cookie**| Set this value to **Yes** to transmit cookies over a secure channel such as an encrypted HTTPS request.
- | **Use Persistent Cookie**| Keep this value set to **No**. Only use this setting for applications that can't share cookies between processes. For more information about cookie settings, see [Cookie settings for accessing on-premises applications in Azure Active Directory](../manage-apps/application-proxy-configure-cookie-settings.md).
+ | **Use Persistent Cookie**| Keep this value set to **No**. Only use this setting for applications that can't share cookies between processes. For more information about cookie settings, see [Cookie settings for accessing on-premises applications in Azure Active Directory](./application-proxy-configure-cookie-settings.md).
| **Translate URLs in Headers** | Keep this value as **Yes** unless your application required the original host header in the authentication request. |
- | **Translate URLs in Application Body** | Keep this value as **No** unless you have hardcoded HTML links to other on-premises applications and don't use custom domains. For more information, see [Link translation with Application Proxy](../manage-apps/application-proxy-configure-hard-coded-link-translation.md).<br><br>Set this value to **Yes** if you plan to monitor this application with Microsoft Cloud App Security (MCAS). For more information, see [Configure real-time application access monitoring with Microsoft Cloud App Security and Azure Active Directory](../manage-apps/application-proxy-integrate-with-microsoft-cloud-application-security.md). |
+ | **Translate URLs in Application Body** | Keep this value as **No** unless you have hardcoded HTML links to other on-premises applications and don't use custom domains. For more information, see [Link translation with Application Proxy](./application-proxy-configure-hard-coded-link-translation.md).<br><br>Set this value to **Yes** if you plan to monitor this application with Microsoft Cloud App Security (MCAS). For more information, see [Configure real-time application access monitoring with Microsoft Cloud App Security and Azure Active Directory](./application-proxy-integrate-with-microsoft-cloud-application-security.md). |
7. Select **Add**.
To test the sign-on to the application:
2. At the top of the page, select **Test Application** to run a test on the application and check for any configuration issues. 3. Make sure to first launch the application to test signing into the application, then download the diagnostic report to review the resolution guidance for any detected issues.
-For troubleshooting, see [Troubleshoot Application Proxy problems and error messages](../manage-apps/application-proxy-troubleshoot.md).
+For troubleshooting, see [Troubleshoot Application Proxy problems and error messages](./application-proxy-troubleshoot.md).
## Clean up resources
You did these things:
You're ready to configure the application for single sign-on. Use the following link to choose a single sign-on method and to find single sign-on tutorials. > [!div class="nextstepaction"]
-> [Configure single sign-on](../manage-apps/sso-options.md#choosing-a-single-sign-on-method)
+> [Configure single sign-on](../manage-apps/sso-options.md#choosing-a-single-sign-on-method)
active-directory Application Proxy Configure Custom Home Page https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/app-proxy/application-proxy-configure-custom-home-page.md
Create the home page URL, and update your app with that value. Continue using th
## Next steps -- [Enable remote access to SharePoint with Azure AD Application Proxy](../manage-apps/application-proxy-integrate-with-sharepoint-server.md)-- [Tutorial: Add an on-premises application for remote access through Application Proxy in Azure Active Directory](application-proxy-add-on-premises-application.md)
+- [Enable remote access to SharePoint with Azure AD Application Proxy](./application-proxy-integrate-with-sharepoint-server.md)
+- [Tutorial: Add an on-premises application for remote access through Application Proxy in Azure Active Directory](application-proxy-add-on-premises-application.md)
active-directory Application Proxy Connectors https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/app-proxy/application-proxy-connectors.md
You may experience downtime when your connector updates if:
- You only have one connector we recommend you install a second connector and [create a connector group](application-proxy-connector-groups.md). This will avoid downtime and provide higher availability. - A connector was in the middle of a transaction when the update began. Although the initial transaction is lost, your browser should automatically retry the operation or you can refresh your page. When the request is resent, the traffic is routed to a backup connector.
-To see information about previously released versions and what changes they include, see [Application Proxy- Version Release History](../manage-apps/application-proxy-release-version-history.md).
+To see information about previously released versions and what changes they include, see [Application Proxy- Version Release History](./application-proxy-release-version-history.md).
## Creating connector groups
Connectors can be installed anywhere on the network that allows them to send req
Connectors only send outbound requests. The outbound traffic is sent to the Application Proxy service and to the published applications. You don't have to open inbound ports because traffic flows both ways once a session is established. You also don't have to configure inbound access through your firewalls.
-For more information about configuring outbound firewall rules, see [Work with existing on-premises proxy servers](../manage-apps/application-proxy-configure-connectors-with-proxy-servers.md).
+For more information about configuring outbound firewall rules, see [Work with existing on-premises proxy servers](./application-proxy-configure-connectors-with-proxy-servers.md).
## Performance and scalability
Register-AppProxyConnector -EnvironmentName "AzureCloud"
For government, use `-EnvironmentName "AzureUSGovernment"`. For more details, see [Install Agent for the Azure Government Cloud](../hybrid/reference-connect-government-cloud.md#install-the-agent-for-the-azure-government-cloud).
-To learn more about how to verify the certificate and troubleshoot problems see [Verify Machine and backend components support for Application Proxy trust certificate](../manage-apps/application-proxy-connector-installation-problem.md#verify-machine-and-backend-components-support-for-application-proxy-trust-certificate).
+To learn more about how to verify the certificate and troubleshoot problems see [Verify Machine and backend components support for Application Proxy trust certificate](./application-proxy-connector-installation-problem.md#verify-machine-and-backend-components-support-for-application-proxy-trust-certificate).
## Under the hood
You can examine the state of the service in the Services window. The connector i
## Next steps - [Publish applications on separate networks and locations using connector groups](application-proxy-connector-groups.md)-- [Work with existing on-premises proxy servers](../manage-apps/application-proxy-configure-connectors-with-proxy-servers.md)-- [Troubleshoot Application Proxy and connector errors](../manage-apps/application-proxy-troubleshoot.md)-- [How to silently install the Azure AD Application Proxy Connector](../manage-apps/application-proxy-register-connector-powershell.md)
+- [Work with existing on-premises proxy servers](./application-proxy-configure-connectors-with-proxy-servers.md)
+- [Troubleshoot Application Proxy and connector errors](./application-proxy-troubleshoot.md)
+- [How to silently install the Azure AD Application Proxy Connector](./application-proxy-register-connector-powershell.md)
active-directory Application Proxy High Availability Load Balancing https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/app-proxy/application-proxy-high-availability-load-balancing.md
Refer to your software vendor's documentation to understand the load-balancing r
- [Enable Application Proxy](application-proxy-add-on-premises-application.md) - [Enable single-sign on](application-proxy-configure-single-sign-on-with-kcd.md)-- [Enable Conditional Access](../manage-apps/application-proxy-integrate-with-sharepoint-server.md)
+- [Enable Conditional Access](./application-proxy-integrate-with-sharepoint-server.md)
- [Troubleshoot issues you're having with Application Proxy](application-proxy-troubleshoot.md) - [Learn how Azure AD architecture supports high availability](../fundamentals/active-directory-architecture.md)
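Review bot: The updated "Enable Conditional Access" item points at `./application-proxy-integrate-with-sharepoint-server.md`, so the link text and the target do not match; the path fix carries the mismatch forward unchanged. Either link to the Conditional Access article or rename the item to describe the SharePoint integration article. The same text and target pair is also carried through in the network-topology and troubleshoot articles in this update.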
active-directory Application Proxy Network Topology https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/app-proxy/application-proxy-network-topology.md
You can also consider using one other variant in this situation. If most users i
- [Enable Application Proxy](application-proxy-add-on-premises-application.md) - [Enable single-sign on](application-proxy-configure-single-sign-on-with-kcd.md)-- [Enable Conditional Access](../manage-apps/application-proxy-integrate-with-sharepoint-server.md)-- [Troubleshoot issues you're having with Application Proxy](application-proxy-troubleshoot.md)
+- [Enable Conditional Access](./application-proxy-integrate-with-sharepoint-server.md)
+- [Troubleshoot issues you're having with Application Proxy](application-proxy-troubleshoot.md)
active-directory Application Proxy Troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/app-proxy/application-proxy-troubleshoot.md
# Troubleshoot Application Proxy problems and error messages
-When troubleshooting Application Proxy issues, we recommend you start with reviewing the troubleshooting flow, [Debug Application Proxy Connector issues](../manage-apps/application-proxy-debug-connectors.md), to determine if Application Proxy connectors are configured correctly. If you're still having trouble connecting to the application, follow the troubleshooting flow in [Debug Application Proxy application issues](../manage-apps/application-proxy-debug-apps.md).
+When troubleshooting Application Proxy issues, we recommend you start with reviewing the troubleshooting flow, [Debug Application Proxy Connector issues](./application-proxy-debug-connectors.md), to determine if Application Proxy connectors are configured correctly. If you're still having trouble connecting to the application, follow the troubleshooting flow in [Debug Application Proxy application issues](./application-proxy-debug-apps.md).
If errors occur in accessing a published application or in publishing applications, check the following options to see if Microsoft Azure AD Application Proxy is working correctly:
This list covers errors that your end users might encounter when they try to acc
| This corporate app can’t be accessed. You are not authorized to access this application. Authorization failed. Make sure to assign the user with access to this application. | Your user may get this error when trying to access the app you published if they use Microsoft accounts instead of their corporate account to sign in. Guest users may also get this error. Microsoft Account users and guests cannot access IWA applications. Make sure the user signs in using their corporate account that matches the domain of the published application.<br><br>You may not have assigned the user for this application. Go to the **Application** tab, and under **Users and Groups**, assign this user or user group to this application. | | This corporate app can’t be accessed right now. Please try again later…The connector timed out. | Your user may get this error when trying to access the app you published if they are not properly defined for this application on the on-premises side. Make sure that your users have the proper permissions as defined for this backend application on the on premises machine. | | This corporate app can’t be accessed. You are not authorized to access this application. Authorization failed. Make sure that the user has a license for Azure Active Directory Premium. | Your user may get this error when trying to access the app you published if they weren't explicitly assigned with a Premium license by the subscriber’s administrator. Go to the subscriber’s Active Directory **Licenses** tab and make sure that this user or user group is assigned a Premium license. |
-| A server with the specified host name could not be found. | Your user may get this error when trying to access the app you published if the application's custom domain is not configured correctly. Make sure you've uploaded a certificate for the domain and configured the DNS record correctly by following the steps in [Working with custom domains in Azure AD Application Proxy](../manage-apps/application-proxy-configure-custom-domain.md) |
+| A server with the specified host name could not be found. | Your user may get this error when trying to access the app you published if the application's custom domain is not configured correctly. Make sure you've uploaded a certificate for the domain and configured the DNS record correctly by following the steps in [Working with custom domains in Azure AD Application Proxy](./application-proxy-configure-custom-domain.md) |
|Forbidden: This corporate app can't be accessed OR The user could not be authorized. Make sure the user is defined in your on-premises AD and that the user has access to the app in your on-premises AD. | This could be a problem with access to authorization information, see [Some applications and APIs require access to authorization information on account objects]( https://support.microsoft.com/help/331951/some-applications-and-apis-require-access-to-authorization-information). In a nutshell, add the app proxy connector machine account to the "Windows Authorization Access Group" builtin domain group to resolve. | ## My error wasn't listed here
If you encounter an error or problem with Azure AD Application Proxy that isn't
* [Enable Application Proxy for Azure Active Directory](application-proxy-add-on-premises-application.md) * [Publish applications with Application Proxy](application-proxy-add-on-premises-application.md) * [Enable single sign-on](application-proxy-configure-single-sign-on-with-kcd.md)
-* [Enable Conditional Access](../manage-apps/application-proxy-integrate-with-sharepoint-server.md)
+* [Enable Conditional Access](./application-proxy-integrate-with-sharepoint-server.md)
<!--Image references--> [1]: ./media/application-proxy-troubleshoot/connectorproperties.png
-[2]: ./media/active-directory-application-proxy-troubleshoot/sessionlog.png
+[2]: ./media/active-directory-application-proxy-troubleshoot/sessionlog.png
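Review bot: Image reference `[2]` resolves under `./media/active-directory-application-proxy-troubleshoot/` while `[1]` two lines above it uses `./media/application-proxy-troubleshoot/`, and this line is touched without reconciling the two. With the other links in this file being repointed to the app-proxy folder, confirm that `sessionlog.png` exists at the longer path, or move it next to `connectorproperties.png` and update the reference.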
active-directory Application Proxy Wildcard https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/app-proxy/application-proxy-wildcard.md
To get started, make sure you've met these requirements.
### Custom domains
-While [custom domains](../manage-apps/application-proxy-configure-custom-domain.md) are optional for all other applications, they are a prerequisite for wildcard applications. Creating custom domains requires you to:
+While [custom domains](./application-proxy-configure-custom-domain.md) are optional for all other applications, they are a prerequisite for wildcard applications. Creating custom domains requires you to:
1. Create a verified domain within Azure. 1. Upload a TLS/SSL certificate in the PFX format to your application proxy.
The wildcard application is represented with just one tile in the [MyApps panel]
### Kerberos constrained delegation
-For applications using [kerberos constrained delegation (KCD) as the SSO method](../manage-apps/application-proxy-configure-single-sign-on-with-kcd.md), the SPN listed for the SSO method may also need a wildcard. For example, the SPN could be: `HTTP/*.adventure-works.com`. You still need to have the individual SPNs configured on your backend servers (for example, `HTTP/expenses.adventure-works.com and HTTP/travel.adventure-works.com`).
+For applications using [kerberos constrained delegation (KCD) as the SSO method](./application-proxy-configure-single-sign-on-with-kcd.md), the SPN listed for the SSO method may also need a wildcard. For example, the SPN could be: `HTTP/*.adventure-works.com`. You still need to have the individual SPNs configured on your backend servers (for example, `HTTP/expenses.adventure-works.com and HTTP/travel.adventure-works.com`).
## Scenario 1: General wildcard application
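Review bot: In the Kerberos constrained delegation paragraph, the example wraps both SPNs and the word "and" in a single code span (`HTTP/expenses.adventure-works.com and HTTP/travel.adventure-works.com`), which reads as one SPN value. Split it into two code spans so each SPN can be copied on its own, and capitalise "Kerberos" in the link text while the line is being touched.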
If you have multiple applications published for finance and you have `finance.ad
## Next steps -- To learn more about **Custom domains**, see [Working with custom domains in Azure AD Application Proxy](../manage-apps/application-proxy-configure-custom-domain.md).-- To learn more about **Publishing applications**, see [Publish applications using Azure AD Application Proxy](application-proxy-add-on-premises-application.md)
+- To learn more about **Custom domains**, see [Working with custom domains in Azure AD Application Proxy](./application-proxy-configure-custom-domain.md).
+- To learn more about **Publishing applications**, see [Publish applications using Azure AD Application Proxy](application-proxy-add-on-premises-application.md)
active-directory Application Proxy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/app-proxy/application-proxy.md
Application Proxy is a feature of Azure AD that enables users to access on-premi
Application Proxy works with:
-* Web applications that use [Integrated Windows Authentication](../manage-apps/application-proxy-configure-single-sign-on-with-kcd.md) for authentication
-* Web applications that use form-based or [header-based](../manage-apps/application-proxy-configure-single-sign-on-with-headers.md) access
+* Web applications that use [Integrated Windows Authentication](./application-proxy-configure-single-sign-on-with-kcd.md) for authentication
+* Web applications that use form-based or [header-based](./application-proxy-configure-single-sign-on-with-headers.md) access
* Web APIs that you want to expose to rich applications on different devices
-* Applications hosted behind a [Remote Desktop Gateway](../manage-apps/application-proxy-integrate-with-remote-desktop-services.md)
+* Applications hosted behind a [Remote Desktop Gateway](./application-proxy-integrate-with-remote-desktop-services.md)
* Rich client apps that are integrated with the Microsoft Authentication Library (MSAL) Application Proxy supports single sign-on. For more information on supported methods, see [Choosing a single sign-on method](../manage-apps/sso-options.md#choosing-a-single-sign-on-method).
active-directory What Is Application Proxy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/app-proxy/what-is-application-proxy.md
There are several ways to configure an application for single sign-on and the me
App Proxy works with apps that use the following native authentication protocol:
-* **[Integrated Windows Authentication (IWA)](../manage-apps/application-proxy-configure-single-sign-on-with-kcd.md).** For IWA, the Application Proxy connectors use Kerberos Constrained Delegation (KCD) to authenticate users to the Kerberos application.
+* **[Integrated Windows Authentication (IWA)](./application-proxy-configure-single-sign-on-with-kcd.md).** For IWA, the Application Proxy connectors use Kerberos Constrained Delegation (KCD) to authenticate users to the Kerberos application.
App Proxy also supports the following authentication protocols with third-party integration or in specific configuration scenarios:
-* [**Header-based authentication**](../manage-apps/application-proxy-configure-single-sign-on-with-headers.md). This sign-on method uses a third-party authentication service called PingAccess and is used when the application uses headers for authentication. In this scenario, authentication is handled by PingAccess.
-* [**Forms- or password-based authentication**](../manage-apps/application-proxy-configure-single-sign-on-password-vaulting.md). With this authentication method, users sign on to the application with a username and password the first time they access it. After the first sign-on, Azure AD supplies the username and password to the application. In this scenario, authentication is handled by Azure AD.
-* [**SAML authentication**](../manage-apps/application-proxy-configure-single-sign-on-on-premises-apps.md). SAML-based single sign-on is supported for applications that use either SAML 2.0 or WS-Federation protocols. With SAML single sign-on, Azure AD authenticates to the application by using the user's Azure AD account.
+* [**Header-based authentication**](./application-proxy-configure-single-sign-on-with-headers.md). This sign-on method uses a third-party authentication service called PingAccess and is used when the application uses headers for authentication. In this scenario, authentication is handled by PingAccess.
+* [**Forms- or password-based authentication**](./application-proxy-configure-single-sign-on-password-vaulting.md). With this authentication method, users sign on to the application with a username and password the first time they access it. After the first sign-on, Azure AD supplies the username and password to the application. In this scenario, authentication is handled by Azure AD.
+* [**SAML authentication**](./application-proxy-configure-single-sign-on-on-premises-apps.md). SAML-based single sign-on is supported for applications that use either SAML 2.0 or WS-Federation protocols. With SAML single sign-on, Azure AD authenticates to the application by using the user's Azure AD account.
For more information on supported methods, see [Choosing a single sign-on method](../manage-apps/sso-options.md#choosing-a-single-sign-on-method).
For more information on supported methods, see [Choosing a single sign-on method
The remote access solution offered by Application Proxy and Azure AD support several security benefits customers may take advantage of, including:
-* **Authenticated access**. Application Proxy is best suited to publish applications with [pre-authentication](../manage-apps/application-proxy-security.md#authenticated-access) to ensure that only authenticated connections hit your network. For applications published with pre-authentication, no traffic is allowed to pass through the App Proxy service to your on-premises environment, without a valid token. Pre-authentication, by its very nature, blocks a significant number of targeted attacks, as only authenticated identities can access the backend application.
-* **Conditional Access**. Richer policy controls can be applied before connections to your network are established. With Conditional Access, you can define restrictions on the traffic that you allow to hit your backend application. You create policies that restrict sign-ins based on location, strength of authentication, and user risk profile. As Conditional Access evolves, more controls are being added to provide additional security such as integration with Microsoft Cloud App Security (MCAS). MCAS integration enables you to configure an on-premises application for [real-time monitoring](../manage-apps/application-proxy-integrate-with-microsoft-cloud-application-security.md) by leveraging Conditional Access to monitor and control sessions in real-time based on Conditional Access policies.
+* **Authenticated access**. Application Proxy is best suited to publish applications with [pre-authentication](./application-proxy-security.md#authenticated-access) to ensure that only authenticated connections hit your network. For applications published with pre-authentication, no traffic is allowed to pass through the App Proxy service to your on-premises environment, without a valid token. Pre-authentication, by its very nature, blocks a significant number of targeted attacks, as only authenticated identities can access the backend application.
+* **Conditional Access**. Richer policy controls can be applied before connections to your network are established. With Conditional Access, you can define restrictions on the traffic that you allow to hit your backend application. You create policies that restrict sign-ins based on location, strength of authentication, and user risk profile. As Conditional Access evolves, more controls are being added to provide additional security such as integration with Microsoft Cloud App Security (MCAS). MCAS integration enables you to configure an on-premises application for [real-time monitoring](./application-proxy-integrate-with-microsoft-cloud-application-security.md) by leveraging Conditional Access to monitor and control sessions in real-time based on Conditional Access policies.
* **Traffic termination**. All traffic to the backend application is terminated at the Application Proxy service in the cloud while the session is re-established with the backend server. This connection strategy means that your backend servers are not exposed to direct HTTP traffic. They are better protected against targeted DoS (denial-of-service) attacks because your firewall isn't under attack. * **All access is outbound**. The Application Proxy connectors only use outbound connections to the Application Proxy service in the cloud over ports 80 and 443. With no inbound connections, there's no need to open firewall ports for incoming connections or components in the DMZ. All connections are outbound and over a secure channel. * **Security Analytics and Machine Learning (ML) based intelligence**. Because it's part of Azure Active Directory, Application Proxy can leverage [Azure AD Identity Protection](../identity-protection/overview-identity-protection.md) (requires [Premium P2 licensing](https://azure.microsoft.com/pricing/details/active-directory/)). Azure AD Identity Protection combines machine-learning security intelligence with data feeds from Microsoft's [Digital Crimes Unit](https://news.microsoft.com/stories/cybercrime/https://docsupdatetracker.net/index.html) and [Microsoft Security Response Center](https://www.microsoft.com/msrc) to proactively identify compromised accounts. Identity Protection offers real-time protection from high-risk sign-ins. It takes into consideration factors like accesses from infected devices, through anonymizing networks, or from atypical and unlikely locations to increase the risk profile of a session. This risk profile is used for real-time protection. Many of these reports and events are already available through an API for integration with your SIEM systems.
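Review bot: The last sentence of the Conditional Access bullet is circular: it says MCAS monitoring works "by leveraging Conditional Access to monitor and control sessions in real-time based on Conditional Access policies". State once that session monitoring is driven by Conditional Access policies. In the unchanged Security Analytics bullet, the Digital Crimes Unit link target as rendered here is two URLs run together (`https://news.microsoft.com/stories/cybercrime/https://docsupdatetracker.net/index.html`); verify the target in the source file.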
The following diagram illustrates in general how Azure AD authentication service
1. After the user has accessed the application through an endpoint, the user is redirected to the Azure AD sign-in page. If you've configured Conditional Access policies, specific conditions are checked at this time to ensure that you comply with your organization's security requirements. 2. After a successful sign-in, Azure AD sends a token to the user's client device. 3. The client sends the token to the Application Proxy service, which retrieves the user principal name (UPN) and security principal name (SPN) from the token.
-4. Application Proxy forwards the request, which is picked up by the Application Proxy [connector](../manage-apps/application-proxy-connectors.md).
+4. Application Proxy forwards the request, which is picked up by the Application Proxy [connector](./application-proxy-connectors.md).
5. The connector performs any additional authentication required on behalf of the user (*Optional depending on authentication method*), requests the internal endpoint of the application server and sends the request to the on-premises application. 6. The response from the application server is sent through the connector to the Application Proxy service. 7. The response is sent from the Application Proxy service to the user.
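Review bot: Step 3 in the unchanged context expands SPN as "security principal name", but the Kerberos constrained delegation material in this content set uses SPN for the service principal name registered for the backend (for example `HTTP/*.adventure-works.com`). Correct the expansion while this list is being edited, since the value the proxy reads from the token feeds the KCD step that follows.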
The following diagram illustrates in general how Azure AD authentication service
|Endpoint|The endpoint is a URL or an [end-user portal](../manage-apps/end-user-experiences.md). Users can reach applications while outside of your network by accessing an external URL. Users within your network can access the application through a URL or an end-user portal. When users go to one of these endpoints, they authenticate in Azure AD and then are routed through the connector to the on-premises application.| |Azure AD|Azure AD performs the authentication using the tenant directory stored in the cloud.| |Application Proxy service|This Application Proxy service runs in the cloud as part of Azure AD. It passes the sign-on token from the user to the Application Proxy Connector. Application Proxy forwards any accessible headers on the request and sets the headers as per its protocol, to the client IP address. If the incoming request to the proxy already has that header, the client IP address is added to the end of the comma-separated list that is the value of the header.|
-|Application Proxy connector|The connector is a lightweight agent that runs on a Windows Server inside your network. The connector manages communication between the Application Proxy service in the cloud and the on-premises application. The connector only uses outbound connections, so you don't have to open any inbound ports or put anything in the DMZ. The connectors are stateless and pull information from the cloud as necessary. For more information about connectors, like how they load-balance and authenticate, see [Understand Azure AD Application Proxy connectors](../manage-apps/application-proxy-connectors.md).|
+|Application Proxy connector|The connector is a lightweight agent that runs on a Windows Server inside your network. The connector manages communication between the Application Proxy service in the cloud and the on-premises application. The connector only uses outbound connections, so you don't have to open any inbound ports or put anything in the DMZ. The connectors are stateless and pull information from the cloud as necessary. For more information about connectors, like how they load-balance and authenticate, see [Understand Azure AD Application Proxy connectors](./application-proxy-connectors.md).|
|Active Directory (AD)|Active Directory runs on-premises to perform authentication for domain accounts. When single sign-on is configured, the connector communicates with AD to perform any additional authentication required.| |On-premises application|Finally, the user is able to access an on-premises application.|
-Azure AD Application Proxy consists of the cloud-based Application Proxy service and an on-premises connector. The connector listens for requests from the Application Proxy service and handles connections to the internal applications. It's important to note that all communications occur over TLS, and always originate at the connector to the Application Proxy service. That is, communications are outbound only. The connector uses a client certificate to authenticate to the Application Proxy service for all calls. The only exception to the connection security is the initial setup step where the client certificate is established. See the Application Proxy [Under the hood](../manage-apps/application-proxy-security.md#under-the-hood) for more details.
+Azure AD Application Proxy consists of the cloud-based Application Proxy service and an on-premises connector. The connector listens for requests from the Application Proxy service and handles connections to the internal applications. It's important to note that all communications occur over TLS, and always originate at the connector to the Application Proxy service. That is, communications are outbound only. The connector uses a client certificate to authenticate to the Application Proxy service for all calls. The only exception to the connection security is the initial setup step where the client certificate is established. See the Application Proxy [Under the hood](./application-proxy-security.md#under-the-hood) for more details.
### Application Proxy Connectors
-[Application Proxy connectors](../manage-apps/application-proxy-connectors.md) are lightweight agents deployed on-premises that facilitate the outbound connection to the Application Proxy service in the cloud. The connectors must be installed on a Windows Server that has access to the backend application. Users connect to the App Proxy cloud service that routes their traffic to the apps via the connectors as illustrated below.
+[Application Proxy connectors](./application-proxy-connectors.md) are lightweight agents deployed on-premises that facilitate the outbound connection to the Application Proxy service in the cloud. The connectors must be installed on a Windows Server that has access to the backend application. Users connect to the App Proxy cloud service that routes their traffic to the apps via the connectors as illustrated below.
![Azure AD Application Proxy network connections](media/what-is-application-proxy/azure-ad-application-proxy-network-connections.png)
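Review bot: The architecture paragraph says the connector "listens for requests from the Application Proxy service" and, two sentences later, that "communications are outbound only". Readers planning firewall rules can take "listens" to mean an inbound listening port, so reword it to say the connector receives requests over the outbound connection it opened (the setup steps further down already put "listen" in quotation marks). In the Application Proxy service table row, the text refers to "that header" carrying the client IP address without ever naming it; name the header so application owners know which value to log and parse.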
Setup and registration between a connector and the App Proxy service is accompli
3. The connector starts to "listen" to the App Proxy service. 4. The admin adds the on-premises application to Azure AD and configures settings such as the URLs users need to connect to their apps.
-For more information, see [Plan an Azure AD Application Proxy deployment](../manage-apps/application-proxy-deployment-plan.md).
+For more information, see [Plan an Azure AD Application Proxy deployment](./application-proxy-deployment-plan.md).
It's recommended that you always deploy multiple connectors for redundancy and scale. The connectors, in conjunction with the service, take care of all the high availability tasks and can be added or removed dynamically. Each time a new request arrives it's routed to one of the connectors that is available. When a connector is running, it remains active as it connects to the service. If a connector is temporarily unavailable, it doesn't respond to this traffic. Unused connectors are tagged as inactive and removed after 10 days of inactivity. Connectors also poll the server to find out if there is a newer version of the connector. Although you can do a manual update, connectors will update automatically as long as the Application Proxy Connector Updater service is running. For tenants with multiple connectors, the automatic updates target one connector at a time in each group to prevent downtime in your environment. > [!NOTE]
-> You can monitor the Application Proxy [version history page](../manage-apps/application-proxy-release-version-history.md) to be notified when updates have been released by subscribing to its RSS feed.
+> You can monitor the Application Proxy [version history page](./application-proxy-release-version-history.md) to be notified when updates have been released by subscribing to its RSS feed.
-Each Application Proxy connector is assigned to a [connector group](../manage-apps/application-proxy-connector-groups.md). Connectors in the same connector group act as a single unit for high availability and load balancing. You can create new groups, assign connectors to them in the Azure portal, then assign specific connectors to serve specific applications. It's recommended to have at least two connectors in each connector group for high availability.
+Each Application Proxy connector is assigned to a [connector group](./application-proxy-connector-groups.md). Connectors in the same connector group act as a single unit for high availability and load balancing. You can create new groups, assign connectors to them in the Azure portal, then assign specific connectors to serve specific applications. It's recommended to have at least two connectors in each connector group for high availability.
Connector groups are useful when you need to support the following scenarios:
For more information about choosing where to install your connectors and optimiz
Up to this point, we've focused on using Application Proxy to publish on-premises apps externally while enabling single sign-on to all your cloud and on-premises apps. However, there are other use cases for App Proxy that are worth mentioning. They include:
-* **Securely publish REST APIs**. When you have business logic or APIs running on-premises or hosted on virtual machines in the cloud, Application Proxy provides a public endpoint for API access. API endpoint access lets you control authentication and authorization without requiring incoming ports. It provides additional security through Azure AD Premium features such as multi-factor authentication and device-based Conditional Access for desktops, iOS, MAC, and Android devices using Intune. To learn more, see [How to enable native client applications to interact with proxy applications](../manage-apps/application-proxy-configure-native-client-application.md) and [Protect an API by using OAuth 2.0 with Azure Active Directory and API Management](../../api-management/api-management-howto-protect-backend-with-aad.md).
-* **Remote Desktop Services** **(RDS)**. Standard RDS deployments require open inbound connections. However, the [RDS deployment with Application Proxy](../manage-apps/application-proxy-integrate-with-remote-desktop-services.md) has a permanent outbound connection from the server running the connector service. This way, you can offer more applications to end users by publishing on-premises applications through Remote Desktop Services. You can also reduce the attack surface of the deployment with a limited set of two-step verification and Conditional Access controls to RDS.
-* **Publish applications that connect using WebSockets**. Support with [Qlik Sense](/azure/active-directory/app-proxy/application-proxy-qlik) is in Public Preview and will be expanded to other apps in the future.
-* **Enable native client applications to interact with proxy applications**. You can use Azure AD Application Proxy to publish web apps, but it also can be used to publish [native client applications](../manage-apps/application-proxy-configure-native-client-application.md) that are configured with the Azure AD Authentication Library (ADAL). Native client applications differ from web apps because they're installed on a device, while web apps are accessed through a browser.
+* **Securely publish REST APIs**. When you have business logic or APIs running on-premises or hosted on virtual machines in the cloud, Application Proxy provides a public endpoint for API access. API endpoint access lets you control authentication and authorization without requiring incoming ports. It provides additional security through Azure AD Premium features such as multi-factor authentication and device-based Conditional Access for desktops, iOS, MAC, and Android devices using Intune. To learn more, see [How to enable native client applications to interact with proxy applications](./application-proxy-configure-native-client-application.md) and [Protect an API by using OAuth 2.0 with Azure Active Directory and API Management](../../api-management/api-management-howto-protect-backend-with-aad.md).
+* **Remote Desktop Services** **(RDS)**. Standard RDS deployments require open inbound connections. However, the [RDS deployment with Application Proxy](./application-proxy-integrate-with-remote-desktop-services.md) has a permanent outbound connection from the server running the connector service. This way, you can offer more applications to end users by publishing on-premises applications through Remote Desktop Services. You can also reduce the attack surface of the deployment with a limited set of two-step verification and Conditional Access controls to RDS.
+* **Publish applications that connect using WebSockets**. Support with [Qlik Sense](./application-proxy-qlik.md) is in Public Preview and will be expanded to other apps in the future.
+* **Enable native client applications to interact with proxy applications**. You can use Azure AD Application Proxy to publish web apps, but it also can be used to publish [native client applications](./application-proxy-configure-native-client-application.md) that are configured with the Azure AD Authentication Library (ADAL). Native client applications differ from web apps because they're installed on a device, while web apps are accessed through a browser.
## Conclusion
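Review bot: The native client bullet still describes apps "configured with the Azure AD Authentication Library (ADAL)", while application-proxy.md in this same batch lists rich client apps integrated with the Microsoft Authentication Library (MSAL). Align the library name across the two articles. In the REST API bullet, "MAC" is capitalised like an acronym next to iOS and Android and should be the platform name, and the RDS bullet heading is split into two bold runs (`**Remote Desktop Services** **(RDS)**`) that can be merged.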
Organizations should begin taking advantage of App Proxy today to take advantage
## Next steps
-* For information about planning, operating, and managing Azure AD Application Proxy, see [Plan an Azure AD Application Proxy deployment](../manage-apps/application-proxy-deployment-plan.md).
-* To schedule a live demo or get a free 90-day trial for evaluation, see [Getting started with Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security-trial).
+* For information about planning, operating, and managing Azure AD Application Proxy, see [Plan an Azure AD Application Proxy deployment](./application-proxy-deployment-plan.md).
+* To schedule a live demo or get a free 90-day trial for evaluation, see [Getting started with Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security-trial).
active-directory Whats New Docs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/app-proxy/whats-new-docs.md
Welcome to what's new in Azure Active Directory application proxy documentation.
## April 2021
-Application proxy content has moved out of the [application management content set](/azure/active-directory/manage-apps/) and into its own content set.
+Application proxy content has moved out of the [application management content set](../manage-apps/index.yml) and into its own content set.
## March 2021
active-directory Concept Authentication Passwordless https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/authentication/concept-authentication-passwordless.md
Previously updated : 05/07/2021 Last updated : 06/10/2021
The following process is used when a user signs in with a FIDO2 security key:
While there are many keys that are FIDO2 certified by the FIDO Alliance, Microsoft requires some optional extensions of the FIDO2 Client-to-Authenticator Protocol (CTAP) specification to be implemented by the vendor to ensure maximum security and the best experience.
-A security key **MUST** implement the following features and extensions from the FIDO2 CTAP protocol to be Microsoft-compatible:
+A security key **must** implement the following features and extensions from the FIDO2 CTAP protocol to be Microsoft-compatible. For more information, see the [Client to Authenticator Protocol](https://fidoalliance.org/specs/fido-v2.1-rd-20210309/fido-client-to-authenticator-protocol-v2.1-rd-20210309.html).
| # | Feature / Extension trust | Why is this feature or extension required? | | | | |
-| 1 | Resident key | This feature enables the security key to be portable, where your credential is stored on the security key. |
-| 2 | Client pin | This feature enables you to protect your credentials with a second factor and applies to security keys that do not have a user interface. |
+| 1 | Resident/Discoverable key | This feature enables the security key to be portable, where your credential is stored on the security key and is discoverable which makes usernameless flows possible. |
+| 2 | Client pin | This feature enables you to protect your credentials with a second factor and applies to security keys that do not have a user interface.<br>Both [PIN protocol 1](https://fidoalliance.org/specs/fido-v2.1-rd-20210309/fido-client-to-authenticator-protocol-v2.1-rd-20210309.html#pinProto1) and [PIN protocol 2](https://fidoalliance.org/specs/fido-v2.1-rd-20210309/fido-client-to-authenticator-protocol-v2.1-rd-20210309.html#pinProto2) **must** be implemented. |
| 3 | hmac-secret | This extension ensures you can sign in to your device when it's off-line or in airplane mode. | | 4 | Multiple accounts per RP | This feature ensures you can use the same security key across multiple services like Microsoft Account and Azure Active Directory. |
+| 5 | Credential Management | This feature allows users to manage their credentials on security keys on platforms and applies to security keys that do not have this capability built-in. |
+| 6 | Bio Enrollment | This feature allows users to enroll their biometrics on their authenticators and applies to security keys that do not have this capability built in.<br> Authenticator **must** implement [authenicatorBioEnrollment](https://fidoalliance.org/specs/fido-v2.1-rd-20210309/fido-client-to-authenticator-protocol-v2.1-rd-20210309.html#authenticatorBioEnrollment) command for this feature. Authenticator vendors are highly encouraged to implement [userVerificationMgmtPreview](https://fidoalliance.org/specs/fido-v2.1-rd-20210309/fido-client-to-authenticator-protocol-v2.1-rd-20210309.html#prototypeAuthenticatorBioEnrollment) command also so that users can enroll bio templates it on all previous OS versions. |
+| 7 | pinUvAuthToken | This feature allows platform to have auth tokens using PIN or BIO match which helps in better user experience when multiple credentials are present on the authenticator. |
+| 8 | forcePinChange | This feature allows enterprises to ask users to change their PIN in remote deployments. |
+| 9 | setMinPINLength | This feature allows enterprises to have custom minimum PIN length for their users. Authenticator MUST implement minPinLength extension also. |
+| 10 | alwaysUV | This feature allows enterprises or users to always require user verification to use this security key. Authenticator MUST implement toggleAlwaysUv subcommand. |
+| 11 | credBlob | This extension allows websites to store small information along with the security key. |
### FIDO2 security key providers
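Review bot: Row 6 of the requirements table spells the command link text `authenicatorBioEnrollment`, while the anchor it points to is `#authenticatorBioEnrollment`; fix the spelling, and remove the stray "it" in "enroll bio templates it on all previous OS versions". The intro and rows 2 and 6 use bold lowercase **must**, but rows 9 and 10 use plain uppercase MUST, so pick one form for normative requirements. Row 11 ("store small information along with the security key") should say that the data is stored with the credential on the key, and the column header "Feature / Extension trust" carries a trailing "trust" that looks unintended.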
The following providers offer FIDO2 security keys of different form factors that
> [!NOTE] > If you purchase and plan to use NFC-based security keys, you need a supported NFC reader for the security key. The NFC reader isn't an Azure requirement or limitation. Check with the vendor for your NFC-based security key for a list of supported NFC readers.
-If you're a vendor and want to get your device on this list of supported devices, check out our guidance on how to [become a Microsoft-compatible FIDO2 security key vendor](https://docs.microsoft.com/security/zero-trust/isv/fido2-hardware-vendor).
+If you're a vendor and want to get your device on this list of supported devices, check out our guidance on how to [become a Microsoft-compatible FIDO2 security key vendor](/security/zero-trust/isv/fido2-hardware-vendor).
To get started with FIDO2 security keys, complete the following how-to:
The following considerations apply:
- Microsoft Authenticator App: Works in scenarios where Azure AD authentication is used, including across all browsers, during Windows 10 setup, and with integrated mobile apps on any operating system. - Security keys: Work on lock screen for Windows 10 and the web in supported browsers like Microsoft Edge (both legacy and new Edge). -- Users can use passwordless credentials to access resources in tenants where they are a guest, but they may still be required to perform MFA in that resource tenant. For more information, see [Possible double multi-factor authentication](https://docs.microsoft.com/azure/active-directory/external-identities/current-limitations#possible-double-multi-factor-authentication).
+- Users can use passwordless credentials to access resources in tenants where they are a guest, but they may still be required to perform MFA in that resource tenant. For more information, see [Possible double multi-factor authentication](../external-identities/current-limitations.md#possible-double-multi-factor-authentication).
- Users may not register passwordless credentials within a tenant where they are a guest, the same way that they do not have a password managed in that tenant.
To get started with passwordless in Azure AD, complete one of the following how-
### External Links * [FIDO Alliance](https://fidoalliance.org/)
-* [FIDO2 CTAP specification](https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-client-to-authenticator-protocol-v2.0-id-20180227.html)
+* [FIDO2 CTAP specification](https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-client-to-authenticator-protocol-v2.0-id-20180227.html)
active-directory Concept Resilient Controls https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/authentication/concept-resilient-controls.md
Undo the changes you made as part of the activated contingency plan once the ser
* [Azure AD Authentication Documentation](./howto-mfaserver-iis.md) * [Manage emergency-access administrative accounts in Azure AD](../roles/security-emergency-access.md)
-* [Configure named locations in Azure Active Directory](../reports-monitoring/quickstart-configure-named-locations.md)
+* [Configure named locations in Azure Active Directory](../conditional-access/location-condition.md)
* [Set-MsolDomainFederationSettings](/powershell/module/msonline/set-msoldomainfederationsettings) * [How to configure hybrid Azure Active Directory joined devices](../devices/hybrid-azuread-join-plan.md) * [Windows Hello for Business Deployment Guide](/windows/security/identity-protection/hello-for-business/hello-deployment-guide) * [Password Guidance - Microsoft Research](https://research.microsoft.com/pubs/265143/microsoft_password_guidance.pdf) * [What are conditions in Azure Active Directory Conditional Access?](../conditional-access/concept-conditional-access-conditions.md) * [What are access controls in Azure Active Directory Conditional Access?](../conditional-access/controls.md)
-* [What is Conditional Access report-only mode?](../conditional-access/concept-conditional-access-report-only.md)
+* [What is Conditional Access report-only mode?](../conditional-access/concept-conditional-access-report-only.md)
active-directory Concept Sspr Licensing https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/authentication/concept-sspr-licensing.md
The following table outlines the different SSPR scenarios for password change, r
For additional licensing information, including costs, see the following pages:
-* [Microsoft 365 licensing guidance for security & compliance](https://docs.microsoft.com/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance)
+* [Microsoft 365 licensing guidance for security & compliance](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance)
* [Azure Active Directory pricing](https://azure.microsoft.com/pricing/details/active-directory/) * [Azure Active Directory features and capabilities](https://www.microsoft.com/cloud-platform/azure-active-directory-features) * [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security)
active-directory Howto Authentication Passwordless Security Key https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/authentication/howto-authentication-passwordless-security-key.md
There are some optional settings for managing security keys per tenant.
**General** - **Allow self-service set up** should remain set to **Yes**. If set to no, your users will not be able to register a FIDO key through the MySecurityInfo portal, even if enabled by Authentication Methods policy. -- **Enforce attestation** setting to **Yes** requires the FIDO security key metadata to be published and verified with the FIDO Alliance Metadata Service, and also pass MicrosoftΓÇÖs additional set of validation testing. For more information, see [What is a Microsoft-compatible security key?](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key)
+- **Enforce attestation** setting to **Yes** requires the FIDO security key metadata to be published and verified with the FIDO Alliance Metadata Service, and also pass MicrosoftΓÇÖs additional set of validation testing. For more information, see [What is a Microsoft-compatible security key?](/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key)
**Key Restriction Policy**
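Review bot: The **Enforce attestation** bullet is being touched only for the link, but its sentence does not parse: "setting to **Yes** requires the FIDO security key metadata to be published and verified ..., and also pass" has no subject for "pass". Suggest rewording it in the same change, for example "Setting **Enforce attestation** to **Yes** requires the FIDO security key metadata to be published and verified with the FIDO Alliance Metadata Service, and the key to pass Microsoft's additional set of validation testing." Also check that the apostrophe in "Microsoft's" is a plain ASCII character in the source file.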
If a user's UPN changes, you can no longer modify FIDO2 security keys to account
[Learn more about device registration](../devices/overview.md)
-[Learn more about Azure AD Multi-Factor Authentication](../authentication/howto-mfa-getstarted.md)
+[Learn more about Azure AD Multi-Factor Authentication](../authentication/howto-mfa-getstarted.md)
active-directory Howto Authentication Sms Signin https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/authentication/howto-authentication-sms-signin.md
To complete this article, you need the following resources and privileges:
* [Enterprise Mobility + Security (EMS) E3 or E5][ems-licensing] or [Microsoft 365 (M365) E3 or E5][m365-licensing] * [Office 365 F3][o365-f3]
-## Limitations
+## Known issues
-The following limitations apply to SMS-based authentication:
+Here are some known issues:
* SMS-based authentication isn't currently compatible with Azure AD Multi-Factor Authentication. * Except for Teams, SMS-based authentication isn't compatible with native Office applications. * SMS-based authentication isn't recommended for B2B accounts. * Federated users won't authenticate in the home tenant. They only authenticate in the cloud.
+* If a user's default sign-in method is a text or call to your phone number, then the SMS code or voice call is sent automatically during multifactor authentication. As of June 2021, some apps will ask users to choose **Text** or **Call** first. This option prevents sending too many security codes for different apps. If the default sign-in method is the Microsoft Authenticator app ([which we highly recommend](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/it-s-time-to-hang-up-on-phone-transports-for-authentication/ba-p/1751752)), then the app notification is sent automatically.
## Enable the SMS-based authentication method
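Review bot: The new bullet under "Known issues" switches person mid-sentence: "If a user's default sign-in method is a text or call to your phone number". Use "their phone number". It also writes "multifactor authentication" where the first bullet of the same list uses "Multi-Factor Authentication"; pick one form. Separately, renaming the heading from "Limitations" to "Known issues" changes the section anchor, so check for inbound links to the old anchor, and consider whether the four existing bullets, which describe unsupported scenarios rather than defects, still fit under the new heading.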
active-directory Howto Authentication Use Email Signin https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/authentication/howto-authentication-use-email-signin.md
Here's what you need to know about email as an alternate login ID:
* The feature is available in Azure AD Free edition and higher. * The feature enables sign-in with verified domain *ProxyAddresses* for cloud-authenticated Azure AD users.
-* When a user signs in with a non-UPN email, the `unique_name` and `preferred_username` claims (if present) in the [ID token](https://docs.microsoft.com/azure/active-directory/develop/id-tokens) will have the value of the non-UPN email.
+* When a user signs in with a non-UPN email, the `unique_name` and `preferred_username` claims (if present) in the [ID token](../develop/id-tokens.md) will have the value of the non-UPN email.
* There are two options for configuring the feature: * [Home Realm Discovery (HRD) policy](#enable-user-sign-in-with-an-email-address) - Use this option to enable the feature for the entire tenant. Global administrator privileges required. * [Staged rollout policy](#enable-staged-rollout-to-test-user-sign-in-with-an-email-address) - Use this option to test the feature with specific Azure AD groups. Global administrator privileges required.
A different approach is to synchronize the Azure AD and on-premises UPNs to the
| Option | Description | |||
-| [Alternate Login ID for AD FS](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/configuring-alternate-login-id) | Enable sign-in with an alternate attribute (such as Mail) for AD FS users. |
-| [Alternate Login ID in Azure AD Connect](https://docs.microsoft.com/azure/active-directory/hybrid/plan-connect-userprincipalname#alternate-login-id) | Synchronize an alternate attribute (such as Mail) as the Azure AD UPN. |
+| [Alternate Login ID for AD FS](/windows-server/identity/ad-fs/operations/configuring-alternate-login-id) | Enable sign-in with an alternate attribute (such as Mail) for AD FS users. |
+| [Alternate Login ID in Azure AD Connect](../hybrid/plan-connect-userprincipalname.md#alternate-login-id) | Synchronize an alternate attribute (such as Mail) as the Azure AD UPN. |
| Email as an Alternate Login ID | Enable sign-in with verified domain *ProxyAddresses* for Azure AD users. | ## Synchronize sign-in email addresses to Azure AD
With the policy applied, it can take up to 1 hour to propagate and for users to
## Enable staged rollout to test user sign-in with an email address > [!NOTE]
->This configuration option uses staged rollout policy. For more information, see [featureRolloutPolicy resource type](https://docs.microsoft.com/graph/api/resources/featurerolloutpolicy?view=graph-rest-1.0&preserve-view=true).
+>This configuration option uses staged rollout policy. For more information, see [featureRolloutPolicy resource type](/graph/api/resources/featurerolloutpolicy?preserve-view=true&view=graph-rest-1.0).
Staged rollout policy allows tenant administrators to enable features for specific Azure AD groups. It is recommended that tenant administrators use staged rollout to test user sign-in with an email address. When administrators are ready to deploy this feature to their entire tenant, they should use [HRD policy](#enable-user-sign-in-with-an-email-address).
For more information on hybrid identity operations, see [how password hash sync]
[Get-AzureADPolicy]: /powershell/module/azuread/get-azureadpolicy [New-AzureADPolicy]: /powershell/module/azuread/new-azureadpolicy [Set-AzureADPolicy]: /powershell/module/azuread/set-azureadpolicy
-[my-profile]: https://myprofile.microsoft.com
+[my-profile]: https://myprofile.microsoft.com
active-directory Howto Mfa Adfs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/authentication/howto-mfa-adfs.md
If your organization is federated with Azure Active Directory, use Azure AD Multi-Factor Authentication or Active Directory Federation Services (AD FS) to secure resources that are accessed by Azure AD. Use the following procedures to secure Azure Active Directory resources with either Azure AD Multi-Factor Authentication or Active Directory Federation Services. >[!NOTE]
->To secure your Azure AD resource, it is recommended to require MFA through a [Conditional Access policy](https://docs.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa), set the domain setting SupportsMfa to $True and [emit the multipleauthn claim](https://docs.microsoft.com/azure/active-directory/authentication/howto-mfa-adfs#secure-azure-ad-resources-using-ad-fs) when a user performs two-step verification successfully.
+>To secure your Azure AD resource, it is recommended to require MFA through a [Conditional Access policy](../conditional-access/howto-conditional-access-policy-all-users-mfa.md), set the domain setting SupportsMfa to $True and [emit the multipleauthn claim](#secure-azure-ad-resources-using-ad-fs) when a user performs two-step verification successfully.
## Secure Azure AD resources using AD FS
Now that the claims are in place, we can configure trusted IPs.
4. On the Service Settings page, under **trusted IPs**, select **Skip multi-factor-authentication for requests from federated users on my intranet**. 5. Click **save**.
-That's it! At this point, federated Microsoft 365 users should only have to use MFA when a claim originates from outside the corporate intranet.
+That's it! At this point, federated Microsoft 365 users should only have to use MFA when a claim originates from outside the corporate intranet.
active-directory Howto Mfa Getstarted https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/authentication/howto-mfa-getstarted.md
Before starting a deployment of Azure AD Multi-Factor Authentication, there are
| | | | **Cloud-only** identity environment with modern authentication | **No additional prerequisite tasks** | | **Hybrid** identity scenarios | [Azure AD Connect](../hybrid/whatis-hybrid-identity.md) is deployed and user identities are synchronized or federated with the on-premises Active Directory Domain Services with Azure Active Directory. |
-| On-premises legacy applications published for cloud access | Azure AD [Application Proxy](../manage-apps/application-proxy.md) is deployed. |
+| On-premises legacy applications published for cloud access | Azure AD [Application Proxy](../app-proxy/application-proxy.md) is deployed. |
| Using Azure AD MFA with RADIUS Authentication | A [Network Policy Server (NPS)](howto-mfa-nps-extension.md) is deployed. | | Users have Microsoft Office 2010 or earlier, or Apple Mail for iOS 11 or earlier | Upgrade to [Microsoft Office 2013 or later](https://support.microsoft.com/help/4041439/modern-authentication-configuration-requirements-for-transition-from-o) and Apple mail for iOS 12 or later. Conditional Access is not supported by legacy authentication protocols. |
Applications that authenticate directly with Azure AD and have modern authentica
### Use Azure AD MFA with Azure AD Application Proxy
-Applications residing on-premises can be published to your Azure AD tenant via [Azure AD Application Proxy](../manage-apps/application-proxy.md) and can take advantage of Azure AD Multi-Factor Authentication if they are configured to use Azure AD pre-authentication.
+Applications residing on-premises can be published to your Azure AD tenant via [Azure AD Application Proxy](../app-proxy/application-proxy.md) and can take advantage of Azure AD Multi-Factor Authentication if they are configured to use Azure AD pre-authentication.
These applications are subject to Conditional Access policies that enforce Azure AD Multi-Factor Authentication, just like any other Azure AD-integrated application.
Now that you have planned your solution, you can implement by following the step
1. Meet any necessary prerequisites 1. Deploy [Azure AD Connect](../hybrid/whatis-hybrid-identity.md) for any hybrid scenarios
- 1. Deploy [Azure AD Application Proxy](../manage-apps/application-proxy.md) for on any on-premises apps published for cloud access
+ 1. Deploy [Azure AD Application Proxy](../app-proxy/application-proxy.md) for on any on-premises apps published for cloud access
1. Deploy [NPS](/windows-server/networking/technologies/nps/nps-top) for any RADIUS authentication 1. Ensure users have upgraded to supported versions of Microsoft Office with modern authentication enabled 1. Configure chosen [authentication methods](#choose-verification-options)
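Review bot: The rewritten Application Proxy step still reads "for on any on-premises apps published for cloud access". While this line is being changed for the link path, drop the stray "on" so it reads "for any on-premises apps published for cloud access".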
Find solutions for common issues with Azure AD MFA at the [Troubleshooting Azure
To see Azure AD Multi-Factor Authentication in action, complete the following tutorial: > [!div class="nextstepaction"]
-> [Enable Azure AD Multi-Factor Authentication](tutorial-enable-azure-mfa.md)
+> [Enable Azure AD Multi-Factor Authentication](tutorial-enable-azure-mfa.md)
active-directory Howto Password Ban Bad On Premises Deploy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/authentication/howto-password-ban-bad-on-premises-deploy.md
The following requirements apply to the Azure AD Password Protection proxy servi
The Microsoft Azure AD Connect Agent Updater service is installed side by side with the Azure AD Password Protection Proxy service. Additional configuration is required in order for the Microsoft Azure AD Connect Agent Updater service to be able to function:
-* If your environment uses an HTTP proxy server, follow the guidelines specified in [Work with existing on-premises proxy servers](../manage-apps/application-proxy-configure-connectors-with-proxy-servers.md).
+* If your environment uses an HTTP proxy server, follow the guidelines specified in [Work with existing on-premises proxy servers](../app-proxy/application-proxy-configure-connectors-with-proxy-servers.md).
* The Microsoft Azure AD Connect Agent Updater service also requires the TLS 1.2 steps specified in [TLS requirements](../app-proxy/application-proxy-add-on-premises-application.md#tls-requirements). > [!WARNING]
The `Get-AzureADPasswordProtectionDCAgent` cmdlet may be used to query the softw
## Next steps
-Now that you've installed the services that you need for Azure AD Password Protection on your on-premises servers, [enable on-prem Azure AD Password Protection in the Azure portal](howto-password-ban-bad-on-premises-operations.md) to complete your deployment.
+Now that you've installed the services that you need for Azure AD Password Protection on your on-premises servers, [enable on-prem Azure AD Password Protection in the Azure portal](howto-password-ban-bad-on-premises-operations.md) to complete your deployment.
active-directory Active Directory Acs Migration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/azuread-dev/active-directory-acs-migration.md
Each Microsoft cloud service that accepts tokens that are issued by Access Contr
| Service | Guidance | | - | -- |
-| Azure Service Bus | [Migrate to shared access signatures](../../service-bus-messaging/service-bus-migrate-acs-sas.md) |
+| Azure Service Bus | [Migrate to shared access signatures](../../service-bus-messaging/service-bus-sas.md) |
| Azure Service Bus Relay | [Migrate to shared access signatures](../../azure-relay/relay-migrate-acs-sas.md) | | Azure Managed Cache | [Migrate to Azure Cache for Redis](../../azure-cache-for-redis/cache-faq.md) | | Azure DataMarket | [Migrate to the Cognitive Services APIs](https://azure.microsoft.com/services/cognitive-services/) |
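Review bot: In the Azure Service Bus row the target changes from `service-bus-migrate-acs-sas.md` to `service-bus-sas.md`, but the link text is still "Migrate to shared access signatures", and the Azure Service Bus Relay row below keeps pointing at a dedicated `relay-migrate-acs-sas.md`. Confirm that the new target actually carries the Access Control migration steps. If it is a general shared access signatures article, change the link text to match so readers are not promised a migration guide they will not find.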
active-directory How To Attribute Mapping https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/cloud-sync/how-to-attribute-mapping.md
With attribute mapping, you control how attributes are populated in Azure AD. Az
Along with these basic types, custom attribute mappings support the concept of an optional *default* value assignment. The default value assignment ensures that a target attribute is populated with a value if Azure AD or the target object doesn't have a value. The most common configuration is to leave this blank. ## Schema updates and mappings
-Cloud sync will occasionally update the schema and the list of default attributes that are [synchronized](https://docs.microsoft.com/azure/active-directory/hybrid/reference-connect-sync-attributes-synchronized?context=/azure/active-directory/cloud-provisioning/context/cp-context). These default attribute mappings will be available for new installations but will not automatically be added to existing installations. To add these mappings you can follow the steps below.
+Cloud sync will occasionally update the schema and the list of default attributes that are [synchronized](../hybrid/reference-connect-sync-attributes-synchronized.md?context=%2fazure%2factive-directory%2fcloud-provisioning%2fcontext%2fcp-context). These default attribute mappings will be available for new installations but will not automatically be added to existing installations. To add these mappings you can follow the steps below.
1. Click on ΓÇ£add attribute mappingΓÇ¥
To test your attribute mapping, you can use [on-demand provisioning](how-to-on-d
- [What is Azure AD Connect cloud sync?](what-is-cloud-sync.md) - [Writing expressions for attribute mappings](reference-expressions.md) - [How to use expression builder with cloud sync](how-to-expression-builder.md)-- [Attributes synchronized to Azure Active Directory](../hybrid/reference-connect-sync-attributes-synchronized.md?context=azure%2factive-directory%2fcloud-provisioning%2fcontext%2fcp-context/hybrid/reference-connect-sync-attributes-synchronized.md)
+- [Attributes synchronized to Azure Active Directory](../hybrid/reference-connect-sync-attributes-synchronized.md?context=azure%2factive-directory%2fcloud-provisioning%2fcontext%2fcp-context/hybrid/reference-connect-sync-attributes-synchronized.md)
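Review bot: The removed and added lines are identical as shown, so this change leaves a malformed link in place: the `context` value here is `azure%2factive-directory%2fcloud-provisioning%2fcontext%2fcp-context/hybrid/reference-connect-sync-attributes-synchronized.md`, with no leading `%2f` and with the article path appended a second time. The same article is linked earlier in this file's diff as `?context=%2fazure%2factive-directory%2fcloud-provisioning%2fcontext%2fcp-context`; use that form here as well.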
active-directory Reference Error Codes https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/cloud-sync/reference-error-codes.md
The following is a list of error codes and their description
|TimeOut|Error Message: We've detected a request timeout error when contacting the on-premises agent and synchronizing your configuration. For additional issues related to your cloud sync agent, please see our troubleshooting guidance.|Request to HIS timed out. Current Timeout value is 10 minutes.|See our [troubleshooting guidance](how-to-troubleshoot.md)| |HybridSynchronizationActiveDirectoryInternalServerError|Error Message: We were unable to process this request at this point. If this issue persists, please contact support and provide the following job identifier: AD2AADProvisioning.30b500eaf9c643b2b78804e80c1421fe.5c291d3c-d29f-4570-9d6b-f0c2fa3d5926. Additional details: Processing of the HTTP request resulted in an exception. |Could not process the parameters received in SCIM request to a Search request.|Please see the HTTP response returned by the 'Response' property of this exception for details.| |HybridIdentityServiceNoAgentsAssigned|Error Message: We are unable to find an active agent for the domain you are trying to sync. Please check to see if the agents have been removed. If so, re-install the agent again.|There are no agents running. Probably agents have been removed. Register a new agent.|"In this case, you will not see any agent assigned to the domain in portal.|
-|HybridIdentityServiceNoActiveAgents|Error Message: We are unable to find an active agent for the domain you are trying to sync. Please check to see if the agent is running by going to the server, where the agent is installed, and check to see if "Microsoft Azure AD Cloud Sync Agent" under Services is running.|"Agents are not listening to the ServiceBus endpoint. [The agent is behind a firewall that does not allow connections to service bus](../../active-directory/manage-apps/application-proxy-configure-connectors-with-proxy-servers.md#use-the-outbound-proxy-server)|
+|HybridIdentityServiceNoActiveAgents|Error Message: We are unable to find an active agent for the domain you are trying to sync. Please check to see if the agent is running by going to the server, where the agent is installed, and check to see if "Microsoft Azure AD Cloud Sync Agent" under Services is running.|"Agents are not listening to the ServiceBus endpoint. [The agent is behind a firewall that does not allow connections to service bus](../app-proxy/application-proxy-configure-connectors-with-proxy-servers.md#use-the-outbound-proxy-server)|
|HybridIdentityServiceInvalidResource|Error Message: We were unable to process this request at this point. If this issue persists, please contact support and provide the following job identifier: AD2AADProvisioning.3a2a0d8418f34f54a03da5b70b1f7b0c.d583d090-9cd3-4d0a-aee6-8d666658c3e9. Additional details: There seems to be an issue with your cloud sync setup. Please re-register your cloud sync agent on your on-prem AD domain and restart configuration from Azure Portal.|The resource name must be set so HIS knows which agent to contact.|Please re-register your cloud sync agent on your on-prem AD domain and restart configuration from Azure Portal.| |HybridIdentityServiceAgentSignalingError|Error Message: We were unable to process this request at this point. If this issue persists, please contact support and provide the following job identifier: AD2AADProvisioning.92d2e8750f37407fa2301c9e52ad7e9b.efb835ef-62e8-42e3-b495-18d5272eb3f9. Additional details: We were unable to process this request at this point. If this issue persists, please contact support with Job ID (from status pane of your configuration).|Service Bus is not able to send a message to the agent. Could be an outage in service bus, or the agent is not responsive.|If this issue persists, please contact support with Job ID (from status pane of your configuration).| |AzureDirectoryServiceServerBusy|Error Message: An error occurred. Error Code: 81. Error Description: Azure Active Directory is currently busy. This operation will be retried automatically. If this issue persists for more than 24 hours, contact Technical Support. Tracking ID: 8a4ab3b5-3664-4278-ab64-9cff37fd3f4f Server Name:|Azure Active Directory is currently busy.|If this issue persists for more than 24 hours, contact Technical Support.|
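Review bot: The `HybridIdentityServiceNoActiveAgents` row is edited for the link path only, yet it still has an unbalanced opening quote before "Agents are not listening" and three cells where the neighbouring rows have four, so the firewall link lands in the cause column and the resolution column is missing. Split the cell so the cause ("Agents are not listening to the ServiceBus endpoint.") and the resolution (the proxy/firewall link) are separate, and remove the stray `"`. The `HybridIdentityServiceNoAgentsAssigned` row above has the same stray quote in its last cell.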
The following is a list of error codes and their description
## Next steps - [What is provisioning?](what-is-provisioning.md)-- [What is Azure AD Connect cloud sync?](what-is-cloud-sync.md)
+- [What is Azure AD Connect cloud sync?](what-is-cloud-sync.md)
active-directory Concept Conditional Access Cloud Apps https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/conditional-access/concept-conditional-access-cloud-apps.md
Cloud apps, actions, and authentication context are key signals in a Conditional Access policy. Conditional Access policies allow administrators to assign controls to specific applications, actions, or authentication context. -- Administrators can choose from the list of applications that include built-in Microsoft applications and any [Azure AD integrated applications](../manage-apps/what-is-application-management.md) including gallery, non-gallery, and applications published through [Application Proxy](../manage-apps/what-is-application-proxy.md).
+- Administrators can choose from the list of applications that include built-in Microsoft applications and any [Azure AD integrated applications](../manage-apps/what-is-application-management.md) including gallery, non-gallery, and applications published through [Application Proxy](../app-proxy/what-is-application-proxy.md).
- Administrators may choose to define policy not based on a cloud application but on a [user action](#user-actions) like **Register security information** or **Register or join devices (Preview)**, allowing Conditional Access to enforce controls around those actions. - Administrators can use [authentication context](#authentication-context-preview) to provide an extra layer of security inside of applications.
The Microsoft Azure Management application includes multiple underlying services
In addition to the Microsoft apps, administrators can add any Azure AD registered application to Conditional Access policies. These applications may include: -- Applications published through [Azure AD Application Proxy](../manage-apps/what-is-application-proxy.md)
+- Applications published through [Azure AD Application Proxy](../app-proxy/what-is-application-proxy.md)
- [Applications added from the gallery](../manage-apps/add-application-portal.md) - [Custom applications not in the gallery](../manage-apps/view-applications-portal.md) - [Legacy applications published through app delivery controllers and networks](../manage-apps/secure-hybrid-access.md)
For more information about authentication context use in applications, see the f
- [Conditional Access: Conditions](concept-conditional-access-conditions.md) - [Conditional Access common policies](concept-conditional-access-policy-common.md)-- [Client application dependencies](service-dependencies.md)
+- [Client application dependencies](service-dependencies.md)
active-directory Concept Conditional Access Grant https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/conditional-access/concept-conditional-access-grant.md
This setting applies to the following iOS and Android apps:
- Microsoft Invoicing - Microsoft Kaizala - Microsoft Launcher
+- Microsoft Lists
- Microsoft Office - Microsoft OneDrive - Microsoft OneNote
active-directory Active Directory Claims Mapping https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/active-directory-claims-mapping.md
Title: Customize Azure AD tenant app claims (PowerShell)
-description: This page describes Azure Active Directory claims mapping.
+description: Learn how to customize claims emitted in tokens for an application in a specific Azure Active Directory tenant.
Previously updated : 08/25/2020 Last updated : 06/10/2021
-# How to: Customize claims emitted in tokens for a specific app in a tenant (Preview)
+# Customize claims emitted in tokens for a specific app in a tenant
-> [!NOTE]
-> This feature replaces and supersedes the [claims customization](active-directory-saml-claims-customization.md) offered through the portal today. On the same application, if you customize claims using the portal in addition to the Graph/PowerShell method detailed in this document, tokens issued for that application will ignore the configuration in the portal. Configurations made through the methods detailed in this document will not be reflected in the portal.
+Claims customization is used by tenant admins to customize the claims emitted in tokens for a specific application in their tenant. You can use claims-mapping policies to:
-> [!NOTE]
-> This capability currently is in public preview. Be prepared to revert or remove any changes. The feature is available in any Azure Active Directory (Azure AD) subscription during public preview. However, when the feature becomes generally available, some aspects of the feature might require an Azure AD premium subscription. This feature supports configuring claim mapping policies for WS-Fed, SAML, OAuth, and OpenID Connect protocols.
+- select which claims are included in tokens.
+- create claim types that do not already exist.
+- choose or change the source of data emitted in specific claims.
-This feature is used by tenant admins to customize the claims emitted in tokens for a specific application in their tenant. You can use claims-mapping policies to:
+Claims customization supports configuring claim-mapping policies for the WS-Fed, SAML, OAuth, and OpenID Connect protocols.
-- Select which claims are included in tokens.-- Create claim types that do not already exist.-- Choose or change the source of data emitted in specific claims.
+> [!NOTE]
+> This feature replaces and supersedes the [claims customization](active-directory-saml-claims-customization.md) offered through the Azure portal. On the same application, if you customize claims using the portal in addition to the Microsoft Graph/PowerShell method detailed in this document, tokens issued for that application will ignore the configuration in the portal. Configurations made through the methods detailed in this document will not be reflected in the portal.
-In this article, we walk through a few common scenarios that can help you grasp how to use the [claims mapping policy type](reference-claims-mapping-policy-type.md).
+In this article, we walk through a few common scenarios that can help you grasp how to use the [claims-mapping policy type](reference-claims-mapping-policy-type.md).
-When creating a claims mapping policy, you can also emit a claim from a directory schema extension attribute in tokens. Use *ExtensionID* for the extension attribute instead of *ID* in the `ClaimsSchema` element. For more info on extension attributes, see [Using directory schema extension attributes](active-directory-schema-extensions.md).
+When creating a claims-mapping policy, you can also emit a claim from a directory schema extension attribute in tokens. Use *ExtensionID* for the extension attribute instead of *ID* in the `ClaimsSchema` element. For more info on extension attributes, see [Using directory schema extension attributes](active-directory-schema-extensions.md).
## Prerequisites
-In the following examples, you create, update, link, and delete policies for service principals. Claims mapping policies can only be assigned to service principal objects. If you are new to Azure AD, we recommend that you [learn about how to get an Azure AD tenant](quickstart-create-new-tenant.md) before you proceed with these examples.
+In the following examples, you create, update, link, and delete policies for service principals. claims-mapping policies can only be assigned to service principal objects. If you are new to Azure AD, we recommend that you [learn about how to get an Azure AD tenant](quickstart-create-new-tenant.md) before you proceed with these examples.
+
+> [!NOTE]
+> The [Azure AD PowerShell Module public preview release](https://www.powershellgallery.com/packages/AzureADPreview) is required to configure claims-mapping policies. The PowerShell module is in preview, be prepared to revert or remove any changes.
To get started, do the following steps:
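Review bot: The added Prerequisites sentence now starts in lower case ("claims-mapping policies can only be assigned to service principal objects"); the hyphenation rename dropped the capital, so it should begin "Claims-mapping policies". In the note added just below it, "The PowerShell module is in preview, be prepared to revert or remove any changes" is a comma splice; split it into two sentences. The three bullets added near the top of this change ("select which claims are included in tokens." and the two after it) also went from capitalized to lower case, and the removed sentence that introduced them ("You can use claims-mapping policies to:") has no visible replacement among the added lines, so confirm the list still has a lead-in.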
To get started, do the following steps:
In this example, you create a policy that removes the [basic claim set](reference-claims-mapping-policy-type.md#claim-sets) from tokens issued to linked service principals.
-1. Create a claims mapping policy. This policy, linked to specific service principals, removes the basic claim set from tokens.
+1. Create a claims-mapping policy. This policy, linked to specific service principals, removes the basic claim set from tokens.
1. To create the policy, run this command: ``` powershell
In this example, you create a policy that removes the [basic claim set](referenc
In this example, you create a policy that adds the EmployeeID and TenantCountry to tokens issued to linked service principals. The EmployeeID is emitted as the name claim type in both SAML tokens and JWTs. The TenantCountry is emitted as the country/region claim type in both SAML tokens and JWTs. In this example, we continue to include the basic claims set in the tokens.
-1. Create a claims mapping policy. This policy, linked to specific service principals, adds the EmployeeID and TenantCountry claims to tokens.
+1. Create a claims-mapping policy. This policy, linked to specific service principals, adds the EmployeeID and TenantCountry claims to tokens.
1. To create the policy, run the following command: ``` powershell
In this example, you create a policy that adds the EmployeeID and TenantCountry
In this example, you create a policy that emits a custom claim "JoinedData" to JWTs issued to linked service principals. This claim contains a value created by joining the data stored in the extensionattribute1 attribute on the user object with ".sandbox". In this example, we exclude the basic claims set in the tokens.
-1. Create a claims mapping policy. This policy, linked to specific service principals, adds the EmployeeID and TenantCountry claims to tokens.
+1. Create a claims-mapping policy. This policy, linked to specific service principals, adds the EmployeeID and TenantCountry claims to tokens.
1. To create the policy, run the following command: ``` powershell
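Review bot: The step text under the "JoinedData" example still describes the previous example: the added line says the policy "adds the EmployeeID and TenantCountry claims to tokens", while the intro to this example says it emits a custom claim "JoinedData" built from extensionattribute1 joined with ".sandbox" and excludes the basic claim set. Since the line is being edited anyway, correct the description so that an admin linking this policy to a service principal knows which claims it actually emits.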
In this example, you create a policy that emits a custom claim "JoinedData" to J
## Security considerations
-Applications that receive tokens rely on the fact that the claim values are authoritatively issued by Azure AD and cannot be tampered with. However, when you modify the token contents via claims mapping policies, these assumptions may no longer be correct. Applications must explicitly acknowledge that tokens have been modified by the creator of the claims mapping policy to protect themselves from claims mapping policies created by malicious actors. This can be done in the following ways:
+Applications that receive tokens rely on the fact that the claim values are authoritatively issued by Azure AD and cannot be tampered with. However, when you modify the token contents through claims-mapping policies, these assumptions may no longer be correct. Applications must explicitly acknowledge that tokens have been modified by the creator of the claims-mapping policy to protect themselves from claims-mapping policies created by malicious actors. This can be done in the following ways:
- Configure a custom signing key - Update the application manifest to accept mapped claims.
If you're not using a verified domain, Azure AD will return an `AADSTS501461` er
## Next steps -- Read the [claims mapping policy type](reference-claims-mapping-policy-type.md) reference article to learn more.
+- Read the [claims-mapping policy type](reference-claims-mapping-policy-type.md) reference article to learn more.
- To learn how to customize claims issued in the SAML token through the Azure portal, see [How to: Customize claims issued in the SAML token for enterprise applications](active-directory-saml-claims-customization.md) - To learn more about extension attributes, see [Using directory schema extension attributes in claims](active-directory-schema-extensions.md).
active-directory Active Directory How Applications Are Added https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/active-directory-how-applications-are-added.md
Like application objects, service principals can also be created through multipl
* When you subscribe to Microsoft 365 or begin a trial, one or more service principals are created in the directory representing the various services that are used to deliver all of the functionality associated with Microsoft 365. * Some Microsoft 365 services like SharePoint create service principals on an ongoing basis to allow secure communication between components including workflows. * When an admin adds an application from the app gallery (this will also create an underlying app object)
-* Add an application to use the [Azure AD Application Proxy](../manage-apps/application-proxy.md)
+* Add an application to use the [Azure AD Application Proxy](../app-proxy/application-proxy.md)
* Connect an application for single sign on using SAML or password single sign-on (SSO) * Programmatically via the Microsoft Graph API or PowerShell
If you still want to prevent users in your directory from registering applicatio
> Microsoft itself uses the default configuration with users able to register applications and consent to applications on their own behalf. <!--Image references-->
-[apps_service_principals_directory]:../media/active-directory-how-applications-are-added/HowAppsAreAddedToAAD.jpg
+[apps_service_principals_directory]:../media/active-directory-how-applications-are-added/HowAppsAreAddedToAAD.jpg
active-directory Howto Create Service Principal Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/howto-create-service-principal-portal.md
Let's jump straight into creating the identity. If you run into a problem, check
1. Select **Azure Active Directory**. 1. Select **App registrations**. 1. Select **New registration**.
-1. Name the application. Select a supported account type, which determines who can use the application. Under **Redirect URI**, select **Web** for the type of application you want to create. Enter the URI where the access token is sent to. You can't create credentials for a [Native application](../manage-apps/application-proxy-configure-native-client-application.md). You can't use that type for an automated application. After setting the values, select **Register**.
+1. Name the application. Select a supported account type, which determines who can use the application. Under **Redirect URI**, select **Web** for the type of application you want to create. Enter the URI where the access token is sent to. You can't create credentials for a [Native application](../app-proxy/application-proxy-configure-native-client-application.md). You can't use that type for an automated application. After setting the values, select **Register**.
![Type a name for your application](./media/howto-create-service-principal-portal/create-app.png)
Keep in mind, you might need to configure additional permissions on resources th
* Learn how to [use Azure PowerShell to create a service principal](howto-authenticate-service-principal-powershell.md). * To learn about specifying security policies, see [Azure role-based access control (Azure RBAC)](../../role-based-access-control/role-assignments-portal.md). * For a list of available actions that can be granted or denied to users, see [Azure Resource Manager Resource Provider operations](../../role-based-access-control/resource-provider-operations.md).
-* For information about working with app registrations by using **Microsoft Graph**, see the [Applications](/graph/api/resources/application) API reference.
+* For information about working with app registrations by using **Microsoft Graph**, see the [Applications](/graph/api/resources/application) API reference.
active-directory Msal B2c Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/msal-b2c-overview.md
By using Azure AD B2C as an identity management service, you can customize and c
## Supported app types and scenarios
-MSAL.js enables [single-page applications](https://docs.microsoft.com/azure/active-directory-b2c/application-types#single-page-applications) to sign-in users with Azure AD B2C using the [authorization code flow with PKCE](https://docs.microsoft.com/azure/active-directory-b2c/authorization-code-flow) grant. With MSAL.js and Azure AD B2C:
+MSAL.js enables [single-page applications](../../active-directory-b2c/application-types.md#single-page-applications) to sign-in users with Azure AD B2C using the [authorization code flow with PKCE](../../active-directory-b2c/authorization-code-flow.md) grant. With MSAL.js and Azure AD B2C:
- Users **can** authenticate with their social and local identities. - Users **can** be authorized to access Azure AD B2C protected resources (but not Azure AD protected resources).-- Users **cannot** obtain tokens for Microsoft APIs (e.g. MS Graph API) using [delegated permissions](https://review.docs.microsoft.com/azure/active-directory/develop/v2-permissions-and-consent?branch=master#permission-types).-- Users with administrator privileges **can** obtain tokens for Microsoft APIs (e.g. MS Graph API) using [delegated permissions](https://review.docs.microsoft.com/azure/active-directory/develop/v2-permissions-and-consent?branch=master#permission-types).
+- Users **cannot** obtain tokens for Microsoft APIs (e.g. MS Graph API) using [delegated permissions](/azure/active-directory/develop/v2-permissions-and-consent#permission-types).
+- Users with administrator privileges **can** obtain tokens for Microsoft APIs (e.g. MS Graph API) using [delegated permissions](/azure/active-directory/develop/v2-permissions-and-consent#permission-types).
For more information, see: [Working with Azure AD B2C](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/working-with-b2c.md)
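Review bot: In the first added line, "to sign-in users" uses the hyphenated noun form as a verb; it should read "to sign in users". Replacing the review.docs.microsoft.com links that carried ?branch=master is the right fix, but the two delegated-permissions bullets now use the site-relative /azure/active-directory/develop/v2-permissions-and-consent path for a page in this article's own folder, while the first added line uses file-relative ../../active-directory-b2c/ links; consider ./v2-permissions-and-consent.md#permission-types so the link style is consistent within the file.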
For more information, see: [Working with Azure AD B2C](https://github.com/AzureA
Follow the tutorial on how to: - [Sign in users with Azure AD B2C in a single-page application](../../active-directory-b2c/tutorial-single-page-app.md)-- [Call an Azure AD B2C protected web API](../../active-directory-b2c/tutorial-single-page-app-webapi.md)
+- [Call an Azure AD B2C protected web API](../../active-directory-b2c/tutorial-single-page-app-webapi.md)
active-directory Publisher Verification Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/publisher-verification-overview.md
Publisher verification provides the following benefits:
- **Smoother enterprise adoption**- admins can configure [user consent policies](../manage-apps/configure-user-consent.md), with publisher verification status as one of the primary policy criteria. > [!NOTE]
-> Starting in November 2020, end-users will no longer be able to grant consent to most newly registered multi-tenant apps without verified publishers if [risk-based step-up consent](/azure/active-directory/manage-apps/configure-user-consent#risk-based-step-up-consent) is enabled. This will apply to apps that are registered after November 8th 2020, use OAuth2.0 to request permissions beyond basic sign-in and read user profile, and request consent from users in different tenants than the one the app is registered in. A warning will be displayed on the consent screen informing users that these apps are risky and are from unverified publishers.
+> Starting in November 2020, end-users will no longer be able to grant consent to most newly registered multi-tenant apps without verified publishers if [risk-based step-up consent](../manage-apps/configure-user-consent.md#risk-based-step-up-consent) is enabled. This will apply to apps that are registered after November 8th 2020, use OAuth2.0 to request permissions beyond basic sign-in and read user profile, and request consent from users in different tenants than the one the app is registered in. A warning will be displayed on the consent screen informing users that these apps are risky and are from unverified publishers.
## Requirements There are a few pre-requisites for publisher verification, some of which will have already been completed by many Microsoft partners. They are:
Below are some frequently asked questions regarding the publisher verification p
## Next steps * Learn how to [mark an app as publisher verified](mark-app-as-publisher-verified.md).
-* [Troubleshoot](troubleshoot-publisher-verification.md) publisher verification.
+* [Troubleshoot](troubleshoot-publisher-verification.md) publisher verification.
active-directory Sample V2 Code https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/sample-v2-code.md
The following samples illustrate web applications that sign in users. Some sampl
> [!div class="mx-tdCol2BreakAll"] > | Language/<br/>Platform | Code sample<br/>on GitHub | Description | Authentication libraries used | Authentication flow | > | - | -- | | - | -- |
-> | ASP.NET Core|[GitHub repo](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2) | ASP.NET Core Series <br/> &#8226; [Sign in users](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/1-WebApp-OIDC/README.md) <br/> &#8226; [Sign in users (B2C)](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/1-WebApp-OIDC/1-5-B2C/README.md) <br/> &#8226; [Call Microsoft Graph](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/2-WebApp-graph-user/2-1-Call-MSGraph/README.md) <br/> &#8226; [Customize token cache](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/2-WebApp-graph-user/2-2-TokenCache/README.md) <br/> &#8226; [Call Graph (multi-tenant)](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/2-WebApp-graph-user/2-3-Multi-Tenant/README.md) <br/> &#8226; [Call Azure REST APIs](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/3-WebApp-multi-APIs/README.md) <br/> &#8226; [Protect web API](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/4-WebApp-your-API/4-1-MyOrg/README.md) <br/> &#8226; [Protect web API (B2C)](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/4-WebApp-your-API/4-2-B2C/README.md) <br/> &#8226; [Protect multi-tenant web API](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/4-WebApp-your-API/4-3-AnyOrg/Readme.md) <br/> &#8226; [Use App Roles for access control](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/5-WebApp-AuthZ/5-1-Roles/README.md) <br/> &#8226; [Use Security Groups for access 
control](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/5-WebApp-AuthZ/5-2-Groups/README.md) <br/> &#8226; [Deploy to Azure Storage & App Service](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/6-Deploy-to-Azure/README.md) | &#8226; [MSAL.NET](https://aka.ms/msal-net) <br/> &#8226; [Microsoft.Identity.Web](https://aka.ms/microsoft-identity-web) | &#8226; [OIDC flow](https://docs.microsoft.com/azure/active-directory/develop/v2-protocols-oidc) <br/> &#8226; [Auth code flow](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-auth-code-flow) <br/> &#8226; [On-Behalf-Of (OBO) flow](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow) |
+> | ASP.NET Core|[GitHub repo](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2) | ASP.NET Core Series <br/> &#8226; [Sign in users](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/1-WebApp-OIDC/README.md) <br/> &#8226; [Sign in users (B2C)](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/1-WebApp-OIDC/1-5-B2C/README.md) <br/> &#8226; [Call Microsoft Graph](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/2-WebApp-graph-user/2-1-Call-MSGraph/README.md) <br/> &#8226; [Customize token cache](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/2-WebApp-graph-user/2-2-TokenCache/README.md) <br/> &#8226; [Call Graph (multi-tenant)](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/2-WebApp-graph-user/2-3-Multi-Tenant/README.md) <br/> &#8226; [Call Azure REST APIs](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/3-WebApp-multi-APIs/README.md) <br/> &#8226; [Protect web API](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/4-WebApp-your-API/4-1-MyOrg/README.md) <br/> &#8226; [Protect web API (B2C)](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/4-WebApp-your-API/4-2-B2C/README.md) <br/> &#8226; [Protect multi-tenant web API](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/4-WebApp-your-API/4-3-AnyOrg/Readme.md) <br/> &#8226; [Use App Roles for access control](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/5-WebApp-AuthZ/5-1-Roles/README.md) <br/> &#8226; [Use Security Groups for access 
control](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/5-WebApp-AuthZ/5-2-Groups/README.md) <br/> &#8226; [Deploy to Azure Storage & App Service](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/6-Deploy-to-Azure/README.md) | &#8226; [MSAL.NET](https://aka.ms/msal-net) <br/> &#8226; [Microsoft.Identity.Web](https://aka.ms/microsoft-identity-web) | &#8226; [OIDC flow](./v2-protocols-oidc.md) <br/> &#8226; [Auth code flow](./v2-oauth2-auth-code-flow.md) <br/> &#8226; [On-Behalf-Of (OBO) flow](./v2-oauth2-on-behalf-of-flow.md) |
> | Blazor | [GitHub repo](https://github.com/Azure-Samples/ms-identity-blazor-server/) | Blazor Server Series <br/> &#8226; [Sign in users](https://github.com/Azure-Samples/ms-identity-blazor-server/tree/main/WebApp-OIDC/MyOrg) <br/> &#8226; [Sign in users (B2C)](https://github.com/Azure-Samples/ms-identity-blazor-server/tree/main/WebApp-OIDC/B2C) <br/> &#8226; [Call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-blazor-server/tree/main/WebApp-graph-user/Call-MSGraph) <br/> &#8226; [Call web API](https://github.com/Azure-Samples/ms-identity-blazor-server/tree/main/WebApp-your-API/MyOrg) <br/> &#8226; [Call web API (B2C)](https://github.com/Azure-Samples/ms-identity-blazor-server/tree/main/WebApp-your-API/B2C) | MSAL.NET | |
-> | ASP.NET Core|[GitHub repo](https://github.com/Azure-Samples/ms-identity-dotnet-advanced-token-cache) | [Advanced Token Cache Scenarios](https://github.com/Azure-Samples/ms-identity-dotnet-advanced-token-cache) | &#8226; [MSAL.NET](https://aka.ms/msal-net) <br/> &#8226; [Microsoft.Identity.Web](https://aka.ms/microsoft-identity-web) | [On-Behalf-Of (OBO) flow](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow) |
+> | ASP.NET Core|[GitHub repo](https://github.com/Azure-Samples/ms-identity-dotnet-advanced-token-cache) | [Advanced Token Cache Scenarios](https://github.com/Azure-Samples/ms-identity-dotnet-advanced-token-cache) | &#8226; [MSAL.NET](https://aka.ms/msal-net) <br/> &#8226; [Microsoft.Identity.Web](https://aka.ms/microsoft-identity-web) | [On-Behalf-Of (OBO) flow](./v2-oauth2-on-behalf-of-flow.md) |
> | ASP.NET Core|[GitHub repo](https://github.com/Azure-Samples/ms-identity-dotnet-adfs-to-aad) | [Active Directory FS to Azure AD migration](https://github.com/Azure-Samples/ms-identity-dotnet-adfs-to-aad) | [MSAL.NET](https://aka.ms/msal-net) | | > | ASP.NET |[GitHub repo](https://github.com/AzureAdQuickstarts/AppModelv2-WebApp-OpenIDConnect-DotNet) | [Quickstart: Sign in users](https://github.com/AzureAdQuickstarts/AppModelv2-WebApp-OpenIDConnect-DotNet) | [MSAL.NET](https://aka.ms/msal-net) | | > | ASP.NET |[GitHub repo](https://github.com/Azure-Samples/ms-identity-aspnet-webapp-openidconnect) | [Sign in users and call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-aspnet-webapp-openidconnect) | [MSAL.NET](https://aka.ms/msal-net) | |
The following samples illustrate web applications that sign in users. Some sampl
> | Java </p> Servlets |[GitHub repo](https://github.com/Azure-Samples/ms-identity-java-servlet-webapp-authentication) | Spring-less Servlet Series <br/> &#8226; [Sign in users](https://github.com/Azure-Samples/ms-identity-java-servlet-webapp-authentication/tree/main/1-Authentication/sign-in) <br/> &#8226; [Sign in users (B2C)](https://github.com/Azure-Samples/ms-identity-java-servlet-webapp-authentication/tree/main/1-Authentication/sign-in-b2c) <br/> &#8226; [Call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-java-servlet-webapp-authentication/tree/main/2-Authorization-I/call-graph) <br/> &#8226; [Use App Roles for access control](https://github.com/Azure-Samples/ms-identity-java-servlet-webapp-authentication/tree/main/3-Authorization-II/roles) <br/> &#8226; [Use Security Groups for access control](https://github.com/Azure-Samples/ms-identity-java-servlet-webapp-authentication/tree/main/3-Authorization-II/groups) <br/> &#8226; [Deploy to Azure App Service](https://github.com/Azure-Samples/ms-identity-java-servlet-webapp-authentication/tree/main/4-Deployment/deploy-to-azure-app-service) | MSAL Java | [Auth code flow](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-auth-code-flow) | > | Java |[GitHub repo](https://github.com/Azure-Samples/ms-identity-java-webapp) | Sign in users, call Microsoft Graph | MSAL Java | [Auth code flow](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-auth-code-flow) | > | Java </p> Spring|[GitHub repo](https://github.com/Azure-Samples/ms-identity-java-webapi) | Sign in users & call Microsoft Graph via OBO </p> &#8226; web API | MSAL Java | &#8226; [Auth code flow](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-auth-code-flow) <br/> &#8226; [On-Behalf-Of (OBO) flow](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow) |
-> | Node.js </p> Express |[GitHub repo](https://github.com/Azure-Samples/ms-identity-node) | Express web app sample <br/> &#8226; Sign in users <br/> &#8226; Call Microsoft Graph | MSAL Node | [Auth code flow](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-auth-code-flow) |
+> | Node.js </p> Express |[GitHub repo](https://github.com/Azure-Samples/ms-identity-node) | Express web app sample <br/> &#8226; Sign in users | MSAL Node | [Auth code flow](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-auth-code-flow) |
+> | Node.js </p> Express |[GitHub repo](https://github.com/Azure-Samples/ms-identity-node) | Express web app series <br/> &#8226; [Sign in users](https://github.com/Azure-Samples/ms-identity-javascript-nodejs-tutorial/blob/main/1-Authentication/1-sign-in/README.md)<br/> &#8226; [Sign in users (B2C)](https://github.com/Azure-Samples/ms-identity-javascript-nodejs-tutorial/blob/main/1-Authentication/2-sign-in-b2c/README.md)<br/> &#8226; [Call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-javascript-nodejs-tutorial/blob/main/2-Authorization/1-call-graph/README.md)<br/> &#8226; [Deploy to Azure App Service](https://github.com/Azure-Samples/ms-identity-javascript-nodejs-tutorial/blob/main/3-Deployment/README.md) | MSAL Node | [Auth code flow](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-auth-code-flow) |
> | Python </p> Flask |[GitHub repo](https://github.com/Azure-Samples/ms-identity-python-flask-tutorial) | Flask Series <br/> &#8226; Sign in users <br/> &#8226; Sign in users (B2C) <br/> &#8226; Call Microsoft Graph <br/> &#8226; Deploy to Azure App Service | MSAL Python | [Auth code flow](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-auth-code-flow) | > | Python </p> Django |[GitHub repo](https://github.com/Azure-Samples/ms-identity-python-django-tutorial) | Django Series <br/> &#8226; [Sign in users](https://github.com/Azure-Samples/ms-identity-python-django-tutorial/tree/main/1-Authentication/sign-in) <br/> &#8226; [Sign in users (B2C)](https://github.com/Azure-Samples/ms-identity-python-django-tutorial/tree/main/1-Authentication/sign-in-b2c) <br/> &#8226; [Call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-python-django-tutorial/tree/main/2-Authorization-I/call-graph) <br/> &#8226; [Deploy to Azure App Service](https://github.com/Azure-Samples/ms-identity-python-django-tutorial/tree/main/3-Deployment/deploy-to-azure-app-service)| MSAL Python | [Auth code flow](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-auth-code-flow) | > | Python </p> Flask |[GitHub repo](https://github.com/Azure-Samples/ms-identity-python-webapp) | Flask standalone sample <br/> [Sign in users and call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-python-webapp) | MSAL Python | [Auth code flow](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-auth-code-flow) |
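Review bot: The added "Express web app series" row links its "GitHub repo" cell to Azure-Samples/ms-identity-node, yet every entry in that row points to Azure-Samples/ms-identity-javascript-nodejs-tutorial; the repo cell should most likely link to the tutorial repository, otherwise both Node.js rows advertise the same repo. Both added rows also keep the absolute https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-auth-code-flow link, while this same change converts the ASP.NET Core rows to ./v2-oauth2-auth-code-flow.md; use the relative form here as well.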
To learn about [samples](https://github.com/microsoftgraph/msgraph-community-sam
## See also
-[Microsoft Graph API conceptual and reference](/graph/use-the-api?context=graph%2fapi%2fbeta&view=graph-rest-beta&preserve-view=true)
+[Microsoft Graph API conceptual and reference](/graph/use-the-api?context=graph%2fapi%2fbeta&view=graph-rest-beta&preserve-view=true)
active-directory Azureadjoin Plan https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/devices/azureadjoin-plan.md
If you use AD FS, see [Verify and manage single sign-on with AD FS](/previous-ve
Users get SSO from Azure AD joined devices if the device has access to a domain controller.
-**Recommendation:** Deploy [Azure AD App proxy](../manage-apps/application-proxy.md) to enable secure access for these applications.
+**Recommendation:** Deploy [Azure AD App proxy](../app-proxy/application-proxy.md) to enable secure access for these applications.
### On-premises network shares
You can use this implementation to [require managed devices for cloud app access
> [Join your work device to your organization's network](../user-help/user-help-join-device-on-network.md) <!--Image references-->
-[1]: ./media/azureadjoin-plan/12.png
+[1]: ./media/azureadjoin-plan/12.png
active-directory Hybrid Azuread Join Plan https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/devices/hybrid-azuread-join-plan.md
If your Windows 10 domain joined devices are [Azure AD registered](overview.md#g
### Hybrid Azure AD join for single forest, multiple Azure AD tenants To register devices as hybrid Azure AD join to respective tenants, organizations need to ensure that the SCP configuration is done on the devices and not in AD. More details on how to accomplish this can be found in the article [controlled validation of hybrid Azure AD join](hybrid-azuread-join-control.md). It is also important for organizations to understand that certain Azure AD capabilities will not work in a single forest, multiple Azure AD tenants configurations.-- [Device writeback](https://docs.microsoft.com/azure/active-directory/hybrid/how-to-connect-device-writeback) will not work. This affects [Device based Conditional Access for on-premise apps that are federated using ADFS](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/configure-device-based-conditional-access-on-premises). This also affects [Windows Hello for Business deployment when using the Hybrid Cert Trust model](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust).-- [Groups writeback](https://docs.microsoft.com/azure/active-directory/hybrid/how-to-connect-group-writeback) will not work. This affects writeback of Office 365 Groups to a forest with Exchange installed.-- [Seamless SSO](https://docs.microsoft.com/azure/active-directory/hybrid/how-to-connect-sso) will not work. This affects SSO scenarios that organizations may be using on cross OS/broowser platforms, for example iOS/Linux with Firefox, Safari, Chrome without the Windows 10 extension.-- [Hybrid Azure AD join for Windows down-level devices in managed environment](https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-managed-domains#enable-windows-down-level-devices) will not work. 
For example, hybrid Azure AD join on Windows Server 2012 R2 in a managed environment requires Seamless SSO and since Seamless SSO will not work, hybrid Azure AD join for such a setup will not work.-- [On-premises Azure AD Password Protection](https://docs.microsoft.com/azure/active-directory/authentication/concept-password-ban-bad-on-premises) will not work.This affects ability to perform password changes and password reset events against on-premises Active Directory Domain Services (AD DS) domain controllers using the same global and custom banned password lists that are stored in Azure AD.
+- [Device writeback](../hybrid/how-to-connect-device-writeback.md) will not work. This affects [Device based Conditional Access for on-premise apps that are federated using ADFS](/windows-server/identity/ad-fs/operations/configure-device-based-conditional-access-on-premises). This also affects [Windows Hello for Business deployment when using the Hybrid Cert Trust model](/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust).
+- [Groups writeback](../hybrid/how-to-connect-group-writeback.md) will not work. This affects writeback of Office 365 Groups to a forest with Exchange installed.
+- [Seamless SSO](../hybrid/how-to-connect-sso.md) will not work. This affects SSO scenarios that organizations may be using on cross OS/broowser platforms, for example iOS/Linux with Firefox, Safari, Chrome without the Windows 10 extension.
+- [Hybrid Azure AD join for Windows down-level devices in managed environment](./hybrid-azuread-join-managed-domains.md#enable-windows-down-level-devices) will not work. For example, hybrid Azure AD join on Windows Server 2012 R2 in a managed environment requires Seamless SSO and since Seamless SSO will not work, hybrid Azure AD join for such a setup will not work.
+- [On-premises Azure AD Password Protection](../authentication/concept-password-ban-bad-on-premises.md) will not work.This affects ability to perform password changes and password reset events against on-premises Active Directory Domain Services (AD DS) domain controllers using the same global and custom banned password lists that are stored in Azure AD.
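Review bot: the added bullets carry two typos over unchanged from the removed lines: "broowser" in the Seamless SSO bullet should be "browser", and the Password Protection bullet is missing a space in "will not work.This". These lines are already being rewritten to switch to relative links, so fix both here. "on-premise apps" in the Device writeback bullet could also become "on-premises apps" to match the rest of the list.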
### Additional considerations
The table below provides details on support for these on-premises AD UPNs in Win
> [Configure hybrid Azure Active Directory join for managed environment](hybrid-azuread-join-managed-domains.md) <!--Image references-->
-[1]: ./media/hybrid-azuread-join-plan/12.png
+[1]: ./media/hybrid-azuread-join-plan/12.png
active-directory Groups Dynamic Membership https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/enterprise-users/groups-dynamic-membership.md
An example of a rule that uses a custom extension property is:
user.extension_c272a57b722d4eb29bfe327874ae79cb_OfficeNumber -eq "123" ```
-The custom property name can be found in the directory by querying a user's property using Graph Explorer and searching for the property name. Also, you can now select **Get custom extension properties** link in the dynamic user group rule builder to enter a unique app ID and receive the full list of custom extension properties to use when creating a dynamic membership rule. This list can also be refreshed to get any new custom extension properties for that app.
+The custom property name can be found in the directory by querying a user's property using Graph Explorer and searching for the property name. Also, you can now select **Get custom extension properties** link in the dynamic user group rule builder to enter a unique app ID and receive the full list of custom extension properties to use when creating a dynamic membership rule. This list can also be refreshed to get any new custom extension properties for that app.
+
+For more information, see [Use the attributes in dynamic groups](../hybrid/how-to-connect-sync-feature-directory-extensions.md#use-the-attributes-in-dynamic-groups) in the article [Azure AD Connect sync: Directory extensions](../hybrid/how-to-connect-sync-feature-directory-extensions.md).
## Rules for devices
active-directory Users Revoke Access https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/enterprise-users/users-revoke-access.md
Most browser-based applications use session tokens instead of access and refresh
## Revoke access for a user in the hybrid environment
-For a hybrid environment with on-premises Active Directory synchronized with Azure Active Directory, Microsoft recommends IT admins to take the following actions. If you have an **Azure AD only environment**, skip to the [Azure Active Directory environment](https://docs.microsoft.com/azure/active-directory/enterprise-users/users-revoke-access#azure-active-directory-environment) section.
+For a hybrid environment with on-premises Active Directory synchronized with Azure Active Directory, Microsoft recommends IT admins to take the following actions. If you have an **Azure AD only environment**, skip to the [Azure Active Directory environment](#azure-active-directory-environment) section.
### On-premises Active Directory environment
Once admins have taken the above steps, the user can't gain new tokens for any a
- [Secure access practices for Azure AD administrators](../roles/security-planning.md) - [Add or update user profile information](../fundamentals/active-directory-users-profile-azure-portal.md)-- [Remove or Delete a former employee](/microsoft-365/admin/add-users/remove-former-employee)
+- [Remove or Delete a former employee](/microsoft-365/admin/add-users/remove-former-employee)
active-directory Users Sharing Accounts https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/enterprise-users/users-sharing-accounts.md
Azure AD features that enable account sharing include:
* Custom Password apps * [App usage dashboard/reports](../authentication/howto-sspr-reporting.md) * End-user access portals
-* [App proxy](../manage-apps/application-proxy.md)
+* [App proxy](../app-proxy/application-proxy.md)
* [Active Directory Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/Microsoft.AzureActiveDirectory) ## Sharing an account
active-directory Azure Ad Account https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/external-identities/azure-ad-account.md
++
+ Title: Azure AD Account identity provider
+description: Use Azure Active Directory to enable an external user (guest) to sign in to your Azure AD apps with their Azure AD work account.
+++++ Last updated : 06/02/2021+++++++
+# Azure Active Directory (Azure AD) identity provider for External Identities
+
+Azure Active Directory is available as an identity provider option for B2B collaboration by default. If an external guest user has an Azure AD account through work or school, they can redeem your B2B collaboration invitations or complete your sign-up user flows using their Azure AD account.
+
+## Guest sign-in using Azure Active Directory accounts
+
+Azure Active Directory is available in the list of External Identities identity providers by default. No further configuration is needed to allow guest users to sign in with their Azure AD account using either the invitation flow or a self-service sign-up user flow.
+
+![Azure AD account in the identity providers list](media/azure-ad-account/azure-ad-account-identity-provider.png)
+
+### Azure AD account in the invitation flow
+
+When you [invite a guest user](add-users-administrator.md) to B2B collaboration, you can specify their Azure AD account as the email address they'll use to sign in.
+
+![Invite using a Azure AD account](media/azure-ad-account/azure-ad-account-invite.png)
+
+### Azure AD account in self-service sign-up user flows
+
+Azure AD account is an identity provider option for your self-service sign-up user flows. Users can sign up for your applications using their own Azure AD accounts. First, you'll need to [enable self-service sign-up](self-service-sign-up-user-flow.md) for your tenant. Then you can set up a user flow for the application and select Azure Active Directory as one of the sign-in options.
+
+![Azure AD account in a self-service sign-up user flow](media/azure-ad-account/azure-ad-account-user-flow.png)
+
+## Next steps
+
+- [Add Azure Active Directory B2B collaboration users](add-users-administrator.md)
+- [Add self-service sign-up to an app](self-service-sign-up-user-flow.md)
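Review bot: the image alt text "Invite using a Azure AD account" should read "an Azure AD account". Separately, the intro and the "Guest sign-in" section both say the provider is available "by default" and that "No further configuration is needed"; consider adding a sentence or link that says where an admin controls who can send invitations (for example the existing delegate-invitations.md article), so that default-on is not read as meaning there are no controls.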
active-directory Delegate Invitations https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/external-identities/delegate-invitations.md
See the following articles on Azure AD B2B collaboration:
- [What is Azure AD B2B collaboration?](what-is-b2b.md) - [Add B2B collaboration guest users without an invitation](add-user-without-invite.md)-- [Adding a B2B collaboration user to a role](add-guest-to-role.md)-
+- [Adding a B2B collaboration user to a role](./add-users-administrator.md)
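Review bot: the replacement link keeps the text "Adding a B2B collaboration user to a role" but now targets ./add-users-administrator.md, which is linked elsewhere in this change set under the title "Add Azure Active Directory B2B collaboration users". Either update the link text to match the target or point at an article that covers role assignment. The "./" prefix is also inconsistent with the sibling links in this list (what-is-b2b.md, add-user-without-invite.md), which use bare file names.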
active-directory Direct Federation https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/external-identities/direct-federation.md
Previously updated : 04/28/2021 Last updated : 06/10/2021
Next, your partner organization needs to configure their IdP with the required c
Azure AD B2B can be configured to federate with IdPs that use the SAML protocol with specific requirements listed below. For more information about setting up a trust between your SAML IdP and Azure AD, see [Use a SAML 2.0 Identity Provider (IdP) for Single Sign-On](../hybrid/how-to-connect-fed-saml-idp.md). > [!NOTE]
-> The target domain for SAML/WS-Fed IdP federation must not be DNS-verified on Azure AD. The authentication URL domain must match the target domain or it must be the domain of an allowed IdP. See the [Limitations](#limitations) section for details.
+> The target domain for SAML/WS-Fed IdP federation must not be DNS-verified on Azure AD. See the [Limitations](#limitations) section for details.
#### Required SAML 2.0 attributes and claims The following tables show requirements for specific attributes and claims that must be configured at the third-party IdP. To set up federation, the following attributes must be received in the SAML 2.0 response from the IdP. These attributes can be configured by linking to the online security token service XML file or by entering them manually.
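Review bot: the SAML note drops the sentence "The authentication URL domain must match the target domain or it must be the domain of an allowed IdP" but still sends readers to the Limitations section for details. Confirm that Limitations no longer states this requirement, or states whatever replaces it. If the restriction on the authentication URL was lifted, say so explicitly in the article rather than removing the sentence silently, since it constrains which IdP endpoints a federation can point at.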
Required claims for the SAML 2.0 token issued by the IdP:
Azure AD B2B can be configured to federate with IdPs that use the WS-Fed protocol with some specific requirements as listed below. Currently, the two WS-Fed providers have been tested for compatibility with Azure AD include AD FS and Shibboleth. For more information about establishing a relying party trust between a WS-Fed compliant provider with Azure AD, see the "STS Integration Paper using WS Protocols" available in the [Azure AD Identity Provider Compatibility Docs](https://www.microsoft.com/download/details.aspx?id=56843). > [!NOTE]
-> The target domain for federation must not be DNS-verified on Azure AD. The authentication URL domain must match either the target domain or the domain of an allowed IdP. See the [Limitations](#limitations) section for details.
+> The target domain for federation must not be DNS-verified on Azure AD. See the [Limitations](#limitations) section for details.
#### Required WS-Fed attributes and claims
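Review bot: the WS-Fed note loses the same authentication URL sentence as the SAML note, yet the two remaining notes are worded differently: "The target domain for SAML/WS-Fed IdP federation" in the SAML note, "The target domain for federation" here. Use one wording in both places so readers do not infer that the DNS-verification restriction differs between the two protocols.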
active-directory Google Federation https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/external-identities/google-federation.md
You can also give Google guest users a direct link to an application or resource
Starting in the second half of 2021, Google is [deprecating embedded web-view sign-in support](https://developers.googleblog.com/2016/08/modernizing-oauth-interactions-in-native-apps.html). If youΓÇÖre using Google federation for B2B or [Azure AD B2C](../../active-directory-b2c/identity-provider-google.md), or if you're using [self-service sign-up with Gmail](identity-providers.md), if your apps authenticate users with an embedded web-view, Google Gmail users won't be able to authenticate. The following are known scenarios that will impact Gmail users:-- Windows apps that use the [WebView](https://docs.microsoft.com/windows/communitytoolkit/controls/wpf-winforms/webview) control, [WebView2](https://docs.microsoft.com/microsoft-edge/webview2/), or the older WebBrowser control, for authentication. These apps should migrate to using the Web Account Manager (WAM) flow.
+- Windows apps that use the [WebView](/windows/communitytoolkit/controls/wpf-winforms/webview) control, [WebView2](/microsoft-edge/webview2/), or the older WebBrowser control, for authentication. These apps should migrate to using the Web Account Manager (WAM) flow.
- Android applications using the WebView UI element - iOS applications using UIWebView/WKWebview - Apps using ADAL
WeΓÇÖre confirming with Google whether this change affects the following:
WeΓÇÖre continuing to test various platforms and scenarios, and will update this article accordingly. ### Action needed for embedded web-views
-Modify your apps to use the system browser for sign-in. For details, see [Embedded vs System Web UI](https://docs.microsoft.com/azure/active-directory/develop/msal-net-web-browsers#embedded-vs-system-web-ui) in the MSAL.NET documentation. All MSAL SDKs use the system web-view by default.
+Modify your apps to use the system browser for sign-in. For details, see [Embedded vs System Web UI](../develop/msal-net-web-browsers.md#embedded-vs-system-web-ui) in the MSAL.NET documentation. All MSAL SDKs use the system web-view by default.
### What to expect Before Google puts these changes into place in the second half of 2021, Microsoft will deploy a workaround for apps still using embedded web-views to ensure that authentication isn't blocked.
active-directory Hybrid Cloud To On Premises https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/external-identities/hybrid-cloud-to-on-premises.md
You must do both of the following:
To provide B2B users access to on-premises applications that are secured with Integrated Windows Authentication and Kerberos constrained delegation, you need the following components: - **Authentication through Azure AD Application Proxy**. B2B users must be able to authenticate to the on-premises application. To do this, you must publish the on-premises app through the Azure AD Application Proxy. For more information, see [Tutorial: Add an on-premises application for remote access through Application Proxy](../app-proxy/application-proxy-add-on-premises-application.md).-- **Authorization via a B2B user object in the on-premises directory**. The application must be able to perform user access checks, and grant access to the correct resources. IWA and KCD require a user object in the on-premises Windows Server Active Directory to complete this authorization. As described in [How single sign-on with KCD works](../manage-apps/application-proxy-configure-single-sign-on-with-kcd.md#how-single-sign-on-with-kcd-works), Application Proxy needs this user object to impersonate the user and get a Kerberos token to the app.
+- **Authorization via a B2B user object in the on-premises directory**. The application must be able to perform user access checks, and grant access to the correct resources. IWA and KCD require a user object in the on-premises Windows Server Active Directory to complete this authorization. As described in [How single sign-on with KCD works](../app-proxy/application-proxy-configure-single-sign-on-with-kcd.md#how-single-sign-on-with-kcd-works), Application Proxy needs this user object to impersonate the user and get a Kerberos token to the app.
> [!NOTE] > When you configure the Azure AD Application Proxy, ensure that **Delegated Logon Identity** is set to **User principal name** (default) in the single sign-on configuration for Integrated Windows Authentication (IWA).
active-directory O365 External User https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/external-identities/o365-external-user.md
You can enable this feature by using the setting 'ShowPeoplePickerSuggestionsFor
## Next steps * [What is Azure AD B2B collaboration?](what-is-b2b.md)
-* [Adding a B2B collaboration user to a role](add-guest-to-role.md)
+* [Adding a B2B collaboration user to a role](./add-users-administrator.md)
* [Delegate B2B collaboration invitations](delegate-invitations.md) * [Dynamic groups and B2B collaboration](use-dynamic-groups.md)
-* [Troubleshooting Azure Active Directory B2B collaboration](troubleshoot.md)
+* [Troubleshooting Azure Active Directory B2B collaboration](troubleshoot.md)
active-directory Redemption Experience https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/external-identities/redemption-experience.md
In your directory, the guest's **Invitation accepted** value changes to **Yes**.
- [Add Azure Active Directory B2B collaboration users in the Azure portal](add-users-administrator.md) - [How do information workers add B2B collaboration users to Azure Active Directory?](add-users-information-worker.md) - [Add Azure Active Directory B2B collaboration users by using PowerShell](customize-invitation-api.md#powershell)-- [Leave an organization as a guest user](leave-the-organization.md)
+- [Leave an organization as a guest user](leave-the-organization.md)
active-directory Use Dynamic Groups https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/external-identities/use-dynamic-groups.md
The following image shows the rule syntax for a dynamic group modified to includ
## Next steps - [B2B collaboration user properties](user-properties.md)-- [Adding a B2B collaboration user to a role](add-guest-to-role.md)
+- [Adding a B2B collaboration user to a role](./add-users-administrator.md)
- [Conditional Access for B2B collaboration users](conditional-access.md)
active-directory Active Directory Compare Azure Ad To Ad https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/active-directory-compare-azure-ad-to-ad.md
Most IT administrators are familiar with Active Directory Domain Services concep
| Credential management| Credentials in Active Directory are based on passwords, certificate authentication, and smartcard authentication. Passwords are managed using password policies that are based on password length, expiry, and complexity.|Azure AD uses intelligent [password protection](../authentication/concept-password-ban-bad.md) for cloud and on-premises. Protection includes smart lockout plus blocking common and custom password phrases and substitutions. </br>Azure AD significantly boosts security [through Multi-factor authentication](../authentication/concept-mfa-howitworks.md) and [passwordless](../authentication/concept-authentication-passwordless.md) technologies, like FIDO2. </br>Azure AD reduces support costs by providing users a [self-service password reset](../authentication/concept-sspr-howitworks.md) system. | | **Apps**||| | Infrastructure apps|Active Directory forms the basis for many infrastructure on-premises components, for example, DNS, DHCP, IPSec, WiFi, NPS, and VPN access|In a new cloud world, Azure AD, is the new control plane for accessing apps versus relying on networking controls. When users authenticate[, Conditional access (CA)](../conditional-access/overview.md), will control which users, will have access to which apps under required conditions.|
-| Traditional and legacy apps| Most on-premises apps use LDAP, Windows-Integrated Authentication (NTLM and Kerberos), or Header-based authentication to control access to users.| Azure AD can provide access to these types of on-premises apps using [Azure AD application proxy](../manage-apps/application-proxy.md) agents running on-premises. Using this method Azure AD can authenticate Active Directory users on-premises using Kerberos while you migrate or need to coexist with legacy apps. |
+| Traditional and legacy apps| Most on-premises apps use LDAP, Windows-Integrated Authentication (NTLM and Kerberos), or Header-based authentication to control access to users.| Azure AD can provide access to these types of on-premises apps using [Azure AD application proxy](../app-proxy/application-proxy.md) agents running on-premises. Using this method Azure AD can authenticate Active Directory users on-premises using Kerberos while you migrate or need to coexist with legacy apps. |
| SaaS apps|Active Directory doesn't support SaaS apps natively and requires federation system, such as AD FS.|SaaS apps supporting OAuth2, SAML, and WS-\* authentication can be integrated to use Azure AD for authentication. | | Line of business (LOB) apps with modern authentication|Organizations can use AD FS with Active Directory to support LOB apps requiring modern authentication.| LOB apps requiring modern authentication can be configured to use Azure AD for authentication. | | Mid-tier/Daemon services|Services running in on-premises environments normally use AD service accounts or group Managed Service Accounts (gMSA) to run. These apps will then inherit the permissions of the service account.| Azure AD provides [managed identities](../managed-identities-azure-resources/index.yml) to run other workloads in the cloud. The lifecycle of these identities is managed by Azure AD and is tied to the resource provider can't be used for other purposes to gain backdoor access.|
Most IT administrators are familiar with Active Directory Domain Services concep
- [What is Azure Active Directory?](./active-directory-whatis.md) - [Compare self-managed Active Directory Domain Services, Azure Active Directory, and managed Azure Active Directory Domain Services](../../active-directory-domain-services/compare-identity-solutions.md) - [Frequently asked questions about Azure Active Directory](./active-directory-faq.yml)-- [What's new in Azure Active Directory?](./whats-new.md)
+- [What's new in Azure Active Directory?](./whats-new.md)
active-directory Active Directory Deployment Plans https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/active-directory-deployment-plans.md
From any of the plan pages, use your browser's Print to PDF capability to create
| -| -| | [ADFS to Password Hash Sync](../hybrid/plan-migrate-adfs-password-hash-sync.md)| With Password Hash Synchronization, hashes of user passwords are synchronized from on-premises Active Directory to Azure AD, letting Azure AD authenticate users with no interaction with the on-premises Active Directory | | [ADFS to Pass Through Authentication](../hybrid/plan-migrate-adfs-pass-through-authentication.md)| Azure AD Pass-through Authentication helps your users sign in to both on-premises and cloud-based applications using the same passwords. This feature provides users with a better experience - one less password to remember - and reduces IT helpdesk costs because users are less likely to forget how to sign in. When people sign in using Azure AD, this feature validates users' passwords directly against your on-premises Active Directory. |
-| [Azure AD Application Proxy](../manage-apps/application-proxy-deployment-plan.md) |Employees today want to be productive at any place, at any time, and from any device. They need to access SaaS apps in the cloud and corporate apps on-premises. Azure AD Application proxy enables this robust access without costly and complex virtual private networks (VPNs) or demilitarized zones (DMZs). |
+| [Azure AD Application Proxy](../app-proxy/application-proxy-deployment-plan.md) |Employees today want to be productive at any place, at any time, and from any device. They need to access SaaS apps in the cloud and corporate apps on-premises. Azure AD Application proxy enables this robust access without costly and complex virtual private networks (VPNs) or demilitarized zones (DMZs). |
| [Seamless SSO](../hybrid/how-to-connect-sso-quick-start.md)| Azure Active Directory Seamless Single Sign-On (Azure AD Seamless SSO) automatically signs users in when they are on their corporate devices connected to your corporate network. With this feature, users won't need to type in their passwords to sign in to Azure AD and usually won't need to enter their usernames. This feature provides authorized users with easy access to your cloud-based applications without needing any additional on-premises components. | ## Deploy user provisioning
A pilot allows you to test with a small group before turning a capability on for
In your first wave, target IT, usability, and other appropriate users who can test and provide feedback. This feedback should be used to further develop the communications and instructions you send to your users, and to give insights into the types of issues your support staff may see.
-Widening the rollout to larger groups of users should be carried out by increasing the scope of the group(s) targeted. This can be done through [dynamic group membership](../enterprise-users/groups-dynamic-membership.md), or by manually adding users to the targeted group(s).
+Widening the rollout to larger groups of users should be carried out by increasing the scope of the group(s) targeted. This can be done through [dynamic group membership](../enterprise-users/groups-dynamic-membership.md), or by manually adding users to the targeted group(s).
active-directory Active Directory Ops Guide Auth https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/active-directory-ops-guide-auth.md
If you would like to learn more about passwordless authentication, see [A world
### Single sign-on for apps
-Providing a standardized single sign-on mechanism to the entire enterprise is crucial for best user experience, reduction of risk, ability to report, and governance. If you are using applications that support SSO with Azure AD but are currently configured to use local accounts, you should reconfigure those applications to use SSO with Azure AD. Likewise, if you are using any applications that support SSO with Azure AD but are using another Identity Provider, you should reconfigure those applications to use SSO with Azure AD as well. For applications that don't support federation protocols but do support forms-based authentication, we recommend you configure the application to use [password vaulting](../manage-apps/application-proxy-configure-single-sign-on-password-vaulting.md) with Azure AD Application Proxy.
+Providing a standardized single sign-on mechanism to the entire enterprise is crucial for best user experience, reduction of risk, ability to report, and governance. If you are using applications that support SSO with Azure AD but are currently configured to use local accounts, you should reconfigure those applications to use SSO with Azure AD. Likewise, if you are using any applications that support SSO with Azure AD but are using another Identity Provider, you should reconfigure those applications to use SSO with Azure AD as well. For applications that don't support federation protocols but do support forms-based authentication, we recommend you configure the application to use [password vaulting](../app-proxy/application-proxy-configure-single-sign-on-password-vaulting.md) with Azure AD Application Proxy.
![AppProxy Password-based Sign-on](./media/active-directory-ops-guide/active-directory-ops-img8.png)
On the other hand, if you find applications that have assignment to individual u
### Named locations
-With [named locations](../reports-monitoring/quickstart-configure-named-locations.md) in Azure AD, you can label trusted IP address ranges in your organization. Azure AD uses named locations to:
+With [named locations](../conditional-access/location-condition.md) in Azure AD, you can label trusted IP address ranges in your organization. Azure AD uses named locations to:
- Prevent false positives in risk events. Signing in from a trusted network location lowers a user's sign-in risk.-- Configure [location-based Conditional Access](../reports-monitoring/quickstart-configure-named-locations.md).
+- Configure [location-based Conditional Access](../conditional-access/location-condition.md).
![Named location](./media/active-directory-ops-guide/active-directory-ops-img10.png)
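Review bot: both links in this hunk, "named locations" and "location-based Conditional Access", now resolve to the same ../conditional-access/location-condition.md target. If that article has a section on defining named locations, link the first one to that anchor so the two links do not lead to the same place.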
There are 12 aspects to a secure Identity infrastructure. This list will help yo
## Next steps
-Get started with the [Identity governance operational checks and actions](active-directory-ops-guide-govern.md).
+Get started with the [Identity governance operational checks and actions](active-directory-ops-guide-govern.md).
active-directory Active Directory Ops Guide Ops https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/active-directory-ops-guide-ops.md
Unless one has been established, you should define a process to upgrade these co
#### Hybrid management recommended reading - [Azure AD Connect: Automatic upgrade](../hybrid/how-to-connect-install-automatic-upgrade.md)-- [Understand Azure AD Application Proxy connectors | Automatic updates](../manage-apps/application-proxy-connectors.md#automatic-updates)
+- [Understand Azure AD Application Proxy connectors | Automatic updates](../app-proxy/application-proxy-connectors.md#automatic-updates)
### Azure AD Connect Health alert baseline
Some identity and access management services require on-premises agents to enabl
#### On-premises agents logs recommended reading -- [Troubleshoot Application Proxy](../manage-apps/application-proxy-troubleshoot.md)
+- [Troubleshoot Application Proxy](../app-proxy/application-proxy-troubleshoot.md)
- [Self-service password reset troubleshooting- Azure Active Directory](../authentication/troubleshoot-sspr.md)-- [Understand Azure AD Application Proxy connectors](../manage-apps/application-proxy-connectors.md)
+- [Understand Azure AD Application Proxy connectors](../app-proxy/application-proxy-connectors.md)
- [Azure AD Connect: Troubleshoot Pass-through Authentication](../hybrid/tshoot-connect-pass-through-authentication.md#collecting-pass-through-authentication-agent-logs) - [Troubleshoot error codes for the Azure AD MFA NPS extension](../authentication/howto-mfa-nps-extension-errors.md)
Adopting best practices can help the optimal operation of on-premises agents. Co
#### On-premises agents management recommended reading -- [Understand Azure AD Application Proxy connectors](../manage-apps/application-proxy-connectors.md)
+- [Understand Azure AD Application Proxy connectors](../app-proxy/application-proxy-connectors.md)
- [Azure AD Pass-through Authentication - quickstart](../hybrid/how-to-connect-pta-quick-start.md#step-4-ensure-high-availability) ## Management at scale
active-directory Active Directory Whatis https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/active-directory-whatis.md
After you choose your Azure AD license, you'll get access to some or all of the
|Category|Description| |-|--|
-|Application management|Manage your cloud and on-premises apps using Application Proxy, single sign-on, the My Apps portal (also known as the Access panel), and Software as a Service (SaaS) apps. For more information, see [How to provide secure remote access to on-premises applications](../manage-apps/application-proxy.md) and [Application Management documentation](../manage-apps/index.yml).|
+|Application management|Manage your cloud and on-premises apps using Application Proxy, single sign-on, the My Apps portal (also known as the Access panel), and Software as a Service (SaaS) apps. For more information, see [How to provide secure remote access to on-premises applications](../app-proxy/application-proxy.md) and [Application Management documentation](../manage-apps/index.yml).|
|Authentication|Manage Azure Active Directory self-service password reset, Multi-Factor Authentication, custom banned password list, and smart lockout. For more information, see [Azure AD Authentication documentation](../authentication/index.yml).| |Azure Active Directory for developers|Build apps that sign in all Microsoft identities, get tokens to call Microsoft Graph, other Microsoft APIs, or custom APIs. For more information, see [Microsoft identity platform (Azure Active Directory for developers)](../develop/index.yml).| |Business-to-Business (B2B)|Manage your guest users and external partners, while maintaining control over your own corporate data. For more information, see [Azure Active Directory B2B documentation](../external-identities/index.yml).|
To better understand Azure AD and its documentation, we recommend reviewing the
- [Associate an Azure subscription to your Azure Active Directory](active-directory-how-subscriptions-associated-directory.md) -- [Azure Active Directory Premium P2 feature deployment checklist](active-directory-deployment-checklist-p2.md)
+- [Azure Active Directory Premium P2 feature deployment checklist](active-directory-deployment-checklist-p2.md)
active-directory Auth Header Based https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/auth-header-based.md
Remote users need to securely single sign-on (SSO) into to on-premises applicati
* [Add an on-premises application for remote access through Application Proxy in Azure AD](../app-proxy/application-proxy-add-on-premises-application.md)
-* [Header-based authentication for single sign-on with Application Proxy and PingAccess](../manage-apps/application-proxy-configure-single-sign-on-with-headers.md)
+* [Header-based authentication for single sign-on with Application Proxy and PingAccess](../app-proxy/application-proxy-configure-single-sign-on-with-headers.md)
* [Secure legacy apps with app delivery controllers and networks](../manage-apps/secure-hybrid-access.md)
active-directory Auth Kcd https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/auth-kcd.md
There is a need to provide remote access, protect with pre-authentication, and p
## Implement Windows authentication (KCD) with Azure AD
-* [Kerberos Constrained Delegation for single sign-on to your apps with Application Proxy](../manage-apps/application-proxy-configure-single-sign-on-with-kcd.md)
-
-* [Add an on-premises application for remote access through Application Proxy in Azure Active Directory](../app-proxy/application-proxy-add-on-premises-application.md)
+* [Kerberos Constrained Delegation for single sign-on to your apps with Application Proxy](../app-proxy/application-proxy-configure-single-sign-on-with-kcd.md)
+* [Add an on-premises application for remote access through Application Proxy in Azure Active Directory](../app-proxy/application-proxy-add-on-premises-application.md)
active-directory Auth Password Based Sso https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/auth-password-based-sso.md
You need to protect with pre-authentication and provide SSO through password vau
* [Configure password based SSO for cloud applications ](../manage-apps/configure-password-single-sign-on-non-gallery-applications.md)
-* [Configure password-based SSO for on-premises applications with Application Proxy](../manage-apps/application-proxy-configure-single-sign-on-password-vaulting.md)
-
+* [Configure password-based SSO for on-premises applications with Application Proxy](../app-proxy/application-proxy-configure-single-sign-on-password-vaulting.md)
active-directory Auth Remote Desktop Gateway https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/auth-remote-desktop-gateway.md
You need to provide remote access and protect your Remote Desktop Services deplo
## Implement Remote Desktop Gateway services with Azure AD
-* [Publish remote desktop with Azure AD Application Proxy](../manage-apps/application-proxy-integrate-with-remote-desktop-services.md)
-
-* [Add an on-premises application for remote access through Application Proxy in Azure AD](../app-proxy/application-proxy-add-on-premises-application.md)
+* [Publish remote desktop with Azure AD Application Proxy](../app-proxy/application-proxy-integrate-with-remote-desktop-services.md)
+* [Add an on-premises application for remote access through Application Proxy in Azure AD](../app-proxy/application-proxy-add-on-premises-application.md)
active-directory Customize Branding https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/customize-branding.md
Your custom branding won't immediately appear when your users go to sites such a
You can customize the sign-in page text you entered. To begin a new paragraph, use the enter key twice. You can also change text formatting to include bold, italics, an underline or clickable link. Use the following syntax to add formatting to text:
- > Hyperlink: ```[text](link)```
+ > Hyperlink: `[text](link)`
- > Bold: ``` **text** ``` or ``` __text__ ```
+ > Bold: `**text**` or `__text__`
- > Italics: ``` *text* ``` or ``` _text_ ```
+ > Italics: `*text*` or `_text_`
- > Underline: ``` ++text++ ```
+ > Underline: `++text++`
+
+ > [!IMPORTANT]
+ > Hyperlinks that are added with sign-in page text render as text in native environments, like in desktop and mobile applications.
- **Advanced settings**
active-directory Five Steps To Full Application Integration With Azure Ad https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/five-steps-to-full-application-integration-with-azure-ad.md
You can also migrate apps that use a different cloud-based identity provider to
## 4. Integrate on-premises applications
-Traditionally, applications were kept secure by allowing access only while connected to the corporate network. However, in an increasingly connected world we want to allow access to apps for customers, partners, and/or employees, regardless of where they are in the world. [Azure AD Application Proxy](../manage-apps/what-is-application-proxy.md) (AppProxy) is a feature of Azure AD that connects your existing on-premises apps to Azure AD and does not require that you maintain edge servers or other additional infrastructure to do so.
+Traditionally, applications were kept secure by allowing access only while connected to the corporate network. However, in an increasingly connected world we want to allow access to apps for customers, partners, and/or employees, regardless of where they are in the world. [Azure AD Application Proxy](../app-proxy/what-is-application-proxy.md) (AppProxy) is a feature of Azure AD that connects your existing on-premises apps to Azure AD and does not require that you maintain edge servers or other additional infrastructure to do so.
![A diagram shows the Application Proxy Service in action. A user accesses "https://sales.contoso.com" and their request is redirected through "https://sales-contoso.msappproxy.net" in Azure Active Directory to the on premises address "http://sales"](./media/five-steps-to-full-application-integration-with-azure-ad\app-proxy.png)
active-directory Protect M365 From On Premises Attacks https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/protect-m365-from-on-premises-attacks.md
Use Azure AD capabilities to securely manage devices.
* **Legacy applications**
- * You can enable authentication, authorization, and remote access to legacy applications that don't support modern authentication. Use [Azure AD Application Proxy](../manage-apps/application-proxy.md). You can also enable them through a network or application delivery controller solution by using [secure hybrid access partner integrations](../manage-apps/secure-hybrid-access.md).
+ * You can enable authentication, authorization, and remote access to legacy applications that don't support modern authentication. Use [Azure AD Application Proxy](../app-proxy/application-proxy.md). You can also enable them through a network or application delivery controller solution by using [secure hybrid access partner integrations](../manage-apps/secure-hybrid-access.md).
* Choose a VPN vendor that supports modern authentication. Integrate its authentication with Azure AD. In an on-premises compromise, you can use Azure AD to disable or block access by disabling the VPN.
monitor access to your business-critical applications and resources.
Monitor all [Azure AD risk events](../identity-protection/overview-identity-protection.md#risk-detection-and-remediation) for suspicious activity. [Azure AD Identity Protection](../identity-protection/overview-identity-protection.md) is natively integrated with Azure Security Center.
- Define the network [named locations](../reports-monitoring/quickstart-configure-named-locations.md) to avoid noisy detections on location-based signals.
+ Define the network [named locations](../conditional-access/location-condition.md) to avoid noisy detections on location-based signals.
* **User and Entity Behavioral Analytics (UEBA) alerts** Use UEBA
active-directory Resilience On Premises Access https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/resilience-on-premises-access.md
Application Proxy is a feature of Azure AD that enables users to access on-premises web applications from a remote client. Application Proxy includes both the Application Proxy service in the cloud, and the Application Proxy connectors, which run on an on-premises server.
-Users access on-premises resources through a URL published via Application Proxy. They are redirected to the Azure AD sign in page. The Application Proxy service in Azure AD then sends a token to the Application Proxy connector in the corporate network, which passes the token to the on-premises Active Directory The authenticated user can then access the on-premises resource. In the diagram below, [connectors](../manage-apps/application-proxy-connectors.md) are shown in a [connector group](../manage-apps/application-proxy-connector-groups.md).
+Users access on-premises resources through a URL published via Application Proxy. They are redirected to the Azure AD sign in page. The Application Proxy service in Azure AD then sends a token to the Application Proxy connector in the corporate network, which passes the token to the on-premises Active Directory The authenticated user can then access the on-premises resource. In the diagram below, [connectors](../app-proxy/application-proxy-connectors.md) are shown in a [connector group](../app-proxy/application-proxy-connector-groups.md).
> [!IMPORTANT]
-> When you publish your applications via Application Proxy, you must implement [capacity planning and appropriate redundancy for the Application Proxy connectors](../manage-apps/application-proxy-connectors.md#capacity-planning).
+> When you publish your applications via Application Proxy, you must implement [capacity planning and appropriate redundancy for the Application Proxy connectors](../app-proxy/application-proxy-connectors.md#capacity-planning).
![Architecture diagram of Application y](./media/resilience-on-prem-access/admin-resilience-app-proxy.png))
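Review bot: The added paragraph still runs two sentences together at "passes the token to the on-premises Active Directory The authenticated user can then access", with no period after "Active Directory". The line is already being rewritten for the connector link paths, so add the period in the same edit. The image line kept as context in this hunk also carries the alt text "Architecture diagram of Application y" and a doubled closing parenthesis, which look like they need the same cleanup.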
Users access on-premises resources through a URL published via Application Proxy
To implement remote access with Azure AD Application Proxy, see the following resources.
-* [Planning an Application Proxy deployment](../manage-apps/application-proxy-deployment-plan.md)
+* [Planning an Application Proxy deployment](../app-proxy/application-proxy-deployment-plan.md)
-* [High availability and load balancing best practices](../manage-apps/application-proxy-high-availability-load-balancing.md)
+* [High availability and load balancing best practices](../app-proxy/application-proxy-high-availability-load-balancing.md)
-* [Configure proxy servers](../manage-apps/application-proxy-configure-connectors-with-proxy-servers.md)
+* [Configure proxy servers](../app-proxy/application-proxy-configure-connectors-with-proxy-servers.md)
* [Design a resilient access control strategy](../authentication/concept-resilient-controls.md)
active-directory Whats New Archive https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/whats-new-archive.md
Some common delegation scenarios:
**Service category:** App Proxy **Product capability:** Access Control
-Azure Active Directory (Azure AD) Application Proxy natively supports single sign-on access to applications that use headers for authentication. You can configure header values required by your application in Azure AD. The header values will be sent down to the application via Application Proxy. To learn more, see [Header-based single sign-on for on-premises apps with Azure AD App Proxy](../manage-apps/application-proxy-configure-single-sign-on-with-headers.md)
+Azure Active Directory (Azure AD) Application Proxy natively supports single sign-on access to applications that use headers for authentication. You can configure header values required by your application in Azure AD. The header values will be sent down to the application via Application Proxy. To learn more, see [Header-based single sign-on for on-premises apps with Azure AD App Proxy](../app-proxy/application-proxy-configure-single-sign-on-with-headers.md)
See [BitLocker recovery API](/graph/api/resources/bitlockerrecoverykey?view=grap
Azure AD Application Proxy support for Remote Desktop Services (RDS) Web Client is now in General Availability. The RDS web client allows users to access Remote Desktop infrastructure through any HTLM5-capable browser such as Microsoft Edge, Internet Explorer 11, Google Chrome, and so on. Users can interact with remote apps or desktops like they would with a local device from anywhere.
-By using Azure AD Application Proxy, you can increase the security of your RDS deployment by enforcing pre-authentication and Conditional Access policies for all types of rich client apps. To learn more, see [Publish Remote Desktop with Azure AD Application Proxy](../manage-apps/application-proxy-integrate-with-remote-desktop-services.md)
+By using Azure AD Application Proxy, you can increase the security of your RDS deployment by enforcing pre-authentication and Conditional Access policies for all types of rich client apps. To learn more, see [Publish Remote Desktop with Azure AD Application Proxy](../app-proxy/application-proxy-integrate-with-remote-desktop-services.md)
There are corresponding updates to the Azure portal so you can update your SPA t
**Service category:** App Proxy **Product capability:** Access Control
-Azure AD Application Proxy now supports the Remote Desktop Services (RDS) Web Client. The RDS web client allows users to access Remote Desktop infrastructure through any HTLM5-capable browser such as Microsoft Edge, Internet Explorer 11, Google Chrome, etc. Users can interact with remote apps or desktops like they would with a local device from anywhere. By using Azure AD Application Proxy you can increase the security of your RDS deployment by enforcing pre-authentication and Conditional Access policies for all types of rich client apps. For guidance, see [Publish Remote Desktop with Azure AD Application Proxy](../manage-apps/application-proxy-integrate-with-remote-desktop-services.md).
+Azure AD Application Proxy now supports the Remote Desktop Services (RDS) Web Client. The RDS web client allows users to access Remote Desktop infrastructure through any HTLM5-capable browser such as Microsoft Edge, Internet Explorer 11, Google Chrome, etc. Users can interact with remote apps or desktops like they would with a local device from anywhere. By using Azure AD Application Proxy you can increase the security of your RDS deployment by enforcing pre-authentication and Conditional Access policies for all types of rich client apps. For guidance, see [Publish Remote Desktop with Azure AD Application Proxy](../app-proxy/application-proxy-integrate-with-remote-desktop-services.md).
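Review bot: The added line keeps the misspelling "HTLM5-capable browser", which should read "HTML5-capable browser". Only the link path differs between the removed and added lines, so the typo can be corrected in the same edit. The same misspelling appears in the General Availability entry shown as context a few lines earlier.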
To help avoid potentially negative impacts due to this change, we're updating Ap
>[!NOTE] > Application Proxy access cookies have always been transmitted exclusively over secure channels. These changes only apply to session cookies.
-For more information about the Application Proxy cookie settings, see [Cookie settings for accessing on-premises applications in Azure Active Directory](../manage-apps/application-proxy-configure-cookie-settings.md).
+For more information about the Application Proxy cookie settings, see [Cookie settings for accessing on-premises applications in Azure Active Directory](../app-proxy/application-proxy-configure-cookie-settings.md).
For more information, see [Administrator role permissions in Azure Active Direct
New integration between the Power BI mobile app and Azure AD Application Proxy allows you to securely sign in to the Power BI mobile app and view any of your organization's reports hosted on the on-premises Power BI Report Server.
-For information about the Power BI Mobile app, including where to download the app, see the [Power BI site](https://powerbi.microsoft.com/mobile/). For more information about how to set up the Power BI mobile app with Azure AD Application Proxy, see [Enable remote access to Power BI Mobile with Azure AD Application Proxy](../manage-apps/application-proxy-integrate-with-power-bi.md).
+For information about the Power BI Mobile app, including where to download the app, see the [Power BI site](https://powerbi.microsoft.com/mobile/). For more information about how to set up the Power BI mobile app with Azure AD Application Proxy, see [Enable remote access to Power BI Mobile with Azure AD Application Proxy](../app-proxy/application-proxy-integrate-with-power-bi.md).
For more information, see [Restore expired or deleted groups](../enterprise-user
**Service category:** App Proxy **Product capability:** Access Control
-You can now provide a single sign-on (SSO) experience for on-premises, SAML-authenticated apps, along with remote access to these apps through Application Proxy. For more information about how to set up SAML SSO with your on-premises apps, see [SAML single sign-on for on-premises applications with Application Proxy (Preview)](../manage-apps/application-proxy-configure-single-sign-on-on-premises-apps.md).
+You can now provide a single sign-on (SSO) experience for on-premises, SAML-authenticated apps, along with remote access to these apps through Application Proxy. For more information about how to set up SAML SSO with your on-premises apps, see [SAML single sign-on for on-premises applications with Application Proxy (Preview)](../app-proxy/application-proxy-configure-single-sign-on-on-premises-apps.md).
You can now download large amounts of activity logs directly from the Azure port
- Determine your output format, either JSON or CSV.
-For more information about this feature, see [Quickstart: Download an audit report using the Azure portal](../reports-monitoring/quickstart-download-audit-report.md)
+For more information about this feature, see [Quickstart: Download an audit report using the Azure portal](../reports-monitoring/howto-download-logs.md)
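Review bot: The link text on the added line still reads "Quickstart: Download an audit report using the Azure portal" while the target changes to howto-download-logs.md, so the label and the destination may no longer agree. Check the link text against the title of the new target and update it if the article is no longer presented as a quickstart.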
We've introduced three new cookie settings, available for your apps that are pub
- **Use persistent cookie.** Prevents access cookies from expiring when the web browser is closed. These cookies last for the lifetime of the access token. However, the cookies are reset if the expiration time is reached or if the user manually deletes the cookie. We recommend you keep the default setting **No**, only turning on the setting for older apps that don't share cookies between processes.
-For more information about the new cookies, see [Cookie settings for accessing on-premises applications in Azure Active Directory](../manage-apps/application-proxy-configure-cookie-settings.md).
+For more information about the new cookies, see [Cookie settings for accessing on-premises applications in Azure Active Directory](../app-proxy/application-proxy-configure-cookie-settings.md).
The following fields are changing in the Sign-in schema:
|conditionalAccessStatus|Provides the result of the Conditional Access Policy Status at sign-in. Previously, this was enumerated, but we now show the actual value.|<ul><li>0</li><li>1</li><li>2</li><li>3</li></ul>|<ul><li>Success</li><li>Failure</li><li>Not Applied</li><li>Disabled</li></ul>| |appliedConditionalAccessPolicies: result|Provides the result of the individual Conditional Access Policy Status at sign-in. Previously, this was enumerated, but we now show the actual value.|<ul><li>0</li><li>1</li><li>2</li><li>3</li></ul>|<ul><li>Success</li><li>Failure</li><li>Not Applied</li><li>Disabled</li></ul>|
-For more information about the schema, see [Interpret the Azure AD audit logs schema in Azure Monitor (preview)](../reports-monitoring/reference-azure-monitor-audit-log-schema.md)
+For more information about the schema, see [Interpret the Azure AD audit logs schema in Azure Monitor (preview)](../reports-monitoring/overview-reports.md)
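Review bot: The added line promises "more information about the schema" and labels the link "Interpret the Azure AD audit logs schema in Azure Monitor (preview)", but the target is now overview-reports.md. A reader following it for the field values described just above (conditionalAccessStatus, appliedConditionalAccessPolicies: result) lands on an overview instead. Either point the link at an article that documents the schema or reword the sentence and link text to match the overview.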
This connector version is gradually being rolled out through November. This new
- Improved connector health monitoring - Several bug fixes and stability improvements
-For more information, see [Understand Azure AD Application Proxy connectors](../manage-apps/application-proxy-connectors.md).
+For more information, see [Understand Azure AD Application Proxy connectors](../app-proxy/application-proxy-connectors.md).
For more information, see [Customizing claims issued in the SAML token for enter
To make application deployment easier and reduce your administrative overhead, we now support the ability to publish applications using wildcards. To publish a wildcard application, you can follow the standard application publishing flow, but use a wildcard in the internal and external URLs.
-For more information, see [Wildcard applications in the Azure Active Directory application proxy](../manage-apps/application-proxy-wildcard.md)
+For more information, see [Wildcard applications in the Azure Active Directory application proxy](../app-proxy/application-proxy-wildcard.md)
A hotfix roll-up package (build 4.4.1642.0) is available as of September 25, 201
For more information, see [Hotfix rollup package (build 4.4.1642.0) is available for Identity Manager 2016 Service Pack 1](https://support.microsoft.com/help/4021562). -+
active-directory Whats New https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/whats-new.md
This page is updated monthly, so revisit it regularly. If you're looking for ite
**Service category:** Other **Product capability:** User Authentication
-Azure AD customers can now easily design and issue verifiable credentials to represent proof of employment, education, or any other claim while respecting privacy. Digitally validate any piece of information about anyone and any business. [Learn more](https://docs.microsoft.com/azure/active-directory/verifiable-credentials).
+Azure AD customers can now easily design and issue verifiable credentials to represent proof of employment, education, or any other claim while respecting privacy. Digitally validate any piece of information about anyone and any business. [Learn more](../verifiable-credentials/index.yml).
Along with the public preview of attributed based access control for specific Az
**Service category:** B2C - Consumer Identity Management **Product capability:** B2B/B2C
-B2C now supports Conditional Access and Identity Protection for business-to-consumer (B2C) apps and users. This enables customers to protect their users with granular risk- and location-based access controls. With these features, customers can now look at the signals and create a policy to provide more security and access to your customers. [Learn more](https://docs.microsoft.com/azure/active-directory-b2c/conditional-access-identity-protection-overview).
+B2C now supports Conditional Access and Identity Protection for business-to-consumer (B2C) apps and users. This enables customers to protect their users with granular risk- and location-based access controls. With these features, customers can now look at the signals and create a policy to provide more security and access to your customers. [Learn more](../../active-directory-b2c/conditional-access-identity-protection-overview.md).
B2C now supports Conditional Access and Identity Protection for business-to-cons
**Service category:** B2C - Consumer Identity Management **Product capability:** B2B/B2C
-The next generation of B2C user flows now supports [keep me signed in (KMSI)](https://docs.microsoft.com/azure/active-directory-b2c/session-behavior?pivots=b2c-custom-policy#enable-keep-me-signed-in-kmsi) and password reset. The KMSI functionality allows customers to extend the session lifetime for the users of their web and native applications by using a persistent cookie. This feature keeps the session active even when the user closes and reopens the browser, and is revoked when the user signs out. Password reset allows users to reset their password from the "Forgot your password
-' link. This also allows the admin to force reset the user's expired password in the Azure AD B2C directory. [Learn more](https://docs.microsoft.com/azure/active-directory-b2c/add-password-reset-policy?pivots=b2c-user-flow).
+The next generation of B2C user flows now supports [keep me signed in (KMSI)](../../active-directory-b2c/session-behavior.md?pivots=b2c-custom-policy#enable-keep-me-signed-in-kmsi) and password reset. The KMSI functionality allows customers to extend the session lifetime for the users of their web and native applications by using a persistent cookie. This feature keeps the session active even when the user closes and reopens the browser, and is revoked when the user signs out. Password reset allows users to reset their password from the "Forgot your password
+' link. This also allows the admin to force reset the user's expired password in the Azure AD B2C directory. [Learn more](../../active-directory-b2c/add-password-reset-policy.md?pivots=b2c-user-flow).
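Review bot: The quoted link label in the added text is still split across two lines and closed with a mismatched quote: it opens with a double quote at "Forgot your password", breaks, and resumes with "' link" on the next line. Since both lines are rewritten for the link paths, join the label onto one line with matching quotation marks, and check whether a character was lost at the break.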
A new workbook has been added for surfacing audit events for application role as
**Service category:** B2C - Consumer Identity Management **Product capability:** B2B/B2C
-The new simplified user flow experience offers feature parity with preview features and is the home for all new features. Users will be able to enable new features within the same user flow, reducing the need to create multiple versions with every new feature release. The new, user-friendly UX also simplifies the selection and creation of user flows. Refer to [Create user flows in Azure AD B2C](https://docs.microsoft.com/azure/active-directory-b2c/tutorial-create-user-flows?pivots=b2c-user-flow) for guidance on using this feature. [Learn more](../../active-directory-b2c/user-flow-versions.md).
+The new simplified user flow experience offers feature parity with preview features and is the home for all new features. Users will be able to enable new features within the same user flow, reducing the need to create multiple versions with every new feature release. The new, user-friendly UX also simplifies the selection and creation of user flows. Refer to [Create user flows in Azure AD B2C](../../active-directory-b2c/tutorial-create-user-flows.md?pivots=b2c-user-flow) for guidance on using this feature. [Learn more](../../active-directory-b2c/user-flow-versions.md).
Note that the information in [Enroll your Android enterprise device](https://sup
**Service category:** Authentications (Logins) **Product capability:** User Authentication
-The Azure Information Protection service signs users into the tenant that encrypted the document as part of providing access to the document. Starting June, Azure AD will begin prompting the user for consent when this access is performed across organizations. This ensures that the user understands that the organization which owns the document will collect some information about the user as part of the document access. [Learn more](hhttps://docs.microsoft.com/azure/information-protection/known-issues#sharing-external-doc-types-across-tenants).
+The Azure Information Protection service signs users into the tenant that encrypted the document as part of providing access to the document. Starting June, Azure AD will begin prompting the user for consent when this access is performed across organizations. This ensures that the user understands that the organization which owns the document will collect some information about the user as part of the document access. [Learn more](/azure/information-protection/known-issues#sharing-external-doc-types-across-tenants).
For more information about how to better secure your organization by using autom
**Service category:** App Proxy **Product capability:** Access Control
-Azure AD Application Proxy native support for header-based authentication is now in general availability. With this feature, you can configure the user attributes required as HTTP headers for the application without additional components needed to deploy. [Learn more](../manage-apps/application-proxy-configure-single-sign-on-with-headers.md).
+Azure AD Application Proxy native support for header-based authentication is now in general availability. With this feature, you can configure the user attributes required as HTTP headers for the application without additional components needed to deploy. [Learn more](../app-proxy/application-proxy-configure-single-sign-on-with-headers.md).
An extra option is now available in the approval process in Entitlement Manageme
For more information, go to [Change approval settings for an access package in Azure AD entitlement management](../governance/entitlement-management-access-package-approval-policy.md#alternate-approvers).
-
-+
active-directory Deploy Access Reviews https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/governance/deploy-access-reviews.md
Go to [Use Azure AD access reviews to manage users excluded from Conditional Acc
### Review guest users' group memberships
-Go to [Manage guest access with Azure AD access reviews](https://docs.microsoft.com/azure/active-directory/governance/manage-guest-access-with-access-reviews) to learn how to review guest users' access to group memeberships.
+Go to [Manage guest access with Azure AD access reviews](./manage-guest-access-with-access-reviews.md) to learn how to review guest users' access to group memeberships.
### Review access to on-premises groups
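Review bot: The added line keeps the misspelling "group memeberships" at the end of the sentence; it should read "group memberships". The edit already touches this line to make the link relative, so the typo can be fixed at the same time.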
Learn about the below related technologies.
* [What is Azure AD Entitlement Management?](entitlement-management-overview.md)
-* [What is Azure AD Privileged Identity Management?](../privileged-identity-management/pim-configure.md)
+* [What is Azure AD Privileged Identity Management?](../privileged-identity-management/pim-configure.md)
active-directory Entitlement Management Logs And Reporting https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/governance/entitlement-management-logs-and-reporting.md
If you would like to know the oldest and newest audit events held in Azure Monit
AuditLogs | where TimeGenerated > ago(3653d) | summarize OldestAuditEvent=min(TimeGenerated), NewestAuditEvent=max(TimeGenerated) by Type ```
-For more information on the columns that are stored for audit events in Azure Monitor, see [Interpret the Azure AD audit logs schema in Azure Monitor](../reports-monitoring/reference-azure-monitor-audit-log-schema.md).
+For more information on the columns that are stored for audit events in Azure Monitor, see [Interpret the Azure AD audit logs schema in Azure Monitor](../reports-monitoring/overview-reports.md).
## Create custom Azure Monitor queries using Azure PowerShell
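Review bot: The sentence on the added line points readers to "the columns that are stored for audit events in Azure Monitor" with the link text "Interpret the Azure AD audit logs schema in Azure Monitor", yet the new target is overview-reports.md. Coming straight after the AuditLogs query, the reader expects a column reference, so the link text and sentence should be reworded to match the overview, or the link pointed at an article that lists the columns.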
$bResponse.Results |ft
``` ## Next steps:-- [Create interactive reports with Azure Monitor workbooks](../../azure-monitor/visualize/workbooks-overview.md)
+- [Create interactive reports with Azure Monitor workbooks](../../azure-monitor/visualize/workbooks-overview.md)
active-directory Cloud Governed Management For On Premises https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/hybrid/cloud-governed-management-for-on-premises.md
Azure AD improves the management for an organization's on-premises Active Direct
* **Secure remote access and Conditional Access for on-premises applications**
-For many organizations, the first step in managing access from the cloud for on-premises AD-integrated web and remote desktop-based applications is to deploy the [application proxy](../manage-apps/application-proxy.md) in front of those applications to provide secure remote access.
+For many organizations, the first step in managing access from the cloud for on-premises AD-integrated web and remote desktop-based applications is to deploy the [application proxy](../app-proxy/application-proxy.md) in front of those applications to provide secure remote access.
After a single sign-on to Azure AD, users can access both cloud and on-premises applications through an external URL or an internal application portal. For example, Application Proxy provides remote access and single sign-on to Remote Desktop, SharePoint, as well as apps such as Tableau and Qlik, and line of business (LOB) applications. Furthermore, Conditional Access policies can include displaying the [terms of use](../conditional-access/terms-of-use.md) and [ensuring the user has agreed to them](../conditional-access/require-tou.md) before being able to access an application.
active-directory Four Steps https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/hybrid/four-steps.md
To learn more, see the [Migrating Your Applications to Azure Active Directory](h
### Enable secure remote access to apps
-[Azure AD Application Proxy](../manage-apps/what-is-application-proxy.md) provides a simple solution for organizations to publish on-premises apps to the cloud for remote users who need access to internal apps in a secure manner. After a single sign-on to Azure AD, users can access both cloud and on-premises applications through external URLs or an internal application portal.
+[Azure AD Application Proxy](../app-proxy/what-is-application-proxy.md) provides a simple solution for organizations to publish on-premises apps to the cloud for remote users who need access to internal apps in a secure manner. After a single sign-on to Azure AD, users can access both cloud and on-premises applications through external URLs or an internal application portal.
Azure AD Application Proxy offers the following benefits:
active-directory How To Connect Pta Faq https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/hybrid/how-to-connect-pta-faq.md
No. Pass-through Authentication _does not_ automatically failover to password ha
When you use Azure AD Connect to switch the sign-in method from password hash synchronization to Pass-through Authentication, Pass-through Authentication becomes the primary sign-in method for your users in managed domains. Please note that all users' password hashes which were previously synchronized by password hash synchronization remain stored on Azure AD.
-## Can I install an [Azure AD Application Proxy](../manage-apps/application-proxy.md) connector on the same server as a Pass-through Authentication Agent?
+## Can I install an [Azure AD Application Proxy](../app-proxy/application-proxy.md) connector on the same server as a Pass-through Authentication Agent?
Yes. The rebranded versions of the Pass-through Authentication Agent, version 1.5.193.0 or later, support this configuration.
Tenants created after June 15th 2015 have the default behavior of synchronizing
- [Troubleshoot](tshoot-connect-pass-through-authentication.md): Learn how to resolve common problems with the Pass-through Authentication feature. - [Security deep dive](how-to-connect-pta-security-deep-dive.md): Get deep technical information on the Pass-through Authentication feature. - [Azure AD Seamless SSO](how-to-connect-sso.md): Learn more about this complementary feature.-- [UserVoice](https://feedback.azure.com/forums/169401-azure-active-directory/category/160611-directory-synchronization-aad-connect): Use the Azure Active Directory Forum to file new feature requests.
+- [UserVoice](https://feedback.azure.com/forums/169401-azure-active-directory/category/160611-directory-synchronization-aad-connect): Use the Azure Active Directory Forum to file new feature requests.
active-directory Plan Migrate Adfs Pass Through Authentication https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/hybrid/plan-migrate-adfs-pass-through-authentication.md
This section describes common AD FS customizations.
AD FS issues the **InsideCorporateNetwork** claim if the user who is authenticating is inside the corporate network. This claim can then be passed on to Azure AD. The claim is used to bypass multi-factor authentication based on the user's network location. To learn how to determine whether this functionality currently is available in AD FS, see [Trusted IPs for federated users](../authentication/howto-mfa-adfs.md).
-The **InsideCorporateNetwork** claim isn't available after your domains are converted to pass-through authentication. You can use [named locations in Azure AD](../reports-monitoring/quickstart-configure-named-locations.md) to replace this functionality.
+The **InsideCorporateNetwork** claim isn't available after your domains are converted to pass-through authentication. You can use [named locations in Azure AD](../conditional-access/location-condition.md) to replace this functionality.
After you configure named locations, you must update all Conditional Access policies that were configured to either include or exclude the network **All trusted locations** or **MFA Trusted IPs** values to reflect the new named locations.
For more information, see [Troubleshoot Azure Active Directory pass-through auth
* Learn about [Azure AD Connect design concepts](plan-connect-design-concepts.md). * Choose the [right authentication](./choose-ad-authn.md).
-* Learn about [supported topologies](plan-connect-design-concepts.md).
+* Learn about [supported topologies](plan-connect-design-concepts.md).
active-directory Plan Migrate Adfs Password Hash Sync https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/hybrid/plan-migrate-adfs-password-hash-sync.md
This section describes common AD FS customizations.
AD FS issues the **InsideCorporateNetwork** claim if the user who is authenticating is inside the corporate network. This claim can then be passed on to Azure AD. The claim is used to bypass multi-factor authentication based on the user's network location. To learn how to determine whether this functionality currently is enabled in AD FS, see [Trusted IPs for federated users](../authentication/howto-mfa-adfs.md).
-The **InsideCorporateNetwork** claim isn't available after your domains are converted to password hash synchronization. You can use [named locations in Azure AD](../reports-monitoring/quickstart-configure-named-locations.md) to replace this functionality.
+The **InsideCorporateNetwork** claim isn't available after your domains are converted to password hash synchronization. You can use [named locations in Azure AD](../conditional-access/location-condition.md) to replace this functionality.
After you configure named locations, you must update all Conditional Access policies that were configured to either include or exclude the network **All trusted locations** or **MFA Trusted IPs** values to reflect the new named locations.
For more information, see [How do I roll over the Kerberos decryption key of the
* Learn about [Azure AD Connect design concepts](plan-connect-design-concepts.md). * Choose the [right authentication](./choose-ad-authn.md).
-* Learn about [supported topologies](plan-connect-design-concepts.md).
+* Learn about [supported topologies](plan-connect-design-concepts.md).
active-directory Reference Connect Accounts Permissions https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/hybrid/reference-connect-accounts-permissions.md
Legend:
- Local account - Local user account on the server - Domain account - Domain user account - sMSA - [standalone Managed Service account](../../active-directory/fundamentals/service-accounts-on-premises.md)-- gMSA - [group Managed Service account](https://docs.microsoft.com/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview)
+- gMSA - [group Managed Service account](/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview)
| | LocalDB</br>Express | LocalDB/LocalSQL</br>Custom | Remote SQL</br>Custom | | | | | |
The VSA is intended to be used with scenarios where the sync engine and SQL are
This feature requires Windows Server 2008 R2 or later. If you install Azure AD Connect on Windows Server 2008, then the installation falls back to using a [user account](#user-account) instead. #### Group managed service account
-If you use a remote SQL server, then we recommend to using a **group managed service account**. For more information on how to prepare your Active Directory for Group Managed Service account, see [Group Managed Service Accounts Overview](https://docs.microsoft.com/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview).
+If you use a remote SQL server, then we recommend to using a **group managed service account**. For more information on how to prepare your Active Directory for Group Managed Service account, see [Group Managed Service Accounts Overview](/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview).
To use this option, on the [Install required components](how-to-connect-install-custom.md#install-required-components) page, select **Use an existing service account**, and select **Managed Service Account**. ![VSA](./media/reference-connect-accounts-permissions/serviceaccount.png)
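Review bot: The rewritten sentence under "Group managed service account" still reads "we recommend to using a **group managed service account**", so the grammar error carries over from the removed line. Since the line is being touched for the link change anyway, change it to "we recommend using a **group managed service account**". The same sentence also writes "Group Managed Service account" with inconsistent capitalization next to the link text "Group Managed Service Accounts Overview".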
If you did not read the documentation on [Integrating your on-premises identitie
|After installation | [Verify the installation and assign licenses](how-to-connect-post-installation.md)| ## Next steps
-Learn more about [Integrating your on-premises identities with Azure Active Directory](whatis-hybrid-identity.md).
+Learn more about [Integrating your on-premises identities with Azure Active Directory](whatis-hybrid-identity.md).
active-directory Reference Connect Government Cloud https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/hybrid/reference-connect-government-cloud.md
The following information describes implementation of Pass-through Authenticatio
Before you deploy the Pass-through Authentication agent, verify whether a firewall exists between your servers and Azure AD. If your firewall or proxy allows Domain Name System (DNS) blocked or safe programs, add the following connections. > [!NOTE]
-> The following guidance also applies to installing the [Azure AD Application Proxy connector](../manage-apps/what-is-application-proxy.md) for Azure Government environments.
+> The following guidance also applies to installing the [Azure AD Application Proxy connector](../app-proxy/what-is-application-proxy.md) for Azure Government environments.
|URL |How it's used| |--|--|
If you have overridden the `AuthNegotiateDelegateWhitelist` or `AuthServerWh
## Next steps - [Pass-through Authentication](how-to-connect-pta-quick-start.md#step-1-check-the-prerequisites)-- [Single Sign-On](how-to-connect-sso-quick-start.md#step-1-check-the-prerequisites)
+- [Single Sign-On](how-to-connect-sso-quick-start.md#step-1-check-the-prerequisites)
active-directory Reference Connect Version History https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/hybrid/reference-connect-version-history.md
Please follow this link to read more about [auto upgrade](how-to-connect-install
- Added member attribute to the 'Out to AD - Group SOAInAAD - Exchange' rule to limit members in written back groups to 50k - Updated Sync Rules to support Group Writeback v2 -If the ΓÇ£In from AAD - Group SOAInAADΓÇ¥ rule is cloned and AADConnect is upgraded.
- -The updated rule will be disabled by default and so the targetWritebackType will be null.
+ - The updated rule will be disabled by default and so the targetWritebackType will be null.
- AADConnect will writeback all Cloud Groups (including Azure Active Directory Security Groups enabled for writeback) as Distribution Groups. -If the ΓÇ£Out to AD - Group SOAInAADΓÇ¥ rule is cloned and AADConnect is upgraded. - The updated rule will be disabled by default. However, a new sync rule ΓÇ£Out to AD - Group SOAInAAD - ExchangeΓÇ¥ which is added will be enabled. - Depending on the Cloned Custom Sync Rule's precedence, AADConnect will flow the Mail and Exchange attributes. - If the Cloned Custom Sync Rule does not flow some Mail and Exchange attributes, then new Exchange Sync Rule will add those attributes.
+ - Note that Group Writeback V2 is in private preview at this moment and not publicly available.
- Added support for [Selective Password hash Synchronization](./how-to-connect-selective-password-hash-synchronization.md) - Added the new [Single Object Sync cmdlet](./how-to-connect-single-object-sync.md). Use this cmdlet to troubleshoot your Azure AD Connect sync configuration. - Azure AD Connect now supports the Hybrid Identity Administrator role for configuring the service.
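Review bot: The added bullet "Note that Group Writeback V2 is in private preview at this moment and not publicly available" uses "V2" while the line above it in the same list says "Group Writeback v2"; pick one spelling. "At this moment" is also ambiguous in a version-history entry that readers will see long after release, so tie the statement to the release instead, for example "as of this release".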
active-directory Configure User Consent https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/configure-user-consent.md
Set-AzureADMSAuthorizationPolicy `
## Risk-based step-up consent
-Risk-based step-up consent helps reduce user exposure to malicious apps that make [illicit consent requests](/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants). For example, consent requests for newly registered multi-tenant apps that are not [publisher verified](/azure/active-directory/develop/publisher-verification-overview) and require non-basic permissions are considered risky. If Microsoft detects a risky end-user consent request, the request will require a "step-up" to admin consent instead. This capability is enabled by default, but it will only result in a behavior change when end-user consent is enabled.
+Risk-based step-up consent helps reduce user exposure to malicious apps that make [illicit consent requests](/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants). For example, consent requests for newly registered multi-tenant apps that are not [publisher verified](../develop/publisher-verification-overview.md) and require non-basic permissions are considered risky. If Microsoft detects a risky end-user consent request, the request will require a "step-up" to admin consent instead. This capability is enabled by default, but it will only result in a behavior change when end-user consent is enabled.
When a risky consent request is detected, the consent prompt will display a message indicating that admin approval is needed. If the [admin consent request workflow](configure-admin-consent-workflow.md) is enabled, the user can send the request to an admin for further review directly from the consent prompt. If it's not enabled, the following message will be displayed:
active-directory Migrate Adfs Apps To Azure https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/migrate-adfs-apps-to-azure.md
Specify MFA rules based on a user's location in Azure AD:
1. Create a [new conditional access policy](../authentication/tutorial-enable-azure-mfa.md?bc=%2fazure%2factive-directory%2fconditional-access%2fbreadcrumb%2ftoc.json&toc=%2fazure%2factive-directory%2fconditional-access%2ftoc.json). 1. Set the **Assignments** to **All users**.
-1. [Configure named locations in Azure AD](../reports-monitoring/quickstart-configure-named-locations.md). Otherwise, federation from inside your corporate network is trusted.
+1. [Configure named locations in Azure AD](../conditional-access/location-condition.md). Otherwise, federation from inside your corporate network is trusted.
1. Configure the **Conditions rules** to specify the locations for which you would like to enforce MFA. ![Screenshot shows the Locations pane for Conditions rules.](media/migrate-adfs-apps-to-azure/mfa-location-1.png)
In this table, we've listed some useful Permit and Except options and how they m
| Option | How to configure Permit option in Azure AD?| How to configure Except option in Azure AD? | | - | - | - |
-| From specific network| Maps to [Named Location](../reports-monitoring/quickstart-configure-named-locations.md) in Azure AD| Use the **Exclude** option for [trusted locations](../conditional-access/location-condition.md) |
+| From specific network| Maps to [Named Location](../conditional-access/location-condition.md) in Azure AD| Use the **Exclude** option for [trusted locations](../conditional-access/location-condition.md) |
| From specific groups| [Set a User/Groups Assignment](assign-user-or-group-access-portal.md)| Use the **Exclude** option in Users and Groups | | From Devices with Specific Trust Level| Set this from the **Device State** control under Assignments -> Conditions| Use the **Exclude** option under Device State Condition and Include **All devices** | | With Specific Claims in the Request| This setting can't be migrated| This setting can't be migrated |
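Review bot: In the "From specific network" row, both links now resolve to the same target: "Named Location" and "trusted locations" each point at `../conditional-access/location-condition.md`. If the two cells are meant to send the reader to different guidance (defining a named location versus excluding trusted locations), link each to the relevant section of that article. Otherwise keep a single link in the row so the table does not suggest two distinct references.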
This group of users is usually the most critically impacted in case of issues. T
* Read [Migrating application authentication to Azure AD](https://aka.ms/migrateapps/whitepaper). * Set up [Conditional Access](../conditional-access/overview.md) and [MFA](../authentication/concept-mfa-howitworks.md).
-* Try a step-wise code sample:[AD FS to Azure AD application migration playbook for developers](https://aka.ms/adfsplaybook).
+* Try a step-wise code sample:[AD FS to Azure AD application migration playbook for developers](https://aka.ms/adfsplaybook).
active-directory Secure Hybrid Access https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/secure-hybrid-access.md
You can bridge the gap and strengthen your security posture across all applicati
## Secure hybrid access (SHA) through Azure AD Application Proxy
-Using [Application Proxy](../app-proxy/what-is-application-proxy.md) you can provide [secure remote access](../app-proxy/application-proxy.md) to your on-premises web applications. Your users donΓÇÖt require to use a VPN. Users benefit by easily connecting to their applications from any device after a [single sign-on](add-application-portal-setup-sso.md). Application Proxy provides remote access as a service and allows you to [easily publish your on-premise applications](../app-proxy/application-proxy-add-on-premises-application.md) to users outside the corporate network. It helps you scale your cloud access management without requiring you to modify your on-premises applications. [Plan an Azure AD Application Proxy deployment](application-proxy-deployment-plan.md) as a next step.
+Using [Application Proxy](../app-proxy/what-is-application-proxy.md) you can provide [secure remote access](../app-proxy/application-proxy.md) to your on-premises web applications. Your users donΓÇÖt require to use a VPN. Users benefit by easily connecting to their applications from any device after a [single sign-on](add-application-portal-setup-sso.md). Application Proxy provides remote access as a service and allows you to [easily publish your on-premise applications](../app-proxy/application-proxy-add-on-premises-application.md) to users outside the corporate network. It helps you scale your cloud access management without requiring you to modify your on-premises applications. [Plan an Azure AD Application Proxy deployment](../app-proxy/application-proxy-deployment-plan.md) as a next step.
## Azure AD partner integrations ### SHA through networking and delivery controllers
-In addition to [Azure AD Application Proxy](./what-is-application-proxy.md), to enable you to use the [Zero Trust framework](https://www.microsoft.com/security/blog/2020/04/02/announcing-microsoft-zero-trust-assessment-tool/), Microsoft partners with third-party providers. You can use your existing networking and delivery controllers, and easily protect legacy applications that are critical to your business processes but that you couldnΓÇÖt protect before with Azure AD. ItΓÇÖs likely you already have everything you need to start protecting these applications.
+In addition to [Azure AD Application Proxy](../app-proxy/what-is-application-proxy.md), to enable you to use the [Zero Trust framework](https://www.microsoft.com/security/blog/2020/04/02/announcing-microsoft-zero-trust-assessment-tool/), Microsoft partners with third-party providers. You can use your existing networking and delivery controllers, and easily protect legacy applications that are critical to your business processes but that you couldnΓÇÖt protect before with Azure AD. ItΓÇÖs likely you already have everything you need to start protecting these applications.
![Image shows secure hybrid access with networking partners and app proxy](./media/secure-hybrid-access/secure-hybrid-access.png)
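Review bot: The Application Proxy paragraph is being edited only for the deployment-plan link, but the same line mixes "on-premises web applications" with "easily publish your on-premise applications" and contains "Your users don't require to use a VPN". Normalize to "on-premises" throughout and reword to "Your users don't need to use a VPN" while the line is open. The link-path corrections themselves, to `../app-proxy/`, are consistent across both paragraphs.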
The following SDP vendors offer pre-built solutions and detailed guidance for in
- [Strata](../saas-apps/maverics-identity-orchestrator-saml-connector-tutorial.md) -- [Zscaler Private Access (ZPA)](../saas-apps/zscalerprivateaccess-tutorial.md)
+- [Zscaler Private Access (ZPA)](../saas-apps/zscalerprivateaccess-tutorial.md)
active-directory Whats New Docs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/whats-new-docs.md
Welcome to what's new in Azure Active Directory application management documenta
### New articles -- [Active Directory (Azure AD) Application Proxy frequently asked questions](application-proxy-faq.yml)
+- [Active Directory (Azure AD) Application Proxy frequently asked questions](../app-proxy/application-proxy-faq.yml)
### Updated articles
Welcome to what's new in Azure Active Directory application management documenta
- [Grant tenant-wide admin consent to an application](grant-admin-consent.md) - [Moving application authentication from Active Directory Federation Services to Azure Active Directory](migrate-adfs-apps-to-azure.md) - [Tutorial: Add an on-premises application for remote access through Application Proxy in Azure Active Directory](../app-proxy/application-proxy-add-on-premises-application.md)-- [Use tenant restrictions to manage access to SaaS cloud applications](tenant-restrictions.md)
+- [Use tenant restrictions to manage access to SaaS cloud applications](tenant-restrictions.md)
active-directory Managed Identity Best Practice Recommendations https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/managed-identities-azure-resources/managed-identity-best-practice-recommendations.md
User-assigned managed identities are more efficient in a broader range of scenarios than system-assigned managed identities. See the table below for some scenarios and the recommendations for user-assigned or system-assigned.
-User-assigned identities can be used by multiple resources, and their life cycles are decoupled from the resourcesΓÇÖ life cycles with which theyΓÇÖre associated. [Read which resources support managed identities](https://aka.ms/managedidentitystatus).
+User-assigned identities can be used by multiple resources, and their life cycles are decoupled from the resourcesΓÇÖ life cycles with which theyΓÇÖre associated. [Read which resources support managed identities](./services-support-managed-identities.md).
This life cycle allows you to separate your resource creation and identity administration responsibilities. User-assigned identities and their role assignments can be configured in advance of the resources that require them. Users who create the resources only require the access to assign a user-assigned identity, without the need to create new identities or role assignments.
Role assignments aren't automatically deleted when either system-assigned or use
Role assignments that are associated with deleted managed identities will be displayed with ΓÇ£Identity not foundΓÇ¥ when viewed in the portal. [Read more](../../role-based-access-control/troubleshooting.md#role-assignments-with-identity-not-found).
active-directory Concept Activity Logs Azure Monitor https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/reports-monitoring/concept-activity-logs-azure-monitor.md
This section answers frequently asked questions and discusses known issues with
**Q: Which logs are included?**
-**A**: The sign-in activity logs and audit logs are both available for routing through this feature, although B2C-related audit events are currently not included. To find out which types of logs and which feature-based logs are currently supported, see [Audit log schema](reference-azure-monitor-audit-log-schema.md) and [Sign-in log schema](reference-azure-monitor-sign-ins-log-schema.md).
+**A**: The sign-in activity logs and audit logs are both available for routing through this feature, although B2C-related audit events are currently not included. To find out which types of logs and which feature-based logs are currently supported, see [Audit log schema](./overview-reports.md) and [Sign-in log schema](reference-azure-monitor-sign-ins-log-schema.md).
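Review bot: In the answer to "Which logs are included?", the link text still says "Audit log schema" but the target is now `./overview-reports.md`, an overview page, not a schema reference. The sentence promises that the reader can "find out which types of logs and which feature-based logs are currently supported", so either point the link at a page that actually documents the audit log schema or change the link text and sentence to match the new destination. The sign-in schema link next to it is unchanged, which makes the mismatch more noticeable.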
active-directory Concept Sign Ins https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/reports-monitoring/concept-sign-ins.md
The **Location** - The location the connection was initiated from:
## Download sign-in activities
-Click the **Download** option to create a CSV or JSON file of the most recent 250,000 records. Start with [download the sign-ins data](quickstart-download-sign-in-report.md) if you want to work with it outside the Azure portal.
+Click the **Download** option to create a CSV or JSON file of the most recent 250,000 records. Start with [download the sign-ins data](./howto-download-logs.md) if you want to work with it outside the Azure portal.
![Download](./media/concept-sign-ins/71.png "Download")
You can also access the Microsoft 365 activity logs programmatically by using th
* [Sign-in activity report error codes]() * [Azure AD data retention policies](reference-reports-data-retention.md) * [Azure AD report latencies](reference-reports-latencies.md)
-* [First party Microsoft applications in sign-ins report](/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in#application-ids-for-commonly-used-microsoft-applications)
+* [First party Microsoft applications in sign-ins report](/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in#application-ids-for-commonly-used-microsoft-applications)
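Review bot: In the same "Next steps" list, the bullet "[Sign-in activity report error codes]()" has an empty link target, so it renders as a dead link. The only visible change in this hunk is to the last bullet, which appears to be whitespace-only, so this is a good moment to either supply the target for the error-codes bullet or remove it.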
active-directory Howto Integrate Activity Logs With Splunk https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/reports-monitoring/howto-integrate-activity-logs-with-splunk.md
To use this feature, you need:
## Next steps
-* [Interpret audit logs schema in Azure Monitor](reference-azure-monitor-audit-log-schema.md)
+* [Interpret audit logs schema in Azure Monitor](./overview-reports.md)
* [Interpret sign-in logs schema in Azure Monitor](reference-azure-monitor-sign-ins-log-schema.md) * [Frequently asked questions and known issues](concept-activity-logs-azure-monitor.md#frequently-asked-questions)
active-directory Howto Integrate Activity Logs With Sumologic https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/reports-monitoring/howto-integrate-activity-logs-with-sumologic.md
To use this feature, you need:
## Next steps
-* [Interpret audit logs schema in Azure Monitor](reference-azure-monitor-audit-log-schema.md)
+* [Interpret audit logs schema in Azure Monitor](./overview-reports.md)
* [Interpret sign-in logs schema in Azure Monitor](reference-azure-monitor-sign-ins-log-schema.md) * [Frequently asked questions and known issues](concept-activity-logs-azure-monitor.md#frequently-asked-questions)
active-directory Plan Monitoring And Reporting https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/reports-monitoring/plan-monitoring-and-reporting.md
Depending on the decisions you have made earlier using the design guidance above
[Analyze Azure AD activity logs with Azure Monitor logs](./howto-analyze-activity-logs-log-analytics.md)
-* [Interpret audit logs schema in Azure Monitor](./reference-azure-monitor-audit-log-schema.md)
+* [Interpret audit logs schema in Azure Monitor](./overview-reports.md)
* [Interpret sign in logs schema in Azure Monitor](./reference-azure-monitor-sign-ins-log-schema.md)
Depending on the decisions you have made earlier using the design guidance above
Consider implementing [Privileged Identity Management](../privileged-identity-management/pim-configure.md)
-Consider implementing [Azure role-based access control (Azure RBAC)](../../role-based-access-control/overview.md)
+Consider implementing [Azure role-based access control (Azure RBAC)](../../role-based-access-control/overview.md)
active-directory Quickstart Azure Monitor Route Logs To Storage Account https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/reports-monitoring/quickstart-azure-monitor-route-logs-to-storage-account.md
To use this feature, you need:
## Next steps
-* [Interpret audit logs schema in Azure Monitor](reference-azure-monitor-audit-log-schema.md)
+* [Interpret audit logs schema in Azure Monitor](./overview-reports.md)
* [Interpret sign-in logs schema in Azure Monitor](reference-azure-monitor-sign-ins-log-schema.md) * [Frequently asked questions and known issues](concept-activity-logs-azure-monitor.md#frequently-asked-questions)
active-directory Reference Azure Monitor Sign Ins Log Schema https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/reports-monitoring/reference-azure-monitor-sign-ins-log-schema.md
This article describes the Azure Active Directory (Azure AD) sign-in log schema
## Next steps
-* [Interpret audit logs schema in Azure Monitor](reference-azure-monitor-audit-log-schema.md)
-* [Read more about Azure platform logs](../../azure-monitor/essentials/platform-logs-overview.md)
+* [Interpret audit logs schema in Azure Monitor](./overview-reports.md)
+* [Read more about Azure platform logs](../../azure-monitor/essentials/platform-logs-overview.md)
active-directory Tutorial Azure Monitor Stream Logs To Event Hub https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md
After data is displayed in the event hub, you can access and read the data in tw
* [Integrate Azure Active Directory logs with ArcSight using Azure Monitor](howto-integrate-activity-logs-with-arcsight.md) * [Integrate Azure AD logs with Splunk by using Azure Monitor](./howto-integrate-activity-logs-with-splunk.md) * [Integrate Azure AD logs with SumoLogic by using Azure Monitor](howto-integrate-activity-logs-with-sumologic.md)
-* [Interpret audit logs schema in Azure Monitor](reference-azure-monitor-audit-log-schema.md)
-* [Interpret sign-in logs schema in Azure Monitor](reference-azure-monitor-sign-ins-log-schema.md)
+* [Interpret audit logs schema in Azure Monitor](./overview-reports.md)
+* [Interpret sign-in logs schema in Azure Monitor](reference-azure-monitor-sign-ins-log-schema.md)
active-directory 10000Ftplans Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/10000ftplans-tutorial.md
In this section, you test your Azure AD single sign-on configuration with follow
* Go to 10,000ft Plans Sign on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the 10,000ft Plans tile in the My Apps, this will redirect to 10,000ft Plans Sign on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the 10,000ft Plans tile in the My Apps, this will redirect to 10,000ft Plans Sign on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure 10,000ft Plans you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
+Once you configure 10,000ft Plans you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
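Review bot: The updated "Next steps" sentence still says session control "protects exfiltration and infiltration of your organization's sensitive data in real time", which literally states that the exfiltration is being protected. Change it to "protects against exfiltration and infiltration". Also, "the My Apps" in the line above ("When you click the 10,000ft Plans tile in the My Apps") reads better as "in My Apps", matching the product name used at the start of the sentence.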
active-directory 4Me Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/4me-tutorial.md
Previously updated : 04/06/2021 Last updated : 06/09/2021
To get started, you need the following items:
* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/). * 4me single sign-on (SSO) enabled subscription.
+> [!NOTE]
+> This integration is also available to use from Azure AD US Government Cloud environment. You can find this application in the Azure AD US Government Cloud Application Gallery and configure it in the same way as you do from public cloud.
+ ## Scenario description In this tutorial, you configure and test Azure AD SSO in a test environment.
active-directory Alacritylaw Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/alacritylaw-tutorial.md
In this section, you test your Azure AD single sign-on configuration with follow
* Go to AlacrityLaw Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the AlacrityLaw tile in the My Apps, this will redirect to AlacrityLaw Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the AlacrityLaw tile in the My Apps, this will redirect to AlacrityLaw Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure AlacrityLaw you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
--
+Once you configure AlacrityLaw you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory Ardoq Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/ardoq-tutorial.md
Follow these steps to enable Azure AD SSO in the Azure portal.
| mail | user.mail | > [!NOTE]
- > Ardoq expects roles for users assigned to the application. Please set up these roles in Azure AD so that users can be assigned the appropriate roles. To understand how to configure roles in Azure AD, see [here](https://docs.microsoft.com/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps#app-roles-ui).
+ > Ardoq expects roles for users assigned to the application. Please set up these roles in Azure AD so that users can be assigned the appropriate roles. To understand how to configure roles in Azure AD, see [here](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui).
1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.
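Review bot: The rewritten role note still uses "[here]" as its link text, which says nothing about the target when read out of context or by a screen reader. Fold the link into the sentence instead, for example "see [how to configure roles in Azure AD](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui)".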
In this section, you test your Azure AD single sign-on configuration with follow
* Click on **Test this application** in Azure portal and you should be automatically signed in to the Ardoq for which you set up the SSO
-You can also use Microsoft My Apps to test the application in any mode. When you click the Ardoq tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Ardoq for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+You can also use Microsoft My Apps to test the application in any mode. When you click the Ardoq tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Ardoq for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Ardoq you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
--
+Once you configure Ardoq you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory Ares For Enterprise Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/ares-for-enterprise-tutorial.md
Previously updated : 01/16/2019 Last updated : 06/10/2021 # Tutorial: Azure Active Directory integration with ARES for Enterprise
-In this tutorial, you learn how to integrate ARES for Enterprise with Azure Active Directory (Azure AD).
-Integrating ARES for Enterprise with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate ARES for Enterprise with Azure Active Directory (Azure AD). When you integrate ARES for Enterprise with Azure AD, you can:
-* You can control in Azure AD who has access to ARES for Enterprise.
-* You can enable your users to be automatically signed-in to ARES for Enterprise (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to ARES for Enterprise.
+* Enable your users to be automatically signed-in to ARES for Enterprise with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with ARES for Enterprise, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* ARES for Enterprise single sign-on enabled subscription
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* ARES for Enterprise single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* ARES for Enterprise supports **SP** initiated SSO
-
-* ARES for Enterprise supports **Just In Time** user provisioning
-
-## Adding ARES for Enterprise from the gallery
-
-To configure the integration of ARES for Enterprise into Azure AD, you need to add ARES for Enterprise from the gallery to your list of managed SaaS apps.
-
-**To add ARES for Enterprise from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
+* ARES for Enterprise supports **SP** initiated SSO.
-3. To add new application, click **New application** button on the top of dialog.
+* ARES for Enterprise supports **Just In Time** user provisioning.
- ![The New application button](common/add-new-app.png)
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-4. In the search box, type **ARES for Enterprise**, select **ARES for Enterprise** from result panel then click **Add** button to add the application.
+## Add ARES for Enterprise from the gallery
- ![ARES for Enterprise in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
-
-In this section, you configure and test Azure AD single sign-on with ARES for Enterprise based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in ARES for Enterprise needs to be established.
-
-To configure and test Azure AD single sign-on with ARES for Enterprise, you need to complete the following building blocks:
-
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure ARES for Enterprise Single Sign-On](#configure-ares-for-enterprise-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create ARES for Enterprise test user](#create-ares-for-enterprise-test-user)** - to have a counterpart of Britta Simon in ARES for Enterprise that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+To configure the integration of ARES for Enterprise into Azure AD, you need to add ARES for Enterprise from the gallery to your list of managed SaaS apps.
-### Configure Azure AD single sign-on
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **ARES for Enterprise** in the search box.
+1. Select **ARES for Enterprise** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+## Configure and test Azure AD SSO for ARES for Enterprise
-To configure Azure AD single sign-on with ARES for Enterprise, perform the following steps:
+Configure and test Azure AD SSO with ARES for Enterprise using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in ARES for Enterprise.
-1. In the [Azure portal](https://portal.azure.com/), on the **ARES for Enterprise** application integration page, select **Single sign-on**.
+To configure and test Azure AD SSO with ARES for Enterprise, perform the following steps:
- ![Configure single sign-on link](common/select-sso.png)
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure ARES for Enterprise SSO](#configure-ares-for-enterprise-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create ARES for Enterprise test user](#create-ares-for-enterprise-test-user)** - to have a counterpart of B.Simon in ARES for Enterprise that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+## Configure Azure AD SSO
- ![Single sign-on select mode](common/select-saml-option.png)
+Follow these steps to enable Azure AD SSO in the Azure portal.
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
+1. In the Azure portal, on the **ARES for Enterprise** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, perform the following step:
- ![ARES for Enterprise Domain and URLs single sign-on information](common/sp-intiated.png)
-
- In the **Sign on URL** text box, type a URL:
+ In the **Sign on URL** text box, type the URL:
`https://login.graebert.com` 5. On the **Set up Single Sign-On with SAML** page, In the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer. ![The Certificate download link](common/copy-metadataurl.png)
-### Configure ARES for Enterprise Single Sign-On
-
-To configure single sign-on on **ARES for Enterprise** side, you need to send the **App Federation Metadata Url** to [ARES for Enterprise support team](mailto:support@graebert.com). They set this setting to have the SAML SSO connection set properly on both sides.
- ### Create an Azure AD test user
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
+In this section, you'll create a test user in the Azure portal called B.Simon.
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type **brittasimon\@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
### Assign the Azure AD test user
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to ARES for Enterprise.
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to ARES for Enterprise.
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **ARES for Enterprise**.
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **ARES for Enterprise**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
- ![Enterprise applications blade](common/enterprise-applications.png)
+## Configure ARES for Enterprise SSO
-2. In the applications list, select **ARES for Enterprise**.
-
- ![The ARES for Enterprise link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
+To configure single sign-on on **ARES for Enterprise** side, you need to send the **App Federation Metadata Url** to [ARES for Enterprise support team](mailto:support@graebert.com). They set this setting to have the SAML SSO connection set properly on both sides.
### Create ARES for Enterprise test user In this section, a user called Britta Simon is created in ARES for Enterprise. ARES for Enterprise supports **just-in-time provisioning**, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in ARES for Enterprise, a new one is created when you attempt to access ARES for Enterprise.
-### Test single sign-on
+## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the ARES for Enterprise tile in the Access Panel, you should be automatically signed in to the ARES for Enterprise for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to ARES for Enterprise Sign-on URL where you can initiate the login flow.
-## Additional Resources
+* Go to ARES for Enterprise Sign-on URL directly and initiate the login flow from there.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the ARES for Enterprise tile in the My Apps, this will redirect to ARES for Enterprise Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure ARES for Enterprise you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
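Review bot: The unchanged "Create ARES for Enterprise test user" section still says "a user called Britta Simon is created", while every other reference in this change was renamed to B.Simon. Update that sentence so the just-in-time provisioned user matches the test account created earlier. Separately, the new Next steps link points to `/cloud-app-security/proxy-deployment-aad`, whereas the 10,000ft Plans, AlacrityLaw and Ardoq updates in this batch use `/cloud-app-security/proxy-deployment-any-app` and the Banyan Command Center change moves away from the `-aad` target. Confirm which one is intended here.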
active-directory Auditboard Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/auditboard-provisioning-tutorial.md
# Tutorial: Configure AuditBoard for automatic user provisioning
-This tutorial describes the steps you need to perform in both AuditBoard and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users to [AuditBoard](https://www.auditboard.com/) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../manage-apps/user-provisioning.md).
+This tutorial describes the steps you need to perform in both AuditBoard and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users to [AuditBoard](https://www.auditboard.com/) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../app-provisioning/user-provisioning.md).
## Capabilities Supported
This tutorial describes the steps you need to perform in both AuditBoard and Azu
> * Create users in AuditBoard > * Remove users in AuditBoard when they do not require access anymore > * Keep user attributes synchronized between Azure AD and AuditBoard
-> * [Single sign-on](https://docs.microsoft.com/azure/active-directory/saas-apps/auditboard-tutorial) to AuditBoard (recommended)
+> * [Single sign-on](./auditboard-tutorial.md) to AuditBoard (recommended)
## Prerequisites The scenario outlined in this tutorial assumes that you already have the following prerequisites:
-* [An Azure AD tenant](https://docs.microsoft.com/azure/active-directory/develop/quickstart-create-new-tenant)
-* A user account in Azure AD with [permission](https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles) to configure provisioning (for example, Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator).
+* [An Azure AD tenant](../develop/quickstart-create-new-tenant.md)
+* A user account in Azure AD with [permission](../roles/permissions-reference.md) to configure provisioning (for example, Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator).
* An AuditBoard Site (Live). ## Step 1. Plan your provisioning deployment
-1. Learn about [how the provisioning service works](https://docs.microsoft.com/azure/active-directory/manage-apps/user-provisioning).
-2. Determine who will be in [scope for provisioning](https://docs.microsoft.com/azure/active-directory/manage-apps/define-conditional-rules-for-provisioning-user-accounts).
-3. Determine what data to [map between Azure AD and AuditBoard](https://docs.microsoft.com/azure/active-directory/manage-apps/customize-application-attributes).
+1. Learn about [how the provisioning service works](../app-provisioning/user-provisioning.md).
+2. Determine who will be in [scope for provisioning](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
+3. Determine what data to [map between Azure AD and AuditBoard](../app-provisioning/customize-application-attributes.md).
## Step 2. Configure AuditBoard to support provisioning with Azure AD
The scenario outlined in this tutorial assumes that you already have the followi
## Step 3. Add AuditBoard from the Azure AD application gallery
-Add AuditBoard from the Azure AD application gallery to start managing provisioning to AuditBoard. If you have previously setup AuditBoard for SSO, you can use the same application. However it is recommended that you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](https://docs.microsoft.com/azure/active-directory/manage-apps/add-gallery-app).
+Add AuditBoard from the Azure AD application gallery to start managing provisioning to AuditBoard. If you have previously setup AuditBoard for SSO, you can use the same application. However it is recommended that you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](../manage-apps/add-application-portal.md).
## Step 4. Define who will be in scope for provisioning
-The Azure AD provisioning service allows you to scope who will be provisioned based on assignment to the application and or based on attributes of the user / group. If you choose to scope who will be provisioned to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users to the application. If you choose to scope who will be provisioned based solely on attributes of the user or group, you can use a scoping filter as described [here](https://docs.microsoft.com/azure/active-directory/manage-apps/define-conditional-rules-for-provisioning-user-accounts).
+The Azure AD provisioning service allows you to scope who will be provisioned based on assignment to the application and or based on attributes of the user / group. If you choose to scope who will be provisioned to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users to the application. If you choose to scope who will be provisioned based solely on attributes of the user or group, you can use a scoping filter as described [here](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
-* When assigning users to AuditBoard, you must select a role other than **Default Access**. Users with the Default Access role are excluded from provisioning and will be marked as not effectively entitled in the provisioning logs. If the only role available on the application is the default access role, you can [update the application manifest](https://docs.microsoft.com/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps) to add additional roles.
+* When assigning users to AuditBoard, you must select a role other than **Default Access**. Users with the Default Access role are excluded from provisioning and will be marked as not effectively entitled in the provisioning logs. If the only role available on the application is the default access role, you can [update the application manifest](../develop/howto-add-app-roles-in-azure-ad-apps.md) to add additional roles.
-* Start small. Test with a small set of users before rolling out to everyone. When scope for provisioning is set to assigned users, you can control this by assigning one or two users to the app. When scope is set to all users, you can specify an [attribute based scoping filter](https://docs.microsoft.com/azure/active-directory/manage-apps/define-conditional-rules-for-provisioning-user-accounts).
+* Start small. Test with a small set of users before rolling out to everyone. When scope for provisioning is set to assigned users, you can control this by assigning one or two users to the app. When scope is set to all users, you can specify an [attribute based scoping filter](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
## Step 5. Configure automatic user provisioning to AuditBoard
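Review bot: The Step 3 and Step 4 paragraphs are re-added with their old wording slips intact. "If you have previously setup AuditBoard for SSO" should use the verb "set up", and "based on assignment to the application and or based on attributes" should read "and/or" (or simply "or"). Both are worth fixing while these lines are being changed for the link updates.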
This section guides you through the steps to configure the Azure AD provisioning
8. Under the **Mappings** section, select **Synchronize Azure Active Directory Users to AuditBoard**.
-9. Review the user attributes that are synchronized from Azure AD to AuditBoard in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in AuditBoard for update operations. If you choose to change the [matching target attribute](https://docs.microsoft.com/azure/active-directory/manage-apps/customize-application-attributes), you will need to ensure that the AuditBoard API supports filtering users based on that attribute. Select the **Save** button to commit any changes.
+9. Review the user attributes that are synchronized from Azure AD to AuditBoard in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in AuditBoard for update operations. If you choose to change the [matching target attribute](../app-provisioning/customize-application-attributes.md), you will need to ensure that the AuditBoard API supports filtering users based on that attribute. Select the **Save** button to commit any changes.
|Attribute|Type|Supported for Filtering| ||||
This section guides you through the steps to configure the Azure AD provisioning
|name.familyName|String|
-10. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../manage-apps/define-conditional-rules-for-provisioning-user-accounts.md).
+10. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
11. To enable the Azure AD provisioning service for AuditBoard, change the **Provisioning Status** to **On** in the **Settings** section.
This operation starts the initial synchronization cycle of all users defined in
## Step 6. Monitor your deployment Once you've configured provisioning, use the following resources to monitor your deployment:
-1. Use the [provisioning logs](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-provisioning-logs) to determine which users have been provisioned successfully or unsuccessfully
-2. Check the [progress bar](https://docs.microsoft.com/azure/active-directory/app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user) to see the status of the provisioning cycle and how close it is to completion
-3. If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. Learn more about quarantine states [here](https://docs.microsoft.com/azure/active-directory/manage-apps/application-provisioning-quarantine-status).
+1. Use the [provisioning logs](../reports-monitoring/concept-provisioning-logs.md) to determine which users have been provisioned successfully or unsuccessfully
+2. Check the [progress bar](../app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md) to see the status of the provisioning cycle and how close it is to completion
+3. If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. Learn more about quarantine states [here](../app-provisioning/application-provisioning-quarantine-status.md).
## Additional resources
-* [Managing user account provisioning for Enterprise Apps](../manage-apps/configure-automatic-user-provisioning-portal.md)
+* [Managing user account provisioning for Enterprise Apps](../app-provisioning/configure-automatic-user-provisioning-portal.md)
* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) ## Next steps
-* [Learn how to review logs and get reports on provisioning activity](../manage-apps/check-status-user-account-provisioning.md)
+* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md)
active-directory Banyan Command Center Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/banyan-command-center-tutorial.md
You can also use Microsoft My Apps to test the application in any mode. When you
## Next steps
-Once you configure Zero Trust Remote Access Platform you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
+Once you configure Banyan Command Center you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory Beekeeper Azure Ad Data Connector Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/beekeeper-azure-ad-data-connector-tutorial.md
Previously updated : 02/14/2020 Last updated : 06/10/2021
In this tutorial, you'll learn how to integrate Beekeeper Azure AD SSO with Azur
* Enable your users to be automatically signed-in to Beekeeper Azure AD SSO with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Beekeeper Azure AD SSO supports **SP and IDP** initiated SSO
-* Beekeeper Azure AD SSO supports **Just In Time** user provisioning
-* Once you configure Beekeeper Azure AD SSO you can enforce session controls, which protect exfiltration and infiltration of your organizationΓÇÖs sensitive data in real-time. Session control extend from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
+* Beekeeper Azure AD SSO supports **SP and IDP** initiated SSO.
+* Beekeeper Azure AD SSO supports **Just In Time** user provisioning.
+
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-## Adding Beekeeper Azure AD SSO from the gallery
+## Add Beekeeper Azure AD SSO from the gallery
To configure the integration of Beekeeper Azure AD SSO into Azure AD, you need to add Beekeeper Azure AD SSO from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Beekeeper Azure AD SSO** in the search box. 1. Select **Beekeeper Azure AD SSO** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on for Beekeeper Azure AD SSO
+## Configure and test Azure AD SSO for Beekeeper Azure AD SSO
Configure and test Azure AD SSO with Beekeeper Azure AD SSO using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Beekeeper Azure AD SSO.
-To configure and test Azure AD SSO with Beekeeper Azure AD SSO, complete the following building blocks:
+To configure and test Azure AD SSO with Beekeeper Azure AD SSO, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
- * **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
- * **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
1. **[Configure Beekeeper Azure AD SSO](#configure-beekeeper-azure-ad-sso)** - to configure the single sign-on settings on application side.
- * **[Create Beekeeper Azure AD SSO test user](#create-beekeeper-azure-ad-sso-test-user)** - to have a counterpart of B.Simon in Beekeeper Azure AD SSO that is linked to the Azure AD representation of user.
+ 1. **[Create Beekeeper Azure AD SSO test user](#create-beekeeper-azure-ad-sso-test-user)** - to have a counterpart of B.Simon in Beekeeper Azure AD SSO that is linked to the Azure AD representation of user.
1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ## Configure Azure AD SSO Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Beekeeper Azure AD SSO** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **Beekeeper Azure AD SSO** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
Follow these steps to enable Azure AD SSO in the Azure portal.
c. After the metadata file is successfully uploaded, the **Identifier** and **Reply URL** values get auto populated in Basic SAML Configuration section.
- ![Screenshot shows the Basic SAML Configuration, where you can enter Identifier, Reply U R L, and select Save.](common/idp-intiated.png)
- > [!Note]
- > If the **Identifier** and **Reply URL** values do not get auto polulated, then fill in the values manually according to your requirement.
+ > If the **Identifier** and **Reply URL** values do not get auto populated, then fill in the values manually according to your requirement.
1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode: In the **Sign-on URL** text box, type a URL using the following pattern:
- `https://<your_company>.beekeeper.io/login`
+ `https://<YOUR_COMPANY>.beekeeper.io/login`
> [!NOTE] > The Sign-on URL value is not real. Update this value with the actual Sign-on URL. Contact [Beekeeper Azure AD SSO Client support team](mailto:support@beekeeper.io) to get this value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
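Review bot: The `> [!Note]` marker is removed together with the misspelled "auto polulated" line, but the corrected sentence is added back as a bare `>` blockquote, so it no longer renders as a note callout. Keep a `> [!NOTE]` line above the corrected sentence, matching the `> [!NOTE]` used for the Sign-on URL note in the same section.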
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **Beekeeper Azure AD SSO**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure Beekeeper Azure AD SSO
In this section, a user called Britta Simon is created in Beekeeper Azure AD SSO
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
-When you click the Beekeeper Azure AD SSO tile in the Access Panel, you should be automatically signed in to the Beekeeper Azure AD SSO for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to Beekeeper Azure AD SSO Sign on URL where you can initiate the login flow.
-## Additional resources
+* Go to Beekeeper Azure AD SSO Sign-on URL directly and initiate the login flow from there.
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+#### IDP initiated:
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Beekeeper Azure AD SSO for which you set up the SSO.
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the Beekeeper Azure AD SSO tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Beekeeper Azure AD SSO for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [Try Beekeeper Azure AD SSO with Azure AD](https://aad.portal.azure.com/)
+## Next steps
-- [What is session control in Microsoft Cloud App Security?](/cloud-app-security/proxy-intro-aad)
+Once you configure Beekeeper Azure AD SSO you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
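Review bot: The new **Next steps** link points to `/cloud-app-security/proxy-deployment-aad`, while the bullet removed earlier in this file pointed to `/cloud-app-security/proxy-deployment-any-app`, and the Banyan, BrowserStack and Carbonite changes in this batch all end up on `proxy-deployment-any-app`. Confirm which target is intended and make the Beekeeper link consistent with the others. In the same hunk, "with following options" in the **Test SSO** intro should read "with the following options".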
active-directory Browserstack Single Sign On Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/browserstack-single-sign-on-tutorial.md
In this section, you test your Azure AD single sign-on configuration with follow
* Click on **Test this application** in Azure portal and you should be automatically signed in to the BrowserStack Single Sign-on for which you set up the SSO.
-You can also use Microsoft My Apps to test the application in any mode. When you click the BrowserStack Single Sign-on tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the BrowserStack Single Sign-on for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+You can also use Microsoft My Apps to test the application in any mode. When you click the BrowserStack Single Sign-on tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the BrowserStack Single Sign-on for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure BrowserStack Single Sign-on you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
+Once you configure BrowserStack Single Sign-on you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory Carbonite Endpoint Backup Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/carbonite-endpoint-backup-tutorial.md
In this section, you test your Azure AD single sign-on configuration with follow
* Click on **Test this application** in Azure portal and you should be automatically signed in to the Carbonite Endpoint Backup for which you set up the SSO.
-You can also use Microsoft My Apps to test the application in any mode. When you click the Carbonite Endpoint Backup tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Carbonite Endpoint Backup for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+You can also use Microsoft My Apps to test the application in any mode. When you click the Carbonite Endpoint Backup tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Carbonite Endpoint Backup for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Carbonite Endpoint Backup you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
+Once you configure Carbonite Endpoint Backup you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory Citrix Netscaler Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/citrix-netscaler-tutorial.md
Title: 'Tutorial: Azure Active Directory single sign-on integration with Citrix ADC (Kerberos-based authentication) | Microsoft Docs'
-description: Learn how to configure single sign-on (SSO) between Azure Active Directory and Citrix ADC by using Kerberos-based authentication.
+ Title: 'Tutorial: Azure Active Directory single sign-on integration with Citrix ADC SAML Connector for Azure AD (Kerberos-based authentication) | Microsoft Docs'
+description: Learn how to configure single sign-on (SSO) between Azure Active Directory and Citrix ADC SAML Connector for Azure AD by using Kerberos-based authentication.
Previously updated : 12/15/2020 Last updated : 06/08/2021
-# Tutorial: Azure Active Directory single sign-on integration with Citrix ADC (Kerberos-based authentication)
+# Tutorial: Azure Active Directory single sign-on integration with Citrix ADC SAML Connector for Azure AD (Kerberos-based authentication)
-In this tutorial, you'll learn how to integrate Citrix ADC with Azure Active Directory (Azure AD). When you integrate Citrix ADC with Azure AD, you can:
+In this tutorial, you'll learn how to integrate Citrix ADC SAML Connector for Azure AD with Azure Active Directory (Azure AD). When you integrate Citrix ADC SAML Connector for Azure AD with Azure AD, you can:
-* Control in Azure AD who has access to Citrix ADC.
-* Enable your users to be automatically signed in to Citrix ADC with their Azure AD accounts.
+* Control in Azure AD who has access to Citrix ADC SAML Connector for Azure AD.
+* Enable your users to be automatically signed in to Citrix ADC SAML Connector for Azure AD with their Azure AD accounts.
* Manage your accounts in one central location - the Azure portal. ## Prerequisites
In this tutorial, you'll learn how to integrate Citrix ADC with Azure Active Dir
To get started, you need the following items: * An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
-* Citrix ADC single sign-on (SSO) enabled subscription.
+* Citrix ADC SAML Connector for Azure AD single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD SSO in a test environment. The tutorial includes these scenarios:
-* **SP-initiated** SSO for Citrix ADC
+* **SP-initiated** SSO for Citrix ADC SAML Connector for Azure AD.
-* **Just in time** user provisioning for Citrix ADC
+* **Just in time** user provisioning for Citrix ADC SAML Connector for Azure AD.
-* [Kerberos-based authentication for Citrix ADC](#publish-the-web-server)
+* [Kerberos-based authentication for Citrix ADC SAML Connector for Azure AD](#publish-the-web-server).
-* [Header-based authentication for Citrix ADC](header-citrix-netscaler-tutorial.md#publish-the-web-server)
+* [Header-based authentication for Citrix ADC SAML Connector for Azure AD](header-citrix-netscaler-tutorial.md#publish-the-web-server).
-## Add Citrix ADC from the gallery
+## Add Citrix ADC SAML Connector for Azure AD from the gallery
-To integrate Citrix ADC with Azure AD, first add Citrix ADC to your list of managed SaaS apps from the gallery:
+To integrate Citrix ADC SAML Connector for Azure AD with Azure AD, first add Citrix ADC SAML Connector for Azure AD to your list of managed SaaS apps from the gallery:
1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
To integrate Citrix ADC with Azure AD, first add Citrix ADC to your list of mana
1. To add a new application, select **New application**.
-1. In the **Add from the gallery** section, enter **Citrix ADC** in the search box.
+1. In the **Add from the gallery** section, enter **Citrix ADC SAML Connector for Azure AD** in the search box.
-1. In the results, select **Citrix ADC**, and then add the app. Wait a few seconds while the app is added to your tenant.
+1. In the results, select **Citrix ADC SAML Connector for Azure AD**, and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD SSO for Citrix ADC
+## Configure and test Azure AD SSO for Citrix ADC SAML Connector for Azure AD
-Configure and test Azure AD SSO with Citrix ADC by using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Citrix ADC.
+Configure and test Azure AD SSO with Citrix ADC SAML Connector for Azure AD by using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Citrix ADC SAML Connector for Azure AD.
-To configure and test Azure AD SSO with Citrix ADC, perform the following steps:
+To configure and test Azure AD SSO with Citrix ADC SAML Connector for Azure AD, perform the following steps:
1. [Configure Azure AD SSO](#configure-azure-ad-sso) - to enable your users to use this feature.
To configure and test Azure AD SSO with Citrix ADC, perform the following steps:
1. [Assign the Azure AD test user](#assign-the-azure-ad-test-user) - to enable B.Simon to use Azure AD SSO.
-1. [Configure Citrix ADC SSO](#configure-citrix-adc-sso) - to configure the SSO settings on the application side.
+1. [Configure Citrix ADC SAML Connector for Azure AD SSO](#configure-citrix-adc-saml-connector-for-azure-ad-sso) - to configure the SSO settings on the application side.
- * [Create a Citrix ADC test user](#create-a-citrix-adc-test-user) - to have a counterpart of B.Simon in Citrix ADC that is linked to the Azure AD representation of the user.
+ 1. [Create Citrix ADC SAML Connector for Azure AD test user](#create-citrix-adc-saml-connector-for-azure-ad-test-user) - to have a counterpart of B.Simon in Citrix ADC SAML Connector for Azure AD that is linked to the Azure AD representation of the user.
1. [Test SSO](#test-sso) - to verify whether the configuration works.
To configure and test Azure AD SSO with Citrix ADC, perform the following steps:
To enable Azure AD SSO by using the Azure portal, complete these steps:
-1. In the Azure portal, on the **Citrix ADC** application integration pane, under **Manage**, select **Single sign-on**.
+1. In the Azure portal, on the **Citrix ADC SAML Connector for Azure AD** application integration pane, under **Manage**, select **Single sign-on**.
1. On the **Select a single sign-on method** pane, select **SAML**.
-1. On the **Set up Single Sign-On with SAML** pane, select the pen **Edit** icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up Single Sign-On with SAML** pane, select the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
-1. In the **Basic SAML Configuration** section, to configure the application in **IDP-initiated** mode:
+1. In the **Basic SAML Configuration** section, to configure the application in **IDP-initiated** mode, perform the following steps:
1. In the **Identifier** text box, enter a URL that has the following pattern:
- `https://<Your FQDN>`
+ `https://<YOUR_FQDN>`
1. In the **Reply URL** text box, enter a URL that has the following pattern:
- `http(s)://<Your FQDN>.of.vserver/cgi/samlauth`
+ `http(s)://<YOUR_FQDN>.of.vserver/cgi/samlauth`
-1. To configure the application in **SP-initiated** mode, select **Set additional URLs** and complete the following step:
+1. To configure the application in **SP-initiated** mode, select **Set additional URLs** and perform the following step:
* In the **Sign-on URL** text box, enter a URL that has the following pattern:
- `https://<Your FQDN>/CitrixAuthService/AuthService.asmx`
+ `https://<YOUR_FQDN>/CitrixAuthService/AuthService.asmx`
> [!NOTE]
- > * The URLs that are used in this section aren't real values. Update these values with the actual values for Identifier, Reply URL, and Sign-on URL. Contact the [Citrix ADC client support team](https://www.citrix.com/contact/technical-support.html) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
- > * To set up SSO, the URLs must be accessible from public websites. You must enable the firewall or other security settings on the Citrix ADC side to enble Azure AD to post the token at the configured URL.
+ > * The URLs that are used in this section aren't real values. Update these values with the actual values for Identifier, Reply URL, and Sign-on URL. Contact the [Citrix ADC SAML Connector for Azure AD client support team](https://www.citrix.com/contact/technical-support.html) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+ > * To set up SSO, the URLs must be accessible from public websites. You must enable the firewall or other security settings on the Citrix ADC SAML Connector for Azure AD side to enble Azure AD to post the token at the configured URL.
1. On the **Set up Single Sign-On with SAML** pane, in the **SAML Signing Certificate** section, for **App Federation Metadata Url**, copy the URL and save it in Notepad. ![The Certificate download link](common/certificatebase64.png)
-1. In the **Set up Citrix ADC** section, copy the relevant URLs based on your requirements.
+1. In the **Set up Citrix ADC SAML Connector for Azure AD** section, copy the relevant URLs based on your requirements.
![Copy configuration URLs](common/copy-configuration-urls.png)
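Review bot: The Reply URL pattern still reads `http(s)://<YOUR_FQDN>.of.vserver/cgi/samlauth` after the placeholder rename, so the tutorial keeps presenting plain HTTP as acceptable for the endpoint that receives the SAML response, while the Identifier and Sign-on URL patterns are `https://` only. Since this line is being touched anyway, consider changing the pattern to `https://` so the assertion is not shown as postable over an unencrypted channel. The added NOTE bullet also carries over the typo "enble" ("to enble Azure AD to post the token"); it should be "enable".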
In this section, you create a test user in the Azure portal called B.Simon.
### Assign the Azure AD test user
-In this section, you enable the user B.Simon to use Azure SSO by granting the user access to Citrix ADC.
+In this section, you enable the user B.Simon to use Azure SSO by granting the user access to Citrix ADC SAML Connector for Azure AD.
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
-1. In the applications list, select **Citrix ADC**.
+1. In the applications list, select **Citrix ADC SAML Connector for Azure AD**.
1. On the app overview, under **Manage**, select **Users and groups**. 1. Select **Add user**. Then, in the **Add Assignment** dialog box, select **Users and groups**.
In this section, you enable the user B.Simon to use Azure SSO by granting the us
1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected. 1. In the **Add Assignment** dialog box, select **Assign**.
-## Configure Citrix ADC SSO
+## Configure Citrix ADC SAML Connector for Azure AD SSO
Select a link for steps for the kind of authentication you want to configure: -- [Configure Citrix ADC SSO for Kerberos-based authentication](#publish-the-web-server)
+- [Configure Citrix ADC SAML Connector for Azure AD SSO for Kerberos-based authentication](#publish-the-web-server)
-- [Configure Citrix ADC SSO for header-based authentication](header-citrix-netscaler-tutorial.md#publish-the-web-server)
+- [Configure Citrix ADC SAML Connector for Azure AD SSO for header-based authentication](header-citrix-netscaler-tutorial.md#publish-the-web-server)
### Publish the web server
To create a virtual server:
1. Select **Add**.
- ![Citrix ADC configuration - Services pane](./media/citrix-netscaler-tutorial/web01.png)
+ ![Citrix ADC SAML Connector for Azure AD configuration - Services pane](./media/citrix-netscaler-tutorial/web01.png)
1. Set the following values for the web server that's running the applications:
To configure the load balancer:
1. Select **OK**.
- ![Citrix ADC configuration - Basic Settings pane](./media/citrix-netscaler-tutorial/load01.png)
+ ![Citrix ADC SAML Connector for Azure AD configuration - Basic Settings pane](./media/citrix-netscaler-tutorial/load01.png)
### Bind the virtual server
To bind the load balancer with the virtual server:
1. In the **Services and Service Groups** pane, select **No Load Balancing Virtual Server Service Binding**.
- ![Citrix ADC configuration - Load Balancing Virtual Server Service Binding pane](./media/citrix-netscaler-tutorial/bind01.png)
+ ![Citrix ADC SAML Connector for Azure AD configuration - Load Balancing Virtual Server Service Binding pane](./media/citrix-netscaler-tutorial/bind01.png)
1. Verify the settings as shown in the following screenshot, and then select **Close**.
- ![Citrix ADC configuration - Verify the virtual server services binding](./media/citrix-netscaler-tutorial/bind02.png)
+ ![Citrix ADC SAML Connector for Azure AD configuration - Verify the virtual server services binding](./media/citrix-netscaler-tutorial/bind02.png)
### Bind the certificate
To publish this service as TLS, bind the server certificate, and then test your
1. Under **Certificate**, select **No Server Certificate**.
- ![Citrix ADC configuration - Server Certificate pane](./media/citrix-netscaler-tutorial/bind03.png)
+ ![Citrix ADC SAML Connector for Azure AD configuration - Server Certificate pane](./media/citrix-netscaler-tutorial/bind03.png)
1. Verify the settings as shown in the following screenshot, and then select **Close**.
- ![Citrix ADC configuration - Verify the certificate](./media/citrix-netscaler-tutorial/bind04.png)
+ ![Citrix ADC SAML Connector for Azure AD configuration - Verify the certificate](./media/citrix-netscaler-tutorial/bind04.png)
-## Citrix ADC SAML profile
+## Citrix ADC SAML Connector for Azure AD SAML profile
-To configure the Citrix ADC SAML profile, complete the following sections.
+To configure the Citrix ADC SAML Connector for Azure AD SAML profile, complete the following sections.
### Create an authentication policy
To create an authentication policy:
* **Action**: Enter **SAML**, and then select **Add**. * **Expression**: Enter **true**.
- ![Citrix ADC configuration - Create Authentication Policy pane](./media/citrix-netscaler-tutorial/policy01.png)
+ ![Citrix ADC SAML Connector for Azure AD configuration - Create Authentication Policy pane](./media/citrix-netscaler-tutorial/policy01.png)
1. Select **Create**.
To create an authentication SAML server, go to the **Create Authentication SAML
1. Select **Create**.
-![Citrix ADC configuration - Create Authentication SAML Server pane](./media/citrix-netscaler-tutorial/server01.png)
+![Citrix ADC SAML Connector for Azure AD configuration - Create Authentication SAML Server pane](./media/citrix-netscaler-tutorial/server01.png)
### Create an authentication virtual server
Modify two sections for the authentication virtual server:
1. On the **Advanced Authentication Policies** pane, select **No Authentication Policy**.
- ![Citrix ADC configuration - Advanced Authentication Policies pane](./media/citrix-netscaler-tutorial/virtual01.png)
+ ![Citrix ADC SAML Connector for Azure AD configuration - Advanced Authentication Policies pane](./media/citrix-netscaler-tutorial/virtual01.png)
1. On the **Policy Binding** pane, select the authentication policy, and then select **Bind**.
- ![Citrix ADC configuration - Policy Binding pane](./media/citrix-netscaler-tutorial/virtual02.png)
+ ![Citrix ADC SAML Connector for Azure AD configuration - Policy Binding pane](./media/citrix-netscaler-tutorial/virtual02.png)
1. On the **Form Based Virtual Servers** pane, select **No Load Balancing Virtual Server**.
- ![Citrix ADC configuration - Form Based Virtual Servers pane](./media/citrix-netscaler-tutorial/virtual03.png)
+ ![Citrix ADC SAML Connector for Azure AD configuration - Form Based Virtual Servers pane](./media/citrix-netscaler-tutorial/virtual03.png)
1. For **Authentication FQDN**, enter a fully qualified domain name (FQDN) (required).
Modify two sections for the authentication virtual server:
1. Select **Bind**.
- ![Citrix ADC configuration - Load Balancing Virtual Server Binding pane](./media/citrix-netscaler-tutorial/virtual04.png)
+ ![Citrix ADC SAML Connector for Azure AD configuration - Load Balancing Virtual Server Binding pane](./media/citrix-netscaler-tutorial/virtual04.png)
> [!NOTE] > Be sure to select **Done** on the **Authentication Virtual Server Configuration** pane. 1. To verify your changes, in a browser, go to the application URL. You should see your tenant sign-in page instead of the unauthenticated access that you would have seen previously.
- ![Citrix ADC configuration - A sign-in page in a web browser](./media/citrix-netscaler-tutorial/virtual05.png)
+ ![Citrix ADC SAML Connector for Azure AD configuration - A sign-in page in a web browser](./media/citrix-netscaler-tutorial/virtual05.png)
-## Configure Citrix ADC SSO for Kerberos-based authentication
+## Configure Citrix ADC SAML Connector for Azure AD SSO for Kerberos-based authentication
-### Create a Kerberos delegation account for Citrix ADC
+### Create a Kerberos delegation account for Citrix ADC SAML Connector for Azure AD
1. Create a user account (in this example, we use _AppDelegation_).
- ![Citrix ADC configuration - Properties pane](./media/citrix-netscaler-tutorial/kerberos01.png)
+ ![Citrix ADC SAML Connector for Azure AD configuration - Properties pane](./media/citrix-netscaler-tutorial/kerberos01.png)
1. Set up a HOST SPN for this account.
Modify two sections for the authentication virtual server:
1. Configure delegation for the web server as shown in the following screenshot:
- ![Citrix ADC configuration - Delegation under Properties pane](./media/citrix-netscaler-tutorial/kerberos02.png)
+ ![Citrix ADC SAML Connector for Azure AD configuration - Delegation under Properties pane](./media/citrix-netscaler-tutorial/kerberos02.png)
> [!NOTE] > In the screenshot example, the internal web server name running the Windows Integrated Authentication (WIA) site is _CWEB2_.
-### Citrix ADC AAA KCD (Kerberos delegation accounts)
+### Citrix ADC SAML Connector for Azure AD AAA KCD (Kerberos delegation accounts)
-To configure the Citrix ADC AAA KCD account:
+To configure the Citrix ADC SAML Connector for Azure AD AAA KCD account:
1. Go to **Citrix Gateway** > **AAA KCD (Kerberos Constrained Delegation) Accounts**.
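Review bot: In the heading and the "To configure ..." line of this hunk, the gallery app name is substituted where the text refers to a feature of the appliance itself. The step that follows still sends the reader to **Citrix Gateway** > **AAA KCD (Kerberos Constrained Delegation) Accounts**, so "Citrix ADC SAML Connector for Azure AD AAA KCD account" does not match the UI path the article gives. Suggest keeping "Citrix ADC AAA KCD" in these two lines and using the connector name only where the Azure AD gallery app is meant.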
To configure the Citrix ADC AAA KCD account:
1. Select **OK**.
- ![Citrix ADC configuration - Configure KCD Account pane](./media/citrix-netscaler-tutorial/kerberos03.png)
+ ![Citrix ADC SAML Connector for Azure AD configuration - Configure KCD Account pane](./media/citrix-netscaler-tutorial/kerberos03.png)
### Citrix traffic policy and traffic profile
To configure the Citrix traffic policy and traffic profile:
1. Select **OK**.
- ![Citrix ADC configuration - Configure Traffic Profile pane](./media/citrix-netscaler-tutorial/kerberos04.png)
+ ![Citrix ADC SAML Connector for Azure AD configuration - Configure Traffic Profile pane](./media/citrix-netscaler-tutorial/kerberos04.png)
1. Select **Traffic Policy**.
To configure the Citrix traffic policy and traffic profile:
1. Select **OK**.
- ![Citrix ADC configuration - Configure Traffic Policy pane](./media/citrix-netscaler-tutorial/kerberos05.png)
+ ![Citrix ADC SAML Connector for Azure AD configuration - Configure Traffic Policy pane](./media/citrix-netscaler-tutorial/kerberos05.png)
### Bind a traffic policy to a virtual server in Citrix
To bind a traffic policy to a virtual server by using the GUI:
1. On the **Load Balancing Virtual Server** pane, under **Advanced Settings**, select **Policies**. All policies that are configured for your NetScaler instance appear in the list.
- ![Citrix ADC configuration - Load Balancing Virtual Server pane](./media/citrix-netscaler-tutorial/kerberos06.png)
+ ![Citrix ADC SAML Connector for Azure AD configuration - Load Balancing Virtual Server pane](./media/citrix-netscaler-tutorial/kerberos06.png)
- ![Citrix ADC configuration - Policies dialog box](./media/citrix-netscaler-tutorial/kerberos07.png)
+ ![Citrix ADC SAML Connector for Azure AD configuration - Policies dialog box](./media/citrix-netscaler-tutorial/kerberos07.png)
1. Select the check box next to the name of the policy you want to bind to this virtual server.
- ![Citrix ADC configuration - Load Balancing Virtual Server Traffic Policy Binding pane](./media/citrix-netscaler-tutorial/kerberos09.png)
+ ![Citrix ADC SAML Connector for Azure AD configuration - Load Balancing Virtual Server Traffic Policy Binding pane](./media/citrix-netscaler-tutorial/kerberos09.png)
1. In the **Choose Type** dialog box:
To bind a traffic policy to a virtual server by using the GUI:
1. For **Choose Type**, select **Request**.
- ![Citrix ADC configuration - Choose Type pane](./media/citrix-netscaler-tutorial/kerberos08.png)
+ ![Citrix ADC SAML Connector for Azure AD configuration - Choose Type pane](./media/citrix-netscaler-tutorial/kerberos08.png)
1. When the policy is bound, select **Done**.
- ![Citrix ADC configuration - Policies pane](./media/citrix-netscaler-tutorial/kerberos10.png)
+ ![Citrix ADC SAML Connector for Azure AD configuration - Policies pane](./media/citrix-netscaler-tutorial/kerberos10.png)
1. Test the binding by using the WIA website.
- ![Citrix ADC configuration - A test page in a web browser](./media/citrix-netscaler-tutorial/kerberos11.png)
+ ![Citrix ADC SAML Connector for Azure AD configuration - A test page in a web browser](./media/citrix-netscaler-tutorial/kerberos11.png)
-### Create a Citrix ADC test user
+### Create Citrix ADC SAML Connector for Azure AD test user
-In this section, a user called B.Simon is created in Citrix ADC. Citrix ADC supports just-in-time user provisioning, which is enabled by default. There is no action for you to take in this section. If a user doesn't already exist in Citrix ADC, a new one is created after authentication.
+In this section, a user called B.Simon is created in Citrix ADC SAML Connector for Azure AD. Citrix ADC SAML Connector for Azure AD supports just-in-time user provisioning, which is enabled by default. There is no action for you to take in this section. If a user doesn't already exist in Citrix ADC SAML Connector for Azure AD, a new one is created after authentication.
> [!NOTE]
-> If you need to create a user manually, contact the [Citrix ADC client support team](https://www.citrix.com/contact/technical-support.html).
+> If you need to create a user manually, contact the [Citrix ADC SAML Connector for Azure AD client support team](https://www.citrix.com/contact/technical-support.html).
## Test SSO In this section, you test your Azure AD single sign-on configuration with following options.
-* Click on **Test this application** in Azure portal. This will redirect to Citrix ADC Sign-on URL where you can initiate the login flow.
+* Click on **Test this application** in Azure portal. This will redirect to Citrix ADC SAML Connector for Azure AD Sign-on URL where you can initiate the login flow.
-* Go to Citrix ADC Sign-on URL directly and initiate the login flow from there.
+* Go to Citrix ADC SAML Connector for Azure AD Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the Citrix ADC tile in the My Apps, this will redirect to Citrix ADC Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
+* You can use Microsoft My Apps. When you click the Citrix ADC SAML Connector for Azure AD tile in the My Apps, this will redirect to Citrix ADC SAML Connector for Azure AD Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Citrix ADC you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
+Once you configure Citrix ADC SAML Connector for Azure AD you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
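Review bot: The new heading `### Create Citrix ADC SAML Connector for Azure AD test user` drops the article that the old heading had ("Create a ...") and that the sibling heading "Create a Kerberos delegation account for ..." keeps; suggest "Create a Citrix ADC SAML Connector for Azure AD test user". The renamed headings in this article also change their generated anchors, so any links to the old anchors need updating in the same commit. The "Next steps" line carries over the mis-encoded apostrophe in "organizationΓÇÖs" from the removed line; worth fixing while the line is being touched.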
active-directory Filecloud Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/filecloud-tutorial.md
Previously updated : 02/12/2019 Last updated : 06/10/2021 # Tutorial: Azure Active Directory integration with FileCloud
-In this tutorial, you learn how to integrate FileCloud with Azure Active Directory (Azure AD).
-Integrating FileCloud with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate FileCloud with Azure Active Directory (Azure AD). When you integrate FileCloud with Azure AD, you can:
-* You can control in Azure AD who has access to FileCloud.
-* You can enable your users to be automatically signed-in to FileCloud (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to FileCloud.
+* Enable your users to be automatically signed-in to FileCloud with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with FileCloud, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* FileCloud single sign-on enabled subscription
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* FileCloud single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* FileCloud supports **SP** initiated SSO
+* FileCloud supports **SP** initiated SSO.
-* FileCloud supports **Just In Time** user provisioning
+* FileCloud supports **Just In Time** user provisioning.
-## Adding FileCloud from the gallery
+## Add FileCloud from the gallery
To configure the integration of FileCloud into Azure AD, you need to add FileCloud from the gallery to your list of managed SaaS apps.
-**To add FileCloud from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **FileCloud**, select **FileCloud** from result panel then click **Add** button to add the application.
-
- ![FileCloud in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
-
-In this section, you configure and test Azure AD single sign-on with FileCloud based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in FileCloud needs to be established.
-
-To configure and test Azure AD single sign-on with FileCloud, you need to complete the following building blocks:
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **FileCloud** in the search box.
+1. Select **FileCloud** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure FileCloud Single Sign-On](#configure-filecloud-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create FileCloud test user](#create-filecloud-test-user)** - to have a counterpart of Britta Simon in FileCloud that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+## Configure and test Azure AD SSO for FileCloud
-### Configure Azure AD single sign-on
+Configure and test Azure AD SSO with FileCloud using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in FileCloud.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+To configure and test Azure AD SSO with FileCloud, perform the following steps:
-To configure Azure AD single sign-on with FileCloud, perform the following steps:
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure FileCloud SSO](#configure-filecloud-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create FileCloud test user](#create-filecloud-test-user)** - to have a counterpart of B.Simon in FileCloud that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-1. In the [Azure portal](https://portal.azure.com/), on the **FileCloud** application integration page, select **Single sign-on**.
+## Configure Azure AD SSO
- ![Configure single sign-on link](common/select-sso.png)
+Follow these steps to enable Azure AD SSO in the Azure portal.
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+1. In the Azure portal, on the **FileCloud** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Single sign-on select mode](common/select-saml-option.png)
-
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, perform the following steps:
- ![FileCloud Domain and URLs single sign-on information](common/sp-identifier.png)
- a. In the **Sign on URL** text box, type a URL using the following pattern:
- `https://<subdomain>.filecloudonline.com`
+ `https://<SUBDOMAIN>.filecloudonline.com`
b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
- `https://<subdomain>.filecloudonline.com/simplesaml/module.php/saml/sp/metadata.php/default-sp`
+ `https://<SUBDOMAIN>.filecloudonline.com/simplesaml/module.php/saml/sp/metadata.php/default-sp`
> [!NOTE] > These values are not real. Update these values with the actual Sign on URL and Identifier. Contact [FileCloud Client support team](mailto:support@codelathe.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
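Review bot: The removed line `a. In the **Sign on URL** text box, type a URL using the following pattern:` has no replacement in this hunk, while the `<SUBDOMAIN>` pattern under it and step `b.` are kept, so the first URL pattern is left without its instruction. Restore the `a.` line above the pattern. The step that introduces the list is also still numbered `4.` explicitly while the new steps before it use `1.` auto-numbering; switch it to `1.` for consistency.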
To configure Azure AD single sign-on with FileCloud, perform the following steps
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
- b. Azure Ad Identifier
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
- c. Logout URL
+### Assign the Azure AD test user
-### Configure FileCloud Single Sign-On
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to FileCloud.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **FileCloud**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure FileCloud SSO
1. In a different web browser window, sign-on to your FileCloud tenant as an administrator. 2. On the left navigation pane, click **Settings**.
- ![Screenshot that shows "Settings" highlighted in the left navigation pane.](./media/filecloud-tutorial/tutorial_filecloud_000.png)
+ ![Screenshot that shows "Settings" highlighted in the left navigation pane.](./media/filecloud-tutorial/setting.png)
3. Click **SSO** tab on Settings section.
- ![Screenshot that shows the "Settings" section with the "S S O" tab selected.](./media/filecloud-tutorial/tutorial_filecloud_001.png)
+ ![Screenshot that shows the "Settings" section with the "S S O" tab selected.](./media/filecloud-tutorial/tab.png)
4. Select **SAML** as **Default SSO Type** on **Single Sign On (SSO) Settings** panel.
- ![Screenshot that shows the "Single Sign On (S S O) Settings" panel with "S A M L" selected.](./media/filecloud-tutorial/tutorial_filecloud_002.png)
+ ![Screenshot that shows the "Single Sign On (S S O) Settings" panel with "S A M L" selected.](./media/filecloud-tutorial/panel.png)
5. In the **IdP End Point URL** textbox, paste the value of **Azure Ad Identifier** which you have copied from Azure portal.
- ![Screenshot that shows the "S A M L Settings" section with "I d P End Point U R L" highlighted.](./media/filecloud-tutorial/tutorial_filecloud_003.png)
+ ![Screenshot that shows the "S A M L Settings" section with "I d P End Point U R L" highlighted.](./media/filecloud-tutorial/identifier.png)
6. Open your downloaded metadata file in notepad, copy the content of it into your clipboard, and then paste it to the **IdP Meta Data** textbox on **SAML Settings** panel.
- ![Configure Single Sign-On On App side](./media/filecloud-tutorial/tutorial_filecloud_004.png)
+ ![Configure Single Sign-On On App side](./media/filecloud-tutorial/metadata.png)
7. Click **Save** button.
-### Create an Azure AD test user
-
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type **brittasimon\@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
-
-### Assign the Azure AD test user
-
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to FileCloud.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **FileCloud**.
-
- ![Enterprise applications blade](common/enterprise-applications.png)
-
-2. In the applications list, select **FileCloud**.
-
- ![The FileCloud link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
- ### Create FileCloud test user In this section, a user called Britta Simon is created in FileCloud. FileCloud supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in FileCloud, a new one is created after authentication.
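Review bot: The test user is renamed to B.Simon in the sections added here, but the unchanged "Create FileCloud test user" paragraph at the end of this hunk still says "a user called Britta Simon"; update it to match. The list of values to copy (Login URL, Azure Ad Identifier, Logout URL) is also removed, yet step 5 of "Configure FileCloud SSO" still tells the reader to paste the **Azure Ad Identifier** "which you have copied from Azure portal", so keep a step that tells the reader to copy that value.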
In this section, a user called Britta Simon is created in FileCloud. FileCloud s
>[!NOTE] >If you need to create a user manually, you need to contact the [FileCloud Client support team](mailto:support@codelathe.com).
-### Test single sign-on
+## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the FileCloud tile in the Access Panel, you should be automatically signed in to the FileCloud for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to FileCloud Sign-on URL where you can initiate the login flow.
-## Additional Resources
+* Go to FileCloud Sign-on URL directly and initiate the login flow from there.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the FileCloud tile in the My Apps, this will redirect to FileCloud Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure FileCloud you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
active-directory Finvari Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/finvari-tutorial.md
+
+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Finvari | Microsoft Docs'
+description: Learn how to configure single sign-on between Azure Active Directory and Finvari.
++++++++ Last updated : 06/10/2021++++
+# Tutorial: Azure Active Directory single sign-on (SSO) integration with Finvari
+
+In this tutorial, you'll learn how to integrate Finvari with Azure Active Directory (Azure AD). When you integrate Finvari with Azure AD, you can:
+
+* Control in Azure AD who has access to Finvari.
+* Enable your users to be automatically signed-in to Finvari with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
+
+## Prerequisites
+
+To get started, you need the following items:
+
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Finvari single sign-on (SSO) enabled subscription.
+
+## Scenario description
+
+In this tutorial, you configure and test Azure AD SSO in a test environment.
+
+* Finvari supports **SP** initiated SSO.
+
+* Finvari supports **Just In Time** user provisioning.
+
+## Add Finvari from the gallery
+
+To configure the integration of Finvari into Azure AD, you need to add Finvari from the gallery to your list of managed SaaS apps.
+
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Finvari** in the search box.
+1. Select **Finvari** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
+
+## Configure and test Azure AD SSO for Finvari
+
+Configure and test Azure AD SSO with Finvari using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Finvari.
+
+To configure and test Azure AD SSO with Finvari, perform the following steps:
+
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Finvari SSO](#configure-finvari-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Finvari test user](#create-finvari-test-user)** - to have a counterpart of B.Simon in Finvari that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
+
+## Configure Azure AD SSO
+
+Follow these steps to enable Azure AD SSO in the Azure portal.
+
+1. In the Azure portal, on the **Finvari** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
+
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
+
+1. On the **Basic SAML Configuration** section, perform the following steps:
+
+ a. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
+ `https://us.finvari.com/<CUSTOMER>`
+
+ b. In the **Reply URL** text box, type a URL using the following pattern:
+ `https://us.finvari.com/<CUSTOMER>/auth/handler`
+
+ c. In the **Sign on URL** text box, type a URL using the following pattern:
+ `https://us.finvari.com/?program=<CUSTOMER>`
+
+ > [!NOTE]
+ > These values are not real. Update these values with the actual Identifier,Reply URL and Sign on URL. Contact [Finvari Client support team](mailto:support@finvari.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+
+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.
+
+ ![The Certificate download link](common/certificatebase64.png)
+
+1. On the **Set up Finvari** section, copy the appropriate URL(s) based on your requirement.
+
+ ![Copy configuration URLs](common/copy-configuration-urls.png)
+
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
+
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Finvari.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Finvari**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure Finvari SSO
+
+To configure single sign-on on **Finvari** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [Finvari support team](mailto:support@finvari.com). They set this setting to have the SAML SSO connection set properly on both sides.
+
+### Create Finvari test user
+
+In this section, a user called Britta Simon is created in Finvari. Finvari supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Finvari, a new one is created after authentication.
+
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+* Click on **Test this application** in Azure portal. This will redirect to Finvari Sign-on URL where you can initiate the login flow.
+
+* Go to Finvari Sign-on URL directly and initiate the login flow from there.
+
+* You can use Microsoft My Apps. When you click the Finvari tile in the My Apps, this will redirect to Finvari Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
+
+## Next steps
+
+Once you configure Finvari you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
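Review bot: "Create Finvari test user" says "a user called Britta Simon is created in Finvari", while every other section of this new article uses B.Simon; change it to B.Simon. In the note under **Basic SAML Configuration**, "Identifier,Reply URL and Sign on URL" is missing a space after the comma. In "Configure Finvari SSO", "They set this setting to have the SAML SSO connection set properly" would read better as "They configure this setting so that the SAML SSO connection is set properly".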
active-directory Github Enterprise Managed User Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/github-enterprise-managed-user-tutorial.md
In this section, you'll take the information provided from AAD above and enter t
1. Go to https://github.com 1. Click on Sign In at the top-right corner 1. Enter the credentials for the first administrator user account. The login handle should be in the format: `<your enterprise short code>_admin`
-1. Navigate to https://github.com/enterprises/ `<your enterprise name>`. This information should be provided by your Solutions Engineering contact.
+1. Navigate to `https://github.com/enterprises/` `<your enterprise name>`. This information should be provided by your Solutions Engineering contact.
1. On the navigation menu on the left, select **Settings**, then **Security**. 1. Click on the checkbox **Enable SAML authentication** 1. Enter the Sign on URL. This URL is the Login URL that you copied from AAD above.
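Review bot: The URL in the "Navigate to" step is now split across two code spans with a space between them (`https://github.com/enterprises/` `<your enterprise name>`), which reads as two separate values and cannot be copied as one address. Put the placeholder inside the same span: `https://github.com/enterprises/<your enterprise name>`. The bare `https://github.com` in the "Go to" step could get the same code formatting for consistency.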
active-directory Hcaptcha Enterprise Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/hcaptcha-enterprise-tutorial.md
Previously updated : 03/10/2021 Last updated : 06/09/2021
To get started, you need the following items:
* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/). * hCaptcha Enterprise single sign-on (SSO) enabled subscription.
+> [!NOTE]
+> This integration is also available to use from Azure AD US Government Cloud environment. You can find this application in the Azure AD US Government Cloud Application Gallery and configure it in the same way as you do from public cloud.
+ ## Scenario description In this tutorial, you configure and test Azure AD SSO in a test environment.
active-directory Iprova Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/iprova-tutorial.md
Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with iProva | Microsoft Docs'
-description: Learn how to configure single sign-on between Azure Active Directory and iProva.
+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Zenya | Microsoft Docs'
+description: Learn how to configure single sign-on between Azure Active Directory and Zenya.
Previously updated : 05/17/2021 Last updated : 06/08/2021
-# Tutorial: Azure Active Directory single sign-on (SSO) integration with iProva
+# Tutorial: Azure Active Directory single sign-on (SSO) integration with Zenya
-In this tutorial, you'll learn how to integrate iProva with Azure Active Directory (Azure AD). When you integrate iProva with Azure AD, you can:
+In this tutorial, you'll learn how to integrate Zenya with Azure Active Directory (Azure AD). When you integrate Zenya with Azure AD, you can:
-* Control in Azure AD who has access to iProva.
-* Enable your users to be automatically signed-in to iProva with their Azure AD accounts.
+* Control in Azure AD who has access to Zenya.
+* Enable your users to be automatically signed-in to Zenya with their Azure AD accounts.
* Manage your accounts in one central location - the Azure portal. ## Prerequisites
In this tutorial, you'll learn how to integrate iProva with Azure Active Directo
To get started, you need the following items: * An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
-* iProva single sign-on (SSO) enabled subscription.
+* Zenya single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD SSO in a test environment.
-* iProva supports **SP** initiated SSO.
+* Zenya supports **SP** initiated SSO.
-## Add iProva from the gallery
+## Add Zenya from the gallery
-To configure the integration of iProva into Azure AD, you need to add iProva from the gallery to your list of managed SaaS apps.
+To configure the integration of Zenya into Azure AD, you need to add Zenya from the gallery to your list of managed SaaS apps.
1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account. 1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**.
-1. In the **Add from the gallery** section, type **iProva** in the search box.
-1. Select **iProva** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
+1. In the **Add from the gallery** section, type **Zenya** in the search box.
+1. Select **Zenya** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD SSO for iProva
+## Configure and test Azure AD SSO for Zenya
-Configure and test Azure AD SSO with iProva using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in iProva.
+Configure and test Azure AD SSO with Zenya using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Zenya.
-To configure and test Azure AD SSO with iProva, perform the following steps:
+To configure and test Azure AD SSO with Zenya, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon. 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
-1. **[Configure iProva SSO](#configure-iprova-sso)** - to configure the single sign-on settings on application side.
- 1. **[Create iProva test user](#create-iprova-test-user)** - to have a counterpart of B.Simon in iProva that is linked to the Azure AD representation of user.
+1. **[Configure Zenya SSO](#configure-zenya-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Zenya test user](#create-zenya-test-user)** - to have a counterpart of B.Simon in Zenya that is linked to the Azure AD representation of user.
1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-## Retrieve configuration information from iProva
+## Retrieve configuration information from Zenya
-In this section, you retrieve information from iProva to configure Azure AD single sign-on.
+In this section, you retrieve information from Zenya to configure Azure AD single sign-on.
-1. Open a web browser, and go to the **SAML2 info** page in iProva by using the following URL patterns:
+1. Open a web browser, and go to the **SAML2 info** page in Zenya by using the following URL patterns:
`https://<SUBDOMAIN>.iprova.nl/saml2info`
- `https://<SUBDOMAIN>.iprova.be/saml2info`
+ `https://<SUBDOMAIN>.iprova.be/saml2info`
+ `https://<SUBDOMAIN>.iprova.eu/saml2info`
- ![View the iProva SAML2 info page](media/iprova-tutorial/information.png)
+ ![View the Zenya SAML2 info page](media/iprova-tutorial/information.png)
1. Leave the browser tab open while you proceed with the next steps in another browser tab.
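Review bot: The SAML2 info URL patterns in this step still point at `iprova.nl`, `iprova.be` and the newly added `iprova.eu`, while every surrounding line renames the product to Zenya. The Sign-on URL, EntityID and Reply URL are copied from that page into the Azure AD trust configuration, so an admin who sees a Zenya tutorial sending them to an iProva host has no way to tell whether that is expected. If the hostnames are intentionally unchanged, add a short sentence saying so next to the patterns. The same applies to the image path `media/iprova-tutorial/information.png`, which keeps the old name.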
In this section, you retrieve information from iProva to configure Azure AD sing
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the Azure portal, on the **iProva** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **Zenya** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**. 1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
Follow these steps to enable Azure AD SSO in the Azure portal.
1. On the **Basic SAML Configuration** section, perform the following steps:
- a. Fill the **Sign-on URL** box with the value that's displayed behind the label **Sign-on URL** on the **iProva SAML2 info** page. This page is still open in your other browser tab.
+ a. Fill the **Sign-on URL** box with the value that's displayed behind the label **Sign-on URL** on the **Zenya SAML2 info** page. This page is still open in your other browser tab.
- b. Fill the **Identifier** box with the value that's displayed behind the label **EntityID** on the **iProva SAML2 info** page. This page is still open in your other browser tab.
+ b. Fill the **Identifier** box with the value that's displayed behind the label **EntityID** on the **Zenya SAML2 info** page. This page is still open in your other browser tab.
- c. Fill the **Reply-URL** box with the value that's displayed behind the label **Reply URL** on the **iProva SAML2 info** page. This page is still open in your other browser tab.
+ c. Fill the **Reply-URL** box with the value that's displayed behind the label **Reply URL** on the **Zenya SAML2 info** page. This page is still open in your other browser tab.
-1. iProva application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.
+1. Zenya application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.
![image](common/default-attributes.png)
-1. In addition to above, iProva application expects few more attributes to be passed back in SAML response which are shown below. These attributes are also pre populated but you can review them as per your requirements.
+1. In addition to above, Zenya application expects few more attributes to be passed back in SAML response which are shown below. These attributes are also pre populated but you can review them as per your requirements.
| Name | Source Attribute| Namespace | | | -- | --|
In this section, you'll create a test user in the Azure portal called B.Simon.
## Assign the Azure AD test user
-In this section, you'll enable B.Simon to use Azure single sign-on by granting access to iProva.
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Zenya.
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
-1. In the applications list, select **iProva**.
+1. In the applications list, select **Zenya**.
1. In the app's overview page, find the **Manage** section and select **Users and groups**. 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog. 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen. 1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected. 1. In the **Add Assignment** dialog, click the **Assign** button.
-## Configure iProva SSO
+## Configure Zenya SSO
-1. Sign in to iProva by using the **Administrator** account.
+1. Sign in to Zenya by using the **Administrator** account.
2. Open the **Go to** menu.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
6. Scroll down to **Access control**.
- ![iProva Access control settings](media/iprova-tutorial/access-control.png)
+ ![Zenya Access control settings](media/iprova-tutorial/access-control.png)
7. Find the setting **Users are automatically logged on with their network accounts**, and change it to **Yes, authentication via SAML**. Additional options now appear.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
9. Select **Next**.
-10. iProva asks if you want to download federation data from a URL or upload it from a file. Select the **From URL** option.
+10. Zenya asks if you want to download federation data from a URL or upload it from a file. Select the **From URL** option.
![Download Azure AD metadata](media/iprova-tutorial/metadata.png)
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
18. You now return to the **Edit general settings** screen. Scroll down to the bottom of the page, and select **OK** to save your configuration.
-## Create iProva test user
+## Create Zenya test user
-1. Sign in to iProva by using the **Administrator** account.
+1. Sign in to Zenya by using the **Administrator** account.
2. Open the **Go to** menu.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
In this section, you test your Azure AD single sign-on configuration with following options.
-* Click on **Test this application** in Azure portal. This will redirect to iProva Sign-on URL where you can initiate the login flow.
+* Click on **Test this application** in Azure portal. This will redirect to Zenya Sign-on URL where you can initiate the login flow.
-* Go to iProva Sign-on URL directly and initiate the login flow from there.
+* Go to Zenya Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the iProva tile in the My Apps, this will redirect to iProva Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
+* You can use Microsoft My Apps. When you click the Zenya tile in the My Apps, this will redirect to Zenya Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure iProva you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
+Once you configure Zenya you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
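Review bot: In the rewritten "Next steps" sentence, "protects exfiltration and infiltration of your organization's sensitive data" says the opposite of what is meant; it should read "protects against exfiltration and infiltration". The apostrophe in "organization's" also shows up mis-encoded in this rendering, so check that the source file uses a plain ASCII apostrophe rather than a typographic one.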
active-directory Isams Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/isams-tutorial.md
Previously updated : 08/04/2020 Last updated : 06/10/2021
In this tutorial, you'll learn how to integrate iSAMS with Azure Active Director
* Enable your users to be automatically signed-in to iSAMS with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
+* iSAMS supports **SP and IDP** initiated SSO.
-* iSAMS supports **SP and IDP** initiated SSO
-* Once you configure iSAMS you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
-
-## Adding iSAMS from the gallery
+## Add iSAMS from the gallery
To configure the integration of iSAMS into Azure AD, you need to add iSAMS from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **iSAMS** in the search box. 1. Select **iSAMS** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. - ## Configure and test Azure AD SSO for iSAMS Configure and test Azure AD SSO with iSAMS using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in iSAMS.
-To configure and test Azure AD SSO with iSAMS, complete the following building blocks:
+To configure and test Azure AD SSO with iSAMS, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
To configure and test Azure AD SSO with iSAMS, complete the following building b
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **iSAMS** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **iSAMS** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
-1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, enter the values for the following fields:
+1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, perform the following steps:
a. In the **Identifier** text box, type a URL using the following pattern: `https://<SUBDOMAIN>.isams.cloud/main/sso/saml2`
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **iSAMS**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure iSAMS SSO
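Review bot: The replacement role step no longer says where the role is used. The removed line tied the selection to "any role value in the SAML assertion"; the new line only says "If you are expecting a role to be assigned to the users". If iSAMS reads the role from the assertion, keep that clause so readers know the choice here changes what the application receives at sign-in.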
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. Log in to iSAMS as an Administrator. 1. Navigate to the Control Panel and open the **Authentication** module.+ 1. From the right-hand menu, select **Identity Providers** ![Screenshot shows Active Directory Configuration with Identity Providers selected.](./media/isams-tutorial/click-identity-provider.png)
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
![Screenshot shows Identity Providers with Add Providers selected.](./media/isams-tutorial/add-identity-provider.png) - 1. Perform the following steps in the following page: ![Screenshot shows the Identity Providers Wizard where you can do the steps described.](./media/isams-tutorial/configure-isams.png)
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. Log in to iSAMS as an Administrator.
-2. Go to the **Control Panel Home** -> **Security & Permissions** -> **User Accounts** -> **User Options & Tasks** -> **Modify User Properties**
+2. Go to the **Control Panel Home** -> **Security & Permissions** -> **User Accounts** -> **User Options & Tasks** -> **Modify User Properties**.
![Screenshot shows the User Accounts page with Modify User Properties selected.](./media/isams-tutorial/modify-user-properties.png)
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
-When you click the iSAMS tile in the Access Panel, you should be automatically signed in to the iSAMS for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to iSAMS Sign on URL where you can initiate the login flow.
-## Additional resources
+* Go to iSAMS Sign-on URL directly and initiate the login flow from there.
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+#### IDP initiated:
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the iSAMS for which you set up the SSO.
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the iSAMS tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the iSAMS for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [Try iSAMS with Azure AD](https://aad.portal.azure.com/)
+## Next steps
-- [What is session control in Microsoft Cloud App Security?](/cloud-app-security/proxy-intro-aad)
+Once you configure iSAMS you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
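Review bot: Under `## Test SSO` the new subsections are added as `#### SP initiated:` and `#### IDP initiated:`, which skips a heading level and leaves a trailing colon in the heading text. Use `###` and drop the colon. In the same block, the first SP bullet says "iSAMS Sign on URL" while the second says "iSAMS Sign-on URL"; pick the hyphenated form used elsewhere in the article.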
active-directory Jitbit Helpdesk Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/jitbit-helpdesk-tutorial.md
Previously updated : 03/02/2021 Last updated : 06/09/2021 # Tutorial: Azure Active Directory integration with Jitbit Helpdesk
To get started, you need the following items:
* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/). * Jitbit Helpdesk single sign-on (SSO) enabled subscription.
+> [!NOTE]
+> This integration is also available to use from Azure AD US Government Cloud environment. You can find this application in the Azure AD US Government Cloud Application Gallery and configure it in the same way as you do from public cloud.
+ ## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
active-directory Mobi Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/mobi-tutorial.md
Previously updated : 02/25/2019 Last updated : 06/10/2021 # Tutorial: Azure Active Directory integration with MOBI
-In this tutorial, you learn how to integrate MOBI with Azure Active Directory (Azure AD).
-Integrating MOBI with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate MOBI with Azure Active Directory (Azure AD). When you integrate MOBI with Azure AD, you can:
-* You can control in Azure AD who has access to MOBI.
-* You can enable your users to be automatically signed-in to MOBI (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to MOBI.
+* Enable your users to be automatically signed-in to MOBI with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with MOBI, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* MOBI single sign-on enabled subscription
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* MOBI single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* MOBI supports **SP** and **IDP** initiated SSO
+* MOBI supports **SP** and **IDP** initiated SSO.
-## Adding MOBI from the gallery
+## Add MOBI from the gallery
To configure the integration of MOBI into Azure AD, you need to add MOBI from the gallery to your list of managed SaaS apps.
-**To add MOBI from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **MOBI**, select **MOBI** from result panel then click **Add** button to add the application.
-
- ![MOBI in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **MOBI** in the search box.
+1. Select **MOBI** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-In this section, you configure and test Azure AD single sign-on with MOBI based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in MOBI needs to be established.
+## Configure and test Azure AD SSO for MOBI
-To configure and test Azure AD single sign-on with MOBI, you need to complete the following building blocks:
+Configure and test Azure AD SSO with MOBI using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in MOBI.
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure MOBI Single Sign-On](#configure-mobi-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create MOBI test user](#create-mobi-test-user)** - to have a counterpart of Britta Simon in MOBI that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+To configure and test Azure AD SSO with MOBI, perform the following steps:
-### Configure Azure AD single sign-on
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure MOBI SSO](#configure-mobi-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create MOBI test user](#create-mobi-test-user)** - to have a counterpart of B.Simon in MOBI that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+## Configure Azure AD SSO
-To configure Azure AD single sign-on with MOBI, perform the following steps:
+Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **MOBI** application integration page, select **Single sign-on**.
+1. In the Azure portal, on the **MOBI** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Configure single sign-on link](common/select-sso.png)
-
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
-
- ![Single sign-on select mode](common/select-saml-option.png)
-
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, If you wish to configure the application in **IDP** initiated mode, perform the following steps:
- ![Screenshot shows the Basic SAML Configuration, where you can enter Identifier, Reply U R L, and select Save.](common/idp-intiated.png)
- a. In the **Identifier** text box, type a URL using the following pattern:
- `https://<subdomain>.thefutureis.mobi`
+ `https://<SUBDOMAIN>.thefutureis.mobi`
b. In the **Reply URL** text box, type a URL using the following pattern:
- `https://<subdomain>.thefutureis.mobi/saml_consume`
+ `https://<SUBDOMAIN>.thefutureis.mobi/saml_consume`
5. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
- ![Screenshot shows Set additional U R Ls where you can enter a Sign on U R L.](common/metadata-upload-additional-signon.png)
- In the **Sign-on URL** text box, type a URL using the following pattern:
- `https://<subdomain>.thefutureis.mobi/login`
+ `https://<SUBDOMAIN>.thefutureis.mobi/login`
> [!NOTE] > These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact [MOBI Client support team](mailto:sso@mobiwm.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
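Review bot: Steps 4 and 5 of the Basic SAML Configuration procedure keep their hard-coded numbers (`4. On the **Basic SAML Configuration** section, ...` and `5. Click **Set additional URLs** ...`) while the three steps added directly above them use `1.`. Renumber both as `1.` to match, and lowercase the "If" in "section, If you wish" while touching that line. The placeholder change to `<SUBDOMAIN>` is applied consistently across the Identifier, Reply URL and Sign-on URL patterns.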
To configure Azure AD single sign-on with MOBI, perform the following steps:
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
-
- b. Azure AD Identifier
-
- c. Logout URL
-
-### Configure MOBI Single Sign-On
-
-To configure single sign-on on **MOBI** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [MOBI support team](mailto:sso@mobiwm.com). They set this setting to have the SAML SSO connection set properly on both sides.
- ### Create an Azure AD test user
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type **brittasimon\@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
+In this section, you'll create a test user in the Azure portal called B.Simon.
- d. Click **Create**.
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
### Assign the Azure AD test user
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to MOBI.
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to MOBI.
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **MOBI**.
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **MOBI**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
- ![Enterprise applications blade](common/enterprise-applications.png)
+## Configure MOBI SSO
-2. In the applications list, select **MOBI**.
-
- ![The MOBI link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
+To configure single sign-on on **MOBI** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [MOBI support team](mailto:sso@mobiwm.com). They set this setting to have the SAML SSO connection set properly on both sides.
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
+### Create MOBI test user
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
+In this section, you create a user called Britta Simon in MOBI. Work with [MOBI support team](mailto:sso@mobiwm.com) to add the users in the MOBI platform. Users must be created and activated before you use single sign-on.
-7. In the **Add Assignment** dialog click the **Assign** button.
+## Test SSO
-### Create MOBI test user
+In this section, you test your Azure AD single sign-on configuration with following options.
-In this section, you create a user called Britta Simon in MOBI. Work with [MOBI support team](mailto:sso@mobiwm.com) to add the users in the MOBI platform. Users must be created and activated before you use single sign-on.
+#### SP initiated:
-### Test single sign-on
+* Click on **Test this application** in Azure portal. This will redirect to MOBI Sign on URL where you can initiate the login flow.
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+* Go to MOBI Sign-on URL directly and initiate the login flow from there.
-When you click the MOBI tile in the Access Panel, you should be automatically signed in to the MOBI for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+#### IDP initiated:
-## Additional Resources
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the MOBI for which you set up the SSO.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the MOBI tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the MOBI for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure MOBI you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
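Review bot: the test user is named inconsistently after this change. The Azure AD sections now create and assign `B.Simon`, but the added "Create MOBI test user" paragraph still says "you create a user called Britta Simon in MOBI". Since the tutorial relies on the Azure AD user being linked to its MOBI counterpart, use `B.Simon` there as well. Smaller points in the same region: "with following options" should read "with the following options", and the `#### SP initiated:` and `#### IDP initiated:` headings sit directly under `## Test SSO`, skipping a heading level and carrying a trailing colon.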
active-directory Promapp Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/promapp-tutorial.md
Previously updated : 01/30/2020 Last updated : 06/10/2021
In this tutorial, you'll learn how to integrate Nintex Promapp with Azure Active
* Enable your users to be automatically signed-in to Nintex Promapp with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Nintex Promapp supports **SP and IDP** initiated SSO
-* Nintex Promapp supports **Just In Time** user provisioning
+* Nintex Promapp supports **SP and IDP** initiated SSO.
+* Nintex Promapp supports **Just In Time** user provisioning.
+
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-## Adding Nintex Promapp from the gallery
+## Add Nintex Promapp from the gallery
To configure the integration of Nintex Promapp into Azure AD, you need to add Nintex Promapp from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Nintex Promapp** in the search box. 1. Select **Nintex Promapp** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on for Nintex Promapp
+## Configure and test Azure AD SSO for Nintex Promapp
Configure and test Azure AD SSO with Nintex Promapp using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Nintex Promapp.
-To configure and test Azure AD SSO with Nintex Promapp, complete the following building blocks:
+To configure and test Azure AD SSO with Nintex Promapp, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
- * **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
- * **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
1. **[Configure Nintex Promapp SSO](#configure-nintex-promapp-sso)** - to configure the single sign-on settings on application side.
- * **[Create Nintex Promapp test user](#create-nintex-promapp-test-user)** - to have a counterpart of B.Simon in Nintex Promapp that is linked to the Azure AD representation of user.
+ 1. **[Create Nintex Promapp test user](#create-nintex-promapp-test-user)** - to have a counterpart of B.Simon in Nintex Promapp that is linked to the Azure AD representation of user.
1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ## Configure Azure AD SSO Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Nintex Promapp** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **Nintex Promapp** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
-1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, enter the values for the following fields:
+1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, perform the following steps:
- 1. In the **Identifier** box, enter a URL in this pattern:
-
- ```https
- https://go.promapp.com/TENANTNAME/
- https://au.promapp.com/TENANTNAME/
- https://us.promapp.com/TENANTNAME/
- https://eu.promapp.com/TENANTNAME/
- https://ca.promapp.com/TENANTNAME/
- ```
+ 1. In the **Identifier** box, type one of the following URLs:
+
+ | Identifier URL |
+ |--|
+ |`https://go.promapp.com/TENANTNAME/`|
+ |`https://au.promapp.com/TENANTNAME/`|
+ |`https://us.promapp.com/TENANTNAME/`|
+ |`https://eu.promapp.com/TENANTNAME/`|
+ |`https://ca.promapp.com/TENANTNAME/`|
> [!NOTE] > Azure AD integration with Nintex Promapp is currently configured only for service-initiated authentication. (That is, going to a Nintex Promapp URL initiates the authentication process.) But the **Reply URL** field is a required field.
- 1. In the **Reply URL** box, enter a URL in this pattern:
-
- `https://<DOMAINNAME>.promapp.com/TENANTNAME/saml/authenticate.aspx`
+ 1. In the **Reply URL** box, type a URL using the following pattern:
+ `https://<DOMAIN_NAME>.promapp.com/TENANTNAME/saml/authenticate.aspx`
1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
- In the **Sign on URL** box, enter a URL in this pattern: `https://<DOMAINNAME>.promapp.com/TENANTNAME/saml/authenticate`
+ In the **Sign on URL** box, type a URL using the following pattern: `https://<DOMAIN_NAME>.promapp.com/TENANTNAME/saml/authenticate`
> [!NOTE] > These values are placeholders. You need to use the actual identifier, reply URL, and sign-on URL. Contact the [Nintex Promapp support team](https://www.promapp.com/about-us/contact-us/) to get the values. You can also refer to the patterns shown in the **Basic SAML Configuration** dialog box in the Azure portal.
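Review bot: the added note "Identifier of this application is a fixed string value so only one instance can be configured in one tenant" conflicts with the Identifier step changed in this same file, which lists five regional URLs that each contain a `TENANTNAME` segment and are followed by a note saying the values are placeholders. Either the identifier is fixed or it is tenant-specific; reconcile the two before merging. The new wording "type one of the following URLs" also reads as if the table entries were literal values, and the placeholder style is mixed (`TENANTNAME` bare, `<DOMAIN_NAME>` in angle brackets). The unchanged note that the integration is "currently configured only for service-initiated authentication" sits beside the bullet stating support for SP and IDP initiated SSO and is worth rechecking while this section is open.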
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **Nintex Promapp**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure Nintex Promapp SSO
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
2. In the menu at the top of the window, select **Admin**:
- ![Select Admin][12]
+ ![Select Admin](./media/promapp-tutorial/admin.png)
3. Select **Configure**:
- ![Select Configure][13]
+ ![Select Configure](./media/promapp-tutorial/configuration.png)
4. In the **Security** dialog box, take the following steps.
- ![Security dialog box][14]
+ ![Security dialog box](./media/promapp-tutorial/certificate.png)
1. Paste the **Login URL** that you copied from the Azure portal into the **SSO-Login URL** box.
In this section, a user called B.Simon is created in Nintex Promapp. Nintex Prom
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the Nintex Promapp tile in the Access Panel, you should be automatically signed in to the Nintex Promapp for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+#### SP initiated:
-## Additional resources
+* Click on **Test this application** in Azure portal. This will redirect to Nintex Promapp Sign on URL where you can initiate the login flow.
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+* Go to Nintex Promapp Sign-on URL directly and initiate the login flow from there.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+#### IDP initiated:
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Nintex Promapp for which you set up the SSO.
-- [Try Nintex Promapp with Azure AD](https://aad.portal.azure.com/)
+You can also use Microsoft My Apps to test the application in any mode. When you click the Nintex Promapp tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Nintex Promapp for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-<!--Image references-->
+## Next steps
-[12]: ./media/promapp-tutorial/tutorial_promapp_05.png
-[13]: ./media/promapp-tutorial/tutorial_promapp_06.png
-[14]: ./media/promapp-tutorial/tutorial_promapp_07.png
+Once you configure Nintex Promapp you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
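Review bot: the reference-style image definitions `[12]`, `[13]` and `[14]` removed here pointed at `tutorial_promapp_05.png` through `tutorial_promapp_07.png`, while the inline links added earlier in this file use `admin.png`, `configuration.png` and `certificate.png`. The diff shows only the path change, so confirm the renamed media files are part of the same commit, otherwise the three screenshots break. In the Test SSO text, "with following options" needs "the", and the `####` headings under `## Test SSO` skip a level.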
active-directory Resource Central Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/resource-central-tutorial.md
Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Resource Central | Microsoft Docs'
-description: Learn how to configure single sign-on between Azure Active Directory and Resource Central.
+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Resource Central ΓÇô SAML SSO for Meeting Room Booking System | Microsoft Docs'
+description: Learn how to configure single sign-on between Azure Active Directory and Resource Central ΓÇô SAML SSO for Meeting Room Booking System.
Previously updated : 01/13/2021 Last updated : 06/07/2021
-# Tutorial: Azure Active Directory single sign-on (SSO) integration with Resource Central
+# Tutorial: Azure Active Directory single sign-on (SSO) integration with Resource Central ΓÇô SAML SSO for Meeting Room Booking System
-In this tutorial, you'll learn how to integrate Resource Central with Azure Active Directory (Azure AD). When you integrate Resource Central with Azure AD, you can:
+In this tutorial, you'll learn how to integrate Resource Central ΓÇô SAML SSO for Meeting Room Booking System with Azure Active Directory (Azure AD). When you integrate Resource Central ΓÇô SAML SSO for Meeting Room Booking System with Azure AD, you can:
-* Control in Azure AD who has access to Resource Central.
-* Enable your users to be automatically signed-in to Resource Central with their Azure AD accounts.
+* Control in Azure AD who has access to Resource Central ΓÇô SAML SSO for Meeting Room Booking System.
+* Enable your users to be automatically signed-in to Resource Central ΓÇô SAML SSO for Meeting Room Booking System with their Azure AD accounts.
* Manage your accounts in one central location - the Azure portal. ## Prerequisites
In this tutorial, you'll learn how to integrate Resource Central with Azure Acti
To get started, you need the following items: * An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
-* Resource Central single sign-on (SSO) enabled subscription.
+* Resource Central ΓÇô SAML SSO for Meeting Room Booking System single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Resource Central supports **SP** initiated SSO
+* Resource Central ΓÇô SAML SSO for Meeting Room Booking System supports **SP** initiated SSO
-* Resource Central supports **Just In Time** user provisioning
+* Resource Central ΓÇô SAML SSO for Meeting Room Booking System supports **Just In Time** user provisioning
-## Add Resource Central from the gallery
+## Add Resource Central ΓÇô SAML SSO for Meeting Room Booking System from the gallery
-To configure the integration of Resource Central into Azure AD, you need to add Resource Central from the gallery to your list of managed SaaS apps.
+To configure the integration of Resource Central ΓÇô SAML SSO for Meeting Room Booking System into Azure AD, you need to add Resource Central ΓÇô SAML SSO for Meeting Room Booking System from the gallery to your list of managed SaaS apps.
1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account. 1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add a new application, select **New application**.
-1. In the **Add from the gallery** section, in the search box, enter **Resource Central**.
-1. Select **Resource Central** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
+1. In the **Add from the gallery** section, in the search box, enter **Resource Central ΓÇô SAML SSO for Meeting Room Booking System**.
+1. Select **Resource Central ΓÇô SAML SSO for Meeting Room Booking System** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD SSO for Resource Central
+## Configure and test Azure AD SSO for Resource Central ΓÇô SAML SSO for Meeting Room Booking System
-Configure and test Azure AD SSO with Resource Central using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Resource Central.
+Configure and test Azure AD SSO with Resource Central ΓÇô SAML SSO for Meeting Room Booking System using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Resource Central ΓÇô SAML SSO for Meeting Room Booking System.
-To configure and test Azure AD SSO with Resource Central, perform the following steps:
+To configure and test Azure AD SSO with Resource Central ΓÇô SAML SSO for Meeting Room Booking System, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon. 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
- 1. **[Create Resource Central test user](#create-resource-central-test-user)** - to have a counterpart of B.Simon in Resource Central that is linked to the Azure AD representation of user.
-1. **[Configure Resource Central SSO](#configure-resource-central-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Resource Central SAML SSO for Meeting Room Booking System test user](#create-resource-central-saml-sso-for-meeting-room-booking-system-test-user)** - to have a counterpart of B.Simon in Resource Central ΓÇô SAML SSO for Meeting Room Booking System that is linked to the Azure AD representation of user.
+1. **[Configure Resource Central SAML SSO for Meeting Room Booking System SSO](#configure-resource-central-saml-sso-for-meeting-room-booking-system-sso)** - to configure the single sign-on settings on application side.
1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ## Configure Azure AD SSO Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the Azure portal, on the **Resource Central** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **Resource Central ΓÇô SAML SSO for Meeting Room Booking System** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**. 1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
Follow these steps to enable Azure AD SSO in the Azure portal.
1. In the **Reply URL** text box, type a URL using the following pattern: `https://<DOMAIN_NAME>/ResourceCentral/ExAuth/Saml2Authentication/Acs` > [!NOTE]
- > These values are not literal values. Update these values with the actual Sign-on URL, Identifier, and Reply URL values. Contact [Resource Central Client support team](mailto:st@aod.vn) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+ > These values are not literal values. Update these values with the actual Sign-on URL, Identifier, and Reply URL values. Contact [Resource Central ΓÇô SAML SSO for Meeting Room Booking System Client support team](mailto:st@aod.vn) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
1. On the **Set up single sign-on with SAML** page, in **SAML Signing Certificate**, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer. ![The Certificate download link](common/certificatebase64.png)
-1. In **Set up Resource Central**, copy the appropriate URL(s) based on your requirement.
+1. In **Set up Resource Central ΓÇô SAML SSO for Meeting Room Booking System**, copy the appropriate URL(s) based on your requirement.
![Copy configuration URLs](common/copy-configuration-urls.png)
In this section, you'll create a test user called B.Simon in the Azure portal.
### Assign the Azure AD test user
-In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Resource Central.
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Resource Central ΓÇô SAML SSO for Meeting Room Booking System.
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
-1. In the applications list, select **Resource Central**.
+1. In the applications list, select **Resource Central ΓÇô SAML SSO for Meeting Room Booking System**.
1. In the app's overview page, find the **Manage** section and select **Users and groups**. 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** pane. 1. In the **Users and groups** pane, select **B.Simon** from the **Users** list, then click the **Select** button at the bottom of the screen. 1. If you are expecting a role to be assigned to the users, you can select it in **Select a role**. If no role has been set up for this app, you see **Default Access** role selected. 1. In the **Add Assignment** pane, click the **Assign** button.
-### Create Resource Central test user
+### Create Resource Central SAML SSO for Meeting Room Booking System test user
-In this section, a user called **B.Simon** is created in **Resource Central**.
+In this section, a user called **B.Simon** is created in **Resource Central ΓÇô SAML SSO for Meeting Room Booking System**.
-1. In Resource Central, select **Security** > **Persons** > **New**.
+1. In Resource Central ΓÇô SAML SSO for Meeting Room Booking System, select **Security** > **Persons** > **New**.
:::image type="content" source="./media/resource-central/new-person.png" alt-text="Screenshot that shows the Persons pane in Resource Central, with the New button highlighted.":::
In this section, a user called **B.Simon** is created in **Resource Central**.
:::image type="content" source="./media/resource-central/person.png" alt-text="Screenshot that shows the Person Details pane in Resource Central.":::
-## Configure Resource Central SSO
+## Configure Resource Central SAML SSO for Meeting Room Booking System SSO
In this section, you'll configure single sign-on in **Resource Central System Administrator**.
-1. In Resource Central System Administrator, select **External Authentication**.
+1. In Resource Central ΓÇô SAML SSO for Meeting Room Booking System System Administrator, select **External Authentication**.
1. For **Enable Configuration**, select **Yes**.
- ![Screenshot that shows the Enable Configuration option selected in the External Authentication pane in Resource Central.](./media/resource-central/enable.png)
+ ![Screenshot that shows the Enable Configuration option selected in the External Authentication pane in Resource Central ΓÇô SAML SSO for Meeting Room Booking System.](./media/resource-central/enable.png)
1. In **Authentication Protocol**, select **SAML2**.
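Review bot: the product rename looks like a mechanical search and replace and leaves awkward strings in this hunk. The step "In Resource Central ... Meeting Room Booking System System Administrator" doubles the word "System", and the new heading "Configure Resource Central SAML SSO for Meeting Room Booking System SSO" repeats "SSO". The unchanged intro sentence still refers to "Resource Central System Administrator", and the `alt-text` values on the nearby `:::image` lines still say "Resource Central", so the page now uses two names for the same product. Consider introducing the full gallery name once and using a short form afterwards, and keep the administrator tool's name as the product itself displays it.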
In this section, you'll configure single sign-on in **Resource Central System Ad
:::image type="content" source="./media/resource-central/auth.png" alt-text="Screenshot of the SAML2 Configuration pane in Resource Central.":::
- Copy the URLs from the **Set up Resource Central** pane:
+ Copy the URLs from the **Set up Resource Central ΓÇô SAML SSO for Meeting Room Booking System** pane:
:::image type="content" source="./media/resource-central/setup.png" alt-text="Screenshot of the Set up Resource Central pane in Resource Central.":::
In this section, you'll configure single sign-on in **Resource Central System Ad
1. For **Certificate**, upload your certificate and enter your password.
- ![Screenshot of the certificate section in Resource Central.](./media/resource-central/cert.png)
+ ![Screenshot of the certificate section in Resource Central ΓÇô SAML SSO for Meeting Room Booking System.](./media/resource-central/cert.png)
1. Select **Save**.
In this section, you'll configure single sign-on in **Resource Central System Ad
In this section, you test your Azure AD single sign-on configuration. To test single sign-on, you have three options:
-* In the Azure portal, select **Test this application**. The link redirects to the Resource Central sign-on URL, where you can initiate login.
+* In the Azure portal, select **Test this application**. The link redirects to the Resource Central ΓÇô SAML SSO for Meeting Room Booking System sign-on URL, where you can initiate login.
-* Go to the Resource Central sign-on URL directly and initiate login.
+* Go to the Resource Central ΓÇô SAML SSO for Meeting Room Booking System sign-on URL directly and initiate login.
:::image type="content" source="./media/resource-central/test.png" alt-text="Screenshot of the Resource Central single sign-on test webpage.":::
-* Use the My Apps portal from Microsoft. In the My Apps portal, select the **Resource Central** tile to redirect to the Resource Central sign-on URL. For more information, see [Sign in and start apps from the My Apps portal](../user-help/my-apps-portal-end-user-access.md).
+* Use the My Apps portal from Microsoft. In the My Apps portal, select the **Resource Central ΓÇô SAML SSO for Meeting Room Booking System** tile to redirect to the Resource Central ΓÇô SAML SSO for Meeting Room Booking System sign-on URL. For more information, see [Sign in and start apps from the My Apps portal](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-After you set up Resource Central for single sign-on with Azure AD, you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
+After you set up Resource Central ΓÇô SAML SSO for Meeting Room Booking System for single sign-on with Azure AD, you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory Samanage Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/samanage-tutorial.md
Previously updated : 05/13/2021 Last updated : 06/09/2021 # Tutorial: Azure Active Directory integration with SolarWinds Service Desk (previously Samanage)
To get started, you need the following items:
* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/). * SolarWinds single sign-on (SSO) enabled subscription.
+> [!NOTE]
+> This integration is also available to use from Azure AD US Government Cloud environment. You can find this application in the Azure AD US Government Cloud Application Gallery and configure it in the same way as you do from public cloud.
+ ## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
active-directory Spotinst Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/spotinst-tutorial.md
Previously updated : 01/03/2020 Last updated : 06/10/2021
In this tutorial, you'll learn how to integrate Spotinst with Azure Active Direc
* Enable your users to be automatically signed-in to Spotinst with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Spotinst supports **SP and IDP** initiated SSO
+* Spotinst supports **SP and IDP** initiated SSO.
+
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-## Adding Spotinst from the gallery
+## Add Spotinst from the gallery
To configure the integration of Spotinst into Azure AD, you need to add Spotinst from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Spotinst** in the search box. 1. Select **Spotinst** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on for Spotinst
+## Configure and test Azure AD SSO for Spotinst
Configure and test Azure AD SSO with Spotinst using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Spotinst.
-To configure and test Azure AD SSO with Spotinst, complete the following building blocks:
+To configure and test Azure AD SSO with Spotinst, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
- * **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
- * **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
1. **[Configure Spotinst SSO](#configure-spotinst-sso)** - to configure the single sign-on settings on application side.
- * **[Create Spotinst test user](#create-spotinst-test-user)** - to have a counterpart of B.Simon in Spotinst that is linked to the Azure AD representation of user.
+ 1. **[Create Spotinst test user](#create-spotinst-test-user)** - to have a counterpart of B.Simon in Spotinst that is linked to the Azure AD representation of user.
1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ## Configure Azure AD SSO Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Spotinst** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **Spotinst** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
-1. In the **Basic SAML Configuration** section, if you want to configure the application in IDP initiated mode, complete these steps:
+1. In the **Basic SAML Configuration** section, if you want to configure the application in IDP initiated mode, perform the following steps:
1. Make sure **Reply URL** is set to: https://console.spotinst.com/auth/saml. 1. In **Relay State**, enter your Spotinst Organization ID, which you can also confirm on the **SSO** tab.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **Spotinst**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure Spotinst SSO
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
2. Click on the **user icon** on the top right side of the screen and click **Settings**.
- ![Screenshot shows Settings selected from the User icon.](./media/spotinst-tutorial/tutorial_spotinst_settings.png)
+ ![Screenshot shows Settings selected from the User icon.](./media/spotinst-tutorial/settings.png)
3. Click on the **SECURITY** tab on the top and then select **Identity Providers** and perform the following steps:
- ![Spotinst security](./media/spotinst-tutorial/tutorial_spotinst_security.png)
+ ![Spotinst security](./media/spotinst-tutorial/security.png)
a. Copy the **Relay State** value for your instance and paste it in **Relay State** textbox in **Basic SAML Configuration** section on Azure portal.
The objective of this section is to create a user called Britta Simon in Spotins
b. Click on the **user icon** on the top right side of the screen and click **Settings**.
- ![Screenshot shows Settings selected from the User icon.](./media/spotinst-tutorial/tutorial_spotinst_settings.png)
+ ![Screenshot shows Settings selected from the User icon.](./media/spotinst-tutorial/settings.png)
c. Click **Users** and select **ADD USER**.
- ![Screenshot shows ADD USER selected from Users.](./media/spotinst-tutorial/adduser1.png)
+ ![Screenshot shows ADD USER selected from Users.](./media/spotinst-tutorial/add-user.png)
d. On the add user section, perform the following steps:
- ![Screenshot shows the Add user section where you can enter the values described.](./media/spotinst-tutorial/adduser2.png)
+ ![Screenshot shows the Add user section where you can enter the values described.](./media/spotinst-tutorial/new-user.png)
- * In the **Full Name** textbox, enter the full name of user like `BrittaSimon`.
+ 1. In the **Full Name** textbox, enter the full name of user like `BrittaSimon`.
- * In the **Email** textbox, enter the email address of the user like `brittasimon@contoso.com`.
+ 1. In the **Email** textbox, enter the email address of the user like `brittasimon@contoso.com`.
- * Select your organization-specific details for the **Organization Role, Account Role, and Accounts**.
+ 1. Select your organization-specific details for the **Organization Role, Account Role, and Accounts**.
2. If you have configured the application in the **IDP** initiated mode, There is no action item for you in this section. Spotinst supports just-in-time provisioning, which is by default enabled. A new user is created during an attempt to access Spotinst if it doesn't exist yet. ## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
+
+* Click on **Test this application** in Azure portal. This will redirect to Spotinst Sign on URL where you can initiate the login flow.
-When you click the Spotinst tile in the Access Panel, you should be automatically signed in to the Spotinst for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Go to Spotinst Sign-on URL directly and initiate the login flow from there.
-## Additional resources
+#### IDP initiated:
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Spotinst for which you set up the SSO.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the Spotinst tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Spotinst for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+## Next steps
-- [Try Spotinst with Azure AD](https://aad.portal.azure.com/)
+Once you configure Spotinst you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
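Review bot: The new **Next steps** link in this hunk points to `/cloud-app-security/proxy-deployment-aad`, while the other tutorials in this update that carry the same sentence (Resource Central, Styleflow, WAN-Sign) point to `/cloud-app-security/proxy-deployment-any-app`. Please confirm which target is intended for Spotinst so readers land on the matching session-control deployment guide. The removed "Additional resources" list also held the only link to the Conditional Access overview, and the new paragraph mentions Conditional Access without linking it. Consider keeping that link. Minor: `#### SP initiated:` and `#### IDP initiated:` sit directly under `## Test SSO`, skipping a heading level, and the trailing colons are not used in the other headings.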
active-directory Styleflow Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/styleflow-tutorial.md
+
+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Styleflow | Microsoft Docs'
+description: Learn how to configure single sign-on between Azure Active Directory and Styleflow.
++++++++ Last updated : 06/10/2021++++
+# Tutorial: Azure Active Directory single sign-on (SSO) integration with Styleflow
+
+In this tutorial, you'll learn how to integrate Styleflow with Azure Active Directory (Azure AD). When you integrate Styleflow with Azure AD, you can:
+
+* Control in Azure AD who has access to Styleflow.
+* Enable your users to be automatically signed-in to Styleflow with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
+
+## Prerequisites
+
+To get started, you need the following items:
+
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Styleflow single sign-on (SSO) enabled subscription.
+
+## Scenario description
+
+In this tutorial, you configure and test Azure AD SSO in a test environment.
+
+* Styleflow supports **SP** initiated SSO.
+
+## Adding Styleflow from the gallery
+
+To configure the integration of Styleflow into Azure AD, you need to add Styleflow from the gallery to your list of managed SaaS apps.
+
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Styleflow** in the search box.
+1. Select **Styleflow** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
++
+## Configure and test Azure AD SSO for Styleflow
+
+Configure and test Azure AD SSO with Styleflow using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Styleflow.
+
+To configure and test Azure AD SSO with Styleflow, perform the following steps:
+
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Styleflow SSO](#configure-styleflow-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Styleflow test user](#create-styleflow-test-user)** - to have a counterpart of B.Simon in Styleflow that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
+
+## Configure Azure AD SSO
+
+Follow these steps to enable Azure AD SSO in the Azure portal.
+
+1. In the Azure portal, on the **Styleflow** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
+
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
+
+1. On the **Basic SAML Configuration** section, enter the values for the following fields:
+
+ a. In the **Identifier** box, type a URL using the following pattern:
+ `https://www.styleflow.jp/kumade/services/trust/<DOMAIN_ID>`
+
+ b. In the **Reply URL** text box, type a URL using the following pattern:
+ `https://www.styleflow.jp/kumade/saml@<DOMAIN_ID>?serviceid=cupflow`
+
+ c. In the **Sign-on URL** text box, type a URL using the following pattern:
+ ` https://www.styleflow.jp/kumade/samls@<DOMAIN_ID>`
+
+ > [!NOTE]
+ > These values are not real. Update these values with the actual Identifier, Reply URL and Sign-On URL. Contact [Styleflow Client support team](mailto:styleflow-support@tdc.co.jp) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+
+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.
+
+ ![The Certificate download link](common/certificatebase64.png)
+
+1. On the **Set up Styleflow** section, copy the appropriate URL(s) based on your requirement.
+
+ ![Copy configuration URLs](common/copy-configuration-urls.png)
+
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
+
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Styleflow.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Styleflow**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure Styleflow SSO
+
+To configure single sign-on on **Styleflow** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [Styleflow support team](mailto:styleflow-support@tdc.co.jp). They set this setting to have the SAML SSO connection set properly on both sides.
+
+### Create Styleflow test user
+
+In this section, you create a user called Britta Simon in Styleflow. Work with [Styleflow support team](mailto:styleflow-support@tdc.co.jp) to add the users in the Styleflow platform. Users must be created and activated before you use single sign-on.
+
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+* Click on Test this application in Azure portal. This will redirect to Check Point Styleflow Sign-on URL where you can initiate the login flow.
+
+* Go to Check Point Styleflow Sign-on URL directly and initiate the login flow from there.
+
+* You can use Microsoft My Apps. When you click the Check Point Styleflow tile in the My Apps, this will redirect to Check Point Styleflow Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
+
+## Next steps
+
+Once you configure Styleflow you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
++
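Review bot: In **Test SSO**, all three bullets name the product "Check Point Styleflow" ("This will redirect to Check Point Styleflow Sign-on URL"), but every other section of this new article calls it "Styleflow". This looks carried over from another tutorial and should read "Styleflow". In step c of **Basic SAML Configuration**, the Sign-on URL pattern has a leading space inside the code span (` https://www.styleflow.jp/kumade/samls@<DOMAIN_ID>`). A reader who copies it pastes that space into the portal field, so remove it. Style: "Test this application" is not bolded here as it is in the Spotinst change, and the heading "Adding Styleflow from the gallery" uses the form that the Spotinst and Wandera changes in this same update rename to "Add ... from the gallery".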
active-directory Wan Sign Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/wan-sign-tutorial.md
+
+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with WAN-Sign | Microsoft Docs'
+description: Learn how to configure single sign-on between Azure Active Directory and WAN-Sign.
++++++++ Last updated : 06/09/2021++++
+# Tutorial: Azure Active Directory single sign-on (SSO) integration with WAN-Sign
+
+In this tutorial, you'll learn how to integrate WAN-Sign with Azure Active Directory (Azure AD). When you integrate WAN-Sign with Azure AD, you can:
+
+* Control in Azure AD who has access to WAN-Sign.
+* Enable your users to be automatically signed-in to WAN-Sign with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
+
+## Prerequisites
+
+To get started, you need the following items:
+
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* WAN-Sign single sign-on (SSO) enabled subscription.
+
+## Scenario description
+
+In this tutorial, you configure and test Azure AD SSO in a test environment.
++
+* WAN-Sign supports **IDP** initiated SSO.
+
+## Adding WAN-Sign from the gallery
+
+To configure the integration of WAN-Sign into Azure AD, you need to add WAN-Sign from the gallery to your list of managed SaaS apps.
+
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **WAN-Sign** in the search box.
+1. Select **WAN-Sign** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
++
+## Configure and test Azure AD SSO for WAN-Sign
+
+Configure and test Azure AD SSO with WAN-Sign using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in WAN-Sign.
+
+To configure and test Azure AD SSO with WAN-Sign, perform the following steps:
+
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure WAN-Sign SSO](#configure-wan-sign-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create WAN-Sign test user](#create-wan-sign-test-user)** - to have a counterpart of B.Simon in WAN-Sign that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
+
+## Configure Azure AD SSO
+
+Follow these steps to enable Azure AD SSO in the Azure portal.
+
+1. In the Azure portal, on the **WAN-Sign** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
+
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
+
+1. On the **Set up single sign-on with SAML** page, enter the values for the following fields:
+
+ a. In the **Identifier** text box, type a URL using the following pattern:
+ `https://service10.wanbishi.ne.jp/saml/metadata/azuread/<CUSTOMER_ID>`
+
+ b. In the **Reply URL** text box, type a URL using the following pattern:
+ `https://service10.wanbishi.ne.jp/saml/azuread/<CUSTOMER_ID>`
+
+ > [!NOTE]
+ > These values are not real. Update these values with the actual Identifier and Reply URL. Contact [WAN-Sign Client support team](mailto:wansign-help@wanbishi.ne.jp) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+
+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.
+
+ ![The Certificate download link](common/certificatebase64.png)
+
+1. On the **Set up WAN-Sign** section, copy the appropriate URL(s) based on your requirement.
+
+ ![Copy configuration URLs](common/copy-configuration-urls.png)
+
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
+
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to WAN-Sign.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **WAN-Sign**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure WAN-Sign SSO
+
+To configure single sign-on on **WAN-Sign** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [WAN-Sign support team](mailto:wansign-help@wanbishi.ne.jp). They set this setting to have the SAML SSO connection set properly on both sides.
+
+### Create WAN-Sign test user
+
+In this section, you create a user called Britta Simon in WAN-Sign. Work with [WAN-Sign support team](mailto:wansign-help@wanbishi.ne.jp) to add the users in the WAN-Sign platform. Users must be created and activated before you use single sign-on.
+
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+* Click on Test this application in Azure portal and you should be automatically signed in to the WAN-Sign for which you set up the SSO
+
+* You can use Microsoft My Apps. When you click the WAN-Sign tile in the My Apps, you should be automatically signed in to the WAN-Sign for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
++
+## Next steps
+
+Once you configure WAN-Sign you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
++
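Review bot: Step 4 of **Configure Azure AD SSO** reads "On the **Set up single sign-on with SAML** page, enter the values for the following fields", but the Identifier and Reply URL fields belong to the **Basic SAML Configuration** section opened in step 3, and the note under the step refers to that section as well. Suggest "On the **Basic SAML Configuration** section, enter the values for the following fields", which matches the Styleflow article added in this update. In **Test SSO**, the first bullet has no closing period and "Test this application" is not bolded. The heading "Adding WAN-Sign from the gallery" uses the form that the Spotinst and Wandera changes here rename to "Add ... from the gallery".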
active-directory Wandera Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/wandera-tutorial.md
Previously updated : 08/27/2020 Last updated : 06/10/2021
In this tutorial, you'll learn how to integrate Wandera RADAR Admin with Azure A
* Enable your users to be automatically signed-in to Wandera RADAR Admin with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Wandera RADAR Admin supports **IDP** initiated SSO
-* Once you configure Wandera RADAR Admin you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
+* Wandera RADAR Admin supports **IDP** initiated SSO.
+
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-## Adding Wandera RADAR Admin from the gallery
+## Add Wandera RADAR Admin from the gallery
To configure the integration of Wandera RADAR Admin into Azure AD, you need to add Wandera RADAR Admin from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Wandera RADAR Admin** in the search box. 1. Select **Wandera RADAR Admin** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. -
-## Configure and test Azure AD SSO
+## Configure and test Azure AD SSO for Wandera RADAR Admin
Configure and test Azure AD SSO with Wandera RADAR Admin using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Wandera RADAR Admin.
-To configure and test Azure AD SSO with Wandera RADAR Admin, complete the following building blocks:
+To configure and test Azure AD SSO with Wandera RADAR Admin, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
- * **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
- * **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
1. **[Configure Wandera RADAR Admin SSO](#configure-wandera-radar-admin-sso)** - to configure the Single Sign-On settings on application side.
- * **[Create Wandera RADAR Admin test user](#create-wandera-radar-admin-test-user)** - to have a counterpart of B.Simon in Wandera RADAR Admin that is linked to the Azure AD representation of user.
+ 1. **[Create Wandera RADAR Admin test user](#create-wandera-radar-admin-test-user)** - to have a counterpart of B.Simon in Wandera RADAR Admin that is linked to the Azure AD representation of user.
1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-### Configure Azure AD SSO
+## Configure Azure AD SSO
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Wandera RADAR Admin** application integration page, find the **Manage** section and select **Single sign-on**.
+1. In the Azure portal, on the **Wandera RADAR Admin** application integration page, find the **Manage** section and select **Single sign-on**.
1. On the **Select a Single sign-on method** page, select **SAML**.
-1. On the **Set up Single Sign-On with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up Single Sign-On with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
-1. On the **Basic SAML Configuration** section, enter the values for the following fields:
+1. On the **Basic SAML Configuration** section, perform the following step:
In the **Reply URL** text box, type a URL using the following pattern:
- `https://radar.wandera.com/saml/acs/<tenant id>`
+ `https://radar.wandera.com/saml/acs/<TENANT_ID>`
> [!NOTE] > The value is not real. Update the value with the actual Reply URL. Contact [Wandera RADAR Admin Client support team](https://www.wandera.com/about-wandera/contact/#supportsection) to get the value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal. Carefully replace the <tenant id> part of the above URL with the Tenant ID shown in the **Settings** > **Administration** > **Single Sign-On** page within your Wandera account. - 1. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer. ![The Certificate download link](common/metadataxml.png)
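Review bot: The Reply URL placeholder is renamed from `<tenant id>` to `<TENANT_ID>`, but the note directly below it still tells the reader to "Carefully replace the <tenant id> part of the above URL". Update the note in the same change so the placeholder it names matches the pattern shown. A mismatch makes it easier to leave the literal placeholder in the Reply URL.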
-1. On the **Set up Single Sign-On with SAML** page, click the edit/pen icon for **SAML Signing Certificate** to edit the settings.
+1. On the **Set up Single Sign-On with SAML** page, click the pencil icon for **SAML Signing Certificate** to edit the settings.
![Signing Option](common/signing-option.png)
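Review bot: The Reply URL pattern now uses `<TENANT_ID>`, but the unchanged note directly under it still tells the reader to replace "the <tenant id> part of the above URL". Update the note to use `<TENANT_ID>` so the instruction matches the pattern it refers to. A wrong tenant ID in this URL sends the SAML response to the wrong assertion consumer endpoint, so the two should not drift apart.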
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **Wandera RADAR Admin**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure Wandera RADAR Admin SSO
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
4. On the top-right corner of the page, click on **Settings** > **Administration** > **Single Sign-On** and then check the option **Enable SAML 2.0** to perform the following steps.
- ![Wandera RADAR Admin configuration](./media/wandera-tutorial/config01.png)
+ ![Wandera RADAR Admin configuration](./media/wandera-tutorial/configure.png)
a. Click on **Or manually enter the required fields**.
In this section, you create a user called B.Simon in Wandera RADAR Admin. Work w
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
-
-When you click the Wandera RADAR Admin tile in the Access Panel, you should be automatically signed in to the Wandera RADAR Admin for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+In this section, you test your Azure AD single sign-on configuration with following options.
-## Additional resources
+* Click on Test this application in Azure portal and you should be automatically signed in to the Wandera RADAR Admin for which you set up the SSO.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the Wandera RADAR Admin tile in the My Apps, you should be automatically signed in to the Wandera RADAR Admin for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Wandera RADAR Admin you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
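Review bot: The added Next steps sentence says session control "protects exfiltration and infiltration" of data, which reads as the opposite of what is meant; use "protects against exfiltration and infiltration". In the same line the apostrophe in "organization's" is a non-ASCII character that shows up garbled here, so replace it with a plain apostrophe. In the Test SSO intro, "with following options" needs "the", and "Test this application" should be bold like the other UI labels on this page.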
active-directory Security Info Setup Auth App https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/user-help/security-info-setup-auth-app.md
Previously updated : 02/13/2019 Last updated : 06/10/2021
If you no longer want to use your authenticator app as a security info method, y
If you want the authenticator app to be the default method used when you sign-in to your work or school account using two-factor verification or for password reset requests, you can set it from the Security **info** page.
+>[!NOTE]
+>If your default sign-in method is a text or call to your phone number, then the SMS code or voice call is sent automatically during multifactor authentication. As of June 2021, some apps will ask users to choose **Text** or **Call** first. This option prevents sending too many security codes for different apps. If your default sign-in method is the Microsoft Authenticator app ([which we highly recommend](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/it-s-time-to-hang-up-on-phone-transports-for-authentication/ba-p/1751752)), then the app notification is sent automatically.
+ ### To change your default security info method 1. On the **Security info** page, select the **Change** link next to the **Default sign-in method** information.
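Review bot: The added note says "multifactor authentication" while the unchanged sentence just above it says "two-factor verification"; pick one term so readers don't take them for two different features. "As of June 2021, some apps will ask users to choose **Text** or **Call** first" is also hard to act on without saying which apps are meant or what the prompt looks like.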
active-directory Sms Sign In Explainer https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/user-help/sms-sign-in-explainer.md
Previously updated : 01/21/2021 Last updated : 06/10/2021
api-management Api Management Howto Integrate Internal Vnet Appgateway https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/api-management-howto-integrate-internal-vnet-appgateway.md
Title: How to use API Management in Virtual Network with Application Gateway
+ Title: How to use API Management in a virtual network with Azure Application Gateway
-description: Learn how to setup and configure Azure API Management in Internal Virtual Network with Application Gateway (WAF) as FrontEnd
+description: Set up and configure Azure API Management in an internal virtual network with Application Gateway (Web Application Firewall) as a front end
documentationcenter: '' - -- Previously updated : 11/04/2019--++ Last updated : 06/10/2021+
-# Integrate API Management in an internal VNET with Application Gateway
+# Integrate API Management in an internal virtual network with Application Gateway
-## <a name="overview"> </a> Overview
+You can configure the API Management service in a [virtual network in internal mode](api-management-using-with-internal-vnet.md), making it accessible only within the virtual network. [Azure Application Gateway](../application-gateway/overview.md) is a PaaS service, acting as a Layer-7 load balancer. It acts as a reverse-proxy service and provides among its offerings a Web Application Firewall (WAF).
-The API Management service can be configured in a Virtual Network in internal mode, which makes it accessible only from within the Virtual Network. Azure Application Gateway is a PAAS Service, which provides a Layer-7 load balancer. It acts as a reverse-proxy service and provides among its offering a Web Application Firewall (WAF).
-
-Combining API Management provisioned in an internal VNET with the Application Gateway frontend enables the following scenarios:
+By combining API Management provisioned in an internal virtual network with the Application Gateway front end, you can:
* Use the same API Management resource for consumption by both internal consumers and external consumers. * Use a single API Management resource and have a subset of APIs defined in API Management available for external consumers.
-* Provide a turn-key way to switch access to API Management from the public Internet on and off.
+* Provide a turnkey way to switch access to API Management from the public internet on and off.
+
+> [!NOTE]
+> This article has been updated to use the [Application Gateway WAF_v2 SKU](../application-gateway/application-gateway-autoscaling-zone-redundant.md).
[!INCLUDE [premium-dev.md](../../includes/api-management-availability-premium-dev.md)]
To follow the steps described in this article, you must have:
[!INCLUDE [quickstarts-free-trial-note](../../includes/quickstarts-free-trial-note.md)]
-* Certificates - pfx and cer for the API hostname and pfx for the developer portal's hostname.
+* Certificates
+ - PFX files for the API Management service's custom hostnames: gateway, developer portal, and management endpoint.
+ - A CER file for the root certificate of the PFX certificates.
+
+ For more information, see [Certificates for the backend](../application-gateway/certificates-for-backend-authentication.md). For testing purposes, optionally generate [self-signed certificates](../application-gateway/self-signed-certificates.md).
+* The latest version of Azure PowerShell. If you haven't already, [install Azure PowerShell](/powershell/azure/install-az-ps).
-## <a name="scenario"> </a> Scenario
+## Scenario
-This article covers how to use a single API Management service for both internal and external consumers and make it act as a single frontend for both on premises and cloud APIs. You will also see how to expose only a subset of your APIs (in the example they are highlighted in green) for External Consumption using routing functionality available in Application Gateway.
+In this article, you learn how to Use a single API Management service for both internal and external consumers and make it act as a single front end for both on-premises and cloud APIs. You will also understand how to expose only a subset of your APIs (in the example they are highlighted in green) for external consumption using routing functionality available in Application Gateway.
-In the first setup example all your APIs are managed only from within your Virtual Network. Internal consumers (highlighted in orange) can access all your internal and external APIs. Traffic never goes out to the internet. High performance connectivity is delivered via Express Route circuits.
+In the first setup example, all your APIs are managed only from within your virtual network. Internal consumers (highlighted in orange) can access all your internal and external APIs. Traffic never goes out to the internet. High-performance connectivity can be delivered via Express Route circuits.
![url route](./media/api-management-howto-integrate-internal-vnet-appgateway/api-management-howto-integrate-internal-vnet-appgateway.png)
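Review bot: In the rewritten Scenario paragraph, "you learn how to Use a single API Management service" has a stray capital; lower-case "use". The next added paragraph keeps "Express Route", which is written ExpressRoute as a product name. The change from "is delivered" to "can be delivered" is a good softening, since nothing in the steps that follow sets up a circuit.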
-## <a name="before-you-begin"> </a> Before you begin
-
-* Make sure that you are using the latest version of Azure PowerShell. See the installation instructions at [Install Azure PowerShell](/powershell/azure/install-az-ps).
-
-## What is required to create an integration between API Management and Application Gateway?
+### What is required to integrate API Management and Application Gateway?
-* **Back-end server pool:** This is the internal virtual IP address of the API Management service.
-* **Back-end server pool settings:** Every pool has settings like port, protocol, and cookie-based affinity. These settings are applied to all servers within the pool.
+* **Backend server pool:** This is the internal virtual IP address of the API Management service.
+* **Backend server pool settings:** Every pool has settings like port, protocol, and cookie-based affinity. These settings are applied to all servers within the pool.
* **Front-end port:** This is the public port that is opened on the application gateway. Traffic hitting it gets redirected to one of the back-end servers. * **Listener:** The listener has a front-end port, a protocol (Http or Https, these values are case-sensitive), and the TLS/SSL certificate name (if configuring TLS offload).
-* **Rule:** The rule binds a listener to a back-end server pool.
-* **Custom Health Probe:** Application Gateway, by default, uses IP address based probes to figure out which servers in the BackendAddressPool are active. The API Management service only responds to requests with the correct host header, hence the default probes fail. A custom health probe needs to be defined to help application gateway determine that the service is alive and it should forward requests.
-* **Custom domain certificates:** To access API Management from the internet, you need to create a CNAME mapping of its hostname to the Application Gateway front-end DNS name. This ensures that the hostname header and certificate sent to Application Gateway that is forwarded to API Management is one APIM can recognize as valid. In this example, we will use two certificates - for the backend and for the developer portal.
+* **Rule:** The rule binds a listener to a backend server pool.
+* **Custom health probe:** Application Gateway, by default, uses IP address-based probes to figure out which servers in the BackendAddressPool are active. The API Management service only responds to requests with the correct host header, hence the default probes fail. You define a custom health probe to help the application gateway determine that the service is alive and it should forward requests.
+* **Custom domain certificates:** To access API Management from the internet, you need to create a CNAME mapping of its hostname to the Application Gateway front-end DNS name. This ensures that the hostname header and certificate sent to Application Gateway and forwarded to API Management is one that API Management recognizes as valid. In this example, we will use three certificates - for the API Management service's gateway (the backend), the developer portal, and the management endpoint.
-## <a name="overview-steps"> </a> Steps required for integrating API Management and Application Gateway
+## Steps required to integrate API Management and Application Gateway
1. Create a resource group for Resource Manager.
-2. Create a Virtual Network, subnet, and public IP for the Application Gateway. Create another subnet for API Management.
-3. Create an API Management service inside the VNET subnet created above and ensure you use the Internal mode.
-4. Set up a custom domain name in the API Management service.
-5. Create an Application Gateway configuration object.
-6. Create an Application Gateway resource.
-7. Create a CNAME from the public DNS name of the Application Gateway to the API Management proxy hostname.
+1. Create a virtual network, subnet, and public IP for the Application Gateway. Create another subnet for API Management.
+1. Create an API Management service inside the virtual network subnet created in the previous step. Ensure you use the internal mode.
+1. Set up custom domain names in the API Management service.
+1. Configure a private DNS zone for DNS resolution in the virtual network
+1. Create an Application Gateway configuration object.
+1. Create an Application Gateway resource.
+1. Create a CNAME from the public DNS name of the Application Gateway to the API Management proxy hostname.
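Review bot: The new step "Configure a private DNS zone for DNS resolution in the virtual network" is the only item in this list without a closing period. The last step still says "API Management proxy hostname" while the rest of this change renames the proxy endpoint to gateway (for example `$gatewayHostnameConfig`); align the wording, or keep "proxy" on purpose and say it corresponds to `-HostnameType Proxy`.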
-## Exposing the developer portal externally through Application Gateway
+### Expose the developer portal and management endpoint externally through Application Gateway
-In this guide we will also expose the **developer portal** to external audiences through the Application Gateway. It requires additional steps to create developer portal's listener, probe, settings and rules. All details are provided in respective steps.
+In this guide, we also expose the **developer portal** and the **management endpoint** to external audiences through the application gateway. Extra steps are needed to create a listener, probe, settings, and rules for each endpoint. All details are provided in respective steps.
> [!WARNING]
-> If you use Azure AD or third party authentication, please enable [cookie-based session affinity](../application-gateway/features.md#session-affinity) feature in Application Gateway.
+> If you use Azure AD or third party authentication, please enable the [cookie-based session affinity](../application-gateway/features.md#session-affinity) feature in Application Gateway.
> [!WARNING]
-> To prevent Application Gateway WAF from breaking the download of OpenAPI specification in the developer portal, you need to disable the firewall rule `942200 - "Detects MySQL comment-/space-obfuscated injections and backtick termination"`.
+> To prevent Application Gateway WAF from breaking the download of OpenAPI specifications in the developer portal, you need to disable the firewall rule `942200 - "Detects MySQL comment-/space-obfuscated injections and backtick termination"`.
>
-> Application Gateway WAF rules, which may break portal's functionality include:
+> Application Gateway WAF rules that may break portal's functionality include:
> > - `920300`, `920330`, `931130`, `942100`, `942110`, `942180`, `942200`, `942260`, `942340`, `942370` for the administrative mode > - `942200`, `942260`, `942370`, `942430`, `942440` for the published portal
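Review bot: The warning tells readers to disable rule `942200` and lists further rule IDs that may break the portal, but it does not say at what scope. With this change the same WAF_v2 gateway also fronts the API gateway and the management endpoint, so disabling these detection rules for the whole gateway weakens inspection for all three hostnames; say whether they can be disabled for the portal listener only, or state the trade-off. Also, "may break portal's functionality" is missing "the".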
New-AzResourceGroup -Name $resGroupName -Location $location
Azure Resource Manager requires that all resource groups specify a location. This is used as the default location for resources in that resource group. Make sure that all commands to create an application gateway use the same resource group.
-## Create a Virtual Network and a subnet for the application gateway
+## Create a virtual network and a subnet for the application gateway
-The following example shows how to create a Virtual Network using Resource Manager.
+The following example shows how to create a virtual network using Resource Manager. The virtual network in this example consists of separate subnets for Application Gateway and API Management.
### Step 1
-Assign the address range 10.0.0.0/24 to the subnet variable to be used for Application Gateway while creating a Virtual Network.
+Create network security groups and NSG rules for the Application Gateway and API Management subnets.
```powershell
-$appgatewaysubnet = New-AzVirtualNetworkSubnetConfig -Name "apim01" -AddressPrefix "10.0.0.0/24"
+$appGwRule1 = New-AzNetworkSecurityRuleConfig -Name appgw-in -Description "AppGw inbound" `
+ -Access Allow -Protocol * -Direction Inbound -Priority 100 -SourceAddressPrefix `
+ GatewayManager -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 65200-65535
+$appGwNsg = New-AzNetworkSecurityGroup -ResourceGroupName $resGroupName -Location $location -Name `
+ "NSG-APPGW" -SecurityRules $appGwRule1
+
+$apimRule1 = New-AzNetworkSecurityRuleConfig -Name apim-in -Description "APIM inbound" `
+ -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 -SourceAddressPrefix `
+ ApiManagement -SourcePortRange * -DestinationAddressPrefix VirtualNetwork -DestinationPortRange 3443
+$apimNsg = New-AzNetworkSecurityGroup -ResourceGroupName $resGroupName -Location $location -Name `
+ "NSG-APIM" -SecurityRules $apimRule1
``` ### Step 2
-Assign the address range 10.0.1.0/24 to the subnet variable to be used for API Management while creating a Virtual Network.
+Assign the address range 10.0.0.0/24 to the subnet variable to be used for Application Gateway while creating a virtual network.
```powershell
-$apimsubnet = New-AzVirtualNetworkSubnetConfig -Name "apim02" -AddressPrefix "10.0.1.0/24"
+$appGatewaySubnet = New-AzVirtualNetworkSubnetConfig -Name "appGatewaySubnet" -NetworkSecurityGroup $appGwNsg -AddressPrefix "10.0.0.0/24"
``` ### Step 3
-Create a Virtual Network named **appgwvnet** in resource group **apim-appGw-RG** for the West US region. Use the prefix 10.0.0.0/16 with subnets 10.0.0.0/24 and 10.0.1.0/24.
+Assign the address range 10.0.1.0/24 to the subnet variable to be used for API Management while creating a virtual network.
```powershell
-$vnet = New-AzVirtualNetwork -Name "appgwvnet" -ResourceGroupName $resGroupName -Location $location -AddressPrefix "10.0.0.0/16" -Subnet $appgatewaysubnet,$apimsubnet
+$apimSubnet = New-AzVirtualNetworkSubnetConfig -Name "apimSubnet" -NetworkSecurityGroup $apimNsg -AddressPrefix "10.0.1.0/24"
``` ### Step 4
-Assign a subnet variable for the next steps
+Create a virtual network named **appgwvnet** in resource group **apim-appGw-RG** for the West US region. Use the prefix 10.0.0.0/16 with subnets 10.0.0.0/24 and 10.0.1.0/24.
```powershell
-$appgatewaysubnetdata = $vnet.Subnets[0]
-$apimsubnetdata = $vnet.Subnets[1]
+$vnet = New-AzVirtualNetwork -Name "appgwvnet" -ResourceGroupName $resGroupName `
+ -Location $location -AddressPrefix "10.0.0.0/16" -Subnet $appGatewaySubnet,$apimSubnet
```
-## Create an API Management service inside a VNET configured in internal mode
+### Step 5
+
+Assign subnet variables for the next steps
+
+```powershell
+$appGatewaySubnetData = $vnet.Subnets[0]
+$apimSubnetData = $vnet.Subnets[1]
+```
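Review bot: In Step 1, `NSG-APPGW` gets a single inbound rule, GatewayManager to ports 65200-65535, and Step 2 attaches it to the Application Gateway subnet. An NSG denies other inbound internet traffic by default, so nothing shown here lets clients reach the HTTPS listeners created later; add an explicit allow rule for the listener port, scoped to the sources you intend to serve. On the same rule, `-Protocol *` can be narrowed to `Tcp`, matching the `apim-in` rule. Step 5 also depends on `$vnet.Subnets[0]` and `[1]` keeping the order passed to `-Subnet`; a short comment saying so would save a reader who reorders them.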
-The following example shows how to create an API Management service in a VNET configured for internal access only.
+## Create an API Management service inside a virtual network configured in internal mode
+
+The following example shows how to create an API Management service in a virtual network configured for internal access only.
### Step 1
-Create an API Management Virtual Network object using the subnet $apimsubnetdata created above.
+Create an API Management virtual network object using the subnet `$apimSubnetData` created above.
```powershell
-$apimVirtualNetwork = New-AzApiManagementVirtualNetwork -SubnetResourceId $apimsubnetdata.Id
+$apimVirtualNetwork = New-AzApiManagementVirtualNetwork -SubnetResourceId $apimSubnetData.Id
``` ### Step 2
-Create an API Management service inside the Virtual Network.
+Create an API Management service inside the virtual network. This example creates the service in the Developer service tier. Substitute a unique name for your API Management service.
```powershell
-$apimServiceName = "ContosoApi" # API Management service instance name
+$apimServiceName = "ContosoApi" # API Management service instance name, must be globally unique
$apimOrganization = "Contoso" # organization name $apimAdminEmail = "admin@contoso.com" # administrator's email address $apimService = New-AzApiManagement -ResourceGroupName $resGroupName -Location $location -Name $apimServiceName -Organization $apimOrganization -AdminEmail $apimAdminEmail -VirtualNetwork $apimVirtualNetwork -VpnType "Internal" -Sku "Developer" ```
-After the above command succeeds refer to [DNS Configuration required to access internal VNET API Management service](api-management-using-with-internal-vnet.md#apim-dns-configuration) to access it. This step may take more than half an hour.
-
-## Set-up a custom domain name in API Management
+It can take between 30 and 40 minutes to create and activate an API Management service in this tier. After the previous command succeeds, refer to [DNS Configuration required to access internal virtual network API Management service](api-management-using-with-internal-vnet.md#apim-dns-configuration) to confirm access it.
-> [!IMPORTANT]
-> The [new developer portal](api-management-howto-developer-portal.md) also requires enabling connectivity to the API Management's management endpoint in addition to the steps below.
+## Set up custom domain names in API Management
### Step 1
-Initialize the following variables with the details of the certificates with private keys for the domains. In this example, we will use `api.contoso.net` and `portal.contoso.net`.
+Initialize the following variables with the details of the certificates with private keys for the domains and the trusted root certificate. In this example, we use `api.contoso.net`, `portal.contoso.net`, and `management.contoso.net`.
```powershell $gatewayHostname = "api.contoso.net" # API gateway host $portalHostname = "portal.contoso.net" # API developer portal host
-$gatewayCertCerPath = "C:\Users\Contoso\gateway.cer" # full path to api.contoso.net .cer file
+$managementHostname = "management.contoso.net" # API management endpoint host
$gatewayCertPfxPath = "C:\Users\Contoso\gateway.pfx" # full path to api.contoso.net .pfx file $portalCertPfxPath = "C:\Users\Contoso\portal.pfx" # full path to portal.contoso.net .pfx file
+$managementCertPfxPath = "C:\Users\Contoso\management.pfx" # full path to management.contoso.net .pfx file
$gatewayCertPfxPassword = "certificatePassword123" # password for api.contoso.net pfx certificate $portalCertPfxPassword = "certificatePassword123" # password for portal.contoso.net pfx certificate
+$managementCertPfxPassword = "certificatePassword123" # password for management.contoso.net pfx certificate
+# Path to trusted root CER file used in Application Gateway HTTP settings
+$trustedRootCertCerPath = "C:\Users\Contoso\trustedroot.cer" # full path to contoso.net trusted root .cer file
-$certPwd = ConvertTo-SecureString -String $gatewayCertPfxPassword -AsPlainText -Force
+$certGatewayPwd = ConvertTo-SecureString -String $gatewayCertPfxPassword -AsPlainText -Force
$certPortalPwd = ConvertTo-SecureString -String $portalCertPfxPassword -AsPlainText -Force
+$certManagementPwd = ConvertTo-SecureString -String $managementCertPfxPassword -AsPlainText -Force
``` ### Step 2
-Create and set the hostname configuration objects for the proxy and for the portal.
+Create and set the hostname configuration objects for the API Management endpoints.
```powershell
-$proxyHostnameConfig = New-AzApiManagementCustomHostnameConfiguration -Hostname $gatewayHostname -HostnameType Proxy -PfxPath $gatewayCertPfxPath -PfxPassword $certPwd
-$portalHostnameConfig = New-AzApiManagementCustomHostnameConfiguration -Hostname $portalHostname -HostnameType DeveloperPortal -PfxPath $portalCertPfxPath -PfxPassword $certPortalPwd
-
-$apimService.ProxyCustomHostnameConfiguration = $proxyHostnameConfig
+$gatewayHostnameConfig = New-AzApiManagementCustomHostnameConfiguration -Hostname $gatewayHostname `
+ -HostnameType Proxy -PfxPath $gatewayCertPfxPath -PfxPassword $certGatewayPwd
+$portalHostnameConfig = New-AzApiManagementCustomHostnameConfiguration -Hostname $portalHostname `
+ -HostnameType DeveloperPortal -PfxPath $portalCertPfxPath -PfxPassword $certPortalPwd
+$managementHostnameConfig = New-AzApiManagementCustomHostnameConfiguration -Hostname $managementHostname `
+ -HostnameType Management -PfxPath $managementCertPfxPath -PfxPassword $certManagementPwd
+
+$apimService.ProxyCustomHostnameConfiguration = $gatewayHostnameConfig
$apimService.PortalCustomHostnameConfiguration = $portalHostnameConfig
+$apimService.ManagementCustomHostnameConfiguration = $managementHostnameConfig
+ Set-AzApiManagement -InputObject $apimService ``` > [!NOTE]
-> To configure the legacy developer portal connectivity you need to replace `-HostnameType DeveloperPortal` with `-HostnameType Portal`.
+> To configure connectivity to the legacy developer portal, you need to replace `-HostnameType DeveloperPortal` with `-HostnameType Portal`.
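Review bot: Step 1 adds `$managementCertPfxPassword = "certificatePassword123"` next to the two existing hard-coded PFX passwords, and all three go through `ConvertTo-SecureString -AsPlainText -Force`. Readers copy these scripts, so prompt for the password instead (for example with `Read-Host -AsSecureString`), or at least comment that the literal is a placeholder that must not be saved in the script. Separately, the added sentence just before this section ends with "to confirm access it"; it should read "to confirm access to it".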
+
+## Configure a private zone for DNS resolution in the virtual network
+
+### Step 1
+
+Create a private DNS zone and link the virtual network.
+
+```powershell
+$myZone = New-AzPrivateDnsZone -Name "contoso.net" -ResourceGroupName $resGroupName
+$link = New-AzPrivateDnsVirtualNetworkLink -ZoneName contoso.net `
+ -ResourceGroupName $resGroupName -Name "mylink" `
+ -VirtualNetworkId $vnet.id
+```
+
+### Step 2
+
+Create A-records for the custom domain hostnames, mapping to the private IP address of the API Management service:
+
+```powershell
+$apimIP = $apimService.PrivateIPAddresses[0]
+
+New-AzPrivateDnsRecordSet -Name api -RecordType A -ZoneName contoso.net `
+ -ResourceGroupName $resGroupName -Ttl 3600 `
+ -PrivateDnsRecords (New-AzPrivateDnsRecordConfig -IPv4Address $apimIP)
+New-AzPrivateDnsRecordSet -Name portal -RecordType A -ZoneName contoso.net `
+ -ResourceGroupName $resGroupName -Ttl 3600 `
+ -PrivateDnsRecords (New-AzPrivateDnsRecordConfig -IPv4Address $apimIP)
+New-AzPrivateDnsRecordSet -Name management -RecordType A -ZoneName contoso.net `
+ -ResourceGroupName $resGroupName -Ttl 3600 `
+ -PrivateDnsRecords (New-AzPrivateDnsRecordConfig -IPv4Address $apimIP)
+```
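Review bot: The zone and record names are hard-coded here (`contoso.net`, `api`, `portal`, `management`) while the hostnames live in `$gatewayHostname`, `$portalHostname` and `$managementHostname`. A reader who changes those variables in the earlier step ends up with DNS records that no longer match the custom domains; either derive the names from the variables or say that both places must be edited together. `$myZone` and `$link` are assigned but not used in the lines shown, and `-ZoneName` could take `$myZone.Name`.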
## Create a public IP address for the front-end configuration
-Create a public IP resource **publicIP01** in the resource group.
+Create a Standard public IP resource **publicIP01** in the resource group.
```powershell
-$publicip = New-AzPublicIpAddress -ResourceGroupName $resGroupName -name "publicIP01" -location $location -AllocationMethod Dynamic
+$publicip = New-AzPublicIpAddress -ResourceGroupName $resGroupName `
+ -name "publicIP01" -location $location -AllocationMethod Static -Sku Standard
``` An IP address is assigned to the application gateway when the service starts.
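Review bot: The public IP changes from `-AllocationMethod Dynamic` to `-AllocationMethod Static -Sku Standard`, but the unchanged sentence right after the code block still says "An IP address is assigned to the application gateway when the service starts." With static allocation the address exists as soon as the resource is created, so reword or drop that sentence.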
All configuration items must be set up before creating the application gateway.
### Step 1
-Create an application gateway IP configuration named **gatewayIP01**. When Application Gateway starts, it picks up an IP address from the subnet configured and route network traffic to the IP addresses in the back-end IP pool. Keep in mind that each instance takes one IP address.
+Create an application gateway IP configuration named **gatewayIP01**. When Application Gateway starts, it picks up an IP address from the subnet configured and routes network traffic to the IP addresses in the backend IP pool. Keep in mind that each instance takes one IP address.
```powershell
-$gipconfig = New-AzApplicationGatewayIPConfiguration -Name "gatewayIP01" -Subnet $appgatewaysubnetdata
+$gipconfig = New-AzApplicationGatewayIPConfiguration -Name "gatewayIP01" -Subnet $appGatewaySubnetData
``` ### Step 2
$fipconfig01 = New-AzApplicationGatewayFrontendIPConfig -Name "frontend1" -Publi
Configure the certificates for the Application Gateway, which will be used to decrypt and re-encrypt the traffic passing through.
+> [!NOTE]
+> Application Gateway supports defining custom TLS options, disabling certain TLS protocol versions, and specifying cipher suites and the order of preference. To learn more about configurable TLS options, see the [TLS policy overview](../application-gateway/application-gateway-ssl-policy-overview.md).
+ ```powershell
-$cert = New-AzApplicationGatewaySslCertificate -Name "cert01" -CertificateFile $gatewayCertPfxPath -Password $certPwd
-$certPortal = New-AzApplicationGatewaySslCertificate -Name "cert02" -CertificateFile $portalCertPfxPath -Password $certPortalPwd
+$certGateway = New-AzApplicationGatewaySslCertificate -Name "gatewaycert" `
+ -CertificateFile $gatewayCertPfxPath -Password $certGatewayPwd
+$certPortal = New-AzApplicationGatewaySslCertificate -Name "portalcert" `
+ -CertificateFile $portalCertPfxPath -Password $certPortalPwd
+$certManagement = New-AzApplicationGatewaySslCertificate -Name "managementcert" `
+ -CertificateFile $managementCertPfxPath -Password $certManagementPwd
``` ### Step 5
$certPortal = New-AzApplicationGatewaySslCertificate -Name "cert02" -Certificate
Create the HTTP listeners for the Application Gateway. Assign the front-end IP configuration, port, and TLS/SSL certificates to them. ```powershell
-$listener = New-AzApplicationGatewayHttpListener -Name "listener01" -Protocol "Https" -FrontendIPConfiguration $fipconfig01 -FrontendPort $fp01 -SslCertificate $cert -HostName $gatewayHostname -RequireServerNameIndication true
-$portalListener = New-AzApplicationGatewayHttpListener -Name "listener02" -Protocol "Https" -FrontendIPConfiguration $fipconfig01 -FrontendPort $fp01 -SslCertificate $certPortal -HostName $portalHostname -RequireServerNameIndication true
+$gatewayListener = New-AzApplicationGatewayHttpListener -Name "gatewaylistener" `
+ -Protocol "Https" -FrontendIPConfiguration $fipconfig01 -FrontendPort $fp01 `
+ -SslCertificate $certGateway -HostName $gatewayHostname -RequireServerNameIndication true
+$portalListener = New-AzApplicationGatewayHttpListener -Name "portallistener" `
+ -Protocol "Https" -FrontendIPConfiguration $fipconfig01 -FrontendPort $fp01 `
+ -SslCertificate $certPortal -HostName $portalHostname -RequireServerNameIndication true
+$managementListener = New-AzApplicationGatewayHttpListener -Name "managementlistener" `
+ -Protocol "Https" -FrontendIPConfiguration $fipconfig01 -FrontendPort $fp01 `
+ -SslCertificate $certManagement -HostName $managementHostname -RequireServerNameIndication true
``` ### Step 6
-Create custom probes to the API Management service `ContosoApi` proxy domain endpoint. The path `/status-0123456789abcdef` is a default health endpoint hosted on all the API Management services. Set `api.contoso.net` as a custom probe hostname to secure it with the TLS/SSL certificate.
+Create custom probes to the API Management service `ContosoApi` gateway domain endpoint. The path `/status-0123456789abcdef` is a default health endpoint hosted on all the API Management services. Set `api.contoso.net` as a custom probe hostname to secure it with the TLS/SSL certificate.
> [!NOTE] > The hostname `contosoapi.azure-api.net` is the default proxy hostname configured when a service named `contosoapi` is created in public Azure. > ```powershell
-$apimprobe = New-AzApplicationGatewayProbeConfig -Name "apimproxyprobe" -Protocol "Https" -HostName $gatewayHostname -Path "/status-0123456789abcdef" -Interval 30 -Timeout 120 -UnhealthyThreshold 8
-$apimPortalProbe = New-AzApplicationGatewayProbeConfig -Name "apimportalprobe" -Protocol "Https" -HostName $portalHostname -Path "/internal-status-0123456789abcdef" -Interval 60 -Timeout 300 -UnhealthyThreshold 8
+$apimGatewayProbe = New-AzApplicationGatewayProbeConfig -Name "apimgatewayprobe" `
+ -Protocol "Https" -HostName $gatewayHostname -Path "/status-0123456789abcdef" `
+ -Interval 30 -Timeout 120 -UnhealthyThreshold 8
+$apimPortalProbe = New-AzApplicationGatewayProbeConfig -Name "apimportalprobe" `
+ -Protocol "Https" -HostName $portalHostname -Path "/signin" `
+ -Interval 60 -Timeout 300 -UnhealthyThreshold 8
+$apimManagementProbe = New-AzApplicationGatewayProbeConfig -Name "apimmanagementprobe" `
+ -Protocol "Https" -HostName $managementHostname -Path "/ServiceStatus" `
+ -Interval 60 -Timeout 300 -UnhealthyThreshold 8
``` ### Step 7
-Upload the certificate to be used on the TLS-enabled backend pool resources. This is the same certificate which you provided in Step 4 above.
+Upload the trusted root certificate to be configured on the HTTP settings.
```powershell
-$authcert = New-AzApplicationGatewayAuthenticationCertificate -Name "whitelistcert1" -CertificateFile $gatewayCertCerPath
+$trustedRootCert = New-AzApplicationGatewayTrustedRootCertificate -Name "whitelistcert1" -CertificateFile $trustedRootCertCerPath
``` ### Step 8
-Configure HTTP backend settings for the Application Gateway. This includes setting a time-out limit for backend request, after which they're canceled. This value is different from the probe time-out.
+Configure HTTP backend settings for the Application Gateway, including a timeout limit for backend requests, after which they're canceled. This value is different from the probe timeout.
```powershell
-$apimPoolSetting = New-AzApplicationGatewayBackendHttpSettings -Name "apimPoolSetting" -Port 443 -Protocol "Https" -CookieBasedAffinity "Disabled" -Probe $apimprobe -AuthenticationCertificates $authcert -RequestTimeout 180
-$apimPoolPortalSetting = New-AzApplicationGatewayBackendHttpSettings -Name "apimPoolPortalSetting" -Port 443 -Protocol "Https" -CookieBasedAffinity "Disabled" -Probe $apimPortalProbe -AuthenticationCertificates $authcert -RequestTimeout 180
+$apimPoolGatewaySetting = New-AzApplicationGatewayBackendHttpSettings -Name "apimPoolGatewaySetting" `
+ -Port 443 -Protocol "Https" -CookieBasedAffinity "Disabled" -Probe $apimGatewayProbe `
+ -TrustedRootCertificate $trustedRootCert -PickHostNameFromBackendAddress -RequestTimeout 180
+$apimPoolPortalSetting = New-AzApplicationGatewayBackendHttpSettings -Name "apimPoolPortalSetting" `
+ -Port 443 -Protocol "Https" -CookieBasedAffinity "Disabled" -Probe $apimPortalProbe `
+ -TrustedRootCertificate $trustedRootCert -PickHostNameFromBackendAddress -RequestTimeout 180
+$apimPoolManagementSetting = New-AzApplicationGatewayBackendHttpSettings -Name "apimPoolManagementSetting" `
+ -Port 443 -Protocol "Https" -CookieBasedAffinity "Disabled" -Probe $apimManagementProbe `
+ -TrustedRootCertificate $trustedRootCert -PickHostNameFromBackendAddress -RequestTimeout 180
``` ### Step 9
-Configure a back-end IP address pool named **apimbackend** with the internal virtual IP address of the API Management service created above.
+Configure a backend IP address pool for each API Management endpoint, using its respective domain name.
```powershell
-$apimProxyBackendPool = New-AzApplicationGatewayBackendAddressPool -Name "apimbackend" -BackendIPAddresses $apimService.PrivateIPAddresses[0]
+$apimGatewayBackendPool = New-AzApplicationGatewayBackendAddressPool -Name "gatewaybackend" `
+ -BackendFqdns $gatewayHostname
+$apimPortalBackendPool = New-AzApplicationGatewayBackendAddressPool -Name "portalbackend" `
+ -BackendFqdns $portalHostname
+$apimManagementBackendPool = New-AzApplicationGatewayBackendAddressPool -Name "managementbackend" `
+ -BackendFqdns $managementHostname
``` ### Step 10
-Create rules for the Application Gateway to use basic routing.
+Create rules for the application gateway to use basic routing.
```powershell
-$rule01 = New-AzApplicationGatewayRequestRoutingRule -Name "rule1" -RuleType Basic -HttpListener $listener -BackendAddressPool $apimProxyBackendPool -BackendHttpSettings $apimPoolSetting
-$rule02 = New-AzApplicationGatewayRequestRoutingRule -Name "rule2" -RuleType Basic -HttpListener $portalListener -BackendAddressPool $apimProxyBackendPool -BackendHttpSettings $apimPoolPortalSetting
+$gatewayRule = New-AzApplicationGatewayRequestRoutingRule -Name "gatewayrule" `
+ -RuleType Basic -HttpListener $gatewayListener -BackendAddressPool $apimGatewayBackendPool `
+ -BackendHttpSettings $apimPoolGatewaySetting
+$portalRule = New-AzApplicationGatewayRequestRoutingRule -Name "portalrule" `
+ -RuleType Basic -HttpListener $portalListener -BackendAddressPool $apimPortalBackendPool `
+ -BackendHttpSettings $apimPoolPortalSetting
+$managementRule = New-AzApplicationGatewayRequestRoutingRule -Name "managementrule" `
+ -RuleType Basic -HttpListener $managementListener -BackendAddressPool $apimManagementBackendPool `
+ -BackendHttpSettings $apimPoolManagementSetting
``` > [!TIP]
-> Change the -RuleType and routing, to restrict access to certain pages of the developer portal.
+> Change the `-RuleType` and routing, to restrict access to certain pages of the developer portal.
### Step 11
-Configure the number of instances and size for the Application Gateway. In this example, we are using the [WAF SKU](../web-application-firewall/ag/ag-overview.md) for increased security of the API Management resource.
+Configure the number of instances and size for the application gateway. In this example, we are using the [WAF_v2 SKU](../web-application-firewall/ag/ag-overview.md) for increased security of the API Management resource.
```powershell
-$sku = New-AzApplicationGatewaySku -Name "WAF_Medium" -Tier "WAF" -Capacity 2
+$sku = New-AzApplicationGatewaySku -Name "WAF_v2" -Tier "WAF_v2" -Capacity 2
``` ### Step 12
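Review bot: Step 9 builds each backend pool with `-BackendFqdns` set to `$gatewayHostname`, `$portalHostname` and `$managementHostname`, the same names the Step 5 listeners serve, but the step text doesn't say where those names must resolve. The article later points `api.contoso.net` at the Application Gateway by CNAME, so Step 9 should state that inside the virtual network these names have to resolve to the API Management instance, or link to the section that sets that up; otherwise the pool can end up targeting the gateway's own front end. Two smaller points in the same hunk: Step 6 still documents only `/status-0123456789abcdef` although the code now probes `/signin` and `/ServiceStatus`, and the NOTE under Step 6 keeps "default proxy hostname" after the paragraph above it was changed to "gateway".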
Create an Application Gateway with all the configuration objects from the preced
```powershell $appgwName = "apim-app-gw"
-$appgw = New-AzApplicationGateway -Name $appgwName -ResourceGroupName $resGroupName -Location $location -BackendAddressPools $apimProxyBackendPool -BackendHttpSettingsCollection $apimPoolSetting, $apimPoolPortalSetting -FrontendIpConfigurations $fipconfig01 -GatewayIpConfigurations $gipconfig -FrontendPorts $fp01 -HttpListeners $listener, $portalListener -RequestRoutingRules $rule01, $rule02 -Sku $sku -WebApplicationFirewallConfig $config -SslCertificates $cert, $certPortal -AuthenticationCertificates $authcert -Probes $apimprobe, $apimPortalProbe
+$appgw = New-AzApplicationGateway -Name $appgwName -ResourceGroupName $resGroupName -Location $location `
+ -BackendAddressPools $apimGatewayBackendPool,$apimPortalBackendPool,$apimManagementBackendPool `
+ -BackendHttpSettingsCollection $apimPoolGatewaySetting, $apimPoolPortalSetting, $apimPoolManagementSetting `
+ -FrontendIpConfigurations $fipconfig01 -GatewayIpConfigurations $gipconfig -FrontendPorts $fp01 `
+ -HttpListeners $gatewayListener,$portalListener,$managementListener `
+ -RequestRoutingRules $gatewayRule,$portalRule,$managementRule `
+ -Sku $sku -WebApplicationFirewallConfig $config -SslCertificates $certGateway,$certPortal,$certManagement `
+ -TrustedRootCertificate $trustedRootCert -Probes $apimGatewayProbe,$apimPortalProbe,$apimManagementProbe
+```
+
+After deployment of the application gateway completes, confirm the health status of the API Management backends in the portal or by running the following command:
+
+```powershell
+Get-AzApplicationGatewayBackendHealth -Name $appgwName -ResourceGroupName $resGroupName
```
+Ensure that the health status of each backend pool is Healthy. If you need to troubleshoot an unhealthy backend or a backend with unknown health status, see [Troubleshoot backend health issues in Application Gateway](../application-gateway/application-gateway-backend-health-troubleshooting.md).
+ ## CNAME the API Management proxy hostname to the public DNS name of the Application Gateway resource
-Once the gateway is created, the next step is to configure the front end for communication. When using a public IP, Application Gateway requires a dynamically assigned DNS name, which may not be easy to use.
+Once the gateway is created, configure the front end for communication. When using a public IP address, Application Gateway requires a dynamically assigned DNS name, which may not be easy to use.
-The Application Gateway's DNS name should be used to create a CNAME record which points the APIM proxy host name (e.g. `api.contoso.net` in the examples above) to this DNS name. To configure the frontend IP CNAME record, retrieve the details of the Application Gateway and its associated IP/DNS name using the PublicIPAddress element. The use of A-records is not recommended since the VIP may change on restart of gateway.
+Use the Application Gateway's DNS name to create a CNAME record pointing the API Management gateway hostname (`api.contoso.net` in the preceding examples) to this DNS name. To configure the frontend IP CNAME record, retrieve the details of the Application Gateway and its associated IP/DNS name using the `PublicIPAddress` element. We don't recommend using A-records is not recommended, since the VIP may change when the gateway restarts.
```powershell Get-AzPublicIpAddress -ResourceGroupName $resGroupName -Name "publicIP01" ```
-## <a name="summary"> </a> Summary
-Azure API Management configured in a VNET provides a single gateway interface for all configured APIs, whether they are hosted on premises or in the cloud. Integrating Application Gateway with API Management provides the flexibility of selectively enabling particular APIs to be accessible on the Internet, as well as providing a Web Application Firewall as a frontend to your API Management instance.
+For testing purposes, you may update the hosts file on your local machine with entries mapping the Application Gateway's public IP address to each of the API Management endpoint hostnames that you configured (for example, `api.contoso.net`, `portal.contoso.net`, `management.contoso.net`).
+
+## Summary
+
+Azure API Management configured in a virtual network provides a single gateway interface for all configured APIs, whether hosted on-premises or in the cloud. Integrating Application Gateway with API Management provides the flexibility of selectively enabling particular APIs to be accessible on the internet, and providing a WAF as a front end to your API Management instance.
+
+## Next steps
-## <a name="next-steps"> </a> Next steps
* Learn more about Azure Application Gateway * [Application Gateway Overview](../application-gateway/overview.md) * [Application Gateway Web Application Firewall](../web-application-firewall/ag/ag-overview.md) * [Application Gateway using Path-based Routing](../application-gateway/tutorial-url-route-powershell.md)
-* Learn more about API Management and VNETs
- * [Using API Management available only within the VNET](api-management-using-with-internal-vnet.md)
- * [Using API Management in VNET](api-management-using-with-vnet.md)
+* Learn more about API Management and virtual network
+ * [Using API Management with an internal virtual network](api-management-using-with-internal-vnet.md)
+ * [How to use API Management with virtual networks](api-management-using-with-vnet.md)
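Review bot: The rewritten A-record sentence in the CNAME section is garbled: "We don't recommend using A-records is not recommended" merges the old and new wording. Suggest "We don't recommend using A-records, since the VIP may change when the gateway restarts." The section heading above it still reads "API Management proxy hostname" while the paragraph now says "gateway hostname", and the Next steps bullet "Learn more about API Management and virtual network" wants the plural "virtual networks" to match the link titles under it.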
app-service Quickstart Arc https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/quickstart-arc.md
Title: 'Quickstart: Create a web app on Azure Arc' description: Get started with App Service on Azure Arc deploying your first web app. Previously updated : 05/11/2021 Last updated : 06/02/2021 # Create an App Service app on Azure Arc (Preview)
Run the following command.
az group create --name myResourceGroup --location eastus ```
-<!-- ## 2. Create an App Service plan
-
-Run the following command and replace `<environment-name>` with the name of the App Service Kubernetes environment (see [Prerequisites](#prerequisites)).
+## 2. Get the custom location
-```azurecli-interactive
-az appservice plan create --resource-group myResourceGroup --name myAppServicePlan --custom-location <environment-name> --kube-sku K1
-```
-Currently does not work
>
+## 3. Create an App Service plan
-## 2. Get the custom location
-
+Run the following command replacing `$customLocationId` obtained from the previous step.
+```azurecli-interactive
+az appservice plan create -g myResourceGroup -n myPlan \
+ --custom-location $customLocationId \
+ --per-site-scaling --is-linux --sku K1
+```
-## 3. Create an app
+## 4. Create an app
The following example creates a Node.js app. Replace `<app-name>` with a name that's unique within your cluster (valid characters are `a-z`, `0-9`, and `-`). To see all supported runtimes, run [`az webapp list-runtimes --linux`](/cli/azure/webapp). ```azurecli-interactive az webapp create \
+ --plan myPlan
--resource-group myResourceGroup \ --name <app-name> \ --custom-location $customLocationId \ --runtime 'NODE|12-lts' ```
-## 4. Deploy some code
+## 5. Deploy some code
> [!NOTE] > `az webapp up` is not supported during the public preview.
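Review bot: The added `--plan myPlan` line in the "Create an app" step has no trailing backslash and sits between `az webapp create \` and `--resource-group myResourceGroup \`, so as written the shell ends the command after `--plan myPlan` and treats the remaining options as a new command. Add the continuation (`--plan myPlan \`). In the new "Create an App Service plan" step, "Run the following command replacing `$customLocationId` obtained from the previous step" reads as if the reader should substitute text, but `$customLocationId` is a shell variable the command uses as is; say that the command uses the value captured in the previous step.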
zip -r package.zip .
az webapp deployment source config-zip --resource-group myResourceGroup --name <app-name> --src package.zip ```
-## 5. Get diagnostic logs using Log Analytics
+## 6. Get diagnostic logs using Log Analytics
> [!NOTE] > To use Log Analytics, you should've previously enabled it when [installing the App Service extension](manage-create-arc-environment.md#install-the-app-service-extension). If you installed the extension without Log Analytics, skip this step.
To update the image after the app is create, see [Change the Docker image of a c
- [Configure a Linux Python app](configure-language-python.md) - [Configure a Java app](configure-language-java.md?pivots=platform-linux) - [Configure a Linux Ruby app](configure-language-ruby.md)-- [Configure a custom container](configure-custom-container.md?pivots=container-linux)
+- [Configure a custom container](configure-custom-container.md?pivots=container-linux)
applied-ai-services What Are Applied Ai Services https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/applied-ai-services/what-are-applied-ai-services.md
Enhance reading comprehension and achievement with AI. Azure Immersive Reader is
Enable rapid creation of customizable, sophisticated, conversational experiences with pre-built conversational components enabling business value right out of the box. Azure Bot Service Composer is an open-source visual authoring canvas for developers and multidisciplinary teams to build bots. Composer integrates language understanding services such as LUIS and QnA Maker and allows sophisticated composition of bot replies using language generation. Azure Bot Service is built using Speech/Telephony, LUIS, and QnA Maker from Azure Cognitive Services.
-[Learn more about Azure Bot Service](https://docs.microsoft.com/composer/)ΓÇï
+[Learn more about Azure Bot Service](/composer/)ΓÇï
## Azure Video Analyzer Enabling businesses to build automated apps powered by video intelligence without being a video or AI expert. Azure Video Analyzer is a service for building AI-based video solutions and applications. You can generate real-time business insights from video streams, processing data near the source and applying the AI of your choice. Record videos of interest on the edge or in the cloud and combine them with other data to power your business decisions. Azure Video Analyzer is built using Spatial Analysis from Azure Cognitive Services. Azure Video Analyzer for Media is built using Face, Speech, Translation, Text analytics, Custom vision, and textual content moderation from Azure Cognitive Services.
-[Learn more about Azure Video Analytics](https://aka.ms/video-analyzer-hub)ΓÇïΓÇï
+[Learn more about Azure Video Analytics](../azure-video-analyzer/index.yml)ΓÇïΓÇï
## Certifications and compliance
-Applied AI Services has been awarded certifications such as CSA STAR Certification, FedRAMP Moderate, and HIPAA BAA. You can [download](https://aka.ms/applied-ai-download-certifications "download") certifications for your own audits and security reviews.
+Applied AI Services has been awarded certifications such as CSA STAR Certification, FedRAMP Moderate, and HIPAA BAA. You can [download](/samples/browse/?redirectedfrom=TechNet-Gallery "download") certifications for your own audits and security reviews.
To understand privacy and data management, go to the [Trust Center](https://servicetrust.microsoft.com/ "Trust Center").
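Review bot: In the Certifications and compliance paragraph, the "download" link now targets `/samples/browse/?redirectedfrom=TechNet-Gallery`, which judging by its path is a code samples browser, while the sentence promises certifications "for your own audits and security reviews". Point it at a page that actually serves the compliance documents, or drop the link and rely on the Trust Center link in the next sentence. Separately, the link text "Learn more about Azure Video Analytics" doesn't match the product name "Azure Video Analyzer" used in the section and in the new target, and both rewritten "Learn more" lines carry over the stray characters after the closing parenthesis.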
To understand privacy and data management, go to the [Trust Center](https://serv
Applied AI Services provides several support options to help you move forward with creating intelligent applications. Applied AI Services also has a strong community of developers that can help answer your specific questions. For a full list of options available to you, see: - [Submit Feedback on UserVoice](https://aka.ms/AppliedAIUserVoice)-- [Ask Questions on Microsoft Q&A](https://aka.ms/AppliedAIMSFTQandA)-- [Troubleshoot on StackOverflow](https://aka.ms/AppliedAIStackOverflow)
+- [Ask Questions on Microsoft Q&A](/answers/topics/azure-applied-ai-services.html)
+- [Troubleshoot on StackOverflow](https://aka.ms/AppliedAIStackOverflow)
automation Automation Faq https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/automation-faq.md
description: This article gives answers to frequently asked questions about Azur
Previously updated : 12/17/2020 Last updated : 06/04/2021
When you deploy updates to a Linux machine, you can select update classification
Because Update Management performs update enrichment in the cloud, you can flag some updates in Update Management as having a security impact, even though the local machine doesn't have that information. If you apply critical updates to a Linux machine, there might be updates that aren't marked as having a security impact on that machine and therefore aren't applied. However, Update Management might still report that machine as noncompliant because it has additional information about the relevant update.
-Deploying updates by update classification doesn't work on RTM versions of CentOS. To properly deploy updates for CentOS, select all classifications to make sure updates are applied. For SUSE, selecting ONLY **Other updates** as the classification can install some other security updates if they are related to zypper (package manager) or its dependencies are required first. This behavior is a limitation of zypper. In some cases, you might be required to rerun the update deployment and then verify the deployment through the update log.
+Deploying updates by update classification doesn't work on RTM versions of CentOS. To properly deploy updates for CentOS, select all classifications to make sure updates are applied. For SUSE, selecting ONLY **Other updates** as the classification can install some other security updates if they're related to zypper (package manager) or its dependencies are required first. This behavior is a limitation of zypper. In some cases, you might be required to rerun the update deployment and then verify the deployment through the update log.
### Can I deploy updates across Azure tenants?
For cloud jobs, Python 3.8 is supported. Scripts and packages from any 3.x versi
For hybrid jobs on Windows Hybrid Runbook Workers, you can choose to install any 3.x version you want to use. For hybrid jobs on Linux Hybrid Runbook Workers, we depend on Python 3 version installed on the machine to run DSC OMSConfig and the Linux Hybrid Worker. We recommend installing version 3.6; however, different versions should also work if there are no breaking changes in method signatures or contracts between versions of Python 3.
-### Can Python 2 and Python 3 runbooks run in same automation account?
+### Can Python 2 and Python 3 runbooks run in same Automation account?
-Yes, there is no limitation for using Python 2 and Python 3 runbooks in same automation account.
+Yes, there's no limitation for using Python 2 and Python 3 runbooks in same Automation account.
### What is the plan for migrating existing Python 2 runbooks and packages to Python 3?
-Azure Automation does not plan to migrate Python 2 runbooks and packages to Python 3. You will have to perform this migration yourself. Existing and new Python 2 runbooks and packages will continue to work.
+Azure Automation doesn't plan to migrate Python 2 runbooks and packages to Python 3. You'll have to do this migration yourself. Existing and new Python 2 runbooks and packages will continue to work.
### What are the packages supported by default in Python 3 environment? Azure package 4.0.0 is installed by default in Python 3 Automation environment. You can manually import a higher version of Azure package to override the default version.
-### What if I run a Python 3 runbook that references a Python 2 package or vice-versa?
+### What if I run a Python 3 runbook that references a Python 2 package or the other way around?
Python 2 and Python 3 have different execution environments. While a Python 2 runbook is running, only Python 2 packages can be imported and similar for Python 3.
Python 2 and Python 3 have different execution environments. While a Python 2 ru
Python 3 is a new runbook definition, which distinguishes between Python 2 and Python 3 runbooks. Similarly, another package kind is introduced for Python 3 packages.
+### How does a Hybrid Runbook Worker know which version of Python to run when both Python2 and Python3 are installed?
+
+For a Windows Runbook Worker, when running a Python 2 runbook it looks for the environment variable `PYTHON_2_PATH` first and validates whether it points to a valid executable file. For example, if the installation folder is `C:\Python2`, it would check if `C:\Python2\python.exe` is a valid path. If not found, then it looks for the `PATH` environment variable to do a similar check.
+
+For Python 3, it looks for the `PYTHON_3_PATH` env variable first and then falls back to the `PATH` environment variable.
+
+When using only one version of Python, you can add the installation path to the `PATH` variable. If you want to use both versions on the Runbook Worker, set `PYTHON_2_PATH` and `PYTHON_3_PATH` to the location of the module for those versions.
+
+### How does a Hybrid Runbook Worker locate the Python interpreter?
+
+Locating the Python module is controlled by environment variables as explained earlier.
+
+### Is Python 3 supported in Source Control?
+
+No. Source Control isn't currently supported for Python 3. By default, Python runbooks are synced as Python 2 runbooks.
+
+### How can a runbook author know what Python packages are available in an Azure sandbox?
+
+Use the following code to list the default installed modules:
+
+```python
+#!/usr/bin/env python3
+
+import pkg_resources
+installed_packages = pkg_resources.working_set
+installed_packages_list = sorted(["%s==%s" % (i.key, i.version)
+ for i in installed_packages])
+
+for package in installed_packages_list:
+ print(package)
+```
+
+### How can a runbook author set which version of a package module to be used if there are multiple modules?
+
+The default version can be overridden by importing the Python packages in the Automation account. Preference is given to the imported version in the Automation account.
+ ## Next steps If your question isn't answered here, you can refer to the following sources for more questions and answers.
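Review bot: The new Hybrid Runbook Worker entries are inconsistent about what `PYTHON_2_PATH` and `PYTHON_3_PATH` hold. The first paragraph treats the variable as the installation folder (`C:\Python2`, checked for `C:\Python2\python.exe`), but the last paragraph says to set both to "the location of the module", and the next entry again speaks of "locating the Python module". Use "installation folder" or "interpreter" throughout. The entry "How does a Hybrid Runbook Worker locate the Python interpreter?" only refers back to the previous answer, so fold it in or remove it. The answer also covers only a Windows Runbook Worker; say what a Linux worker does or scope the question to Windows.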
automation Automation Runbook Execution https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/automation-runbook-execution.md
The following table lists some runbook execution tasks with the recommended exec
|Execute long-running script|Hybrid Runbook Worker|Azure sandboxes have [resource limits](../azure-resource-manager/management/azure-subscription-service-limits.md#automation-limits).| |Interact with local services|Hybrid Runbook Worker|Directly access the host machine, or resources in other cloud environments or the on-premises environment. | |Require third-party software and executables|Hybrid Runbook Worker|You manage the operating system and can install software.|
-|Monitor a file or folder with a runbook|Hybrid Runbook Worker|Use a [Watcher task](automation-watchers-tutorial.md) on a Hybrid Runbook Worker.|
+|Monitor a file or folder with a runbook|Hybrid Runbook Worker|Use a [Watcher task](./automation-scenario-using-watcher-task.md) on a Hybrid Runbook Worker.|
|Run a resource-intensive script|Hybrid Runbook Worker| Azure sandboxes have [resource limits](../azure-resource-manager/management/azure-subscription-service-limits.md#automation-limits).| |Use modules with specific requirements| Hybrid Runbook Worker|Some examples are:</br> WinSCP - dependency on winscp.exe </br> IIS administration - dependency on enabling or managing IIS| |Install a module with an installer|Hybrid Runbook Worker|Modules for sandbox must support copying.|
Using child runbooks decreases the total amount of time for the parent runbook t
* To get started with a PowerShell runbook, see [Tutorial: Create a PowerShell runbook](learn/automation-tutorial-runbook-textual-powershell.md). * To work with runbooks, see [Manage runbooks in Azure Automation](manage-runbooks.md). * For details of PowerShell, see [PowerShell Docs](/powershell/scripting/overview).
-* For a PowerShell cmdlet reference, see [Az.Automation](/powershell/module/az.automation#automation).
+* For a PowerShell cmdlet reference, see [Az.Automation](/powershell/module/az.automation#automation).
automation Automation Runbook Types https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/automation-runbook-types.md
Title: Azure Automation runbook types
description: This article describes the types of runbooks that you can use in Azure Automation and considerations for determining which type to use. Previously updated : 05/17/2021 Last updated : 06/10/2021
Python 3 runbooks are supported in the following Azure global infrastructures:
* You must be familiar with Python scripting. * To use third-party libraries, you must [import the packages](python-packages.md) into the Automation account.
-* Using **Start-AutomationRunbook** cmdlet in PowerShell/PowerShell Workflow to start a Python 3 runbook (preview) does not work. You can use **Start-AzAutomationRunbook** cmdlet from Az.Automation module or **Start-AzureRmAutomationRunbook** cmdlet from AzureRm.Automation module to work around this limitation. 
-* Azure Automation does not supportΓÇ»**sys.stderr**.
+* Using **Start-AutomationRunbook** cmdlet in PowerShell/PowerShell Workflow to start a Python 3 runbook (preview) doesn't work. You can use **Start-AzAutomationRunbook** cmdlet from Az.Automation module or **Start-AzureRmAutomationRunbook** cmdlet from AzureRm.Automation module to work around this limitation. 
+* Azure Automation doesn't supportΓÇ»**sys.stderr**.
### Known issues
-Python 3 jobs sometimes fails with an exception message *invalid interpreter executable path*. You might see this exception if a job is delayed, starting more than 10 minutes or using **Start-AutomationRunbook** to start Python 3 runbooks. If the job is delayed, restarting the runbook should be sufficient.
+For cloud jobs, Python 3 jobs sometimes fail with an exception message `invalid interpreter executable path`. You might see this exception if the job is delayed, starting more than 10 minutes, or using **Start-AutomationRunbook** to start Python 3 runbooks. If the job is delayed, restarting the runbook should be sufficient. Hybrid jobs should work without any issue if using the following steps:
+
+1. Create a new environment variable called `PYTHON_3_PATH` and specify the installation folder. For example, if the installation folder is `C:\Python3`, then this path needs to be added to the variable.
+1. Restart the machine after setting the environment variable.
## Next steps
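Review bot: In Known issues, "if the job is delayed, starting more than 10 minutes, or using **Start-AutomationRunbook**" doesn't parse, and the rewrite keeps the problem from the removed line. State the two conditions separately and say what the 10 minutes measures. In step 1, "specify the installation folder ... then this path needs to be added to the variable" is circular; say "set it to the installation folder, for example `C:\Python3`". The steps give only a Windows path, so either scope them to Windows Hybrid Runbook Workers or add the Linux equivalent. The rewritten **sys.stderr** bullet also carries over the stray characters before the bold text.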
automation Update Management https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/troubleshoot/update-management.md
Title: Troubleshoot Azure Automation Update Management issues
description: This article tells how to troubleshoot and resolve issues with Azure Automation Update Management. Previously updated : 04/18/2021 Last updated : 06/10/2021 # Troubleshoot Update Management issues
-This article discusses issues that you might run into when deploying the Update Management feature on your machines. There's an agent troubleshooter for the Hybrid Runbook Worker agent to determine the underlying problem. To learn more about the troubleshooter, see [Troubleshoot Windows update agent issues](update-agent-issues.md) and [Troubleshoot Linux update agent issues](update-agent-issues-linux.md). For other feature deployment issues, see [Troubleshoot feature deployment issues](onboarding.md).
+This article discusses issues that you might run into when using the Update Management feature to assess and manage updates on your machines. There's an agent troubleshooter for the Hybrid Runbook Worker agent to help determine the underlying problem. To learn more about the troubleshooter, see [Troubleshoot Windows update agent issues](update-agent-issues.md) and [Troubleshoot Linux update agent issues](update-agent-issues-linux.md). For other feature deployment issues, see [Troubleshoot feature deployment issues](onboarding.md).
>[!NOTE] >If you run into problems when deploying Update Management on a Windows machine, open the Windows Event Viewer, and check the **Operations Manager** event log under **Application and Services Logs** on the local machine. Look for events with event ID 4502 and event details that contain `Microsoft.EnterpriseManagement.HealthService.AzureAutomation.HybridAgent`.
+## <a name="windows-defender-update-missing-status"></a>Scenario: Windows Defender update always show as missing
+
+### Issue
+
+Definition update for Windows Defender (**KB2267602**) always shows as missing in an assessment when it's installed and shows as up to date when verified from Windows Update history.
+
+### Cause
+
+Definition updates are published multiple times in a single day. As a result, you could see multiple releases of KB2267602 published in a single day, but with a different update ID and version.
+
+Update Management assessment runs once in 11 hours. In this example, at 10:00 AM an assessment ran and version 1.237.316.0 was available at the time. When you search the **Update** table in your Log Analytics workspace, the Definition update 1.237.316.0 is shown with an **UpdateState** of **Needed**. If a scheduled deployment runs a few hours later, let's say 1:00 PM and version 1.237.316.0 is still available or a newer version is, the newer version is installed and this is reflected in the record written to the **UpdateRunProgress** table. However, in the **Update** table, it would still show version 1.237.316.0 as **Needed** until the next assessment is run. When the assessment runs again, there may not be a newer definition update available, so the **Update** table would not show the definition update version 1.237.316.0 as missing or a newer version available as needed. Because of the frequency of definition updates, there could be multiple versions returned in the log search.
+
+### Resolution
+
+Run the following log query to confirm definition updates installed are being properly reported. This query returns the time generated, version, and update ID of KB2267602 in the **Updates** table. Replace the value for *Computer* with the fully qualified name of the machine.
+
+```kusto
+Update
+| where TimeGenerated > ago(14h) and OSType != "Linux" and (Optional == false or Classification has "Critical" or Classification has "Security") and SourceComputerId in ((
+ Heartbeat
+ | where TimeGenerated > ago(12h) and OSType =~ "Windows" and notempty(Computer)
+ | summarize arg_max(TimeGenerated, Solutions) by SourceComputerId
+ | where Solutions has "updates"
+ | distinct SourceComputerId))
+| summarize hint.strategy=partitioned arg_max(TimeGenerated, *) by Computer, SourceComputerId, UpdateID
+| where UpdateState =~ "Needed" and Approved != false and Computer == "<computerName>"
+| render table
+```
+
+Your query results should return something similar to the following:
++
+Run the following log query to get the time generated, version, and update ID of KB2267602 in the **UpdatesRunProgress** table. This query helps us understand if it was installed from Update Management or if it was auto-installed on the machine from Microsoft Update. You need to replace the value for *CorrelationId* with the runbook job GUID (that is, the **MasterJOBID** property value from the **Patch-MicrosoftOMSComputer** runbook job) for the update, and *SourceComputerId* with the GUID of the machine.
+
+```kusto
+UpdateRunProgress
+| where OSType!="Linux" and CorrelationId=="<master job id>" and SourceComputerId=="<source computer id>"
+| summarize arg_max(TimeGenerated, Title, InstallationStatus) by UpdateId
+| project TimeGenerated, id=UpdateId, displayName=Title, InstallationStatus
+```
+
+Your query results should return something similar to the following:
++
+If the **TimeGenerated** value for the log query results from the **Updates** table is earlier than the timestamp (that is, value of **TimeGenerated**) of the update installation on machine or from the log query results from the **UpdateRunProgress** table, then wait for the next assessment. Afterwards, run the log query against the **Updates** table again. Either an update for KB2267602 won't appear or it appears with a newer version. However, even after the most recent assessment if same version shows up as **Needed** in the **Updates** table but it is already installed, you should open an Azure support incident.
+ ## <a name="updates-linux-installed-different"></a>Scenario: Linux updates shown as pending and those installed vary ### Issue
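Review bot: The first query under Resolution does not restrict results to KB2267602, although the sentence introducing it says it returns the time generated, version, and update ID of that KB; as written it returns every update in the **Needed** state for the named computer. Add a filter on the KB and a `project` of the columns the text names, so the output matches the description. The prose also calls the tables **Updates** and **UpdatesRunProgress**, while the queries and the Cause section use `Update` and `UpdateRunProgress`; use the query names throughout. The scenario heading should read "always shows as missing".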
If you don't see your problem or can't resolve your issue, try one of the follow
* Get answers from Azure experts through [Azure Forums](https://azure.microsoft.com/support/forums/). * Connect with [@AzureSupport](https://twitter.com/azuresupport), the official Microsoft Azure account for improving customer experience.
-* File an Azure support incident. Go to the [Azure support site](https://azure.microsoft.com/support/options/) and select **Get Support**.
+* File an Azure support incident. Go to the [Azure support site](https://azure.microsoft.com/support/options/) and select **Get Support**.
automation Enable From Template https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/update-management/enable-from-template.md
# Enable Update Management using Azure Resource Manager template
-You can use an [Azure Resource Manager template](../../azure-resource-manager/templates/template-syntax.md) to enable the Azure Automation Update Management feature in your resource group. This article provides a sample template that automates the following:
+You can use an [Azure Resource Manager template](../../azure-resource-manager/templates/syntax.md) to enable the Azure Automation Update Management feature in your resource group. This article provides a sample template that automates the following:
* Automates the creation of an Azure Monitor Log Analytics workspace. * Automates the creation of an Azure Automation account.
When you no longer need them, delete the **Updates** solution in the Log Analyti
* If you no longer want to use Update Management and wish to remove it, see instructions in [Remove Update Management feature](remove-feature.md).
-* To delete VMs from Update Management, see [Remove VMs from Update Management](remove-vms.md).
+* To delete VMs from Update Management, see [Remove VMs from Update Management](remove-vms.md).
automation View Update Assessments https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/update-management/view-update-assessments.md
Title: View Azure Automation update assessments
description: This article tells how to view update assessments for Update Management deployments. Previously updated : 09/17/2020 Last updated : 06/10/2021
Under **Information link**, select the link for an update to open the support ar
[ ![View update status](./media/view-update-assessments/missing-updates.png)](./media/view-update-assessments/missing-updates-expanded.png#lightbox)
+> [!NOTE]
+> Information that is displayed about the Windows Defender definition update status is based on the last data that was summarized from the Log Analytics workspace and might not be current. Review [Windows Defender update always show as missing](../troubleshoot/update-management.md#windows-defender-update-missing-status) to learn more about this behavior.
+
Click anywhere else on the update to open the Log Search pane. The query for the log search is predefined for that specific update. You can modify this query or create your own query to view detailed information. [ ![View log query results](./media/view-update-assessments/logsearch-results.png)](./media/view-update-assessments/logsearch-results-expanded.png#lightbox)
automation Whats New https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/whats-new.md
Title: What's new in Azure Automation description: Significant updates to Azure Automation updated each month.+ Previously updated : 05/19/2021 Last updated : 06/09/2021
Azure Automation receives improvements on an ongoing basis. To stay up to date w
This page is updated monthly, so revisit it regularly.
+## June 2021
+
+### Support for Automation and State Configuration available in West US 3
+
+**Type:** New feature
+
+For more information, see [Data residency in Azure](https://azure.microsoft.com/global-infrastructure/data-residency/) and select your geography from the drop-down list.
+ ## May 2021 ### Start/Stop VMs during off-hours (v1) **Type:** Plan for change
-Start/Stop VMs during off-hours (v1) will deprecate on 5/21/2022. Customers should evaluate and plan for migration to the Start/Stop VMs v2 (preview), and for further guidance please refer to [Start/Stop v2 overview](../azure-functions/start-stop-vms/overview.md) (preview).
+Start/Stop VMs during off-hours (v1) will deprecate on May 21, 2022. Customers should evaluate and plan for migration to the Start/Stop VMs v2 (preview). For more information, see [Start/Stop v2 overview](../azure-functions/start-stop-vms/overview.md) (preview).
+
+## April 2021
+
+### Support for Update Management and Change Tracking
+
+**Type:** New feature
+
+Region mapping have been updated to support Update Management & Change Tracking in Norway East, UAE North, North Central US, Brazil South, and Korea Central. For more information, see [Supported mappings](./how-to/region-mappings.md#supported-mappings).
+
+### Support for System Assigned Managed Identities
+
+**Type:** New feature
+
+Azure Automation now supports [System Assigned Managed Identities](./automation-security-overview.md#managed-identities-preview) for cloud and Hybrid jobs in Azure public and Gov regions. Read the [announcement](https://azure.microsoft.com/updates/azure-automation-system-assigned-managed-identities/) for more information.
## March 2021
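Review bot: The new June 2021 entry for West US 3 has a heading and a type but no sentence saying what became available; its body is only the data residency link. Add a one-line description in the style of the other region entries on this page. In the April 2021 entry, "Region mapping have been updated" should be "Region mappings have been updated".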
Start/Stop VMs during off-hours (v1) will deprecate on 5/21/2022. Customers shou
**Type:** New feature
-Azure Automation has added 5 new built-in policies:
+Azure Automation has added five new built-in policies:
- Automation accounts should disable public network access, - Azure Automation accounts should use customer-managed keys to encrypt data at rest
Azure Automation has added 5 new built-in policies:
- Configure private endpoint connections on Azure Automation accounts - Private endpoint connections on Automation Accounts should be enabled.
-See the [policy reference](./policy-reference.md) article for more details.
+For more information, see [policy reference](./policy-reference.md).
### Support for Automation and State Configuration declared GA in South India
Use Process Automation and State configuration capabilities in UK West. For more
Use Process Automation and State configuration capabilities in UAE Central. Read the [announcement](https://azure.microsoft.com/updates/azure-automation-in-uae-central-region/) for more information.
-### Support for Automation and State Configuration available in Australia Central 2 , Norway West and France South
+### Support for Automation and State Configuration available in Australia Central 2, Norway West, and France South
**Type:** New feature
Two new scripts have been added to the Azure Automation [GitHub repository](http
**Type:** New feature
-See [Use a webhook from an ARM template](./automation-webhooks.md#use-a-webhook-from-an-arm-template) for more details.
+For more information, see [Use a webhook from an ARM template](./automation-webhooks.md#use-a-webhook-from-an-arm-template).
### Azure Update Management now supports Centos 8.x, Red Hat Enterprise Linux Server 8.x, and SUSE Linux Enterprise Server 15
See the [full list](./update-management/operating-system-requirements.md) of sup
**Type:** New feature
-In all regions except Brazil South and Southeast Asia, Azure Automation data is stored in a different region (Azure paired region) for providing Business Continuity and Disaster Recovery (BCDR). For the Brazil and Southeast Asia regions only, we now store Azure Automation data in the same region to accommodate data-residency requirements for these regions. See [Geo-replication in Azure Automation](./automation-managing-data.md#geo-replication-in-azure-automation) for more details.
+In all regions except Brazil South and Southeast Asia, Azure Automation data is stored in a different region (Azure paired region) for providing Business Continuity and Disaster Recovery (BCDR). For the Brazil and Southeast Asia regions only, we now store Azure Automation data in the same region to accommodate data-residency requirements for these regions. For more information, see [Geo-replication in Azure Automation](./automation-managing-data.md#geo-replication-in-azure-automation).
## February 2021
Automation account and State Configuration availability in Japan West region. Fo
**Type :** New feature
-You can use the new Azure Policy compliance rule to allow creation of jobs, webhooks and job schedules to run only on Hybrid Worker groups.
+You can use the new Azure Policy compliance rule to allow creation of jobs, webhooks, and job schedules to run only on Hybrid Worker groups.
### Update Management availability in East US, France Central, and North Europe regions
The script is available for download from our [GitHub repository](https://github
The Hybrid Runbook Worker feature supports CentOS 8.x, REHL 8.x, and SLES 15 distributions for only process automation on Hybrid Runbook Workers. See [Supported operating systems](automation-linux-hrw-install.md#supported-linux-operating-systems) for updates to the documentation to reflect these changes.
-### Update Management and Change Tracking availability in Australia East, East Asia, West US and Central US regions
+### Update Management and Change Tracking availability in Australia East, East Asia, West US, and Central US regions
**Type:** New feature
-Automation account, Change Tracking and Inventory, and Update Management are available in Australia East, East Asia, West US and Central US regions.
+Automation account, Change Tracking and Inventory, and Update Management are available in Australia East, East Asia, West US, and Central US regions.
### Introduced public preview of Python 3 runbooks in US Government cloud
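Review bot: The context line just above the edited heading spells the distribution "REHL 8.x"; it should be "RHEL 8.x". It is worth fixing in the same commit, since the serial-comma pass is already touching this section.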
Manage Oracle Linux 6 and 7 machines with Automation State Configuration. See [S
**Type:** New feature
-Azure Automation now supports Python 3 cloud and hybrid runbook execution in public preview in all regions in Azure global cloud. See the [announcement]((https://azure.microsoft.com/updates/azure-automation-python-3-public-preview/) for more details.
+Azure Automation now supports Python 3 cloud and hybrid runbook execution in public preview in all regions in Azure global cloud. For more information, see the [announcement]((https://azure.microsoft.com/updates/azure-automation-python-3-public-preview/).
## November 2020
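Review bot: The announcement link on the added line still has a doubled opening parenthesis, `[announcement]((https://azure.microsoft.com/updates/azure-automation-python-3-public-preview/)`, so the Markdown will not render as a link. Since the sentence is being rewritten anyway, drop the extra `(`.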
Azure Automation DNS records have been updated to support Private Links. For mor
**Type:** New feature
-In addition to improve security of assets, runbooks and DSC scripts are also encrypted to enhance Azure Automation security.
+In addition to improve security of assets, runbooks, and DSC scripts are also encrypted to enhance Azure Automation security.
## April 2020
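Review bot: The comma added after "runbooks" changes the meaning of the sentence: "runbooks and DSC scripts" is the subject of "are also encrypted", not the tail of a list that starts with "assets". Revert the serial comma here and, while on this line, fix the opening clause, for example "In addition to improving the security of assets, runbooks and DSC scripts are also encrypted".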
Customers can manage and secure encryption of Azure Automation assets using thei
**Type:** Retire
-Azure Service Management (ASM) REST APIs for Azure Automation will be retired and no longer supported after 30th January 2020. To learn more, see the [announcement](https://azure.microsoft.com/updates/azure-automation-service-management-rest-apis-are-being-retired-april-30-2019/).
+Azure Service Management (ASM) REST APIs for Azure Automation will be retired and no longer supported after January 30, 2020. To learn more, see the [announcement](https://azure.microsoft.com/updates/azure-automation-service-management-rest-apis-are-being-retired-april-30-2019/).
## Next steps
availability-zones Az Region https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/availability-zones/az-region.md
To achieve comprehensive business continuity on Azure, build your application ar
| [Azure Backup](../backup/backup-create-rs-vault.md#set-storage-redundancy) | :large_blue_diamond: | | [Azure Cosmos DB](../cosmos-db/high-availability.md#availability-zone-support) | :large_blue_diamond: | | [Azure Data Lake Storage Gen 2](../storage/blobs/data-lake-storage-introduction.md) | :large_blue_diamond: |
-| [Azure DNS: Azure DNS Private Zones](https://docs.microsoft.com/azure/dns/private-dns-getstarted-portal) | :large_blue_diamond: |
+| [Azure DNS: Azure DNS Private Zones](../dns/private-dns-getstarted-portal.md) | :large_blue_diamond: |
| [Azure Express Route](../expressroute/designing-for-high-availability-with-expressroute.md) | :large_blue_diamond: | | [Azure Public IP](../virtual-network/public-ip-addresses.md) | :large_blue_diamond: | | Azure SQL Database ([General Purpose Tier](../azure-sql/database/high-availability-sla.md)) | :large_blue_diamond: |
To achieve comprehensive business continuity on Azure, build your application ar
| [Azure Cognitive Search](../search/search-performance-optimization.md#availability-zones) | :large_blue_diamond: | | Azure Cognitive | [Azure Data Explorer](/azure/data-explorer/create-cluster-database-portal) | :large_blue_diamond: |
-| [Azure Data Factory](https://docs.microsoft.com/azure/data-factory) | :large_blue_diamond: |
+| [Azure Data Factory](../data-factory/index.yml) | :large_blue_diamond: |
| Azure Database for MySQL ΓÇô [Flexible Server](../mysql/flexible-server/concepts-high-availability.md) | :large_blue_diamond: | | Azure Database for PostgreSQL ΓÇô [Flexible Server](../postgresql/flexible-server/overview.md) | :large_blue_diamond: | | [Azure DDoS Protection](../ddos-protection/ddos-faq.md) | :large_blue_diamond: |
Azure Availability Zones are available with your Azure subscription. Learn more
## Next steps > [!div class="nextstepaction"]
-> [Regions and Availability Zones in Azure](az-overview.md)
+> [Regions and Availability Zones in Azure](az-overview.md)
azure-app-configuration Monitor App Configuration Reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-app-configuration/monitor-app-configuration-reference.md
Last updated 05/05/2021
This article is a reference for the monitoring data collected by App Configuration. See [Monitoring App Configuration](monitor-app-configuration.md) for a walk through on to collect and analyze monitoring data for App Configuration. ## Metrics
-Resource Provider and Type: [App Configuration Platform Metrics](/azure/azure-monitor/essentials/metrics-supported#microsoftappconfigurationconfigurationstores)
+Resource Provider and Type: [App Configuration Platform Metrics](../azure-monitor/essentials/metrics-supported.md#microsoftappconfigurationconfigurationstores)
| Metric | Unit | Description | |-|--| -- |
Resource Provider and Type: [App Configuration Platform Metrics](/azure/azure-mo
|Http Incoming Request Duration | Milliseconds | Server side duration of an Http Request | | Throttled Http Request Count | Count | Throttled requests are Http Requests that return a 429 Status Code (too many requests) |
-For more information, see a list of [all platform metrics supported in Azure Monitor](/azure/azure-monitor/platform/metrics-supported).
+For more information, see a list of [all platform metrics supported in Azure Monitor](../azure-monitor/essentials/metrics-supported.md).
## Metric Dimensions
App Configuration has the following dimensions associated with its metr
| Http Incoming Request Duration | The server side duration of each request. The supported dimensions are the using the **HttpStatusCode** or **AuthenticationScheme** of each request. **AuthenticationScheme** can be filtered by AAD or HMAC authentication. | | Throttled Http Request Count | This metric does not have any dimensions |
- For more information on what metric dimensions are, see [Multi-dimensional metrics](/azure/azure-monitor/platform/data-platform-metrics#multi-dimensional-metrics).
+ For more information on what metric dimensions are, see [Multi-dimensional metrics](../azure-monitor/essentials/data-platform-metrics.md#multi-dimensional-metrics).
## Resource logs This section lists the category types of resource log collected for App Configuration.  | Resource log type | Further information| |-|--|
-| HttpRequest | [App Configuration Resource Log Category Information](/azure/azure-monitor/platform/resource-logs-categories) |
+| HttpRequest | [App Configuration Resource Log Category Information](../azure-monitor/essentials/resource-logs-categories.md) |
-For more information, see a list of [all resource logs category types supported in Azure Monitor](/azure/azure-monitor/platform/resource-logs-schema).
+For more information, see a list of [all resource logs category types supported in Azure Monitor](../azure-monitor/essentials/resource-logs-schema.md).
  ## Azure Monitor Logs tables
App Configuration uses the [AACHttpRequest Table](/azure/azure-monitor/refere
## See Also * See [Monitoring Azure App Configuration](monitor-app-configuration.md) for a description of monitoring Azure App Configuration.
-* See [Monitoring Azure resources with Azure Monitor](/azure/azure-monitor/essentials/monitor-azure-resource) for details on monitoring Azure resources.
-
+* See [Monitoring Azure resources with Azure Monitor](../azure-monitor/essentials/monitor-azure-resource.md) for details on monitoring Azure resources.
azure-app-configuration Monitor App Configuration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-app-configuration/monitor-app-configuration.md
Last updated 05/05/2021
# Monitoring App Configuration When you have critical applications and business processes relying on Azure resources, you want to monitor those resources for their availability, performance, and operation.
-This article describes the monitoring data generated by App Configuration. App Configuration uses [Azure Monitor](/azure/azure-monitor/overview). If you are unfamiliar with the features of Azure Monitor common to all Azure services that use it, read [Monitoring Azure resources with Azure Monitor](/azure/azure-monitor/essentials/monitor-azure-resource).
+This article describes the monitoring data generated by App Configuration. App Configuration uses [Azure Monitor](../azure-monitor/overview.md). If you are unfamiliar with the features of Azure Monitor common to all Azure services that use it, read [Monitoring Azure resources with Azure Monitor](../azure-monitor/essentials/monitor-azure-resource.md).
## Monitoring overview page in Azure portal The **Overview** page in the Azure portal includes a brief view of the resource usage, such as the total number of requests, number of throttled requests, and request duration per configuration store. This information is useful, but only displays a small amount of the monitoring data available. Some of this monitoring data is collected automatically and is available for analysis as soon as you create the resource. You can enable additional types of data collection with some configuration.
The **Overview** page in the Azure portal includes a brief view of the resource
> ![Monitoring on the Overview Page](./media/monitoring-overview-page.png) ## Monitoring data 
-App Configuration collects the same kinds of monitoring data as other Azure resources that are described in [Monitoring data from Azure resources](/azure/azure-monitor/insights/monitor-azure-resource#monitoring-data-from-Azure-resources). See [Monitoring App Configuration data reference](/azure/azure-app-configuration/monitor-app-configuration-reference) for detailed information on the metrics and logs metrics created by App Configuration.
+App Configuration collects the same kinds of monitoring data as other Azure resources that are described in [Monitoring data from Azure resources](../azure-monitor/essentials/monitor-azure-resource.md#monitoring-data). See [Monitoring App Configuration data reference](./monitor-app-configuration-reference.md) for detailed information on the metrics and logs metrics created by App Configuration.
## Collection and routing Platform metrics and the activity log are collected and stored automatically, but can be routed to other locations by using a diagnostic setting.
-Resource Logs are not collected and stored until you create a diagnostic setting and route them to one or more locations. For example, to view logs and metrics for a configuration store in near real-time in Azure Monitor, collect the resource logs in a Log Analytics workspace. If you do not already have one, create a [Log Analytics Workspace](/azure/azure-monitor/logs/quick-create-workspace#:~:text=Create%20a%20Log%20Analytics%20workspace%20in%20the%20Azure,and%20add%20a%20management%20solution%20to%20provide%20) and follow these steps to create and enable a diagnostic setting.
+Resource Logs are not collected and stored until you create a diagnostic setting and route them to one or more locations. For example, to view logs and metrics for a configuration store in near real-time in Azure Monitor, collect the resource logs in a Log Analytics workspace. If you do not already have one, create a [Log Analytics Workspace](../azure-monitor/logs/quick-create-workspace.md) and follow these steps to create and enable a diagnostic setting.
#### [Portal](#tab/portal)
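Review bot: The rewritten "App Configuration collects the same kinds of monitoring data" line keeps the phrase "the metrics and logs metrics created by App Configuration", which has a stray second "metrics"; change it to "the metrics and logs created by App Configuration". The first link's anchor also changed from `#monitoring-data-from-Azure-resources` to `#monitoring-data`, so confirm that the target article has a heading that produces it.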
Resource Logs are not collected and stored until you create a diagnostic setting
Get-AzureRmDiagnosticSetting -ResourceId <app-configuration-resource-id> ```
-For more information on creating a diagnostic setting using the Azure portal, CLI, or PowerShell, see [create a diagnostic setting to collect platform logs and metrics in Azure](/azure/azure-monitor/platform/diagnostic-settings).
+For more information on creating a diagnostic setting using the Azure portal, CLI, or PowerShell, see [create a diagnostic setting to collect platform logs and metrics in Azure](../azure-monitor/essentials/diagnostic-settings.md).
-When you create a diagnostic setting, you specify which categories of logs to collect. For further information on the categories of logs for App Configuration, reference [App Configuration monitoring data reference](/azure/azure-app-configuration/monitor-app-configuration-reference#resource-logs).
+When you create a diagnostic setting, you specify which categories of logs to collect. For further information on the categories of logs for App Configuration, reference [App Configuration monitoring data reference](./monitor-app-configuration-reference.md#resourcelogs).
## Analyzing metrics
-You can analyze metrics for App Configuration with metrics from other Azure services using metrics explorer by opening **Metrics** from the **Azure Monitor** menu. See [Getting started with Azure Metrics Explorer](/azure/azure-monitor/platform/metrics-getting-started) for details on using this tool. For App Configuration, the following metrics are collected:
+You can analyze metrics for App Configuration with metrics from other Azure services using metrics explorer by opening **Metrics** from the **Azure Monitor** menu. See [Getting started with Azure Metrics Explorer](../azure-monitor/essentials/metrics-getting-started.md) for details on using this tool. For App Configuration, the following metrics are collected:
* Http Incoming Request Count * Http Incoming Request Duration
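Review bot: On the added "When you create a diagnostic setting" line, the anchor changes from `#resource-logs` to `#resourcelogs`, but the section in the reference article is headed "Resource logs", so the hyphenated form is the one that matches the heading. Keep `./monitor-app-configuration-reference.md#resource-logs` unless the target defines an explicit `resourcelogs` anchor.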
In the portal, navigate to the **Metrics** section and select the **Metric Names
> [!div class="mx-imgBorder"] > ![How to use App Config Metrics](./media/monitoring-analyze-metrics.png)
-For a list of the platform metrics collected for App Configuration, see [Monitoring App Configuration data reference metrics](/azure/azure-app-configuration/monitor-app-configuration-reference#metrics). For reference, you can also see a list of [all resource metrics supported in Azure Monitor](/azure/azure-monitor/platform/metrics-supported).
+For a list of the platform metrics collected for App Configuration, see [Monitoring App Configuration data reference metrics](./monitor-app-configuration-reference.md#metrics). For reference, you can also see a list of [all resource metrics supported in Azure Monitor](../azure-monitor/essentials/metrics-supported.md).
## Analyzing logs
-Data in Azure Monitor Logs is stored in tables where each table has its own set of unique properties. The common schema is outlined in [Azure Monitor resource log schema](/azure/azure-monitor/platform/diagnostic-logs-schema#top-level-resource-logs-schema).
+Data in Azure Monitor Logs is stored in tables where each table has its own set of unique properties. The common schema is outlined in [Azure Monitor resource log schema](../azure-monitor/essentials/resource-logs-schema.md#top-level-common-schema).
-The [Activity log](/azure/azure-monitor/platform/activity-log) is a platform log in Azure that provides insight into subscription-level events. You can view it independently or route it to Azure Monitor Logs, where you can do much more complex queries using Log Analytics.
-For a list of the types of resource logs collected for App Configuration, see [Monitoring App Configuration data reference](/azure/azure-app-configuration/monitor-app-configuration-reference#logs). For a list of the tables used by Azure Monitor Logs and queryable by Log Analytics, see [Monitoring App Configuration data reference](/azure/azure-app-configuration/monitor-app-configuration-reference#azuremonitorlogstables)
+The [Activity log](../azure-monitor/essentials/activity-log.md) is a platform log in Azure that provides insight into subscription-level events. You can view it independently or route it to Azure Monitor Logs, where you can do much more complex queries using Log Analytics.
+For a list of the types of resource logs collected for App Configuration, see [Monitoring App Configuration data reference](./monitor-app-configuration-reference.md#resourcelogs). For a list of the tables used by Azure Monitor Logs and queryable by Log Analytics, see [Monitoring App Configuration data reference](./monitor-app-configuration-reference.md#azuremonitorlogstables)
>[!IMPORTANT] > When you select **Logs** from the App Configuration menu, Log Analytics is opened with the query scope set to the current app configuration resource. This means that log queries will only include data from that resource.
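Review bot: On the added "For a list of the types of resource logs" line, the second link points at `#azuremonitorlogstables`, while the reference article's heading is "Azure Monitor Logs tables"; check that this anchor and the `#resourcelogs` anchor beside it resolve, and prefer the slugs generated from the headings. The sentence is also missing its final period, which the removed line lacked too.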
Following are sample queries that you can use to help you monitor your App Confi
## Alerts
-Azure Monitor alerts proactively notify you when important conditions are found in your monitoring data. They allow you to identify and address issues in your system before your customers notice them. You can set alerts on [metrics](/azure/azure-monitor/platform/alerts-metric-overview), [logs](/azure/azure-monitor/platform/alerts-unified-log), and the [activity log](/azure/azure-monitor/platform/activity-log-alerts). Different types of alerts have benefits and drawbacks.
+Azure Monitor alerts proactively notify you when important conditions are found in your monitoring data. They allow you to identify and address issues in your system before your customers notice them. You can set alerts on [metrics](../azure-monitor/alerts/alerts-metric-overview.md), [logs](../azure-monitor/alerts/alerts-unified-log.md), and the [activity log](../azure-monitor/alerts/activity-log-alerts.md). Different types of alerts have benefits and drawbacks.
The following table lists common and recommended alert rules for App Configuration. | Alert type | Condition | Description  | |:|:|:|
-|Rate Limit on Http Requests | Status Code = 429  | The configuration store has exceeded the [hourly request quota](/azure/azure-app-configuration/faq#are-there-any-limits-on-the-number-of-requests-made-to-app-configuration). Upgrade to a standard store or follow the [best practices](/azure/azure-app-configuration/howto-best-practices#reduce-requests-made-to-app-configuration) to optimize your usage. |
+|Rate Limit on Http Requests | Status Code = 429  | The configuration store has exceeded the [hourly request quota](./faq.yml#are-there-any-limits-on-the-number-of-requests-made-to-app-configuration). Upgrade to a standard store or follow the [best practices](./howto-best-practices.md#reduce-requests-made-to-app-configuration) to optimize your usage. |
## Next steps
-* See [Monitoring App Configuration data reference](/azure/azure-app-configuration/monitor-app-configuration-reference) for a reference of the metrics, logs, and other important values created by App Configuration.
-
-* See [Monitoring Azure resources with Azure Monitor](/azure/azure-monitor/insights/monitor-azure-resource) for details on monitoring Azure resources.
--
+* See [Monitoring App Configuration data reference](./monitor-app-configuration-reference.md) for a reference of the metrics, logs, and other important values created by App Configuration.
+* See [Monitoring Azure resources with Azure Monitor](../azure-monitor/essentials/monitor-azure-resource.md) for details on monitoring Azure resources.
azure-app-configuration Quickstart Resource Manager https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-app-configuration/quickstart-resource-manager.md
description: Learn how to create an Azure App Configuration store by using Azure Resource Manager template (ARM template). Previously updated : 05/26/2021 Last updated : 06/09/2021
azure-arc Custom Locations https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/kubernetes/custom-locations.md
If you are logged into Azure CLI using a service principal, to enable this featu
az k8s-extension create --name <extensionInstanceName> --extension-type 'Microsoft.Web.Appservice' --cluster-type connectedClusters -c <clusterName> -g <resourceGroupName> --scope cluster --release-namespace appservice-ns --configuration-settings "Microsoft.CustomLocation.ServiceAccount=default" --configuration-settings "appsNamespace=appservice-ns" ```
- * [Event Grid on Kubernetes](/azure/event-grid/kubernetes/overview)
+ * [Event Grid on Kubernetes](../../event-grid/kubernetes/overview.md)
```azurecli az k8s-extension create --name <extensionInstanceName> --extension-type Microsoft.EventGrid --cluster-type connectedClusters -c <clusterName> -g <resourceGroupName> --scope cluster --release-namespace eventgrid-ext --configuration-protected-settings-file protected-settings-extension.json --configuration-settings-file settings-extension.json
If you are logged into Azure CLI using a service principal, to enable this featu
- Securely connect to the cluster using [Cluster Connect](cluster-connect.md). - Continue with [Azure App Service on Azure Arc](../../app-service/overview-arc-integration.md) for end-to-end instructions on installing extensions, creating custom locations, and creating the App Service Kubernetes environment. -- Create an Event Grid topic and an event subscription for [Event Grid on Kubernetes](/azure/event-grid/kubernetes/overview).-- Learn more about currently available [Azure Arc enabled Kubernetes extensions](extensions.md#currently-available-extensions).-
+- Create an Event Grid topic and an event subscription for [Event Grid on Kubernetes](../../event-grid/kubernetes/overview.md).
+- Learn more about currently available [Azure Arc enabled Kubernetes extensions](extensions.md#currently-available-extensions).
azure-arc Extensions https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/kubernetes/extensions.md
A conceptual overview of this feature is available in [Cluster extensions - Azur
| [Azure Arc enabled Open Service Mesh](tutorial-arc-enabled-open-service-mesh.md) | Deploys Open Service Mesh on the cluster and enables capabilities like mTLS security, fine grained access control, traffic shifting, monitoring with Azure Monitor or with open source add-ons of Prometheus and Grafana, tracing with Jaeger, integration with external certification management solution. | | [Azure Arc enabled Data Services](../../azure-arc/kubernetes/custom-locations.md#create-custom-location) | Makes it possible for you to run Azure data services on-prem, at the edge, and in public clouds using Kubernetes and the infrastructure of your choice. | | [Azure App Service on Azure Arc](../../app-service/overview-arc-integration.md) | Allows you to provision an App Service Kubernetes environment on top of Azure Arc enabled Kubernetes clusters. |
-| [Event Grid on Kubernetes](/azure/event-grid/kubernetes/overview) | Create and manage event grid resources such as topics and event subscriptions on top of Azure Arc enabled Kubernetes clusters. |
-| [Azure API Management on Azure Arc](/azure/api-management/how-to-deploy-self-hosted-gateway-azure-arc) | Deploy and manage API Management gateway on Azure Arc enabled Kubernetes clusters. |
+| [Event Grid on Kubernetes](../../event-grid/kubernetes/overview.md) | Create and manage event grid resources such as topics and event subscriptions on top of Azure Arc enabled Kubernetes clusters. |
+| [Azure API Management on Azure Arc](../../api-management/how-to-deploy-self-hosted-gateway-azure-arc.md) | Deploy and manage API Management gateway on Azure Arc enabled Kubernetes clusters. |
## Usage of cluster extensions
Learn more about the cluster extensions currently available for Azure Arc enable
> [Azure App Service on Azure Arc](../../app-service/overview-arc-integration.md) > > [!div class="nextstepaction"]
-> [Event Grid on Kubernetes](/azure/event-grid/kubernetes/overview)
+> [Event Grid on Kubernetes](../../event-grid/kubernetes/overview.md)
> > [!div class="nextstepaction"]
-> [Azure API Management on Azure Arc](/azure/api-management/how-to-deploy-self-hosted-gateway-azure-arc)
+> [Azure API Management on Azure Arc](../../api-management/how-to-deploy-self-hosted-gateway-azure-arc.md)
azure-arc Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/kubernetes/overview.md
Azure Arc enabled Kubernetes supports the following scenarios:
* Apply policies using Azure Policy for Kubernetes.
-* Create [custom locations](./custom-locations.md) as target locations for deploying Azure Arc enabled Data Services, [App Services on Azure Arc](../../app-service/overview-arc-integration.md) (including web, function, and logic apps) and [Event Grid on Kubernetes](/azure/event-grid/kubernetes/overview).
+* Create [custom locations](./custom-locations.md) as target locations for deploying Azure Arc enabled Data Services, [App Services on Azure Arc](../../app-service/overview-arc-integration.md) (including web, function, and logic apps) and [Event Grid on Kubernetes](../../event-grid/kubernetes/overview.md).
[!INCLUDE [azure-lighthouse-supported-service](../../../includes/azure-lighthouse-supported-service.md)]
Azure Arc enabled Kubernetes is currently supported in these regions:
Learn how to connect a cluster to Azure Arc. > [!div class="nextstepaction"]
-> [Connect a cluster to Azure Arc](./quickstart-connect-cluster.md)
+> [Connect a cluster to Azure Arc](./quickstart-connect-cluster.md)
azure-arc Tutorial Gitops Ci Cd https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/kubernetes/tutorial-gitops-ci-cd.md
The CD pipeline uses the security token of the running build to authenticate to
1. For the `<Project Name> Build Service (<Organization Name>)`, allow `Contribute`, `Contribute to pull requests`, and `Create branch`. For more information, see:-- [Grant VC Permissions to the Build Service](https://docs.microsoft.com/azure/devops/pipelines/scripts/git-commands?view=azure-devops&tabs=yaml&preserve-view=true#version-control )-- [Manage Build Service Account Permissions](https://docs.microsoft.com/azure/devops/pipelines/process/access-tokens?view=azure-devops&tabs=yaml&preserve-view=true#manage-build-service-account-permissions)
+- [Grant VC Permissions to the Build Service](/azure/devops/pipelines/scripts/git-commands?preserve-view=true&tabs=yaml&view=azure-devops#version-control )
+- [Manage Build Service Account Permissions](/azure/devops/pipelines/process/access-tokens?preserve-view=true&tabs=yaml&view=azure-devops#manage-build-service-account-permissions)
## Deploy the dev environment for the first time
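Review bot: the first rewritten link still ends in `#version-control )`, with a space between the fragment and the closing parenthesis, carried over unchanged from the removed line. Since the URL is being touched anyway, drop the space so the target reads `...view=azure-devops#version-control)`. The second link has no such space and needs no change.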
azure-arc Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/overview.md
Key features of Azure Arc include:
* Run [Azure data services](../azure-arc/kubernetes/custom-locations.md) on any Kubernetes environment as if it runs in Azure (specifically Azure SQL Managed Instance and Azure Database for PostgreSQL Hyperscale, with benefits such as upgrades, updates, security, and monitoring). Use elastic scale and apply updates without any application downtime, even without continuous connection to Azure.
-* Create [custom locations](./kubernetes/custom-locations.md) on top of your [Azure Arc enabled Kubernetes](./kubernetes/overview.md) clusters, using them as target locations for deploying Azure services instances. Deploy your Azure service cluster extensions for [Azure Arc enabled Data Services](./dat) (including web, function, and logic apps) and [Event Grid on Kubernetes](/azure/event-grid/kubernetes/overview).
+* Create [custom locations](./kubernetes/custom-locations.md) on top of your [Azure Arc enabled Kubernetes](./kubernetes/overview.md) clusters, using them as target locations for deploying Azure services instances. Deploy your Azure service cluster extensions for [Azure Arc enabled Data Services](./dat).
* A unified experience viewing your Azure Arc enabled resources whether you are using the Azure portal, the Azure CLI, Azure PowerShell, or Azure REST API.
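Review bot: the added "Create custom locations" bullet now stops at `[Azure Arc enabled Data Services](./dat).`, so it no longer carries the "(including web, function, and logic apps)" text or the Event Grid on Kubernetes link that the removed line had. The other hunks in this batch only convert that Event Grid link to `../../event-grid/kubernetes/overview.md`, so the deletion here looks unintended. The link target `./dat` also does not look like a complete path as shown. Confirm both against the article source before merging.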
In the current preview phase, Azure Arc enabled data services are offered at no
* To learn more about Arc enabled data services, see the following [overview](https://azure.microsoft.com/services/azure-arc/hybrid-data-services/)
-* Experience Arc enabled services from the [Jumpstart proof of concept](https://azurearcjumpstart.io/azure_arc_jumpstart/)
+* Experience Arc enabled services from the [Jumpstart proof of concept](https://azurearcjumpstart.io/azure_arc_jumpstart/)
azure-australia Azure Policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-australia/azure-policy.md
Azure Blueprints extend the capability of Azure Policy by combining them with:
* Azure RBAC * Azure Resource Groups
-* [Azure Resource Manager Templates](../azure-resource-manager/templates/template-syntax.md)
+* [Azure Resource Manager Templates](../azure-resource-manager/templates/syntax.md)
Blueprints allow for the creation of environment designs that deploy Azure resources from Resource Manager templates, configure Azure RBAC, and enforce and audit configuration by assigning Azure Policy. Blueprints form an editable and redeployable environment template. Once the Blueprint has been created, it can then be assigned to an Azure Subscription. Once assigned, all of the Azure resources defined within the Blueprint will be created and the Azure Policies applied. The deployment and configuration of resources defined in an Azure Blueprint can be monitored from the Azure Blueprint console in the Azure portal.
azure-cache-for-redis Cache How To Zone Redundancy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-cache-for-redis/cache-how-to-zone-redundancy.md
To create a cache, follow these steps:
### Why can't I enable zone redundancy when creating a Premium cache?
-Zone redundancy is available only in Azure regions that have Availability Zones. See [Azure regions with Availability Zones](/azure/availability-zones/az-region#azure-services-supporting-availability-zones) for the latest list.
+Zone redundancy is available only in Azure regions that have Availability Zones. See [Azure regions with Availability Zones](../availability-zones/az-region.md#azure-services-supporting-availability-zones) for the latest list.
### Why can't I select all three zones during cache create?
azure-cache-for-redis Cache Ml https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-cache-for-redis/cache-ml.md
Title: Deploy a machine learning model to Azure Functions with Azure Cache for Redis
-description: In this article, you will deploy a model from Azure Machine Learning as a function app in Azure Functions using an Azure Cache for Redis instance. Azure Cache for Redis is extremely performant and scalable ΓÇô when paired with an Azure Machine Learning model, you gain low latency and high throughput in your application.
+description: In this article, you deploy a model from Azure Machine Learning as a function app in Azure Functions using an Azure Cache for Redis instance. Azure Cache for Redis is performant and scalable ΓÇô when paired with an Azure Machine Learning model, you gain low latency and high throughput in your application.
Last updated 09/30/2020
-# Deploy a machine learning model to Azure Functions with Azure Cache for Redis
+# Deploy a machine learning model to Azure Functions with Azure Cache for Redis
-In this article, you will deploy a model from Azure Machine Learning as a function app in Azure Functions using an Azure Cache for Redis instance.
+In this article, you deploy a model from Azure Machine Learning as a function app in Azure Functions using an Azure Cache for Redis instance.
-Azure Cache for Redis is extremely performant and scalable ΓÇô when paired with an Azure Machine Learning model, you gain low latency and high throughput in your application. A couple scenarios where a cache is particularly beneficial is when inferencing the data and for the actual model inference results. In either scenario, the meta data or results are stored in-memory, which leads to increased performance.
+Azure Cache for Redis is performant and scalable. When paired with an Azure Machine Learning model, you gain low latency and high throughput in your application. A couple scenarios where a cache is beneficial: when inferencing the data and for the actual model inference results. In either scenario, the meta data or results are stored in-memory, which leads to increased performance.
> [!NOTE] > While both Azure Machine Learning and Azure Functions are generally available, the ability to package a model from the Machine Learning service for Functions is in preview. > ## Prerequisites+ * Azure subscription - [create one for free](https://azure.microsoft.com/free/). * An Azure Machine Learning workspace. For more information, see the [Create a workspace](../machine-learning/how-to-manage-workspace.md) article. * [Azure CLI](/cli/azure/install-azure-cli).
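Review bot: in the rewritten intro paragraph, "A couple scenarios where a cache is beneficial: when inferencing the data and for the actual model inference results" is not a complete sentence and its two items are not parallel. Something like "A cache is beneficial in two scenarios: when inferencing the data and when storing the model inference results" would read cleanly. The same paragraph keeps "meta data", which should be "metadata". The `description:` line was only partly aligned with the body: it still joins "performant and scalable" to "when paired with" in one clause, while the body now splits them into two sentences.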
Azure Cache for Redis is extremely performant and scalable ΓÇô when paired with
> > For more information on setting these variables, see [Deploy models with Azure Machine Learning](../machine-learning/how-to-deploy-and-where.md).
-## Create an Azure Cache for Redis instance
+## Create an Azure Cache for Redis instance
+ YouΓÇÖll be able to deploy a machine learning model to Azure Functions with any Basic, Standard, or Premium cache instance. To create a cache instance, follow these steps.
-1. Go to the Azure portal homepage or open the sidebar menu, then select **Create a resource**.
-
+1. Go to the Azure portal homepage or open the sidebar menu, then select **Create a resource**.
+ 1. On the **New** page, select **Databases** and then select **Azure Cache for Redis**. :::image type="content" source="media/cache-private-link/2-select-cache.png" alt-text="Select Azure Cache for Redis.":::
-
+ 1. On the **New Redis Cache** page, configure the settings for your new cache.
-
+ | Setting | Suggested value | Description | | | - | -- |
- | **DNS name** | Enter a globally unique name. | The cache name must be a string between 1 and 63 characters that contains only numbers, letters, or hyphens. The name must start and end with a number or letter, and can't contain consecutive hyphens. Your cache instance's *host name* will be *\<DNS name>.redis.cache.windows.net*. |
- | **Subscription** | Drop down and select your subscription. | The subscription under which to create this new Azure Cache for Redis instance. |
- | **Resource group** | Drop down and select a resource group, or select **Create new** and enter a new resource group name. | Name for the resource group in which to create your cache and other resources. By putting all your app resources in one resource group, you can easily manage or delete them together. |
+ | **DNS name** | Enter a globally unique name. | The cache name must be a string between 1 and 63 characters. The string can contain only numbers, letters, or hyphens. The name must start and end with a number or letter, and can't contain consecutive hyphens. Your cache instance's *host name* will be *\<DNS name>.redis.cache.windows.net*. |
+ | **Subscription** | Drop down and select your subscription. | The subscription under which to create this new Azure Cache for Redis instance. |
+ | **Resource group** | Drop down and select a resource group, or select **Create new** and enter a new resource group name. | Name for the resource group in which to create your cache and other resources. By putting all your app resources in one resource group, you can easily manage or delete them together. |
| **Location** | Drop down and select a location. | Select a [region](https://azure.microsoft.com/regions/) near other services that will use your cache. | | **Pricing tier** | Drop down and select a [Pricing tier](https://azure.microsoft.com/pricing/details/cache/). | The pricing tier determines the size, performance, and features that are available for the cache. For more information, see [Azure Cache for Redis Overview](cache-overview.md). |
-1. Select the **Networking** tab or click the **Networking** button at the bottom of the page.
+1. Select the **Networking** tab or select the **Networking** button at the bottom of the page.
1. In the **Networking** tab, select your connectivity method.
-1. Select the **Next: Advanced** tab or click the **Next: Advanced** button on the bottom of the page.
+1. Select the **Next: Advanced** tab or select the **Next: Advanced** button on the bottom of the page.
1. In the **Advanced** tab for a basic or standard cache instance, select the enable toggle if you want to enable a non-TLS port. 1. In the **Advanced** tab for premium cache instance, configure the settings for non-TLS port, clustering, and data persistence.
-1. Select the **Next: Tags** tab or click the **Next: Tags** button at the bottom of the page.
+1. Select the **Next: Tags** tab or select the **Next: Tags** button at the bottom of the page.
-1. Optionally, in the **Tags** tab, enter the name and value if you wish to categorize the resource.
+1. Optionally, in the **Tags** tab, enter the name and value if you wish to categorize the resource.
1. Select **Review + create**. You're taken to the Review + create tab where Azure validates your configuration. 1. After the green Validation passed message appears, select **Create**.
-It takes a while for the cache to create. You can monitor progress on the Azure Cache for Redis **Overview** page. When **Status** shows as **Running**, the cache is ready to use.
+It takes a while for the cache to create. You can monitor progress on the Azure Cache for Redis **Overview** page. When **Status** shows as **Running**, the cache is ready to use.
## Prepare for deployment
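Review bot: the two **Advanced** tab steps left as context between the "Next: Advanced" and "Next: Tags" edits still offer the non-TLS port toggle with no statement of what enabling it means. While the surrounding steps are being reworded, add a clause saying that traffic on the non-TLS port is not encrypted in transit and that the toggle should stay off unless a client cannot use TLS. The click-to-select wording changes themselves look fine.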
pip install azureml-contrib-functions
## Create the image
-To create the Docker image that is deployed to Azure Functions, use [azureml.contrib.functions.package](/python/api/azureml-contrib-functions/azureml.contrib.functions) or the specific package function for the trigger you are interested in using. The following code snippet demonstrates how to create a new package with a HTTP trigger from the model and inference configuration:
+To create the Docker image that is deployed to Azure Functions, use [azureml.contrib.functions.package](/python/api/azureml-contrib-functions/azureml.contrib.functions) or the specific package function for the trigger you want to use. The following code snippet demonstrates how to create a new package with an HTTP trigger from the model and inference configuration:
> [!NOTE] > The code snippet assumes that `model` contains a registered model, and that `inference_config` contains the configuration for the inference environment. For more information, see [Deploy models with Azure Machine Learning](../machine-learning/how-to-deploy-and-where.md).
When `show_output=True`, the output of the Docker build process is shown. Once t
## Deploy image as a web app
-1. Use the following command to get the login credentials for the Azure Container Registry that contains the image. Replace `<myacr>` with the value returned previously from `package.location`:
+1. Use the following command to get the login credentials for the Azure Container Registry that contains the image. Replace `<myacr>` with the value returned previously from `package.location`:
```azurecli-interactive az acr credential show --name <myacr>
When `show_output=True`, the output of the Docker build process is shown. Once t
Save the value for __username__ and one of the __passwords__.
-1. If you do not already have a resource group or app service plan to deploy the service, the following commands demonstrate how to create both:
+1. If you don't already have a resource group or app service plan to deploy the service, the these commands demonstrate how to create both:
```azurecli-interactive az group create --name myresourcegroup --location "West Europe"
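Review bot: the added step 2 reads "the these commands demonstrate how to create both", a leftover from replacing "the following commands". It should be "these commands demonstrate" or the original "the following commands demonstrate". Separately, the context line just above tells the reader to save the username and one of the passwords from `az acr credential show` without saying where; a short pointer on storing them securely would fit in this step.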
When `show_output=True`, the output of the Docker build process is shown. Once t
```azurecli-interactive az storage account create --name <webjobStorage> --location westeurope --resource-group myresourcegroup --sku Standard_LRS ```+ ```azurecli-interactive az storage account show-connection-string --resource-group myresourcegroup --name <webJobStorage> --query connectionString --output tsv ```
When `show_output=True`, the output of the Docker build process is shown. Once t
``` > [!IMPORTANT]
- > At this point, the function app has been created. However, since you haven't provided the connection string for the HTTP trigger or credentials to the Azure Container Registry that contains the image, the function app is not active. In the next steps, you provide the connection string and the authentication information for the container registry.
+ > At this point, the function app has been created. However, since you haven't provided the connection string for the HTTP trigger or credentials to the Azure Container Registry that contains the image, the function app is not active. In the next steps, you provide the connection string and the authentication information for the container registry.
1. To provide the function app with the credentials needed to access the container registry, use the following command. Replace `<app-name>` with the name of the function app. Replace `<acrinstance>` and `<imagetag>` with the values from the AZ CLI call in the previous step. Replace `<username>` and `<password>` with the ACR login information retrieved earlier:
At this point, the function app begins loading the image.
> [!IMPORTANT] > It may take several minutes before the image has loaded. You can monitor progress using the Azure portal.
-## Test Azure Functions HTTP trigger
+## Test Azure Functions HTTP trigger
-We will now run and test our Azure Functions HTTP trigger.
+We'll now run and test our Azure Functions HTTP trigger.
1. Go to your function app in the Azure portal.
-1. Under developer, select **Code + Test**.
-1. On the right hand side, select the **Input** tab.
-1. Click on the **Run** button to test the Azure Functions HTTP trigger.
+1. Under developer, select **Code + Test**.
+1. On the right-hand side, select the **Input** tab.
+1. Select on the **Run** button to test the Azure Functions HTTP trigger.
-You have now successfully deployed a model from Azure Machine Learning as a function app using an Azure Cache for Redis instance. Learn more about Azure Cache for Redis by navigating to the links in the section below.
+You've now successfully deployed a model from Azure Machine Learning as a function app using an Azure Cache for Redis instance. Learn more about Azure Cache for Redis by navigating to the links in the section below.
## Clean up resources If you're continuing to the next tutorial, you can keep the resources that you created in this quickstart and reuse them.
-Otherwise, if you're finished with the quickstart, you can delete the Azure resources that you created in this quickstart to avoid charges.
+Otherwise, if you're finished with the quickstart, you can delete the Azure resources that you created in this quickstart to avoid charges.
> [!IMPORTANT] > Deleting a resource group is irreversible. When you delete a resource group, all the resources in it are permanently deleted. Make sure that you do not accidentally delete the wrong resource group or resources. If you created the resources for hosting this sample inside an existing resource group that contains resources you want to keep, you can delete each resource individually from their respective blades instead of deleting the resource group.
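Review bot: in the "Test Azure Functions HTTP trigger" steps, the added line "Select on the **Run** button" kept the preposition from "Click on" after the verb swap. It should read "Select the **Run** button" or simply "Select **Run**", matching the other click-to-select replacements in this article.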
You're asked to confirm the deletion of the resource group. Type the name of you
After a few moments, the resource group and all of its resources are deleted.
-## Next steps
+## Next steps
* Learn more about [Azure Cache for Redis](./cache-overview.md) * Learn to configure your function app in the [Functions](../azure-functions/functions-create-function-linux-custom-image.md) documentation.
-* [API Reference](/python/api/azureml-contrib-functions/azureml.contrib.functions)
+* [API Reference](/python/api/azureml-contrib-functions/azureml.contrib.functions)
* Create a [Python app that uses Azure Cache for Redis](./cache-python-get-started.md)
azure-cache-for-redis Cache Web App Arm With Redis Cache Provision https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-cache-for-redis/cache-web-app-arm-with-redis-cache-provision.md
You learn the following deployment details:
You can use this template for your own deployments, or customize it to meet your requirements.
-For more information about creating templates, see [Authoring Azure Resource Manager Templates](../azure-resource-manager/templates/template-syntax.md). To learn about the JSON syntax and properties for cache resource types, see [Microsoft.Cache resource types](/azure/templates/microsoft.cache/allversions).
+For more information about creating templates, see [Authoring Azure Resource Manager Templates](../azure-resource-manager/templates/syntax.md). To learn about the JSON syntax and properties for cache resource types, see [Microsoft.Cache resource types](/azure/templates/microsoft.cache/allversions).
For the complete template, see [Web App with Azure Cache for Redis template](https://github.com/Azure/azure-quickstart-templates/blob/master/201-web-app-with-redis-cache/azuredeploy.json).
New-AzResourceGroupDeployment -TemplateUri https://raw.githubusercontent.com/Azu
```azurecli azure group deployment create --template-uri https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/201-web-app-with-redis-cache/azuredeploy.json -g ExampleDeployGroup
-```
+```
azure-cache-for-redis Cache Web App Cache Aside Leaderboard https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-cache-for-redis/cache-web-app-cache-aside-leaderboard.md
Last updated 03/30/2018
# Tutorial: Create a cache-aside leaderboard on ASP.NET
-In this tutorial you will update the *ContosoTeamStats* ASP.NET web app, created in the [ASP.NET quickstart for Azure Cache for Redis](cache-web-app-howto.md), to include a leaderboard that uses the [cache-aside pattern](/azure/architecture/patterns/cache-aside) with Azure Cache for Redis. The sample application displays a list of team statistics from a database and demonstrates different ways to use Azure Cache for Redis to store and retrieve data from the cache to improve performance. When you complete the tutorial you have a running web app that reads and writes to a database, optimized with Azure Cache for Redis, and hosted in Azure.
+In this tutorial, you update the *ContosoTeamStats* ASP.NET web appcreated in the [ASP.NET quickstart for Azure Cache for Redis](cache-web-app-howto.md)to include a leaderboard that uses the [cache-aside pattern](/azure/architecture/patterns/cache-aside) with Azure Cache for Redis. The sample application displays a list of team statistics from a database. It also demonstrates different ways to use Azure Cache for Redis to store and retrieve data from the cache to improve performance. When you complete the tutorial, you have a running web app that reads and writes to a database, optimized with Azure Cache for Redis, and hosted in Azure.
In this tutorial, you learn how to: > [!div class="checklist"]
+>
> * Improve data throughput and reduce database load by storing and retrieving data using Azure Cache for Redis. > * Use a Redis sorted set to retrieve the top five teams. > * Provision the Azure resources for the application using a Resource Manager template.
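Review bot: the rewritten opening sentence runs words together at "web appcreated in the" and at "(cache-web-app-howto.md)to include", so whatever punctuation was meant to set off the "created in the ASP.NET quickstart" clause is missing as shown here. Use commas on both sides of that clause, as the removed line did, so the sentence renders correctly regardless of encoding.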
To complete this tutorial, you must have the following prerequisites:
* This tutorial continues where you left off in [ASP.NET quickstart for Azure Cache for Redis](cache-web-app-howto.md). If you haven't already, follow the quickstart first. * Install [Visual Studio 2019](https://www.visualstudio.com/downloads/) with the following workloads:
- * ASP.NET and web development
- * Azure Development
- * .NET desktop development with SQL Server Express LocalDB or [SQL Server 2017 Express edition](https://www.microsoft.com/sql-server/sql-server-editions-express).
+ * ASP.NET and web development
+ * Azure Development
+ * .NET desktop development with SQL Server Express LocalDB or [SQL Server 2017 Express edition](https://www.microsoft.com/sql-server/sql-server-editions-express).
## Add a leaderboard to the project
In this section of the tutorial, you configure the *ContosoTeamStats* project wi
### Add the Entity Framework to the project 1. In Visual Studio, open the *ContosoTeamStats* Solution that you created in the [ASP.NET quickstart for Azure Cache for Redis](cache-web-app-howto.md).
-2. Click **Tools > NuGet Package Manager > Package Manager Console**.
+2. Select **Tools > NuGet Package Manager > Package Manager Console**.
3. Run the following command from the **Package Manager Console** window to install EntityFramework: ```powershell
For more information about this package, see the [EntityFramework](https://www.n
1. Right-click **Models** in **Solution Explorer**, and choose **Add**, **Class**.
-1. Enter `Team` for the class name and click **Add**.
+1. Enter `Team` for the class name and select **Add**.
![Add model class](./media/cache-web-app-cache-aside-leaderboard/cache-model-add-class-dialog.png)
For more information about this package, see the [EntityFramework](https://www.n
using System.Data.Entity.SqlServer; ```
-1. Replace the definition of the `Team` class with the following code snippet that contains an updated `Team` class definition as well as some other Entity Framework helper classes. This tutorial is using the code first approach with Entity Framework. This approach allows Entity Framework to create the database from your code. For more information on the code first approach to Entity Framework that's used in this tutorial, see [Code first to a new database](/ef/ef6/modeling/code-first/workflows/new-database).
+1. Replace the definition of the `Team` class with the following code snippet that contains an updated `Team` class definition and some other Entity Framework helper classes. This tutorial is using the code first approach with Entity Framework. This approach allows Entity Framework to create the database from your code. For more information on the code first approach to Entity Framework that's used in this tutorial, see [Code first to a new database](/ef/ef6/modeling/code-first/workflows/new-database).
```csharp public class Team
For more information about this package, see the [EntityFramework](https://www.n
1. Add the following `connectionStrings` section inside the `configuration` section. The name of the connection string must match the name of the Entity Framework database context class, which is `TeamContext`.
- This connection string assumes you have met the [Prerequisites](#prerequisites) and installed SQL Server Express LocalDB, which is part of the *.NET desktop development* workload installed with Visual Studio 2019.
+ This connection string assumes you've met the [Prerequisites](#prerequisites) and installed that SQL Server Express LocalDB that is part of the *.NET desktop development* workload installed with Visual Studio 2019.
```xml <connectionStrings>
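Review bot: the added sentence "installed that SQL Server Express LocalDB that is part of the *.NET desktop development* workload" has a stray "that" after "installed" and reads worse than the line it replaces. Keep the contraction change but restore the structure: "assumes you've met the Prerequisites and installed SQL Server Express LocalDB, which is part of the *.NET desktop development* workload installed with Visual Studio 2019."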
For more information about this package, see the [EntityFramework](https://www.n
### Add the TeamsController and views
-1. In Visual Studio, build the project.
+1. In Visual Studio, build the project.
1. In **Solution Explorer**, right-click the **Controllers** folder and choose **Add**, **Controller**.
-1. Choose **MVC 5 Controller with views, using Entity Framework**, and click **Add**. If you get an error after clicking **Add**, ensure that you have built the project first.
+1. Choose **MVC 5 Controller with views, using Entity Framework**, and select **Add**. If you get an error after selecting **Add**, ensure that you have built the project first.
![Add controller class](./media/cache-web-app-cache-aside-leaderboard/cache-add-controller-class.png)
-1. Select **Team (ContosoTeamStats.Models)** from the **Model class** drop-down list. Select **TeamContext (ContosoTeamStats.Models)** from the **Data context class** drop-down list. Type `TeamsController` in the **Controller** name textbox (if it is not automatically populated). Click **Add** to create the controller class and add the default views.
+1. Select **Team (ContosoTeamStats.Models)** from the **Model class** drop-down list. Select **TeamContext (ContosoTeamStats.Models)** from the **Data context class** drop-down list. Type `TeamsController` in the **Controller** name textbox (if it isn't automatically populated). Select **Add** to create the controller class and add the default views.
![Configure controller](./media/cache-web-app-cache-aside-leaderboard/cache-configure-controller.png)
For more information about this package, see the [EntityFramework](https://www.n
### Configure the Layout view
-1. In **Solution Explorer**, expand the **Views** folder and then the **Shared** folder, and double-click **_Layout.cshtml**.
+1. In **Solution Explorer**, expand the **Views** folder and then the **Shared** folder, and double-click **_Layout.cshtml**.
![_Layout.cshtml](./media/cache-web-app-cache-aside-leaderboard/cache-layout-cshtml.png)
For more information about this package, see the [EntityFramework](https://www.n
![Code changes](./media/cache-web-app-cache-aside-leaderboard/cache-layout-cshtml-code.png)
-1. Press **Ctrl+F5** to build and run the application. This version of the application reads the results directly from the database. Note the **Create New**, **Edit**, **Details**, and **Delete** actions that were automatically added to the application by the **MVC 5 Controller with views, using Entity Framework** scaffold. In the next section of the tutorial, you'll add Azure Cache for Redis to optimize the data access and provide additional features to the application.
+1. Press **Ctrl+F5** to build and run the application. This version of the application reads the results directly from the database. Note the **Create New**, **Edit**, **Details**, and **Delete** actions that were automatically added to the application by the **MVC 5 Controller with views, using Entity Framework** scaffold. In the next section of the tutorial, you'll add Azure Cache for Redis to optimize the data access and provide more features to the application.
![Starter application](./media/cache-web-app-cache-aside-leaderboard/cache-starter-application.png)
You already installed the *StackExchange.Redis* client library package in the qu
### Update the TeamsController to read from the cache or the database
-In this sample, team statistics can be retrieved from the database or from the cache. Team statistics are stored in the cache as a serialized `List<Team>`, and also as a sorted set using Redis data types. When retrieving items from a sorted set, you can retrieve some, all, or query for certain items. In this sample, you'll query the sorted set for the top 5 teams ranked by number of wins.
+In this sample, team statistics can be retrieved from the database or from the cache. Team statistics are stored in the cache as a serialized `List<Team>`, and also as a sorted set using Redis data types. When retrieving items from a sorted set, you can retrieve some, all, or query for certain items. In this sample, you'll query the sorted set for the top five teams ranked by number of wins.
-It is not required to store the team statistics in multiple formats in the cache in order to use Azure Cache for Redis. This tutorial uses multiple formats to demonstrate some of the different ways and different data types you can use to cache data.
+It isn't required to store the team statistics in multiple formats in the cache to use Azure Cache for Redis. This tutorial uses multiple formats to demonstrate some of the different ways and different data types you can use to cache data.
1. Add the following `using` statements to the `TeamsController.cs` file at the top with the other `using` statements:
It is not required to store the team statistics in multiple formats in the cache
1. Add the following four methods to the `TeamsController` class to implement the various ways of retrieving the team statistics from the cache and the database. Each of these methods returns a `List<Team>`, which is then displayed by the view. The `GetFromDB` method reads the team statistics from the database.+ ```csharp List<Team> GetFromDB() {
It is not required to store the team statistics in multiple formats in the cache
} ```
- The `GetFromList` method reads the team statistics from cache as a serialized `List<Team>`. If the statistics are not present in the cache, a cache miss occurs. For a cache miss, the team statistics are read from the database and then stored in the cache for the next request. In this sample, JSON.NET serialization is used to serialize the .NET objects to and from the cache. For more information, see [How to work with .NET objects in Azure Cache for Redis](cache-dotnet-how-to-use-azure-redis-cache.md#work-with-net-objects-in-the-cache).
+ The `GetFromList` method reads the team statistics from cache as a serialized `List<Team>`. If the statistics aren't present in the cache, a cache miss occurs. For a cache miss, the team statistics are read from the database and then stored in the cache for the next request. In this sample, JSON.NET serialization is used to serialize the .NET objects to and from the cache. For more information, see [How to work with .NET objects in Azure Cache for Redis](cache-dotnet-how-to-use-azure-redis-cache.md#work-with-net-objects-in-the-cache).
```csharp List<Team> GetFromList()
It is not required to store the team statistics in multiple formats in the cache
} ```
- The `GetFromSortedSet` method reads the team statistics from a cached sorted set. If there is a cache miss, the team statistics are read from the database and stored in the cache as a sorted set.
+ The `GetFromSortedSet` method reads the team statistics from a cached sorted set. If there's a cache miss, the team statistics are read from the database and stored in the cache as a sorted set.
```csharp List<Team> GetFromSortedSet()
It is not required to store the team statistics in multiple formats in the cache
} ```
- The `GetFromSortedSetTop5` method reads the top five teams from the cached sorted set. It starts by checking the cache for the existence of the `teamsSortedSet` key. If this key is not present, the `GetFromSortedSet` method is called to read the team statistics and store them in the cache. Next, the cached sorted set is queried for the top five teams, which are returned.
+ The `GetFromSortedSetTop5` method reads the top five teams from the cached sorted set. It starts by checking the cache for the existence of the `teamsSortedSet` key. If this key isn't present, the `GetFromSortedSet` method is called to read the team statistics and store them in the cache. Next, the cached sorted set is queried for the top five teams, which are returned.
```csharp List<Team> GetFromSortedSetTop5()
The scaffolding code that was generated as part of this sample includes methods
</table> ```
-1. Scroll to the bottom of the **Index.cshtml** file and add the following `tr` element so that it is the last row in the last table in the file:
+1. Scroll to the bottom of the **Index.cshtml** file and add the following `tr` element so that it's the last row in the last table in the file:
```html <tr><td colspan="5">@ViewBag.Msg</td></tr> ```
- This row displays the value of `ViewBag.Msg` which contains a status report about the current operation. The `ViewBag.Msg` is set when you click any of the action links from the previous step.
+
+ This row displays the value of `ViewBag.Msg`, which contains a status report about the current operation. The `ViewBag.Msg` is set when you select any of the action links from the previous step.
![Status message](./media/cache-web-app-cache-aside-leaderboard/cache-status-message.png)
The scaffolding code that was generated as part of this sample includes methods
Run the application locally on your machine to verify the functionality that has been added to support the teams.
-In this test, the application and database, are both running locally. However, the Azure Cache for Redis is hosted remotely in Azure. Therefore, the cache will likely under-perform the database slightly. For best performance, the client application and Azure Cache for Redis instance should be in the same location. In the next section, you will deploy all resources to Azure to see the improved performance from using a cache.
+In this test, the application and database, are both running locally. The Azure Cache for Redis is not local. It is hosted remotely in Azure. That's why the cache will likely under-perform the database slightly. For best performance, the client application and Azure Cache for Redis instance should be in the same location.
+
+In the next section, you deploy all resources to Azure to see the improved performance from using a cache.
To run the app locally:
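Review bot: The new first sentence keeps the stray comma from the old text ("the application and database, are both running locally"), and the added "is not local. It is hosted remotely" skips the contractions this change applies everywhere else. Suggest "In this test, the application and database are both running locally. The Azure Cache for Redis isn't local; it's hosted remotely in Azure."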
To run the app locally:
In this section, you will provision a new database in SQL Database for the app to use while hosted in Azure.
-1. In the [Azure portal](https://portal.azure.com/), Click **Create a resource** in the upper left-hand corner of the Azure portal.
+1. In the [Azure portal](https://portal.azure.com/), Select **Create a resource** in the upper left-hand corner of the Azure portal.
-1. On the **New** page, click **Databases** > **SQL Database**.
+1. On the **New** page, select **Databases** > **SQL Database**.
1. Use the following settings for the new SQL Database:
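Review bot: In the first step, replacing "Click" with "Select" kept the capital letter mid-sentence: "In the [Azure portal](https://portal.azure.com/), Select **Create a resource**". Lowercase it to "select". The sentence also names the Azure portal twice, so "in the upper left-hand corner of the Azure portal" can be shortened to "in the upper-left corner".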
In this section, you will provision a new database in SQL Database for the app t
| | | - | | **Database name** | *ContosoTeamsDatabase* | For valid database names, see [Database Identifiers](/sql/relational-databases/databases/database-identifiers). | | **Subscription** | *Your subscription* | Select the same subscription you used to create the cache and host the App Service. |
- | **Resource group** | *TestResourceGroup* | Click **Use existing** and use the same resource group where you placed your cache and App Service. |
+ | **Resource group** | *TestResourceGroup* | Select **Use existing** and use the same resource group where you placed your cache and App Service. |
| **Select source** | **Blank database** | Start with a blank database. |
-1. Under **Server**, click **Configure required settings** > **Create a new server** and provide the following information and then click the **Select** button:
+1. Under **Server**, select **Configure required settings** > **Create a new server** and provide the following information and then use the **Select** button:
| Setting ΓÇ» ΓÇ» ΓÇ» | Suggested value | DescriptionΓÇ»| | | | - |
In this section, you will provision a new database in SQL Database for the app t
| **Password** | Any valid password | Your password must have at least 8 characters and must contain characters from three of the following categories: upper case characters, lower case characters, numbers, and non-alphanumeric characters. | | **Location** | *East US* | Select the same region where you created the cache and App Service. |
-1. Click **Pin to dashboard** and then **Create** to create the new database and server.
+1. Select **Pin to dashboard** and then **Create** to create the new database and server.
-1. Once the new database is created, click **Show database connection strings** and copy the **ADO.NET** connection string.
+1. Once the new database is created, select **Show database connection strings** and copy the **ADO.NET** connection string.
![Show connection strings](./media/cache-web-app-cache-aside-leaderboard/cache-show-connection-strings.png)
-1. In the Azure portal, navigate to your App Service and click **Application Settings**, then **Add new connection string** under the Connection strings section.
+1. In the Azure portal, navigate to your App Service and select **Application Settings**, then **Add new connection string** under the Connection strings section.
-1. Add a new connection string named *TeamContext* to match the Entity Framework database context class. Paste the connection string for your new database as the value. Be sure to replace the following placeholders in the connection string and click **Save**:
+1. Add a new connection string named *TeamContext* to match the Entity Framework database context class. Paste the connection string for your new database as the value. Be sure to replace the following placeholders in the connection string and select **Save**:
| Placeholder | Suggested value | | | | | *{your_username}* | Use the **server admin login** for the server you just created. | | *{your_password}* | Use the password for the server you just created. |
- By adding the username and password as an Application Setting, your username and password are not included in your code. This approach helps protect those credentials.
+ By adding the username and password as an Application Setting, your username and password aren't included in your code. This approach helps protect those credentials.
### Publish the application updates to Azure In this step of the tutorial, you'll publish the application updates to Azure to run it in the cloud.
-1. Right-click the **ContosoTeamStats** project in Visual Studio and choose **Publish**.
+1. Right-select the **ContosoTeamStats** project in Visual Studio and choose **Publish**.
![Publish](./media/cache-web-app-cache-aside-leaderboard/cache-publish-app.png)
-2. Click **Publish** to use the same publishing profile you created in the quickstart.
+2. Select **Publish** to use the same publishing profile you created in the quickstart.
3. Once publishing is complete, Visual Studio launches the app in your default web browser.
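Review bot: "Right-select the **ContosoTeamStats** project" in the first publish step is a mechanical click-to-select substitution; "right-select" is not an action a reader can perform. Keep "Right-click" here, the same way **double-click** is left unchanged in the Layout view step earlier in this diff.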
In this step of the tutorial, you'll publish the application updates to Azure to
| Create New |Create a new Team. | | Play Season |Play a season of games, update the team stats, and clear any outdated team data from the cache. | | Clear Cache |Clear the team stats from the cache. |
- | List from Cache |Retrieve the team stats from the cache. If there is a cache miss, load the stats from the database and save to the cache for next time. |
- | Sorted Set from Cache |Retrieve the team stats from the cache using a sorted set. If there is a cache miss, load the stats from the database and save to the cache using a sorted set. |
- | Top 5 Teams from Cache |Retrieve the top 5 teams from the cache using a sorted set. If there is a cache miss, load the stats from the database and save to the cache using a sorted set. |
+ | List from Cache |Retrieve the team stats from the cache. If there's a cache miss, load the stats from the database and save to the cache for next time. |
+ | Sorted Set from Cache |Retrieve the team stats from the cache using a sorted set. If there's a cache miss, load the stats from the database and save to the cache using a sorted set. |
+ | Top 5 Teams from Cache |Retrieve the top 5 teams from the cache using a sorted set. If there's a cache miss, load the stats from the database and save to the cache using a sorted set. |
| Load from DB |Retrieve the team stats from the database. | | Rebuild DB |Rebuild the database and reload it with sample team data. | | Edit / Details / Delete |Edit a team, view details for a team, delete a team. |
-Click some of the actions and experiment with retrieving the data from the different sources. Note the differences in the time it takes to complete the various ways of retrieving the data from the database and the cache.
+Select some of the actions and experiment with retrieving the data from the different sources. Note the differences in the time it takes to complete the various ways of retrieving the data from the database and the cache.
## Clean up resources
-When you are finished with the sample tutorial application, you can delete the Azure resources used in order to conserve cost and resources. All of your resources should be contained in the same resource group, you can delete them together in one operation by deleting the resource group. The instructions for this topic used a resource group named *TestResources*.
+When you're finished with the sample tutorial application, you can delete the Azure resources to conserve cost and resources. All of your resources should be contained in the same resource group. You can delete them together in one operation by deleting the resource group. The instructions in this article used a resource group named *TestResources*.
> [!IMPORTANT] > Deleting a resource group is irreversible and that the resource group and all the resources in it are permanently deleted. Make sure that you do not accidentally delete the wrong resource group or resources. If you created the resources for hosting this sample inside an existing resource group, that contains resources you want to keep, you can delete each resource individually from their respective blades. >
-1. Sign in to the [Azure portal](https://portal.azure.com) and click **Resource groups**.
+1. Sign in to the [Azure portal](https://portal.azure.com) and select **Resource groups**.
2. Type the name of your resource group into the **Filter items...** textbox.
-3. Click **...** to the right of your resource group and click **Delete resource group**.
+3. Select **...** to the right of your resource group and select **Delete resource group**.
![Delete](./media/cache-web-app-cache-aside-leaderboard/cache-delete-resource-group.png)
-4. You will be asked to confirm the deletion of the resource group. Type the name of your resource group to confirm, and click **Delete**.
+4. You're asked to confirm the deletion of the resource group. Type the name of your resource group to confirm, and select **Delete**.
After a few moments, the resource group and all of its contained resources are deleted. ## Next steps > [!div class="nextstepaction"]
-> [How to Scale Azure Cache for Redis](./cache-how-to-scale.md)
+> [How to Scale Azure Cache for Redis](./cache-how-to-scale.md)
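Review bot: The rewritten "Clean up resources" paragraph still says the article used a resource group named *TestResources*, but the SQL Database settings table earlier in this diff tells the reader to use *TestResourceGroup*. Because the steps that follow delete that group irreversibly, the two names should match; pick one and use it in both places.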
azure-functions Develop Python Worker Extensions https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/develop-python-worker-extensions.md
+
+ Title: Develop Python worker extensions for Azure Functions
+description: Learn how to create and publish worker extensions that let you inject middleware behavior into Python functions running in Azure.
+++ Last updated : 6/1/2021+++
+# Develop Python worker extensions for Azure Functions
+
+Azure Functions lets you integrate custom behaviors as part of Python function execution. This feature enables you to create business logic that customers can easily use in their own function apps. To learn more, see the [Python developer reference](functions-reference-python.md#python-worker-extensions).
+
+In this tutorial, you'll learn how to:
+> [!div class="checklist"]
+> * Create an application-level Python worker extension for Azure Functions.
+> * Consume your extension in an app the way your customers do.
+> * Package and publish an extension for consumption.
+
+## Prerequisites
+
+Before you start, you must meet these requirements:
+
+* [Python 3.6.x or above](https://www.python.org/downloads/release/python-374/). To check the full list of supported Python versions in Azure Functions, see the [Python developer guide](functions-reference-python.md#python-version).
+
+* The [Azure Functions Core Tools](functions-run-local.md#v2), version 3.0.3568 or later.
+
+* [Visual Studio Code](https://code.visualstudio.com/) installed on one of the [supported platforms](https://code.visualstudio.com/docs/supporting/requirements#_platforms).
+
+## Create the Python Worker extension
+
+The extension you create reports the elapsed time of an HTTP trigger invocation in the console logs and in the HTTP response body.
+
+### Folder structure
+
+The folder for your extension project should be like the following structure:
+
+```
+<python_worker_extension_root>/
+ | - .venv/
+ | - python_worker_extension_timer/
+ | | - __init__.py
+ | - setup.py
+ | - readme.md
+```
+
+| Folder/file | Description |
+| | |
+| **.venv/** | (Optional) Contains a Python virtual environment used for local development. |
+| **python_worker_extension/** | Contains the source code of the Python worker extension. This folder contains the main Python module to be published into PyPI. |
+| **setup.py** | Contains the metadata of the Python worker extension package. |
+| **readme.md** | (Optional) Contains the instruction and usage of your extension. This content is displayed as the description in the home page in your PyPI project. |
+
+### Configure project metadata
+
+First you create `setup.py`, which provides essential information about your package. To make sure that your extension is distributed and integrated into your customer's function apps properly, confirm that `'azure-functions >= 1.7.0, < 2.0.0'` is in the `install_requires` section.
+
+In the following template, you should change `author`, `author_email`, `install_requires`, `license`, `packages`, and `url` fields as needed.
++
+Next, you'll implement your extension code in the application-level scope.
+
+### Implement the timer extension
+
+Add the following code in `python_worker_extension_timer/__init__.py` to implement the application-level extension:
++
+This code inherits from [AppExtensionBase](https://github.com/Azure/azure-functions-python-library/blob/dev/azure/functions/extension/app_extension_base.py) so that the extension applies to every function in the app. You could have also implemented the extension on a function-level scope by inheriting from [FuncExtensionBase](https://github.com/Azure/azure-functions-python-library/blob/dev/azure/functions/extension/func_extension_base.py).
+
+The `init` method is a class method that's called by the worker when the extension class is imported. You can do initialization actions here for the extension. In this case, a hash map is initialized for recording the invocation start time for each function.
+
+The `configure` method is customer-facing. In your readme file, you can tell your customers when they need to call `Extension.configure()`. The readme should also document the extension capabilities, possible configuration, and usage of your extension. In this example, customers can choose whether the elapsed time is reported in the `HttpResponse`.
+
+The `pre_invocation_app_level` method is called by the Python worker before the function runs. It provides the information from the function, such as function context and arguments. In this example, the extension logs a message and records the start time of an invocation based on its invocation_id.
+
+Similarly, the `post_invocation_app_level` is called after function execution. This example calculates the elapsed time based on the start time and current time. It also overwrites the return value of the HTTP response.
+
+## Consume your extension locally
+
+Now that you've created an extension, you can use it in an app project to verify it works as intended.
+
+### Create an HTTP trigger function
+
+1. Create a new folder for your app project and navigate to it.
+
+1. From the appropriate shell, such as Bash, run the following command to initialize the project:
+
+ ```bash
+ func init --python
+ ```
+
+1. Use the following command to create a new HTTP trigger function that allows anonymous access:
+
+ ```bash
+ func new -t HttpTrigger -n HttpTrigger -a anonymous
+ ```
+
+### Activate a virtual environment
+
+1. Create a Python virtual environment, based on OS as follows:
+
+ # [Linux](#tab/linux)
+ ```bash
+ python3 -m venv .venv
+ ```
+ # [Windows](#tab/windows)
+ ```console
+ py -m venv .venv
+ ```
+
+
+1. Activate the Python virtual environment, based on OS as follows:
+ # [Linux](#tab/linux)
+ ```bash
+ source .venv/bin/activate
+ ```
+ # [Windows](#tab/windows)
+ ```console
+ .venv\Scripts\Activate.ps1
+ ```
+
+
+### Configure the extension
+
+1. Install remote packages for your function app project using the following command:
+
+ ```bash
+ pip install -r requirements.txt
+ ```
+
+1. Install the extension from your local file path, in editable mode as follows:
+
+ ```bash
+ pip install -e <PYTHON_WORKER_EXTENSION_ROOT>
+ ```
+
+ In this example, replace `<PYTHON_WORKER_EXTENSION_ROOT>` with the file location of your extension project.
+ When a customer uses your extension, they'll instead add your extension package location to the requirements.txt file, as in the following examples:
+
+ # [PyPI](#tab/pypi)
+ ```python
+ # requirements.txt
+ python_worker_extension_timer==1.0.0
+ ```
+ # [GitHub](#tab/github)
+
+ ```python
+ # requirements.txt
+ git+https://github.com/Azure-Samples/python-worker-extension-timer@main
+ ```
+
+
+1. Open the local.settings.json project file and add the following field to `Values`:
+
+ ```json
+ "PYTHON_ENABLE_WORKER_EXTENSIONS": "1"
+ ```
+
+ When running in Azure, you instead add `PYTHON_ENABLE_WORKER_EXTENSIONS=1` to the [app settings in the function app](functions-how-to-use-azure-function-app-settings.md#settings).
+
+1. Add following two lines before the `main` function in \_\_init.py\_\_:
+
+ ```python
+ from python_worker_extension_timer import TimerExtension
+ TimerExtension.configure(append_to_http_response=True)
+ ```
+
+ This code imports the `TimerExtension` module and sets the `append_to_http_response` configuration value.
+
+### Verify the extension
+
+1. From your app project root folder, start the function host using `func host start --verbose`. You should see the local endpoint of your function in the output as `https://localhost:7071/api/HttpTrigger`.
+
+1. In the browser, send a GET request to `https://localhost:7071/api/HttpTrigger`. You should see a response like the following, with the **TimeElapsed** data for the request appended.
+
+ <pre>
+ This HTTP triggered function executed successfully. Pass a name in the query string or in the request body for a personalized response. (TimeElapsed: 0.0009996891021728516 sec)
+ </pre>
+
+## Publish your extension
+
+After you've created and verified your extension, you still need to complete these remaining publishing tasks:
+
+> [!div class="checklist"]
+> + Choose a license.
+> + Create a readme.md and other documentation.
+> + Publish the extension library to a Python package registry or a version control system (VCS).
+
+# [PyPI](#tab/pypi)
+
+To publish your extension to PyPI:
+
+1. Run the following command to install `twine` and `wheel` in your default Python environment or a virtual environment:
+
+ ```bash
+ pip install twine wheel
+ ```
+
+1. Remove the old `dist/` folder from your extension repository.
+
+1. Run the following command to generate a new package inside `dist/`:
+
+ ```bash
+ python setup.py sdist bdist_wheel
+ ```
+
+1. Run the following command to upload the package to PyPI:
+
+ ```bash
+ twine upload dist/*
+ ```
+
+ You may need to provide your PyPI account credentials during upload.
+
+After these steps, customers can use your extension by including your package name in their requirements.txt.
+
+For more information, see the [official Python packaging tutorial](https://packaging.python.org/tutorials/packaging-projects/).
+
+# [GitHub](#tab/github)
+
+You can also publish the extension source code with the setup.py file to a GitHub repository, as shown in [this sample repository](https://github.com/Azure-Samples/python-worker-extension-timer).
+
+For more information about VCS support in pip, see the [official pip VCS support documentation](https://pip.pypa.io/en/stable/cli/pip_install/#vcs-support).
+++
+## Examples
+++ You can view completed sample extension project from this article in the [python_worker_extension_timer](https://github.com/Azure-Samples/python-worker-extension-timer) sample repository. +++ OpenCensus integration is an open-source project that uses the extension interface to integrate telemetry tracing in Azure Functions Python apps. See the [opencensus-python-extensions-azure](https://github.com/census-ecosystem/opencensus-python-extensions-azure/tree/main/extensions/functions) repository to review the implementation of this Python worker extension.+
+## Next steps
+
+For more information about Azure Functions Python development, see the following resources:
+
+* [Azure Functions Python developer guide](functions-reference-python.md)
+* [Best practices for Azure Functions](functions-best-practices.md)
+* [Azure Functions developer reference](functions-reference.md)
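Review bot: In the GitHub tab of the requirements.txt example under "Configure the extension", `git+https://github.com/Azure-Samples/python-worker-extension-timer@main` tracks a moving branch, so a customer's app installs whatever is on `main` at build time. An application-level extension applies to every function in the app and, as this article shows, can overwrite the HTTP response, so the example should put a release tag or full commit SHA after the `@`, matching the PyPI tab, which already pins `==1.0.0`. Three smaller fixes in the same file: the last step of that section writes the file name as `\_\_init.py\_\_` where `__init__.py` is meant; the folder table lists `python_worker_extension/` while the tree above it and the import statement use `python_worker_extension_timer`; and "Verify the extension" gives `https://localhost:7071/api/HttpTrigger`, but Core Tools serves the local host over plain HTTP unless HTTPS is explicitly enabled, so both URLs should start with `http://`.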
azure-functions Dotnet Isolated Process Guide https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/dotnet-isolated-process-guide.md
description: Learn how to use a .NET isolated process to run your C# functions o
Previously updated : 03/01/2021 Last updated : 06/01/2021 recommendations: false #Customer intent: As a developer, I need to know how to create functions that run in an isolated process so that I can run my function code on current (not LTS) releases of .NET.
When running out-of-process, your .NET functions can take advantage of the follo
+ Full control of the process: you control the start-up of the app and can control the configurations used and the middleware started. + Dependency injection: because you have full control of the process, you can use current .NET behaviors for dependency injection and incorporating middleware into your function app.
-## Supported versions
-
-The only version of .NET that is currently supported to run out-of-process is .NET 5.0.
## .NET isolated project
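Review bot: Deleting the "Supported versions" section removes the only statement in the visible text of which .NET version can run out-of-process (.NET 5.0), and nothing in this hunk replaces it. If the sentence is being dropped because it is about to become outdated, replace it with the current list or a link to where supported versions are maintained, so readers can still tell which runtime this guide applies to.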
azure-functions Functions App Settings https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/functions-app-settings.md
App settings in a function app contain global configuration options that affect
There are other global configuration options in the [host.json](functions-host-json.md) file and in the [local.settings.json](functions-run-local.md#local-settings-file) file.
-> [!NOTE]
+> [!NOTE]
> You can use application settings to override host.json setting values without having to change the host.json file itself. This is helpful for scenarios where you need to configure or modify specific host.json settings for a specific environment. This also lets you change host.json settings without having to republish your project. To learn more, see the [host.json reference article](functions-host-json.md#override-hostjson-values). Changes to function app settings require your function app to be restarted. ## APPINSIGHTS_INSTRUMENTATIONKEY
-The instrumentation key for Application Insights. Only use one of `APPINSIGHTS_INSTRUMENTATIONKEY` or `APPLICATIONINSIGHTS_CONNECTION_STRING`. When Application Insights runs in a sovereign cloud, use `APPLICATIONINSIGHTS_CONNECTION_STRING`. For more information, see [How to configure monitoring for Azure Functions](configure-monitoring.md).
+The instrumentation key for Application Insights. Only use one of `APPINSIGHTS_INSTRUMENTATIONKEY` or `APPLICATIONINSIGHTS_CONNECTION_STRING`. When Application Insights runs in a sovereign cloud, use `APPLICATIONINSIGHTS_CONNECTION_STRING`. For more information, see [How to configure monitoring for Azure Functions](configure-monitoring.md).
|Key|Sample value| |||
The instrumentation key for Application Insights. Only use one of `APPINSIGHTS_I
The connection string for Application Insights. Use `APPLICATIONINSIGHTS_CONNECTION_STRING` instead of `APPINSIGHTS_INSTRUMENTATIONKEY` in the following cases:
-+ When your function app requires the added customizations supported by using the connection string.
++ When your function app requires the added customizations supported by using the connection string. + When your Application Insights instance runs in a sovereign cloud, which requires a custom endpoint.
-For more information, see [Connection strings](../azure-monitor/app/sdk-connection-string.md).
+For more information, see [Connection strings](../azure-monitor/app/sdk-connection-string.md).
|Key|Sample value| |||
By default, [Functions proxies](functions-proxies.md) use a shortcut to send API
## AZURE_FUNCTION_PROXY_BACKEND_URL_DECODE_SLASHES
-This setting controls whether the characters `%2F` are decoded as slashes in route parameters when they are inserted into the backend URL.
+This setting controls whether the characters `%2F` are decoded as slashes in route parameters when they are inserted into the backend URL.
|Key|Value|Description| |-|-|-|
Dictates whether editing in the Azure portal is enabled. Valid values are "readw
## FUNCTIONS\_EXTENSION\_VERSION
-The version of the Functions runtime that hosts your function app. A tilde (`~`) with major version means use the latest version of that major version (for example, "~3"). When new versions for the same major version are available, they are automatically installed in the function app. To pin the app to a specific version, use the full version number (for example, "3.0.12345"). Default is "~3". A value of `~1` pins your app to version 1.x of the runtime. For more information, see [Azure Functions runtime versions overview](functions-versions.md).
+The version of the Functions runtime that hosts your function app. A tilde (`~`) with major version means use the latest version of that major version (for example, "~3"). When new versions for the same major version are available, they are automatically installed in the function app. To pin the app to a specific version, use the full version number (for example, "3.0.12345"). Default is "~3". A value of `~1` pins your app to version 1.x of the runtime. For more information, see [Azure Functions runtime versions overview](functions-versions.md). A value of `~4` lets you run a preview version Azure Functions to use the .NET 6.0 preview. To learn more, see the [Azure Functions v4 early preview](https://aka.ms/functions-dotnet6earlypreview-wiki) page.
|Key|Sample value| |||
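Review bot: In the added `~4` text, "lets you run a preview version Azure Functions" is missing "of", and the two new sentences are appended after the "For more information, see ..." link that otherwise closes the paragraph. Move them up next to the `~1` sentence and reword, for example "A value of `~4` lets you run a preview version of Azure Functions that uses the .NET 6.0 preview." Because the paragraph still gives "~3" as the default, it would also help to say explicitly that `~4` is opt-in and a preview.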
The version of the Functions runtime that hosts your function app. A tilde (`~`)
## FUNCTIONS\_V2\_COMPATIBILITY\_MODE
-This setting enables your function app to run in a version 2.x compatible mode on the version 3.x runtime. Use this setting only if encountering issues when [upgrading your function app from version 2.x to 3.x of the runtime](functions-versions.md#migrating-from-2x-to-3x).
+This setting enables your function app to run in a version 2.x compatible mode on the version 3.x runtime. Use this setting only if encountering issues when [upgrading your function app from version 2.x to 3.x of the runtime](functions-versions.md#migrating-from-2x-to-3x).
>[!IMPORTANT] > This setting is intended only as a short-term workaround while you update your app to run correctly on version 3.x. This setting is supported as long as the [2.x runtime is supported](functions-versions.md). If you encounter issues that prevent your app from running on version 3.x without using this setting, please [report your issue](https://github.com/Azure/azure-functions-host/issues/new?template=Bug_report.md).
Specifies the maximum number of language worker processes, with a default value
## FUNCTIONS\_WORKER\_RUNTIME
-The language worker runtime to load in the function app. This corresponds to the language being used in your application (for example, `dotnet`). Starting with version 2.x of the Azure Functions runtime, a given function app can only support a single language.
+The language worker runtime to load in the function app. This corresponds to the language being used in your application (for example, `dotnet`). Starting with version 2.x of the Azure Functions runtime, a given function app can only support a single language.
|Key|Sample value| |||
Valid values:
| `powershell` | [PowerShell](functions-reference-powershell.md) | | `python` | [Python](functions-reference-python.md) |
-## MDMaxBackgroundUpgradePeriod
+## MDMaxBackgroundUpgradePeriod
-Controls the managed dependencies background update period for PowerShell function apps, with a default value of `7.00:00:00` (weekly).
+Controls the managed dependencies background update period for PowerShell function apps, with a default value of `7.00:00:00` (weekly).
-Each PowerShell worker process initiates checking for module upgrades on the PowerShell Gallery on process start and every `MDMaxBackgroundUpgradePeriod` after that. When a new module version is available in the PowerShell Gallery, it's installed to the file system and made available to PowerShell workers. Decreasing this value lets your function app get newer module versions sooner, but it also increases the app resource usage (network I/O, CPU, storage). Increasing this value decreases the app's resource usage, but it may also delay delivering new module versions to your app.
+Each PowerShell worker process initiates checking for module upgrades on the PowerShell Gallery on process start and every `MDMaxBackgroundUpgradePeriod` after that. When a new module version is available in the PowerShell Gallery, it's installed to the file system and made available to PowerShell workers. Decreasing this value lets your function app get newer module versions sooner, but it also increases the app resource usage (network I/O, CPU, storage). Increasing this value decreases the app's resource usage, but it may also delay delivering new module versions to your app.
|Key|Sample value| |||
To learn more, see [Dependency management](functions-reference-powershell.md#dep
## MDNewSnapshotCheckPeriod
-Specifies how often each PowerShell worker checks whether managed dependency upgrades have been installed. The default frequency is `01:00:00` (hourly).
+Specifies how often each PowerShell worker checks whether managed dependency upgrades have been installed. The default frequency is `01:00:00` (hourly).
-After new module versions are installed to the file system, every PowerShell worker process must be restarted. Restarting PowerShell workers affects your app availability as it can interrupt current function execution. Until all PowerShell worker processes are restarted, function invocations may use either the old or the new module versions. Restarting all PowerShell workers completes within `MDNewSnapshotCheckPeriod`.
+After new module versions are installed to the file system, every PowerShell worker process must be restarted. Restarting PowerShell workers affects your app availability as it can interrupt current function execution. Until all PowerShell worker processes are restarted, function invocations may use either the old or the new module versions. Restarting all PowerShell workers completes within `MDNewSnapshotCheckPeriod`.
-Within every `MDNewSnapshotCheckPeriod`, the PowerShell worker checks whether or not managed dependency upgrades have been installed. When upgrades have been installed, a restart is initiated. Increasing this value decreases the frequency of interruptions because of restarts. However, the increase might also increase the time during which function invocations could use either the old or the new module versions, non-deterministically.
+Within every `MDNewSnapshotCheckPeriod`, the PowerShell worker checks whether or not managed dependency upgrades have been installed. When upgrades have been installed, a restart is initiated. Increasing this value decreases the frequency of interruptions because of restarts. However, the increase might also increase the time during which function invocations could use either the old or the new module versions, non-deterministically.
|Key|Sample value| |||
To learn more, see [Dependency management](functions-reference-powershell.md#dep
## MDMinBackgroundUpgradePeriod
-The period of time after a previous managed dependency upgrade check before another upgrade check is started, with a default of `1.00:00:00` (daily).
+The period of time after a previous managed dependency upgrade check before another upgrade check is started, with a default of `1.00:00:00` (daily).
-To avoid excessive module upgrades on frequent Worker restarts, checking for module upgrades isn't performed when any worker has already initiated that check in the last `MDMinBackgroundUpgradePeriod`.
+To avoid excessive module upgrades on frequent Worker restarts, checking for module upgrades isn't performed when any worker has already initiated that check in the last `MDMinBackgroundUpgradePeriod`.
|Key|Sample value| |||
To learn more, see [Dependency management](functions-reference-powershell.md#dep
## PIP\_EXTRA\_INDEX\_URL
-The value for this setting indicates a custom package index URL for Python apps. Use this setting when you need to run a remote build using custom dependencies that are found in an extra package index.
+The value for this setting indicates a custom package index URL for Python apps. Use this setting when you need to run a remote build using custom dependencies that are found in an extra package index.
|Key|Sample value| |||
The configuration is specific to Python function apps. It defines the prioritiza
|PYTHON\_ISOLATE\_WORKER\_DEPENDENCIES|0| Prioritize loading the Python libraries from internal Python worker's dependencies. Third-party libraries defined in requirements.txt may be shadowed. | |PYTHON\_ISOLATE\_WORKER\_DEPENDENCIES|1| Prioritize loading the Python libraries from application's package defined in requirements.txt. This prevents your libraries from colliding with internal Python worker's libraries. |
+## PYTHON\_ENABLE\_WORKER\_EXTENSIONS
+
+The configuration is specific to Python function apps. Setting this to `1` allows the worker to load in [Python worker extensions](functions-reference-python.md#python-worker-extensions) defined in requirements.txt. It enables your function app to access new features provided by third-party packages. It may also change the behavior of function load and invocation in your app. Please ensure the extension you choose is trustworthy as you bear the risk of using it. Azure Functions gives no express warranties to any extensions. For how to use an extension, please visit the extension's manual page or readme doc. By default, this value sets to `0`.
+
+|Key|Value|Description|
+||--|--|
+|PYTHON\_ENABLE\_WORKER\_EXTENSIONS|0| Disable any Python worker extension. |
+|PYTHON\_ENABLE\_WORKER\_EXTENSIONS|1| Allow Python worker to load extensions from requirements.txt. |
## PYTHON\_THREADPOOL\_THREAD\_COUNT
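Review bot: The trust caveat in the new PYTHON_ENABLE_WORKER_EXTENSIONS paragraph ("Please ensure the extension you choose is trustworthy as you bear the risk of using it") sits mid-paragraph, while this same update puts the equivalent warning in a `> [!IMPORTANT]` callout in functions-reference-python.md. Use the callout here as well, since setting the value to `1` lets the worker load packages from requirements.txt that can change function load and invocation. Two smaller points: "By default, this value sets to `0`" should read "The default value is `0`", and the separator row `||--|--|` has no dashes in its first column, unlike the `|-|-|-|` row used for the AZURE_FUNCTION_PROXY_BACKEND_URL_DECODE_SLASHES table.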
Specifies the maximum number of threads that a Python language worker would use
## SCALE\_CONTROLLER\_LOGGING\_ENABLED
-_This setting is currently in preview._
+_This setting is currently in preview._
This setting controls logging from the Azure Functions scale controller. For more information, see [Scale controller logs](functions-monitoring.md#scale-controller-logs).
Connection string for storage account where the function app code and configurat
||| |WEBSITE_CONTENTAZUREFILECONNECTIONSTRING|DefaultEndpointsProtocol=https;AccountName=[name];AccountKey=[key]|
-Only used when deploying to a Premium plan or to a Consumption plan running on Windows. Not supported for Consumptions plans running Linux. Changing or removing this setting may cause your function app to not start. To learn more, see [this troubleshooting article](functions-recover-storage-account.md#storage-account-application-settings-were-deleted).
+Only used when deploying to a Premium plan or to a Consumption plan running on Windows. Not supported for Consumptions plans running Linux. Changing or removing this setting may cause your function app to not start. To learn more, see [this troubleshooting article](functions-recover-storage-account.md#storage-account-application-settings-were-deleted).
## WEBSITE\_CONTENTOVERVNET
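Review bot: The changed line still reads "Not supported for Consumptions plans running Linux"; since the line is being touched anyway, correct it to "Consumption plans". The same sentence appears unchanged under the next setting and needs the same fix.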
The file path to the function app code and configuration in an event-driven scal
Only used when deploying to a Premium plan or to a Consumption plan running on Windows. Not supported for Consumptions plans running Linux. Changing or removing this setting may cause your function app to not start. To learn more, see [this troubleshooting article](functions-recover-storage-account.md#storage-account-application-settings-were-deleted).
-When using an Azure Resource Manager template to create a function app during deployment, don't include WEBSITE_CONTENTSHARE in the template. This application setting is generated during deployment. To learn more, see [Automate resource deployment for your function app](functions-infrastructure-as-code.md#windows).
+When using an Azure Resource Manager template to create a function app during deployment, don't include WEBSITE_CONTENTSHARE in the template. This application setting is generated during deployment. To learn more, see [Automate resource deployment for your function app](functions-infrastructure-as-code.md#windows).
## WEBSITE\_DNS\_SERVER
-Sets the DNS server used by an app when resolving IP addresses. This setting is often required when using certain networking functionality, such as [Azure DNS private zones](functions-networking-options.md#azure-dns-private-zones) and [private endpoints](functions-networking-options.md#restrict-your-storage-account-to-a-virtual-network).
+Sets the DNS server used by an app when resolving IP addresses. This setting is often required when using certain networking functionality, such as [Azure DNS private zones](functions-networking-options.md#azure-dns-private-zones) and [private endpoints](functions-networking-options.md#restrict-your-storage-account-to-a-virtual-network).
|Key|Sample value| ||| |WEBSITE\_DNS\_SERVER|168.63.129.16|
-## WEBSITE\_ENABLE\_BROTLI\_ENCODING
+## WEBSITE\_ENABLE\_BROTLI\_ENCODING
-Controls whether Brotli encoding is used for compression instead of the default gzip compression. When `WEBSITE_ENABLE_BROTLI_ENCODING` is set to `1`, Brotli encoding is used; otherwise gzip encoding is used.
+Controls whether Brotli encoding is used for compression instead of the default gzip compression. When `WEBSITE_ENABLE_BROTLI_ENCODING` is set to `1`, Brotli encoding is used; otherwise gzip encoding is used.
## WEBSITE\_MAX\_DYNAMIC\_APPLICATION\_SCALE\_OUT
The maximum number of instances that the app can scale out to. Default is no lim
## WEBSITE\_NODE\_DEFAULT_VERSION
-_Windows only._
-Sets the version of Node.js to use when running your function app on Windows. You should use a tilde (~) to have the runtime use the latest available version of the targeted major version. For example, when set to `~10`, the latest version of Node.js 10 is used. When a major version is targeted with a tilde, you don't have to manually update the minor version.
+_Windows only._
+Sets the version of Node.js to use when running your function app on Windows. You should use a tilde (~) to have the runtime use the latest available version of the targeted major version. For example, when set to `~10`, the latest version of Node.js 10 is used. When a major version is targeted with a tilde, you don't have to manually update the minor version.
|Key|Sample value| |||
Valid values are either a URL that resolves to the location of a deployment pack
## WEBSITE\_TIME\_ZONE
-Allows you to set the timezone for your function app.
+Allows you to set the timezone for your function app.
|Key|OS|Sample value| ||--||
Allows you to set the timezone for your function app.
## WEBSITE\_VNET\_ROUTE\_ALL
-Indicates whether all outbound traffic from the app is routed through the virtual network. A setting value of `1` indicates that all traffic is routed through the virtual network. You need this setting when using features of [Regional virtual network integration](functions-networking-options.md#regional-virtual-network-integration). It's also used when a [virtual network NAT gateway is used to define a static outbound IP address](functions-how-to-use-nat-gateway.md).
+Indicates whether all outbound traffic from the app is routed through the virtual network. A setting value of `1` indicates that all traffic is routed through the virtual network. You need this setting when using features of [Regional virtual network integration](functions-networking-options.md#regional-virtual-network-integration). It's also used when a [virtual network NAT gateway is used to define a static outbound IP address](functions-how-to-use-nat-gateway.md).
|Key|Sample value| |||
azure-functions Functions Debug Event Grid Trigger Local https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/functions-debug-event-grid-trigger-local.md
This article demonstrates how to debug a local function that handles an Azure Ev
## Prerequisites - Create or use an existing function app-- Create or use an existing storage account. Event Grid notification subscription can be set on Azure Storage accounts for `BlobStorage`, `StorageV2`, or [Data Lake Storage Gen2](/azure/storage/blobs/data-lake-storage-introduction).
+- Create or use an existing storage account. Event Grid notification subscription can be set on Azure Storage accounts for `BlobStorage`, `StorageV2`, or [Data Lake Storage Gen2](../storage/blobs/data-lake-storage-introduction.md).
- Download [ngrok](https://ngrok.com/) to allow Azure to call your local function ## Create a new function
To clean up the resources created in this article, delete the **test** container
## Next steps - [Automate resizing uploaded images using Event Grid](../event-grid/resize-images-on-storage-blob-upload-event.md)-- [Event Grid trigger for Azure Functions](./functions-bindings-event-grid.md)
+- [Event Grid trigger for Azure Functions](./functions-bindings-event-grid.md)
azure-functions Functions Dotnet Class Library https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/functions-dotnet-class-library.md
As a C# developer, you may also be interested in one of the following articles:
Azure Functions supports C# and C# script programming languages. If you're looking for guidance on [using C# in the Azure portal](functions-create-function-app-portal.md), see [C# script (.csx) developer reference](functions-reference-csharp.md).
-## Supported versions
-
-Versions of the Functions runtime work with specific versions of .NET. To learn more about Functions versions, see [Azure Functions runtime versions overview](functions-versions.md)
-
-The following table shows the highest level of .NET Core or .NET Framework that can be used with a specific version of Functions.
-
-| Functions runtime version | Max .NET version |
-| - | - |
-| Functions 3.x | .NET Core 3.1<br/>.NET 5.0<sup>1</sup> |
-| Functions 2.x | .NET Core 2.2<sup>2</sup> |
-| Functions 1.x | .NET Framework 4.7 |
-
-<sup>1</sup> Must run [out-of-process](dotnet-isolated-process-guide.md).
-<sup>2</sup> For details, see [Functions v2.x considerations](#functions-v2x-considerations).
-
-For the latest news about Azure Functions releases, including the removal of specific older minor versions, monitor [Azure App Service announcements](https://github.com/Azure/app-service-announcements/issues).
### Functions v2.x considerations
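Review bot: Deleting the whole "## Supported versions" section leaves "### Functions v2.x considerations" as an H3 that now follows the introduction directly, so it no longer has the H2 it was written under. The removed footnote 2 was also the in-page link to `#functions-v2x-considerations`. Either promote or re-parent that heading, and keep a one-line pointer to functions-versions.md so readers can still find which .NET version each runtime version supports.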
The `Sdk` package also depends on [Newtonsoft.Json](https://www.nuget.org/packag
The source code for `Microsoft.NET.Sdk.Functions` is available in the GitHub repo [azure\-functions\-vs\-build\-sdk](https://github.com/Azure/azure-functions-vs-build-sdk).
-## Runtime version
+## Local runtime version
-Visual Studio uses the [Azure Functions Core Tools](functions-run-local.md#install-the-azure-functions-core-tools) to run Functions projects. The Core Tools is a command-line interface for the Functions runtime.
+Visual Studio uses the [Azure Functions Core Tools](functions-run-local.md#install-the-azure-functions-core-tools) to run Functions projects on your local computer. The Core Tools is a command-line interface for the Functions runtime.
-If you install the Core Tools by using npm, that doesn't affect the Core Tools version used by Visual Studio. For the Functions runtime version 1.x, Visual Studio stores Core Tools versions in *%USERPROFILE%\AppData\Local\Azure.Functions.Cli* and uses the latest version stored there. For Functions 2.x, the Core Tools are included in the **Azure Functions and Web Jobs Tools** extension. For both 1.x and 2.x, you can see what version is being used in the console output when you run a Functions project:
+If you install the Core Tools using the Windows installer (MSI) package or by using npm, that doesn't affect the Core Tools version used by Visual Studio. For the Functions runtime version 1.x, Visual Studio stores Core Tools versions in *%USERPROFILE%\AppData\Local\Azure.Functions.Cli* and uses the latest version stored there. For Functions 2.x, the Core Tools are included in the **Azure Functions and Web Jobs Tools** extension. For both 1.x and 2.x, you can see what version is being used in the console output when you run a Functions project:
```terminal [3/1/2018 9:59:53 AM] Starting Host (HostId=contoso2-1518597420, Version=2.0.11353.0, ProcessId=22020, Debug=False, Attempt=0, FunctionsExtensionVersion=)
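Review bot: Renaming "## Runtime version" to "## Local runtime version" changes the generated heading anchor, so any existing links to `#runtime-version` on this page will stop resolving; check for inbound links or keep an explicit anchor. In the reworded sentence, "using the Windows installer (MSI) package or by using npm" mixes two constructions; "by using the Windows installer (MSI) package or npm" reads cleanly.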
azure-functions Functions Infrastructure As Code https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/functions-infrastructure-as-code.md
You can use an Azure Resource Manager template to deploy a function app. This article outlines the required resources and parameters for doing so. You might need to deploy other resources, depending on the [triggers and bindings](functions-triggers-bindings.md) in your function app.
-For more information about creating templates, see [Authoring Azure Resource Manager templates](../azure-resource-manager/templates/template-syntax.md).
+For more information about creating templates, see [Authoring Azure Resource Manager templates](../azure-resource-manager/templates/syntax.md).
For sample templates, see: - [Function app on Consumption plan]
Learn more about how to develop and configure Azure Functions.
<!-- LINKS --> [Function app on Consumption plan]: https://github.com/Azure/azure-quickstart-templates/blob/master/quickstarts/microsoft.web/function-app-create-dynamic/azuredeploy.json
-[Function app on Azure App Service plan]: https://github.com/Azure/azure-quickstart-templates/blob/master/quickstarts/microsoft.web/azuredeploy.json
+[Function app on Azure App Service plan]: https://github.com/Azure/azure-quickstart-templates/blob/master/quickstarts/microsoft.web/azuredeploy.json
azure-functions Functions Reference Python https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/functions-reference-python.md
This article is an introduction to developing Azure Functions using Python. The
As a Python developer, you may also be interested in one of the following articles: | Getting started | Concepts| Scenarios/Samples |
-| -- | -- | -- |
+|--|--|--|
| <ul><li>[Python function using Visual Studio Code](./create-first-function-vs-code-csharp.md?pivots=programming-language-python)</li><li>[Python function with terminal/command prompt](./create-first-function-cli-csharp.md?pivots=programming-language-python)</li></ul> | <ul><li>[Developer guide](functions-reference.md)</li><li>[Hosting options](functions-scale.md)</li><li>[Performance&nbsp;considerations](functions-best-practices.md)</li></ul> | <ul><li>[Image classification with PyTorch](machine-learning-pytorch.md)</li><li>[Azure automation sample](/samples/azure-samples/azure-functions-python-list-resource-groups/azure-functions-python-sample-list-resource-groups/)</li><li>[Machine learning with TensorFlow](functions-machine-learning-tensorflow.md)</li><li>[Browse Python samples](/samples/browse/?products=azure-functions&languages=python)</li></ul> | > [!NOTE]
from ..shared_code import my_first_helper_function #(deprecated beyond top-level
## Triggers and Inputs
-Inputs are divided into two categories in Azure Functions: trigger input and additional input. Although they are different in the `function.json` file, usage is identical in Python code. Connection strings or secrets for trigger and input sources map to values in the `local.settings.json` file when running locally, and the application settings when running in Azure.
+Inputs are divided into two categories in Azure Functions: trigger input and other input. Although they're different in the `function.json` file, usage is identical in Python code. Connection strings or secrets for trigger and input sources map to values in the `local.settings.json` file when running locally, and the application settings when running in Azure.
For example, the following code demonstrates the difference between the two:
def main(req: func.HttpRequest,
## Logging
-Access to the Azure Functions runtime logger is available via a root [`logging`](https://docs.python.org/3/library/logging.html#module-logging) handler in your function app. This logger is tied to Application Insights and allows you to flag warnings and errors encountered during the function execution.
+Access to the Azure Functions runtime logger is available via a root [`logging`](https://docs.python.org/3/library/logging.html#module-logging) handler in your function app. This logger is tied to Application Insights and allows you to flag warnings and errors that occur during the function execution.
The following example logs an info message when the function is invoked via an HTTP trigger.
def main(req):
logging.info('Python HTTP trigger function processed a request.') ```
-Additional logging methods are available that let you write to the console at different trace levels:
+More logging methods are available that let you write to the console at different trace levels:
| Method | Description | | - | |
Likewise, you can set the `status_code` and `headers` for the response message i
## Scaling and Performance
-For scaling and performance best practices for Python function apps, please refer to the [Python scale and performance article](python-scale-performance-reference.md).
+For scaling and performance best practices for Python function apps, see the [Python scale and performance article](python-scale-performance-reference.md).
## Context
You can also use Azure Pipelines to build your dependencies and publish using co
When using remote build, dependencies restored on the server and native dependencies match the production environment. This results in a smaller deployment package to upload. Use remote build when developing Python apps on Windows. If your project has custom dependencies, you can [use remote build with extra index URL](#remote-build-with-extra-index-url).
-Dependencies are obtained remotely based on the contents of the requirements.txt file. [Remote build](functions-deployment-technologies.md#remote-build) is the recommended build method. By default, the Azure Functions Core Tools requests a remote build when you use the following [func azure functionapp publish](functions-run-local.md#publish) command to publish your Python project to Azure.
+Dependencies are obtained remotely based on the contents of the requirements.txt file. [Remote build](functions-deployment-technologies.md#remote-build) is the recommended build method. By default, the Azure Functions Core Tools requests a remote build when you use the following [`func azure functionapp publish`](functions-run-local.md#publish) command to publish your Python project to Azure.
```bash func azure functionapp publish <APP_NAME>
The [Azure Functions Extension for Visual Studio Code](./create-first-function-v
### Local build
-Dependencies are obtained locally based on the contents of the requirements.txt file. You can prevent doing a remote build by using the following [func azure functionapp publish](functions-run-local.md#publish) command to publish with a local build.
+Dependencies are obtained locally based on the contents of the requirements.txt file. You can prevent doing a remote build by using the following [`func azure functionapp publish`](functions-run-local.md#publish) command to publish with a local build.
```command func azure functionapp publish <APP_NAME> --build local
class TestFunction(unittest.TestCase):
) ```
-Inside your `.venv` Python virtual environment, install your favorite Python test framework (e.g. `pip install pytest`). Simply run `pytest tests` to check the test result.
+Inside your `.venv` Python virtual environment, install your favorite Python test framework, such as `pip install pytest`. Then run `pytest tests` to check the test result.
## Temporary files
There are a few libraries come with the Python Functions runtime.
### Python Standard Library
-The Python Standard Library contain a list of built-in Python modules that are shipped with each Python distribution. Most of these libraries help you access system functionality, like file I/O. On Windows systems, these libraries are installed with Python. On the Unix-based systems, they are provided by package collections.
+The Python Standard Library contains a list of built-in Python modules that are shipped with each Python distribution. Most of these libraries help you access system functionality, like file I/O. On Windows systems, these libraries are installed with Python. On the Unix-based systems, they are provided by package collections.
-To view the full details of the list of these libraries, please visit the links below:
+To view the full details of the list of these libraries, see the links below:
* [Python 3.6 Standard Library](https://docs.python.org/3.6/library/) * [Python 3.7 Standard Library](https://docs.python.org/3.7/library/)
getattr(azure.functions, '__version__', '< 1.2.1')
### Runtime system libraries
-For a list of preinstalled system libraries in Python worker Docker images, please follow the links below:
+For a list of preinstalled system libraries in Python worker Docker images, see the links below:
| Functions runtime | Debian version | Python versions | |||| | Version 2.x | Stretch | [Python 3.6](https://github.com/Azure/azure-functions-docker/blob/master/host/2.0/stretch/amd64/python/python36/python36.Dockerfile)<br/>[Python 3.7](https://github.com/Azure/azure-functions-docker/blob/master/host/2.0/stretch/amd64/python/python37/python37.Dockerfile) | | Version 3.x | Buster | [Python 3.6](https://github.com/Azure/azure-functions-docker/blob/master/host/3.0/buster/amd64/python/python36/python36.Dockerfile)<br/>[Python 3.7](https://github.com/Azure/azure-functions-docker/blob/master/host/3.0/buster/amd64/python/python37/python37.Dockerfile)<br />[Python 3.8](https://github.com/Azure/azure-functions-docker/blob/master/host/3.0/buster/amd64/python/python38/python38.Dockerfile)<br/> [Python 3.9](https://github.com/Azure/azure-functions-docker/blob/master/host/3.0/buster/amd64/python/python39/python39.Dockerfile)|
+## Python worker extensions
+
+The Python worker process that runs in Azure Functions lets you integrate third-party libraries into your function app. These extension libraries act as middleware that can inject specific operations during the lifecycle of your function's execution.
+
+Extensions are imported in your function code much like a standard Python library module. Extensions are executed based on the following scopes:
+
+| Scope | Description |
+| | |
+| **Application-level** | When imported into any function trigger, the extension applies to every function execution in the app. |
+| **Function-level** | Execution is limited to only the specific function trigger into which it's imported. |
+
+Review the information for a given extension to learn more about the scope in which the extension runs.
+
+Extensions implement a Python worker extension interface that lets the Python worker process call into the extension code during the function execution lifecycle. To learn more, see [Creating extensions](#creating-extensions).
+
+### Using extensions
+
+You can use a Python worker extension library in your Python functions by following these basic steps:
+
+1. Add the extension package in the requirements.txt file for your project.
+1. Install the library into your app.
+1. Add the application setting `PYTHON_ENABLE_WORKER_EXTENSIONS`:
+ + Locally: add `"PYTHON_ENABLE_WORKER_EXTENSIONS": "1"` in the `Values` section of your [local.settings.json file](functions-run-local.md?tabs=python#local-settings-file)
+ + Azure: add `PYTHON_ENABLE_WORKER_EXTENSIONS=1` to your [app settings](functions-how-to-use-azure-function-app-settings.md#settings).
+1. Import the extension module into your function trigger.
+1. Configure the extension instance, if needed. Configuration requirements should be called-out in the extension's documentation.
+
+> [!IMPORTANT]
+> Third-party Python worker extension libraries are not supported or warrantied by Microsoft. You must make sure that any extensions you use in your function app is trustworthy, and you bear the full risk of using a malicious or poorly written extension.
+
+Third-parties should provide specific documentation on how to install and consume their specific extension in your function app. For a basic example of how to consume an extension, see [Consuming your extension](develop-python-worker-extensions.md#consume-your-extension-locally).
+
+Here are examples of using extensions in a function app, by scope:
+
+# [Application-level](#tab/application-level)
+
+```python
+# <project_root>/requirements.txt
+application-level-extension==1.0.0
+```
+
+```python
+# <project_root>/Trigger/__init__.py
+
+from application_level_extension import AppExtension
+AppExtension.configure(key=value)
+
+def main(req, context):
+ # Use context.app_ext_attributes here
+```
+# [Function-level](#tab/function-level)
+```python
+# <project_root>/requirements.txt
+function-level-extension==1.0.0
+```
+
+```python
+# <project_root>/Trigger/__init__.py
+
+from function_level_extension import FuncExtension
+func_ext_instance = FuncExtension(__file__)
+
+def main(req, context):
+ # Use func_ext_instance.attributes here
+```
++
+### Creating extensions
+
+Extensions are created by third-party library developers who have created functionality that can be integrated into Azure Functions. An extension developer designs, implements, and releases Python packages that contain custom logic designed specifically to be run in the context of function execution. These extensions can be published either to the PyPI registry or to GitHub repositories.
+
+To learn how to create, package, publish, and consume a Python worker extension package, see [Develop Python worker extensions for Azure Functions](develop-python-worker-extensions.md).
+
+#### Application-level extensions
+
+An extension inherited from [`AppExtensionBase`](https://github.com/Azure/azure-functions-python-library/blob/dev/azure/functions/extension/app_extension_base.py) runs in an _application_ scope.
+
+`AppExtensionBase` exposes the following abstract class methods for you to implement:
+
+| Method | Description |
+| | |
+| **`init`** | Called after the extension is imported. |
+| **`configure`** | Called from function code when needed to configure the extension. |
+| **`post_function_load_app_level`** | Called right after the function is loaded. The function name and function directory are passed to the extension. Keep in mind that the function directory is read-only, and any attempt to write to local file in this directory fails. |
+| **`pre_invocation_app_level`** | Called right before the function is triggered. The function context and function invocation arguments are passed to the extension. You can usually pass other attributes in the context object for the function code to consume. |
+| **`post_invocation_app_level`** | Called right after the function execution completes. The function context, function invocation arguments, and the invocation return object are passed to the extension. This implementation is a good place to validate whether execution of the lifecycle hooks succeeded. |
+
+#### Function-level extensions
+
+An extension that inherits from [FuncExtensionBase](https://github.com/Azure/azure-functions-python-library/blob/dev/azure/functions/extension/func_extension_base.py) runs in a specific function trigger.
+
+`FuncExtensionBase` exposes the following abstract class methods for implementations:
+
+| Method | Description |
+| | |
+| **`__init__`** | This method is the constructor of the extension. It's called when an extension instance is initialized in a specific function. When implementing this abstract method, you may want to accept a `filename` parameter and pass it to the parent's method `super().__init__(filename)` for proper extension registration. |
+| **`post_function_load`** | Called right after the function is loaded. The function name and function directory are passed to the extension. Keep in mind that the function directory is read-only, and any attempt to write to local file in this directory fails. |
+| **`pre_invocation`** | Called right before the function is triggered. The function context and function invocation arguments are passed to the extension. You can usually pass other attributes in the context object for the function code to consume. |
+| **`post_invocation`** | Called right after the function execution completes. The function context, function invocation arguments, and the invocation return object are passed to the extension. This implementation is a good place to validate whether execution of the lifecycle hooks succeeded. |
+ ## Cross-origin resource sharing [!INCLUDE [functions-cors](../../includes/functions-cors.md)]
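Review bot: The `[!IMPORTANT]` note under "Using extensions" should state how far an application-level extension reaches. Per the scope table, importing it into any one trigger makes it run on every function execution in the app, and the `pre_invocation_app_level` and `post_invocation_app_level` hooks receive the function context, the invocation arguments and the return object. Suggest saying so in the note, so readers check an extension's scope before setting `PYTHON_ENABLE_WORKER_EXTENSIONS`, and fixing its grammar ("any extensions you use ... is trustworthy" should be "are"). Separately, both `Trigger/__init__.py` samples fail to parse as written because `def main(req, context):` is followed only by a comment, `AppExtension.configure(key=value)` refers to an undefined `value`, and the `requirements.txt` snippets are fenced as `python`. The `FuncExtensionBase` link text also lacks the code formatting used for `AppExtensionBase`.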
For more information, see the following resources:
[HttpRequest]: /python/api/azure-functions/azure.functions.httprequest
-[HttpResponse]: /python/api/azure-functions/azure.functions.httpresponse
+[HttpResponse]: /python/api/azure-functions/azure.functions.httpresponse
azure-functions Functions Run Local https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/functions-run-local.md
Developing functions on your local computer and publishing them to Azure using C
## Core Tools versions
-There are three versions of Azure Functions Core Tools. The version you use depends on your local development environment, [choice of language](supported-languages.md), and level of support required:
+There are three versions of Azure Functions Core Tools.<sup>*</sup> The version you use depends on your local development environment, [choice of language](supported-languages.md), and level of support required:
+ [**Version 3.x/2.x**](#v2): Supports either [version 3.x or 2.x of the Azure Functions runtime](functions-versions.md). These versions support [Windows](?tabs=windows#v2), [macOS](?tabs=macos#v2), and [Linux](?tabs=linux#v2) and use platform-specific package managers or npm for installation.
There are three versions of Azure Functions Core Tools. The version you use depe
You can only install one version of Core Tools on a given computer. Unless otherwise noted, the examples in this article are for version 3.x.
+<sup>*</sup> An experimental version of Azure Functions is available that lets you run C# functions on the .NET 6.0 preview. To learn more, see the [Azure Functions v4 early preview](https://aka.ms/functions-dotnet6earlypreview-wiki) page.
+ ## Prerequisites Azure Functions Core Tools currently depends on either the [Azure CLI](/cli/azure/install-azure-cli) or [Azure PowerShell](/powershell/azure/install-az-ps) for authenticating with your Azure account.
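Review bot: The footnote added after "You can only install one version of Core Tools on a given computer" describes "an experimental version of Azure Functions", but its `<sup>*</sup>` marker is attached to the count of Core Tools versions, so it is unclear whether the .NET 6.0 preview is a fourth Core Tools version or a runtime version. Suggest naming which it is and saying how it fits with the one-version-per-computer statement just above it.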
azure-functions Functions Twitter Email https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/functions-twitter-email.md
Create a connection to Twitter so your app can poll for new tweets.
| Setting | Value | | - | -- | | Search text | **#my-twitter-tutorial** |
- | How oven do you want to check for items? | **1** in the textbox, and <br> **Hour** in the dropdown. You may enter different values but be sure to review the current [limitations](https://docs.microsoft.com/connectors/twitterconnector/#limits) of the Twitter connector. |
+ | How oven do you want to check for items? | **1** in the textbox, and <br> **Hour** in the dropdown. You may enter different values but be sure to review the current [limitations](/connectors/twitterconnector/#limits) of the Twitter connector. |
1. Select the **Save** button on the toolbar to save your progress.
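Review bot: The rewritten table row still reads "How oven do you want to check for items?", which looks like a typo for "How often". Since this line is already being touched for the link change, fix the label in the same edit.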
Optionally, you may want to return to your Twitter account and delete any test t
## Next steps > [!div class="nextstepaction"]
-> [Create a serverless API using Azure Functions](functions-create-serverless-api.md)
+> [Create a serverless API using Azure Functions](functions-create-serverless-api.md)
azure-functions Functions Twitter Email https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-glossary-cloud-terminology.md
See [Azure Resource Manager overview](azure-resource-manager/management/overview
## <a name="arm-template"></a>Resource Manager template A JSON file that declaratively defines one or more Azure resources and that defines dependencies between the deployed resources. The template can be used to deploy the resources consistently and repeatedly.
-See [Authoring Azure Resource Manager templates](./azure-resource-manager/templates/template-syntax.md)
+See [Authoring Azure Resource Manager templates](./azure-resource-manager/templates/syntax.md)
## resource provider A service that supplies the resources you can deploy and manage through Resource Manager. Each resource provider offers operations for working with the resources that are deployed. Resource providers can be accessed through the Azure portal, Azure PowerShell, and several programming SDKs.
azure-government Compare Azure Government Global Azure https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-government/compare-azure-government-global-azure.md
For information on how to connect to Media Services v2, see [Access the Azure Me
### Media Services Video Indexer
-For more information, see [Create a Video Indexer account](../media-services/video-indexer/connect-to-azure.md#video-indexer-in-azure-government).
+For more information, see [Create a Video Indexer account](../azure-video-analyzer/video-analyzer-for-media-docs/connect-to-azure.md#create-a-new-account-on-azure).
## Migration
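Review bot: Under "Media Services Video Indexer" the old link targeted the `#video-indexer-in-azure-government` anchor, while the replacement points at `#create-a-new-account-on-azure`, so this Azure Government comparison article no longer links to an anchor that is specific to Azure Government. Confirm the new article still has an Azure Government section and link to that anchor, or state the Government differences in this section.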
azure-government Azure Services In Fedramp Auditscope https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-government/compliance/azure-services-in-fedramp-auditscope.md
This article provides a detailed list of in-scope cloud services across Azure Pu
| [Microsoft Azure portal](https://azure.microsoft.com/features/azure-portal/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark:| :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | [Microsoft Cloud App Security](/cloud-app-security/what-is-cloud-app-security)| :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | :heavy_check_mark: | | [Microsoft Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| [Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/defender/microsoft-365-defender?view=o365-worldwide) | :heavy_check_mark: | | | | :heavy_check_mark: |
+| [Microsoft 365 Defender](/microsoft-365/security/defender/microsoft-365-defender?view=o365-worldwide) | :heavy_check_mark: | | | | :heavy_check_mark: |
| [Microsoft Graph](/graph/overview) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | [Microsoft PowerApps](/powerapps/powerapps-overview) | :heavy_check_mark: | :heavy_check_mark: | | :heavy_check_mark: | :heavy_check_mark: | | [Microsoft PowerApps Portal](https://powerapps.microsoft.com/portals/) | :heavy_check_mark: | :heavy_check_mark: | | :heavy_check_mark: | :heavy_check_mark: |
This article provides a detailed list of in-scope cloud services across Azure Pu
**&ast;** DoD CC SRG IL5 (Azure Gov) column shows DoD CC SRG IL5 certification status of services in Azure Government. For details, please refer to [Azure Government Isolation Guidelines for Impact Level 5](../documentation-government-impact-level-5.md)
-**&ast;&ast;** DoD CC SRG IL5 (Azure DoD) column shows DoD CC SRG IL5 certification status for services in Azure Government DoD regions.
+**&ast;&ast;** DoD CC SRG IL5 (Azure DoD) column shows DoD CC SRG IL5 certification status for services in Azure Government DoD regions.
azure-government Documentation Accelerate Compliance https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-government/compliance/documentation-accelerate-compliance.md
Microsoft is able to scale through its partners. Scale is what will allow us to
## Publishing to Azure Marketplace
-1. Join the Partner Network - ItΓÇÖs a requirement for publishing but easy to sign up. Instructions are located here: [Ensure you have a MPN ID and Partner Center Account](/azure/marketplace/create-account#create-a-partner-center-account-and-enroll-in-the-commercial-marketplace).
+1. Join the Partner Network - ItΓÇÖs a requirement for publishing but easy to sign up. Instructions are located here: [Ensure you have a MPN ID and Partner Center Account](../../marketplace/create-account.md#create-a-partner-center-account-and-enroll-in-the-commercial-marketplace).
2. Enable your partner center account as Publisher / Developer for Marketplace, follow the instructions [here](../../marketplace/create-account.md). 3. With an enabled Partner Center Account, publish listing as a SaaS App as instructed [here](../../marketplace/create-new-saas-offer.md).
azure-maps How To Create Template https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-maps/how-to-create-template.md
az group delete --name MyResourceGroup
To learn more about Azure Maps and Azure Resource Manager, continue on to the articles below. - Create an Azure Maps [demo application](quick-demo-map-app.md)-- Learn more about [ARM templates](../azure-resource-manager/templates/overview.md)
+- Learn more about [ARM templates](../azure-resource-manager/templates/overview.md)
azure-monitor Resource Manager Agent https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/agents/resource-manager-agent.md
Last updated 11/17/2020
# Resource Manager template samples for agents in Azure Monitor
-This article includes sample [Azure Resource Manager templates](../../azure-resource-manager/templates/template-syntax.md) to deploy and configure the [Log Analytics agent](./log-analytics-agent.md) and [diagnostic extension](./diagnostics-extension-overview.md) for virtual machines in Azure Monitor. Each sample includes a template file and a parameters file with sample values to provide to the template.
+This article includes sample [Azure Resource Manager templates](../../azure-resource-manager/templates/syntax.md) to deploy and configure the [Log Analytics agent](./log-analytics-agent.md) and [diagnostic extension](./diagnostics-extension-overview.md) for virtual machines in Azure Monitor. Each sample includes a template file and a parameters file with sample values to provide to the template.
[!INCLUDE [azure-monitor-samples](../../../includes/azure-monitor-resource-manager-samples.md)]
azure-monitor Resource Manager Data Collection Rules https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/agents/resource-manager-data-collection-rules.md
Last updated 11/17/2020
# Resource Manager template samples for data collection rules in Azure Monitor
-This article includes sample [Azure Resource Manager templates](../../azure-resource-manager/templates/template-syntax.md) to create an association between a [data collection rule](data-collection-rule-overview.md) and the [Azure Monitor agent](./azure-monitor-agent-overview.md). Each sample includes a template file and a parameters file with sample values to provide to the template.
+This article includes sample [Azure Resource Manager templates](../../azure-resource-manager/templates/syntax.md) to create an association between a [data collection rule](data-collection-rule-overview.md) and the [Azure Monitor agent](./azure-monitor-agent-overview.md). Each sample includes a template file and a parameters file with sample values to provide to the template.
[!INCLUDE [azure-monitor-samples](../../../includes/azure-monitor-resource-manager-samples.md)]
azure-monitor Action Groups Create Resource Manager Template https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/alerts/action-groups-create-resource-manager-template.md
# Create an action group with a Resource Manager template
-This article shows you how to use an [Azure Resource Manager template](../../azure-resource-manager/templates/template-syntax.md) to configure action groups. By using templates, you can automatically set up action groups that can be reused in certain types of alerts. These action groups ensure that all the correct parties are notified when an alert is triggered.
+This article shows you how to use an [Azure Resource Manager template](../../azure-resource-manager/templates/syntax.md) to configure action groups. By using templates, you can automatically set up action groups that can be reused in certain types of alerts. These action groups ensure that all the correct parties are notified when an alert is triggered.
The basic steps are:
azure-monitor Alerts Enable Template https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/alerts/alerts-enable-template.md
Last updated 02/14/2021
> This article describes how to create older classic metric alerts. Azure Monitor now supports [newer near-real time metric alerts and a new alerts experience](./alerts-overview.md). Classic alerts are [retired](./monitoring-classic-retirement.md) for public cloud users, though still in limited use until **31 May 2021**. Classic alerts for Azure Government cloud and Azure China 21Vianet will retire on **29 February 2024**. >
-This article shows how you can use an [Azure Resource Manager template](../../azure-resource-manager/templates/template-syntax.md) to configure Azure classic metric alerts. This enables you to automatically set up alerts on your resources when they are created to ensure that all resources are monitored correctly.
+This article shows how you can use an [Azure Resource Manager template](../../azure-resource-manager/templates/syntax.md) to configure Azure classic metric alerts. This enables you to automatically set up alerts on your resources when they are created to ensure that all resources are monitored correctly.
The basic steps are as follows:
azure-monitor Alerts Log Create Templates https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/alerts/alerts-log-create-templates.md
Last updated 09/22/2020
Log alerts allow users to use a [Log Analytics](../logs/log-analytics-tutorial.md) query to evaluate resources logs every set frequency, and fire an alert based on the results. Rules can trigger run one or more actions using [Action Groups](./action-groups.md). [Learn more about functionality and terminology of log alerts](./alerts-unified-log.md).
-This article shows how you can use an [Azure Resource Manager template](../../azure-resource-manager/templates/template-syntax.md) to configure [log alerts](./alerts-unified-log.md) in Azure Monitor. Resource Manager templates enable you to programmatically set up alerts in a consistent and reproducible way across your environments. Log alerts are created in the `Microsoft.Insights/scheduledQueryRules` resource provider. See API reference for [Scheduled Query Rules API](/rest/api/monitor/scheduledqueryrules/).
+This article shows how you can use an [Azure Resource Manager template](../../azure-resource-manager/templates/syntax.md) to configure [log alerts](./alerts-unified-log.md) in Azure Monitor. Resource Manager templates enable you to programmatically set up alerts in a consistent and reproducible way across your environments. Log alerts are created in the `Microsoft.Insights/scheduledQueryRules` resource provider. See API reference for [Scheduled Query Rules API](/rest/api/monitor/scheduledqueryrules/).
The basic steps are as follows:
azure-monitor Alerts Metric Create Templates https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/alerts/alerts-metric-create-templates.md
[!INCLUDE [updated-for-az](../../../includes/updated-for-az.md)]
-This article shows how you can use an [Azure Resource Manager template](../../azure-resource-manager/templates/template-syntax.md) to configure [newer metric alerts](./alerts-metric-near-real-time.md) in Azure Monitor. Resource Manager templates enable you to programmatically set up alerts in a consistent and reproducible way across your environments. Newer metric alerts are currently available on [this set of resource types](./alerts-metric-near-real-time.md#metrics-and-dimensions-supported).
+This article shows how you can use an [Azure Resource Manager template](../../azure-resource-manager/templates/syntax.md) to configure [newer metric alerts](./alerts-metric-near-real-time.md) in Azure Monitor. Resource Manager templates enable you to programmatically set up alerts in a consistent and reproducible way across your environments. Newer metric alerts are currently available on [this set of resource types](./alerts-metric-near-real-time.md#metrics-and-dimensions-supported).
> [!IMPORTANT] > Resource template for creating metric alerts for resource type: Azure Log Analytics Workspace (i.e.) `Microsoft.OperationalInsights/workspaces`, requires additional steps. For details, see the article on [Metric Alert for Logs - Resource Template](./alerts-metric-logs.md#resource-template-for-metric-alerts-for-logs).
az deployment group create \
- Read more about [alerts in Azure](./alerts-overview.md) - Learn how to [create an action group with Resource Manager templates](../alerts/action-groups-create-resource-manager-template.md)-- For the JSON syntax and properties, see [Microsoft.Insights/metricAlerts](/azure/templates/microsoft.insights/metricalerts) template reference.
+- For the JSON syntax and properties, see [Microsoft.Insights/metricAlerts](/azure/templates/microsoft.insights/metricalerts) template reference.
azure-monitor Resource Manager Action Groups https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/alerts/resource-manager-action-groups.md
Last updated 12/03/2020
# Resource Manager template samples for action groups in Azure Monitor
-This article includes sample [Azure Resource Manager templates](../../azure-resource-manager/templates/template-syntax.md) to create [action groups](../alerts/action-groups.md) in Azure Monitor. Each sample includes a template file and a parameters file with sample values to provide to the template.
+This article includes sample [Azure Resource Manager templates](../../azure-resource-manager/templates/syntax.md) to create [action groups](../alerts/action-groups.md) in Azure Monitor. Each sample includes a template file and a parameters file with sample values to provide to the template.
[!INCLUDE [azure-monitor-samples](../../../includes/azure-monitor-resource-manager-samples.md)]
The following sample creates an action group.
## Next steps * [Get other sample templates for Azure Monitor](../resource-manager-samples.md).
-* [Learn more about action groups](../alerts/action-groups.md).
-
+* [Learn more about action groups](../alerts/action-groups.md).
azure-monitor Resource Manager Alerts Log https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/alerts/resource-manager-alerts-log.md
Last updated 09/22/2020
# Resource Manager template samples for log alert rules in Azure Monitor
-This article includes samples of [Azure Resource Manager templates](../../azure-resource-manager/templates/template-syntax.md) to create and configure log query alerts in Azure Monitor. Each sample includes a template file and a parameters file with sample values to provide to the template.
+This article includes samples of [Azure Resource Manager templates](../../azure-resource-manager/templates/syntax.md) to create and configure log query alerts in Azure Monitor. Each sample includes a template file and a parameters file with sample values to provide to the template.
[!INCLUDE [azure-monitor-samples](../../../includes/azure-monitor-resource-manager-samples.md)]
azure-monitor Resource Manager Alerts Metric https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/alerts/resource-manager-alerts-metric.md
Last updated 05/18/2020
# Resource Manager template samples for metric alert rules in Azure Monitor
-This article provides samples of using [Azure Resource Manager templates](../../azure-resource-manager/templates/template-syntax.md) to configure [metric alert rules](../alerts/alerts-metric-near-real-time.md) in Azure Monitor. Each sample includes a template file and a parameters file with sample values to provide to the template.
+This article provides samples of using [Azure Resource Manager templates](../../azure-resource-manager/templates/syntax.md) to configure [metric alert rules](../alerts/alerts-metric-near-real-time.md) in Azure Monitor. Each sample includes a template file and a parameters file with sample values to provide to the template.
[!INCLUDE [azure-monitor-samples](../../../includes/azure-monitor-resource-manager-samples.md)]
azure-monitor Availability Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/app/availability-overview.md
Dedicated [troubleshooting article](troubleshoot-availability.md).
* [Multi-step web tests](availability-multistep.md) * [URL tests](monitor-web-app-availability.md) * [Create and run custom availability tests using Azure Functions.](availability-azure-functions.md)
-* [Web Tests Azure Resource Manager template](https://docs.microsoft.com/azure/templates/microsoft.insights/webtests?tabs=json)
+* [Web Tests Azure Resource Manager template](/azure/templates/microsoft.insights/webtests?tabs=json)
azure-monitor Azure Web Apps https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/app/azure-web-apps.md
In order to enable telemetry collection with Application Insights, only the Appl
### App Service Application settings with Azure Resource Manager
-Application settings for App Services can be managed and configured with [Azure Resource Manager templates](../../azure-resource-manager/templates/template-syntax.md). This method can be used when deploying new App Service resources with Azure Resource Manager automation, or for modifying the settings of existing resources.
+Application settings for App Services can be managed and configured with [Azure Resource Manager templates](../../azure-resource-manager/templates/syntax.md). This method can be used when deploying new App Service resources with Azure Resource Manager automation, or for modifying the settings of existing resources.
The basic structure of the application settings JSON for an app service is below:
For the latest updates and bug fixes [consult the release notes](./web-app-exten
* [Monitor service health metrics](../data-platform.md) to make sure your service is available and responsive. * [Receive alert notifications](../alerts/alerts-overview.md) whenever operational events happen or metrics cross a threshold. * Use [Application Insights for JavaScript apps and web pages](javascript.md) to get client telemetry from the browsers that visit a web page.
-* [Set up Availability web tests](monitor-web-app-availability.md) to be alerted if your site is down.
+* [Set up Availability web tests](monitor-web-app-availability.md) to be alerted if your site is down.
azure-monitor Monitor Web App Availability https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/app/monitor-web-app-availability.md
In addition to the raw results, you can also view two key Availability metrics i
* [Availability Alerts](availability-alerts.md) * [Multi-step web tests](availability-multistep.md) * [Troubleshooting](troubleshoot-availability.md)
-* [Web Tests Azure Resource Manager template](https://docs.microsoft.com/azure/templates/microsoft.insights/webtests?tabs=json)
+* [Web Tests Azure Resource Manager template](/azure/templates/microsoft.insights/webtests?tabs=json)
azure-monitor Powershell https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/app/powershell.md
To automate the creation of any other resource of any kind, create an example ma
`"apiVersion": "2015-05-01",` ### Parameterize the template
-Now you have to replace the specific names with parameters. To [parameterize a template](../../azure-resource-manager/templates/template-syntax.md), you write expressions using a [set of helper functions](../../azure-resource-manager/templates/template-functions.md).
+Now you have to replace the specific names with parameters. To [parameterize a template](../../azure-resource-manager/templates/syntax.md), you write expressions using a [set of helper functions](../../azure-resource-manager/templates/template-functions.md).
You can't parameterize just part of a string, so use `concat()` to build strings.
Other automation articles:
* [Create an Application Insights resource](./create-new-resource.md#creating-a-resource-automatically) - quick method without using a template. * [Create web tests](../alerts/resource-manager-alerts-metric.md#availability-test-with-metric-alert) * [Send Azure Diagnostics to Application Insights](powershell-azure-diagnostics.md)
-* [Create release annotations](https://github.com/MohanGsk/ApplicationInsights-Home/blob/master/API/CreateReleaseAnnotation.ps1)
+* [Create release annotations](https://github.com/MohanGsk/ApplicationInsights-Home/blob/master/API/CreateReleaseAnnotation.ps1)
azure-monitor Proactive Arm Config https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/app/proactive-arm-config.md
> See [Smart Detection Alerts migration](../alerts/alerts-smart-detections-migration.md) for more details on the migration process and the behavior of smart detection after the migration. >
-Smart detection rules in Application Insights can be managed and configured using [Azure Resource Manager templates](../../azure-resource-manager/templates/template-syntax.md).
+Smart detection rules in Application Insights can be managed and configured using [Azure Resource Manager templates](../../azure-resource-manager/templates/syntax.md).
This method can be used when deploying new Application Insights resources with Azure Resource Manager automation, or for modifying the settings of existing resources. ## Smart detection rule configuration
Learn more about automatically detecting:
- [Failure anomalies](./proactive-failure-diagnostics.md) - [Memory Leaks](./proactive-potential-memory-leak.md)-- [Performance anomalies](./proactive-performance-diagnostics.md)-
+- [Performance anomalies](./proactive-performance-diagnostics.md)
azure-monitor Proactive Trace Severity https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/app/proactive-trace-severity.md
Traces are widely used in applications, and they help tell the story of what hap
It's normal to expect some level of ΓÇ£BadΓÇ¥ traces because of any number of reasons, such as transient network issues. But when a real problem begins growing, it usually manifests as an increase in the relative proportion of ΓÇ£badΓÇ¥ traces vs ΓÇ£goodΓÇ¥ traces. Smart detection automatically analyzes the trace telemetry that your application logs, and can warn you about unusual patterns in their severity.
-This feature requires no special setup, other than configuring trace logging for your app. See how to configure a trace log listener for [.NET](./asp-net-trace-logs.md) or [Java](./java-trace-logs.md). It's active when your app generates enough trace telemetry.
+This feature requires no special setup, other than configuring trace logging for your app. See how to configure a trace log listener for [.NET](./asp-net-trace-logs.md) or [Java](./java-in-process-agent.md). It's active when your app generates enough trace telemetry.
## When would I get this type of smart detection notification? You get this type of notification if the ratio between ΓÇ£goodΓÇ¥ traces (traces logged with a level of *Info* or *Verbose*) and ΓÇ£badΓÇ¥ traces (traces logged with a level of *Warning*, *Error*, or *Fatal*) is degrading in a specific day, compared to a baseline calculated over the previous seven days.
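Review bot: The Java link target changes from `java-trace-logs.md` to `java-in-process-agent.md`, but the sentence still promises "how to configure a trace log listener". Suggest linking to the specific logging section of the agent article with an anchor, or rewording the sentence so it matches what the target page covers.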
A notification doesn't mean that your app definitely has a problem. Although a d
The notifications include diagnostic information to support in the diagnostics process: 1. **Triage.** The notification shows you how many operations are affected. This information can help you assign a priority to the problem. 2. **Scope.** Is the problem affecting all traffic, or just some operation? This information can be obtained from the notification.
-3. **Diagnose.** You can use the related items and reports linking to supporting information, to help you further diagnose the issue.
+3. **Diagnose.** You can use the related items and reports linking to supporting information, to help you further diagnose the issue.
azure-monitor Resource Manager App Resource https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/app/resource-manager-app-resource.md
Last updated 07/08/2020
# Resource Manager template samples for creating Application Insights resources
-This article includes sample [Azure Resource Manager templates](../../azure-resource-manager/templates/template-syntax.md) to deploy and configure [classic Application Insights resources](../app/create-new-resource.md) and the new [preview workspace-based Application Insights resources](../app/create-workspace-resource.md). Each sample includes a template file and a parameters file with sample values to provide to the template.
+This article includes sample [Azure Resource Manager templates](../../azure-resource-manager/templates/syntax.md) to deploy and configure [classic Application Insights resources](../app/create-new-resource.md) and the new [preview workspace-based Application Insights resources](../app/create-workspace-resource.md). Each sample includes a template file and a parameters file with sample values to provide to the template.
[!INCLUDE [azure-monitor-samples](../../../includes/azure-monitor-resource-manager-samples.md)]
The following sample creates a [workspace-based Application Insights resource](.
* [Get other sample templates for Azure Monitor](../resource-manager-samples.md). * [Learn more about classic Application Insights resources](../app/create-new-resource.md).
-* [Learn more about workspace-based Application Insights resources](../app/create-workspace-resource.md).
+* [Learn more about workspace-based Application Insights resources](../app/create-workspace-resource.md).
azure-monitor Resource Manager Function App https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/app/resource-manager-function-app.md
Last updated 08/06/2020
# Resource Manager template sample for creating Azure Function apps with Application Insights monitoring
-This article includes sample [Azure Resource Manager templates](../../azure-resource-manager/templates/template-syntax.md) to deploy and configure [classic Application Insights resources](../app/create-new-resource.md) in conjunction with an Azure Function app. The sample includes a template file and a parameters file with sample values to provide to the template.
+This article includes sample [Azure Resource Manager templates](../../azure-resource-manager/templates/syntax.md) to deploy and configure [classic Application Insights resources](../app/create-new-resource.md) in conjunction with an Azure Function app. The sample includes a template file and a parameters file with sample values to provide to the template.
[!INCLUDE [azure-monitor-samples](../../../includes/azure-monitor-resource-manager-samples.md)]
The following sample creates a .NET Core 3.1 Azure Function app running on a Win
## Next steps * [Get other sample templates for Azure Monitor](../resource-manager-samples.md).
-* [Learn more about classic Application Insights resources](../app/create-new-resource.md).
+* [Learn more about classic Application Insights resources](../app/create-new-resource.md).
azure-monitor Resource Manager Web App https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/app/resource-manager-web-app.md
Last updated 08/06/2020
# Resource Manager template samples for creating Azure App Services web apps with Application Insights monitoring
-This article includes sample [Azure Resource Manager templates](../../azure-resource-manager/templates/template-syntax.md) to deploy and configure [classic Application Insights resources](../app/create-new-resource.md) in conjunction with an Azure App Services web app. Each sample includes a template file and a parameters file with sample values to provide to the template.
+This article includes sample [Azure Resource Manager templates](../../azure-resource-manager/templates/syntax.md) to deploy and configure [classic Application Insights resources](../app/create-new-resource.md) in conjunction with an Azure App Services web app. Each sample includes a template file and a parameters file with sample values to provide to the template.
[!INCLUDE [azure-monitor-samples](../../../includes/azure-monitor-resource-manager-samples.md)]
The following sample creates a basic Azure App Service Linux web app with the no
## Next steps * [Get other sample templates for Azure Monitor](../resource-manager-samples.md).
-* [Learn more about classic Application Insights resources](../app/create-new-resource.md).
+* [Learn more about classic Application Insights resources](../app/create-new-resource.md).
azure-monitor Resource Manager Container Insights https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/containers/resource-manager-container-insights.md
Last updated 05/18/2020
# Resource Manager template samples for Container insights
-This article includes sample [Azure Resource Manager templates](../../azure-resource-manager/templates/template-syntax.md) to deploy and configure the Log Analytics agent for virtual machines in Azure Monitor. Each sample includes a template file and a parameters file with sample values to provide to the template.
+This article includes sample [Azure Resource Manager templates](../../azure-resource-manager/templates/syntax.md) to deploy and configure the Log Analytics agent for virtual machines in Azure Monitor. Each sample includes a template file and a parameters file with sample values to provide to the template.
[!INCLUDE [azure-monitor-samples](../../../includes/azure-monitor-resource-manager-samples.md)]
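Review bot: The intro sentence edited here still says the templates "deploy and configure the Log Analytics agent for virtual machines in Azure Monitor", which does not match the article title ("Resource Manager template samples for Container insights") or the sample that follows, which enables Container insights on an AKS cluster. Since the line is being touched for the link fix anyway, reword it to describe Container insights so the summary matches what the article delivers.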
The following sample enables Container insights on an AKS cluster.
## Next steps * [Get other sample templates for Azure Monitor](../resource-manager-samples.md).
-* [Learn more about Container insights](../containers/container-insights-overview.md).
+* [Learn more about Container insights](../containers/container-insights-overview.md).
azure-monitor Diagnostic Settings https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/essentials/diagnostic-settings.md
Previously updated : 02/08/2021 Last updated : 06/09/2021 # Create diagnostic settings to send platform logs and metrics to different destinations
See [Diagnostic Settings](/rest/api/monitor/diagnosticsettings) to create or upd
## Create using Azure Policy Since a diagnostic setting needs to be created for each Azure resource, Azure Policy can be used to automatically create a diagnostic setting as each resource is created. See [Deploy Azure Monitor at scale using Azure Policy](../deploy-scale.md) for details.
-## Metric category is not supported error
+## Error: Metric category is not supported
When deploying a diagnostic setting, you receive the following error message: "Metric category '*xxxx*' is not supported"
The problem is caused by a recent change in the underlying API. Metric categorie
If you receive this error, update your deployments to replace any metric category names with 'AllMetrics' to fix the issue. If the deployment was previously adding multiple categories, only one with the 'AllMetrics' reference should be kept. If you continue to have the problem, please contact Azure support through the Azure portal.
+## Error: Setting disappears due to non-ASCII characters in resourceID
+Diagnostic settings do not support resourceIDs with non-ASCII characters (for example, Preproducci├│n). Since you cannot rename resources in Azure, your only option is to create a new resource without the non-ASCII characters. If the characters are in a resource group, you can move the resources under it to a new one. Otherwise, you'll need to recreate the resource.
## Next steps
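Review bot: The new section's heading says the setting "disappears", but the body never describes that symptom, so a reader who hits it cannot confirm they are in the right section. Add one sentence stating what is observed (for example, when and where the diagnostic setting goes missing). The body also says "your only option is to create a new resource" and then offers a second path (moving resources to a new resource group); rephrase so the two cases are presented as alternatives. Finally, "resourceID" in the heading and "resourceIDs" in the body would read better as "resource ID" and "resource IDs".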
azure-monitor Resource Logs Schema https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/essentials/resource-logs-schema.md
The schema for resource logs varies depending on the resource and log category.
| Service | Schema & Docs | | | |
-| Azure Active Directory | [Overview](../../active-directory/reports-monitoring/concept-activity-logs-azure-monitor.md), [Audit log schema](../../active-directory/reports-monitoring/reference-azure-monitor-audit-log-schema.md) and [Sign-ins schema](../../active-directory/reports-monitoring/reference-azure-monitor-sign-ins-log-schema.md) |
+| Azure Active Directory | [Overview](../../active-directory/reports-monitoring/concept-activity-logs-azure-monitor.md), [Audit log schema](../../active-directory/reports-monitoring/overview-reports.md) and [Sign-ins schema](../../active-directory/reports-monitoring/reference-azure-monitor-sign-ins-log-schema.md) |
| Analysis Services | [Azure Analysis Services - Setup diagnostic logging](../../analysis-services/analysis-services-logging.md) | | API Management | [API Management Resource Logs](../../api-management/api-management-howto-use-azure-monitor.md#resource-logs) | | App Service | [App Service Logs](../../app-service/troubleshoot-diagnostic-logs.md)
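Review bot: In the Azure Active Directory row, the link labelled "Audit log schema" now points to `overview-reports.md`, so the label promises a schema reference and the target is a reports overview. Either point the link at a page that documents the audit log schema, or rename the link text to match the overview target so readers looking for field definitions are not misdirected.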
The schema for resource logs varies depending on the resource and log category.
* [Learn more about resource logs](../essentials/platform-logs-overview.md) * [Stream resource resource logs to **Event Hubs**](./resource-logs.md#send-to-azure-event-hubs) * [Change resource log diagnostic settings using the Azure Monitor REST API](/rest/api/monitor/diagnosticsettings)
-* [Analyze logs from Azure storage with Log Analytics](./resource-logs.md#send-to-log-analytics-workspace)
+* [Analyze logs from Azure storage with Log Analytics](./resource-logs.md#send-to-log-analytics-workspace)
azure-monitor Resource Manager Diagnostic Settings https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/essentials/resource-manager-diagnostic-settings.md
Last updated 09/11/2020
# Resource Manager template samples for diagnostic settings in Azure Monitor
-This article includes sample [Azure Resource Manager templates](../../azure-resource-manager/templates/template-syntax.md) to create diagnostic settings for an Azure resource. Each sample includes a template file and a parameters file with sample values to provide to the template.
+This article includes sample [Azure Resource Manager templates](../../azure-resource-manager/templates/syntax.md) to create diagnostic settings for an Azure resource. Each sample includes a template file and a parameters file with sample values to provide to the template.
To create a diagnostic setting for an Azure resource, add a resource of type `<resource namespace>/providers/diagnosticSettings` to the template. This article provides examples for some resource types, but the same pattern can be applied to other resource types. The collection of allowed logs and metrics will vary for each resource type.
azure-monitor Resource Manager Sql Insights https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/insights/resource-manager-sql-insights.md
Last updated 03/25/2021
# Resource Manager template samples for SQL insights
-This article includes sample [Azure Resource Manager templates](../../azure-resource-manager/templates/template-syntax.md) to enable SQL insights for monitoring SQL running in Azure. See the [SQL insights documentation](sql-insights-overview.md) for details on the offering and versions of SQL we support. Each sample includes a template file and a parameters file with sample values to provide to the template.
+This article includes sample [Azure Resource Manager templates](../../azure-resource-manager/templates/syntax.md) to enable SQL insights for monitoring SQL running in Azure. See the [SQL insights documentation](sql-insights-overview.md) for details on the offering and versions of SQL we support. Each sample includes a template file and a parameters file with sample values to provide to the template.
[!INCLUDE [azure-monitor-samples](../../../includes/azure-monitor-resource-manager-samples.md)]
View the [parameter file on git hub](https://github.com/microsoft/Application-In
## Next steps * [Get other sample templates for Azure Monitor](../resource-manager-samples.md).
-* [Learn more about SQL insights](sql-insights-overview.md).
+* [Learn more about SQL insights](sql-insights-overview.md).
azure-monitor Private Link Security https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/logs/private-link-security.md
As listed in [Restrictions and limitations](#restrictions-and-limitations), the
![Diagram of AMPLS limits](./media/private-link-security/ampls-limits.png) > [!NOTE]
-> If you use Log Analytics solutions that require an Automation account, such as Update Management, Change Tracking or Inventory, you should also setup a separare Private Link for your Automation account. For more information, see [Use Azure Private Link to securely connect networks to Azure Automation](https://docs.microsoft.com/azure/automation/how-to/private-link-security).
+> If you use Log Analytics solutions that require an Automation account, such as Update Management, Change Tracking or Inventory, you should also setup a separare Private Link for your Automation account. For more information, see [Use Azure Private Link to securely connect networks to Azure Automation](../../automation/how-to/private-link-security.md).
## Example connection
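Review bot: The added note line carries over two wording errors from the line it replaces: "separare" should be "separate", and "setup" is used as a verb where "set up" is needed ("you should also set up a separate Private Link for your Automation account"). The link change to a relative path is fine; fix the wording in the same edit.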
If you're connecting to your Azure Monitor resources over a Private Link, traffi
## Next steps -- Learn about [private storage](private-storage.md)
+- Learn about [private storage](private-storage.md)
azure-monitor Resource Manager Log Queries https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/logs/resource-manager-log-queries.md
Last updated 05/18/2020
# Resource Manager template samples for log queries in Azure Monitor
-This article includes sample [Azure Resource Manager templates](../../azure-resource-manager/templates/template-syntax.md) to create and configure log queries in Azure Monitor. Each sample includes a template file and a parameters file with sample values to provide to the template.
+This article includes sample [Azure Resource Manager templates](../../azure-resource-manager/templates/syntax.md) to create and configure log queries in Azure Monitor. Each sample includes a template file and a parameters file with sample values to provide to the template.
[!INCLUDE [azure-monitor-samples](../../../includes/azure-monitor-resource-manager-samples.md)]
azure-monitor Resource Manager Workspace https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/logs/resource-manager-workspace.md
# Resource Manager template samples for Log Analytics workspaces in Azure Monitor
-This article includes sample [Azure Resource Manager templates](../../azure-resource-manager/templates/template-syntax.md) to create and configure Log Analytics workspaces in Azure Monitor. Each sample includes a template file and a parameters file with sample values to provide to the template.
+This article includes sample [Azure Resource Manager templates](../../azure-resource-manager/templates/syntax.md) to create and configure Log Analytics workspaces in Azure Monitor. Each sample includes a template file and a parameters file with sample values to provide to the template.
[!INCLUDE [azure-monitor-samples](../../../includes/azure-monitor-resource-manager-samples.md)]
The following sample adds collection of [IIS logs](../agents/data-sources-iis-lo
* [Get other sample templates for Azure Monitor](../resource-manager-samples.md). * [Learn more about Log Analytics workspaces](./quick-create-workspace.md).
-* [Learn more about agent data sources](../agents/agent-data-sources.md).
+* [Learn more about agent data sources](../agents/agent-data-sources.md).
azure-monitor Service Providers https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/logs/service-providers.md
There are two options to implement logs in a central location:
* Generate summary reports using [Power BI](../visualize/powerbi.md)
-* Onboard customers to [Azure delegated resource management](../../lighthouse/concepts/azure-delegated-resource-management.md).
+* Onboard customers to [Azure delegated resource management](../../lighthouse/concepts/architecture.md).
azure-monitor Resource Manager Samples https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/resource-manager-samples.md
# Resource Manager template samples for Azure Monitor
-Azure Monitor can be deployed and configured at scale using [Azure Resource Manager template](../azure-resource-manager/templates/template-syntax.md). The following articles provide sample templates for different Azure Monitor features. These samples can be modified for your particular requirements and deployed using any standard method for deploying Resource Manager templates.
+Azure Monitor can be deployed and configured at scale using [Azure Resource Manager template](../azure-resource-manager/templates/syntax.md). The following articles provide sample templates for different Azure Monitor features. These samples can be modified for your particular requirements and deployed using any standard method for deploying Resource Manager templates.
## Deploying the sample templates The basic steps to use the samples are:
az deployment group create \
## Next steps -- Learn more about [Resource Manager templates](../azure-resource-manager/templates/overview.md)
+- Learn more about [Resource Manager templates](../azure-resource-manager/templates/overview.md)
azure-monitor Resource Manager Workbooks https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/visualize/resource-manager-workbooks.md
Last updated 05/18/2020
# Resource Manager template samples for workbooks in Azure Monitor
-This article includes sample [Azure Resource Manager templates](../../azure-resource-manager/templates/template-syntax.md) to create workbooks in Azure Monitor. Each sample includes a template file and a parameters file with sample values to provide to the template.
+This article includes sample [Azure Resource Manager templates](../../azure-resource-manager/templates/syntax.md) to create workbooks in Azure Monitor. Each sample includes a template file and a parameters file with sample values to provide to the template.
[!INCLUDE [azure-monitor-samples](../../../includes/azure-monitor-resource-manager-samples.md)]
The following sample creates a simple workbook.
## Next steps * [Get other sample templates for Azure Monitor](../resource-manager-samples.md).
-* [Learn more about action groups](../visualize/workbooks-overview.md).
+* [Learn more about action groups](../visualize/workbooks-overview.md).
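Review bot: The link text on this line reads "Learn more about action groups" while the target is `../visualize/workbooks-overview.md` and the article is about workbooks, so the label looks copied from another sample page. This change only touches whitespace, but the line is being rewritten, so change the text to "Learn more about workbooks".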
azure-monitor View Designer https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/visualize/view-designer.md
The options for working with views in edit mode are described in the following t
| Save | Saves your changes and closes the view. | | Cancel | Discards your changes and closes the view. | | Delete View | Deletes the view. |
-| Export | Exports the view to an [Azure Resource Manager template](../../azure-resource-manager/templates/template-syntax.md) that you can import into another workspace. The name of the file is the name of the view, and it has an *omsview* extension. |
+| Export | Exports the view to an [Azure Resource Manager template](../../azure-resource-manager/templates/syntax.md) that you can import into another workspace. The name of the file is the name of the view, and it has an *omsview* extension. |
| Import | Imports the *omsview* file that you exported from another workspace. This action overwrites the configuration of the existing view. | | Clone | Creates a new view and opens it in View Designer. The name of the new view is the same as the original name, but with *Copy* appended to it. |
azure-monitor Resource Manager Vminsights https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/vm/resource-manager-vminsights.md
Last updated 05/18/2020
# Resource Manager template samples for VM insights
-This article includes sample [Azure Resource Manager templates](../../azure-resource-manager/templates/template-syntax.md) to enable VM insights on virtual machines. Each sample includes a template file and a parameters file with sample values to provide to the template.
+This article includes sample [Azure Resource Manager templates](../../azure-resource-manager/templates/syntax.md) to enable VM insights on virtual machines. Each sample includes a template file and a parameters file with sample values to provide to the template.
[!INCLUDE [azure-monitor-samples](../../../includes/azure-monitor-resource-manager-samples.md)]
The following sample adds an Azure virtual machine scale set to VM insights.
## Next steps * [Get other sample templates for Azure Monitor](../resource-manager-samples.md).
-* [Learn more about VM insights](vminsights-overview.md).
+* [Learn more about VM insights](vminsights-overview.md).
azure-netapp-files Monitor Volume Capacity https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-netapp-files/monitor-volume-capacity.md
The following snapshot shows volume capacity reporting in Linux:
The *available space* is accurate using the `df` command. However, the *consumed/used space* will be an estimate when snapshots are generated on the volume. The [consumed snapshot capacity](azure-netapp-files-cost-model.md#capacity-consumption-of-snapshots) counts towards the total consumed space on the volume. To get the absolute volume consumption, including the capacity used by snapshots, use the [Azure NetApp Metrics](azure-netapp-files-metrics.md#volumes) in the Azure portal. ## Using Azure portal
-Azure NetApp Files leverages the standard [Azure Monitor](/azure/azure-monitor/overview) functionality. As such, you can use Azure Monitor to monitor Azure NetApp Files volumes.
+Azure NetApp Files leverages the standard [Azure Monitor](../azure-monitor/overview.md) functionality. As such, you can use Azure Monitor to monitor Azure NetApp Files volumes.
## Using Azure CLI
azure-percept How To Select Update Package https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-percept/how-to-select-update-package.md
This page provides guidance on how to select the update package that is best for your dev kit and the download locations for the update packages. For more information on how to update your device, see these articles:-- [Update your Azure Percept DK over-the-air](https://docs.microsoft.com/azure/azure-percept/how-to-update-over-the-air)-- [Update your Azure Percept DK via USB](https://docs.microsoft.com/azure/azure-percept/how-to-update-via-usb)
+- [Update your Azure Percept DK over-the-air](./how-to-update-over-the-air.md)
+- [Update your Azure Percept DK via USB](./how-to-update-via-usb.md)
## Prerequisites -- An [Azure Percept DK](https://go.microsoft.com/fwlink/?linkid=2155270) that has been [set up and connected to Azure Percept Studio and IoT Hub](https://docs.microsoft.com/azure/azure-percept/quickstart-percept-dk-set-up).
+- An [Azure Percept DK](https://go.microsoft.com/fwlink/?linkid=2155270) that has been [set up and connected to Azure Percept Studio and IoT Hub](./quickstart-percept-dk-set-up.md).
## Identify the model name and software version of your dev kit To ensure you apply the correct update package to your dev kit, you must first determine which software version it's currently running.
To ensure you apply the correct update package to your dev kit, you must first d
> Applying the incorrect update package could result in your dev kit becoming inoperable. It is important that you follow these steps to ensure you apply the correct update package. Option 1:
-1. Log in to the [Azure Percept Studio](/azure/azure-percept/overview-azure-percept-studio).
+1. Log in to the [Azure Percept Studio](./overview-azure-percept-studio.md).
2. In **Devices**, choose your devkit device. 3. In the **General** tab, look for the **Model** and **SW Version** information.
Using the **model** and **swVersion** identified in the previous section, check
## Next steps Update your dev kits via the methods and update packages determined in the previous section.-- [Update your Azure Percept DK over-the-air](https://docs.microsoft.com/azure/azure-percept/how-to-update-over-the-air)-- [Update your Azure Percept DK via USB](https://docs.microsoft.com/azure/azure-percept/how-to-update-via-usb)
+- [Update your Azure Percept DK over-the-air](./how-to-update-over-the-air.md)
+- [Update your Azure Percept DK via USB](./how-to-update-via-usb.md)
azure-percept Quickstart Percept Dk Set Up https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-percept/quickstart-percept-dk-set-up.md
To verify if your Azure account is an “owner” or “contributor” within th
1. When you see the **Device setup complete!** page, your dev kit has successfully linked to your IoT Hub and downloaded the necessary software. Your dev kit will automatically disconnect from the Wi-Fi access point resulting in these two notifications: > [!NOTE]
- > The IoT Edge containers that get configured as part of this set up process use certificates that will expire after 90 days. The certificates can be automatically regenerated by restarting IoT Edge. Refer to [Manage certificates on an IoT Edge device](https://docs.microsoft.com/azure/iot-edge/how-to-manage-device-certificates) for more details.
+ > The IoT Edge containers that get configured as part of this set up process use certificates that will expire after 90 days. The certificates can be automatically regenerated by restarting IoT Edge. Refer to [Manage certificates on an IoT Edge device](../iot-edge/how-to-manage-device-certificates.md) for more details.
:::image type="content" source="./media/quickstart-percept-dk-setup/main-19-0-warning.png" alt-text="Setup experience disconnect warning.":::
azure-portal Azure Portal Dashboards Create Programmatically https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-portal/azure-portal-dashboards-create-programmatically.md
Template-based deployment supports parameterization and templating. We use this
## Programmatically create a dashboard from your template using a template deployment
-Azure offers the ability to orchestrate the deployment of multiple resources. You create a deployment template that expresses the set of resources to deploy and the relationships between them. The JSON format of each resource is the same as if you were creating them one by one. The difference is that the template language adds a few concepts like variables, parameters, basic functions, and more. This extended syntax is only supported in the context of a template deployment. It doesn't work if used with the imperative APIs discussed earlier. For more information, see [Understand the structure and syntax of Azure Resource Manager templates](../azure-resource-manager/templates/template-syntax.md).
+Azure offers the ability to orchestrate the deployment of multiple resources. You create a deployment template that expresses the set of resources to deploy and the relationships between them. The JSON format of each resource is the same as if you were creating them one by one. The difference is that the template language adds a few concepts like variables, parameters, basic functions, and more. This extended syntax is only supported in the context of a template deployment. It doesn't work if used with the imperative APIs discussed earlier. For more information, see [Understand the structure and syntax of Azure Resource Manager templates](../azure-resource-manager/templates/syntax.md).
Parameterization should be done using the template's parameter syntax. You replace all instances of the resource ID we found earlier as shown here.
az portal dashboard list --resource-group myResourceGroup
For more information about desktops, see [Manage Azure portal settings and preferences](set-preferences.md).
-For more information about Azure CLI support for dashboards, see [az portal dashboard](/cli/azure/portal/dashboard).
+For more information about Azure CLI support for dashboards, see [az portal dashboard](/cli/azure/portal/dashboard).
azure-resource-manager Deploy Cli https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/bicep/deploy-cli.md
To avoid conflicts with concurrent deployments and to ensure unique entries in t
## Next steps * To roll back to a successful deployment when you get an error, see [Rollback on error to successful deployment](../templates/rollback-on-error.md).
-* To understand how to define parameters in your template, see [Understand the structure and syntax of ARM templates](../templates/template-syntax.md).
-* For tips on resolving common deployment errors, see [Troubleshoot common Azure deployment errors with Azure Resource Manager](../templates/common-deployment-errors.md).
+* To understand how to define parameters in your template, see [Understand the structure and syntax of ARM templates](../templates/syntax.md).
+* For tips on resolving common deployment errors, see [Troubleshoot common Azure deployment errors with Azure Resource Manager](../templates/common-deployment-errors.md).
azure-resource-manager Deploy Powershell https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/bicep/deploy-powershell.md
To avoid conflicts with concurrent deployments and to ensure unique entries in t
## Next steps - To roll back to a successful deployment when you get an error, see [Rollback on error to successful deployment](../templates/rollback-on-error.md).-- To understand how to define parameters in your template, see [Understand the structure and syntax of ARM templates](../templates/template-syntax.md).-- For information about deploying a template that requires a SAS token, see [Deploy private ARM template with SAS token](../templates/secure-template-with-sas-token.md).
+- To understand how to define parameters in your template, see [Understand the structure and syntax of ARM templates](../templates/syntax.md).
+- For information about deploying a template that requires a SAS token, see [Deploy private ARM template with SAS token](../templates/secure-template-with-sas-token.md).
azure-resource-manager Deploy What If https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/bicep/deploy-what-if.md
For REST API, use:
The what-if operation lists six different types of changes: * **Create**: The resource doesn't currently exist but is defined in the Bicep file. The resource will be created.
-* **Delete**: This change type only applies when using [complete mode](../templates/deployment-modes.md) for JSON template deployment. The resource exists, but isn't defined in the Bicep file. With complete mode, the resource will be deleted. Only resources that [support complete mode deletion](../templates/complete-mode-deletion.md) are included in this change type.
+* **Delete**: This change type only applies when using [complete mode](../templates/deployment-modes.md) for JSON template deployment. The resource exists, but isn't defined in the Bicep file. With complete mode, the resource will be deleted. Only resources that [support complete mode deletion](../templates/deployment-complete-mode-deletion.md) are included in this change type.
* **Ignore**: The resource exists, but isn't defined in the Bicep file. The resource won't be deployed or modified. * **NoChange**: The resource exists, and is defined in the Bicep file. The resource will be redeployed, but the properties of the resource won't change. This change type is returned when [ResultFormat](#result-format) is set to `FullResourcePayloads`, which is the default value. * **Modify**: The resource exists, and is defined in the Bicep file. The resource will be redeployed, and the properties of the resource will change. This change type is returned when [ResultFormat](#result-format) is set to `FullResourcePayloads`, which is the default value.
You can use the what-if operation through the Azure SDKs.
* To use the what-if operation in a pipeline, see [Test ARM templates with What-If in a pipeline](https://4bes.nl/2021/03/06/test-arm-templates-with-what-if/). * If you notice incorrect results from the what-if operation, please report the issues at [https://aka.ms/whatifissues](https://aka.ms/whatifissues).
-* For a Microsoft Learn module that covers using what if, see [Preview changes and validate Azure resources by using what-if and the ARM template test toolkit](/learn/modules/arm-template-test/).
+* For a Microsoft Learn module that covers using what if, see [Preview changes and validate Azure resources by using what-if and the ARM template test toolkit](/learn/modules/arm-template-test/).
azure-resource-manager Resource Declaration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/bicep/resource-declaration.md
resource myStorageAccount 'Microsoft.Storage/storageAccounts@2019-06-01' = {
You set a symbolic name for the resource. In the preceding example, the symbolic name is `myStorageAccount`. You can use any value for the symbolic name but it can't be the same as another resource, parameter, or variable in the Bicep file. The symbolic name isn't the same as the resource name. You use the symbolic name to easily reference the resource in other parts of your Bicep file.
-Bicep doesn't support `apiProfile`, which is available in [Azure Resource Manager templates (ARM templates) JSON](../templates/template-syntax.md).
+Bicep doesn't support `apiProfile`, which is available in [Azure Resource Manager templates (ARM templates) JSON](../templates/syntax.md).
## Set resource name
resource stg 'Microsoft.Storage/storageAccounts@2019-06-01' existing = {
## Next steps -- To conditionally deploy a resource, see [Conditional deployment in Bicep](./conditional-resource-deployment.md).
+- To conditionally deploy a resource, see [Conditional deployment in Bicep](./conditional-resource-deployment.md).
azure-resource-manager Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/managed-applications/overview.md
For information about publishing a Service Catalog managed application, see [Cre
Vendors wishing to bill for their services can make a managed application available through the Azure marketplace. After the vendor publishes an application, it's available to users outside the organization. With this approach, managed service providers (MSPs), independent software vendors (ISVs), and system integrators (SIs) can offer their solutions to all Azure customers.
-For information about publishing a managed application to the Marketplace, see [Create marketplace application](../../marketplace/create-new-azure-apps-offer.md).
+For information about publishing a managed application to the Marketplace, see [Create marketplace application](../../marketplace/azure-app-offer-setup.md).
## Resource groups for managed applications
The consumer has full access to the resource group and uses it to manage the lif
This resource group holds all the resources that are required by the managed application. For example, this resource group contains the virtual machines, storage accounts, and virtual networks for the solution. The consumer has limited access to this resource group because the consumer doesn't manage the individual resources for the managed application. The publisher's access to this resource group corresponds to the role specified in the managed application definition. For example, the publisher might request the Owner or Contributor role for this resource group. The access is either permanent or limited to a specific time.
-When publishing the [managed application to the marketplace](../../marketplace/create-new-azure-apps-offer.md), the publisher can grant consumers the ability to perform specific actions on resources in the managed resource group. For example, the publisher can specify that consumers can restart virtual machines. All other actions beyond read actions are still denied. Changes to resources in a managed resource group by a consumer with granted actions are subject to the [Azure Policy](../../governance/policy/overview.md) assignments within the consumers tenant scoped to include the managed resource group.
+When publishing the [managed application to the marketplace](../../marketplace/azure-app-offer-setup.md), the publisher can grant consumers the ability to perform specific actions on resources in the managed resource group. For example, the publisher can specify that consumers can restart virtual machines. All other actions beyond read actions are still denied. Changes to resources in a managed resource group by a consumer with granted actions are subject to the [Azure Policy](../../governance/policy/overview.md) assignments within the consumers tenant scoped to include the managed resource group.
When the consumer deletes the managed application, the managed resource group is also deleted.
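Review bot: the last sentence of the changed paragraph still reads "within the consumers tenant". Since this line is already being touched for the Marketplace link update, fix the possessive to "consumer's tenant" in the same change. This sentence describes which Azure Policy assignments apply to consumer actions in the managed resource group, so it should read unambiguously.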
azure-resource-manager Publish Managed Identity https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/managed-applications/publish-managed-identity.md
Creating a Managed Application with a Managed Identity requires an additional pr
} ```
-There are two common ways to create a Managed Application with **identity**: [CreateUIDefinition.json](./create-uidefinition-overview.md) and [Azure Resource Manager templates](../templates/template-syntax.md). For simple single create scenarios, CreateUIDefinition should be used to enable Managed Identity, because it provides a richer experience. However, when dealing with advanced or complex systems that require automated or multiple Managed Application deployments, templates can be used.
+There are two common ways to create a Managed Application with **identity**: [CreateUIDefinition.json](./create-uidefinition-overview.md) and [Azure Resource Manager templates](../templates/syntax.md). For simple single create scenarios, CreateUIDefinition should be used to enable Managed Identity, because it provides a richer experience. However, when dealing with advanced or complex systems that require automated or multiple Managed Application deployments, templates can be used.
### Using CreateUIDefinition
token_type | The type of the token.
## Next steps > [!div class="nextstepaction"]
-> [How to configure a Managed Application with a Custom Provider](../custom-providers/overview.md)
+> [How to configure a Managed Application with a Custom Provider](../custom-providers/overview.md)
azure-resource-manager Publish Notifications https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/managed-applications/publish-notifications.md
To get started, see [Publish a service catalog application through Azure portal]
``` ## Add Azure Marketplace managed application notifications
-For more information, see [Create an Azure application offer](../../marketplace/create-new-azure-apps-offer.md).
+For more information, see [Create an Azure application offer](../../marketplace/azure-app-offer-setup.md).
![Azure Marketplace managed application notifications in the Azure portal](./media/publish-notifications/marketplace-notifications.png) ## Event triggers
To secure the webhook endpoint and ensure the authenticity of the notification:
## Notification retries
-The Managed Application Notification service expects a `200 OK` response from the webhook endpoint to the notification. The notification service will retry if the webhook endpoint returns an HTTP error code greater than or equal to 500, if it returns an error code of 429, or if the endpoint is temporarily unreachable. If the webhook endpoint doesn't become available within 10 hours, the notification message will be dropped and the retries will stop.
+The Managed Application Notification service expects a `200 OK` response from the webhook endpoint to the notification. The notification service will retry if the webhook endpoint returns an HTTP error code greater than or equal to 500, if it returns an error code of 429, or if the endpoint is temporarily unreachable. If the webhook endpoint doesn't become available within 10 hours, the notification message will be dropped and the retries will stop.
azure-resource-manager Reference Main Template Artifact https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/managed-applications/reference-main-template-artifact.md
Last updated 07/11/2019
# Reference: Deployment template artifact
-This article is a reference for a *mainTemplate.json* artifact in Azure Managed Applications. For more information about authoring deployment template, see [Azure Resource Manager templates](../templates/template-syntax.md).
+This article is a reference for a *mainTemplate.json* artifact in Azure Managed Applications. For more information about authoring deployment template, see [Azure Resource Manager templates](../templates/syntax.md).
## Deployment template
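Review bot: in the second sentence of the changed line, "authoring deployment template" is missing an article or a plural. While updating the link to `../templates/syntax.md`, change it to "authoring a deployment template" or "authoring deployment templates".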
azure-resource-manager Request Just In Time Access https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/managed-applications/request-just-in-time-access.md
When creating your offer in Partner Center, make sure you enable JIT access.
1. Sign in to the Commercial Marketplace portal in [Partner Center](https://partner.microsoft.com/dashboard/commercial-marketplace/overview).
-1. For guidance creating a new managed application, follow the steps in [Create an Azure application offer](../../marketplace/create-new-azure-apps-offer.md).
+1. For guidance creating a new managed application, follow the steps in [Create an Azure application offer](../../marketplace/azure-app-offer-setup.md).
1. On the **Technical configuration** page, select the **Enable just-in-time (JIT) access** checkbox.
The principal ID of the account requesting JIT access must be explicitly include
## Next steps
-To learn about approving requests for JIT access, see [Approve just-in-time access in Azure Managed Applications](approve-just-in-time-access.md).
+To learn about approving requests for JIT access, see [Approve just-in-time access in Azure Managed Applications](approve-just-in-time-access.md).
azure-resource-manager Test Createuidefinition https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/managed-applications/test-createuidefinition.md
Now that you've verified your portal interface is working as expected, it's time
## Next steps
-After validating your portal interface, learn about making your [Azure managed application available in the Marketplace](../../marketplace/create-new-azure-apps-offer.md).
+After validating your portal interface, learn about making your [Azure managed application available in the Marketplace](../../marketplace/azure-app-offer-setup.md).
azure-resource-manager Tutorial Create Managed App With Custom Provider https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/managed-applications/tutorial-create-managed-app-with-custom-provider.md
If you have questions about Azure Managed Applications, you can try asking on [S
## Next steps
-To publish your managed application to the Azure Marketplace, see [Azure managed applications in the Marketplace](../../marketplace/create-new-azure-apps-offer.md).
+To publish your managed application to the Azure Marketplace, see [Azure managed applications in the Marketplace](../../marketplace/azure-app-offer-setup.md).
-Learn more about [Azure Custom Providers](../custom-providers/overview.md).
+Learn more about [Azure Custom Providers](../custom-providers/overview.md).
azure-resource-manager Lock Resources https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/management/lock-resources.md
To create a resource group and lock it, deploy the following template at the sub
# [Bicep](#tab/bicep)
-The main Bicep file creates a resource group and uses a [module](../templates/bicep-modules.md) to create the lock.
+The main Bicep file creates a resource group and uses a [module](../bicep/modules.md) to create the lock.
```Bicep targetScope = 'subscription'
In the request, include a JSON object that specifies the properties for the lock
- To learn about logically organizing your resources, see [Using tags to organize your resources](tag-resources.md). - You can apply restrictions and conventions across your subscription with customized policies. For more information, see [What is Azure Policy?](../../governance/policy/overview.md).-- For guidance on how enterprises can use Resource Manager to effectively manage subscriptions, see [Azure enterprise scaffold - prescriptive subscription governance](/azure/architecture/cloud-adoption-guide/subscription-governance).
+- For guidance on how enterprises can use Resource Manager to effectively manage subscriptions, see [Azure enterprise scaffold - prescriptive subscription governance](/azure/architecture/cloud-adoption-guide/subscription-governance).
azure-resource-manager Manage Resource Groups Cli https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/management/manage-resource-groups-cli.md
For more information, see [Single and multi-resource export to template in Azure
## Next steps - To learn Azure Resource Manager, see [Azure Resource Manager overview](overview.md).-- To learn the Resource Manager template syntax, see [Understand the structure and syntax of Azure Resource Manager templates](../templates/template-syntax.md).
+- To learn the Resource Manager template syntax, see [Understand the structure and syntax of Azure Resource Manager templates](../templates/syntax.md).
- To learn how to develop templates, see the [step-by-step tutorials](../index.yml). - To view the Azure Resource Manager template schemas, see [template reference](/azure/templates/).
azure-resource-manager Manage Resource Groups Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/management/manage-resource-groups-portal.md
For information about exporting templates, see [Single and multi-resource export
## Next steps - To learn Azure Resource Manager, see [Azure Resource Manager overview](overview.md).-- To learn the Resource Manager template syntax, see [Understand the structure and syntax of Azure Resource Manager templates](../templates/template-syntax.md).
+- To learn the Resource Manager template syntax, see [Understand the structure and syntax of Azure Resource Manager templates](../templates/syntax.md).
- To learn how to develop templates, see the [step-by-step tutorials](../index.yml).-- To view the Azure Resource Manager template schemas, see [template reference](/azure/templates/).
+- To view the Azure Resource Manager template schemas, see [template reference](/azure/templates/).
azure-resource-manager Manage Resource Groups Powershell https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/management/manage-resource-groups-powershell.md
For more information, see [Single and multi-resource export to template in Azure
## Next steps - To learn Azure Resource Manager, see [Azure Resource Manager overview](overview.md).-- To learn the Resource Manager template syntax, see [Understand the structure and syntax of Azure Resource Manager templates](../templates/template-syntax.md).
+- To learn the Resource Manager template syntax, see [Understand the structure and syntax of Azure Resource Manager templates](../templates/syntax.md).
- To learn how to develop templates, see the [step-by-step tutorials](../index.yml).-- To view the Azure Resource Manager template schemas, see [template reference](/azure/templates/).
+- To view the Azure Resource Manager template schemas, see [template reference](/azure/templates/).
azure-resource-manager Manage Resources Cli https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/management/manage-resources-cli.md
Tagging helps organizing your resource group and resources logically. For inform
## Next steps - To learn Azure Resource Manager, see [Azure Resource Manager overview](overview.md).-- To learn the Resource Manager template syntax, see [Understand the structure and syntax of Azure Resource Manager templates](../templates/template-syntax.md).
+- To learn the Resource Manager template syntax, see [Understand the structure and syntax of Azure Resource Manager templates](../templates/syntax.md).
- To learn how to develop templates, see the [step-by-step tutorials](../index.yml). - To view the Azure Resource Manager template schemas, see [template reference](/azure/templates/).
azure-resource-manager Manage Resources Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/management/manage-resources-portal.md
You can select the pin icon on the upper right corner of the graphs to pin the g
## Next steps - To learn Azure Resource Manager, see [Azure Resource Manager overview](overview.md).-- To learn the Resource Manager template syntax, see [Understand the structure and syntax of Azure Resource Manager templates](../templates/template-syntax.md).
+- To learn the Resource Manager template syntax, see [Understand the structure and syntax of Azure Resource Manager templates](../templates/syntax.md).
- To learn how to develop templates, see the [step-by-step tutorials](../index.yml).-- To view the Azure Resource Manager template schemas, see [template reference](/azure/templates/).
+- To view the Azure Resource Manager template schemas, see [template reference](/azure/templates/).
azure-resource-manager Manage Resources Powershell https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/management/manage-resources-powershell.md
Tagging helps organizing your resource group and resources logically. For inform
## Next steps - To learn Azure Resource Manager, see [Azure Resource Manager overview](overview.md).-- To learn the Resource Manager template syntax, see [Understand the structure and syntax of Azure Resource Manager templates](../templates/template-syntax.md).
+- To learn the Resource Manager template syntax, see [Understand the structure and syntax of Azure Resource Manager templates](../templates/syntax.md).
- To learn how to develop templates, see the [step-by-step tutorials](../index.yml).-- To view the Azure Resource Manager template schemas, see [template reference](/azure/templates/).
+- To view the Azure Resource Manager template schemas, see [template reference](/azure/templates/).
azure-resource-manager Move Support Resources https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/management/move-support-resources.md
Jump to a resource provider namespace:
> | Resource type | Resource group | Subscription | Region move | > | - | -- | - | -- | > | controllers | Yes | Yes | No |
-> | AKS cluster | **pending** | **pending** | No<br/><br/> [Learn more](../../dev-spaces/faq.md#can-i-migrate-my-aks-cluster-with-azure-dev-spaces-to-another-region) about moving to another region.
+> | AKS cluster | **pending** | **pending** | No<br/><br/> [Learn more](../../dev-spaces/index.yml) about moving to another region.
## Microsoft.DevTestLab
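Review bot: in the AKS cluster row, the link text still promises "Learn more about moving to another region", but the new target `../../dev-spaces/index.yml` is a general index page, not the FAQ anchor on region migration that the old link pointed to. Either link to a page that covers region moves or reword the cell so it no longer promises that content. The row also has no closing `|`, unlike the `controllers` row above it.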
Third-party services currently don't support the move operation.
- For commands to move resources, see [Move resources to new resource group or subscription](move-resource-group-and-subscription.md). - [Learn more](../../resource-mover/overview.md) about the Resource Mover service.-- To get the same data as a file of comma-separated values, download [move-support-resources.csv](https://github.com/tfitzmac/resource-capabilities/blob/master/move-support-resources.csv).
+- To get the same data as a file of comma-separated values, download [move-support-resources.csv](https://github.com/tfitzmac/resource-capabilities/blob/master/move-support-resources.csv).
azure-resource-manager Resource Providers And Types https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/management/resource-providers-and-types.md
West US
## Next steps
-* To learn about creating Resource Manager templates, see [Authoring Azure Resource Manager templates](../templates/template-syntax.md).
+* To learn about creating Resource Manager templates, see [Authoring Azure Resource Manager templates](../templates/syntax.md).
* To view the resource provider template schemas, see [Template reference](/azure/templates/). * For a list that maps resource providers to Azure services, see [Resource providers for Azure services](azure-services-resource-providers.md).
-* To view the operations for a resource provider, see [Azure REST API](/rest/api/).
+* To view the operations for a resource provider, see [Azure REST API](/rest/api/).
azure-resource-manager Add Template To Azure Pipelines https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/add-template-to-azure-pipelines.md
You can select the currently running pipeline to see details about the tasks. Wh
## Copy and deploy tasks
-This section shows how to configure continuous deployment by using a two tasks. The first task stages the artifacts to a storage account and the second task deploy the template.
+This section shows how to configure continuous deployment by using two tasks. The first task stages the artifacts to a storage account and the second task deploys the template.
To copy files to a storage account, the service principal for the service connection must be assigned the Storage Blob Data Contributor or Storage Blob Data Owner role. For more information, see [Get started with AzCopy](../../storage/common/storage-use-azcopy-v10.md).
azure-resource-manager Best Practices https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/best-practices.md
If the resource group's region is temporarily unavailable, you can't update reso
## Parameters
-The information in this section can be helpful when you work with [parameters](template-parameters.md).
+The information in this section can be helpful when you work with [parameters](./parameters.md).
### General recommendations for parameters
The information in this section can be helpful when you work with [parameters](t
## Variables
-The following information can be helpful when you work with [variables](template-variables.md):
+The following information can be helpful when you work with [variables](./variables.md):
* Use camel case for variable names.
Don't use variables for the API version.
## Resource dependencies
-When deciding what [dependencies](define-resource-dependency.md) to set, use the following guidelines:
+When deciding what [dependencies](./resource-dependency.md) to set, use the following guidelines:
-* Use the `reference` function and pass in the resource name to set an implicit dependency between resources that need to share a property. Don't add an explicit `dependsOn` element when you've already defined an implicit dependency. This approach reduces the risk of having unnecessary dependencies. For an example of setting an implicit dependency, see [reference and list functions](define-resource-dependency.md#reference-and-list-functions).
+* Use the `reference` function and pass in the resource name to set an implicit dependency between resources that need to share a property. Don't add an explicit `dependsOn` element when you've already defined an implicit dependency. This approach reduces the risk of having unnecessary dependencies. For an example of setting an implicit dependency, see [reference and list functions](./resource-dependency.md#reference-and-list-functions).
* Set a child resource as dependent on its parent resource.
When deciding what [dependencies](define-resource-dependency.md) to set, use the
## Resources
-The following information can be helpful when you work with [resources](template-syntax.md#resources):
+The following information can be helpful when you work with [resources](./syntax.md#resources):
* To help other contributors understand the purpose of the resource, specify `comments` for each resource in the template.
After you've completed your template, run the test toolkit to see if there are w
## Next steps
-* For information about the structure of the template file, see [Understand the structure and syntax of ARM templates](template-syntax.md).
-* For recommendations about how to build templates that work in all Azure cloud environments, see [Develop ARM templates for cloud consistency](templates-cloud-consistency.md).
+* For information about the structure of the template file, see [Understand the structure and syntax of ARM templates](./syntax.md).
+* For recommendations about how to build templates that work in all Azure cloud environments, see [Develop ARM templates for cloud consistency](./template-cloud-consistency.md).
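Review bot: the second link changes the file name from `templates-cloud-consistency.md` to `./template-cloud-consistency.md`, dropping the "s" in addition to gaining the `./` prefix. Confirm that the singular file name is the intended target and exists in this folder, otherwise the link breaks.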
azure-resource-manager Child Resource Name Type https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/child-resource-name-type.md
The following example shows a virtual network and subnet that are both defined a
## Next steps
-* To learn about creating ARM templates, see [Understand the structure and syntax of ARM templates](template-syntax.md).
-* To learn about the format of the resource name when referencing the resource, see the [reference function](template-functions-resource.md#reference).
+* To learn about creating ARM templates, see [Understand the structure and syntax of ARM templates](./syntax.md).
+* To learn about the format of the resource name when referencing the resource, see the [reference function](template-functions-resource.md#reference).
azure-resource-manager Conditional Resource Deployment https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/conditional-resource-deployment.md
If you use a [reference](template-functions-resource.md#reference) or [list](tem
Use the [if](template-functions-logical.md#if) function to make sure the function is only evaluated for conditions when the resource is deployed. See the [if function](template-functions-logical.md#if) for a sample template that uses `if` and `reference` with a conditionally deployed resource.
-You set a [resource as dependent](define-resource-dependency.md) on a conditional resource exactly as you would any other resource. When a conditional resource isn't deployed, Azure Resource Manager automatically removes it from the required dependencies.
+You set a [resource as dependent](./resource-dependency.md) on a conditional resource exactly as you would any other resource. When a conditional resource isn't deployed, Azure Resource Manager automatically removes it from the required dependencies.
## Complete mode
If you deploy a template with [complete mode](deployment-modes.md) and a resourc
## Next steps * For a Microsoft Learn module that covers conditional deployment, see [Manage complex cloud deployments by using advanced ARM template features](/learn/modules/manage-deployments-advanced-arm-template-features/).
-* For recommendations about creating templates, see [ARM template best practices](template-best-practices.md).
-* To create multiple instances of a resource, see [Resource iteration in ARM templates](copy-resources.md).
+* For recommendations about creating templates, see [ARM template best practices](./best-practices.md).
+* To create multiple instances of a resource, see [Resource iteration in ARM templates](copy-resources.md).
azure-resource-manager Copy Outputs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/copy-outputs.md
The preceding example returns an array with the following values:
- [Resource iteration in ARM templates](copy-resources.md) - [Property iteration in ARM templates](copy-properties.md) - [Variable iteration in ARM templates](copy-variables.md)-- If you want to learn about the sections of a template, see [Understand the structure and syntax of ARM templates](template-syntax.md).-- To learn how to deploy your template, see [Deploy resources with ARM templates and Azure PowerShell](deploy-powershell.md).
+- If you want to learn about the sections of a template, see [Understand the structure and syntax of ARM templates](./syntax.md).
+- To learn how to deploy your template, see [Deploy resources with ARM templates and Azure PowerShell](deploy-powershell.md).
azure-resource-manager Copy Properties https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/copy-properties.md
The following example shows a common scenario for creating more than one value f
- [Resource iteration in ARM templates](copy-resources.md) - [Variable iteration in ARM templates](copy-variables.md) - [Output iteration in ARM templates](copy-outputs.md)-- If you want to learn about the sections of a template, see [Understand the structure and syntax of ARM templates](template-syntax.md).-- To learn how to deploy your template, see [Deploy resources with ARM templates and Azure PowerShell](deploy-powershell.md).
+- If you want to learn about the sections of a template, see [Understand the structure and syntax of ARM templates](./syntax.md).
+- To learn how to deploy your template, see [Deploy resources with ARM templates and Azure PowerShell](deploy-powershell.md).
azure-resource-manager Copy Resources https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/copy-resources.md
The following examples show common scenarios for creating more than one instance
## Next steps -- To set dependencies on resources that are created in a copy loop, see [Define the order for deploying resources in ARM templates](define-resource-dependency.md).
+- To set dependencies on resources that are created in a copy loop, see [Define the order for deploying resources in ARM templates](./resource-dependency.md).
- To go through a tutorial, see [Tutorial: Create multiple resource instances with ARM templates](template-tutorial-create-multiple-instances.md). - For a Microsoft Learn module that covers resource copy, see [Manage complex cloud deployments by using advanced ARM template features](/learn/modules/manage-deployments-advanced-arm-template-features/). - For other uses of the copy loop, see: - [Property iteration in ARM templates](copy-properties.md) - [Variable iteration in ARM templates](copy-variables.md) - [Output iteration in ARM templates](copy-outputs.md)-- For information about using copy with nested templates, see [Using copy](linked-templates.md#using-copy).
+- For information about using copy with nested templates, see [Using copy](linked-templates.md#using-copy).
azure-resource-manager Copy Variables https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/copy-variables.md
The following examples show common scenarios for creating more than one value fo
- [Resource iteration in ARM templates](copy-resources.md) - [Property iteration in ARM templates](copy-properties.md) - [Output iteration in ARM templates](copy-outputs.md)-- If you want to learn about the sections of a template, see [Understand the structure and syntax of ARM templates](template-syntax.md).-- To learn how to deploy your template, see [Deploy resources with ARM templates and Azure PowerShell](deploy-powershell.md).
+- If you want to learn about the sections of a template, see [Understand the structure and syntax of ARM templates](./syntax.md).
+- To learn how to deploy your template, see [Deploy resources with ARM templates and Azure PowerShell](deploy-powershell.md).
azure-resource-manager Create Visual Studio Deployment Project https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/create-visual-studio-deployment-project.md
In this section, you create an Azure Resource Group project with a **Web app** t
## Customize Resource Manager template
-You can customize a deployment project by modifying the Resource Manager template that describes the resources you want to deploy. To learn about the elements of the Resource Manager template, see [Authoring Azure Resource Manager templates](template-syntax.md).
+You can customize a deployment project by modifying the Resource Manager template that describes the resources you want to deploy. To learn about the elements of the Resource Manager template, see [Authoring Azure Resource Manager templates](./syntax.md).
1. To work on your template, open **WebSite.json**.
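Review bot: The link text on the changed line, "Authoring Azure Resource Manager templates", does not match the title used for the same target in the other hunks of this change set ("Understand the structure and syntax of ARM templates"). The line is already being edited to repoint the link at `./syntax.md`, so update the link text to the current article title in the same change.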
When the Azure resources are no longer needed, clean up the resources you deploy
In this article, you learned how to create and deploy templates using Visual Studio. To learn more about template development, see our new beginner tutorial series: > [!div class="nextstepaction"]
-> [Beginner tutorials](./template-tutorial-create-first-template.md)
+> [Beginner tutorials](./template-tutorial-create-first-template.md)
azure-resource-manager Data Types https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/data-types.md
The following example shows two secure parameters.
## Next steps
-To learn about the template syntax, see [Understand the structure and syntax of ARM templates](template-syntax.md).
+To learn about the template syntax, see [Understand the structure and syntax of ARM templates](./syntax.md).
azure-resource-manager Deploy Cli https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/deploy-cli.md
For more information, see [Azure Resource Manager template specs](template-specs
## Preview changes
-Before deploying your template, you can preview the changes the template will make to your environment. Use the [what-if operation](template-deploy-what-if.md) to verify that the template makes the changes that you expect. What-if also validates the template for errors.
+Before deploying your template, you can preview the changes the template will make to your environment. Use the [what-if operation](./deploy-what-if.md) to verify that the template makes the changes that you expect. What-if also validates the template for errors.
## Parameters
To deploy a template with multi-line strings or comments using Azure CLI with ve
* To roll back to a successful deployment when you get an error, see [Rollback on error to successful deployment](rollback-on-error.md). * To specify how to handle resources that exist in the resource group but aren't defined in the template, see [Azure Resource Manager deployment modes](deployment-modes.md).
-* To understand how to define parameters in your template, see [Understand the structure and syntax of ARM templates](template-syntax.md).
-* For tips on resolving common deployment errors, see [Troubleshoot common Azure deployment errors with Azure Resource Manager](common-deployment-errors.md).
+* To understand how to define parameters in your template, see [Understand the structure and syntax of ARM templates](./syntax.md).
+* For tips on resolving common deployment errors, see [Troubleshoot common Azure deployment errors with Azure Resource Manager](common-deployment-errors.md).
azure-resource-manager Deploy Cloud Shell https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/deploy-cloud-shell.md
To deploy a local template, you must first upload your template to the storage a
## Next steps - For more information about deployment commands, see [Deploy resources with ARM templates and Azure CLI](deploy-cli.md) and [Deploy resources with ARM templates and Azure PowerShell](deploy-powershell.md).-- To preview changes before deploying a template, see [ARM template deployment what-if operation](template-deploy-what-if.md).
+- To preview changes before deploying a template, see [ARM template deployment what-if operation](./deploy-what-if.md).
azure-resource-manager Deploy Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/deploy-portal.md
Although you didn't see it, the portal used an ARM template to deploy the resour
## Deploy resources from custom template
-If you want to execute a deployment but not use any of the templates in the Marketplace, you can create a customized template that defines the infrastructure for your solution. To learn about creating templates, see [Understand the structure and syntax of ARM templates](template-syntax.md).
+If you want to execute a deployment but not use any of the templates in the Marketplace, you can create a customized template that defines the infrastructure for your solution. To learn about creating templates, see [Understand the structure and syntax of ARM templates](./syntax.md).
> [!NOTE] > The portal interface doesn't support referencing a [secret from a Key Vault](key-vault-parameter.md). Instead, use [PowerShell](deploy-powershell.md) or [Azure CLI](deploy-cli.md) to deploy your template locally or from an external URI.
azure-resource-manager Deploy Powershell https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/deploy-powershell.md
For more information, see [Azure Resource Manager template specs](template-specs
## Preview changes
-Before deploying your template, you can preview the changes the template will make to your environment. Use the [what-if operation](template-deploy-what-if.md) to verify that the template makes the changes that you expect. What-if also validates the template for errors.
+Before deploying your template, you can preview the changes the template will make to your environment. Use the [what-if operation](./deploy-what-if.md) to verify that the template makes the changes that you expect. What-if also validates the template for errors.
## Pass parameter values
New-AzResourceGroupDeployment -Name ExampleDeployment -ResourceGroupName Example
- To roll back to a successful deployment when you get an error, see [Rollback on error to successful deployment](rollback-on-error.md). - To specify how to handle resources that exist in the resource group but aren't defined in the template, see [Azure Resource Manager deployment modes](deployment-modes.md).-- To understand how to define parameters in your template, see [Understand the structure and syntax of ARM templates](template-syntax.md).-- For information about deploying a template that requires a SAS token, see [Deploy private ARM template with SAS token](secure-template-with-sas-token.md).
+- To understand how to define parameters in your template, see [Understand the structure and syntax of ARM templates](./syntax.md).
+- For information about deploying a template that requires a SAS token, see [Deploy private ARM template with SAS token](secure-template-with-sas-token.md).
azure-resource-manager Deploy Rest https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/deploy-rest.md
The examples in this article use resource group deployments.
} ```
-1. Before deploying your template, you can preview the changes the template will make to your environment. Use the [what-if operation](template-deploy-what-if.md) to verify that the template makes the changes that you expect. What-if also validates the template for errors.
+1. Before deploying your template, you can preview the changes the template will make to your environment. Use the [what-if operation](./deploy-what-if.md) to verify that the template makes the changes that you expect. What-if also validates the template for errors.
1. To deploy a template, provide your subscription ID, the name of the resource group, the name of the deployment in the request URI.
To avoid conflicts with concurrent deployments and to ensure unique entries in t
- To roll back to a successful deployment when you get an error, see [Rollback on error to successful deployment](rollback-on-error.md). - To specify how to handle resources that exist in the resource group but aren't defined in the template, see [Azure Resource Manager deployment modes](deployment-modes.md). - To learn about handling asynchronous REST operations, see [Track asynchronous Azure operations](../management/async-operations.md).-- To learn more about templates, see [Understand the structure and syntax of ARM templates](template-syntax.md).
+- To learn more about templates, see [Understand the structure and syntax of ARM templates](./syntax.md).
azure-resource-manager Deploy To Azure Button https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/deploy-to-azure-button.md
The portal displays a pane that allows you to easily provide parameter values. T
## Next steps -- To learn more about templates, see [Understand the structure and syntax of ARM templates](template-syntax.md).
+- To learn more about templates, see [Understand the structure and syntax of ARM templates](./syntax.md).
azure-resource-manager Deploy What If https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/deploy-what-if.md
The what-if operation lists six different types of changes:
- **Create**: The resource doesn't currently exist but is defined in the template. The resource will be created. -- **Delete**: This change type only applies when using [complete mode](deployment-modes.md) for deployment. The resource exists, but isn't defined in the template. With complete mode, the resource will be deleted. Only resources that [support complete mode deletion](complete-mode-deletion.md) are included in this change type.
+- **Delete**: This change type only applies when using [complete mode](deployment-modes.md) for deployment. The resource exists, but isn't defined in the template. With complete mode, the resource will be deleted. Only resources that [support complete mode deletion](./deployment-complete-mode-deletion.md) are included in this change type.
- **Ignore**: The resource exists, but isn't defined in the template. The resource won't be deployed or modified.
You can use the what-if operation through the Azure SDKs.
- To use the what-if operation in a pipeline, see [Test ARM templates with What-If in a pipeline](https://4bes.nl/2021/03/06/test-arm-templates-with-what-if/). - If you notice incorrect results from the what-if operation, please report the issues at [https://aka.ms/whatifissues](https://aka.ms/whatifissues).-- For a Microsoft Learn module that covers using what if, see [Preview changes and validate Azure resources by using what-if and the ARM template test toolkit](/learn/modules/arm-template-test/).
+- For a Microsoft Learn module that covers using what if, see [Preview changes and validate Azure resources by using what-if and the ARM template test toolkit](/learn/modules/arm-template-test/).
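Review bot: In the last bullet, "covers using what if" drops the hyphen that the linked module title on the same line ("by using what-if") and the rest of the article use. The removed and added versions of this line read identically as rendered, so the change looks whitespace-only; correct the wording to "what-if" while the line is in the diff.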
azure-resource-manager Deployment Complete Mode Deletion https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/deployment-complete-mode-deletion.md
If you deploy to [more than one resource group in a template](./deploy-to-resour
The resources are listed by resource provider namespace. To match a resource provider namespace with its Azure service name, see [Resource providers for Azure services](../management/azure-services-resource-providers.md). > [!NOTE]
-> Always use the [what-if operation](template-deploy-what-if.md) before deploying a template in complete mode. What-if shows you which resources will be created, deleted, or modified. Use what-if to avoid unintentionally deleting resources.
+> Always use the [what-if operation](./deploy-what-if.md) before deploying a template in complete mode. What-if shows you which resources will be created, deleted, or modified. Use what-if to avoid unintentionally deleting resources.
Jump to a resource provider namespace: > [!div class="op_single_selector"]
Jump to a resource provider namespace:
## Next steps
-To get the same data as a file of comma-separated values, download [complete-mode-deletion.csv](https://github.com/tfitzmac/resource-capabilities/blob/master/complete-mode-deletion.csv).
+To get the same data as a file of comma-separated values, download [complete-mode-deletion.csv](https://github.com/tfitzmac/resource-capabilities/blob/master/complete-mode-deletion.csv).
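Review bot: The changed line tells readers to download `complete-mode-deletion.csv`, but the URL is the GitHub `blob` view, which opens the rendered file page rather than the comma-separated file itself. Point the link at the raw file or reword "download" to match what the link opens. The text is otherwise unchanged between the removed and added lines.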
azure-resource-manager Deployment History Deletions https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/deployment-history-deletions.md
Deployments are deleted from your history when you exceed 700 deployments. Azure
> [!IMPORTANT] > If your resource group is already at the 800 limit, your next deployment fails with an error. The automatic deletion process starts immediately. You can try your deployment again after a short wait.
-In addition to deployments, you also trigger deletions when you run the [what-if operation](template-deploy-what-if.md) or validate a deployment.
+In addition to deployments, you also trigger deletions when you run the [what-if operation](./deploy-what-if.md) or validate a deployment.
When you give a deployment the same name as one in the history, you reset its place in the history. The deployment moves to the most recent place in the history. You also reset a deployment's place when you [roll back to that deployment](rollback-on-error.md) after an error.
POST https://management.azure.com/subscriptions/{subscriptionId}/providers/Micro
## Next steps
-* To learn about viewing the deployment history, see [View deployment history with Azure Resource Manager](deployment-history.md).
+* To learn about viewing the deployment history, see [View deployment history with Azure Resource Manager](deployment-history.md).
azure-resource-manager Deployment Modes https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/deployment-modes.md
The default mode is incremental.
In complete mode, Resource Manager **deletes** resources that exist in the resource group but aren't specified in the template. > [!NOTE]
-> Always use the [what-if operation](template-deploy-what-if.md) before deploying a template in complete mode. What-if shows you which resources will be created, deleted, or modified. Use what-if to avoid unintentionally deleting resources.
+> Always use the [what-if operation](./deploy-what-if.md) before deploying a template in complete mode. What-if shows you which resources will be created, deleted, or modified. Use what-if to avoid unintentionally deleting resources.
If your template includes a resource that isn't deployed because [condition](conditional-resource-deployment.md) evaluates to false, the result depends on which REST API version you use to deploy the template. If you use a version earlier than 2019-05-10, the resource **isn't deleted**. With 2019-05-10 or later, the resource **is deleted**. The latest versions of Azure PowerShell and Azure CLI delete the resource.
There are some differences in how resource types handle complete mode deletions.
For example, if your resource group contains a DNS zone (`Microsoft.Network/dnsZones` resource type) and a CNAME record (`Microsoft.Network/dnsZones/CNAME` resource type), the DNS zone is the parent resource for the CNAME record. If you deploy with complete mode and don't include the DNS zone in your template, the DNS zone and the CNAME record are both deleted. If you include the DNS zone in your template but don't include the CNAME record, the CNAME isn't deleted.
-For a list of how resource types handle deletion, see [Deletion of Azure resources for complete mode deployments](complete-mode-deletion.md).
+For a list of how resource types handle deletion, see [Deletion of Azure resources for complete mode deployments](./deployment-complete-mode-deletion.md).
If the resource group is [locked](../management/lock-resources.md), complete mode doesn't delete the resources.
The following example shows a linked template set to incremental deployment mode
## Next steps
-* To learn about creating Resource Manager templates, see [Understand the structure and syntax of ARM templates](template-syntax.md).
+* To learn about creating Resource Manager templates, see [Understand the structure and syntax of ARM templates](./syntax.md).
* To learn about deploying resources, see [Deploy resources with ARM templates and Azure PowerShell](deploy-powershell.md).
-* To view the operations for a resource provider, see [Azure REST API](/rest/api/).
+* To view the operations for a resource provider, see [Azure REST API](/rest/api/).
azure-resource-manager Error Invalid Template https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/error-invalid-template.md
for the template parameter {parameter name} is not valid. The parameter value is
part of the allowed values ```
-Double check the allowed values in the template, and provide one during deployment. For more information about allowed parameter values, see [Parameters section of Azure Resource Manager templates](template-syntax.md#parameters).
+Double check the allowed values in the template, and provide one during deployment. For more information about allowed parameter values, see [Parameters section of Azure Resource Manager templates](./syntax.md#parameters).
<a id="too-many-resource-groups"></a>
azure-resource-manager Error Job Size Exceeded https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/error-job-size-exceeded.md
You can set other resources as dependent on the linked template, and [get values
## Solution 2 - Reduce name size
-Try to shorten the length of the names you use for [parameters](template-parameters.md), [variables](template-variables.md), and [outputs](template-outputs.md). When these values are repeated through copy loops, a large name gets multiplied many times.
+Try to shorten the length of the names you use for [parameters](./parameters.md), [variables](./variables.md), and [outputs](./outputs.md). When these values are repeated through copy loops, a large name gets multiplied many times.
azure-resource-manager Error Parent Resource https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/error-parent-resource.md
To resolve this error when the parent resource was previously deployed in a diff
} ```
-For more information, see [Define the order for deploying resources in Azure Resource Manager templates](define-resource-dependency.md).
+For more information, see [Define the order for deploying resources in Azure Resource Manager templates](./resource-dependency.md).
azure-resource-manager Export Template Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/export-template-portal.md
You can export the template that was used to deploy existing resources. The temp
## Next steps - Learn how to export templates with [Azure CLI](../management/manage-resource-groups-cli.md#export-resource-groups-to-templates), [Azure PowerShell](../management/manage-resource-groups-powershell.md#export-resource-groups-to-templates), or [REST API](/rest/api/resources/resourcegroups/exporttemplate).-- To learn the Resource Manager template syntax, see [Understand the structure and syntax of Azure Resource Manager templates](template-syntax.md).
+- To learn the Resource Manager template syntax, see [Understand the structure and syntax of Azure Resource Manager templates](./syntax.md).
- To learn how to develop templates, see the [step-by-step tutorials](../index.yml). - To view the Azure Resource Manager template schemas, see [template reference](/azure/templates/).
azure-resource-manager Frequently Asked Questions https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/frequently-asked-questions.md
This article answers frequently asked questions about Azure Resource Manager tem
* **Where can I learn about best practices for ARM templates?**
- For recommendations about how you implement your templates, see [ARM template best practices](template-best-practices.md). After creating a template, run the [ARM test toolkit](https://github.com/azure/arm-ttk). It checks whether your template matches recommended practices.
+ For recommendations about how you implement your templates, see [ARM template best practices](./best-practices.md). After creating a template, run the [ARM test toolkit](https://github.com/azure/arm-ttk). It checks whether your template matches recommended practices.
* **I have set up my environment through the portal. Is there some way to get the template from an existing resource group?**
This article answers frequently asked questions about Azure Resource Manager tem
* **How can I test my template before deploying it?**
- We recommend running the [ARM test toolkit](https://github.com/azure/arm-ttk) and the [what-if operation](template-deploy-what-if.md) on your templates before deploying them. The test toolkit checks whether your template uses best practices. It provides warnings when it identifies changes that could improve how you've implemented your template.
+ We recommend running the [ARM test toolkit](https://github.com/azure/arm-ttk) and the [what-if operation](./deploy-what-if.md) on your templates before deploying them. The test toolkit checks whether your template uses best practices. It provides warnings when it identifies changes that could improve how you've implemented your template.
The what-if operation shows the changes your template will make to your environment. You can see unintended changes before they're deployed. What-if also returns any errors it can detect during preflight validation. For example, if your template contains a syntactical error, it returns that error. It also returns any errors it can determine about the final state of the deployed resources. For example, if your template deploys a storage account with a name that is already in use, what-if returns that error.
This article answers frequently asked questions about Azure Resource Manager tem
* **Can I preview the changes that will happen before deploying a template?**
- Yes, use the [what-if feature](template-deploy-what-if.md). It evaluates the current state of your environment and compares it to the state that will exist after deployment. You can examine the summarized changes to make sure the template doesn't have any unexpected results.
+ Yes, use the [what-if feature](./deploy-what-if.md). It evaluates the current state of your environment and compares it to the state that will exist after deployment. You can examine the summarized changes to make sure the template doesn't have any unexpected results.
* **Can I use what-if with both incremental and complete modes?**
- Yes, both [deployment modes](deployment-modes.md) are supported. For an example of using incremental mode, see [Run what-if operation](template-deploy-what-if.md#run-what-if-operation). For an example of using complete mode, see [Confirm deletion](template-deploy-what-if.md#confirm-deletion).
+ Yes, both [deployment modes](deployment-modes.md) are supported. For an example of using incremental mode, see [Run what-if operation](./deploy-what-if.md#run-what-if-operation). For an example of using complete mode, see [Confirm deletion](./deploy-what-if.md#confirm-deletion).
* **Does what-if work with linked templates?**
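Review bot: In the answer under "Can I use what-if with both incremental and complete modes?", the updated links use the `./deploy-what-if.md` form while `deployment-modes.md` in the same sentence has no `./` prefix. Use one relative-link style within the line so that a later file rename can be found with a single search.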
This article answers frequently asked questions about Azure Resource Manager tem
## Next steps
-For an introduction to ARM templates, see [What are ARM templates?](overview.md).
+For an introduction to ARM templates, see [What are ARM templates?](overview.md).
azure-resource-manager Linked Templates https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/linked-templates.md
The following examples show common uses of linked templates.
## Next steps * To go through a tutorial, see [Tutorial: Deploy a linked template](./deployment-tutorial-linked-template.md).
-* To learn about the defining the deployment order for your resources, see [Define the order for deploying resources in ARM templates](define-resource-dependency.md).
+* To learn about the defining the deployment order for your resources, see [Define the order for deploying resources in ARM templates](./resource-dependency.md).
* To learn how to define one resource but create many instances of it, see [Resource iteration in ARM templates](copy-resources.md).
-* For steps on setting up a template in a storage account and generating a SAS token, see [Deploy resources with ARM templates and Azure PowerShell](deploy-powershell.md) or [Deploy resources with ARM templates and Azure CLI](deploy-cli.md).
+* For steps on setting up a template in a storage account and generating a SAS token, see [Deploy resources with ARM templates and Azure PowerShell](deploy-powershell.md) or [Deploy resources with ARM templates and Azure CLI](deploy-cli.md).
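Review bot: The first changed bullet still reads "To learn about the defining the deployment order", which carries a stray "the". Change it to "To learn about defining the deployment order" in the same edit that repoints the link to `./resource-dependency.md`.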
azure-resource-manager Outputs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/outputs.md
az deployment group show \
## Next steps
-* To learn about the available properties for outputs, see [Understand the structure and syntax of ARM templates](template-syntax.md).
+* To learn about the available properties for outputs, see [Understand the structure and syntax of ARM templates](./syntax.md).
azure-resource-manager Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/overview.md
If you're trying to decide between using ARM templates and one of the other infr
* **Testing**: You can make sure your template follows recommended guidelines by testing it with the ARM template tool kit (arm-ttk). This test kit is a PowerShell script that you can download from [GitHub](https://github.com/Azure/arm-ttk). The tool kit makes it easier for you to develop expertise using the template language.
-* **Preview changes**: You can use the [what-if operation](template-deploy-what-if.md) to get a preview of changes before deploying the template. With what-if, you see which resources will be created, updated, or deleted, and any resource properties that will be changed. The what-if operation checks the current state of your environment and eliminates the need to manage state.
+* **Preview changes**: You can use the [what-if operation](./deploy-what-if.md) to get a preview of changes before deploying the template. With what-if, you see which resources will be created, updated, or deleted, and any resource properties that will be changed. The what-if operation checks the current state of your environment and eliminates the need to manage state.
* **Built-in validation**: Your template is deployed only after passing validation. Resource Mana