Updates from: 06/15/2021 03:07:45
Service Microsoft Docs article Related commit history on GitHub Change details
active-directory-b2c Configure Authentication Sample Spa App https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/configure-authentication-sample-spa-app.md
+
+ Title: Configure authentication in a sample spa application using Azure Active Directory B2C
+description: Using Azure Active Directory B2C to sign in and sign up users in an SPA application.
++++++ Last updated : 06/11/2021+++++
+# Configure authentication in a sample Single Page application using Azure Active Directory B2C
+
+This article uses a sample JavaScript Single Page application to illustrate how to add Azure Active Directory B2C (Azure AD B2C) authentication to your SPA apps.
+
+## Overview
+
+OpenID Connect (OIDC) is an authentication protocol built on OAuth 2.0 that you can use to securely sign a user in to an application. This Single Page Application sample uses [MSAL.js](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-browser) and the OIDC PKCE flow. MSAL.js is a Microsoft provided library that simplifies adding authentication and authorization support to SPA apps.
+
+### Sign in flow
+The sign-in flow involves following steps:
+
+1. The user navigates to the web app and selects **Sign-in**.
+1. The app initiates an authentication request, and redirects the user to Azure AD B2C.
+1. The user [signs-up or signs-in](add-sign-up-and-sign-in-policy.md), [resets the password](add-password-reset-policy.md), or signs-in with a [social account](add-identity-provider.md).
+1. Upon successful sign-in, Azure AD B2C returns an ID token to the app.
+1. The Single Page Application validates the ID token, reads the claims, and in turn allows the user to call protected resources/API's.
+
+### App registration overview
+
+To enable your app to sign in with Azure AD B2C and call a web API, you must register two applications in the Azure AD B2C directory.
+
+- The **web application** registration enables your app to sign in with Azure AD B2C. During app registration, you specify the *Redirect URI*. The redirect URI is the endpoint to which the user is redirected to after they authenticate with Azure AD B2C. The app registration process generates an *Application ID*, also known as the *client ID*, that uniquely identifies your app.
+
+- The **web API** registration enables your app to call a secure web API. The registration includes the web API *scopes*. The scopes provide a way to manage permissions to protected resources such as your web API. You grant the web application permissions to the web API's scopes. When an access token is requested, your app specifies the desired permissions in the scope parameter of the request.
+
+The following diagrams describe the app registrations and the application architecture.
+
+![Web app with web API call registrations and tokens](./media/configure-authentication-sample-spa-app/spa-app-with-api-architecture.png)
+
+### Call to a web API
++
+### Sign out flow
++
+## Prerequisites
+
+A computer that's running:
+
+* [Visual Studio Code](https://code.visualstudio.com/), or another code editor.
+* [Node.js runtime](https://nodejs.org/en/download/)
+
+## Step 1: Configure your user flow
++
+## Step 2: Register your SPA and API
+
+In this step, you create the SPA app and the web API application registrations, and specify the scopes of your web API.
+
+### 2.1 Register the web API application
++
+### 2.2 Configure scopes
++
+### 2.3 Register the client app
+
+Follow these steps to create the app registration:
+
+1. Sign in to the [Azure portal](https://portal.azure.com).
+1. Select the **Directory + Subscription** icon in the portal toolbar, and then select the directory that contains your Azure AD B2C tenant.
+1. In the Azure portal, search for and select **Azure AD B2C**.
+1. Select **App registrations**, and then select **New registration**.
+1. Enter a **Name** for the application. For example, *MyApp*.
+1. Under **Supported account types**, select **Accounts in any identity provider or organizational directory (for authenticating users with user flows)**.
+1. Under **Redirect URI**, select **Single-page application (SPA)**, and then enter `http://localhost:6420` in the URL text box.
+1. Under **Permissions**, select the **Grant admin consent to openid and offline access permissions** check box.
+1. Select **Register**.
+
+Next, enable the implicit grant flow:
+
+1. Under Manage, select Authentication.
+1. Select Try out the new experience (if shown).
+1. Under Implicit grant, select the ID tokens check box.
+1. Select Save.
+
+Record the **Application (client) ID** for use in a later step when you configure the web application.
+ ![Get your application ID](./media/configure-authentication-sample-web-app/get-azure-ad-b2c-app-id.png)
+
+### 2.5 Grant permissions
++
+## Step 3: Get the SPA sample code
+
+This sample demonstrates how a single-page application can use Azure AD B2C for user sign-up and sign-in, and call a protected web API. Download the sample below:
+
+ [Download a zip file](https://github.com/Azure-Samples/ms-identity-b2c-javascript-spa/archive/main.zip) or clone the sample from GitHub:
+
+ ```
+ git clone https://github.com/Azure-Samples/ms-identity-b2c-javascript-spa.git
+ ```
+
+### 3.1 Update the SPA sample
+
+Now that you've obtained the sample, update the code with your Azure AD B2C tenant name and the application ID of *myApp* you recorded in step 2.3.
+
+Open the *authConfig.js* file inside the *App* folder.
+1. In the `msalConfig` object, find the assignment for `clientId` and replace it with the **Application (client) ID** you recorded in step 2.3.
+
+Open the `policies.js` file.
+1. Find the entries under `names` and replace their assignment with the name of the user-flows you created in an earlier step, for example `b2c_1_susi`.
+1. Find the entries under `authorities` and replace them as appropriate with the names of the user-flows you created in an earlier step, for example `https://<your-tenant-name>.b2clogin.com/<your-tenant-name>.onmicrosoft.com/<your-sign-in-sign-up-policy>`.
+1. Find the assignment for `authorityDomain` and replace it with `<your-tenant-name>.b2clogin.com`.
+
+Open the `apiConfig.js` file.
+1. Find the assignment for `b2cScopes` and replace the URL with the scope URL you created for the Web API, for example `b2cScopes: ["https://<your-tenant-name>.onmicrosoft.com/tasks-api/tasks.read"]`.
+1. Find the assignment for `webApi` and replace the current URL with `http://localhost:5000/tasks`.
++
+Your resulting code should look similar to following sample:
+
+*authConfig.js*:
+
+```javascript
+const msalConfig = {
+ auth: {
+ clientId: "<your-MyApp-application-ID>"
+ authority: b2cPolicies.authorities.signUpSignIn.authority,
+ knownAuthorities: [b2cPolicies.authorityDomain],
+ },
+ cache: {
+ cacheLocation: "localStorage",
+ storeAuthStateInCookie: true
+ }
+};
+
+const loginRequest = {
+ scopes: ["openid", "profile"],
+};
+
+const tokenRequest = {
+ scopes: apiConfig.b2cScopes
+};
+```
+
+*policies.js*:
+
+```javascript
+const b2cPolicies = {
+ names: {
+ signUpSignIn: "b2c_1_susi",
+ forgotPassword: "b2c_1_reset",
+ editProfile: "b2c_1_edit_profile"
+ },
+ authorities: {
+ signUpSignIn: {
+ authority: "https://your-tenant-name.b2clogin.com/your-tenant-name.onmicrosoft.com/b2c_1_susi",
+ },
+ forgotPassword: {
+ authority: "https://your-tenant-name.b2clogin.com/your-tenant-name.onmicrosoft.com/b2c_1_reset",
+ },
+ editProfile: {
+ authority: "https://your-tenant-name.b2clogin.com/your-tenant-name.onmicrosoft.com/b2c_1_edit_profile"
+ }
+ },
+ authorityDomain: "your-tenant-name.b2clogin.com"
+}
+```
+
+*apiConfig.js*:
+
+```javascript
+const apiConfig = {
+ b2cScopes: ["https://your-tenant-name.onmicrosoft.com/tasks-api/tasks.read"],
+ webApi: "http://localhost:5000/tasks"
+};
+```
+
+## Step 4: Get the web API sample code
+
+Now that the web API is registered and you've defined its scopes, configure the web API code to work with your Azure AD B2C tenant. Download the sample below:
+
+[Download a \*.zip archive](https://github.com/Azure-Samples/active-directory-b2c-javascript-nodejs-webapi/archive/master.zip) or clone the sample web API project from GitHub. You can also browse directly to the [Azure-Samples/active-directory-b2c-javascript-nodejs-webapi](https://github.com/Azure-Samples/active-directory-b2c-javascript-nodejs-webapi) project on GitHub.
+
+```console
+git clone https://github.com/Azure-Samples/active-directory-b2c-javascript-nodejs-webapi.git
+```
+
+### 4.1 Update the web API
+
+1. Open the *config.json* file in your code editor.
+1. Modify the variable values with the application registration you created earlier. Also update the `policyName` with the user flow you created as part of the prerequisites. For example, *b2c_1_susi*.
+
+ ```json
+ "credentials": {
+ "tenantName": "<your-tenant-name>",
+ "clientID": "<your-webapi-application-ID>"
+ },
+ "policies": {
+ "policyName": "b2c_1_susi"
+ },
+ "resource": {
+ "scope": ["tasks.read"]
+ },
+ ```
+
+### 4.2 Enable CORS
+
+To allow your single-page application to call the Node.js web API, you need to enable [CORS](https://expressjs.com/en/resources/middleware/cors.html) in the web API. In a production application, you should be careful about which domain is making the request. In this example, allow requests from any domain.
+
+To enable CORS, use the following middleware. In the Node.js web API code sample you downloaded, it's already been added to the *index.js* file.
+
+```javascript
+app.use((req, res, next) => {
+ res.header("Access-Control-Allow-Origin", "*");
+ res.header("Access-Control-Allow-Headers", "Authorization, Origin, X-Requested-With, Content-Type, Accept");
+ next();
+});
+```
+
+## Step 5: Run the SPA and web API
+
+You're now ready to test the single-page application's scoped access to the API. Run both the Node.js web API and the sample JavaScript single-page application on your local machine. Then, sign in to the single-page application and select the **Call API** button to initiate a request to the protected API.
+
+### Run the Node.js web API
+
+1. Open a console window and change to the directory containing the Node.js web API sample. For example:
+
+ ```console
+ cd active-directory-b2c-javascript-nodejs-webapi
+ ```
+
+1. Run the following commands:
+
+ ```console
+ npm install && npm update
+ node index.js
+ ```
+
+ The console window displays the port number where the application is hosted.
+
+ ```console
+ Listening on port 5000...
+ ```
+
+### Run the single-page app
+
+1. Open another console window and change to the directory containing the JavaScript SPA sample. For example:
+
+ ```console
+ cd ms-identity-b2c-javascript-spa
+ ```
+
+1. Run the following commands:
+
+ ```console
+ npm install && npm update
+ npm start
+ ```
+
+ The console window displays the port number of where the application is hosted.
+
+ ```console
+ Listening on port 6420...
+ ```
+
+1. Navigate to `http://localhost:6420` in your browser to view the application.
+
+ ![Single-page application sample app shown in browser](./media/configure-authentication-sample-spa-app/sample-app-sign-in.png)
+
+1. Sign in using the email address and password you used in the [previous tutorial](tutorial-single-page-app.md). Upon successful login, you should see the `User 'Your Username' logged-in` message.
+1. Select the **Call API** button. The SPA sends the access token in a request to the protected web API, which returns the display name of the logged-in user:
+
+ ![Single-page application in browser showing username JSON result returned by API](./media/configure-authentication-sample-spa-app/sample-app-result.png)
+
+## Deploy your application
+
+In a production application, the app registration redirect URI is typically a publicly accessible endpoint where your app is running, like `https://contoso.com/signin-oidc`.
+
+You can add and modify redirect URIs in your registered applications at any time. The following restrictions apply to redirect URIs:
+
+* The reply URL must begin with the scheme `https`.
+* The reply URL is case-sensitive. Its case must match the case of the URL path of your running application.
+
+## Next steps
+
+* Learn more [about the code sample](https://github.com/Azure-Samples/ms-identity-b2c-javascript-spa)
+* Learn how to [Authentication options in your own SPA application using Azure AD B2C](enable-authentication-spa-app-options.md)
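Review bot: the "Next, enable the implicit grant flow" sub-procedure (Under Implicit grant, select the ID tokens check box) contradicts the Overview, which says this sample uses MSAL.js (msal-browser) with the OIDC PKCE flow, and step 2.3 already picks the Single-page application (SPA) redirect URI type that exists for exactly that flow; the authorization code flow with PKCE does not need implicit grant, and enabling ID-token implicit issuance on the registration turns on a token path the sample never uses, so either drop those four steps or state why the sample still needs them. Separately, the authConfig.js sample does not parse: `clientId: "<your-MyApp-application-ID>"` is missing the comma before `authority: b2cPolicies.authorities.signUpSignIn.authority,`. Smaller points: section numbering jumps from 2.3 to 2.5; the app is *MyApp* in 2.3 but *myApp* in 3.1; the 2.3 screenshot is loaded from the `configure-authentication-sample-web-app` media folder rather than this article's `configure-authentication-sample-spa-app` folder, so confirm it shows the SPA registration; "API's" in the sign-in flow should be "APIs"; and since the CORS text already says production must restrict the origin, consider showing `Access-Control-Allow-Origin` set to the SPA origin `http://localhost:6420` instead of `*`, so readers do not copy the wildcard into a deployment.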
active-directory-b2c Configure Authentication Sample Web App With Api https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/configure-authentication-sample-web-app-with-api.md
+
+ Title: Configure authentication in a sample web application that calls a web API using Azure Active Directory B2C
+description: Using Azure Active Directory B2C to sign in and sign up users in an ASP.NET web application that calls a web API.
++++++ Last updated : 06/11/2021+++++
+# Configure authentication in a sample web application that calls a web API using Azure Active Directory B2C
+
+This article uses a sample ASP.NET web application that calls a web API to illustrate how to add Azure Active Directory B2C (Azure AD B2C) authentication to your web applications.
+
+> [!IMPORTANT]
+> The sample ASP.NET web application referenced in this article is used to call a web API with a bearer token. For a web application that doesn't call a web API, see [Configure authentication in a sample web application using Azure Active Directory B2C](configure-authentication-sample-web-app.md).
+
+## Overview
+
+OpenID Connect (OIDC) is an authentication protocol built on OAuth 2.0 that you can use to securely sign a user in to an application. This web app sample uses [Microsoft Identity Web](https://www.nuget.org/packages/Microsoft.Identity.Web). Microsoft Identity Web is a set of ASP.NET Core libraries that simplifies adding authentication and authorization support to web apps that can call a secure web API.
+
+The sign-in flow involves following steps:
+
+1. The user navigates to the web app and select **Sign-in**.
+1. The app initiates authentication request, and redirects the user to Azure AD B2C.
+1. The user [signs-up or signs-in](add-sign-up-and-sign-in-policy.md), [resets the password](add-password-reset-policy.md), or signs-in with a [social account](add-identity-provider.md).
+1. Upon successful sign-in, Azure AD B2C returns an authorization code to the app.
+1. The app takes the following actions
+ 1. Exchanges the authorization code to an ID token, access token and refresh token.
+ 1. Reads the ID token claims, and persists an application authorization cookie.
+ 1. Stores the refresh token in an in-memory cache for later use.
+
+### App registration overview
+
+To enable your app to sign in with Azure AD B2C and call a web API, you register two applications in the Azure AD B2C directory.
+
+- The **web application** registration enables your app to sign in with Azure AD B2C. During app registration, you specify the *Redirect URI*. The redirect URI is the endpoint to which the user is redirected by Azure AD B2C after they authenticate with Azure AD B2C is completed. The app registration process generates an *Application ID*, also known as the *client ID*, that uniquely identifies your app. You also create a *client secret*, which is used by your application to securely acquire the tokens.
+
+- The **web API** registration enables your app to call a secure web API. The registration includes the web API *scopes*. The scopes provide a way to manage permissions to protected resources, such as your web API. You grant the web application permissions to the web API scopes. When an access token is requested, your app specifies the desired permissions in the scope parameter of the request.
+
+The following diagrams describe the apps registration and the application architecture.
+
+![Web app with web API call registrations and tokens](./media/configure-authentication-sample-web-app-with-api/web-app-with-api-architecture.png)
+
+### Call to a web API
++
+### Sign-out
++
+## Prerequisites
+
+A computer that's running either:
+
+# [Visual Studio](#tab/visual-studio)
+
+* [Visual Studio 2019 16.8 or later](https://visualstudio.microsoft.com/downloads/?utm_medium=microsoft&utm_source=docs.microsoft.com&utm_campaign=inline+link&utm_content=download+vs2019) with the **ASP.NET and web development** workload
+* [.NET 5.0 SDK](https://dotnet.microsoft.com/download/dotnet)
+
+# [Visual Studio Code](#tab/visual-studio-code)
+
+* [Visual Studio Code](https://code.visualstudio.com/download)
+* [C# for Visual Studio Code (latest version)](https://marketplace.visualstudio.com/items?itemName=ms-dotnettools.csharp)
+* [.NET 5.0 SDK](https://dotnet.microsoft.com/download/dotnet)
+++
+## Step 1: Configure your user flow
++
+## Step 2: Register web applications
+
+In this step, you create the web app and the web API application registration, and specify the scopes of your web API.
+
+### 2.1 Register the web API app
++
+### 2.2 Configure web API app scopes
+++
+### 2.3 Register the web app
+
+Follow these steps to create the web app registration:
+
+1. Select **App registrations**, and then select **New registration**.
+1. Enter a **Name** for the application. For example, *webapp1*.
+1. Under **Supported account types**, select **Accounts in any identity provider or organizational directory (for authenticating users with user flows)**.
+1. Under **Redirect URI**, select **Web**, and then enter `https://localhost:5000/signin-oidc` in the URL text box.
+1. Under **Permissions**, select the **Grant admin consent to openid and offline access permissions** check box.
+1. Select **Register**.
+1. After the app registration is completed, select **Overview**.
+1. Record the **Application (client) ID** for use in a later step when you configure the web application.
+
+ ![Get your web application ID](./media/configure-authentication-sample-web-app-with-api/get-azure-ad-b2c-app-id.png)
+
+### 2.4 Create a web app client secret
+++
+### 2.5 Grant the web app permissions for the web API
++
+## Step 3: Get the web app sample
+
+[Download the zip file](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/archive/refs/heads/master.zip), or clone the sample web application from GitHub.
+
+```bash
+git clone https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2
+```
+
+Extract the sample file to a folder where the total character length of the path is less than 260.
+
+## Step 4: Configure the sample web API
+
+In the sample folder, under the `4-WebApp-your-API/4-2-B2C/TodoListService` folder, open the **TodoListService.csproj** project with Visual Studio or Visual Studio Code.
+
+Under the project root folder, open the `appsettings.json` file. This file contains information about your Azure AD B2C identity provider. The web API app uses this information to validate the access token the web app passes as a bearer token. Update the following properties of the app settings:
+
+|Section |Key |Value |
+||||
+|AzureAdB2C|Instance| The first part of your Azure AD B2C [tenant name](tenant-management.md#get-your-tenant-name). For example, `https://contoso.b2clogin.com`.|
+|AzureAdB2C|Domain| Your Azure AD B2C tenant full [tenant name](tenant-management.md#get-your-tenant-name). For example, `contoso.onmicrosoft.com`.|
+|AzureAdB2C|ClientId| The web API application ID from [step 2.1](#21-register-the-web-api-app).|
+|AzureAdB2C|SignUpSignInPolicyId|The user flows, or custom policy you created in [step 1](#step-1-configure-your-user-flow).|
+
+Your final configuration file should look like the following JSON:
+
+```json
+{
+ "AzureAdB2C": {
+ "Instance": "https://contoso.b2clogin.com",
+ "Domain": "contoso.onmicrosoft.com",
+ "ClientId": "<web-api-app-application-id>",
+ "SignedOutCallbackPath": "/signout/<your-sign-up-in-policy>",
+ "SignUpSignInPolicyId": "<your-sign-up-in-policy>"
+ },
+ // More setting here
+}
+```
+
+### 4.1 Set the permission policy
+
+The web API verifies that the user authenticated with the bearer token, and the bearer token has the configured accepted scopes. If the bearer token does not have any of these accepted scopes, the web API returns HTTP status code 403 (Forbidden) and writes to the response body a message telling which scopes are expected in the token.
+
+To configure the accepted scopes, open the `Controller/TodoListController.cs` class, and set the scope name. The scope name, without the full URI.
+
+```csharp
+[RequiredScope("tasks.read")]
+```
+
+### 4.2 Run the sample web API app
+
+To allow web app calling the web API sample, follow these steps to run the web API:
+
+1. If requested, restore dependencies.
+1. Build and run the project.
+1. After the project is built, Visual Studio or Visual Studio Code launches the web API in the browsers with the following address https://localhost:44332.
+
+## Step 5: Configure the sample web app
+
+In the sample folder, under the `4-WebApp-your-API/4-2-B2C/Client` folder, open the **TodoListClient.csproj** project with Visual Studio or Visual Studio Code.
+
+Under the project root folder, open the `appsettings.json` file. This file contains information about your Azure AD B2C identity provider. The web app uses this information to establish a trust relationship with Azure AD B2C, sign-in the user in and out, acquire tokens, and validate them. Update the following properties of the app settings:
+
+|Section |Key |Value |
+||||
+|AzureAdB2C|Instance| The first part of your Azure AD B2C [tenant name](tenant-management.md#get-your-tenant-name). For example, `https://contoso.b2clogin.com`.|
+|AzureAdB2C|Domain| Your Azure AD B2C tenant full [tenant name](tenant-management.md#get-your-tenant-name). For example, `contoso.onmicrosoft.com`.|
+|AzureAdB2C|ClientId| The web application ID from [step 2.1](#21-register-the-web-api-app).|
+|AzureAdB2C | ClientSecret | The web application secret from [step 2.4](#24-create-a-web-app-client-secret). |
+|AzureAdB2C|SignUpSignInPolicyId|The user flows or custom policy you created in [step 1](#step-1-configure-your-user-flow).|
+| TodoList | TodoListScope | The scopes you from [step 2.5](#25-grant-the-web-app-permissions-for-the-web-api).|
+| TodoList | TodoListBaseAddress | The base URI of your web API, for example `https://localhost:44332`|
+
+Your final configuration file should look like the following JSON:
+
+```JSon
+{
+ "AzureAdB2C": {
+ "Instance": "https://contoso.b2clogin.com",
+ "Domain": "contoso.onmicrosoft.com",
+ "ClientId": "<web-app-application-id>",
+ "ClientSecret": "<web-app-application-secret>",
+ "SignedOutCallbackPath": "/signout/<your-sign-up-in-policy>",
+ "SignUpSignInPolicyId": "<your-sign-up-in-policy>"
+ },
+ "TodoList": {
+ "TodoListScope": "https://contoso.onmicrosoft.com/api/demo.read",
+ "TodoListBaseAddress": "https://localhost:44332"
+ }
+}
+```
++
+## Step 6: Run the sample web app
+
+1. Build and run the project.
+1. Browse to https://localhost:5000.
+1. Complete the sign-up or sign-in process.
+
+After successful authentication, you'll see your display name in the navigation bar. To view the claims that Azure AD B2C token returns to your app, select **TodoList**.
+
+![Web app token's claims](./media/configure-authentication-sample-web-app-with-api/web-api-to-do-list.png)
++
+## Deploy your application
+
+In a production application, the app registration redirect URI is typically a publicly accessible endpoint where your app is running, like `https://contoso.com/signin-oidc`.
+
+You can add and modify redirect URIs in your registered applications at any time. The following restrictions apply to redirect URIs:
+
+* The reply URL must begin with the scheme `https`.
+* The reply URL is case-sensitive. Its case must match the case of the URL path of your running application.
+
+### Token cache for a web app
+
+The web app sample uses in memory token cache serialization. This implementation is great in samples. It's also good in production applications provided you don't mind if the token cache is lost when the web app is restarted.
+
+For production environment, we recommend you use a distributed memory cache. For example, Redis cache, NCache, or a SQL Server cache. For details about the distributed memory cache implementations, see [Token cache for a web app](../active-directory/develop/msal-net-token-cache-serialization.md#token-cache-for-a-web-app-confidential-client-application).
++
+## Next steps
+
+* Learn more [about the code sample](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/1-WebApp-OIDC/1-5-B2C#about-the-code)
+* Learn how to [Enable authentication in your own web application using Azure AD B2C](enable-authentication-web-application.md)
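Review bot: in the Step 5 settings table the web app's `ClientId` row reads "The web application ID from [step 2.1](#21-register-the-web-api-app)", but step 2.1 registers the web API; the web app's Application (client) ID is recorded in step 2.3, so the text and anchor should point to #23-register-the-web-app, otherwise the client is configured with the API's application ID and token acquisition runs against the wrong registration. Also, the two samples disagree on the scope name: the web API requires `[RequiredScope("tasks.read")]` while the web app's final appsettings.json sets `"TodoListScope": "https://contoso.onmicrosoft.com/api/demo.read"`; taken literally, every call produces the 403 that section 4.1 describes, so align the scope value across the two files. Smaller: "The scopes you from [step 2.5]" is missing a word; the fence tag `JSon` should be `json` to match the earlier block; "after they authenticate with Azure AD B2C is completed" in the web application bullet needs rewording; and "The scope name, without the full URI." in 4.1 is a sentence fragment.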
active-directory-b2c Configure Authentication Sample Web App https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/configure-authentication-sample-web-app.md
Previously updated : 06/10/2021 Last updated : 06/11/2021
The sign-in flow involves following steps:
When the ID token is expired, or the app session is invalidated, the app initiates a new authentication request, and redirects the user to Azure AD B2C. If the Azure AD B2C [SSO session](session-behavior.md) is active, Azure AD B2C issues an access token without prompting the user to sign in again. If the Azure AD B2C session expires or becomes invalid, the user is prompted to sign-in again.
-The sign-out flow involves following steps:
+### Sign-out
-1. From the app, the user selects **Sign-out**.
-1. The app clears its session cookies, and redirects the user to Azure AD B2C to terminate Azure AD B2C session.
-1. The user is redirected back to the app.
## Prerequisites
A computer that's running either:
## Step 1: Configure your user flow
-When a user wants to sign in to your application, the application initiates an authentication request to the authorization endpoint via a [user flow](user-flow-overview.md). The user flow defines and controls the user experience, for example during sign-up or sign-in. When the user completes the user flow, Azure AD B2C generates a token and redirects the user back to your application.
-
-If you haven't done so already, [create a user flow](add-sign-up-and-sign-in-policy.md).
## Step 2: Register a web application
In the sample folder, under the `1-WebApp-OIDC/1-5-B2C/` folder, open the **WebA
Under the project root folder, open the `appsettings.json` file. This file contains information about your Azure AD B2C identity provider. Update the following properties of the app settings:
-* **Instance** - Replace `<your-tenant-name>` with the first part of your Azure AD B2C [tenant name](tenant-management.md#get-your-tenant-name). For example, `https://contoso.b2clogin.com`.
-* **Domain** - Replace `<your-b2c-domain>` with your Azure AD B2C full [tenant name](tenant-management.md#get-your-tenant-name). For example, `contoso.onmicrosoft.com`.
-* **Client ID** - Replace `<web-app-application-id>` with the Application ID from [Step 2](#step-2-register-a-web-application).
-* **Policy name** - Replace `<your-sign-up-in-policy>` with the user flows you created in [Step 1](#step-1-configure-your-user-flow).
+|Section |Key |Value |
+||||
+|AzureAdB2C|Instance| The first part of your Azure AD B2C [tenant name](tenant-management.md#get-your-tenant-name). For example, `https://contoso.b2clogin.com`.|
+|AzureAdB2C|Domain| Your Azure AD B2C tenant full [tenant name](tenant-management.md#get-your-tenant-name). For example, `contoso.onmicrosoft.com`.|
+|AzureAdB2C|ClientId| The web API application ID from [step 2](#step-2-register-a-web-application).|
+|AzureAdB2C|SignUpSignInPolicyId|The user flows, or custom policy you created in [step 1](#step-1-configure-your-user-flow).|
Your final configuration file should look like the following JSON:
After successful authentication, you'll see your display name in the navigation
## Deploy your application
-In a production application, the app registration redirect URI is typically a publicly-accessible endpoint where your app is running, like `https://contoso.com/signin-oidc`.
+In a production application, the app registration redirect URI is typically a publicly accessible endpoint where your app is running, like `https://contoso.com/signin-oidc`.
You can add and modify redirect URIs in your registered applications at any time. The following restrictions apply to redirect URIs:
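Review bot: the new settings table's `ClientId` row says "The web API application ID from [step 2](#step-2-register-a-web-application)", but this article's step 2 registers the web application and the app being configured calls no API; the row was evidently copied from the web-app-with-API article and should read "The web application ID", matching the bullet it replaces (`<web-app-application-id>`). Also, the sign-out steps ("The app clears its session cookies, and redirects the user to Azure AD B2C to terminate Azure AD B2C session", "The user is redirected back to the app") and the Step 1 user-flow paragraph are removed with only a `### Sign-out` heading added in their place; if an include now supplies that text it is not visible in this hunk, so confirm the rendered page still explains the sign-out flow and the user-flow prerequisite rather than showing an empty heading.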
active-directory-b2c Enable Authentication Spa App Options https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/enable-authentication-spa-app-options.md
+
+ Title: Enable spa application options using Azure Active Directory B2C
+description: Enable the use of spa application options by using several ways.
++++++ Last updated : 06/11/2021+++++
+# Configure authentication in a sample Single Page application using Azure Active Directory B2C options
+
+This article describes ways you can customize and enhance the Azure Active Directory B2C (Azure AD B2C) authentication experience for your Single Page Application. Before you start, familiarize yourself with the following article: [Configure authentication in a sample web application](configure-authentication-sample-spa-app.md).
++
+To use a custom domain and your tenant ID in the authentication URL, follow the guidance in [Enable custom domains](custom-domain.md). Find your MSAL configuration object and change the **authorities** and **knownAuthorities** to use your custom domain name and tenant ID.
+
+The following JavaScript shows the MSAL config object before the change:
+
+```Javascript
+const msalConfig = {
+ auth: {
+ ...
+ authority: "https://fabrikamb2c.b2clogin.com/fabrikamb2c.onmicrosoft.com/B2C_1_susi",
+ knownAuthorities: ["fabrikamb2c.b2clogin.com"],
+ ...
+ },
+ ...
+}
+```
+
+The following JavaScript shows the MSAL config object after the change:
+
+```Javascript
+const msalConfig = {
+ auth: {
+ ...
+ authority: "https://custom.domain.com/00000000-0000-0000-0000-000000000000/B2C_1_susi",
+ knownAuthorities: ["custom.domain.com"],
+ ...
+ },
+ ...
+}
+```
++
+1. If you're using a custom policy, add the required input claim as described in [Set up direct sign-in](direct-signin.md#prepopulate-the-sign-in-name).
+1. Create an object to store the **login_hint** and pass this object into the **MSAL loginPopup()** method.
+
+ ```javascript
+ let loginRequest = {
+ loginHint: "bob@contoso.com"
+ }
+
+ myMSALObj.loginPopup(loginRequest);
+ ```
++
+1. Check the domain name of your external identity provider. For more information, see [Redirect sign-in to a social provider](direct-signin.md#redirect-sign-in-to-a-social-provider).
+1. Create an object to store **extraQueryParameters** and pass this object into the **MSAL loginPopup()** method.
+
+ ```javascript
+ let loginRequest = {
+ extraQueryParameters: {domain_hint: 'facebook.com'}
+ }
+
+ myMSALObj.loginPopup(loginRequest);
+ ```
++
+1. [Configure Language customization](language-customization.md).
+1. Create an object to store **extraQueryParameters** and pass this object into the **MSAL loginPopup()** method.
+
+ ```javascript
+ let loginRequest = {
+ extraQueryParameters: {ui_locales: 'en-us'}
+ }
+
+ myMSALObj.loginPopup(loginRequest);
+ ```
++
+1. Configure the [ContentDefinitionParameters](customize-ui-with-html.md#configure-dynamic-custom-page-content-uri) element.
+1. Create an object to store **extraQueryParameters** and pass this object into the **MSAL loginPopup()** method.
+
+ ```javascript
+ let loginRequest = {
+ extraQueryParameters: {campaignId: 'germany-promotion'}
+ }
+
+ myMSALObj.loginPopup(loginRequest);
+ ```
++
+1. In your custom policy, define an [ID token hint technical profile](id-token-hint.md).
+1. Create an object to store **extraQueryParameters** and pass this object into the **MSAL loginPopup()** method.
+
+ ```javascript
+ let loginRequest = {
+ extraQueryParameters: {id_token_hint: 'id-token-hint-value'}
+ }
+
+ myMSALObj.loginPopup(loginRequest);
+ ```
+
+## Enable Single Logout
+
+Single logout in Azure AD B2C uses OpenId Connect front channel logout to make logout requests to all applications the user has signed into through Azure AD B2C.
+
+These logout requests are made from the Azure AD B2C logout page, in a hidden Iframe. The Iframes will make HTTP requests to all of the front channel logout endpoints registered for the apps Azure AD B2C has recorded as being logged in.
+
+Your logout endpoint for each application must call the **MSAL logout()** method. MSAL must also be explicitly configured to execute within an Iframe in this scenario by setting `allowRedirectInIframe` to `true`.
+
+See the code sample below which sets `allowRedirectInIframe` to `true`:
+
+```javascript
+const msalConfig = {
+ auth: {
+ clientId: "enter_client_id_here",
+ .....
+ },
+ cache: {
+ cacheLocation: "..",
+ ....
+ },
+ system: {
+ allowRedirectInIframe: true
+ };
+}
+
+async function logoutSilent(MSAL) {
+ return MSAL.logout({
+ onRedirectNavigate: (url) => {
+ return false;
+ }
+```
+
+## Next steps
+
+- Learn more: [MSAL.js configuration options](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/configuration.md)
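Review bot: the single-logout sample at L624–L644 does not parse as JavaScript. In `msalConfig` the `system` block closes with `};`, which puts a stray semicolon inside the object literal (it should be `system: { allowRedirectInIframe: true }` followed by the closing `}` of the config), and `logoutSilent` is never closed: the `onRedirectNavigate` arrow function, the `MSAL.logout({ ... })` call and the function body all need their closing `});` and `}`. While fixing it, the prose at L620 should also say what `onRedirectNavigate: (url) => { return false; }` is for, since that is the part that matters in a front-channel logout iframe: returning `false` tells MSAL to clear its local cache but not navigate the iframe to the B2C end-session endpoint, which `allowRedirectInIframe` alone does not achieve. Separately, the five numbered procedures at L559–L612 (login hint, domain hint, UI locale, custom query parameter, ID token hint) each start at step 1 with no heading or lead sentence in the visible diff; if those headings live in an include that this rendering drops, fine, otherwise each list needs one so a reader knows which `extraQueryParameters` value does what.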
active-directory-b2c Enable Authentication Web App With Api Options https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/enable-authentication-web-app-with-api-options.md
+
+ Title: Enable web application that calls a web API options using Azure Active Directory B2C
+description: Enable the use of web application that calls a web API options by using several ways.
++++++ Last updated : 06/11/2021+++++
+# Configure authentication in a sample web application that calls a web API using Azure Active Directory B2C options
+
+This article describes ways you can customize and enhance the Azure Active Directory B2C (Azure AD B2C) authentication experience for your web application that calls a web API. Before you start, familiarize yourself with the following articles: [Configure authentication in a sample web application](configure-authentication-sample-web-app-with-api.md) or [Enable authentication in your own web application](enable-authentication-web-app-with-api.md).
++
+To use a custom domain and your tenant ID in the authentication URL, follow the guidance in [Enable custom domains](custom-domain.md). Under the project root folder, open the `appsettings.json` file. This file contains information about your Azure AD B2C identity provider.
+
+- Update the `Instance` entry with your custom domain.
+- Update the `Domain` entry with your [tenant ID](tenant-management.md#get-your-tenant-id). For more information, see [Use tenant ID](custom-domain.md#optional-use-tenant-id).
+
+The following JSON shows the app settings before the change:
+
+```JSon
+"AzureAdB2C": {
+ "Instance": "https://contoso.b2clogin.com",
+ "Domain": "tenant-name.onmicrosoft.com",
+ ...
+}
+```
+
+The following JSON shows the app settings after the change:
+
+```JSon
+"AzureAdB2C": {
+ "Instance": "https://login.contoso.com",
+ "Domain": "00000000-0000-0000-0000-000000000000",
+ ...
+}
+```
+
+## Support advanced scenarios
+
+The `AddMicrosoftIdentityWebAppAuthentication` method in the Microsoft identity platform API lets developers add code for advanced authentication scenarios or subscribe to OpenIdConnect events. For example, you can subscribe to OnRedirectToIdentityProvider, which allows you to customize the authentication request your app sends to Azure AD B2C.
+
+To support advanced scenarios, open the `Startup.cs`, and in the `ConfigureServices` function, replace the `AddMicrosoftIdentityWebAppAuthentication` with the following code snippet:
+
+```csharp
+// Configuration to sign-in users with Azure AD B2C
+
+//services.AddMicrosoftIdentityWebAppAuthentication(Configuration, "AzureAdB2C");
+
+services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
+ .AddMicrosoftIdentityWebApp(options =>
+{
+ Configuration.Bind("AzureAdB2C", options);
+ options.Events ??= new OpenIdConnectEvents();
+ options.Events.OnRedirectToIdentityProvider += OnRedirectToIdentityProviderFunc;
+});
+```
+
+The code above adds the OnRedirectToIdentityProvider event with a reference to the *OnRedirectToIdentityProviderFunc* method. Add the following code snippet to the `Startup.cs` class.
+
+```csharp
+private async Task OnRedirectToIdentityProviderFunc(RedirectContext context)
+{
+ // Custom code here
+
+ // Don't remove this line
+ await Task.CompletedTask.ConfigureAwait(false);
+}
+```
+
+You can pass parameters between your controller and the *OnRedirectToIdentityProvider* function using context parameters.
+++
+1. If you're using a custom policy, add the required input claim as described in [Set up direct sign-in](direct-signin.md#prepopulate-the-sign-in-name).
+1. Complete the [Support advanced scenarios](#support-advanced-scenarios) procedure.
+1. Add the following line of code to the *OnRedirectToIdentityProvider* function:
+
+ ```csharp
+ private async Task OnRedirectToIdentityProviderFunc(RedirectContext context)
+ {
+ context.ProtocolMessage.LoginHint = "emily@contoso.com";
+
+ // More code
+ await Task.CompletedTask.ConfigureAwait(false);
+ }
+ ```
++
+1. Check the domain name of your external identity provider. For more information, see [Redirect sign-in to a social provider](direct-signin.md#redirect-sign-in-to-a-social-provider).
+1. Complete the [Support advanced scenarios](#support-advanced-scenarios) procedure.
+1. In the *OnRedirectToIdentityProviderFunc* function, add the following line of code to the *OnRedirectToIdentityProvider* function:
+
+ ```csharp
+ private async Task OnRedirectToIdentityProviderFunc(RedirectContext context)
+ {
+ context.ProtocolMessage.DomainHint = "facebook.com";
+
+ // More code
+ await Task.CompletedTask.ConfigureAwait(false);
+ }
+ ```
++
+1. [Configure Language customization](language-customization.md).
+1. Complete the [Support advanced scenarios](#support-advanced-scenarios) procedure.
+1. Add the following line of code to the *OnRedirectToIdentityProvider* function:
+
+ ```csharp
+ private async Task OnRedirectToIdentityProviderFunc(RedirectContext context)
+ {
+ context.ProtocolMessage.UiLocales = "es";
+
+ // More code
+ await Task.CompletedTask.ConfigureAwait(false);
+ }
+ ```
+ ```
++
+1. Configure the [ContentDefinitionParameters](customize-ui-with-html.md#configure-dynamic-custom-page-content-uri) element.
+1. Complete the [Support advanced scenarios](#support-advanced-scenarios) procedure.
+1. Add the following line of code to the *OnRedirectToIdentityProvider* function:
+
+ ```csharp
+ private async Task OnRedirectToIdentityProviderFunc(RedirectContext context)
+ {
+ context.ProtocolMessage.Parameters.Add("campaignId", "123");
+
+ // More code
+ await Task.CompletedTask.ConfigureAwait(false);
+ }
+ ```
+
+
+1. Complete the [Support advanced scenarios](#support-advanced-scenarios) procedure.
+1. In your custom policy, define an [ID token hint technical profile](id-token-hint.md).
+1. Add the following line of code to the *OnRedirectToIdentityProvider* function:
+
+ ```csharp
+ private async Task OnRedirectToIdentityProviderFunc(RedirectContext context)
+ {
+ // The idTokenHint variable holds your ID token
+ context.ProtocolMessage.IdTokenHint = idTokenHint
+
+ // More code
+ await Task.CompletedTask.ConfigureAwait(false);
+ }
+ ```
+
+## Account controller
+
+If you want to customize the **Sign-in**, **Sign-up** or **Sign-out** actions, you are encouraged to create your own controller. Having your own controller allows you to pass parameters between your controller and the authentication library. The `AccountController` is part of `Microsoft.Identity.Web.UI` NuGet package, which handles the sign-in and sign-out actions. You can find its implementation in the [Microsoft Identity Web library](https://github.com/AzureAD/microsoft-identity-web/blob/master/src/Microsoft.Identity.Web.UI/Areas/MicrosoftIdentity/Controllers/AccountController.cs).
+
+The following code snippet demonstrates a custom `MyAccountController` with the **SignIn** action. The action passes a parameter named `campaign_id` to the authentication library.
+
+```csharp
+using System;
+using System.Collections.Generic;
+using System.Diagnostics;
+using System.Linq;
+using System.Threading.Tasks;
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Authentication.OpenIdConnect;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
++
+namespace mywebapp.Controllers
+{
+ [AllowAnonymous]
+ [Area("MicrosoftIdentity")]
+ [Route("[area]/[controller]/[action]")]
+ public class MyAccountController : Controller
+ {
+
+ [HttpGet("{scheme?}")]
+ public IActionResult SignIn([FromRoute] string scheme)
+ {
+ scheme ??= OpenIdConnectDefaults.AuthenticationScheme;
+ var redirectUrl = Url.Content("~/");
+ var properties = new AuthenticationProperties { RedirectUri = redirectUrl };
+ properties.Items["campaign_id"] = "1234";
+ return Challenge(properties, scheme);
+ }
+
+ }
+}
+
+```
+
+In the `_LoginPartial.cshtml` view, change the sign-in link to your controller
+
+```
+<form method="get" asp-area="MicrosoftIdentity" asp-controller="MyAccount" asp-action="SignIn">
+```
+
+In the `OnRedirectToIdentityProvider` in the `Startup.cs` calls, you can read the custom parameter:
+
+```csharp
+private async Task OnRedirectToIdentityProviderFunc(RedirectContext context)
+{
+ // Read the custom parameter
+ var campaign_id = (context.Properties.Items.ContainsKey("campaign_id"))
+
+ // Add your custom code here
+
+ await Task.CompletedTask.ConfigureAwait(false);
+}
+```
+
+## Role-based access control
+
+With [authorization in ASP.NET Core](/aspnet/core/security/authorization/introduction) you can use [role-based authorization](/aspnet/core/security/authorization/roles), [claims-based authorization](/aspnet/core/security/authorization/claims), or [policy-based authorization](/aspnet/core/security/authorization/policies) to check if the user is authorized to access a protected resource.
+
+In the *ConfigureServices* method, add the *AddAuthorization* method, which adds the authorization model. The following example creates a policy named `EmployeeOnly`. The policy checks that a claim `EmployeeNumber` exists. The value of the claim must be one of the following IDs: 1, 2, 3, 4 or 5.
+
+```csharp
+services.AddAuthorization(options =>
+ {
+ options.AddPolicy("EmployeeOnly", policy =>
+ policy.RequireClaim("EmployeeNumber", "1", "2", "3", "4", "5"));
+ });
+```
+
+Authorization in ASP.NET Core is controlled with [AuthorizeAttribute](/aspnet/core/security/authorization/simple) and its various parameters. In its most basic form, applying the `[Authorize]` attribute to a controller, action, or Razor Page, limits access to that component's authenticated users.
+
+Policies are applied to controllers by using the `[Authorize]` attribute with the policy name. The following code limits access to the `Claims` action to users authorized by the `EmployeeOnly` policy:
+
+```csharp
+[Authorize(Policy = "EmployeeOnly")]
+public IActionResult Claims()
+{
+ return View();
+}
+```
+
+## Next steps
+
+- Learn more: [Introduction to authorization in ASP.NET Core](/aspnet/core/security/authorization/introduction)
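Review bot: the read-back in `OnRedirectToIdentityProviderFunc` at L838–L848 neither compiles nor does what the section promises: `var campaign_id = (context.Properties.Items.ContainsKey("campaign_id"))` is missing its semicolon and stores only a bool, so the value that `MyAccountController` puts in `properties.Items["campaign_id"]` (L821) is never read or forwarded to Azure AD B2C. Suggest `if (context.Properties.Items.TryGetValue("campaign_id", out var campaignId)) context.ProtocolMessage.SetParameter("campaign_id", campaignId);`, and pick one spelling, since the earlier step at L767 sends `campaignId` while the controller uses `campaign_id`; the policy's ContentDefinitionParameters must match whichever name is actually sent. Two smaller defects in the same hunk: L783 `context.ProtocolMessage.IdTokenHint = idTokenHint` lacks a semicolon and `idTokenHint` is declared nowhere in the snippet (say where the app obtains it), and L758 is a stray third fence that renders as an empty code block after the `UiLocales` example.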
active-directory-b2c Enable Authentication Web App With Api https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/enable-authentication-web-app-with-api.md
+
+ Title: Enable authentication in a web that calls a web API using Azure Active Directory B2C building blocks
+description: The building blocks of an ASP.NET web application that calls a web API using Azure Active Directory B2C.
++++++ Last updated : 06/11/2021+++++
+# Enable authentication in your own web application that calls a web API using Azure Active Directory B2C
+
+This article shows you how to add Azure Active Directory B2C (Azure AD B2C) authentication to your own ASP.NET web application that calls a web API. Learn how create an ASP.NET Core web application with ASP.NET Core middleware that uses the [OpenID Connect](openid-connect.md) protocol. Use this article with [Configure authentication in a sample web application that calls a web API](configure-authentication-sample-web-app-with-api.md), substituting the sample web app with your own web app.
+
+This article focus on the web application project. For instructions how to create the web API, see the [to do list web API sample](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/4-WebApp-your-API/4-2-B2C).
+
+## Prerequisites
+
+Review the prerequisites and integration steps in [Configure authentication in a sample web application that calls a web API](configure-authentication-sample-web-app-with-api.md).
+
+## Create a web app project
+
+You can use an existing ASP.NET MVC web app project or create new one. To create a new project, open a command shell, and enter the following command:
+
+```dotnetcli
+dotnet new mvc -o mywebapp
+```
+
+The preceding command:
+
+* Creates a new MVC web app.
+* The `-o mywebapp` parameter creates a directory named *mywebapp* with the source files for the app.
+
+## Add the authentication libraries
+
+First, add the Microsoft Identity Web library. This is a set of ASP.NET Core libraries that simplify adding Azure AD B2C authentication and authorization support to your web app. The Microsoft Identity Web library sets up the authentication pipeline with cookie-based authentication. It takes care of sending and receiving HTTP authentication messages, token validation, claims extraction, and more.
+
+To add the Microsoft Identity Web library, install the packages by running the following commands:
+
+# [Visual Studio](#tab/visual-studio)
+
+```dotnetcli
+dotnet add package Microsoft.Identity.Web
+dotnet add package Microsoft.Identity.Web.UI
+```
+
+# [Visual Studio Code](#tab/visual-studio-code)
+
+```dotnetcli
+Install-Package Microsoft.Identity.Web
+Install-Package Microsoft.Identity.Web.UI
+```
++++
+## Initiate the authentication libraries
+
+The Microsoft Identity Web middleware uses a startup class that runs when the hosting process starts. In this step, you add the necessary code to initiate the authentication libraries.
+
+Open `Startup.cs` and add the following `using` declarations at the beginning of the class:
+
+```csharp
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Authentication.OpenIdConnect;
+using Microsoft.Identity.Web;
+using Microsoft.Identity.Web.UI;
+```
+
+Because Microsoft Identity Web uses cookie-based authentication to protect your web app, the following code sets the *SameSite* cookie settings. Then it reads the `AzureADB2C` application settings and initiates the middleware controller with its view.
+
+Replace the `ConfigureServices(IServiceCollection services)` function with the following code snippet.
+
+```csharp
+public void ConfigureServices(IServiceCollection services)
+{
+ services.Configure<CookiePolicyOptions>(options =>
+ {
+ // This lambda determines whether user consent for non-essential cookies is needed for a given request.
+ options.CheckConsentNeeded = context => true;
+ options.MinimumSameSitePolicy = SameSiteMode.Unspecified;
+ // Handling SameSite cookie according to https://docs.microsoft.com/en-us/aspnet/core/security/samesite?view=aspnetcore-3.1
+ options.HandleSameSiteCookieCompatibility();
+ });
+
+ // Configuration to sign-in users with Azure AD B2C
+ services.AddMicrosoftIdentityWebAppAuthentication(Configuration, "AzureAdB2C")
+ // Enable token acquisition to call downstream web API
+ .EnableTokenAcquisitionToCallDownstreamApi(new string[] { Configuration["TodoList:TodoListScope"] })
+ // Add refresh token in-memory cache
+ .AddInMemoryTokenCaches();
+
+ services.AddControllersWithViews()
+ .AddMicrosoftIdentityUI();
+
+ services.AddRazorPages();
+
+ //Configuring appsettings section AzureAdB2C, into IOptions
+ services.AddOptions();
+ services.Configure<OpenIdConnectOptions>(Configuration.GetSection("AzureAdB2C"));
+}
+```
+
+The following code adds the cookie policy, and uses the authentication model. Replace the `Configure` function, with the following code snippet.
+
+```csharp
+public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
+{
+ if (env.IsDevelopment())
+ {
+ app.UseDeveloperExceptionPage();
+ }
+ else
+ {
+ app.UseExceptionHandler("/Home/Error");
+ // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
+ app.UseHsts();
+ }
+
+ app.UseHttpsRedirection();
+ app.UseStaticFiles();
+
+ // Add the Microsoft Identity Web cookie policy
+ app.UseCookiePolicy();
+ app.UseRouting();
+ // Add the ASP.NET Core authentication service
+ app.UseAuthentication();
+ app.UseAuthorization();
+
+ app.UseEndpoints(endpoints =>
+ {
+ endpoints.MapControllerRoute(
+ name: "default",
+ pattern: "{controller=Home}/{action=Index}/{id?}");
+
+ // Add endpoints for Razor pages
+ endpoints.MapRazorPages();
+ });
+};
+```
+
+## Add the UI elements
+
+To add user interface elements, use a partial view. The partial view contains logic for checking whether a user is signed in or not. If the user is not signed in, the partial view renders the sign-in button. If the user is signed in, it shows the user's display name and sign-out button.
+
+Create a new file `_LoginPartial.cshtml` inside the `Views/Shared` folder with the following code snippet:
+
+```razor
+@using System.Security.Principal
+@if (User.Identity.IsAuthenticated)
+{
+ <ul class="nav navbar-nav navbar-right">
+ <li class="navbar-text">Hello @User.Identity.Name</li>
+ <!-- The Account controller is not defined in this project. Instead, it is part of Microsoft.Identity.Web.UI nuget package and
+ it defines some well known actions such as SignUp/In, SignOut and EditProfile-->
+ <li class="navbar-btn">
+ <form method="get" asp-area="MicrosoftIdentity" asp-controller="Account" asp-action="EditProfile">
+ <button type="submit" class="btn btn-primary" style="margin-right:5px">Edit Profile</button>
+ </form>
+ </li>
+ <li class="navbar-btn">
+ <form method="get" asp-area="MicrosoftIdentity" asp-controller="Account" asp-action="SignOut">
+ <button type="submit" class="btn btn-primary">Sign Out</button>
+ </form>
+ </li>
+ </ul>
+}
+else
+{
+ <ul class="nav navbar-nav navbar-right">
+ <li class="navbar-btn">
+ <form method="get" asp-area="MicrosoftIdentity" asp-controller="Account" asp-action="SignIn">
+ <button type="submit" class="btn btn-primary">Sign Up/In</button>
+ </form>
+ </li>
+ </ul>
+}
+```
+
+Modify your `Views\Shared\_Layout.cshtml` to include the *_LoginPartial.cshtml* file you added. The *_Layout.cshtml* file is a common layout that provides the user with a consistent experience as they navigate from page to page. The layout includes common user interface elements such as the app header, and footer.
+
+> [!NOTE]
+> Depending on the .NET Core version and whether you're adding sign-in to an existing app, the UI elements might look different. If so, be sure to include *_LoginPartial* in the proper location within the page layout.
+
+Open the */Views/Shared/_Layout.cshtml* and add the following `div` element.
+
+```razor
+<div class="navbar-collapse collapse">
+...
+</div>
+```
+
+Replace this element with the following Razor code:
+
+```razor
+<div class="navbar-collapse collapse">
+ <ul class="nav navbar-nav">
+ <li><a asp-area="" asp-controller="Home" asp-action="Index">Home</a></li>
+ <li><a asp-area="" asp-controller="Home" asp-action="Claims">Claims</a></li>
+ <li><a asp-area="" asp-controller="Home" asp-action="TodoList">To do list</a></li>
+ </ul>
+ <partial name="_LoginPartial" />
+</div>
+```
+
+The preceding Razor code includes a link to the `Claims` and `TodoList` actions you'll create in the next steps.
+
+## Add the claims view
+
+To view the ID token claims under the `Views/Home` folder, add the `Claims.cshtml` view.
+
+```razor
+@using System.Security.Claims
+
+@{
+ ViewData["Title"] = "Claims";
+}
+<h2>@ViewData["Title"].</h2>
+
+<table class="table-hover table-condensed table-striped">
+ <tr>
+ <th>Claim Type</th>
+ <th>Claim Value</th>
+ </tr>
+
+ @foreach (Claim claim in User.Claims)
+ {
+ <tr>
+ <td>@claim.Type</td>
+ <td>@claim.Value</td>
+ </tr>
+ }
+</table>
+```
+
+In this step, you add the `Claims` action that links the *Claims.cshtml* view to the *Home* controller. It uses the `[Authorize]` attribute, which limits access to the Claims action to authenticated users.
+
+In the `/Controllers/HomeController.cs` controller, add the following action.
+
+```csharp
+[Authorize]
+public IActionResult Claims()
+{
+ return View();
+}
+```
+
+Add the following `using` declaration at the beginning of the class:
+
+```csharp
+using Microsoft.AspNetCore.Authorization;
+```
+
+## Add the to do list view
+
+To call the to do web api, you need to have an access token with the right scopes. In this step you acc and action to the `Home` controller. Under the `Views/Home` folder, add the `TodoList.cshtml` view.
+
+```razor
+@{
+ ViewData["Title"] = "To do list";
+}
+
+<div class="text-left">
+ <h1 class="display-4">Your access token</h1>
+ @* Remove following line in production environments *@
+ <code>@ViewData["accessToken"]</code>
+</div>
+```
+
+After you added the view, you add the `TodoList` action that links the *TodoList.cshtml* view to the *Home* controller. It uses the `[Authorize]` attribute, which limits access to the TodoList action to authenticated users.
+
+In the `/Controllers/HomeController.cs` controller, add the following action class member with and inject the token acquisition service into your controller.
+
+```csharp
+public class HomeController : Controller
+{
+ private readonly ILogger<HomeController> _logger;
+
+ // Add the token acquisition service member variable
+ private readonly ITokenAcquisition _tokenAcquisition;
+
+ // Inject the acquisition service
+ public HomeController(ILogger<HomeController> logger, ITokenAcquisition tokenAcquisition)
+ {
+ _logger = logger;
+ // Set the acquisition service member variable
+ _tokenAcquisition = tokenAcquisition;
+ }
+
+ // More code...
+}
+```
+
+Then add the following action. The action shows you how to call a web API along with the bearer token.
+
+```csharp
+[Authorize]
+public async Task<IActionResult> TodoListAsync()
+{
+ // Acquire an access token with the relevant scopes.
+ var accessToken = await _tokenAcquisition.GetAccessTokenForUserAsync(new[] { "https://your-tenant.onmicrosoft.com/tasks-api/tasks.read", "https://your-tenant.onmicrosoft.com/tasks-api/tasks.write" });
+
+ // Remove this line in production environments
+ ViewData["accessToken"] = accessToken;
+
+ using (HttpClient client = new HttpClient())
+ {
+ client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
+
+ HttpResponseMessage response = await client.GetAsync("https://path-to-your-web-api");
+ }
+
+ return View();
+}
+```
+
+## Add the app settings
+
+Azure AD B2C identity provider settings are stored in the `appsettings.json` file. Open appsettings.json and add the app settings as described in the [Step 5: Configure the sample web app](configure-authentication-sample-web-app-with-api.md#step-5-configure-the-sample-web-app).
+
+## Run your application
+
+1. Build and run the project.
+1. Browse to https://localhost:5001.
+1. Select **SignIn/Up**.
+1. Complete the sign-up or sign-in process.
+
+After you successfully authenticate, you will see your display name in the navigation bar.
+
+* To view the claims the Azure AD B2C token return to your app, select **Claims**.
+* To view the access token, select **To do list**.
+
+## Next steps
+
+* Learn how to [customize and enhance the Azure AD B2C authentication experience for your web app](enable-authentication-web-application-options.md)
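Review bot: the package-install tabs at L913–L925 are swapped. `dotnet add package` is the .NET CLI, which is what a Visual Studio Code user runs in the terminal, while `Install-Package` is the NuGet Package Manager Console inside Visual Studio, so the "Visual Studio" tab should carry the `Install-Package` lines and the "Visual Studio Code" tab the `dotnet add package` lines. In the `TodoListAsync` action at L1166–L1185, the scopes are hard-coded (`https://your-tenant.onmicrosoft.com/tasks-api/tasks.read` and `.write`) while `ConfigureServices` at L959 enables token acquisition only for `Configuration["TodoList:TodoListScope"]`; reading the same configuration value in the controller keeps the two in step and avoids requesting a scope the app never registered with `EnableTokenAcquisitionToCallDownstreamApi`. The same action creates `new HttpClient()` per request, the pattern the ASP.NET Core docs warn against (socket exhaustion); inject `IHttpClientFactory` after `services.AddHttpClient()` instead, and the controller also needs `using System.Net.Http;`, `using System.Net.Http.Headers;` and `using Microsoft.Identity.Web;` for `HttpClient`, `AuthenticationHeaderValue` and `ITokenAcquisition`, which the page lists only for `Startup.cs` (L933–L938). Finally, L1126 ("you acc and action") and L1142 ("add the following action class member with and inject") are garbled sentences, and L1195 says **SignIn/Up** while the button at L1043 reads **Sign Up/In**.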
active-directory-b2c Enable Authentication Web Application Options https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/enable-authentication-web-application-options.md
Previously updated : 05/25/2021 Last updated : 06/11/2021
# Configure authentication in a sample web application using Azure Active Directory B2C options
-This article describes ways you can customize and enhance the Azure Active Directory B2C (Azure AD B2C) authentication experience for your web application. Before you start, familiarize yourself with the following articles: [Configure authentication in a sample web application](configure-authentication-sample-web-app.md) or [Enable authentication in your own web application](enable-authentication-web-application.md).
+This article describes ways you can customize and enhance the Azure Active Directory B2C (Azure AD B2C) authentication experience for your web application. Before you start, it is important to familiarize yourself with the following articles: [Configure authentication in a sample web application](configure-authentication-sample-web-app.md) or [Enable authentication in your own web application](enable-authentication-web-application.md).
-## Use a custom domain
-Using a [custom domain](custom-domain.md) in your application's redirect URL provides a more seamless user experience. From the user's perspective, the user remains in your domain during the sign-in process rather than redirecting to the Azure AD B2C default domain .b2clogin.com.
+To use a custom domain and your tenant ID in the authentication URL, follow the guidance in [Enable custom domains](custom-domain.md). Under the project root folder, open the `appsettings.json` file. This file contains information about your Azure AD B2C identity provider.
-To use a custom domain, follow the guidance in [Enable custom domains](custom-domain.md). Under the project root folder, open the `appsettings.json` file. This file contains information about your Azure AD B2C identity provider. Update the `Instance` entry with your custom domain.
+- Update the `Instance` entry with your custom domain.
+- Update the `Domain` entry with your [tenant ID](tenant-management.md#get-your-tenant-id). For more information, see [Use tenant ID](custom-domain.md#optional-use-tenant-id).
The following JSON shows the app settings before the change: ```JSon "AzureAdB2C": { "Instance": "https://contoso.b2clogin.com",
+ "Domain": "tenant-name.onmicrosoft.com",
... } ```
The following JSON shows the app settings after the change:
```JSon "AzureAdB2C": { "Instance": "https://login.contoso.com",
- ...
-}
-```
-
-## Use your tenant ID
-
-You can replace your B2C tenant name in the URL with your tenant ID GUID to remove all references to ΓÇ£b2cΓÇ¥ in the URL. For example, you can change `https://account.contosobank.co.uk/contosobank.onmicrosoft.com/` to `https://account.contosobank.co.uk/<tenant ID GUID>/`
-
-To use the tenant ID, follow the guidance [Enable custom domains](custom-domain.md#optional-use-tenant-id). Under the project root folder, open the `appsettings.json` file. This file contains information about your Azure AD B2C identity provider. Update the `Domain` entry with your custom domain.
-
-The following JSON demonstrates the app settings before the change:
-
-```JSon
-"AzureAdB2C": {
- "Domain": "tenant-name.onmicrosoft.com",
- ...
-}
-```
-
-The following JSON demonstrates the app settings after the change:
-
-```JSon
-"AzureAdB2C": {
"Domain": "00000000-0000-0000-0000-000000000000", ... }
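Review bot: merging "Use your tenant ID" into the custom domain section (L1211–L1244) drops both sentences that told the reader why to make the change: the removed L1212 (the user stays on your domain during sign-in instead of being sent to `.b2clogin.com`) and the removed L1228 (replacing the tenant name with the tenant ID GUID removes every reference to "b2c" from the URL). The surviving L1213–L1216 only say which `appsettings.json` entries to edit; keep one sentence of rationale so it is clear the two settings are a pair and that the `Domain` change only makes sense once `Instance` already points at the custom domain. If L1228 is restored, do not bring back its mojibake (`ΓÇ£b2cΓÇ¥` for curly quotes).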
private async Task OnRedirectToIdentityProviderFunc(RedirectContext context)
You can pass parameters between your controller and the *OnRedirectToIdentityProvider* function using context parameters.
-## Prepopulate the sign-in name
-
-During a sign-in user journey, your app may target a specific user. When targeting a user, an application can specify in the authorization request, the `login_hint` query parameter with the user sign-in name. Azure AD B2C automatically populates the sign-in name, and the user only needs to provide the password.
-To prepopulate the sign-in name, follow these steps:
-
-1. Complete the [Support advanced scenarios](#support-advanced-scenarios) procedure.
1. If you're using a custom policy, add the required input claim as described in [Set up direct sign-in](direct-signin.md#prepopulate-the-sign-in-name).
+1. Complete the [Support advanced scenarios](#support-advanced-scenarios) procedure.
1. Add the following line of code to the *OnRedirectToIdentityProvider* function: ```csharp
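Review bot: L1248–L1253 remove the `## Prepopulate the sign-in name` heading and the paragraph explaining that `login_hint` pre-fills the sign-in name so the user only has to supply the password, leaving the numbered steps at L1254–L1256 with no heading and no statement of what they achieve; the same pattern repeats below for `domain_hint` (L1259–L1262), `ui_locales` (L1270–L1273), the custom query string parameter (L1278–L1282) and the ID token hint (L1287–L1290). If those headings moved into shared include files, nothing in this diff shows the include, so as rendered the page will carry five orphaned step lists; otherwise restore a heading, or at least a lead sentence, before each list. Moving the custom-policy prerequisite ahead of "Complete the Support advanced scenarios procedure" (L1253–L1255) is a sensible reorder.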
To prepopulate the sign-in name, follow these steps:
} ```
-## Redirect sign-in to an external identity provider
-
-If you configured the sign-in journey for your application to include social accounts, such as Facebook, LinkedIn, or Google, you can specify the `domain_hint` parameter. This query parameter provides a hint to Azure AD B2C about the social identity provider that should be used for sign-in. For example, if the application specifies `domain_hint=facebook.com`, the sign-in flow goes directly to the Facebook sign-in page.
-To redirect sign-in to an external identity provider, follow these steps:
-
-1. Complete the [Support advanced scenarios](#support-advanced-scenarios) procedure.
1. Check the domain name of your external identity provider. For more information, see [Redirect sign-in to a social provider](direct-signin.md#redirect-sign-in-to-a-social-provider).
+1. Complete the [Support advanced scenarios](#support-advanced-scenarios) procedure.
1. In the *OnRedirectToIdentityProviderFunc* function, add the following line of code to the *OnRedirectToIdentityProvider* function: ```csharp
To redirect sign-in to an external identity provider, follow these steps:
} ```
-## Specify the UI language
-
-Language customization in Azure AD B2C allows your user flow to accommodate different languages to suit your customer needs. For more information, see [Language customization](language-customization.md).
-To set the preferred language, follow these steps:
+1. [Configure Language customization](language-customization.md).
1. Complete the [Support advanced scenarios](#support-advanced-scenarios) procedure. 1. Add the following line of code to the *OnRedirectToIdentityProvider* function:
To set the preferred language, follow these steps:
} ```
-## Pass a custom query string parameter
-
-With custom policies you can pass a custom query string parameter, for example when you want to [dynamically change the page content](customize-ui-with-html.md?pivots=b2c-custom-policy#configure-dynamic-custom-page-content-uri).
--
-To pass a custom query string parameter, follow these steps:
+1. Configure the [ContentDefinitionParameters](customize-ui-with-html.md#configure-dynamic-custom-page-content-uri) element.
1. Complete the [Support advanced scenarios](#support-advanced-scenarios) procedure. 1. Add the following line of code to the *OnRedirectToIdentityProvider* function:
To pass a custom query string parameter, follow these steps:
} ```
-## Pass ID token hint
-
-Azure AD B2C allows relying party applications to send an inbound JWT as part of the OAuth2 authorization request. The JWT token can be issued by a relying party application or an identity provider, and it can pass a hint about the user or the authorization request. Azure AD B2C validates the signature, issuer name, and token audience, and extracts the claim from the inbound token.
-To include an ID token hint in the authentication request, follow these steps:
1. Complete the [Support advanced scenarios](#support-advanced-scenarios) procedure. 1. In your custom policy, define an [ID token hint technical profile](id-token-hint.md).
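Review bot: the paragraph removed at L1289 is the only place this article said that Azure AD B2C validates the signature, issuer name and token audience of the inbound `id_token_hint` JWT before extracting claims from it; with it gone, a reader who follows the remaining steps (define the ID token hint technical profile, set `context.ProtocolMessage.IdTokenHint`) sees no statement of what the policy checks or that an unsigned or foreign-issued hint is rejected. Keep that sentence, as a lead sentence above the steps if the heading is not coming back, so the security contract of the parameter survives the restructuring.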
public IActionResult Claims()
## Next steps -- Learn more: [Introduction to authorization in ASP.NET Core](/aspnet/core/security/authorization/introduction)
+- Learn more: [Introduction to authorization in ASP.NET Core](/aspnet/core/security/authorization/introduction)
active-directory-b2c Enable Authentication Web Application https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/enable-authentication-web-application.md
Previously updated : 06/10/2021 Last updated : 06/11/2021
dotnet add package Microsoft.Identity.Web.UI
```dotnetcli Install-Package Microsoft.Identity.Web
-Install-Package Microsoft.Identity.Web
+Install-Package Microsoft.Identity.Web.UI
```
public IActionResult Claims()
} ```
+Add the following `using` declaration at the beginning of the class:
+
+```csharp
+using Microsoft.AspNetCore.Authorization;
+```
+ ## Add the app settings Azure AD B2C identity provider settings are stored in the `appsettings.json` file. Open appsettings.json and add the following settings:
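Review bot: the added instruction "Add the following `using` declaration at the beginning of the class" is misleading: a `using Microsoft.AspNetCore.Authorization;` directive belongs at the top of the source file, before the namespace and class declarations, not inside the class body. Suggest "Add the following `using` directive at the top of the file". It would also help to say which attribute from that namespace the controller uses, so readers understand why the directive is required rather than copying it blindly.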
active-directory Concept Sspr Howitworks https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/authentication/concept-sspr-howitworks.md
Previously updated : 06/08/2021 Last updated : 06/14/2021
The following authentication methods are available for SSPR:
* Mobile app code * Email * Mobile phone
-* Office phone
+* Office phone (available only for tenants with paid subscriptions)
* Security questions Users can only reset their password if they have registered an authentication method that the administrator has enabled.
active-directory Howto Mfa Reporting https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/authentication/howto-mfa-reporting.md
Previously updated : 06/08/2021 Last updated : 06/14/2021
The sign-ins report provides you with information about the usage of managed app
- Was the sign-in challenged with MFA? - How did the user complete MFA?
+- Which authentication methods were used during a sign-in?
- Why was the user unable to complete MFA? - How many users are challenged for MFA? - How many users are unable to complete the MFA challenge?
To view the sign-in activity report in the [Azure portal](https://portal.azure.c
1. Under *Activity* from the menu on the left-hand side, select **Sign-ins**. 1. A list of sign-in events is shown, including the status. You can select an event to view more details.
- The *Authentication Details* or *Conditional Access* tab of the event details shows you the status code or which policy triggered the MFA prompt.
+ The **Authentication Details** or **Conditional Access** tab of the event details shows you the status code or which policy triggered the MFA prompt.
[![Screenshot of example Azure Active Directory sign-ins report in the Azure portal](media/howto-mfa-reporting/sign-in-report-cropped.png)](media/howto-mfa-reporting/sign-in-report.png#lightbox) If available, the authentication is shown, such as text message, Microsoft Authenticator app notification, or phone call.
-The following details are shown on the *Authentication Details* window for a sign-in event that show if the MFA request was satisfied or denied:
+The **Authentication Details** tab provides the following information, for each authentication attempt:
+
+- A list of authentication policies applied (such as Conditional Access, per-user MFA, Security Defaults)
+- The sequence of authentication methods used to sign-in
+- Whether or not the authentication attempt was successful
+- Detail about why the authentication attempt succeeded or failed
+
+This information allows admins to troubleshoot each step in a userΓÇÖs sign-in, and track:
+
+- Volume of sign-ins protected by multi-factor authentication
+- Usage and success rates for each authentication method
+- Usage of passwordless authentication methods (such as Passwordless Phone Sign-in, FIDO2, and Windows Hello for Business)
+- How frequently authentication requirements are satisfied by token claims (where users are not interactively prompted to enter a password, enter an SMS OTP, and so on)
+
+While viewing the sign-ins report, select the **Authentication Details** tab:
+
+![Screenshot of the Authentication Details tab](media/howto-mfa-reporting/auth-details-tab.png)
+
+>[!NOTE]
+>**OATH verification code** is logged as the authentication method for both OATH hardware and software tokens (such as the Microsoft Authenticator app).
+
+>[!IMPORTANT]
+>The **Authentication details** tab can initially show incomplete or inaccurate data, until log information is fully aggregated. Known examples include:
+>- A **satisfied by claim in the token** message is incorrectly displayed when sign-in events are initially logged.
+>- The **Primary authentication** row is not initially logged.
+
+The following details are shown on the **Authentication Details** window for a sign-in event that show if the MFA request was satisfied or denied:
* If MFA was satisfied, this column provides more information about how MFA was satisfied. * completed in the cloud
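Review bot: two text nits in the new "Authentication Details" section: "userΓÇÖs" is mojibake for "user's" (a UTF-8 right single quote read back as CP437) and should be a plain ASCII apostrophe, and "The sequence of authentication methods used to sign-in" needs the verb form, "used to sign in". Separately, the important-callout says the tab "can initially show incomplete or inaccurate data, until log information is fully aggregated" without saying roughly how long that takes; a time indication would stop admins from reading an early "satisfied by claim in the token" row as evidence that an MFA prompt was skipped.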
The following table can help troubleshoot events using the downloaded version of
| FAILED_AUTH_RESULT_TIMEOUT | Auth Result Timeout | The user took too long to complete the Multi-Factor Authentication attempt. | | FAILED_AUTHENTICATION_THROTTLED | Authentication Throttled | The Multi-Factor Authentication attempt was throttled by the service. | + ## Additional MFA reports The following additional information and reports are available for MFA events, including those for MFA Server:
The following additional information and reports are available for MFA events, i
| Bypassed User History | Azure AD > Security > MFA > One-time bypass | Provides a history of MFA Server requests to bypass MFA for a user. | | Server status | Azure AD > Security > MFA > Server status | Displays the status of MFA Servers associated with your account. | + ## Next steps This article provided an overview of the sign-ins activity report. For more detailed information on what this report contains and understand the data, see [sign-in activity reports in Azure AD](../reports-monitoring/concept-sign-ins.md).
active-directory Msal Compare Msal Js And Adal Js https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/msal-compare-msal-js-and-adal-js.md
Title: Differences between MSAL.js and ADAL.js | Azure
description: Learn about the differences between Microsoft Authentication Library for JavaScript (MSAL.js) and Azure AD Authentication Library for JavaScript (ADAL.js) and how to choose which to use. -+
Last updated 04/10/2019-+ #Customer intent: As an application developer, I want to learn about the differences between the ADAL.js and MSAL.js libraries so I can migrate my applications to MSAL.js.
active-directory Msal Js Known Issues Ie Edge Browsers https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/msal-js-known-issues-ie-edge-browsers.md
Title: Issues on Internet Explorer & Microsoft Edge (MSAL.js) | Azure
description: Learn about know issues when using the Microsoft Authentication Library for JavaScript (MSAL.js) with Internet Explorer and Microsoft Edge browsers. -+
Last updated 05/18/2020-+ #Customer intent: As an application developer, I want to learn about issues with MSAL.js library so I can decide if this platform meets my application development needs and requirements.
active-directory Msal Js Prompt Behavior https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/msal-js-prompt-behavior.md
Title: Interactive request prompt behavior (MSAL.js) | Azure
description: Learn to customize prompt behavior in interactive calls using the Microsoft Authentication Library for JavaScript (MSAL.js). -+
Last updated 04/24/2019-+ #Customer intent: As an application developer, I want to learn about customizing the UI prompt behaviors in MSAL.js library so I can decide if this platform meets my application development needs and requirements.
active-directory Msal Js Sso https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/msal-js-sso.md
Title: Single sign-on (MSAL.js) | Azure
description: Learn about building single sign-on experiences using the Microsoft Authentication Library for JavaScript (MSAL.js). -+
Last updated 04/24/2019-+ #Customer intent: As an application developer, I want to learn about enabling single sign on experiences with MSAL.js library so I can decide if this platform meets my application development needs and requirements.
active-directory Msal Js Use Ie Browser https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/msal-js-use-ie-browser.md
Title: Issues on Internet Explorer (MSAL.js) | Azure
description: Use the Microsoft Authentication Library for JavaScript (MSAL.js) with Internet Explorer browser. -+
Last updated 05/16/2019-+ #Customer intent: As an application developer, I want to learn about issues with MSAL.js library so I can decide if this platform meets my application development needs and requirements.
active-directory Quickstart Register App https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/quickstart-register-app.md
Previously updated : 05/30/2021 Last updated : 06/14/2021 # Customer intent: As developer, I want to know how to register my application with the Microsoft identity platform so that the security token service can issue ID and/or access tokens to client applications that request them.
The Microsoft identity platform performs identity and access management (IAM) on
## Prerequisites - An Azure account that has an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
+- The Azure account must have permission to manage applications in Azure Active Directory (Azure AD). Any of the following Azure AD roles include the required permissions:
+ - [Application administrator](../roles/permissions-reference.md#application-administrator)
+ - [Application developer](../roles/permissions-reference.md#application-developer)
+ - [Cloud application administrator](../roles/permissions-reference.md#cloud-application-administrator)
- Completion of the [Set up a tenant](quickstart-create-new-tenant.md) quickstart. ## Register an application
active-directory Quickstart V2 Java Daemon https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/quickstart-v2-java-daemon.md
Title: "Quickstart: Call Microsoft Graph from a Java daemon | Azure"
description: In this quickstart, you learn how a Java app can get an access token and call an API protected by Microsoft identity platform endpoint, using the app's own identity -+
Last updated 01/22/2021-+ #Customer intent: As an application developer, I want to learn how my Java app can get an access token and call an API that's protected by Microsoft identity platform endpoint using client credentials flow.
active-directory Quickstart V2 Javascript https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/quickstart-v2-javascript.md
Title: "Quickstart: Sign in users in JavaScript single-page apps | Azure"
description: In this quickstart, you learn how a JavaScript app can call an API that requires access tokens issued by the Microsoft identity platform. -+
Last updated 04/11/2019-+ #Customer intent: As an app developer, I want to learn how to get access tokens by using the Microsoft identity platform so that my JavaScript app can sign in users of personal accounts, work accounts, and school accounts.
active-directory Refresh Tokens https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/refresh-tokens.md
Before reading through this article, it's recommended that you go through the fo
## Refresh token lifetime
-Refresh tokens have a significantly longer lifetime than access tokens. The default lifetime for the tokens is 90 days and they replace themselves with a fresh token upon every use. The Microsoft identity platform doesn't revoke refresh tokens when used to fetch new access tokens. Securely delete the old refresh token after acquiring a new one. Refresh tokens need to be stored safely like access tokens or application credentials.
+Refresh tokens have a significantly longer lifetime than access tokens. The default lifetime for the tokens is 90 days and they replace themselves with a fresh token upon every use. This means that whenever a refresh token is used to acquire a new access token, a new refresh token is also issued. The Microsoft identity platform doesn't revoke old refresh tokens when used to fetch new access tokens. Securely delete the old refresh token after acquiring a new one. Refresh tokens need to be stored safely like access tokens or application credentials.
## Refresh token expiration
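Review bot: the rewritten paragraph now states both that refresh tokens "replace themselves with a fresh token upon every use" and that the platform "doesn't revoke old refresh tokens"; "replace themselves" reads as if the previous token becomes unusable, which contradicts the next sentence. Suggest "a new refresh token is issued alongside each new access token; the previous refresh token stays valid until it expires", which also makes explicit why the instruction to securely delete the old token matters: a copy that leaks remains usable for the rest of its lifetime.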
active-directory Scenario Spa App Configuration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/scenario-spa-app-configuration.md
Title: Configure single-page app | Azure
description: Learn how to build a single-page application (app's code configuration) -+
Last updated 02/11/2020-+ #Customer intent: As an application developer, I want to know how to write a single-page application by using the Microsoft identity platform.
active-directory Scenario Spa Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/scenario-spa-overview.md
Title: JavaScript single-page app scenario
description: Learn how to build a single-page application (scenario overview) by using the Microsoft identity platform. -+
Last updated 05/07/2019-+ #Customer intent: As an application developer, I want to know how to write a single-page application by using the Microsoft identity platform.
active-directory Scenario Spa Production https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/scenario-spa-production.md
Title: Move single-page app to production
description: Learn how to build a single-page application (move to production) -+
Last updated 05/07/2019-+ #Customer intent: As an application developer, I want to know how to write a single-page application by using the Microsoft identity platform.
active-directory Scenario Spa Sign In https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/scenario-spa-sign-in.md
Title: Single-page app sign-in & sign-out
description: Learn how to build a single-page application (sign-in) -+
Last updated 02/11/2020-+ #Customer intent: As an application developer, I want to know how to write a single-page application by using the Microsoft identity platform.
active-directory Tutorial V2 Javascript Spa https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/tutorial-v2-javascript-spa.md
Title: "Tutorial: Create a JavaScript single-page app that uses the Microsoft id
description: In this tutorial, you build a JavaScript single-page app (SPA) that uses the Microsoft identity platform to sign in users and get an access token to call the Microsoft Graph API on their behalf. -+
Last updated 08/06/2020-+
active-directory Tutorial V2 React https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/tutorial-v2-react.md
Title: "Tutorial: Create a React single-page app that uses auth code flow | Azur
description: In this tutorial, you create a React SPA that can sign in users and use the auth code flow to obtain an access token from the Microsoft identity platform and call the Microsoft Graph API. -+ Last updated 04/16/2021-+
active-directory V2 Oauth2 Auth Code Flow https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/v2-oauth2-auth-code-flow.md
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
|`response_type`| Required | The addition of `id_token` indicates to the server that the application would like an ID token in the response from the `/authorize` endpoint. | |`scope`| Required | For ID tokens, must be updated to include the ID token scopes - `openid`, and optionally `profile` and `email`. | |`nonce`| Required| A value included in the request, generated by the app, that will be included in the resulting id_token as a claim. The app can then verify this value to mitigate token replay attacks. The value is typically a randomized, unique string that can be used to identify the origin of the request. |
-|`response_mode`| Recommended | Specifies the method that should be used to send the resulting token back to your app. Defaults to `query` for just an authorization code, but `fragment` if the request includes an id_token `response_type`. However, apps are recommended to use `form_post`, especially when using `http:/localhost` as a redirect URI. |
+|`response_mode`| Recommended | Specifies the method that should be used to send the resulting token back to your app. Defaults to `query` for just an authorization code, but `fragment` if the request includes an id_token `response_type`. However, apps are recommended to use `form_post`, especially when using `http://localhost` as a redirect URI. |
The use of `fragment` as a response mode causes issues for web apps that read the code from the redirect, as browsers do not pass the fragment to the web server. In these situations, apps should use the `form_post` response mode to ensure that all data is sent to the server.
active-directory Azuread Join Sso https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/devices/azuread-join-sso.md
If you have a hybrid environment, with both Azure AD and on-premises AD, it is l
>[!NOTE] > Windows Hello for Business requires additional configuration to enable on-premises SSO from an Azure AD joined device. For more information, see [Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base).
+>
+> FIDO2 security key based passwordless authentication with Windows 10 requires additional configuration to enable on-premises SSO from an Azure AD joined device. For more information, see [Enable passwordless security key sign-in to on-premises resources with Azure Active Directory](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises).
During an access attempt to a resource requesting Kerberos or NTLM in the user's on-premises environment, the device:
active-directory Leave The Organization https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/external-identities/leave-the-organization.md
An Azure Active Directory (Azure AD) B2B guest user can decide to leave an organ
To leave an organization, follow these steps.
-1. Go to your Access Panel Profile page by doing one of the following steps:
-
- - In the [Azure portal](https://portal.azure.com), click your name in the upper right and select **View account**.
- - Open your [Access Panel](https://myapps.microsoft.com), click your name in the upper right, and next to **Organizations** and select **View account**.
-
-
-2. Select **Manage Organizations**.
- ![Screenshot showing user settings in Access Panel](media/leave-the-organization/manage-organizations.png)
-
-3. Under **Organizations**, find the organization that you want to leave, and select **Leave organization**.
+1. Go to your **My Account** page by doing one of the following:
+- If you're using a work or school account, go to https://myaccount.microsoft.com and sign in.
+- If you're using a personal account, go to https://myapps.microsoft.com and sign in, and then click your account icon in the upper right and select **View account**.
+ > [!NOTE]
+ > When using a personal account, another option is to go directly to your My Account page by adding the tenant name or tenant ID to the URL, for example: `https://myaccount.microsoft.com?tenantId=wingtiptoys.onmicrosoft.com` or `https://myaccount.microsoft.com?tenantId=ab123456-cd12-ef12-gh12-ijk123456789`
+
+2. Under **Organizations**, find the organization that you want to leave, and select **Leave organization**.
![Screenshot showing Leave organization option in the user interface](media/leave-the-organization/leave-org.png)
-4. When asked to confirm, select **Leave**.
+3. When asked to confirm, select **Leave**.
+ > [!NOTE] > You cannot leave your home organization.
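Review bot: the two bullets under step 1 ("If you're using a work or school account..." and "If you're using a personal account...") are not indented beneath the numbered item, so Markdown will close the ordered list and the later "2." and "3." steps will render as a new list starting at 1; indent the bullets and the note by the list's content offset (three or four spaces). Also, the sample tenant ID `ab123456-cd12-ef12-gh12-ijk123456789` is not a well-formed GUID (g through k are not hex digits); use an obviously fake but valid-shaped value such as `00000000-0000-0000-0000-000000000000` so readers do not copy an ID the URL parser will reject.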
active-directory Active Directory Architecture https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/active-directory-architecture.md
Application writes using the Microsoft Graph API of Azure AD are abstracted from
>[!NOTE] >Writes are immediately replicated to the secondary replica to which the logical session's reads were issued.
-#### Backup protection
+#### Service-level backup
-The directory implements soft deletes, instead of hard deletes, for users and tenants for easy recovery in case of accidental deletes by a customer. If your tenant administrator accidental deletes users, they can easily undo and restore the deleted users.
-
-Azure AD implements daily backups of all data, and therefore can authoritatively restore data in case of any logical deletions or corruptions. The data tier employs error correcting codes, so that it can check for errors and automatically correct particular types of disk errors.
+Azure AD implements daily backup of directory data and can use these backups to restore data in case of any service-wide issue.
+
+The directory also implements soft deletes instead of hard deletes for selected object types. The tenant administrator can undo any accidental deletions of these objects within 30 days. For more information, see the [API to restore deleted objects](/graph/api/directory-deleteditems-restore).
#### Metrics and monitors
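Review bot: the "Service-level backup" rewrite removes the earlier sentence that the data tier "employs error correcting codes, so that it can check for errors and automatically correct particular types of disk errors" and the word "authoritatively" from the restore claim. If those were dropped because they are no longer accurate, fine; otherwise the integrity-protection statement is worth keeping under its own sentence, since it describes a different control from backup and restore. The new "within 30 days" window for soft-deleted objects is a useful addition and should also name which object types qualify, as "selected object types" leaves admins guessing.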
Using operational controls such as multi-factor authentication (MFA) for any ope
## Next steps
-[Azure Active Directory developer's guide](../develop/index.yml)
+[Azure Active Directory developer's guide](../develop/index.yml)
active-directory Access Panel Collections https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/access-panel-collections.md
Title: Create collections for My Apps portals in Azure Active Directory | Micro
description: Use My Apps collections to Customize My Apps pages for a simpler My Apps experience for your end users. Organize applications into groups with separate tabs. documentationcenter: ''-+ ms.assetid:
Last updated 02/10/2020-+
active-directory Access Panel Manage Self Service Access https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/access-panel-manage-self-service-access.md
Title: How to use self-service application access in Azure AD description: Enable self-service so users can find apps in Azure AD -+ Last updated 07/11/2017-+
active-directory Add Application Portal Assign Users https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/add-application-portal-assign-users.md
Title: 'Quickstart: Assign users to an app that uses Azure Active Directory as an identity provider' description: This quickstart walks through the process of allowing users to use an app that you have setup to use Azure AD as an identity provider. -+ Last updated 09/01/2020-+ # Quickstart: Assign users to an app that is using Azure AD as an identity provider
active-directory Add Application Portal Configure https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/add-application-portal-configure.md
Title: 'Quickstart: Configure properties for an application in your Azure Active Directory (Azure AD) tenant' description: This quickstart uses the Azure portal to configure an application that has been registered with your Azure Active Directory (Azure AD) tenant. -+ Last updated 10/29/2019-+ # Quickstart: Configure properties for an application in your Azure Active Directory (Azure AD) tenant
active-directory Add Application Portal Setup Oidc Sso https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/add-application-portal-setup-oidc-sso.md
Title: 'Quickstart: Set up OIDC-based single sign-on (SSO) for an application in your Azure Active Directory (Azure AD) tenant' description: This quickstart walks through the process of setting up OIDC-based single sign-on (SSO) for an application in your Azure Active Directory (Azure AD) tenant. -+ Last updated 07/01/2020-+ # Quickstart: Set up OIDC-based single sign-on (SSO) for an application in your Azure Active Directory (Azure AD) tenant
active-directory Add Application Portal Setup Sso https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/add-application-portal-setup-sso.md
Title: 'Quickstart: Set up SAML-based single sign-on (SSO) for an application in your Azure Active Directory (Azure AD) tenant' description: This quickstart walks through the process of setting up SAML-based single sign-on (SSO) for an application in your Azure Active Directory (Azure AD) tenant. -+ Last updated 07/01/2020-+ # Quickstart: Set up SAML-based single sign-on (SSO) for an application in your Azure Active Directory (Azure AD) tenant
active-directory Add Application Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/add-application-portal.md
Title: 'Quickstart: Add an application to your Azure Active Directory (Azure AD) tenant' description: This quickstart uses the Azure portal to add a gallery application to your Azure Active Directory (Azure AD) tenant. -+ Last updated 10/29/2019-+ # Quickstart: Add an application to your Azure Active Directory (Azure AD) tenant
active-directory App Management Powershell Samples https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/app-management-powershell-samples.md
Title: PowerShell samples for Azure Active Directory Application Management description: These PowerShell samples are used for apps you manage in your Azure Active Directory tenant. You can use these sample scripts to find expiration information about secrets and certificates. -+ Last updated 02/18/2021-+
active-directory Application Management Certs Faq https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/application-management-certs-faq.md
Title: Azure Active Directory Application Management certificates frequently asked questions description: Learn answers to frequently asked questions (FAQ) about managing certificates for apps using Azure Active Directory as an Identity Provider (IdP). -+ Last updated 03/19/2021-+
active-directory Application Management Fundamentals https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/application-management-fundamentals.md
Title: 'Application management: Best practices and recommendations | Microsoft D
description: Learn best practices and recommendations for managing applications in Azure Active Directory. Learn about using automatic provisioning and publishing on-premises apps with Application Proxy. -+ ms.assetid:
na
Last updated 11/13/2019 -+
active-directory Application Sign In Other Problem Access Panel https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/application-sign-in-other-problem-access-panel.md
Title: Troubleshoot problems signing in to an application from Azure AD My Apps description: Troubleshoot problems signing in to an application from Azure AD My Apps -+ Last updated 07/11/2017-+
active-directory Application Sign In Problem Application Error https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/application-sign-in-problem-application-error.md
Title: Error message appears on app page after you sign in | Microsoft Docs description: How to resolve issues with Azure AD sign in when the app returns an error message. -+ Last updated 07/11/2017-+
active-directory Application Sign In Problem First Party Microsoft https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/application-sign-in-problem-first-party-microsoft.md
Title: Problems signing in to a Microsoft application | Microsoft Docs description: Troubleshoot common problems faced when signing in to first-party Microsoft Applications using Azure AD (like Microsoft 365). -+ Last updated 09/10/2018-+
active-directory Application Sign In Unexpected User Consent Error https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/application-sign-in-unexpected-user-consent-error.md
Title: Unexpected error when performing consent to an application | Microsoft Docs description: Discusses errors that can occur during the process of consenting to an application and what you can do about them -+ Last updated 07/11/2017-+
active-directory Application Sign In Unexpected User Consent Prompt https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/application-sign-in-unexpected-user-consent-prompt.md
Title: Unexpected consent prompt when signing in to an application | Microsoft Docs description: How to troubleshoot when a user sees a consent prompt for an application you have integrated with Azure AD that you did not expect -+ Last updated 07/11/2017-+
active-directory Application Types https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/application-types.md
Title: Viewing apps using your Azure Active Directory tenant for identity management description: Understand how to view all applications using your Azure Active Directory tenant for identity management. -+ Last updated 01/07/2021-+ # Viewing apps using your Azure AD tenant for identity management
active-directory Assign User Or Group Access Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/assign-user-or-group-access-portal.md
Title: Manage user assignment for an app in Azure Active Directory description: Learn how to assign and unassign users, and groups, for an app using Azure Active Directory for identity management. -+ Last updated 02/21/2020-+
active-directory Certificate Signing Options https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/certificate-signing-options.md
Title: Advanced SAML token certificate signing options for Azure AD apps description: Learn how to use advanced certificate signing options in the SAML token for pre-integrated apps in Azure Active Directory -+ Last updated 03/25/2019-+
active-directory Cloud App Security https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/cloud-app-security.md
Title: App visibility and control with Microsoft Cloud App Security description: Learn ways to identify app risk levels, stop breaches and leaks in real time, and use app connectors to take advantage of provider APIs for visibility and governance. -+ Last updated 02/03/2020-+
active-directory Common Scenarios https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/common-scenarios.md
Title: Common application management scenarios for Azure Active Directory | Microsoft Docs description: Centralize application management with Azure AD-+ Last updated 03/02/2019-+
active-directory Configure Admin Consent Workflow https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/configure-admin-consent-workflow.md
Title: Configure the admin consent workflow - Azure Active Directory | Microsoft Docs description: Learn how to configure a way for end users to request access to applications that require admin consent. -+ Last updated 10/29/2019-+
active-directory Configure Authentication For Federated Users Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/configure-authentication-for-federated-users-portal.md
Title: Configure sign-in auto-acceleration using Home Realm Discovery description: Learn how to configure Home Realm Discovery policy for Azure Active Directory authentication for federated users, including auto-acceleration and domain hints. -+ Last updated 02/12/2021-+
active-directory Configure Linked Sign On https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/configure-linked-sign-on.md
Title: Understand linked sign-on in Azure Active Directory description: Understand linked sign-on in Azure Active Directory. -+ Last updated 07/30/2020-+
active-directory Configure Oidc Single Sign On https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/configure-oidc-single-sign-on.md
Title: Understand OIDC-based single sign-on (SSO) for apps in Azure Active Directory description: Understand OIDC-based single sign-on (SSO) for apps in Azure Active Directory. -+ Last updated 10/19/2020-+
active-directory Configure Password Single Sign On Non Gallery Applications https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/configure-password-single-sign-on-non-gallery-applications.md
Title: Understand password-based single sign-on (SSO) for apps in Azure Active Directory description: Understand password-based single sign-on (SSO) for apps in Azure Active Directory -+ Last updated 07/29/2020-+ # Understand password-based single sign-on
active-directory Configure Permission Classifications https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/configure-permission-classifications.md
Title: Configure permission classifications with Azure AD description: Learn how to manage delegated permission classifications. -+ Last updated 06/01/2020-+
active-directory Configure Saml Single Sign On https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/configure-saml-single-sign-on.md
Title: Understand SAML-based single sign-on (SSO) for apps in Azure Active Directory description: Understand SAML-based single sign-on (SSO) for apps in Azure Active Directory -+ Last updated 07/28/2020-+
active-directory Configure User Consent Groups https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/configure-user-consent-groups.md
Title: Configure group owner consent to apps accessing group data using Azure AD description: Learn manage whether group and team owners can consent to applications that will have access to the group or team's data. -+ Last updated 05/19/2020-+
active-directory Configure User Consent https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/configure-user-consent.md
Title: Configure how end-users consent to applications using Azure AD description: Learn how to manage how and when users can consent to applications that will have access to your organization's data. -+ Last updated 06/01/2021-+
active-directory Debug Saml Sso Issues https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/debug-saml-sso-issues.md
Title: Debug SAML-based single sign-on - Azure Active Directory description: Debug SAML-based single sign-on to applications in Azure Active Directory. --++
active-directory Delete Application Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/delete-application-portal.md
Title: 'Quickstart: Delete an application from your Azure Active Directory (Azure AD) tenant' description: This quickstart uses the Azure portal to delete an application from your Azure Active Directory (Azure AD) tenant. -+ Last updated 1/5/2021-+ # Quickstart: Delete an application from your Azure Active Directory (Azure AD) tenant
active-directory Disable User Sign In Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/disable-user-sign-in-portal.md
Title: Disable user sign-ins for an enterprise app in Azure AD description: How to disable an enterprise application so that no users may sign in to it in Azure Active Directory -+ Last updated 04/12/2019-+
active-directory End User Experiences https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/end-user-experiences.md
Title: End-user experiences for applications - Azure Active Directory description: Azure Active Directory (Azure AD) provides several customizable ways to deploy applications to end users in your organization. -+ Last updated 09/27/2019-+
active-directory Get It Now Azure Marketplace https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/get-it-now-azure-marketplace.md
Title: 'Add an app from the Azure Marketplace' description: This article acts as a landing page from the Get It Now button on the Azure Marketplace. -+ Last updated 07/16/2020-+
active-directory Grant Admin Consent https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/grant-admin-consent.md
Title: Grant tenant-wide admin consent to an application - Azure AD description: Learn how to grant tenant-wide consent to an application so that end-users are not prompted for consent when signing in to an application. -+ Last updated 11/04/2019-+
active-directory Hide Application From User Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/hide-application-from-user-portal.md
Title: Hide an Enterprise application from user's experience in Azure AD description: How to hide an Enterprise application from user's experience in Azure Active Directory access panels or Microsoft 365 launchers. -+ Last updated 03/25/2020-+
active-directory Howto Saml Token Encryption https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/howto-saml-token-encryption.md
Title: SAML token encryption in Azure Active Directory description: Learn how to configure Azure Active Directory SAML token encryption. -+ Last updated 03/13/2020-+
active-directory Manage App Consent Policies https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/manage-app-consent-policies.md
Title: Manage app consent policies in Azure AD description: Learn how to manage built-in and custom app consent policies to control when consent can be granted. -+ Last updated 06/01/2020-+
active-directory Manage Application Permissions https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/manage-application-permissions.md
Title: Manage user and admin permissions - Azure Active Directory | Microsoft Docs description: Learn how to review and manage permissions for the application on Azure AD. For example, revoke all permissions granted to an application. -+ Last updated 7/10/2020-+
active-directory Manage Certificates For Federated Single Sign On https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/manage-certificates-for-federated-single-sign-on.md
Title: Manage federation certificates in Azure AD | Microsoft Docs description: Learn how to customize the expiration date for your federation certificates, and how to renew certificates that will soon expire. -+ Last updated 04/04/2019-+
active-directory Manage Consent Requests https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/manage-consent-requests.md
Title: Managing consent to applications and evaluating consent requests in Azure Active Directory description: Learn how to manage consent requests when user consent is disabled or restricted, and how to evaluate a request for tenant-wide admin consent to an application in Azure Active Directory. -+ Last updated 12/27/2019-+
active-directory Manage Self Service Access https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/manage-self-service-access.md
Title: How to configure self-service application assignment | Microsoft Docs description: Enable self-service application access to allow users to find their own applications -+ Last updated 04/20/2020-+
active-directory Methods For Removing User Access https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/methods-for-removing-user-access.md
Title: How to remove a user's access to an application in Azure Active Directory description: Understand how to remove a user's access to an application in Azure Active Directory -+ Last updated 11/02/2020-+ # How to remove a user's access to an application
active-directory Migrate Adfs Application Activity https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/migrate-adfs-application-activity.md
Title: Use the activity report to move AD FS apps to Azure Active Directory | Microsoft Docs' description: The Active Directory Federation Services (AD FS) application activity report lets you quickly migrate applications from AD FS to Azure Active Directory (Azure AD). This migration tool for AD FS identifies compatibility with Azure AD and gives migration guidance. -+ Last updated 01/14/2019-+
active-directory Migrate Adfs Apps To Azure https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/migrate-adfs-apps-to-azure.md
Title: Moving application authentication from AD FS to Azure Active Directory description: Learn how to use Azure Active Directory to replace Active Directory Federation Services (AD FS), giving users single sign-on to all their applications. -+ Last updated 03/01/2021-+
active-directory Migrate Application Authentication To Azure Active Directory https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/migrate-application-authentication-to-azure-active-directory.md
Title: 'Migrate application authentication to Azure Active Directory' description: This whitepaper details the planning for and benefits of migrating your application authentication to Azure AD. -+ Last updated 02/05/2021-+
active-directory Migration Resources https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/migration-resources.md
Title: Resources for migrating apps to Azure Active Directory | Microsoft Docs description: Resources to help you migrate application access and authentication to Azure Active Directory (Azure AD). -+ Last updated 02/29/2020-+
active-directory One Click Sso Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/one-click-sso-tutorial.md
Title: One-click, single sign-on (SSO) configuration of your Azure Marketplace application | Microsoft Docs description: Steps for one-click configuration of SSO for your application from the Azure Marketplace. -+ ms.assetid: e0416991-4b5d-4b18-89bb-91b6070ed3ba
Last updated 06/11/2019-+
active-directory Plan An Application Integration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/plan-an-application-integration.md
Title: Get started integrating Azure Active Directory with apps description: This article is a getting started guide for integrating Azure Active Directory (AD) with on-premises applications, and cloud applications. -+ Last updated 04/05/2021-+
active-directory Plan Sso Deployment https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/plan-sso-deployment.md
Title: Plan an Azure Active Directory single sign-on deployment description: Guide to help you plan, deploy, and manage SSO in your organization. -+ Last updated 06/10/2020-+
active-directory Prevent Domain Hints With Home Realm Discovery https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/prevent-domain-hints-with-home-realm-discovery.md
Title: Prevent sign-in auto-acceleration in Azure AD using Home Realm Discovery policy description: Learn how to prevent domain_hint auto-acceleration to federated IDPs. -+ Last updated 02/12/2021-+
active-directory Powershell Export All App Registrations Secrets And Certs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/scripts/powershell-export-all-app-registrations-secrets-and-certs.md
Title: PowerShell sample - Export secrets and certificates for app registrations in Azure Active Directory tenant. description: PowerShell example that exports all secrets and certificates for the specified app registrations in your Azure Active Directory tenant. -+ Last updated 03/09/2021-+
active-directory Powershell Export All Enterprise Apps Secrets And Certs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/scripts/powershell-export-all-enterprise-apps-secrets-and-certs.md
Title: PowerShell sample - Export secrets and certificates for enterprise apps in Azure Active Directory tenant. description: PowerShell example that exports all secrets and certificates for the specified enterprise apps in your Azure Active Directory tenant. -+ Last updated 03/09/2021-+
active-directory Powershell Export Apps With Expriring Secrets https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/scripts/powershell-export-apps-with-expriring-secrets.md
Title: PowerShell sample - Export apps with expiring secrets and certificates in Azure Active Directory tenant. description: PowerShell example that exports all apps with expiring secrets and certificates for the specified apps in your Azure Active Directory tenant. -+ Last updated 03/09/2021-+
active-directory Powershell Export Apps With Secrets Beyond Required https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/scripts/powershell-export-apps-with-secrets-beyond-required.md
Title: PowerShell sample - Export apps with secrets and certificates expiring beyond the required date in Azure Active Directory tenant. description: PowerShell example that exports all apps with secrets and certificates expiring beyond the required date for the specified apps in your Azure Active Directory tenant. -+ Last updated 03/09/2021-+
active-directory Sso Options https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/sso-options.md
Title: Single sign-on options in Azure AD description: Learn about the options available for single sign-on (SSO) in Azure Active Directory. -+ Last updated 12/03/2019-+
active-directory Tenant Restrictions https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/tenant-restrictions.md
Title: Use tenant restrictions to manage access to SaaS apps - Azure AD description: How to use tenant restrictions to manage which users can access apps based on their Azure AD tenant. -+ Last updated 6/2/2021-+
active-directory Troubleshoot Password Based Sso https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/troubleshoot-password-based-sso.md
Title: Troubleshoot password-based single sign-on in Azure Active Directory description: Troubleshoot issues with an Azure AD app that's configured for password-based single sign-on.-+ Last updated 07/11/2017-+
active-directory Troubleshoot Saml Based Sso https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/troubleshoot-saml-based-sso.md
Title: Troubleshoot SAML-based single sign-on in Azure Active Directory description: Troubleshoot issues with an Azure AD app that's configured for SAML-based single sign-on. -+ Last updated 07/11/2017-+ # Troubleshoot SAML-based single sign-on in Azure Active Directory
active-directory View Applications Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/view-applications-portal.md
Title: 'Quickstart: View the list of applications that are using your Azure Active Directory (Azure AD) tenant for identity management' description: In this Quickstart, use the Azure portal to view the list of applications that are registered to use your Azure Active Directory (Azure AD) tenant for identity management. -+ Last updated 04/09/2019-+
To view applications that have been registered in your Azure AD tenant, you need
>[!IMPORTANT] >We recommend using a non-production environment to test the steps in this quickstart.
-## Find the list of applications in your tenant
-The applications that are registered with your Azure AD tenant are viewable in the **Enterprise apps** section of the Azure portal.
+To install and use the CLI locally, run Azure CLI version 2.0.4 or later. Run `az --version` to find the version. If you need to install or upgrade, see [Install the Azure CLI](/cli/azure/install-azure-cli).
+
+## Find the list of applications in your tenant
To view the applications registered in your tenant:
+# [Portal](#tab/azure-portal)
+
+The applications that are registered with your Azure AD tenant are viewable in the **Enterprise apps** section of the Azure portal.
+ 1. Sign in to your [Azure portal](https://portal.azure.com). 2. On the left navigation panel, select **Azure Active Directory**. 3. In the **Azure Active Directory** pane, select **Enterprise applications**. 4. From the **Application Type** drop-down menu, select **All Applications**, and choose **Apply**. A random sample of your tenant applications appears. 5. To view more applications, select **Load more** at the bottom of the list. If there are numerous applications in your tenant, it might be easier to search for a particular application instead of scrolling through the list. Searching for a particular application is covered later in this quickstart.
+# [Azure CLI](#tab/azure-cli)
+
+Sign in and use applications with the [az ad app](/cli/azure/ad/app) commands.
+
+```azurecli
+az login
+
+az ad app list --all
+```
+++ ## Select viewing options Select options according to what you're looking for.
+# [Portal](#tab/azure-portal)
+ 1. You can view the applications by **Application Type**, **Application Status**, and **Application visibility**. 2. Under **Application Type**, choose one of these options: - **Enterprise Applications** shows non-Microsoft applications.
Select options according to what you're looking for.
4. Under **Application Visibility**, choose **Any**, or **Hidden**. The **Hidden** option shows applications that are in the tenant, but aren't visible to users. 5. After choosing the options you want, select **Apply**.
+# [Azure CLI](#tab/azure-cli)
+
+```azurecli
+az ad app list --filter "displayname eq 'test' and servicePrincipalType eq 'Application'"
+```
+++ ## Search for an application To search for a particular application:
+# [Portal](#tab/azure-portal)
+ 1. In the **Application Type** menu, select **All applications**, and choose **Apply**. 2. Enter the name of the application you want to find. If the application has been added to your Azure AD tenant, it appears in the search results. This example shows that GitHub hasn't been added to the tenant applications. ![Example shows an app hasn't been added to the tenant](media/view-applications-portal/search-for-tenant-application.png) 3. Try entering the first few letters of an application name. This example shows all the applications that start with **Sales**. ![Example shows all apps that start with Sales](media/view-applications-portal/search-by-prefix.png)
+# [Azure CLI](#tab/azure-cli)
+
+```azurecli
+az ad app show --id 710abb12-abeb-40ba-91ab-4b1f44f9ceb8 --query 'objectId' -o json
+```
++ > [!TIP] > You can automate app management using the Graph API, see [Automate app management with Microsoft Graph API](/graph/application-saml-sso-configure-api). - ## Clean up resources You did not create any new resources in this quickstart, so there is nothing to clean up.
You did not create any new resources in this quickstart, so there is nothing to
Advance to the next article to learn how to use Azure AD as the identity provider for an app. > [!div class="nextstepaction"]
-> [Add an app](add-application-portal.md)
+> [Add an app](add-application-portal.md)
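Review bot: the Azure CLI tab of the "Select viewing options" section filters `az ad app list` with `servicePrincipalType eq 'Application'`, but `servicePrincipalType` is a property of service principal objects, not of application objects, so this filter is likely to be rejected rather than narrow the list; either drop that clause (`az ad app list --filter "displayname eq 'test'"`) or, since the Portal tab is about enterprise applications, filter service principals instead with `az ad sp list --filter "..."`, where the property exists. Two smaller points in the same hunk: `az ad app show --id 710abb12-abeb-40ba-91ab-4b1f44f9ceb8 --query 'objectId' -o json` hard-codes a real-looking object id where a placeholder such as `<app-object-id>` would keep readers from pasting it verbatim, and "Sign in and use applications with the [az ad app] commands" reads oddly next to `az login`; "Sign in with `az login`, then list applications with the [az ad app] commands" says what the block does.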
active-directory Ways Users Get Assigned To Applications https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/ways-users-get-assigned-to-applications.md
Title: Understand how users are assigned to apps in Azure Active Directory description: Understand how users get assigned to an app that is using Azure Active Directory for identity management. -+ Last updated 01/07/2021-+ # Understand how users are assigned to apps in Azure Active Directory
active-directory What Is Access Management https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/what-is-access-management.md
Title: Managing access to apps using Azure AD description: Describes how Azure Active Directory enables organizations to specify the apps to which each user has access. -+ Last updated 05/16/2017-+ # Managing access to apps
active-directory What Is Application Management https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/what-is-application-management.md
Title: What is application management in Azure Active Directory description: An overview of using Azure Active Directory (AD) as an Identity and Access Management (IAM) system for your cloud and on-premises applications. -+ Last updated 01/22/2021-+
active-directory What Is Single Sign On https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/what-is-single-sign-on.md
Title: What is Azure single sign-on (SSO)? description: Learn how single sign-on (SSO) works with Azure Active Directory. Use SSO so users don't need to remember passwords for every application. Also use SSO to simplify the administration of account management. -+ Last updated 12/03/2019-+
active-directory Whats New Docs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/whats-new-docs.md
--++
active-directory How To Manage Ua Identity Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/managed-identities-azure-resources/how-to-manage-ua-identity-portal.md
documentationcenter:
editor: -+ ms.devlang: na na Previously updated : 08/26/2020 Last updated : 05/20/2021
Deleting a user assigned identity does not remove it from the VM or resource it
To assign a role to a user-assigned managed identity, your account needs the [User Access Administrator](../../role-based-access-control/built-in-roles.md#user-access-administrator) role assignment.
-1. Sign in to the [Azure portal](https://portal.azure.com) using an account associated with the Azure subscription to list the user-assigned managed identities.
-2. In the search box, type *Managed Identities*, and under Services, click **Managed Identities**.
-3. A list of the user-assigned managed identities for your subscription is returned. Select the user-assigned managed identity that you want to assign a role.
-4. Select **Access control (IAM)**, and then select **Add role assignment**.
+For detailed steps, see [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.md).
- ![User-assigned managed identity start](./media/how-to-manage-ua-identity-portal/assign-role-screenshot1.png)
+## Next steps
-5. In the Add role assignment blade, configure the following values, and then click **Save**:
- - **Role** - the role to assign
- - **Assign access to** - the resource to assign the user-assigned managed identity
- - **Select** - the member to assign access
-
- ![User-assigned managed identity IAM](./media/how-to-manage-ua-identity-portal/assign-role-screenshot2.png)
+- [Assign a managed identity access to a resource using Azure CLI](howto-assign-access-cli.md)
+- [Assign a managed identity access to a resource using PowerShell](howto-assign-access-powershell.md)
active-directory How To Use Vm Token https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/managed-identities-azure-resources/how-to-use-vm-token.md
func main() {
fmt.Println("Error creating URL: ", err) return }
- msi_parameters := url.Values{}
+ msi_parameters := msi_endpoint.Query()
msi_parameters.Add("resource", "https://management.azure.com/") msi_endpoint.RawQuery = msi_parameters.Encode() req, err := http.NewRequest("GET", msi_endpoint.String(), nil)
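Review bot: switching from `url.Values{}` to `msi_endpoint.Query()` only changes behaviour if the parsed `msi_endpoint` already carries a query string at this point, because the old code silently discarded those parameters before adding `resource`; the context in this hunk does not show the line that parses the endpoint, so confirm that it includes the parameters this change is meant to preserve, and add a one-line comment above `msi_parameters := msi_endpoint.Query()` saying so, otherwise the change looks like a no-op to the next reader. Style point on the same lines: `msi_parameters` and `msi_endpoint` are snake_case, which Go tooling flags; `msiParameters` and `msiEndpoint` would match the language's convention.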
active-directory Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/managed-identities-azure-resources/overview.md
ms.devlang: Previously updated : 04/07/2021 Last updated : 05/20/2021
If you choose a user assigned managed identity instead:
- CRUD operations are available for review in [Azure Activity logs](../../azure-resource-manager/management/view-activity-logs.md). - View sign-in activity in Azure AD [sign-in logs](../reports-monitoring/concept-sign-ins.md).
-Operations on managed identities may be performed by using an Azure Resource Manager (ARM) template, the Azure Portal, the Azure CLI, PowerShell, and REST APIs.
+Operations on managed identities may be performed by using an Azure Resource Manager (ARM) template, the Azure portal, the Azure CLI, PowerShell, and REST APIs.
## Next steps
active-directory Services Support Managed Identities https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/managed-identities-azure-resources/services-support-managed-identities.md
Managed identity type | All Generally Available<br>Global Azure Regions | Azure
| System assigned | ![Available][check] | ![Available][check] | Not available | ![Available][check] | | User assigned | Not available | Not available | Not available | Not available | -
-### Azure Communication Services
-
-Managed identity type | All Generally Available<br>Global Azure Regions | Azure Government | Azure Germany | Azure China 21Vianet |
-| | :-: | :-: | :-: | :-: |
-| System assigned | ![Available][check] | Not available | Not available | Not available |
-| User assigned | ![Available][check] | Not available | Not available | Not available |
-- ### Azure Container Instances Managed identity type | All Generally Available<br>Global Azure Regions | Azure Government | Azure Germany | Azure China 21Vianet |
Refer to the following list to configure access to Azure Resource
| Azure Germany | `https://*.asazure.cloudapi.de` | ![Available][check] | | Azure China 21Vianet | `https://*.asazure.chinacloudapi.cn` | ![Available][check] |
+### Azure Communication Services
+
+Managed identity type | All Generally Available<br>Global Azure Regions | Azure Government | Azure Germany | Azure China 21Vianet |
+| | :-: | :-: | :-: | :-: |
+| System assigned | ![Available][check] | Not available | Not available | Not available |
+| User assigned | ![Available][check] | Not available | Not available | Not available |
++ > [!Note] > Microsoft Power BI also [supports managed identities](../../stream-analytics/powerbi-output-managed-identity.md).
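Review bot: the Azure Communication Services table added after the Azure Analysis Services rows has different columns from the table it now sits next to; the surrounding rows are `| Azure Germany | https://*.asazure.cloudapi.de | ![Available][check] |` (cloud, resource endpoint, status), whereas the inserted table is the `Managed identity type | ... regions` layout used by the section it was removed from, next to `### Azure Container Instances`. That suggests the block landed in the wrong section: either keep Azure Communication Services in the managed-identity-support list where it was, or add a row in the cloud/resource-endpoint format here rather than the identity-type table.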
active-directory Tutorial Linux Vm Access Storage Access Key https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/managed-identities-azure-resources/tutorial-linux-vm-access-storage-access-key.md
ms.devlang: na
na Previously updated : 03/04/2020 Last updated : 05/24/2021
Later we will upload and download a file to the new storage account. Because fil
## Grant your VM's system-assigned managed identity access to use storage account access keys
-In this step, you grant your VM's system-assigned managed identity access to the keys to your storage account.
+Azure Storage does not natively support Azure AD authentication. However, you can use your VM's system-assigned managed identity to retrieve a storage SAS from Resource Manager, then use the SAS to access storage. In this step, you grant your VM's system-assigned managed identity access to your storage account SAS. Grant access by assigning the [Storage Account Contributor](../../role-based-access-control/built-in-roles.md#storage-account-contributor) role to the managed-identity at the scope of the resource group that contains your storage account.
+
+For detailed steps, see [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.md).ΓÇ¥
+
+>[!NOTE]
+> For more information on the various roles that you can use to grant permissions to storage review [Authorize access to blobs and queues using Azure Active Directory](../../storage/common/storage-auth-aad.md#assign-azure-roles-for-access-rights)
-1. Navigate back to your newly created storage account.
-2. Click the **Access control (IAM)** link in the left panel.
-3. Click **+ Add role assignment** on top of the page to add a new role assignment for your VM
-4. Set **Role** to "Storage Account Key Operator Service Role", on the right side of the page.
-5. In the next dropdown, set **Assign access to** the resource "Virtual Machine".
-6. Next, ensure the proper subscription is listed in **Subscription** dropdown, then set **Resource Group** to "All resource groups".
-7. Finally, under **Select** choose your Linux Virtual Machine in the dropdown, then click **Save**.
-
- ![Alt image text](./media/msi-tutorial-linux-vm-access-storage/msi-storage-role.png)
## Get an access token using the VM's identity and use it to call Azure Resource Manager
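Review bot: the paragraph added under "Grant your VM's system-assigned managed identity access to use storage account access keys" talks about retrieving a storage SAS and granting access to "your storage account SAS", and assigns the Storage Account Contributor role, while the removed step 4 assigned "Storage Account Key Operator Service Role" and the heading is about access keys; the text appears to have been copied from the SAS tutorial, so the role and the SAS wording should be rechecked against what this article's later steps actually call. Also in this hunk: the link sentence ends with the mis-encoded characters `ΓÇ¥` after `role-assignments-portal.md).`, which should be removed, and the opening claim "Azure Storage does not natively support Azure AD authentication" sits directly above a NOTE that links to "Authorize access to blobs and queues using Azure Active Directory"; one of the two should be reworded so they do not contradict each other.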
active-directory Tutorial Linux Vm Access Storage Sas https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/managed-identities-azure-resources/tutorial-linux-vm-access-storage-sas.md
documentationcenter: ''
editor: daveba-+ ms.devlang: na na Previously updated : 11/03/2020 Last updated : 05/24/2021
Later we will upload and download a file to the new storage account. Because fil
## Grant your VM's system-assigned managed identity access to use a storage SAS
-Azure Storage does not natively support Azure AD authentication. However, you can use your VM's system-assigned managed identity to retrieve a storage SAS from the Resource Manager, then use the SAS to access storage. In this step, you grant your VM's system-assigned managed identity access to your storage account SAS.
+Azure Storage does not natively support Azure AD authentication. However, you can use your VM's system-assigned managed identity to retrieve a storage SAS from Resource Manager, then use the SAS to access storage. In this step, you grant your VM's system-assigned managed identity access to your storage account SAS. Grant access by assigning the [Storage Account Contributor](../../role-based-access-control/built-in-roles.md#storage-account-contributor) role to the managed-identity at the scope of the resource group that contains your storage account.
+
+For detailed steps, see [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.md).ΓÇ¥
+
+>[!NOTE]
+> For more information on the various roles that you can use to grant permissions to storage review [Authorize access to blobs and queues using Azure Active Directory](../../storage/common/storage-auth-aad.md#assign-azure-roles-for-access-rights)
-1. Navigate back to your newly created storage account.
-2. Click the **Access control (IAM)** link in the left panel.
-3. Click **+ Add role assignment** on top of the page to add a new role assignment for your VM
-4. Set **Role** to "Storage Account Contributor", on the right side of the page.
-5. In the next dropdown, set **Assign access to** the resource "Virtual Machine".
-6. Next, ensure the proper subscription is listed in **Subscription** dropdown, then set **Resource Group** to "All resource groups".
-7. Finally, under **Select** choose your Linux Virtual Machine in the dropdown, then click **Save**.
-
- ![Alt image text](./media/msi-tutorial-linux-vm-access-storage/msi-storage-role-sas.png)
## Get an access token using the VM's identity and use it to call Azure Resource Manager
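Review bot: The retained opening sentence of the added paragraph, "Azure Storage does not natively support Azure AD authentication", contradicts the sibling tutorial updated in this same change set, which states "Azure Storage natively supports Azure AD authentication, so it can directly accept access tokens obtained using a Managed Identity"; either qualify it (this tutorial deliberately obtains a SAS through Resource Manager rather than using an Azure AD token directly) or drop it, so readers are not told the SAS path is the only option. Two smaller fixes in the same hunk: delete the stray closing quotation mark after the "Assign Azure roles using the Azure portal" link, and give the NOTE a comma before "review" and a terminating period ("...grant permissions to storage, review [Authorize access to blobs and queues using Azure Active Directory](...)."). Also hyphenate consistently: the heading and first sentence say "managed identity" while the new text says "managed-identity".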
active-directory Tutorial Linux Vm Access Storage https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/managed-identities-azure-resources/tutorial-linux-vm-access-storage.md
documentationcenter:
editor: -+ ms.devlang: na na Previously updated : 10/23/2020 Last updated : 05/24/2021
Files require blob storage so you need to create a blob container in which to st
## Grant your VM access to an Azure Storage container
-You can use the VM's managed identity to retrieve the data in the Azure storage blob.
+You can use the VM's managed identity to retrieve the data in the Azure storage blob. Managed identities for Azure resources, can be used to authenticate to resources that support Azure AD authentication. Grant access by assigning the [storage-blob-data-reader](../../role-based-access-control/built-in-roles.md#storage-blob-data-reader) role to the managed-identity at the scope of the resource group that contains your storage account.
+
+For detailed steps, see [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.md).ΓÇ¥
>[!NOTE] > For more information on the various roles that you can use to grant permissions to storage review [Authorize access to blobs and queues using Azure Active Directory](../../storage/common/storage-auth-aad.md#assign-azure-roles-for-access-rights)-
-1. Navigate back to your newly created storage account.ΓÇ»
-2. Click the **Access control (IAM)** link in the left panel.
-3. Click **+ Add role assignment** on top of the page to add a new role assignment for your VM.
-4. Under **Role**, from the dropdown, select **Storage Blob Data Reader**.
-5. In the next dropdown, under **Assign access to**, choose **Virtual Machine**.
-6. Next, ensure the proper subscription is listed in **Subscription** dropdown and then set **Resource Group** to **All resource groups**.
-7. Under **Select**, choose your VM and then click **Save**.
-
- ![Assign permissions](./media/tutorial-linux-vm-access-storage/access-storage-perms.png)
- ## Get an access token and use it to call Azure Storage Azure Storage natively supports Azure AD authentication, so it can directly accept access tokens obtained using a Managed Identity. This is part of Azure Storage's integration with Azure AD, and is different from supplying credentials on the connection string.
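Review bot: The role name in the added sentence, "storage-blob-data-reader", should be the display name **Storage Blob Data Reader**, as the removed step 4 had it, so readers can find it in the portal role picker; the anchor slug can stay in the link target. Also in this hunk: remove the stray comma in "Managed identities for Azure resources, can be used to authenticate", delete the stray closing quotation mark after the "Assign Azure roles using the Azure portal" link, give the NOTE a comma before "review" and a closing period, and change "managed-identity" to "managed identity" to match the rest of the article.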
active-directory Tutorial Windows Vm Access Arm https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-arm.md
documentationcenter: ''
editor: daveba-+ ms.devlang: na na Previously updated : 12/09/2020 Last updated : 05/24/2021
This tutorial shows you how to access the Azure Resource Manager API using a Win
## Grant your VM access to a resource group in Resource Manager
-Using managed identities for Azure resources, your code can get access tokens to authenticate to resources that support Azure AD authentication. The Azure Resource Manager supports Azure AD authentication. First, we need to grant this VMΓÇÖs system-assigned managed identity access to a resource in Resource Manager, in this case the Resource Group in which the VM is contained.
-
-1. Navigate to the tab for **Resource Groups**.
-2. Select the specific **Resource Group** you created for your **Windows VM**.
-3. Go to **Access control (IAM)** in the left panel.
-4. Then **Add role assignment** a new role assignment for your **Windows VM**. Choose **Role** as **Reader**.
-5. In the next drop-down, **Assign access to** the resource **Virtual Machine**.
-6. Next, ensure the proper subscription is listed in the **Subscription** dropdown. And for **Resource Group**, select **All resource groups**.
-7. Finally, in **Select** choose your Windows VM in the dropdown and click **Save**.
-
- ![Alt image text](media/msi-tutorial-windows-vm-access-arm/msi-windows-permissions.png)
+Using managed identities for Azure resources, your code can get access tokens to authenticate to resources that support Azure AD authentication and Azure Resource Manager supports Azure AD authentication. We need to grant this VMΓÇÖs system-assigned managed identity access to a resource in Resource Manager, in this case the Resource Group where you created the VM. Assign the [Reader](../../role-based-access-control/built-in-roles.md#reader) role to the managed-identity at the scope of the resource group we created for your **Windows VM**.
+
+For detailed steps, see [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.md).
## Get an access token using the VM's system-assigned managed identity and use it to call Azure Resource Manager
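Review bot: The added paragraph merges two sentences into a run-on ("...resources that support Azure AD authentication and Azure Resource Manager supports Azure AD authentication"); keep the removed text's split: "...that support Azure AD authentication. Azure Resource Manager supports Azure AD authentication." The last sentence also mixes voice ("the resource group we created for your **Windows VM**") in an article that otherwise addresses the reader; use "the resource group you created for your Windows VM". As in the two Linux tutorials in this change, "managed-identity" should read "managed identity".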
active-directory Acadia Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/acadia-tutorial.md
Previously updated : 1/17/2019 Last updated : 06/11/2021 # Tutorial: Azure Active Directory integration with Acadia
-In this tutorial, you learn how to integrate Acadia with Azure Active Directory (Azure AD).
-Integrating Acadia with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Acadia with Azure Active Directory (Azure AD). When you integrate Acadia with Azure AD, you can:
-* You can control in Azure AD who has access to Acadia.
-* You can enable your users to be automatically signed-in to Acadia (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Acadia.
+* Enable your users to be automatically signed-in to Acadia with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with Acadia, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* Acadia single sign-on enabled subscription
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Acadia single sign-on (SSO) enabled subscription.
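Review bot: In the rewritten benefit list, "automatically signed-in to Acadia" uses the hyphenated adjective form where the verb is needed; write "automatically signed in to Acadia". The same phrase appears in the Claromentis and Encompass rewrites in this change set and should be fixed there too. Otherwise the intro and prerequisites match the current gallery-tutorial wording.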
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* Acadia supports **SP and IDP** initiated SSO
-* Acadia supports **Just In Time** user provisioning
+* Acadia supports **SP and IDP** initiated SSO.
+* Acadia supports **Just In Time** user provisioning.
-## Adding Acadia from the gallery
+## Add Acadia from the gallery
To configure the integration of Acadia into Azure AD, you need to add Acadia from the gallery to your list of managed SaaS apps.
-**To add Acadia from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **Acadia**, select **Acadia** from result panel then click **Add** button to add the application.
-
- ![Acadia in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
-
-In this section, you configure and test Azure AD single sign-on with Acadia based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Acadia needs to be established.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Acadia** in the search box.
+1. Select **Acadia** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-To configure and test Azure AD single sign-on with Acadia, you need to complete the following building blocks:
+## Configure and test Azure AD SSO for Acadia
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure Acadia Single Sign-On](#configure-acadia-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Acadia test user](#create-acadia-test-user)** - to have a counterpart of Britta Simon in Acadia that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+Configure and test Azure AD SSO with Acadia using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Acadia.
-### Configure Azure AD single sign-on
+To configure and test Azure AD SSO with Acadia, perform the following steps:
-In this section, you enable Azure AD single sign-on in the Azure portal.
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Acadia SSO](#configure-acadia-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Acadia test user](#create-acadia-test-user)** - to have a counterpart of B.Simon in Acadia that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-To configure Azure AD single sign-on with Acadia, perform the following steps:
+## Configure Azure AD SSO
-1. In the [Azure portal](https://portal.azure.com/), on the **Acadia** application integration page, select **Single sign-on**.
+Follow these steps to enable Azure AD SSO in the Azure portal.
- ![Configure single sign-on link](common/select-sso.png)
+1. In the Azure portal, on the **Acadia** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
-
- ![Single sign-on select mode](common/select-saml-option.png)
-
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, If you wish to configure the application in **IDP** initiated mode, perform the following steps:
- ![Screenshot that shows the screen elements required to configure the application in IDP initiated mode.](common/idp-intiated.png)
- a. In the **Identifier** text box, type a URL using the following pattern: `https://<CUSTOMER>.acadia.sysalli.com/shibboleth`
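Review bot: Removing "a. In the **Identifier** text box, type a URL using the following pattern: `https://<CUSTOMER>.acadia.sysalli.com/shibboleth`" leaves step 4 ("perform the following steps:") with its only visible substep gone; if the Identifier (and Reply URL) instructions are meant to survive, they need to be re-added and relettered directly under step 4, since the tutorial later relies on the Basic SAML Configuration being filled in before metadata is sent to Acadia support. Separately, the rewritten steps under "Configure Azure AD SSO" use "1." for every item while the unchanged steps that follow still carry "4." and "5."; use one numbering scheme. Minor wording in the added lines: "To add a new application", "from the results panel", "on the application side", "representation of the user".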
To configure Azure AD single sign-on with Acadia, perform the following steps:
5. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
- ![Acadia Domain and URLs single sign-on information](common/metadata-upload-additional-signon.png)
- In the **Sign-on URL** text box, type a URL using the following pattern: `https://<CUSTOMER>.acadia.sysalli.com/Shibboleth.sso/Login`
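Review bot: Step 5 still says "perform the following step if you wish to configure the application in **SP** initiated mode", but the only step beneath it (the Sign-on URL pattern `https://<CUSTOMER>.acadia.sysalli.com/Shibboleth.sso/Login`) is deleted here together with its screenshot; either keep the Sign-on URL instruction or remove step 5 as well, otherwise the SP-initiated option described under "Test SSO" has no sign-on URL to point the reader at.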
To configure Azure AD single sign-on with Acadia, perform the following steps:
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
-
- b. Azure Ad Identifier
-
- c. Logout URL
-
-### Configure Acadia Single Sign-On
-
-To configure single sign-on on the **Acadia** side, you need to send the downloaded **Metadata XML**, the **App Federation Metadata URL**, and appropriate copied URLs from Azure portal to [Acadia support team](mailto:support@systemsalliance.com). They configure this setting to have the SAML SSO connection set properly on both sides.
- ### Create an Azure AD test user
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type **brittasimon\@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
+In this section, you'll create a test user in the Azure portal called B.Simon.
- d. Click **Create**.
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
### Assign the Azure AD test user
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Acadia.
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Acadia.
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Acadia**.
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Acadia**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
- ![Enterprise applications blade](common/enterprise-applications.png)
+## Configure Acadia SSO
-2. In the applications list, select **Acadia**.
-
- ![The Acadia link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
+To configure single sign-on on the **Acadia** side, you need to send the downloaded **Metadata XML**, the **App Federation Metadata URL**, and appropriate copied URLs from Azure portal to [Acadia support team](mailto:support@systemsalliance.com). They configure this setting to have the SAML SSO connection set properly on both sides.
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
+### Create Acadia test user
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
+In this section, a user called Britta Simon is created in Acadia. Acadia supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Acadia, a new one is created after authentication.
-7. In the **Add Assignment** dialog click the **Assign** button.
+## Test SSO
-### Create Acadia test user
+In this section, you test your Azure AD single sign-on configuration with following options.
-In this section, a user called Britta Simon is created in Acadia. Acadia supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Acadia, a new one is created after authentication.
+#### SP initiated:
-### Test single sign-on
+* Click on **Test this application** in Azure portal. This will redirect to Acadia Sign on URL where you can initiate the login flow.
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+* Go to Acadia Sign-on URL directly and initiate the login flow from there.
-When you click the Acadia tile in the Access Panel, you should be automatically signed in to the Acadia for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+#### IDP initiated:
-## Additional Resources
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Acadia for which you set up the SSO.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the Acadia tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Acadia for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Acadia you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
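Review bot: The added "Create Acadia test user" paragraph still names the test user "Britta Simon" while every other rewritten line in this change uses **B.Simon** (the Azure AD test user, the assignment step, the building-block list); rename it, since the point of the section is that the Acadia user is the counterpart of the Azure AD one. Also in this hunk: removing the "a. Login URL / b. Azure Ad Identifier / c. Logout URL" list leaves the "Copy configuration URLs" screenshot with no text saying which values to copy, so add a sentence naming them; "#### SP initiated:" and "#### IDP initiated:" jump from the h2 "## Test SSO" to h4, skipping h3; "Sign on URL" (SP bullet) and "Sign-on URL" (next bullet) should be spelled the same way; "with following options" needs "the"; and "protects exfiltration and infiltration" should read "protects against exfiltration and infiltration".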
active-directory Claromentis Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/claromentis-tutorial.md
Previously updated : 12/04/2019 Last updated : 06/11/2021
In this tutorial, you'll learn how to integrate Claromentis with Azure Active Di
* Enable your users to be automatically signed-in to Claromentis with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Claromentis supports **SP and IDP** initiated SSO
-* Claromentis supports **Just In Time** user provisioning
+* Claromentis supports **SP and IDP** initiated SSO.
+* Claromentis supports **Just In Time** user provisioning.
+
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-## Adding Claromentis from the gallery
+## Add Claromentis from the gallery
To configure the integration of Claromentis into Azure AD, you need to add Claromentis from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Claromentis** in the search box. 1. Select **Claromentis** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on for Claromentis
+## Configure and test Azure AD SSO for Claromentis
Configure and test Azure AD SSO with Claromentis using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Claromentis.
-To configure and test Azure AD SSO with Claromentis, complete the following building blocks:
+To configure and test Azure AD SSO with Claromentis, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
- * **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
- * **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
1. **[Configure Claromentis SSO](#configure-claromentis-sso)** - to configure the single sign-on settings on application side.
- * **[Create Claromentis test user](#create-claromentis-test-user)** - to have a counterpart of B.Simon in Claromentis that is linked to the Azure AD representation of user.
+ 1. **[Create Claromentis test user](#create-claromentis-test-user)** - to have a counterpart of B.Simon in Claromentis that is linked to the Azure AD representation of user.
1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ## Configure Azure AD SSO Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Claromentis** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **Claromentis** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
-1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, enter the values for the following fields:
+1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, perform the following steps:
a. In the **Identifier** text box, enter the identifier value as per your organization requirement. b. In the **Reply URL** text box, type a URL using the following pattern:
- `https://<customer_site_url>/custom/loginhandler/simplesaml/www/module.php/saml/sp/saml2-acs.php/claromentis`
+ `https://<CUSTOMER_SITE_URL>/custom/loginhandler/simplesaml/www/module.php/saml/sp/saml2-acs.php/claromentis`
1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
- In the **Sign-on URL** text box, type a URL using the following pattern:
-
- ```https
- https://<customer_site_url>/login
- https://<customer_site_url>/login?no_auto=0
- ```
+ In the **Sign-on URL** text box, type a URL using one of the following patterns:
+ | Sign-on URL |
+ | - |
+ | `https://<CUSTOMER_SITE_URL>/login` |
+ | `https://<CUSTOMER_SITE_URL>/login?no_auto=0` |
+ |
> [!NOTE]
- > These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL which is explained later in the turorial.
+ > These values are not real. Update these values with the actual Reply URL and Sign-on URL which is explained later in the turorial.
1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.
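Review bot: The new NOTE ("Identifier of this application is a fixed string value so only one instance can be configured in one tenant") contradicts the unchanged substep a. a few lines below ("In the **Identifier** text box, enter the identifier value as per your organization requirement") and the later step that copies **Identifier (Entity ID)** from Claromentis into the Azure portal; one of these is wrong, so either drop the NOTE or reword it to match the actual behaviour. In the Sign-on URL table, the trailing line "+ |" is a stray, empty table row that will render as broken markup; delete it. The typo "turorial" survives the edit of the second NOTE ("which is explained later in the turorial") and should be "tutorial"; "which is" should also become "which are", since it now refers to two URLs.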
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **Claromentis**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure Claromentis SSO
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. Click on the **applications icon** and select **Admin**.
- ![Screenshot shows the Claromentis website with Admin selected.](./media/claromentis-tutorial/config1.png)
+ ![Screenshot shows the Claromentis website with Admin selected.](./media/claromentis-tutorial/admin.png)
1. Select **Custom Login Handler** tab.
- ![Screenshot shows the Administration page with Custom Login Handler selected.](./media/claromentis-tutorial/config2.png)
+ ![Screenshot shows the Administration page with Custom Login Handler selected.](./media/claromentis-tutorial/custom-login.png)
1. Select **SAML Config**.
- ![Screenshot shows the configuration page for SAML.](./media/claromentis-tutorial/config3.png)
+ ![Screenshot shows the configuration page for SAML.](./media/claromentis-tutorial/configure.png)
1. On the **SAML Config** tab, scroll down to the **Config** section and perform the following steps:
- ![Screenshot shows the Config section of the page where you can enter the information described in this step.](./media/claromentis-tutorial/config4.png)
+ ![Screenshot shows the Config section of the page where you can enter the information described in this step.](./media/claromentis-tutorial/information.png)
a. In the **Technical Contact Name** textbox, enter the name of technical contact person.
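Review bot: The four screenshot references are renamed from config1.png to config4.png into admin.png, custom-login.png, configure.png and information.png; confirm the renamed media files are included in this commit (and the old ones removed), otherwise the images break on publish. Style point in the unchanged substep: "enter the name of technical contact person" should be "enter the name of the technical contact person".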
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. Scroll down to **Auth Sources** and perform the following steps:
- ![Screenshot shows the Auth Sources section where you can enter the information described in this step.](./media/claromentis-tutorial/config5.png)
+ ![Screenshot shows the Auth Sources section where you can enter the information described in this step.](./media/claromentis-tutorial/sources.png)
a. In the **IDP** textbox, enter the **Azure AD Identifier** value, which you have copied from the Azure portal.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. You will now notice all URLs have been populated within the **Identity Provider** section in the **SAML Config** section.
- ![Screenshot shows the Identity Provider page populated with U R Ls.](./media/claromentis-tutorial/config6.png)
+ ![Screenshot shows the Identity Provider page populated with U R Ls.](./media/claromentis-tutorial/configuration.png)
a. Copy **Identifier (Entity ID)** value, paste this value in the **Identifier** textbox on the **Basic SAML Configuration** section in Azure portal.
In this section, a user called B.Simon is created in Claromentis. Claromentis su
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
+
+* Click on **Test this application** in Azure portal. This will redirect to Claromentis Sign on URL where you can initiate the login flow.
-When you click the Claromentis tile in the Access Panel, you should be automatically signed in to the Claromentis for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Go to Claromentis Sign-on URL directly and initiate the login flow from there.
-## Additional resources
+#### IDP initiated:
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Claromentis for which you set up the SSO.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the Claromentis tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Claromentis for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+## Next steps
-- [Try Claromentis with Azure AD](https://aad.portal.azure.com/)
+Once you configure Claromentis you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
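Review bot: The heading and wording issues here match the Acadia "Test SSO" rewrite in this change set: "#### SP initiated:" and "#### IDP initiated:" sit directly under the h2 "## Test SSO" (h2 to h4 with no h3), "Claromentis Sign on URL" and "Claromentis Sign-on URL" should be spelled the same way, "with following options" needs "the", and "protects exfiltration and infiltration" should be "protects against exfiltration and infiltration". The removed "Try Claromentis with Azure AD" link has no counterpart in the new "Next steps" section; confirm that drop was intentional.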
active-directory Encompass Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/encompass-tutorial.md
Previously updated : 02/06/2019 Last updated : 06/11/2021 # Tutorial: Azure Active Directory integration with Encompass
-In this tutorial, you learn how to integrate Encompass with Azure Active Directory (Azure AD).
-Integrating Encompass with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Encompass with Azure Active Directory (Azure AD). When you integrate Encompass with Azure AD, you can:
-* You can control in Azure AD who has access to Encompass.
-* You can enable your users to be automatically signed-in to Encompass (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Encompass.
+* Enable your users to be automatically signed-in to Encompass with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with Encompass, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* Encompass single sign-on enabled subscription
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Encompass single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* Encompass supports **IDP** initiated SSO
-
-## Adding Encompass from the gallery
-
-To configure the integration of Encompass into Azure AD, you need to add Encompass from the gallery to your list of managed SaaS apps.
-
-**To add Encompass from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
+* Encompass supports **IDP** initiated SSO.
- ![The New application button](common/add-new-app.png)
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-4. In the search box, type **Encompass**, select **Encompass** from result panel then click **Add** button to add the application.
+## Add Encompass from the gallery
- ![Encompass in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
-
-In this section, you configure and test Azure AD single sign-on with Encompass based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Encompass needs to be established.
-
-To configure and test Azure AD single sign-on with Encompass, you need to complete the following building blocks:
-
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure Encompass Single Sign-On](#configure-encompass-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Encompass test user](#create-encompass-test-user)** - to have a counterpart of Britta Simon in Encompass that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+To configure the integration of Encompass into Azure AD, you need to add Encompass from the gallery to your list of managed SaaS apps.
-### Configure Azure AD single sign-on
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Encompass** in the search box.
+1. Select **Encompass** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+## Configure and test Azure AD SSO for Encompass
-To configure Azure AD single sign-on with Encompass, perform the following steps:
+Configure and test Azure AD SSO with Encompass using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Encompass.
-1. In the [Azure portal](https://portal.azure.com/), on the **Encompass** application integration page, select **Single sign-on**.
+To configure and test Azure AD SSO with Encompass, perform the following steps:
- ![Configure single sign-on link](common/select-sso.png)
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Encompass SSO](#configure-encompass-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Encompass test user](#create-encompass-test-user)** - to have a counterpart of B.Simon in Encompass that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+## Configure Azure AD SSO
- ![Single sign-on select mode](common/select-saml-option.png)
+Follow these steps to enable Azure AD SSO in the Azure portal.
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
+1. In the Azure portal, on the **Encompass** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Set up Single Sign-On with SAML** page, perform the following steps:
- ![Encompass Domain and URLs single sign-on information](common/idp-intiated.png)
- a. In the **Identifier** text box, provide your customer specific value. b. In the **Reply URL** text box, type a URL using the following pattern:
- `https://<subdomain>.voxmobile.com/voxportal/ws/saml/consume`
+ `https://<SUBDOMAIN>.voxmobile.com/voxportal/ws/saml/consume`
> [!NOTE]
- > These values are not real. Update these values with the actual Identifier and Reply URL. Contact [Encompass Client support team](https://www.voxmobile.com/contact/) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+ > This value is not real. Update this value with the actual Reply URL. Contact [Encompass Client support team](https://www.voxmobile.com/contact/) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
5. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Certificate (Base64)** from the given options as per your requirement and save it on your computer.
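Review bot: After this hunk, step 4 (`perform the following steps:`) is followed only by the bare pattern `https://<SUBDOMAIN>.voxmobile.com/voxportal/ws/saml/consume`, because the line `b. In the **Reply URL** text box, type a URL using the following pattern:` appears only as removed together with the Identifier instruction; confirm that lead-in line is retained so the reader knows which field the pattern belongs in. Dropping the Identifier step is consistent with the new note that the identifier is a fixed string, but the rewritten note still says `Contact ... to get these values` for what is now a single Reply URL value. The new steps use `1.` auto-numbering while the unchanged steps keep literal `4.` and `5.`, and the unchanged heading text `Set up Single Sign-On with SAML` no longer matches the new `Set up single sign-on with SAML`; align both.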
To configure Azure AD single sign-on with Encompass, perform the following steps
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
-
- b. Azure Ad Identifier
-
- c. Logout URL
-
-### Configure Encompass Single Sign-On
-
-To configure single sign-on on **Encompass** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [Encompass support team](https://www.voxmobile.com/contact/). They set this setting to have the SAML SSO connection set properly on both sides.
- ### Create an Azure AD test user
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type **brittasimon\@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
+In this section, you'll create a test user in the Azure portal called B.Simon.
- d. Click **Create**.
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
### Assign the Azure AD test user
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Encompass.
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Encompass.
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Encompass**.
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Encompass**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
- ![Enterprise applications blade](common/enterprise-applications.png)
+## Configure Encompass SSO
-2. In the applications list, select **Encompass**.
-
- ![The Encompass link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
+To configure single sign-on on **Encompass** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [Encompass support team](https://www.voxmobile.com/contact/). They set this setting to have the SAML SSO connection set properly on both sides.
### Create Encompass test user In this section, you create a user called Britta Simon in Encompass. Work with [Encompass support team](https://www.voxmobile.com/contact/) to add the users in the Encompass platform. Users must be created and activated before you use single sign-on.
-### Test single sign-on
-
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+## Test SSO
-When you click the Encompass tile in the Access Panel, you should be automatically signed in to the Encompass for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+In this section, you test your Azure AD single sign-on configuration with following options.
-## Additional Resources
+* Click on Test this application in Azure portal and you should be automatically signed in to the Encompass for which you set up the SSO.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the Encompass tile in the My Apps, you should be automatically signed in to the Encompass for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Encompass you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
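Review bot: The new `## Configure Encompass SSO` paragraph tells the reader to send the `appropriate copied URLs` to Encompass support, but this hunk removes the list that named them (`a. Login URL`, `b. Azure Ad Identifier`, `c. Logout URL`) without a replacement, so nothing in the section says which values to copy; keep a sentence naming the three values. The heading `### Create an Azure AD test user` is shown only as a removed line while `#create-an-azure-ad-test-user` is still linked from the new step list, so confirm the heading is present in the result. The unchanged line `### Create Encompass test user In this section, you create a user called Britta Simon in Encompass` keeps the old test-user name while everything else in the file is renamed to B.Simon. In the Test SSO bullet, `Test this application` lacks the bold used in the other tutorials in this change, and `protects exfiltration and infiltration` should read `protects against exfiltration and infiltration`.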
active-directory Helpshift Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/helpshift-tutorial.md
Previously updated : 12/20/2019 Last updated : 06/11/2021
In this tutorial, you'll learn how to integrate Helpshift with Azure Active Dire
* Enable your users to be automatically signed-in to Helpshift with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Helpshift supports **SP and IDP** initiated SSO
+* Helpshift supports **SP and IDP** initiated SSO.
-## Adding Helpshift from the gallery
+## Add Helpshift from the gallery
To configure the integration of Helpshift into Azure AD, you need to add Helpshift from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Helpshift** in the search box. 1. Select **Helpshift** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on for Helpshift
+## Configure and test Azure AD SSO for Helpshift
Configure and test Azure AD SSO with Helpshift using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Helpshift.
-To configure and test Azure AD SSO with Helpshift, complete the following building blocks:
+To configure and test Azure AD SSO with Helpshift, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
- * **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
- * **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
1. **[Configure Helpshift SSO](#configure-helpshift-sso)** - to configure the single sign-on settings on application side.
- * **[Create Helpshift test user](#create-helpshift-test-user)** - to have a counterpart of B.Simon in Helpshift that is linked to the Azure AD representation of user.
+ 1. **[Create Helpshift test user](#create-helpshift-test-user)** - to have a counterpart of B.Simon in Helpshift that is linked to the Azure AD representation of user.
1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ## Configure Azure AD SSO Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Helpshift** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **Helpshift** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
-1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, enter the values for the following fields:
+1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, perform the following steps:
a. In the **Identifier** text box, type a URL using the following pattern:
- `https://<YourDOMAIN>.helpshift.com/`
+ `https://<YOUR_DOMAIN>.helpshift.com/`
b. In the **Reply URL** text box, type a URL using the following pattern:
- `https://<YourDOMAIN>.helpshift.com/login/saml/acs/`
+ `https://<YOUR_DOMAIN>.helpshift.com/login/saml/acs/`
1. Click **Set additional URLs** and perform the following steps if you wish to configure the application in **SP** initiated mode:
- d. In the **Sign-on URL** text box, type a URL using the following pattern:
- `https://<YourDOMAIN>.helpshift.com/login/saml/idp-login/`
+ a. In the **Sign-on URL** text box, type a URL using the following pattern:
+ `https://<YOUR_DOMAIN>.helpshift.com/login/saml/idp-login/`
- e. In the **Relay State** text box, type a URL using the following pattern:
- `https://<YourDOMAIN>.helpshift.com/`
+ b. In the **Relay State** text box, type a URL using the following pattern:
+ `https://<YOUR_DOMAIN>.helpshift.com/`
> [!NOTE] > These values are not real. Update these values with the actual Identifier, Reply URL, Sign-on URL and Relay State. Contact [Helpshift Client support team](mailto:support@helpshift.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **Helpshift**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure Helpshift SSO
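Review bot: The replacement role sentence drops the reason the role matters: the removed line said `If you're expecting any role value in the SAML assertion`, which told the reader that the selected role is what ends up in the assertion, while the new `If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown` does not; consider keeping that rationale. The context lines `select **Users and groups**.-` and `in the **Add Assignment** dialog.-` end with a stray `-` in this view; confirm the source lines end with a period and that removing the two screenshot lines did not leave the numbered list broken.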
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. Open the Helpshift **Dashboard** and click on **Settings icon**.
- ![Screenshot shows the Helpshift Settings icon.](./media/helpshift-tutorial/configuration01.png)
+ ![Screenshot shows the Helpshift Settings icon.](./media/helpshift-tutorial/dashboard.png)
1. Click **Integrations** tab and perform the following steps:
- ![Screenshot shows the Integration tab where you can perform steps described.](./media/helpshift-tutorial/configuration02.png)
+ ![Screenshot shows the Integration tab where you can perform steps described.](./media/helpshift-tutorial/configuration.png)
a. Turn on the **Single Sign-On(SAML ΓÇô SSO)**.
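Review bot: Both screenshot paths change (`configuration01.png` to `dashboard.png` and `configuration02.png` to `configuration.png`); confirm the new files are added under `./media/helpshift-tutorial/` in this commit and the old ones removed, otherwise both images break. The unchanged line `Turn on the **Single Sign-On(SAML ΓÇô SSO)**` shows a mis-encoded dash here, so check the file's encoding while this section is being touched.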
In this section, you create a user called B.Simon in Helpshift. Work with [Help
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
+
+* Click on **Test this application** in Azure portal. This will redirect to Helpshift Sign on URL where you can initiate the login flow.
-When you click the Helpshift tile in the Access Panel, you should be automatically signed in to the Helpshift for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Go to Helpshift Sign-on URL directly and initiate the login flow from there.
-## Additional resources
+#### IDP initiated:
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Helpshift for which you set up the SSO.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the Helpshift tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Helpshift for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+## Next steps
-- [Try Helpshift with Azure AD](https://aad.portal.azure.com/)
+Once you configure Helpshift you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
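Review bot: `protects exfiltration and infiltration of your organization's sensitive data` in the added Next steps paragraph should read `protects against exfiltration and infiltration`, and the apostrophe in that line is mis-encoded in this view; the same sentence is added to the Claromentis and Encompass files in this change, so correct it in all three. The SP initiated bullets alternate between `Helpshift Sign on URL` and `Helpshift Sign-on URL` for the same field, and the My Apps paragraph is one long run-on that would read better split at `if configured in IDP mode`.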
active-directory Hostedgraphite Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/hostedgraphite-tutorial.md
Previously updated : 02/15/2019 Last updated : 06/11/2021 # Tutorial: Azure Active Directory integration with Hosted Graphite
-In this tutorial, you learn how to integrate Hosted Graphite with Azure Active Directory (Azure AD).
-Integrating Hosted Graphite with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Hosted Graphite with Azure Active Directory (Azure AD). When you integrate Hosted Graphite with Azure AD, you can:
-* You can control in Azure AD who has access to Hosted Graphite.
-* You can enable your users to be automatically signed-in to Hosted Graphite (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Hosted Graphite.
+* Enable your users to be automatically signed-in to Hosted Graphite with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with Hosted Graphite, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* Hosted Graphite single sign-on enabled subscription
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Hosted Graphite single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* Hosted Graphite supports **SP and IDP** initiated SSO
-* Hosted Graphite supports **Just In Time** user provisioning
+* Hosted Graphite supports **SP and IDP** initiated SSO.
+* Hosted Graphite supports **Just In Time** user provisioning.
-## Adding Hosted Graphite from the gallery
+## Add Hosted Graphite from the gallery
To configure the integration of Hosted Graphite into Azure AD, you need to add Hosted Graphite from the gallery to your list of managed SaaS apps.
-**To add Hosted Graphite from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **Hosted Graphite**, select **Hosted Graphite** from result panel then click **Add** button to add the application.
-
- ![Hosted Graphite in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
-
-In this section, you configure and test Azure AD single sign-on with Hosted Graphite based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Hosted Graphite needs to be established.
-
-To configure and test Azure AD single sign-on with Hosted Graphite, you need to complete the following building blocks:
-
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure Hosted Graphite Single Sign-On](#configure-hosted-graphite-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Hosted Graphite test user](#create-hosted-graphite-test-user)** - to have a counterpart of Britta Simon in Hosted Graphite that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Hosted Graphite** in the search box.
+1. Select **Hosted Graphite** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-### Configure Azure AD single sign-on
+## Configure and test Azure AD SSO for Hosted Graphite
-In this section, you enable Azure AD single sign-on in the Azure portal.
+Configure and test Azure AD SSO with Hosted Graphite using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Hosted Graphite.
-To configure Azure AD single sign-on with Hosted Graphite, perform the following steps:
+To configure and test Azure AD SSO with Hosted Graphite, perform the following steps:
-1. In the [Azure portal](https://portal.azure.com/), on the **Hosted Graphite** application integration page, select **Single sign-on**.
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Hosted Graphite SSO](#configure-hosted-graphite-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Hosted Graphite test user](#create-hosted-graphite-test-user)** - to have a counterpart of B.Simon in Hosted Graphite that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
- ![Configure single sign-on link](common/select-sso.png)
+## Configure Azure AD SSO
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+Follow these steps to enable Azure AD SSO in the Azure portal.
- ![Single sign-on select mode](common/select-saml-option.png)
+1. In the Azure portal, on the **Hosted Graphite** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, If you wish to configure the application in **IDP** initiated mode, perform the following steps:
- ![Screenshot shows the Basic SAML Configuration, where you can enter Identifier, Reply U R L, and select Save.](common/idp-intiated.png)
- a. In the **Identifier** text box, type a URL using the following pattern:
- `https://www.hostedgraphite.com/metadata/<user id>`
+ `https://www.hostedgraphite.com/metadata/<USER_ID>`
b. In the **Reply URL** text box, type a URL using the following pattern:
- `https://www.hostedgraphite.com/complete/saml/<user id>`
+ `https://www.hostedgraphite.com/complete/saml/<USER_ID>`
5. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
- ![Screenshot shows Set additional U R Ls where you can enter a Sign on U R L.](common/metadata-upload-additional-signon.png)
- In the **Sign-on URL** text box, type a URL using the following pattern:
- `https://www.hostedgraphite.com/login/saml/<user id>/`
+ `https://www.hostedgraphite.com/login/saml/<USER_ID>/`
> [!NOTE] > Please note that these are not the real values. You have to update these values with the actual Identifier, Reply URL and Sign On URL. To get these values, you can go to Access->SAML setup on your Application side or Contact [Hosted Graphite support team](mailto:help@hostedgraphite.com).
To configure Azure AD single sign-on with Hosted Graphite, perform the following
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
- b. Azure Ad Identifier
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Hosted Graphite.
- c. Logout URL
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Hosted Graphite**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
-### Configure Hosted Graphite Single Sign-On
+## Configure Hosted Graphite SSO
1. Sign-on to your Hosted Graphite tenant as an administrator. 2. Go to the **SAML Setup page** in the sidebar (**Access -> SAML Setup**).
- ![Screenshot shows the Access menu with SAML Setup selected.](./media/hostedgraphite-tutorial/tutorial_hostedgraphite_000.png)
+ ![Screenshot shows the Access menu with SAML Setup selected.](./media/hostedgraphite-tutorial/setup.png)
-3. Confirm these URls match your configuration done on the **Basic SAML Configuration** section of the Azure portal.
+3. Confirm these URLs match your configuration done on the **Basic SAML Configuration** section of the Azure portal.
- ![Screenshot shows Basic SAML Configuration.](./media/hostedgraphite-tutorial/tutorial_hostedgraphite_001.png)
+ ![Screenshot shows Basic SAML Configuration.](./media/hostedgraphite-tutorial/configuration.png)
4. In **Entity or Issuer ID** and **SSO Login URL** textboxes, paste the value of **Azure Ad Identifier** and **Login URL** which you have copied from Azure portal.
- ![Screenshot shows entries for Identity Provider.](./media/hostedgraphite-tutorial/tutorial_hostedgraphite_002.png)
+ ![Screenshot shows entries for Identity Provider.](./media/hostedgraphite-tutorial/integration.png)
5. Select **Read-only** as **Default User Role**.
- ![Screenshot shows Default User Role, which is Read-only.](./media/hostedgraphite-tutorial/tutorial_hostedgraphite_004.png)
+ ![Screenshot shows Default User Role, which is Read-only.](./media/hostedgraphite-tutorial/role.png)
6. Open your base-64 encoded certificate in notepad downloaded from Azure portal, copy the content of it into your clipboard, and then paste it to the **X.509 Certificate** textbox.
- ![Screenshot shows X dot 509 Certificate.](./media/hostedgraphite-tutorial/tutorial_hostedgraphite_005.png)
+ ![Screenshot shows X dot 509 Certificate.](./media/hostedgraphite-tutorial/certificate.png)
7. Click **Save** button.
-### Create an Azure AD test user
-
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type **brittasimon\@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
-
-### Assign the Azure AD test user
-
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Hosted Graphite.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Hosted Graphite**.
-
- ![Enterprise applications blade](common/enterprise-applications.png)
-
-2. In the applications list, select **Hosted Graphite**.
-
- ![The Hosted Graphite link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
- ### Create Hosted Graphite test user In this section, a user called Britta Simon is created in Hosted Graphite. Hosted Graphite supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Hosted Graphite, a new one is created after authentication. > [!NOTE]
-> If you need to create a user manually, you need to contact the Hosted Graphite support team via <mailto:help@hostedgraphite.com>.
+> If you need to create a user manually, you need to contact the [Hosted Graphite support team](<mailto:help@hostedgraphite.com>).
+
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
-### Test single sign-on
+* Click on **Test this application** in Azure portal. This will redirect to Hosted Graphite Sign on URL where you can initiate the login flow.
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+* Go to Hosted Graphite Sign-on URL directly and initiate the login flow from there.
-When you click the Hosted Graphite tile in the Access Panel, you should be automatically signed in to the Hosted Graphite for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+#### IDP initiated:
-## Additional Resources
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Hosted Graphite for which you set up the SSO.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the Hosted Graphite tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Hosted Graphite for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Hosted Graphite you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
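Review bot: The removed lines `- a. Login URL`, `- b. Azure Ad Identifier` and `- c. Logout URL` under the `![Copy configuration URLs]` image have no visible replacement in this region, yet the unchanged step 4 of "Configure Hosted Graphite SSO" still tells the reader to paste "the value of **Azure Ad Identifier** and **Login URL** which you have copied from Azure portal", and step 6 refers to a "base-64 encoded certificate ... downloaded from Azure portal" that no remaining step tells them to download; either keep a short list of the values to copy (Login URL, Azure AD Identifier, Base64 certificate) or confirm that the shared include which supplies those steps is present in the file. Two smaller checks: the step list at the top links to `#create-hosted-graphite-test-user`, but the "### Create Hosted Graphite test user" heading and its paragraph about users being created automatically after authentication appear only on a removed line here, so verify that section still exists in the new version (it is the context that makes the **Read-only** Default User Role in step 5 worth keeping); and the new note link `[Hosted Graphite support team](<mailto:help@hostedgraphite.com>)` wraps the destination in angle brackets while the earlier note uses `(mailto:help@hostedgraphite.com)`, so pick one form. Under "## Test SSO" the added "#### SP initiated:" and "#### IDP initiated:" headings skip the h3 level; "###" would match the rest of the file.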
active-directory Hpesaas Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/hpesaas-tutorial.md
Previously updated : 02/15/2019 Last updated : 06/11/2021 # Tutorial: Azure Active Directory integration with HPE SaaS
-In this tutorial, you learn how to integrate HPE SaaS with Azure Active Directory (Azure AD).
-Integrating HPE SaaS with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate HPE SaaS with Azure Active Directory (Azure AD). When you integrate HPE SaaS with Azure AD, you can:
-* You can control in Azure AD who has access to HPE SaaS.
-* You can enable your users to be automatically signed-in to HPE SaaS (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to HPE SaaS.
+* Enable your users to be automatically signed-in to HPE SaaS with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with HPE SaaS, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* HPE SaaS single sign-on enabled subscription
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* HPE SaaS single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* HPE SaaS supports **SP** initiated SSO
+* HPE SaaS supports **SP** initiated SSO.
-## Adding HPE SaaS from the gallery
+## Add HPE SaaS from the gallery
To configure the integration of HPE SaaS into Azure AD, you need to add HPE SaaS from the gallery to your list of managed SaaS apps.
-**To add HPE SaaS from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **HPE SaaS**, select **HPE SaaS** from result panel then click **Add** button to add the application.
-
- ![HPE SaaS in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **HPE SaaS** in the search box.
+1. Select **HPE SaaS** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-In this section, you configure and test Azure AD single sign-on with HPE SaaS based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in HPE SaaS needs to be established.
+## Configure and test Azure AD SSO for HPE SaaS
-To configure and test Azure AD single sign-on with HPE SaaS, you need to complete the following building blocks:
+Configure and test Azure AD SSO with HPE SaaS using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in HPE SaaS.
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure HPE SaaS Single Sign-On](#configure-hpe-saas-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create HPE SaaS test user](#create-hpe-saas-test-user)** - to have a counterpart of Britta Simon in HPE SaaS that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+To configure and test Azure AD SSO with HPE SaaS, perform the following steps:
-### Configure Azure AD single sign-on
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure HPE SaaS SSO](#configure-hpe-saas-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create HPE SaaS test user](#create-hpe-saas-test-user)** - to have a counterpart of B.Simon in HPE SaaS that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+## Configure Azure AD SSO
-To configure Azure AD single sign-on with HPE SaaS, perform the following steps:
+Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **HPE SaaS** application integration page, select **Single sign-on**.
+1. In the Azure portal, on the **HPE SaaS** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Configure single sign-on link](common/select-sso.png)
-
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
-
- ![Single sign-on select mode](common/select-saml-option.png)
-
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, perform the following steps:
- ![HPE SaaS Domain and URLs single sign-on information](common/sp-identifier.png)
-
- a. In the **Sign on URL** text box, type a URL as:
+ a. In the **Sign on URL** text box, type the URL:
`https://login.saas.hpe.com/msg` b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
- `https://<subdomain>.saas.hpe.com`
+ `https://<SUBDOMAIN>.saas.hpe.com`
> [!NOTE] > The Identifier value is not real. Update this value with the actual Identifier. Contact [HPE SaaS Client support team](https://www.sas.com/en_us/contact.html) to get this value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
To configure Azure AD single sign-on with HPE SaaS, perform the following steps:
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
-
- b. Azure Ad Identifier
-
- c. Logout URL
-
-### Configure HPE SaaS Single Sign-On
-
-To configure single sign-on on **HPE SaaS** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [HPE SaaS support team](https://www.sas.com/en_us/contact.html). They set this setting to have the SAML SSO connection set properly on both sides.
- ### Create an Azure AD test user
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type **brittasimon\@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
+In this section, you'll create a test user in the Azure portal called B.Simon.
- d. Click **Create**.
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
### Assign the Azure AD test user
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to HPE SaaS.
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to HPE SaaS.
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **HPE SaaS**.
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **HPE SaaS**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
- ![Enterprise applications blade](common/enterprise-applications.png)
+## Configure HPE SaaS SSO
-2. In the applications list, select **HPE SaaS**.
-
- ![The HPE SaaS link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
+To configure single sign-on on **HPE SaaS** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [HPE SaaS support team](https://www.sas.com/en_us/contact.html). They set this setting to have the SAML SSO connection set properly on both sides.
### Create HPE SaaS test user In this section, you create a user called Britta Simon in HPE SaaS. Work with [HPE SaaS support team](https://www.sas.com/en_us/contact.html) to add the users in the HPE SaaS platform. Users must be created and activated before you use single sign-on.
-### Test single sign-on
+## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the HPE SaaS tile in the Access Panel, you should be automatically signed in to the HPE SaaS for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to HPE SaaS Sign-on URL where you can initiate the login flow.
-## Additional Resources
+* Go to HPE SaaS Sign-on URL directly and initiate the login flow from there.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the HPE SaaS tile in the My Apps, this will redirect to HPE SaaS Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure HPE SaaS you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
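Review bot: All three HPE SaaS support links in this region point to `https://www.sas.com/en_us/contact.html` (in the Identifier note, in "## Configure HPE SaaS SSO" and in "### Create HPE SaaS test user"); that is a SAS domain rather than an HPE one, and because the tutorial relies on that contact for the real Identifier, the Federation Metadata XML exchange and user creation, the URL should be verified and corrected rather than carried over unchanged. Also, the unchanged "### Create HPE SaaS test user" line still says "you create a user called Britta Simon in HPE SaaS" while every added line in this file now uses **B.Simon**, so update it to match; and the Basic SAML Configuration step labels the field "**Sign on URL**" while the new "## Test SSO" bullets call it "HPE SaaS Sign-on URL", so use one spelling.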
active-directory Inforretailinformationmanagement Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/inforretailinformationmanagement-tutorial.md
Previously updated : 04/16/2019 Last updated : 06/11/2021 # Tutorial: Azure Active Directory integration with Infor Retail ΓÇô Information Management
-In this tutorial, you learn how to integrate Infor Retail ΓÇô Information Management with Azure Active Directory (Azure AD).
-Integrating Infor Retail ΓÇô Information Management with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Infor Retail ΓÇô Information Management with Azure Active Directory (Azure AD). When you integrate Infor Retail ΓÇô Information Management with Azure AD, you can:
-* You can control in Azure AD who has access to Infor Retail ΓÇô Information Management.
-* You can enable your users to be automatically signed-in to Infor Retail ΓÇô Information Management (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Infor Retail ΓÇô Information Management.
+* Enable your users to be automatically signed-in to Infor Retail ΓÇô Information Management with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites To configure Azure AD integration with Infor Retail ΓÇô Information Management, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/)
-* Infor Retail ΓÇô Information Management single sign-on enabled subscription
+* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/).
+* Infor Retail ΓÇô Information Management single sign-on enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* Infor Retail ΓÇô Information Management supports **SP and IDP** initiated SSO
+* Infor Retail ΓÇô Information Management supports **SP and IDP** initiated SSO.
-## Adding Infor Retail ΓÇô Information Management from the gallery
+## Add Infor Retail ΓÇô Information Management from the gallery
To configure the integration of Infor Retail ΓÇô Information Management into Azure AD, you need to add Infor Retail ΓÇô Information Management from the gallery to your list of managed SaaS apps.
-**To add Infor Retail ΓÇô Information Management from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **Infor Retail ΓÇô Information Management**, select **Infor Retail ΓÇô Information Management** from result panel then click **Add** button to add the application.
-
- ![Infor Retail ΓÇô Information Management in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Infor Retail ΓÇô Information Management** in the search box.
+1. Select **Infor Retail ΓÇô Information Management** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-In this section, you configure and test Azure AD single sign-on with Infor Retail ΓÇô Information Management based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Infor Retail ΓÇô Information Management needs to be established.
+## Configure and test Azure AD SSO for Infor Retail ΓÇô Information Management
-To configure and test Azure AD single sign-on with Infor Retail ΓÇô Information Management, you need to complete the following building blocks:
+Configure and test Azure AD SSO with Infor Retail ΓÇô Information Management using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Infor Retail ΓÇô Information Management.
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure Infor Retail ΓÇô Information Management Single Sign-On](#configure-infor-retail--information-management-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Infor Retail ΓÇô Information Management test user](#create-infor-retail--information-management-test-user)** - to have a counterpart of Britta Simon in Infor Retail ΓÇô Information Management that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+To configure and test Azure AD SSO with Infor Retail ΓÇô Information Management, perform the following steps:
-### Configure Azure AD single sign-on
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Infor Retail Information Management SSO](#configure-infor-retail-information-management-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Infor Retail Information Management test user](#create-infor-retail-information-management-test-user)** - to have a counterpart of B.Simon in Infor Retail ΓÇô Information Management that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+## Configure Azure AD SSO
-To configure Azure AD single sign-on with Infor Retail ΓÇô Information Management, perform the following steps:
+Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Infor Retail ΓÇô Information Management** application integration page, select **Single sign-on**.
+1. In the Azure portal, on the **Infor Retail ΓÇô Information Management** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Configure single sign-on link](common/select-sso.png)
-
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
-
- ![Single sign-on select mode](common/select-saml-option.png)
-
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, perform the following steps:
- ![Screenshot shows the Basic SAML Configuration, where you can enter Identifier, Reply U R L, and select Save.](common/idp-intiated.png)
- a. In the **Identifier** text box, type a URL using the following pattern:
-
- ```http
- https://<company name>.mingle.infor.com
- http://<company name>.mingledev.infor.com
- ```
+
+ | Identifier URL |
+ |-|
+ |`https://<COMPANY_NAME>.mingle.infor.com`|
+ |`http://<COMPANY_NAME>.mingledev.infor.com`|
+ |
- b. In the **Reply URL** text box, type a URL using the following pattern: `https://<company name>.mingle.infor.com/sp/ACS.saml2`
+ b. In the **Reply URL** text box, type a URL using the following pattern:
+ `https://<COMPANY_NAME>.mingle.infor.com/sp/ACS.saml2`
5. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
- ![Screenshot shows Set additional U R Ls where you can enter a Sign on U R L.](common/metadata-upload-additional-signon.png)
- In the **Sign-on URL** text box, type a URL using the following pattern:
- `https://<company name>.mingle.infor.com/<company code>`
+ `https://<COMPANY_NAME>.mingle.infor.com/<COMPANY_CODE>`
> [!NOTE] > These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact [Infor Retail ΓÇô Information Management Client support team](mailto:innovate@infor.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
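Review bot: the Identifier table added under `| Identifier URL |` ends with a bare `|` line after the two URL rows; a line consisting only of a pipe is not a table row and will render either as an empty row or as stray text, so drop that line and keep only the blank line that follows the table. Separately, the second pattern keeps the plain `http://<COMPANY_NAME>.mingledev.infor.com` scheme from the removed code block. A SAML Identifier (Entity ID) is matched literally against the value the service provider issues rather than fetched as a URL, so it should not be silently changed to `https://` here; the NOTE that follows already tells readers to confirm the real values with the vendor, which covers it.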
To configure Azure AD single sign-on with Infor Retail ΓÇô Information Managemen
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
-
- b. Azure AD Identifier
-
- c. Logout URL
-
-### Configure Infor Retail ΓÇô Information Management Single Sign-On
-
-To configure single sign-on on **Infor Retail ΓÇô Information Management** side, you need to send the downloaded **Metadata XML** and appropriate copied URLs from Azure portal to [Infor Retail ΓÇô Information Management support team](mailto:innovate@infor.com). They set this setting to have the SAML SSO connection set properly on both sides.
- ### Create an Azure AD test user
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type `brittasimon@yourcompanydomain.extension`. For example, BrittaSimon@contoso.com
+In this section, you'll create a test user in the Azure portal called B.Simon.
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
### Assign the Azure AD test user
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Infor Retail ΓÇô Information Management.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Infor Retail ΓÇô Information Management**.
-
- ![Enterprise applications blade](common/enterprise-applications.png)
-
-2. In the applications list, select **Infor Retail ΓÇô Information Management**.
-
- ![The Infor Retail ΓÇô Information Management link in the Applications list](common/all-applications.png)
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Infor Retail ΓÇô Information Management.
-3. In the menu on the left, select **Users and groups**.
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Infor Retail ΓÇô Information Management**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
- ![The "Users and groups" link](common/users-groups-blade.png)
+## Configure Infor Retail Information Management SSO
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
+To configure single sign-on on **Infor Retail ΓÇô Information Management** side, you need to send the downloaded **Metadata XML** and appropriate copied URLs from Azure portal to [Infor Retail ΓÇô Information Management support team](mailto:innovate@infor.com). They set this setting to have the SAML SSO connection set properly on both sides.
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
+### Create Infor Retail Information Management test user
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
+In this section, you create a user called Britta Simon in Infor Retail – Information Management. Work with [Infor Retail – Information Management support team](mailto:innovate@infor.com) to add the users in the Infor Retail – Information Management platform. Users must be created and activated before you use single sign-on.
-7. In the **Add Assignment** dialog click the **Assign** button.
+## Test SSO
-### Create Infor Retail ΓÇô Information Management test user
+In this section, you test your Azure AD single sign-on configuration with following options.
-In this section, you create a user called Britta Simon in Infor Retail – Information Management. Work with [Infor Retail – Information Management support team](mailto:innovate@infor.com) to add the users in the Infor Retail – Information Management platform. Users must be created and activated before you use single sign-on.
+#### SP initiated:
-### Test single sign-on
+* Click on **Test this application** in Azure portal. This will redirect to Infor Retail ΓÇô Information Management Sign on URL where you can initiate the login flow.
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+* Go to Infor Retail ΓÇô Information Management Sign-on URL directly and initiate the login flow from there.
-When you click the Infor Retail ΓÇô Information Management tile in the Access Panel, you should be automatically signed in to the Infor Retail ΓÇô Information Management for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+#### IDP initiated:
-## Additional Resources
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Infor Retail ΓÇô Information Management for which you set up the SSO.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the Infor Retail ΓÇô Information Management tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Infor Retail ΓÇô Information Management for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Infor Retail ΓÇô Information Management you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
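Review bot: in the Next steps paragraph, "protects exfiltration and infiltration" reads as the opposite of what is meant; write "protects against exfiltration and infiltration of your organization's sensitive data". Also, the new `## Configure Infor Retail Information Management SSO` and `### Create Infor Retail Information Management test user` headings drop the dash that the product name carries everywhere else in the body ("Infor Retail – Information Management"); that is what makes the `#configure-infor-retail-information-management-sso` and `#create-infor-retail-information-management-test-user` links in the step list resolve, so the headings and the links must be changed together if anyone later restores the dash in the headings.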
active-directory Ipasssmartconnect Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/ipasssmartconnect-tutorial.md
Previously updated : 10/14/2019 Last updated : 06/09/2021
To get started, you need the following items:
* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/). * iPass SmartConnect single sign-on (SSO) enabled subscription.
+> [!NOTE]
+> This integration is also available to use from Azure AD US Government Cloud environment. You can find this application in the Azure AD US Government Cloud Application Gallery and configure it in the same way as you do from public cloud.
+ ## Scenario description In this tutorial, you configure and test Azure AD SSO in a test environment.
active-directory Keylight Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/keylight-tutorial.md
Previously updated : 04/14/2019 Last updated : 06/11/2021 # Tutorial: Azure Active Directory integration with LockPath Keylight
-In this tutorial, you learn how to integrate LockPath Keylight with Azure Active Directory (Azure AD).
-Integrating LockPath Keylight with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate LockPath Keylight with Azure Active Directory (Azure AD). When you integrate LockPath Keylight with Azure AD, you can:
-* You can control in Azure AD who has access to LockPath Keylight.
-* You can enable your users to be automatically signed-in to LockPath Keylight (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to LockPath Keylight.
+* Enable your users to be automatically signed-in to LockPath Keylight with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites To configure Azure AD integration with LockPath Keylight, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/)
-* LockPath Keylight single sign-on enabled subscription
+* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/).
+* LockPath Keylight single sign-on enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* LockPath Keylight supports **SP** initiated SSO
-* LockPath Keylight supports **Just In Time** user provisioning
+* LockPath Keylight supports **SP** initiated SSO.
+* LockPath Keylight supports **Just In Time** user provisioning.
-## Adding LockPath Keylight from the gallery
+## Add LockPath Keylight from the gallery
To configure the integration of LockPath Keylight into Azure AD, you need to add LockPath Keylight from the gallery to your list of managed SaaS apps.
-**To add LockPath Keylight from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **LockPath Keylight** in the search box.
+1. Select **LockPath Keylight** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
- ![The New application button](common/add-new-app.png)
+## Configure and test Azure AD SSO for LockPath Keylight
-4. In the search box, type **LockPath Keylight**, select **LockPath Keylight** from result panel then click **Add** button to add the application.
+Configure and test Azure AD SSO with LockPath Keylight using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in LockPath Keylight.
- ![LockPath Keylight in the results list](common/search-new-app.png)
+To configure and test Azure AD SSO with LockPath Keylight, perform the following steps:
-## Configure and test Azure AD single sign-on
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure LockPath Keylight SSO](#configure-lockpath-keylight-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create LockPath Keylight test user](#create-lockpath-keylight-test-user)** - to have a counterpart of B.Simon in LockPath Keylight that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-In this section, you configure and test Azure AD single sign-on with LockPath Keylight based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in LockPath Keylight needs to be established.
-
-To configure and test Azure AD single sign-on with LockPath Keylight, you need to complete the following building blocks:
-
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure LockPath Keylight Single Sign-On](#configure-lockpath-keylight-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create LockPath Keylight test user](#create-lockpath-keylight-test-user)** - to have a counterpart of Britta Simon in LockPath Keylight that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
-
-### Configure Azure AD single sign-on
+## Configure Azure AD SSO
In this section, you enable Azure AD single sign-on in the Azure portal.
-To configure Azure AD single sign-on with LockPath Keylight, perform the following steps:
-
-1. In the [Azure portal](https://portal.azure.com/), on the **LockPath Keylight** application integration page, select **Single sign-on**.
-
- ![Configure single sign-on link](common/select-sso.png)
-
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+Follow these steps to enable Azure AD SSO in the Azure portal.
- ![Single sign-on select mode](common/select-saml-option.png)
+1. In the Azure portal, on the **LockPath Keylight** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, perform the following steps:
- ![LockPath Keylight Domain and URLs single sign-on information](common/sp-identifier-reply.png)
-
- a. In the **Sign on URL** text box, type a URL using the following pattern:
- `https://<company name>.keylightgrc.com/`
+ a. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
+ `https://<COMPANY_NAME>.keylightgrc.com`
- b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
- `https://<company name>.keylightgrc.com`
+ b. In the **Reply URL** textbox, type a URL using the following pattern: `https://<COMPANY_NAME>.keylightgrc.com/Login.aspx`
- c. In the **Reply URL** textbox, type a URL using the following pattern: `https://<company name>.keylightgrc.com/Login.aspx`
+ c. In the **Sign on URL** text box, type a URL using the following pattern:
+ `https://<COMPANY_NAME>.keylightgrc.com/`
> [!NOTE]
- > These values are not real. Update these values with the actual Sign on URL, Identifier and Reply URL. Contact [LockPath Keylight Client support team](https://www.lockpath.com/contact/) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+ > These values are not real. Update these values with the actual Identifier, Reply URL and Sign on URL. Contact [LockPath Keylight Client support team](https://www.lockpath.com/contact/) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
5. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Certificate (Raw)** from the given options as per your requirement and save it on your computer.
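Review bot: "In this section, you enable Azure AD single sign-on in the Azure portal." is kept as unchanged context directly above the added "Follow these steps to enable Azure AD SSO in the Azure portal.", so the Configure Azure AD SSO section now opens with two sentences that say the same thing; remove the first one, as the Infor Retail change above does. The reordering of the Basic SAML Configuration steps to Identifier, Reply URL, Sign on URL is matched by the updated NOTE ("actual Identifier, Reply URL and Sign on URL"), so that part is consistent.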
To configure Azure AD single sign-on with LockPath Keylight, perform the followi
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
- b. Azure AD Identifier
+### Assign the Azure AD test user
- c. Logout URL
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to LockPath Keylight.
-### Configure LockPath Keylight Single Sign-On
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **LockPath Keylight**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure LockPath Keylight SSO
1. To enable SSO in LockPath Keylight, perform the following steps:
To configure Azure AD single sign-on with LockPath Keylight, perform the followi
b. In the menu on the top, click **Person**, and select **Keylight Setup**.
- ![Screenshot that shows the "Person" icon selected, and "Keylight Setup" selected from the drop-down.](./media/keylight-tutorial/401.png)
+ ![Screenshot that shows the "Person" icon selected, and "Keylight Setup" selected from the drop-down.](./media/keylight-tutorial/setup-icon.png)
c. In the treeview on the left, click **SAML**.
- ![Screenshot that shows "S A M L" selected in the tree view.](./media/keylight-tutorial/402.png)
+ ![Screenshot that shows "S A M L" selected in the tree view.](./media/keylight-tutorial/treeview.png)
d. On the **SAML Settings** dialog, click **Edit**.
- ![Screenshot that shows the "S A M L Settings" window with the "Edit" button selected.](./media/keylight-tutorial/404.png)
+ ![Screenshot that shows the "S A M L Settings" window with the "Edit" button selected.](./media/keylight-tutorial/edit-icon.png)
1. On the **Edit SAML Settings** dialog page, perform the following steps:
- ![Configure Single Sign-On](./media/keylight-tutorial/405.png)
+ ![Configure Single Sign-On](./media/keylight-tutorial/settings.png)
a. Set **SAML authentication** to **Active**.
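Review bot: the four screenshot paths change from numeric names (`401.png`, `402.png`, `404.png`, `405.png`) to descriptive ones (`setup-icon.png`, `treeview.png`, `edit-icon.png`, `settings.png`), but only the markdown is in this diff; confirm the files under `./media/keylight-tutorial/` were renamed in the same commit, otherwise all four images break on the published page.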
To configure Azure AD single sign-on with LockPath Keylight, perform the followi
n. Click **Save**.
-### Create an Azure AD test user
-
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type `brittasimon@yourcompanydomain.extension`. For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
-
-### Assign the Azure AD test user
-
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to LockPath Keylight.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **LockPath Keylight**.
-
- ![Enterprise applications blade](common/enterprise-applications.png)
-
-2. In the applications list, select **LockPath Keylight**.
-
- ![The LockPath Keylight link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
- ### Create LockPath Keylight test user In this section, a user called Britta Simon is created in LockPath Keylight. LockPath Keylight supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in LockPath Keylight, a new one is created after authentication. If you need to create a user manually, you need to contact the [LockPath Keylight Client support team](https://www.lockpath.com/contact/).
-### Test single sign-on
+## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the LockPath Keylight tile in the Access Panel, you should be automatically signed in to the LockPath Keylight for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to LockPath Keylight Sign-on URL where you can initiate the login flow.
-## Additional Resources
+* Go to LockPath Keylight Sign-on URL directly and initiate the login flow from there.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the LockPath Keylight tile in the My Apps, this will redirect to LockPath Keylight Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure LockPath Keylight you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
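Review bot: same Next steps wording problem as the Infor Retail tutorial: "protects exfiltration and infiltration" should read "protects against exfiltration and infiltration". The Test SSO section lists only SP-initiated options, which matches the "LockPath Keylight supports **SP** initiated SSO" statement in Scenario description and the My Apps bullet that redirects to the Sign-on URL instead of signing the user in directly, so no change is needed there.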
active-directory Netop Portal Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/netop-portal-tutorial.md
Previously updated : 06/08/2021 Last updated : 06/09/2021
To get started, you need the following items:
* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/). * Netop Portal single sign-on (SSO) enabled subscription.
+> [!NOTE]
+> This integration is also available to use from Azure AD US Government Cloud environment. You can find this application in the Azure AD US Government Cloud Application Gallery and configure it in the same way as you do from public cloud.
+ ## Scenario description In this tutorial, you configure and test Azure AD SSO in a test environment.
active-directory Neustar Ultradns Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/neustar-ultradns-tutorial.md
+
+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Neustar UltraDNS | Microsoft Docs'
+description: Learn how to configure single sign-on between Azure Active Directory and Neustar UltraDNS.
++++++++ Last updated : 06/10/2021++++
+# Tutorial: Azure Active Directory single sign-on (SSO) integration with Neustar UltraDNS
+
+In this tutorial, you'll learn how to integrate Neustar UltraDNS with Azure Active Directory (Azure AD). When you integrate Neustar UltraDNS with Azure AD, you can:
+
+* Control in Azure AD who has access to Neustar UltraDNS.
+* Enable your users to be automatically signed-in to Neustar UltraDNS with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
+
+## Prerequisites
+
+To get started, you need the following items:
+
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Neustar UltraDNS single sign-on (SSO) enabled subscription.
+
+## Scenario description
+
+In this tutorial, you configure and test Azure AD SSO in a test environment.
+
+* Neustar UltraDNS supports **SP and IDP** initiated SSO.
+* Neustar UltraDNS supports **Just In Time** user provisioning.
+
+## Adding Neustar UltraDNS from the gallery
+
+To configure the integration of Neustar UltraDNS into Azure AD, you need to add Neustar UltraDNS from the gallery to your list of managed SaaS apps.
+
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Neustar UltraDNS** in the search box.
+1. Select **Neustar UltraDNS** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
+
+## Configure and test Azure AD SSO for Neustar UltraDNS
+
+Configure and test Azure AD SSO with Neustar UltraDNS using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Neustar UltraDNS.
+
+To configure and test Azure AD SSO with Neustar UltraDNS, perform the following steps:
+
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Neustar UltraDNS SSO](#configure-neustar-ultradns-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Neustar UltraDNS test user](#create-neustar-ultradns-test-user)** - to have a counterpart of B.Simon in Neustar UltraDNS that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
+
+## Configure Azure AD SSO
+
+Follow these steps to enable Azure AD SSO in the Azure portal.
+
+1. In the Azure portal, on the **Neustar UltraDNS** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
+
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
+
+1. On the **Basic SAML Configuration** section, the user does not have to perform any step as the app is already pre-integrated with Azure.
+
+1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
+
+ In the **Sign-on URL** text box, type a URL using the following pattern:
+ `https://<SUBDOMAIN>.sso.security.neustar`
+
+ > [!NOTE]
+ > The value is not real. Update the value with the actual Sign-on URL. Contact [Neustar UltraDNS Client support team](mailto:IDMTeam@neustar.biz) to get the value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+
+1. Click **Save**.
+
+1. Neustar UltraDNS application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.
+
+ ![image](common/default-attributes.png)
+
+1. In addition to above, Neustar UltraDNS application expects few more attributes to be passed back in SAML response which are shown below. These attributes are also pre populated but you can review them as per your requirements.
+
+ | Name | Source Attribute|
+ | - | |
+ | givenname | first name |
+ | mail | email address |
+ | sn | last name |
+
+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.
+
+ ![The Certificate download link](common/metadataxml.png)
+
+1. On the **Set up Neustar UltraDNS** section, copy the appropriate URL(s) based on your requirement.
+
+ ![Copy configuration URLs](common/copy-configuration-urls.png)
+
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
+
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Neustar UltraDNS.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Neustar UltraDNS**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure Neustar UltraDNS SSO
+
+To configure single sign-on on **Neustar UltraDNS** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Neustar UltraDNS support team](mailto:IDMTeam@neustar.biz). They set this setting to have the SAML SSO connection set properly on both sides.
+
+### Create Neustar UltraDNS test user
+
+In this section, a user called Britta Simon is created in Neustar UltraDNS. Neustar UltraDNS supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Neustar UltraDNS, a new one is created after authentication.
+
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+SP initiated:
+
+* Click on Test this application in Azure portal. This will redirect to Neustar UltraDNS Sign on URL where you can initiate the login flow.
+
+* Go to Neustar UltraDNS Sign-on URL directly and initiate the login flow from there.
+
+IDP initiated:
+
+* Click on Test this application in Azure portal and you should be automatically signed in to the Neustar UltraDNS for which you set up the SSO
+
+You can also use Microsoft My Apps to test the application in any mode. When you click the Neustar UltraDNS tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Neustar UltraDNS for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
+
+## Next steps
+
+Once you configure Neustar UltraDNS you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
++
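Review bot: the separator row of the attribute table in the Neustar UltraDNS tutorial, `| - | |`, has an empty second cell, so the two-column table headed `| Name | Source Attribute|` (rows `givenname`, `mail`, `sn`) will not render as a table in Markdown; use `| - | - |` so each column has a delimiter. In the same file, the "Create Neustar UltraDNS test user" section says "a user called Britta Simon is created" while every other section uses **B.Simon**, and it says the user "is created" in the same paragraph as "There is no action item for you"; rewording it to say that a counterpart of B.Simon is created automatically by just-in-time provisioning on first successful sign-in removes both the name mismatch and the apparent contradiction. Finally, `organizationΓÇÖs` in the Next steps paragraph is a UTF-8 curly apostrophe decoded under code page 437; save the file as UTF-8 or use a plain `'` so it renders as "organization's".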
active-directory Procoresso Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/procoresso-tutorial.md
Previously updated : 04/03/2019 Last updated : 06/11/2021 # Tutorial: Azure Active Directory integration with Procore SSO
-In this tutorial, you learn how to integrate Procore SSO with Azure Active Directory (Azure AD).
-Integrating Procore SSO with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Procore SSO with Azure Active Directory (Azure AD). When you integrate Procore SSO with Azure AD, you can:
-* You can control in Azure AD who has access to Procore SSO.
-* You can enable your users to be automatically signed-in to Procore SSO (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Procore SSO.
+* Enable your users to be automatically signed-in to Procore SSO with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites To configure Azure AD integration with Procore SSO, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/)
-* Procore SSO single sign-on enabled subscription
+* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/).
+* Procore SSO single sign-on enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* Procore SSO supports **IDP** initiated SSO
+* Procore SSO supports **IDP** initiated SSO.
-## Adding Procore SSO from the gallery
+## Add Procore SSO from the gallery
To configure the integration of Procore SSO into Azure AD, you need to add Procore SSO from the gallery to your list of managed SaaS apps.
-**To add Procore SSO from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **Procore SSO**, select **Procore SSO** from result panel then click **Add** button to add the application.
-
- ![Procore SSO in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
-
-In this section, you configure and test Azure AD single sign-on with Procore SSO based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Procore SSO needs to be established.
-
-To configure and test Azure AD single sign-on with Procore SSO, you need to complete the following building blocks:
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Procore SSO** in the search box.
+1. Select **Procore SSO** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure Procore SSO Single Sign-On](#configure-procore-sso-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Procore SSO test user](#create-procore-sso-test-user)** - to have a counterpart of Britta Simon in Procore SSO that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+## Configure and test Azure AD SSO for Procore SSO
-### Configure Azure AD single sign-on
+Configure and test Azure AD SSO with Procore SSO using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Procore SSO.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+To configure and test Azure AD SSO with Procore SSO, perform the following steps:
-To configure Azure AD single sign-on with Procore SSO, perform the following steps:
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Procore SSO](#configure-procore-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Procore SSO test user](#create-procore-sso-test-user)** - to have a counterpart of B.Simon in Procore SSO that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-1. In the [Azure portal](https://portal.azure.com/), on the **Procore SSO** application integration page, select **Single sign-on**.
+## Configure Azure AD SSO
- ![Configure single sign-on link](common/select-sso.png)
+Follow these steps to enable Azure AD SSO in the Azure portal.
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+1. In the Azure portal, on the **Procore SSO** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Single sign-on select mode](common/select-saml-option.png)
-
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, the user does not have to perform any step as the app is already pre-integrated with Azure.
- ![Procore SSO Domain and URLs single sign-on information](common/preintegrated.png)
- 5. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Federation Metadata XML** from the given options as per your requirement and save it on your computer. ![The Certificate download link](common/metadataxml.png)
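Review bot: the Configure Azure AD SSO list now mixes the new `1.`-style items (ending at "click the pencil icon for **Basic SAML Configuration**") with the unchanged explicit `4. On the **Basic SAML Configuration** section` and `5. On the **Set up Single Sign-On with SAML** page` items; CommonMark still renders them in sequence, but the new text uses `1.` throughout, so renumber the two remaining items to match and keep the image line indented under its list item. Step 5 also keeps the old casing **Set up Single Sign-On with SAML** while the new step 3 uses **Set up single sign-on with SAML**; use the casing the portal actually shows in both places.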
To configure Azure AD single sign-on with Procore SSO, perform the following ste
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
- b. Azure AD Identifier
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Procore SSO.
- c. Logout URL
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Procore SSO**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
-### Configure Procore SSO Single Sign-On
+## Configure Procore SSO
1. To configure single sign-on on **Procore SSO** side, sign in to your procore company site as an administrator. 2. From the toolbox drop down, click on **Admin** to open the SSO settings page.
- ![Screenshot shows the Procore company site with Directory selected.](./media/procoresso-tutorial/procore_tool_admin.png)
+ ![Screenshot shows the Procore company site with Directory selected.](./media/procoresso-tutorial/admin.png)
3. Paste the values in the boxes as described below-
- ![Screenshot shows the Add a Person dialog box.](./media/procoresso-tutorial/procore_setting_admin.png)
+ ![Screenshot shows the Add a Person dialog box.](./media/procoresso-tutorial/setting.png)
a. In the **Single Sign On Issuer URL** text box, paste the value of **Azure AD Identifier** which you have copied from the Azure portal.
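Review bot: deleting the `a. Login URL`, `b. Azure AD Identifier`, `c. Logout URL` list leaves the "Copy configuration URLs" step with only a screenshot, yet the Procore step that follows still says to paste "the value of **Azure AD Identifier** which you have copied from the Azure portal"; keep one sentence naming the values to copy (at least the Azure AD Identifier, since that is what Procore's **Single Sign On Issuer URL** takes and what it will check assertion issuers against), so a reader working from the text alone is not left guessing. The screenshot renames (`procore_tool_admin.png` to `admin.png`, `procore_setting_admin.png` to `setting.png`) need the renamed files to be present under `./media/procoresso-tutorial/` in this same commit, otherwise the images break. Minor: "sign in to your procore company site" should read "Procore".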
To configure Azure AD single sign-on with Procore SSO, perform the following ste
5. After these settings, you needs to send the **domain name** (e.g **contoso.com**) through which you are logging into Procore to the [Procore Support team](https://support.procore.com/) and they will activate federated SSO for that domain.
-### Create an Azure AD test user
-
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type `brittasimon@yourcompanydomain.extension`. For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
-
-### Assign the Azure AD test user
-
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Procore SSO.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Procore SSO**.
-
- ![Enterprise applications blade](common/enterprise-applications.png)
-
-2. In the applications list, select **Procore SSO**.
-
- ![The Procore SSO link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
- ### Create Procore SSO test user Please follow the below steps to create a Procore test user on Procore SSO side.
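Review bot: the unchanged line opening this hunk reads "you needs to send the **domain name** (e.g **contoso.com**)"; since the surrounding section is being rewritten, fix it to "you need to send the **domain name** (for example, **contoso.com**)". Also, the last `-` line of this hunk shows `### Create Procore SSO test user` next to a deleted blank line; confirm the heading itself survives, because the step list in "Configure and test Azure AD SSO for Procore SSO" links to `#create-procore-sso-test-user` and a removed heading would leave that anchor dangling.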
Please follow the below steps to create a Procore test user on Procore SSO side.
2. From the toolbox drop down, click on **Directory** to open the company directory page.
- ![Screenshot shows the Procore company site with Directory selected from the toolbox.](./media/procoresso-tutorial/Procore_sso_directory.png)
+ ![Screenshot shows the Procore company site with Directory selected from the toolbox.](./media/procoresso-tutorial/directory.png)
3. Click on **Add a Person** option to open the form and enter perform following options -
- ![Screenshot shows the Add a person to Boylan Construction where you can enter user information.](./media/procoresso-tutorial/Procore_user_add.png)
+ ![Screenshot shows the Add a person to Boylan Construction where you can enter user information.](./media/procoresso-tutorial/user.png)
a. In the **First Name** textbox, type user's first name like **Britta**.
Please follow the below steps to create a Procore test user on Procore SSO side.
4. Check and update the details for the newly added contact.
- ![Screenshot shows an edit page where you can verify the user settings.](./media/procoresso-tutorial/Procore_user_check.png)
+ ![Screenshot shows an edit page where you can verify the user settings.](./media/procoresso-tutorial/details.png)
5. Click on **Save and Send Invitation** (if an invite through mail is required) or **Save** (Save directly) to complete the user registration.
- ![Screenshot shows the Current Project Settings where you can Save and Send Invitation.](./media/procoresso-tutorial/Procore_user_save.png)
-
-### Test single sign-on
+ ![Screenshot shows the Current Project Settings where you can Save and Send Invitation.](./media/procoresso-tutorial/save.png)
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+## Test SSO
-When you click the Procore SSO tile in the Access Panel, you should be automatically signed in to the Procore SSO for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+In this section, you test your Azure AD single sign-on configuration with following options.
-## Additional Resources
+* Click on Test this application in Azure portal and you should be automatically signed in to the Procore SSO for which you set up the SSO.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the Procore SSO tile in the My Apps, you should be automatically signed in to the Procore SSO for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Procore SSO you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
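Review bot: `organizationΓÇÖs` in the Next steps paragraph is a UTF-8 curly apostrophe decoded under code page 437; save the file as UTF-8 and use a plain `'` so it renders as "organization's". The Test SSO bullet should name the button as it is labelled, **Test this application**, and say "in the Azure portal", matching the bold UI labels used elsewhere in the tutorial. The removed Additional Resources block included the Conditional Access overview link; since the new Next steps text says "Session control extends from Conditional Access", carrying that one link over would give the reader the prerequisite the paragraph refers to.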
active-directory Spaceiq Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/spaceiq-tutorial.md
Previously updated : 03/25/2019 Last updated : 06/11/2021 # Tutorial: Azure Active Directory integration with SpaceIQ
-In this tutorial, you learn how to integrate SpaceIQ with Azure Active Directory (Azure AD).
-Integrating SpaceIQ with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate SpaceIQ with Azure Active Directory (Azure AD). When you integrate SpaceIQ with Azure AD, you can:
-* You can control in Azure AD who has access to SpaceIQ.
-* You can enable your users to be automatically signed-in to SpaceIQ (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to SpaceIQ.
+* Enable your users to be automatically signed-in to SpaceIQ with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites To configure Azure AD integration with SpaceIQ, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/)
-* SpaceIQ single sign-on enabled subscription
+* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/).
+* SpaceIQ single sign-on enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* SpaceIQ supports **IDP** initiated SSO
-
-## Adding SpaceIQ from the gallery
-
-To configure the integration of SpaceIQ into Azure AD, you need to add SpaceIQ from the gallery to your list of managed SaaS apps.
-
-**To add SpaceIQ from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **SpaceIQ**, select **SpaceIQ** from result panel then click **Add** button to add the application.
+* SpaceIQ supports **IDP** initiated SSO.
- ![SpaceIQ in the results list](common/search-new-app.png)
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-## Configure and test Azure AD single sign-on
+## Add SpaceIQ from the gallery
-In this section, you configure and test Azure AD single sign-on with SpaceIQ based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in SpaceIQ needs to be established.
-
-To configure and test Azure AD single sign-on with SpaceIQ, you need to complete the following building blocks:
-
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure SpaceIQ Single Sign-On](#configure-spaceiq-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create SpaceIQ test user](#create-spaceiq-test-user)** - to have a counterpart of Britta Simon in SpaceIQ that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+To configure the integration of SpaceIQ into Azure AD, you need to add SpaceIQ from the gallery to your list of managed SaaS apps.
-### Configure Azure AD single sign-on
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **SpaceIQ** in the search box.
+1. Select **SpaceIQ** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+## Configure and test Azure AD SSO for SpaceIQ
-To configure Azure AD single sign-on with SpaceIQ, perform the following steps:
+Configure and test Azure AD SSO with SpaceIQ using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in SpaceIQ.
-1. In the [Azure portal](https://portal.azure.com/), on the **SpaceIQ** application integration page, select **Single sign-on**.
+To configure and test Azure AD SSO with SpaceIQ, perform the following steps:
- ![Configure single sign-on link](common/select-sso.png)
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure SpaceIQ SSO](#configure-spaceiq-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create SpaceIQ test user](#create-spaceiq-test-user)** - to have a counterpart of B.Simon in SpaceIQ that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+## Configure Azure AD SSO
- ![Single sign-on select mode](common/select-saml-option.png)
+Follow these steps to enable Azure AD SSO in the Azure portal.
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
+1. In the Azure portal, on the **SpaceIQ** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Set up Single Sign-On with SAML** page, perform the following steps:
- ![SpaceIQ Domain and URLs single sign-on information](common/idp-intiated.png)
- a. In the **Identifier** text box, type the URL: `https://api.spaceiq.com` b. In the **Reply URL** text box, type a URL using the following pattern:
- `https://api.spaceiq.com/saml/<instanceid>/callback`
+ `https://api.spaceiq.com/saml/<INSTANCE_ID>/callback`
> [!NOTE] > Update these values with the actual Reply URL and identifier which is explained later in the tutorial.
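Review bot: the new note added near the top says "Identifier of this application is a fixed string value", but the unchanged note closing this hunk still tells the reader to "Update these values with the actual Reply URL and identifier"; with the Identifier fixed at `https://api.spaceiq.com`, only the `<INSTANCE_ID>` placeholder in the Reply URL needs replacing, so the second note should say exactly that, otherwise a reader may edit the Identifier and the assertion audience will no longer match what SpaceIQ expects. Also, the steps above now use `1.` auto-numbering while `4. On the **Set up Single Sign-On with SAML** page` keeps an explicit number and the old heading casing; align it with the new items.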
To configure Azure AD single sign-on with SpaceIQ, perform the following steps:
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
- b. Azure AD Identifier
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
- c. Logout URL
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to SpaceIQ.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **SpaceIQ**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
-### Configure SpaceIQ Single Sign-On
+## Configure SpaceIQ SSO
1. Open a new browser window, and then sign in to your SpaceIQ environment as an administrator. 1. Once you are logged in, click on the puzzle sign at the top right, then click on **Integrations**
- ![Account settings](./media/spaceiq-tutorial/setting1.png)
+ ![Account settings](./media/spaceiq-tutorial/setting.png)
1. Under **All PROVISIONING & SSO**, click on the **Azure** tile to add an instance of Azure as IDP.
- ![SAML icon](./media/spaceiq-tutorial/setting2.png)
+ ![SAML icon](./media/spaceiq-tutorial/azure.png)
1. In the **SSO** dialog box, perform the following steps:
- ![SAML Authentication Settings](./media/spaceiq-tutorial/setting3.png)
+ ![SAML Authentication Settings](./media/spaceiq-tutorial/configuration.png)
a. In the **SAML Issuer URL** box, paste the **Azure AD Identifier** value copied from the Azure AD application configuration window.
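Review bot: as in the Procore tutorial, removing the `a. Login URL`, `b. Azure AD Identifier`, `c. Logout URL` list leaves the "Copy configuration URLs" step with only a screenshot, while the SpaceIQ step that follows says to paste "the **Azure AD Identifier** value copied from the Azure AD application configuration window" into **SAML Issuer URL**; keep one sentence naming the values to copy so the text stands on its own. The image renames (`setting1.png` to `setting.png`, `setting2.png` to `azure.png`, `setting3.png` to `configuration.png`) need the renamed files under `./media/spaceiq-tutorial/` in this commit. Minor: the context line "then click on **Integrations**" is missing its full stop.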
To configure Azure AD single sign-on with SpaceIQ, perform the following steps:
e. Click **Save**.
-### Create an Azure AD test user
-
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type `brittasimon@yourcompanydomain.extension`
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
-
-### Assign the Azure AD test user
-
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to SpaceIQ.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **SpaceIQ**.
-
- ![Enterprise applications blade](common/enterprise-applications.png)
-
-2. In the applications list, select **SpaceIQ**.
-
- ![The SpaceIQ link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
- ### Create SpaceIQ test user In this section, you create a user called Britta Simon in SpaceIQ. Work [SpaceIQ support team](mailto:eng@spaceiq.com) to add the users in the SpaceIQ platform. Users must be created and activated before you use single sign-on.
-### Test single sign-on
-
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+## Test SSO
-When you click the SpaceIQ tile in the Access Panel, you should be automatically signed in to the SpaceIQ for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+In this section, you test your Azure AD single sign-on configuration with following options.
-## Additional Resources
+* Click on Test this application in Azure portal and you should be automatically signed in to the SpaceIQ for which you set up the SSO.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the SpaceIQ tile in the My Apps, you should be automatically signed in to the SpaceIQ for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure SpaceIQ you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
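Review bot: the context line that begins `### Create SpaceIQ test user` drops a word: "Work [SpaceIQ support team](mailto:eng@spaceiq.com) to add the users" should read "Work with [SpaceIQ support team]...". In the new Test SSO section, "Click on Test this application in Azure portal" leaves the button name unformatted while every other UI label in the rewritten steps is bolded; make it **Test this application**, and "with following options" needs "the". The rewritten assignment step "If no role has been set up for this app, you see "Default Access" role selected" also reads better as "you see the "Default Access" role selected".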
active-directory Talent Palette Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/talent-palette-tutorial.md
Previously updated : 01/17/2019 Last updated : 06/11/2021 # Tutorial: Azure Active Directory integration with Talent Palette
-In this tutorial, you learn how to integrate Talent Palette with Azure Active Directory (Azure AD).
-Integrating Talent Palette with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Talent Palette with Azure Active Directory (Azure AD). When you integrate Talent Palette with Azure AD, you can:
-* You can control in Azure AD who has access to Talent Palette.
-* You can enable your users to be automatically signed-in to Talent Palette (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Talent Palette.
+* Enable your users to be automatically signed-in to Talent Palette with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with Talent Palette, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* Talent Palette single sign-on enabled subscription
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Talent Palette single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* Folloze supports **IDP** initiated SSO
-* Folloze supports **Just In Time** user provisioning
-
-## Adding Talent Palette from the gallery
-
-To configure the integration of Talent Palette into Azure AD, you need to add Talent Palette from the gallery to your list of managed SaaS apps.
-
-**To add Talent Palette from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select_azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise_applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add_new_app.png)
+* Folloze supports **IDP** initiated SSO.
+* Folloze supports **Just In Time** user provisioning.
-4. In the search box, type **Talent Palette**, select **Talent Palette** from result panel then click **Add** button to add the application.
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
- ![Talent Palette in the results list](common/search_new_app.png)
+## Add Talent Palette from the gallery
-## Configure and test Azure AD single sign-on
-
-In this section, you configure and test Azure AD single sign-on with Talent Palette based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Talent Palette needs to be established.
-
-To configure and test Azure AD single sign-on with Talent Palette, you need to complete the following building blocks:
-
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure Talent Palette Single Sign-On](#configure-talent-palette-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Talent Palette test user](#create-talent-palette-test-user)** - to have a counterpart of Britta Simon in Talent Palette that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
-
-### Configure Azure AD single sign-on
+To configure the integration of Talent Palette into Azure AD, you need to add Talent Palette from the gallery to your list of managed SaaS apps.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Talent Palette** in the search box.
+1. Select **Talent Palette** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-To configure Azure AD single sign-on with Talent Palette, perform the following steps:
+## Configure and test Azure AD SSO for Talent Palette
-1. In the [Azure portal](https://portal.azure.com/), on the **Talent Palette** application integration page, select **Single sign-on**.
+Configure and test Azure AD SSO with Talent Palette using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Talent Palette.
- ![Configure single sign-on link](common/select_sso.png)
+To configure and test Azure AD SSO with Talent Palette, perform the following steps:
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Talent Palette SSO](#configure-talent-palette-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Talent Palette test user](#create-talent-palette-test-user)** - to have a counterpart of B.Simon in Talent Palette that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
- ![Single sign-on select mode](common/select_saml_option.png)
+## Configure Azure AD SSO
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
+Follow these steps to enable Azure AD SSO in the Azure portal.
- ![Edit Basic SAML Configuration](common/edit_urls.png)
+1. In the Azure portal, on the **Talent Palette** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
-4. On the **Basic SAML Configuration** section, If you wish to configure the application in **IDP** initiated mode, perform the following steps:
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
- ![Screenshot shows the Basic SAML Configuration, where you can enter a Reply U R L.](common/both_replyurl.png)
+4. On the **Basic SAML Configuration** section, If you wish to configure the application in **IDP** initiated mode, perform the following step:
In the **Reply URL** text box, type a URL using the following pattern:
- `https://talent-p.net/saml/acs/<tenantID>`
+ `https://talent-p.net/saml/acs/<TENANT_ID>`
5. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
- ![Screenshot shows Set additional U R Ls where you can enter a Sign on U R L.](common/both_signonurl.png)
- In the **Sign-on URL** text box, type a URL using the following pattern:
- `https://talent-p.net/saml/sso/<tenantID>`
+ `https://talent-p.net/saml/sso/<TENANT_ID>`
> [!NOTE] > These values are not real. Update these values with the actual Reply URL and Sign-On URL. Contact [Talent Palette Client support team](mailto:talent-support@pa-consul.co.jp) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
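Review bot: the scenario bullets added as `+* Folloze supports **IDP** initiated SSO.` and `+* Folloze supports **Just In Time** user provisioning.` name the wrong product; this is the Talent Palette tutorial, so both should read "Talent Palette supports ...". The removed lines carried the same copy-paste error, and this rewrite is the place to fix it. The first bullet also disagrees with the configuration steps below it, which set a Reply URL for IDP-initiated mode and a Sign-on URL `https://talent-p.net/saml/sso/<TENANT_ID>` for SP-initiated mode; if SP-initiated sign-on is supported, the bullet should say "**SP and IDP** initiated SSO". A smaller point: the rewritten steps switch to `1.` list markers, but `+4. On the **Basic SAML Configuration** section, If you wish ...` keeps an explicit 4 and a capitalised "If" mid-sentence, so the list now mixes both styles.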
To configure Azure AD single sign-on with Talent Palette, perform the following
![Copy configuration URLs](common/copy_configuration_urls.png)
- a. Login URL
-
- b. Azure Ad Identifier
-
- c. Logout URL
-
-### Configure Talent Palette Single Sign-On
-
-To configure single sign-on on **Talent Palette** side, you need to send the downloaded **Certificate (Raw)** and appropriate copied URLs from Azure portal to [Talent Palette support team](mailto:talent-support@pa-consul.co.jp). They set this setting to have the SAML SSO connection set properly on both sides.
- ### Create an Azure AD test user
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new_user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user_properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type **brittasimon\@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
+In this section, you'll create a test user in the Azure portal called B.Simon.
- d. Click **Create**.
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
### Assign the Azure AD test user
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Talent Palette.
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Talent Palette.
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Talent Palette**.
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Talent Palette**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
- ![Enterprise applications blade](common/enterprise_applications.png)
+## Configure Talent Palette SSO
-2. In the applications list, type and select **Talent Palette**.
-
- ![The Talent Palette link in the Applications list](common/all_applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users_groups_blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add_assign_user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
+To configure single sign-on on **Talent Palette** side, you need to send the downloaded **Certificate (Raw)** and appropriate copied URLs from Azure portal to [Talent Palette support team](mailto:talent-support@pa-consul.co.jp). They set this setting to have the SAML SSO connection set properly on both sides.
### Create Talent Palette test user
-In this section, you create a user called Britta Simon in Talent Palette. Work with [Talent Palette support team](mailto:talent-support@pa-consul.co.jp) to add the users in the Talent Palette platform. Users must be created and activated before you use single sign-on.
-
-### Test single sign-on
+In this section, a user called B.Simon is created in Talent Palette. Talent Palette supports just-in-time user provisioning, which is enabled by default. There's no action item for you in this section. If a user doesn't already exist in Talent Palette, a new one is created after authentication.
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+## Test SSO
-When you click the Talent Palette tile in the Access Panel, you should be automatically signed in to the Talent Palette for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+In this section, you test your Azure AD single sign-on configuration with following options.
-## Additional Resources
+* Click on Test this application in Azure portal and you should be automatically signed in to the Talent Palette for which you set up the SSO.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the Talent Palette tile in the My Apps, you should be automatically signed in to the Talent Palette for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Talent Palette you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
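Review bot: the rewritten "Create Talent Palette test user" section changes the provisioning behaviour the article states, not just its wording. The removed line said users must be created and activated by the Talent Palette support team before single sign-on is used; the new line says "Talent Palette supports just-in-time user provisioning, which is enabled by default. There's no action item for you in this section." Please confirm this with the vendor before merging, since a reader who relies on it and finds JIT provisioning disabled will see failed sign-ins with no guidance. The new Test SSO section also describes only the IDP-initiated case ("you should be automatically signed in"), although the Basic SAML Configuration steps set a Sign-on URL for SP-initiated mode; add the SP-initiated test option as the Whatfix tutorial in this same update does with its "SP initiated" and "IDP initiated" subsections. Minor: "with following options" needs "the", and **Test this application** should be bolded as a UI label.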
active-directory Whatfix Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/whatfix-tutorial.md
Previously updated : 05/17/2019 Last updated : 06/11/2021 # Tutorial: Integrate Whatfix with Azure Active Directory
In this tutorial, you'll learn how to integrate Whatfix with Azure Active Direct
* Enable your users to be automatically signed-in to Whatfix with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
-* An Azure AD subscription. If you don't have a subscription, you can get one-month free trial [here](https://azure.microsoft.com/pricing/free-trial/).
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
* Whatfix single sign-on (SSO) enabled subscription. ## Scenario description
-In this tutorial, you configure and test Azure AD SSO in a test environment. Whatfix supports **SP and IDP** initiated SSO
+In this tutorial, you configure and test Azure AD SSO in a test environment.
+
+* Whatfix supports **SP and IDP** initiated SSO.
-## Adding Whatfix from the gallery
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
+
+## Add Whatfix from the gallery
To configure the integration of Whatfix into Azure AD, you need to add Whatfix from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Whatfix** in the search box. 1. Select **Whatfix** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on
+## Configure and test Azure AD SSO for Whatfix
-Configure and test Azure AD SSO with Whatfix using a test user called **Britta Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Whatfix.
+Configure and test Azure AD SSO with Whatfix using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Whatfix.
-To configure and test Azure AD SSO with Whatfix, complete the following building blocks:
+To configure and test Azure AD SSO with Whatfix, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
-2. **[Configure Whatfix SSO](#configure-whatfix-sso)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Whatfix test user](#create-whatfix-test-user)** - to have a counterpart of Britta Simon in Whatfix that is linked to the Azure AD representation of user.
-6. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Whatfix SSO](#configure-whatfix-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Whatfix test user](#create-whatfix-test-user)** - to have a counterpart of B.Simon in Whatfix that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-### Configure Azure AD SSO
+## Configure Azure AD SSO
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Whatfix** application integration page, find the **Manage** section and select **Single sign-on**.
+1. In the Azure portal, on the **Whatfix** application integration page, find the **Manage** section and select **Single sign-on**.
1. On the **Select a Single sign-on method** page, select **SAML**.
-1. On the **Set up Single Sign-On with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up Single Sign-On with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
-1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, enter the values for the following field:
+1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, perform the following steps:
1. Click **Set additional URLs**. 1. In the **Relay State** text box, enter the customer specified Relay state URL.
Follow these steps to enable Azure AD SSO in the Azure portal.
![The Certificate download link](common/copy-metadataurl.png)
-### Configure Whatfix SSO
-
-To configure single sign-on on **Whatfix** side, you need to send the **App Federation Metadata Url** to [Whatfix support team](https://support.whatfix.com). They set this setting to have the SAML SSO connection set properly on both sides.
- ### Create an Azure AD test user In this section, you'll create a test user in the Azure portal called Britta Simon.
In this section, you'll create a test user in the Azure portal called Britta Sim
### Assign the Azure AD test user
-In this section, you'll enable Britta Simon to use Azure single sign-on by granting access to Whatfix.
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Whatfix.
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **Whatfix**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
- ![The Add User link](common/add-assign-user.png)
+## Configure Whatfix SSO
-1. In the **Users and groups** dialog, select **Britta Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
-1. In the **Add Assignment** dialog, click the **Assign** button.
+To configure single sign-on on **Whatfix** side, you need to send the **App Federation Metadata Url** to [Whatfix support team](https://support.whatfix.com). They set this setting to have the SAML SSO connection set properly on both sides.
### Create Whatfix test user In this section, you create a user called Britta Simon in Whatfix. Work with [Whatfix support team](https://support.whatfix.com) to add the users in the Whatfix platform. Users must be created and activated before you use single sign-on.
-### Test SSO
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
+
+* Click on **Test this application** in Azure portal. This will redirect to Whatfix Sign on URL where you can initiate the login flow.
+
+* Go to Whatfix Sign-on URL directly and initiate the login flow from there.
-When you select the Whatfix tile in the Access Panel, you should be automatically signed in to the Whatfix for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+#### IDP initiated:
-## Additional Resources
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Whatfix for which you set up the SSO.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the Whatfix tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Whatfix for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Whatfix you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
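Review bot: the test-user rename to B.Simon is incomplete in this hunk. The assignment section now says `+In this section, you'll enable B.Simon to use Azure single sign-on` and selects `**B.Simon**`, but the unchanged "Create an Azure AD test user" intro still reads "called Britta Simon" and "### Create Whatfix test user" still says "you create a user called Britta Simon in Whatfix", so the user the reader creates and the user they assign have different names; update both remaining occurrences. The context line ending `select **Users and groups**.-` also appears to carry a stray trailing hyphen where a blank line was removed; check the source renders cleanly. Lastly, `+#### SP initiated:` and `+#### IDP initiated:` sit directly under the `## Test SSO` heading and skip a level; if the template calls for H4 here, fine, otherwise `###` keeps the outline consistent.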
aks Coredns Custom https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/coredns-custom.md
data:
} ```
+To specify one or more lines in host table using INLINE:
+
+```yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: coredns-custom # this is the name of the configmap you can overwrite with your changes
+ namespace: kube-system
+data:
+ test.override: | # you may select any name here, but it must end with the .override file extension
+ hosts {
+ 10.0.0.1 example1.org
+ 10.0.0.2 example2.org
+ 10.0.0.3 example3.org
+ fallthrough
+ }
+```
+ ## Enable logging for DNS query debugging To enable DNS query logging, apply the following configuration in your coredns-custom ConfigMap:
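Review bot: the `hosts` example should say why `fallthrough` is present, because it is not optional here. With no zone argument the hosts plugin is authoritative for every name, so without `fallthrough` any query not listed in the table would be answered by the hosts plugin itself (as a name error) instead of being passed on to the remaining plugins, and cluster and upstream names would stop resolving. A one-line comment beside `fallthrough` would stop readers from trimming it as noise. Two smaller points: the `10.0.0.1 example1.org` entries should be called out as placeholder values, and since `.override` content is merged into the default server block, a sentence noting that these host entries take effect for every pod in the cluster would help readers judge the blast radius of a typo.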
application-gateway Configuration Infrastructure https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/application-gateway/configuration-infrastructure.md
Previously updated : 06/08/2021 Last updated : 06/14/2021
Consider a subnet that has 27 application gateway instances and an IP address fo
Application Gateway (Standard or WAF) SKU can support up to 32 instances (32 instance IP addresses + 1 private front-end IP + 5 Azure reserved) ΓÇô so a minimum subnet size of /26 is recommended
-Application Gateway (Standard_v2 or WAF_v2 SKU) can support up to 125 instances (125 instance IP addresses + 1 private front-end IP + 5 Azure reserved) ΓÇô so a minimum subnet size of /24 is required.
+Application Gateway (Standard_v2 or WAF_v2 SKU) can support up to 125 instances (125 instance IP addresses + 1 private front-end IP + 5 Azure reserved). A minimum subnet size of /24 is recommended.
> [!IMPORTANT]
-> Starting mid-late May 2021, a minimum subnet size of /24 (256 IPs) per Application Gateway v2 SKU (Standard_v2 or WAF_v2) will be required for new deployments. Existing deployments will not be affected by this requirement but are encouraged to move to a subnet with at least 256 IPs per v2 gateway. This requirement will ensure the subnet has sufficient IP addresses for the gateway to undergo maintenance updates without impact on available capacity.
+> Although a /24 subnet is not required per Application Gateway v2 SKU deployment, it is highly recommended. This is to ensure that Application Gateway v2 has sufficient space for autoscaling expansion and maintenance upgrades. You should ensure that the Application Gateway v2 subnet has sufficient address space to accommodate the number of instances required to serve your maximum expected traffic. If you specify the maximum instance count, then the subnet should have capacity for at least that many addresses. For capacity planning around instance count, see [instance count details](understanding-pricing.md#instance-count).
> [!TIP] > It is possible to change the subnet of an existing Application Gateway within the same virtual network. You can do this using Azure PowerShell or Azure CLI. For more information, see [Frequently asked questions about Application Gateway](application-gateway-faq.yml#can-i-change-the-virtual-network-or-subnet-for-an-existing-application-gateway)
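Review bot: The new IMPORTANT note's sizing sentence ("If you specify the maximum instance count, then the subnet should have capacity for at least that many addresses") undercounts what the paragraph just above it states, namely that each gateway also consumes 1 private front-end IP plus 5 Azure-reserved addresses. Suggest "capacity for at least that many addresses plus the private front-end IP and the five Azure-reserved addresses" so readers planning a tight subnet do not come up short during autoscale or maintenance.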
application-gateway Quick Create Cli https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/application-gateway/quick-create-cli.md
Previously updated : 01/19/2021 Last updated : 06/14/2021
In this quickstart, you use Azure CLI to create an application gateway. Then you
The application gateway directs application web traffic to specific resources in a backend pool. You assign listeners to ports, create rules, and add resources to a backend pool. For the sake of simplicity, this article uses a simple setup with a public front-end IP address, a basic listener to host a single site on the application gateway, a basic request routing rule, and two virtual machines in the backend pool. ++ You can also complete this quickstart using [Azure PowerShell](quick-create-powershell.md) or the [Azure portal](quick-create-portal.md). [!INCLUDE [quickstarts-free-trial-note](../../includes/quickstarts-free-trial-note.md)]
az network vnet create \
--name myVNet \ --resource-group myResourceGroupAG \ --location eastus \
- --address-prefix 10.0.0.0/16 \
+ --address-prefix 10.21.0.0/16 \
--subnet-name myAGSubnet \
- --subnet-prefix 10.0.1.0/24
+ --subnet-prefix 10.21.0.0/24
az network vnet subnet create \ --name myBackendSubnet \ --resource-group myResourceGroupAG \ --vnet-name myVNet \
- --address-prefix 10.0.2.0/24
+ --address-prefix 10.21.1.0/24
az network public-ip create \ --resource-group myResourceGroupAG \ --name myAGPublicIPAddress \
application-gateway Quick Create Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/application-gateway/quick-create-portal.md
description: In this quickstart, you learn how to use the Azure portal to create
Previously updated : 01/19/2021 Last updated : 06/14/2021
In this quickstart, you use the Azure portal to create an application gateway. T
The application gateway directs application web traffic to specific resources in a backend pool. You assign listeners to ports, create rules, and add resources to a backend pool. For the sake of simplicity, this article uses a simple setup with a public front-end IP, a basic listener to host a single site on the application gateway, a basic request routing rule, and two virtual machines in the backend pool. + You can also complete this quickstart using [Azure PowerShell](quick-create-powershell.md) or [Azure CLI](quick-create-cli.md). [!INCLUDE [updated-for-az](../../includes/updated-for-az.md)]
application-gateway Quick Create Powershell https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/application-gateway/quick-create-powershell.md
description: In this quickstart, you learn how to use Azure PowerShell to create
Previously updated : 01/19/2021 Last updated : 06/14/2021
In this quickstart, you use Azure PowerShell to create an application gateway. T
The application gateway directs application web traffic to specific resources in a backend pool. You assign listeners to ports, create rules, and add resources to a backend pool. For the sake of simplicity, this article uses a simple setup with a public front-end IP address, a basic listener to host a single site on the application gateway, a basic request routing rule, and two virtual machines in the backend pool. ++ You can also complete this quickstart using [Azure CLI](quick-create-cli.md) or the [Azure portal](quick-create-portal.md). ## Prerequisites
For Azure to communicate between the resources that you create, it needs a virtu
```azurepowershell-interactive $agSubnetConfig = New-AzVirtualNetworkSubnetConfig ` -Name myAGSubnet `
- -AddressPrefix 10.0.1.0/24
+ -AddressPrefix 10.21.0.0/24
$backendSubnetConfig = New-AzVirtualNetworkSubnetConfig ` -Name myBackendSubnet `
- -AddressPrefix 10.0.2.0/24
+ -AddressPrefix 10.21.1.0/24
New-AzVirtualNetwork ` -ResourceGroupName myResourceGroupAG ` -Location eastus ` -Name myVNet `
- -AddressPrefix 10.0.0.0/16 `
+ -AddressPrefix 10.21.0.0/16 `
-Subnet $agSubnetConfig, $backendSubnetConfig New-AzPublicIpAddress ` -ResourceGroupName myResourceGroupAG `
application-gateway Quick Create Template https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/application-gateway/quick-create-template.md
description: In this quickstart, you learn how to use a Resource Manager templat
Previously updated : 01/20/2021 Last updated : 06/14/2021
In this quickstart, you use an Azure Resource Manager template (ARM template) to create an Azure Application Gateway. Then you test the application gateway to make sure it works correctly. + [!INCLUDE [About Azure Resource Manager](../../includes/resource-manager-quickstart-introduction.md)] You can also complete this quickstart using the [Azure portal](quick-create-portal.md), [Azure PowerShell](quick-create-powershell.md), or [Azure CLI](quick-create-cli.md).
automation Automation Dsc Cd Chocolatey https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/automation-dsc-cd-chocolatey.md
Australia Southeast, Canada Central, North Europe.
Details for VM registration (using the PowerShell DSC VM extension) provided in this [Azure Quickstart
-Template](https://github.com/Azure/azure-quickstart-templates/tree/master/dsc-extension-azure-automation-pullserver).
+Template](https://azure.microsoft.com/blog/automating-vm-configuration-using-powershell-dsc-extension/).
This step registers your new VM with the pull server in the list of State Configuration Nodes. Part of this registration is specifying the node configuration to be applied to the node. This node configuration doesn't have to exist yet in the pull server, so it's fine that step 4 is where this is
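Review bot: The link text no longer matches its target: the sentence still reads "provided in this [Azure Quickstart Template](...)" while the new URL points to an Azure blog post ("automating-vm-configuration-using-powershell-dsc-extension") rather than a quickstart template. Suggest updating the anchor text to describe the blog post, or keep the quickstart-template wording and point at a current template location.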
azure-maps Creator Facility Ontology https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-maps/creator-facility-ontology.md
Title: Facility Ontology in Microsoft Azure Maps Creator
description: Facility Ontology that describes the feature class definitions for Azure Maps Creator Previously updated : 05/21/2021 Last updated : 06/14/2021
The `verticalPenetration` class feature defines an area that, when used in a set
|`categoryId` | [category.Id](#category) |true | The ID of a [`category`](#category) feature.| | `setId` | string | true | Vertical penetration features must be used in sets to connect multiple levels. Vertical penetration features in the same set are considered to be the same. The `setId` can be any string, and is case-sensitive. Using a GUID as a `setId` is recommended. Maximum length allowed is 1000.| | `levelId` | [level.Id](#level) | true | The ID of a level feature. |
-|`direction` | string enum [ "both", "lowToHigh", "highToLow", "closed" ]| true | Travel direction allowed on this feature. The ordinal attribute on the [`level`](#level) feature is used to determine the low and high order.|
+|`direction` | string enum [ "both", "lowToHigh", "highToLow", "closed" ]| false | Travel direction allowed on this feature. The ordinal attribute on the [`level`](#level) feature is used to determine the low and high order.|
|`navigableBy` | enum ["pedestrian", "wheelchair", "machine", "bicycle", "automobile", "hiredAuto", "bus", "railcar", "emergency", "ferry", "boat"] | false |Indicates the types of navigating agents that can traverse the unit. If unspecified, the unit is traversable by any navigating agent. | |`nonPublic` | boolean| false | If `true`, the unit is navigable only by privileged users. Default value is `false`. | |`name` | string | false | Name of the feature in local language. Maximum length allowed is 1000.|
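Review bot: Making `direction` optional (required flag `true` to `false`) without stating the behaviour when it is omitted leaves the table incomplete; the neighbouring `navigableBy` and `nonPublic` rows both say what happens when the value is unspecified ("If unspecified, ..."/"Default value is ..."). Suggest adding the default for `direction` to the description so consumers of the ontology know whether an omitted value means "both" or something else.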
The `verticalPenetration` class feature defines an area that, when used in a set
|`categoryId` | [category.Id](#category) |true | The ID of a [`category`](#category) feature.| | `setId` | string | true | Vertical penetration features must be used in sets to connect multiple levels. Vertical penetration features in the same set are connected. The `setId` can be any string, and is case-sensitive. Using a GUID as a `setId` is recommended. Maximum length allowed is 1000. | | `levelId` | [level.Id](#level) | true | The ID of a level feature. |
-|`direction` | string enum [ "both", "lowToHigh", "highToLow", "closed" ]| true | Travel direction allowed on this feature. The ordinal attribute on the [`level`](#level) feature is used to determine the low and high order.|
+|`direction` | string enum [ "both", "lowToHigh", "highToLow", "closed" ]| false | Travel direction allowed on this feature. The ordinal attribute on the [`level`](#level) feature is used to determine the low and high order.|
|`name` | string | false | Name of the feature in local language. Maximum length allowed is 1000.| |`nameSubtitle` | string | false | Subtitle that shows up under the `name` of the feature. Can be used to display the name in a different language, and so on. Maximum length allowed is 1000.| |`nameAlt` | string | false | Alternate name used for the feature. Maximum length allowed is 1000. |
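Review bot: Same omission in this second `verticalPenetration` table: `direction` becomes optional but the description does not say which travel direction applies when the property is absent. Suggest adding an "If unspecified, ..." clause in the same style the other optional rows use.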
azure-monitor Data Collection Rule Azure Monitor Agent https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/agents/data-collection-rule-azure-monitor-agent.md
You can use the Azure portal to create a data collection rule and associate virt
> [!NOTE] > If you wish to send data to Log Analytics, you must create the data collection rule in the **same region** where your Log Analytics workspace resides. The rule can be associated to machines in other supported region(s).
-In the **Azure Monitor** menu in the Azure portal, select **Data Collection Rules** from the **Settings** section. Click **Add** to add a new Data Collection Rule and assignment.
+In the **Azure Monitor** menu in the Azure portal, select **Data Collection Rules** from the **Settings** section. Click **Create** to create a new Data Collection Rule and assignment.
-[![Data Collection Rules](media/data-collection-rule-azure-monitor-agent/data-collection-rules.png)](media/data-collection-rule-azure-monitor-agent/data-collection-rules.png#lightbox)
+[![Data Collection Rules](media/data-collection-rule-azure-monitor-agent/data-collection-rules-updated.png)](media/data-collection-rule-azure-monitor-agent/data-collection-rules-updated.png#lightbox)
-Click **Add** to create a new rule and set of associations. Provide a **Rule name** and specify a **Subscription** and **Resource Group**. This specifies where the DCR will be created. The virtual machines and their associations can be in any subscription or resource group in the tenant.
+Click **Add** to create a new rule and set of associations. Provide a **Rule name** and specify a **Subscription**, **Resource Group** and **Region**. This specifies where the DCR will be created. The virtual machines and their associations can be in any subscription or resource group in the tenant.
+Additionally, choose the appropriate **Platform Type** which specifies the type of resources this rule can apply to. Custom will allow for both Windows and Linux types. This allows for pre-curated creation experiences with options scoped to the selected platform type.
-[![Data Collection Rule Basics](media/data-collection-rule-azure-monitor-agent/data-collection-rule-basics.png)](media/data-collection-rule-azure-monitor-agent/data-collection-rule-basics.png#lightbox)
+[![Data Collection Rule Basics](media/data-collection-rule-azure-monitor-agent/data-collection-rule-basics-updated.png)](media/data-collection-rule-azure-monitor-agent/data-collection-rule-basics-updated.png#lightbox)
-In the **Virtual machines** tab, add virtual machines that should have the Data Collection Rule applied. Both Azure virtual machines and Azure Arc enabled servers in your environment should be listed. The Azure Monitor Agent will be installed on virtual machines that don't already have it installed.
+In the **Resources** tab, add the resources (virtual machines, virtual machine scale sets, Arc for servers) that should have the Data Collection Rule applied. The Azure Monitor Agent will be installed on resources that don't already have it installed, and will enable Azure Managed Identity as well.
-[![Data Collection Rule virtual machines](media/data-collection-rule-azure-monitor-agent/data-collection-rule-virtual-machines.png)](media/data-collection-rule-azure-monitor-agent/data-collection-rule-virtual-machines.png#lightbox)
+[![Data Collection Rule virtual machines](media/data-collection-rule-azure-monitor-agent/data-collection-rule-virtual-machines-updated.png)](media/data-collection-rule-azure-monitor-agent/data-collection-rule-virtual-machines-updated.png#lightbox)
On the **Collect and deliver** tab, click **Add data source** to add a data source and destination set. Select a **Data source type**, and the corresponding details to select will be displayed. For performance counters, you can select from a predefined set of objects and their sampling rate. For events, you can select from a set of logs or facilities and the severity level.
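Review bot: The button name is now inconsistent within the hunk: the first paragraph is changed to "Click **Create** to create a new Data Collection Rule", but the paragraph two lines later still says "Click **Add** to create a new rule and set of associations". Suggest aligning the second paragraph to **Create** as well. Separately, the new Resources sentence states the agent install "will enable Azure Managed Identity as well"; since that silently grants the machine an identity, suggest saying which identity type is enabled and linking to the relevant agent prerequisites so operators are not surprised by the change.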
-[![Data source basic](media/data-collection-rule-azure-monitor-agent/data-collection-rule-data-source-basic.png)](media/data-collection-rule-azure-monitor-agent/data-collection-rule-data-source-basic.png#lightbox)
+[![Data source basic](media/data-collection-rule-azure-monitor-agent/data-collection-rule-data-source-basic-updated.png)](media/data-collection-rule-azure-monitor-agent/data-collection-rule-data-source-basic-updated.png#lightbox)
To specify other logs and performance counters from the [currently supported data sources](azure-monitor-agent-overview.md#data-sources-and-destinations) or to filter events using XPath queries, select **Custom**. You can then specify an [XPath ](https://www.w3schools.com/xml/xpath_syntax.asp) for any specific values to collect. See [Sample DCR](data-collection-rule-overview.md#sample-data-collection-rule) for examples.
-[![Data source custom](media/data-collection-rule-azure-monitor-agent/data-collection-rule-data-source-custom.png)](media/data-collection-rule-azure-monitor-agent/data-collection-rule-data-source-custom.png#lightbox)
+[![Data source custom](media/data-collection-rule-azure-monitor-agent/data-collection-rule-data-source-custom-updated.png)](media/data-collection-rule-azure-monitor-agent/data-collection-rule-data-source-custom-updated.png#lightbox)
On the **Destination** tab, add one or more destinations for the data source. Windows event and Syslog data sources can only send to Azure Monitor Logs. Performance counters can send to both Azure Monitor Metrics and Azure Monitor Logs.
azure-monitor Annotations https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/app/annotations.md
Annotations show where you deployed a new build, or other significant events. An
Release annotations are a feature of the cloud-based Azure Pipelines service of Azure DevOps.
-If your subscription has an Application Insights resource linked to it and you use one of the following deployment tasks, then you don't need to configure anything else.
+If all the following criteria are met, the deployment task creates the release annotation automatically:
-| Task code | Task name | Versions |
-||-|--|
-| AzureAppServiceSettings | Azure App Service Settings | Any |
-| AzureRmWebAppDeployment | Azure App Service deploy | V3 and above |
-| AzureFunctionApp | Azure Functions | Any |
-| AzureFunctionAppContainer | Azure Functions for container | Any |
-| AzureWebAppContainer | Azure Web App for Containers | Any |
-| AzureWebApp | Azure Web App | Any |
+- The resource you're deploying to is linked to Application Insights (via the `APPINSIGHTS_INSTRUMENTATIONKEY` app setting).
+- The Application Insights resource is in the same subscription as the resource you're deploying to.
+- You're using one of the following Azure DevOps pipeline tasks:
+
+ | Task code | Task name | Versions |
+ ||-|--|
+ | AzureAppServiceSettings | Azure App Service Settings | Any |
+ | AzureRmWebAppDeployment | Azure App Service deploy | V3 and above |
+ | AzureFunctionApp | Azure Functions | Any |
+ | AzureFunctionAppContainer | Azure Functions for container | Any |
+ | AzureWebAppContainer | Azure Web App for Containers | Any |
+ | AzureWebApp | Azure Web App | Any |
> [!NOTE] > If youΓÇÖre still using the Application Insights annotation deployment task, you should delete it. ### Configure release annotations
-If you can't use one the deployment tasks in the pervious section, then you need to add an inline script task in your deployment pipeline.
+If you can't use one the deployment tasks in the previous section, then you need to add an inline script task in your deployment pipeline.
1. Navigate to a new or existing pipeline and select a task. :::image type="content" source="./media/annotations/task.png" alt-text="Screenshot of task in stages selected." lightbox="./media/annotations/task.png":::
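Review bot: The typo fix in this hunk ("pervious" to "previous") leaves a second error on the same line: "If you can't use one the deployment tasks" is missing "of". Suggest "If you can't use one of the deployment tasks in the previous section".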
You can use the CreateReleaseAnnotation PowerShell script to create annotations
2. Make a local copy of the script below and call it CreateReleaseAnnotation.ps1. ```powershell
- param(
-
-     [parameter(Mandatory = $true)][string]$aiResourceId,
-
-     [parameter(Mandatory = $true)][string]$releaseName,
-
-     [parameter(Mandatory = $false)]$releaseProperties = @()
-
- )
-
- $annotation = @{
-
-     Id = [GUID]::NewGuid();
-
-     AnnotationName = $releaseName;
-
-     EventTime = (Get-Date).ToUniversalTime().GetDateTimeFormats("s")[0];
-
-     Category = "Deployment";
-
-     Properties = ConvertTo-Json $releaseProperties -Compress
-
- }
-
- $body = (ConvertTo-Json $annotation -Compress) -replace '(\\+)"', '$1$1"' -replace "`"", "`"`""
-
- az rest --method put --uri "$($aiResourceId)/Annotations?api-version=2015-05-01" --body "$($body) "
+ param(
+ [parameter(Mandatory = $true)][string]$aiResourceId,
+ [parameter(Mandatory = $true)][string]$releaseName,
+ [parameter(Mandatory = $false)]$releaseProperties = @()
+ )
+
+ $annotation = @{
+ Id = [GUID]::NewGuid();
+ AnnotationName = $releaseName;
+ EventTime = (Get-Date).ToUniversalTime().GetDateTimeFormats("s")[0];
+ Category = "Deployment";
+ Properties = ConvertTo-Json $releaseProperties -Compress
+ }
+
+ $body = (ConvertTo-Json $annotation -Compress) -replace '(\\+)"', '$1$1"' -replace "`"", "`"`""
+
+ az rest --method put --uri "$($aiResourceId)/Annotations?api-version=2015-05-01" --body "$($body) "
``` 3. Call the PowerShell script with the following code, replacing the angle-bracketed placeholders with your values. The -releaseProperties are optional.
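Review bot: The `EventTime` line carried over unchanged produces a timestamp with no UTC designator: `(Get-Date).ToUniversalTime().GetDateTimeFormats("s")[0]` yields a value like `2021-06-14T10:00:00` without a trailing `Z`, so the annotation time can be misread as local time by whatever consumes it. Suggest a format that keeps the designator (for example `.ToString("o")` after `ToUniversalTime()`), assuming the Annotations API accepts it. Also, `--body "$($body) "` keeps a trailing space inside the quotes; if that is a deliberate workaround for argument parsing it deserves a comment, otherwise `--body "$body"` is cleaner.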
azure-monitor Java Standalone Telemetry Processors https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/app/java-standalone-telemetry-processors.md
All specified conditions must evaluate to true to result in a match.
> If both `include` and `exclude` are specified, the `include` properties are checked before the `exclude` properties are checked. > [!NOTE]
-> If the `include` or `exclude` configuration donot have `spanNames` specified, then the matching criteria is applied on both `spans` and `logs`.
+> If the `include` or `exclude` configuration do not have `spanNames` specified, then the matching criteria is applied on both `spans` and `logs`.
### Sample usage
For more information, see [Telemetry processor examples](./java-standalone-telem
## Log processor > [!NOTE]
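Review bot: The spacing fix ("donot" to "do not") leaves a subject-verb mismatch in the same note: "If the `include` or `exclude` configuration do not have `spanNames` specified". Suggest "does not have" (singular "configuration") or "configurations do not have".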
-> This feature is available only in version 3.1.1 and later.
+> Log processors are available starting from version 3.1.1.
The log processor modifies either the log message body or attributes of a log based on the log message body. It can support the ability to include or exclude logs.
All specified conditions must evaluate to true to result in a match.
> If both `include` and `exclude` are specified, the `include` properties are checked before the `exclude` properties are checked. > [!NOTE]
-> Log processors donot support `spanNames`.
+> Log processors do not support `spanNames`.
### Sample usage
For more information, see [Telemetry processor examples](./java-standalone-telem
## Metric filter
+> [!NOTE]
+> Metric filters are available starting from version 3.1.1.
+ Metric filter are used to exclude some metrics in order to help control ingestion cost. Metric filters only support `exclude` criteria. Metrics that match its `exclude` criteria will not be exported.
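Review bot: Number agreement in the new sentence: "Metric filter are used to exclude some metrics" should read "Metric filters are used", matching "Metric filters only support" in the next sentence. The new NOTE also places the version requirement before the prose, consistent with the Log processor section above, which is good.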
azure-monitor Deploy Scale https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/deploy-scale.md
To view the built-in policy definitions related to monitoring, perform the follo
![Screenshot of the Azure Policy Definitions page in Azure portal showing a list of policy definitions for the Monitoring category and Built-in Type.](media/deploy-scale/builtin-policies.png)
+## Azure Monitor Agent (preview)
+The [Azure Monitor agent](agents/azure-monitor-agent-overview.md) collects monitoring data from the guest operating system of Azure virtual machines and delivers it to Azure Monitor. It uses [Data Collection Rules](agents/data-collection-rule-overview.md) to configure data to collect from each agent, that enable manageability of collection settings at scale while still enabling unique, scoped configurations for subsets of machines.
+Use the policies and policy initiatives below to automatically install the agent and associate it to a data collection rule, every time you create a virtual machine.
+
+### Built-in policy initiatives
+View prerequisites for agent installation [here](agents/azure-monitor-agent-install.md#prerequisites).
+
+There are policy initiatives for Windows and Linux virtual machines, comprising of individual policies that
+- Install the Azure Monitor agent extension on the virtual machine
+- Create and deploy the association to link the virtual machine to a data collection rule
+
+ ![Partial screenshot from the Azure Policy Definitions page showing two built-in policy initiaves for configuring Azure Monitor Agent.](media/deploy-scale/built-in-ama-dcr-initiatives.png)
+
+### Built-in policy
+You may choose to use the individual policies as per your needs, from the respective policy initiative. For example if you only want to automatically install the agent, simply use the first policy from the initiative as shown below:
+
+ ![Partial screenshot from the Azure Policy Definitions page showing policies contained within the initiative for configuring Azure Monitor Agent.](media/deploy-scale/built-in-ama-dcr-policy.png)
+
+### Remediation
+The initiatives or policies will apply to each virtual machine as it's created. A [remediation task](../governance/policy/how-to/remediate-resources.md) deploys the policy definitions in the initiative to **existing resources**, so this allows you to configure the Azure Monitor agent for any resources that were already created. When you create the assignment using the Azure portal, you have the option of creating a remediation task at the same time. See [Remediate non-compliant resources with Azure Policy](../governance/policy/how-to/remediate-resources.md) for details on the remediation.
+
+![Initiative remediation for AMA](media/deploy-scale/built-in-ama-dcr-remediation.png)
+ ## Diagnostic settings [Diagnostic settings](essentials/diagnostic-settings.md) collect resource logs and metrics from Azure resources to multiple locations, typically to a Log Analytics workspace which allows you to analyze the data with [log queries](logs/log-query-overview.md) and [log alerts](alerts/alerts-log.md). Use Policy to automatically create a diagnostic setting each time you create a resource.
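Review bot: Three wording issues in the new Azure Monitor Agent section. "comprising of individual policies that" should be "comprising individual policies that" or "consisting of individual policies that"; the alt text "two built-in policy initiaves" has a typo ("initiatives"); and in the first paragraph "to configure data to collect from each agent, that enable manageability" reads awkwardly, suggest "which enables manageability of collection settings at scale while still allowing unique, scoped configurations for subsets of machines".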
azure-monitor Manage Cost Storage https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/logs/manage-cost-storage.md
Also, some solutions, such as [Azure Defender (Security Center)](https://azure.m
[Log Analytics Dedicated Clusters](logs-dedicated-clusters.md) are collections of workspaces into a single managed Azure Data Explorer cluster to support advanced scenarios such as [Customer-Managed Keys](customer-managed-keys.md). Log Analytics Dedicated Clusters use a commitment tier pricing model that must be configured to at least 1000 GB/day. The cluster commitment tier has a 31-day commitment period after the commitment level is increased. During the commitment period, the commitment tier level cannot be reduced, but it can be increased at any time. When workspaces are associated to a cluster, the data ingestion billing for those workspaces is done at the cluster level using the configured commitment tier level. Learn more about [creating a Log Analytics Clusters](customer-managed-keys.md#create-cluster) and [associating workspaces to it](customer-managed-keys.md#link-workspace-to-cluster). Commitment tier pricing information is available at the [Azure Monitor pricing page]( https://azure.microsoft.com/pricing/details/monitor/).
-The cluster commitment tier level is configured via programmatically with Azure Resource Manager using the `Capacity` parameter under `Sku`. The `Capacity` is specified in units of GB and can have values of 1000 GB/day or more in increments of 100 GB/day. This is detailed at [Azure Monitor customer-managed key](customer-managed-keys.md#create-cluster).
+The cluster commitment tier level is configured via programmatically with Azure Resource Manager using the `Capacity` parameter under `Sku`. The `Capacity` is specified in units of GB and can have values of 1000, 2000 or 5000 GB/day. This is detailed at [Creating a cluster](logs-dedicated-clusters.md#creating-a-cluster).
-There are two modes of billing for usage on a cluster. These can be specified by the `billingType` parameter when [configuring your cluster](customer-managed-keys.md#customer-managed-key-operations). The two modes are:
+There are two modes of billing for usage on a cluster. These can be specified by the `billingType` parameter when [creating a cluster](logs-dedicated-clusters.md#creating-a-cluster) or set after creation. The two modes are:
1. **Cluster**: in this case (which is the default), billing for ingested data is done at the cluster level. The ingested data quantities from each workspace associated to a cluster are aggregated to calculate the daily bill for the cluster. Per-node allocations from [Azure Defender (Security Center)](../../security-center/index.yml) are applied at the workspace level prior to this aggregation of aggregated data across all workspaces in the cluster.
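Review bot: Since this line is being edited anyway, fix the pre-existing phrasing "configured via programmatically with Azure Resource Manager" to "configured programmatically with Azure Resource Manager". The change from "1000 GB/day or more in increments of 100 GB/day" to the fixed set "1000, 2000 or 5000 GB/day" is a material change to the accepted `Capacity` values; suggest confirming that the linked "Creating a cluster" section lists the same three values so the two pages do not drift.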
azure-netapp-files Azure Netapp Files Create Volumes Smb https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-netapp-files/azure-netapp-files-create-volumes-smb.md
na ms.devlang: na Previously updated : 05/05/2021 Last updated : 06/14/2021 # Create an SMB volume for Azure NetApp Files
Before creating an SMB volume, you need to create an Active Directory connection
![Show advanced selection](../media/azure-netapp-files/volume-create-advanced-selection.png) 4. Click **Protocol** and complete the following information:
- * Select **SMB** as the protocol type for the volume.
- * Select your **Active Directory** connection from the drop-down list.
- * Specify the name of the shared volume in **Share name**.
+ * Select **SMB** as the protocol type for the volume.
+
+ * Select your **Active Directory** connection from the drop-down list.
+
+ * Specify a unique **share name** for the volume. This share name is used when you create mount targets. The requirements for the share name are as follows:
+ - It must be unique within each subnet in the region.
+ - It must start with an alphabetical character.
+ - It can contain only letters, numbers, or dashes (`-`).
+ - The length must not exceed 80 characters.
+
* If you want to enable encryption for SMB3, select **Enable SMB3 Protocol Encryption**. This feature enables encryption for in-flight SMB3 data. SMB clients not using SMB3 encryption will not be able to access this volume. Data at rest is encrypted regardless of this setting. See [SMB encryption](azure-netapp-files-smb-performance.md#smb-encryption) for additional information.
azure-netapp-files Azure Netapp Files Create Volumes https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-netapp-files/azure-netapp-files-create-volumes.md
na ms.devlang: na Previously updated : 05/05/2021 Last updated : 06/14/2021 # Create an NFS volume for Azure NetApp Files
This article shows you how to create an NFS volume. For SMB volumes, see [Create
3. Click **Protocol**, and then complete the following actions: * Select **NFS** as the protocol type for the volume.
- * Specify the **file path** that will be used to create the export path for the new volume. The export path is used to mount and access the volume.
- The file path name can contain letters, numbers, and hyphens ("-") only. It must be between 16 and 40 characters in length.
-
- The file path must be unique within each subscription and each region.
+ * Specify a unique **file path** for the volume. This path is used when you create mount targets. The requirements for the path are as follows:
+ - It must be unique within each subnet in the region.
+ - It must start with an alphabetical character.
+ - It can contain only letters, numbers, or dashes (`-`).
+ - The length must not exceed 80 characters.
* Select the NFS version (**NFSv3** or **NFSv4.1**) for the volume.
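Review bot: The replaced requirements materially change the validation rules rather than just reword them: the removed lines say the file path must be 16 to 40 characters and unique within each subscription and each region, while the new list says it must not exceed 80 characters and be unique within each subnet in the region. Suggest confirming both changes with the service behaviour before merging, since the identical list is introduced for the SMB share name in the companion change and users script these names.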
azure-netapp-files Azure Netapp Files Faqs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-netapp-files/azure-netapp-files-faqs.md
Yes, you must create an Active Directory connection before deploying an SMB volu
### How many Active Directory connections are supported?
-Azure NetApp Files does not support multiple Active Directory (AD) connections in a single *region*, even if the AD connections are in different NetApp accounts. However, you can have multiple AD connections in a single *subscription*, as long as the AD connections are in different regions. If you need multiple AD connections in a single region, you can use separate subscriptions to do so.
+You can configure only one Active Directory (AD) connection per subscription and per region. See [Requirements for Active Directory connections](create-active-directory-connections.md#requirements-for-active-directory-connections) for additional information.
-An AD connection is configured per NetApp account; the AD connection is visible only through the NetApp account it is created in.
+However, you can map multiple NetApp accounts that are under the same subscription and same region to a common AD server created in one of the NetApp accounts. See [Map multiple NetApp accounts in the same subscription and region to an AD connection](create-active-directory-connections.md#shared_ad).
### Does Azure NetApp Files support Azure Active Directory?
azure-netapp-files Azure Netapp Files Manage Snapshots https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-netapp-files/azure-netapp-files-manage-snapshots.md
na ms.devlang: na Previously updated : 02/20/2021 Last updated : 06/14/2021 # Manage snapshots by using Azure NetApp Files
You can create volume snapshots on demand.
You can schedule for volume snapshots to be taken automatically by using snapshot policies. You can also modify a snapshot policy as needed, or delete a snapshot policy that you no longer need.
-### Register the feature
-
-The **snapshot policy** feature is currently in preview. If you are using this feature for the first time, you need to register the feature first.
-
-1. Register the feature:
-
- ```azurepowershell-interactive
- Register-AzProviderFeature -ProviderNamespace Microsoft.NetApp -FeatureName ANFSnapshotPolicy
- ```
-
-2. Check the status of the feature registration:
-
- > [!NOTE]
- > The **RegistrationState** may be in the `Registering` state for up to 60 minutes before changing to`Registered`. Wait until the status is **Registered** before continuing.
-
- ```azurepowershell-interactive
- Get-AzProviderFeature -ProviderNamespace Microsoft.NetApp -FeatureName ANFSnapshotPolicy
- ```
-You can also use [Azure CLI commands](/cli/azure/feature) `az feature register` and `az feature show` to register the feature and display the registration status.
- ### Create a snapshot policy A snapshot policy enables you to specify the snapshot creation frequency in hourly, daily, weekly, or monthly cycles. You also need to specify the maximum number of snapshots to retain for the volume.
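Review bot: deleting the "Register the feature" section also deletes this article's `#register-the-feature` anchor, so any inbound link to it now dangles; the manual QoS articles in this same change drop their own "requires registration. See ...#register-the-feature" sentences, but nothing here shows the snapshot-policy anchor being checked for inbound links, so run a link check before merging. Also confirm a blank line survives before the "### Create a snapshot policy" heading, which follows the removed block directly.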
azure-netapp-files Azure Netapp Files Set Up Capacity Pool https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-netapp-files/azure-netapp-files-set-up-capacity-pool.md
na ms.devlang: na Previously updated : 09/22/2020 Last updated : 06/14/2021 # Set up a capacity pool
You must have already created a NetApp account.
> [!IMPORTANT] > Setting **QoS type** to **Manual** is permanent. You cannot convert a manual QoS capacity pool to use auto QoS. However, you can convert an auto QoS capacity pool to use manual QoS. See [Change a capacity pool to use manual QoS](manage-manual-qos-capacity-pool.md#change-to-qos).
- > Using the manual QoS type for a capacity pool requires registration. See [Manage a manual QoS capacity pool](manage-manual-qos-capacity-pool.md#register-the-feature).
![New capacity pool](../media/azure-netapp-files/azure-netapp-files-new-capacity-pool.png)
azure-netapp-files Azure Netapp Files Understand Storage Hierarchy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-netapp-files/azure-netapp-files-understand-storage-hierarchy.md
na ms.devlang: na Previously updated : 09/22/2020 Last updated : 06/14/2021 # Storage hierarchy of Azure NetApp Files
The QoS type is an attribute of a capacity pool. Azure NetApp Files provides two
- <a name="manual_qos_type"></a>*Manual* QoS type
- > [!IMPORTANT]
- > Using the manual QoS type for a capacity pool requires registration. See [Manage a manual QoS capacity pool](manage-manual-qos-capacity-pool.md).
- You have the option to use the manual QoS type for a capacity pool. In a manual QoS capacity pool, you can assign the capacity and throughput for a volume independently. The total throughput of all volumes created with a manual QoS capacity pool is limited by the total throughput of the pool. It is determined by the combination of the pool size and the service-level throughput.
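Review bot: dropping the [!IMPORTANT] note also drops the only link from the manual QoS bullet to the "Manage a manual QoS capacity pool" article; the paragraph that remains still tells readers they "have the option to use the manual QoS type" without saying where to do it. Keep a plain "See [Manage a manual QoS capacity pool](manage-manual-qos-capacity-pool.md)." sentence so the how-to stays discoverable from the overview.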
azure-netapp-files Create Active Directory Connections https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-netapp-files/create-active-directory-connections.md
na ms.devlang: na Previously updated : 05/17/2021 Last updated : 06/14/2021 # Create and manage Active Directory connections for Azure NetApp Files
-Several features of Azure NetApp Files require that you have an Active Directory connection. For example, you need to have an Active Directory connection before you can create an [SMB volume](azure-netapp-files-create-volumes-smb.md) or a [dual-protocol volume](create-volumes-dual-protocol.md). This article shows you how to create and manage Active Directory connections for Azure NetApp Files.
+Several features of Azure NetApp Files require that you have an Active Directory connection. For example, you need to have an Active Directory connection before you can create an [SMB volume](azure-netapp-files-create-volumes-smb.md), a [NFSv4.1 Kerberos volume](configure-kerberos-encryption.md), or a [dual-protocol volume](create-volumes-dual-protocol.md). This article shows you how to create and manage Active Directory connections for Azure NetApp Files.
## Before you begin
-You must have already set up a capacity pool.
-[Set up a capacity pool](azure-netapp-files-set-up-capacity-pool.md)
-A subnet must be delegated to Azure NetApp Files.
-[Delegate a subnet to Azure NetApp Files](azure-netapp-files-delegate-subnet.md)
+* You must have already set up a capacity pool. See [Set up a capacity pool](azure-netapp-files-set-up-capacity-pool.md).
+* A subnet must be delegated to Azure NetApp Files. See [Delegate a subnet to Azure NetApp Files](azure-netapp-files-delegate-subnet.md).
## Requirements for Active Directory connections
- The requirements for Active Directory connections are as follows:
+* You can configure only one Active Directory (AD) connection per subscription and per region.
+
+ Azure NetApp Files does not support multiple AD connections in a single *region*, even if the AD connections are in different NetApp accounts. However, you can have multiple AD connections in a single subscription if the AD connections are in different regions. If you need multiple AD connections in a single region, you can use separate subscriptions to do so.
+
+ The AD connection is visible only through the NetApp account it is created in. However, you can enable the Shared AD feature to allow NetApp accounts that are under the same subscription and same region to use an AD server created in one of the NetApp accounts. See [Map multiple NetApp accounts in the same subscription and region to an AD connection](#shared_ad). When you enable this feature, the AD connection becomes visible in all NetApp accounts that are under the same subscription and same region.
* The admin account you use must have the capability to create machine accounts in the organizational unit (OU) path that you will specify.
This setting is configured in the **Active Directory Connections** under **NetAp
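Review bot: "a NFSv4.1 Kerberos volume" in the added intro sentence should be "an NFSv4.1 Kerberos volume" (the acronym is read letter by letter); the same phrase appears in the new Shared AD section and in the whats-new entry. In the requirements hunk, the indented paragraph under the "only one Active Directory (AD) connection per subscription and per region" bullet restates that bullet almost verbatim in its first sentence ("does not support multiple AD connections in a single region, even if the AD connections are in different NetApp accounts"); drop the restatement and keep only the different-regions / separate-subscriptions clarification and the Shared AD pointer.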
1. From your NetApp account, click **Active Directory connections**, then click **Join**.
+ Azure NetApp Files supports only one Active Directory connection within the same region and the same subscription. If Active Directory is already configured by another NetApp account in the same subscription and region, you cannot configure and join a different Active Directory from your NetApp account. However, you can enable the Shared AD feature to allow an Active Directory configuration to be shared by multiple NetApp accounts within the same subscription and the same region. See [Map multiple NetApp accounts in the same subscription and region to an AD connection](#shared_ad).
+ ![Active Directory Connections](../media/azure-netapp-files/azure-netapp-files-active-directory-connections.png) 2. In the Join Active Directory window, provide the following information, based on the Domain Services you want to use:
This setting is configured in the **Active Directory Connections** under **NetAp
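Review bot: the paragraph added after "click **Join**" repeats the one-connection-per-subscription-per-region rule and the Shared AD explanation for the third time in this article (the requirements section and the Shared AD section say the same); a one-line pointer such as "If another NetApp account in this subscription and region already has an AD connection, see [Map multiple NetApp accounts in the same subscription and region to an AD connection](#shared_ad)." is enough at this step. Also make sure the screenshot line and step "2. In the Join Active Directory window, ..." stay on separate lines; they appear run together in the rendered diff.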
Get-AzProviderFeature -ProviderNamespace Microsoft.NetApp -FeatureName ANFBackupOperator ```
- You can also use [Azure CLI commands](/cli/azure/feature) `az feature register` and `az feature show` to register the feature and display the registration status.
+ You can also use [Azure CLI commands](/cli/azure/feature) `az feature register` and `az feature show` to register the feature and display the registration status.
* Credentials, including your **username** and **password**
This setting is configured in the **Active Directory Connections** under **NetAp
![Created Active Directory connections](../media/azure-netapp-files/azure-netapp-files-active-directory-connections-created.png)
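Review bot: a whitespace-only change (indenting the "You can also use Azure CLI commands ..." sentence) needs a reason: confirm the indentation is intended to place the sentence inside the numbered step, because the identical sentence in the new Shared AD section of this same change is left unindented, and otherwise drop the churn so the two registration blocks render the same way.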
+## <a name="shared_ad"></a>Map multiple NetApp accounts in the same subscription and region to an AD connection
+
+The Shared AD feature enables all NetApp accounts to share an Active Directory (AD) connection created by one of the NetApp accounts that belong to the same subscription and the same region. For example, using this feature, all NetApp accounts in the same subscription and region can use the common AD configuration to create an [SMB volume](azure-netapp-files-create-volumes-smb.md), a [NFSv4.1 Kerberos volume](configure-kerberos-encryption.md), or a [dual-protocol volume](create-volumes-dual-protocol.md). When you use this feature, the AD connection will be visible in all NetApp accounts that are under the same subscription and same region.
+
+This feature is currently in preview. You need to register the feature before using it for the first time. After registration, the feature is enabled and works in the background. No UI control is required.
+
+1. Register the feature:
+
+ ```azurepowershell-interactive
+ Register-AzProviderFeature -ProviderNamespace Microsoft.NetApp -FeatureName ANFSharedAD
+ ```
+
+2. Check the status of the feature registration:
+
+ > [!NOTE]
+ > The **RegistrationState** may be in the `Registering` state for up to 60 minutes before changing to`Registered`. Wait until the status is **Registered** before continuing.
+
+ ```azurepowershell-interactive
+ Get-AzProviderFeature -ProviderNamespace Microsoft.NetApp -FeatureName ANFSharedAD
+ ```
+You can also use [Azure CLI commands](/cli/azure/feature) `az feature register` and `az feature show` to register the feature and display the registration status.
+
## Next steps * [Create an SMB volume](azure-netapp-files-create-volumes-smb.md)
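Review bot: the new section should state the security consequence of enabling the feature. Once registered it "works in the background" with "no UI control", and the AD connection, together with the username and password stored with it and the admin account's ability to create machine accounts in the specified OU, becomes usable from every NetApp account in the subscription and region; no per-account opt-out is shown here. Say explicitly that registering ANFSharedAD effectively grants every NetApp account in scope the ability to join SMB, NFSv4.1 Kerberos and dual-protocol volumes to that domain with those credentials, so subscription owners can decide whether that matches their account boundaries. Minor: "changing to`Registered`" is missing a space before the backtick (copied from the removed registration sections), and "a NFSv4.1 Kerberos volume" should be "an NFSv4.1 Kerberos volume".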
azure-netapp-files Create Volumes Dual Protocol https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-netapp-files/create-volumes-dual-protocol.md
na ms.devlang: na Previously updated : 06/10/2021 Last updated : 06/14/2021 # Create a dual-protocol (NFSv3 and SMB) volume for Azure NetApp Files
To create NFS volumes, see [Create an NFS volume](azure-netapp-files-create-volu
3. Click **Protocol**, and then complete the following actions: * Select **dual-protocol (NFSv3 and SMB)** as the protocol type for the volume.
- * Specify the **Volume path** for the volume.
- This volume path is the name of the shared volume. The name must start with an alphabetical character, and it must be unique within each subscription and each region.
+ * Specify a unique **Volume Path**. This path is used when you create mount targets. The requirements for the path are as follows:
+
+ - It must be unique within each subnet in the region.
+ - It must start with an alphabetical character.
+ - It can contain only letters, numbers, or dashes (`-`).
+ - The length must not exceed 80 characters.
* Specify the **Security Style** to use: NTFS (default) or UNIX.
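Review bot: the uniqueness scope changes substantively, not just in wording: the removed text said the volume path "must be unique within each subscription and each region", while the new bullet says "unique within each subnet in the region". The two statements give different answers for two volumes in different delegated subnets of the same region, so confirm which is correct before merging and make the SMB and NFS volume articles say the same thing. Also the field label changed from "Volume path" to "Volume Path"; match the casing used in the portal.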
azure-netapp-files Manage Manual Qos Capacity Pool https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-netapp-files/manage-manual-qos-capacity-pool.md
na ms.devlang: na Previously updated : 02/04/2021 Last updated : 06/14/2021 # Manage a manual QoS capacity pool
This article describes how to manage a capacity pool that uses the manual QoS ty
See [Storage hierarchy of Azure NetApp Files](azure-netapp-files-understand-storage-hierarchy.md) and [Performance considerations for Azure NetApp Files](azure-netapp-files-performance-considerations.md) to understand the considerations about QoS types.
-## Register the feature
-The manual QoS type feature is currently in preview. If you are using this feature for the first time, you need to register the feature first.
-
-1. Register the feature:
-
- ```azurepowershell-interactive
- Register-AzProviderFeature -ProviderNamespace Microsoft.NetApp -FeatureName ANFFlexPool
- ```
-
-2. Check the status of the feature registration:
-
- > [!NOTE]
- > The **RegistrationState** may be in the `Registering` state for up to 60 minutes before changing to`Registered`. Wait until the status is **Registered** before continuing.
-
- ```azurepowershell-interactive
- Get-AzProviderFeature -ProviderNamespace Microsoft.NetApp -FeatureName ANFFlexPool
- ```
-You can also use [Azure CLI commands](/cli/azure/feature) `az feature register` and `az feature show` to register the feature and display the registration status.
- ## Set up a new manual QoS capacity pool To create a new capacity pool using the manual QoS type:
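Review bot: deleting the "Register the feature" section removes the `#register-the-feature` anchor that other articles link to; this change does remove the two references shown here (the [!IMPORTANT] note in the capacity pool article and the "requires that you [register the feature]" sentence in the manual QoS introduction), and the storage hierarchy note that linked to this article is removed as well, but run a link check for any remaining `manage-manual-qos-capacity-pool.md#register-the-feature` references. Also confirm a blank line is kept before "## Set up a new manual QoS capacity pool" after the deletion.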
azure-netapp-files Manual Qos Capacity Pool Introduction https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-netapp-files/manual-qos-capacity-pool-introduction.md
na ms.devlang: na Previously updated : 02/04/2021 Last updated : 06/14/2021 # Manual QoS capacity pool
When you [create a capacity pool](azure-netapp-files-set-up-capacity-pool.md), y
Setting the capacity type to manual QoS is a permanent change. You cannot convert a manual QoS type capacity tool to an auto QoS capacity pool.
-Using the manual QoS type requires that you [register the feature](manage-manual-qos-capacity-pool.md#register-the-feature).
- ## Next steps * [Manage a manual QoS capacity pool](manage-manual-qos-capacity-pool.md)
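Review bot: the unchanged line directly above the deleted sentence reads "You cannot convert a manual QoS type capacity tool to an auto QoS capacity pool"; "capacity tool" should be "capacity pool". Since this paragraph is being edited anyway, fix the typo in the same commit.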
azure-netapp-files Storage Service Add Ons https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-netapp-files/storage-service-add-ons.md
+
+ Title: Storage service add-ons for Azure NetApp Files | Microsoft Docs
+description: Describes the services provided through the storage service add-ons for Azure NetApp Files.
+
+documentationcenter: ''
++
+editor: ''
+
+ms.assetid:
++
+ na
+ms.devlang: na
+ Last updated : 05/06/2021++
+# Storage service add-ons for Azure NetApp Files
+
+The **Storage service add-ons** portal menu of Azure NetApp Files provides a ΓÇ£launching padΓÇ¥ for supported third-party, ecosystem add-ons to the Azure NetApp Files storage service.
+
+## Access storage service add-ons
+
+Clicking a category (for example, **NetApp add-ons**) under **Storage service add-ons** displays tiles for available add-ons in that category. Clicking an add-on tile in the category takes you to a landing page for quick access of that add-on and directs you to the add-on installation page.
+
+![Snapshot that shows how to access to the storage service add-ons menu.](../media/azure-netapp-files/storage-service-add-ons.png)
+
+## Next steps
+
+* [Solution architectures using Azure NetApp Files](azure-netapp-files-solution-architectures.md)
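Review bot: the quotation marks around "launching pad" are mis-encoded (ΓÇ£ and ΓÇ¥ are UTF-8 curly quotes read back through a single-byte code page); save the file as UTF-8 and use plain or proper curly quotes. The front matter carries empty keys (`documentationcenter: ''`, `editor: ''`, `ms.assetid:`) that can be dropped, and the image alt text "Snapshot that shows how to access to the storage service add-ons menu." should read "Screenshot that shows how to access the storage service add-ons menu."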
azure-netapp-files Whats New https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-netapp-files/whats-new.md
na ms.devlang: na Previously updated : 05/12/2021 Last updated : 06/14/2021
Azure NetApp Files is updated regularly. This article provides a summary about the latest new features and enhancements.
-## May 2021
+## June 2021
+
+* [Azure NetApp Files storage service add-ons](storage-service-add-ons.md)
+
+ The new Azure NetApp Files **Storage service add-ons** menu option provides an Azure portal ΓÇ£launching padΓÇ¥ for supported third-party, ecosystem add-ons to the Azure NetApp Files storage service. With this new portal menu option, you can enter a landing page by clicking an add-on tile to quickly access the add-on.
+
+ **NetApp add-ons** is the first category of add-ons introduced under **Storage service add-ons**. It provides access to **NetApp Cloud Compliance**. Clicking the **NetApp Cloud Compliance** tile opens a new browser and directs you to the add-on installation page.
+
+* Features now generally available (GA)
+
+ The following Azure NetApp Files features are now generally available. You no longer need to register the features before using them:
+ * [Snapshot policy](azure-netapp-files-manage-snapshots.md#manage-snapshot-policies)
+ * [Manual QoS capacity pool](manual-qos-capacity-pool-introduction.md)
+
+* [Shared AD support for multiple accounts to one Active Directory per region per subscription](create-active-directory-connections.md#shared_ad) (Preview)
+
+ To date, Azure NetApp Files supports only a single Active Directory (AD) per region, where only a single NetApp account could be configured to access the AD. The new **Shared AD** feature enables all NetApp accounts to share an AD connection created by one of the NetApp accounts that belong to the same subscription and the same region. For example, using this feature, all NetApp accounts in the same subscription and region can use the common AD configuration to create an SMB volume, a NFSv4.1 Kerberos volume, or a dual-protocol volume. When you use this feature, the AD connection will be visible in all NetApp accounts that are under the same subscription and same region.
+
+## May 2021
* Azure NetApp Files Application Consistent Snapshot tool [(AzAcSnap)](azacsnap-introduction.md) is now generally available.
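Review bot: "To date, Azure NetApp Files supports only a single Active Directory (AD) per region" describes the behaviour this entry announces as changed; write it as "Previously, Azure NetApp Files supported only a single ..." so the entry does not read as a current restriction. The same encoding problem with ΓÇ£launching padΓÇ¥ appears here as in the new add-ons article, "opens a new browser" should be "opens a new browser tab" (or window), and "a NFSv4.1 Kerberos volume" should be "an NFSv4.1 Kerberos volume".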
azure-portal Quick Create Template https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-portal/quick-create-template.md
The dashboard you create in the next part of this quickstart requires an existin
-Location "East US" ```
-1. Enter a username and password for the VM. This is a new user name and password; it's not, for example, the account you use to sign in to Azure. For more information, see [username requirements](../virtual-machines/windows/faq.md#what-are-the-username-requirements-when-creating-a-vm) and [password requirements](../virtual-machines/windows/faq.md#what-are-the-password-requirements-when-creating-a-vm).
+1. Enter a username and password for the VM. This is a new user name and password; it's not, for example, the account you use to sign in to Azure. For more information, see [username requirements](../virtual-machines/windows/faq.yml#what-are-the-username-requirements-when-creating-a-vm-) and [password requirements](../virtual-machines/windows/faq.yml#what-are-the-password-requirements-when-creating-a-vm-).
The VM deployment now starts and typically takes a few minutes to complete. After deployment completes, move on to the next section.
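Review bot: the new faq.yml anchors end in a trailing hyphen (`...when-creating-a-vm-`), which is what a heading that ends in a question mark produces on the YAML FAQ page; confirm both anchors resolve on the published page rather than silently landing at the top of the article. Within the same step, "username" and "user name" are both used; pick one.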
azure-portal Quickstart Portal Dashboard Azure Cli https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-portal/quickstart-portal-dashboard-azure-cli.md
az vm create --resource-group myResourceGroup --name SimpleWinVM --image win2016
> The password must be complex. > This is a new user name and password. > It's not, for example, the account you use to sign in to Azure.
-> For more information, see [username requirements](../virtual-machines/windows/faq.md#what-are-the-username-requirements-when-creating-a-vm)
-and [password requirements](../virtual-machines/windows/faq.md#what-are-the-password-requirements-when-creating-a-vm).
+> For more information, see [username requirements](../virtual-machines/windows/faq.yml#what-are-the-username-requirements-when-creating-a-vm-)
+and [password requirements](../virtual-machines/windows/faq.yml#what-are-the-password-requirements-when-creating-a-vm-).
The deployment starts and typically takes a few minutes to complete. After deployment completes, move on to the next section.
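Review bot: the continuation line "and [password requirements](...)" has no leading `>` while the line before it does; it still renders inside the note through lazy continuation, but prefix it with `> ` (or join the two lines) so the blockquote is explicit, since the sentence is being edited here anyway.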
azure-portal Quickstart Portal Dashboard Powershell https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-portal/quickstart-portal-dashboard-powershell.md
following these steps.
Store login credentials for the VM in a variable. The password must be complex. This is a new user name and password; it's not, for example, the account you use to sign in to Azure. For more
-information, see [username requirements](../virtual-machines/windows/faq.md#what-are-the-username-requirements-when-creating-a-vm)
-and [password requirements](../virtual-machines/windows/faq.md#what-are-the-password-requirements-when-creating-a-vm).
+information, see [username requirements](../virtual-machines/windows/faq.yml#what-are-the-username-requirements-when-creating-a-vm-)
+and [password requirements](../virtual-machines/windows/faq.yml#what-are-the-password-requirements-when-creating-a-vm-).
```azurepowershell-interactive $Cred = Get-Credential
azure-resource-manager Azure Services Resource Providers https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/management/azure-services-resource-providers.md
Title: Resource providers by Azure services description: Lists all resource provider namespaces for Azure Resource Manager and shows the Azure service for that namespace. Previously updated : 03/16/2021 Last updated : 06/14/2021
The resources providers that are marked with **- registered** are registered by
| Microsoft.IoTSpaces | [Azure Digital Twins](../../digital-twins/index.yml) | | Microsoft.Intune | [Azure Monitor](../../azure-monitor/index.yml) | | Microsoft.KeyVault | [Key Vault](../../key-vault/index.yml) |
-| Microsoft.Kubernetes | [Azure Kubernetes Service (AKS)](../../aks/index.yml) |
-| Microsoft.KubernetesConfiguration | [Azure Kubernetes Service (AKS)](../../aks/index.yml) |
+| Microsoft.Kubernetes | [Azure Kubernetes Service on Azure Stack HCI](/azure-stack/aks-hci/) |
+| Microsoft.KubernetesConfiguration | [Azure Kubernetes Service on Azure Stack HCI](/azure-stack/aks-hci/) |
| Microsoft.Kusto | [Azure Data Explorer](/azure/data-explorer/) | | Microsoft.LabServices | [Azure Lab Services](../../lab-services/index.yml) | | Microsoft.Logic | [Logic Apps](../../logic-apps/index.yml) |
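Review bot: mapping Microsoft.Kubernetes and Microsoft.KubernetesConfiguration solely to AKS on Azure Stack HCI is too narrow: these two namespaces are the ones used by Azure Arc-enabled Kubernetes (connected clusters and their configuration and extension resources), which is how AKS on Azure Stack HCI clusters appear in Azure. If that is the intended relationship, list Azure Arc-enabled Kubernetes for both rows (with AKS on Azure Stack HCI as one consumer) rather than replacing one product name with another.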
azure-resource-manager Template Tutorial Use Key Vault https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/template-tutorial-use-key-vault.md
To complete this article, you need:
openssl rand -base64 32 ```
- Verify that the generated password meets the VM password requirements. Each Azure service has specific password requirements. For the VM password requirements, see [What are the password requirements when you create a VM?](../../virtual-machines/windows/faq.md#what-are-the-password-requirements-when-creating-a-vm).
+ Verify that the generated password meets the VM password requirements. Each Azure service has specific password requirements. For the VM password requirements, see [What are the password requirements when you create a VM?](../../virtual-machines/windows/faq.yml#what-are-the-password-requirements-when-creating-a-vm-).
## Prepare a key vault
azure-sql Auditing Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/auditing-overview.md
Previously updated : 05/02/2021 Last updated : 06/14/2021 # Auditing for Azure SQL Database and Azure Synapse Analytics
You can use SQL Database auditing to:
- **Analyze** reports. You can find suspicious events, unusual activity, and trends. > [!IMPORTANT]
-> Auditing for Azure SQL Database and Azure Synapse is optimized for availability and performance. During very high activity, or high network load, Azure SQL Database and Azure Synapse allow operations to proceed and may not record some audited events..
+> Auditing for Azure SQL Database, Azure Synapse and Azure SQL Managed Instance is optimized for availability and performance. During very high activity, or high network load, Azure SQL Database, Azure Synapse and Azure SQL Managed Instance allow operations to proceed and may not record some audited events.
### Auditing limitations
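Review bot: the note now covers Azure SQL Managed Instance, but the article title ("Auditing for Azure SQL Database and Azure Synapse Analytics") and the "You can use SQL Database auditing to" lead-in still scope the page to Database and Synapse; either widen the scope statement or keep the note's scope matching the article. The note also shortens "Azure Synapse Analytics" to "Azure Synapse"; use the full product name as in the title. Since "may not record some audited events" is the key caveat for anyone using these logs for detection or investigation, consider stating plainly that the absence of an audit record is not evidence that an operation did not occur.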
azure-sql Ledger Append Only Ledger Tables https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/ledger-append-only-ledger-tables.md
Title: "Azure SQL Database append-only ledger tables"
-description: This article provides information on append-only ledger table schema and views in Azure SQL Database
+description: This article provides information on append-only ledger table schema and views in Azure SQL Database.
Last updated "05/25/2021"
[!INCLUDE[appliesto-sqldb](../includes/appliesto-sqldb.md)] > [!NOTE]
-> Azure SQL Database ledger is currently in **public preview**.
+> Azure SQL Database ledger is currently in public preview and available in West Central US.
-Append-only ledger tables allow only `INSERT` operations on your tables, ensuring that privileged users such as Database Administrators (DBAs) can't alter data through traditional [Data Manipulation Language (DML)](/sql/t-sql/queries/queries) operations. Append-only ledger tables are ideal for systems that don't update or delete records, such as Security Information Event and Management (SIEM) systems, or blockchain systems where data needs to be replicated from the blockchain to a database. Since there are no `UPDATE` or `DELETE` operations on an append-only table, there's no need for a corresponding history table as there is with [Updatable ledger tables](ledger-updatable-ledger-tables.md).
+Append-only ledger tables allow only `INSERT` operations on your tables, which ensures that privileged users such as database administrators can't alter data through traditional [Data Manipulation Language](/sql/t-sql/queries/queries) operations. Append-only ledger tables are ideal for systems that don't update or delete records, such as security information event and management systems or blockchain systems where data needs to be replicated from the blockchain to a database. Because there are no `UPDATE` or `DELETE` operations on an append-only table, there's no need for a corresponding history table as there is with [updatable ledger tables](ledger-updatable-ledger-tables.md).
-Creating an append-only ledger table can be done through specifying the `LEDGER = ON` argument in your [CREATE TABLE (Transact-SQL)](/sql/t-sql/statements/create-table-transact-sql) statement and specifying the `APPEND_ONLY = ON` option.
+You can create an append-only ledger table by specifying the `LEDGER = ON` argument in your [CREATE TABLE (Transact-SQL)](/sql/t-sql/statements/create-table-transact-sql) statement and specifying the `APPEND_ONLY = ON` option.
> [!IMPORTANT]
-> Once a table has been created as ledger table, it cannot be reverted back to a table that does not have ledger functionality. This is to ensure an attacker cannot temporarily remove ledger capabilities, make changes to the table, and then re-enable ledger functionality.
+> After a table is created as a ledger table, it can't be reverted to a table that doesn't have ledger functionality. As a result, an attacker can't temporarily remove ledger capabilities, make changes to the table, and then reenable ledger functionality.
### Append-only ledger table schema
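Review bot: the expansion "security information event and management systems" is wrong in both the removed and the replacement text; the term is "security information and event management (SIEM) systems". The rewrite also drops the SIEM and DBA acronyms entirely, which are the terms readers search for; keep them in parentheses after the expanded forms.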
-An append-only table needs to have the following [GENERATED ALWAYS](/sql/t-sql/statements/create-table-transact-sql#generate-always-columns) columns that contain metadata noting which transactions made changes to the table and the order of operations by which rows were updated by the transaction. When creating an append-only ledger table, `GENERATED ALWAYS` columns will be created in your ledger table. This data is useful for forensics purposes in understanding how data was inserted over time.
+An append-only table needs to have the following [GENERATED ALWAYS](/sql/t-sql/statements/create-table-transact-sql#generate-always-columns) columns that contain metadata noting which transactions made changes to the table and the order of operations by which rows were updated by the transaction. When you create an append-only ledger table, `GENERATED ALWAYS` columns will be created in your ledger table. This data is useful for forensics purposes in understanding how data was inserted over time.
-If you do not specify the definitions of the `GENERATED ALWAYS` columns in the [CREATE TABLE](/sql/t-sql/statements/create-table-transact-sql) statement, the system will automatically add them, using the below default names.
+If you don't specify the definitions of the `GENERATED ALWAYS` columns in the [CREATE TABLE](/sql/t-sql/statements/create-table-transact-sql) statement, the system automatically adds them by using the following default names.
| Default column name | Data type | Description | |--|--|--|
-| ledger_start_transaction_id | bigint | The ID of the transaction that created a row version. |
-| ledger_start_sequence_number | bigint | The sequence number of an operation within a transaction that created a row version. |
+| ledger_start_transaction_id | bigint | The ID of the transaction that created a row version |
+| ledger_start_sequence_number | bigint | The sequence number of an operation within a transaction that created a row version |
## Ledger view
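Review bot: the rewritten table rows drop the trailing periods in the Description column, but the ledger view table later in this article keeps them ("The ID of the transaction that created or deleted a row version."); make the two tables consistent. In the paragraph above the table, "the order of operations by which rows were updated by the transaction" is carried over unchanged, yet this section describes append-only tables where rows are only inserted; "inserted" would match the column semantics.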
-For every append-only ledger table, the system automatically generates a view, called the ledger view. The ledger view reports all row inserts that have occurred on the table. The ledger view is primarily helpful for [updatable ledger tables](ledger-updatable-ledger-tables.md), rather than append-only ledger tables, as append-only ledger tables don't have any `UPDATE` or `DELETE` capabilities. The ledger view for append-only ledger tables is available for consistency between both updatable and append-only ledger tables.
+For every append-only ledger table, the system automatically generates a view, called the ledger view. The ledger view reports all row inserts that have occurred on the table. The ledger view is primarily helpful for [updatable ledger tables](ledger-updatable-ledger-tables.md), rather than append-only ledger tables, because append-only ledger tables don't have any `UPDATE` or `DELETE` capabilities. The ledger view for append-only ledger tables is available for consistency between both updatable and append-only ledger tables.
### Ledger view schema > [!NOTE]
-> The ledger view column names can be customized when creating the table using the `<ledger_view_option>` parameter with the [CREATE TABLE (Transact-SQL)](/sql/t-sql/statements/create-table-transact-sql?view=azuresqldb-current&preserve-view=true) statement. For more information, see [ledger view options](/sql/t-sql/statements/create-table-transact-sql?view=azuresqldb-current&preserve-view=true#ledger-view-options) and the corresponding examples in [CREATE TABLE (Transact-SQL)](/sql/t-sql/statements/create-table-transact-sql?view=azuresqldb-current&preserve-view=true).
+> The ledger view column names can be customized when you create the table by using the `<ledger_view_option>` parameter with the [CREATE TABLE (Transact-SQL)](/sql/t-sql/statements/create-table-transact-sql?view=azuresqldb-current&preserve-view=true) statement. For more information, see [ledger view options](/sql/t-sql/statements/create-table-transact-sql?view=azuresqldb-current&preserve-view=true#ledger-view-options) and the corresponding examples in [CREATE TABLE (Transact-SQL)](/sql/t-sql/statements/create-table-transact-sql?view=azuresqldb-current&preserve-view=true).
| Default column name | Data type | Description | | | | | | ledger_transaction_id | bigint | The ID of the transaction that created or deleted a row version. | | ledger_sequence_number | bigint | The sequence number of a row-level operation within the transaction on the table. |
-| ledger_operation_type_id | tinyint | Contains `0` (**INSERT**) or `1` (**DELETE**). Inserting a row into the ledger table produces a new row in the ledger view containing `0` in this column. Deleting a row from the ledger table produces a new row in the ledger view containing `1` in this column. Updating a row in the ledger table produces two new rows in the ledger view. One row contains `1` (**DELETE**) and the other row contains `1` (**INSERT**) in this column. A DELETE should not occur on an append-only ledger table. |
-| ledger_operation_type_desc | nvarchar(128) | Contains `INSERT` or `DELETE`. See above for details. |
+| ledger_operation_type_id | tinyint | Contains `0` (**INSERT**) or `1` (**DELETE**). Inserting a row into the ledger table produces a new row in the ledger view that contains `0` in this column. Deleting a row from the ledger table produces a new row in the ledger view that contains `1` in this column. Updating a row in the ledger table produces two new rows in the ledger view. One row contains `1` (**DELETE**), and the other row contains `1` (**INSERT**) in this column. A DELETE shouldn't occur on an append-only ledger table. |
+| ledger_operation_type_desc | nvarchar(128) | Contains `INSERT` or `DELETE`. For more information, see the preceding row. |
## Next steps
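Review bot: the rewritten ledger_operation_type_id description still carries the original error: an update "produces two new rows ... One row contains `1` (**DELETE**), and the other row contains `1` (**INSERT**)". By the first sentence of the same cell INSERT is `0`, so the second value should read `0` (**INSERT**). Since the hunk already reflows this sentence, fix the value in it rather than leaving a contradiction inside one cell.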
-
+ - [Create and use append-only ledger tables](ledger-how-to-append-only-ledger-tables.md) - [Create and use updatable ledger tables](ledger-how-to-updatable-ledger-tables.md)
azure-sql Ledger Database Ledger https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/ledger-database-ledger.md
Title: "Database ledger"
-description: This article provides information on ledger database tables and associated views in Azure SQL Database
+description: This article provides information on ledger database tables and associated views in Azure SQL Database.
Last updated "05/25/2021"
-# What is the database ledger
+# What is the database ledger?
[!INCLUDE[appliesto-sqldb](../includes/appliesto-sqldb.md)] > [!NOTE]
-> Azure SQL Database ledger is currently in **public preview**.
+> Azure SQL Database ledger is currently in public preview and available in West Central US.
-The database ledger logically uses a blockchain and [Merkle tree data structures](/archive/msdn-magazine/2018/march/blockchain-blockchain-fundamentals). The database ledger incrementally captures the state of the database as it evolves over time while updates occur on ledger tables. To achieve that, the database ledger stores an entry for every transaction, capturing metadata about the transaction such as its commit timestamp and the identity of the user that executed it, but also the Merkle tree root of the rows updated in each ledger table. These entries are then appended to a tamper-evident data structure to allow verification of integrity in the future.
+The database ledger is part of the ledger feature of Azure SQL Database. The database ledger incrementally captures the state of a database as the database evolves over time, while updates occur on ledger tables. It logically uses a blockchain and [Merkle tree data structures](/archive/msdn-magazine/2018/march/blockchain-blockchain-fundamentals).
+To capture the state of the database, the database ledger stores an entry for every transaction. It captures metadata about the transaction, such as its commit timestamp and the identity of the user who executed it. It also captures the Merkle tree root of the rows updated in each ledger table. These entries are then appended to a tamper-evident data structure to allow verification of integrity in the future.
+ For more information on how Azure SQL Database ledger provides data integrity, see [Digest management and database verification](ledger-digest-management-and-database-verification.md). ## Where are database transaction and block data stored?
-The data regarding transactions and blocks is physically stored as rows in two new system catalog views:
+The data for transactions and blocks is physically stored as rows in two system catalog views:
-- [**sys.database_ledger_transactions**](/sql/relational-databases/system-catalog-views/sys-database-ledger-transactions-transact-sql) - maintains a row with the information of each transaction in the ledger, including the ID of the block where this transaction belongs and the ordinal of the transaction within the block. -- [**sys.database_ledger_blocks**](/sql/relational-databases/system-catalog-views/sys-database-ledger-blocks-transact-sql) - maintains a row for every block in the ledger, including the root of the Merkle tree over the transactions within the block, and the hash of the previous block to form a blockchain.
+- [sys.database_ledger_transactions](/sql/relational-databases/system-catalog-views/sys-database-ledger-transactions-transact-sql): Maintains a row with the information of each transaction in the database ledger. The information includes the ID of the block where this transaction belongs and the ordinal of the transaction within the block.
+- [sys.database_ledger_blocks](/sql/relational-databases/system-catalog-views/sys-database-ledger-blocks-transact-sql): Maintains a row for every block in the ledger, including the root of the Merkle tree over the transactions within the block and the hash of the previous block to form a blockchain.
-To view the database ledger, execute the following T-SQL statements in [SQL Server Management Studio](/sql/ssms/download-sql-server-management-studio-ssms) or [Azure Data Studio](/sql/azure-data-studio/download-azure-data-studio).
+To view the database ledger, run the following T-SQL statements in [SQL Server Management Studio](/sql/ssms/download-sql-server-management-studio-ssms) or [Azure Data Studio](/sql/azure-data-studio/download-azure-data-studio).
> [!IMPORTANT] > Viewing the database ledger requires the **VIEW LEDGER CONTENT** permission. For details on permissions related to ledger tables, see [Permissions](/sql/relational-databases/security/permissions-database-engine#asdbpermissions).
SELECT * FROM sys.database_ledger_blocks
GO ```
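Review bot: The added clause in the preview note, "available in West Central US", hard-codes a point-in-time rollout fact, and the same sentence is pasted into the digest-management, append-only and updatable-table articles in this change set, so it will go stale in four places at once. These pages already pull shared text through an include (`[!INCLUDE[appliesto-sqldb](../includes/appliesto-sqldb.md)]`), so the region statement belongs in one include or behind a link to the region availability page rather than inline. Separately, the IMPORTANT block above the query keeps **VIEW LEDGER CONTENT** in its bold uppercase form; keep that spelling wherever the permission is mentioned so readers can match it against `GRANT VIEW LEDGER CONTENT`.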
-The below is an example of a ledger table that consists of four transactions that made-up one block in the blockchain of the database ledger.
+The following example of a ledger table consists of four transactions that made up one block in the blockchain of the database ledger:
++
+A block is closed every 30 seconds, or when the user manually generates a database digest by running the [sys.sp_generate_database_ledger_digest](/sql/relational-databases/system-stored-procedures/sys-sp-generate-database-ledger-digest-transact-sql) stored procedure.
+
+When a block is closed, new transactions will be inserted in a new block. The block generation process then:
+1. Retrieves all transactions that belong to the *closed* block from both the in-memory queue and the [sys.database_ledger_transactions](/sql/relational-databases/system-catalog-views/sys-database-ledger-transactions-transact-sql) system catalog view.
+1. Computes the Merkle tree root over these transactions and the hash of the previous block.
+1. Persists the closed block in the [sys.database_ledger_blocks](/sql/relational-databases/system-catalog-views/sys-database-ledger-blocks-transact-sql) system catalog view.
-A block is closed every 30 seconds, or when the user manually generates a database digest through executing the [sys.sp_generate_database_ledger_digest](/sql/relational-databases/system-stored-procedures/sys-sp-generate-database-ledger-digest-transact-sql) stored procedure. When a block is closed, new transactions will be inserted in a new block. The block generation process then retrieves all transactions that belong to the *closed* block from both the in-memory queue and the [sys.database_ledger_transactions](/sql/relational-databases/system-catalog-views/sys-database-ledger-transactions-transact-sql) system catalog view, computes the Merkle tree root over these transactions and the hash of the previous block and persists the closed block in the [sys.database_ledger_blocks](/sql/relational-databases/system-catalog-views/sys-database-ledger-blocks-transact-sql) system catalog view. Since this is a regular table update, its durability is automatically guaranteed by the system. To maintain the single chain of blocks, this operation is single-threaded, but it's also efficient, as it only computes the hashes over the transaction information, and happens asynchronously, thus, not impacting the transaction performance.
+Because this is a regular table update, the system automatically guarantees its durability. To maintain the single chain of blocks, this operation is single-threaded. But it's also efficient, because it only computes the hashes over the transaction information and happens asynchronously. It doesn't affect the transaction performance.
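Review bot: Step 2 of the new numbered list, "Computes the Merkle tree root over these transactions and the hash of the previous block", reads as if the previous block's hash is computed at this point; per the `sys.database_ledger_blocks` bullet above, that hash is already stored, and the new block's hash is derived from the Merkle root together with it, so phrase the step as computing the Merkle root and then the block hash that chains to the previous block. Two consequences that readers will rely on when verifying are worth stating in this hunk: transactions committed after the last close sit only in the in-memory queue and `sys.database_ledger_transactions` until the next 30-second close, so a digest covers only closed blocks, and running `sys.sp_generate_database_ledger_digest` forces a close, which is why a manual digest taken before an audit captures everything up to that moment. The closing sentence "It doesn't affect the transaction performance" is a stronger claim than the original's "not impacting"; keep it only if block generation is genuinely off the commit path, which the paragraph asserts but does not explain.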
## Next steps -- [Digest management and database verification](ledger-digest-management-and-database-verification.md)-- [Azure SQL Database ledger Overview](ledger-overview.md) -- [Security Catalog Views (Transact-SQL)](/sql/relational-databases/system-catalog-views/security-catalog-views-transact-sql)
+- [Azure SQL Database ledger overview](ledger-overview.md)
+- [Security catalog views (Transact-SQL)](/sql/relational-databases/system-catalog-views/security-catalog-views-transact-sql)
azure-sql Ledger Digest Management And Database Verification https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/ledger-digest-management-and-database-verification.md
Title: "Digest management and database verification"
-description: This article provides information on ledger database digest and database verification in Azure SQL Database
+description: This article provides information on digest management and database verification for a ledger database in Azure SQL Database.
Last updated "05/25/2021"
[!INCLUDE[appliesto-sqldb](../includes/appliesto-sqldb.md)] > [!NOTE]
-> Azure SQL Database ledger is currently in **public preview**.
+> Azure SQL Database ledger is currently in public preview and available in West Central US.
-Azure SQL Database ledger provides a form of data integrity called forward-integrity, which provides evidence of data tampering on data in your ledger tables. For example, if a banking transaction occurs on a ledger table where a balance has been updated to value `x`, if an attacker later modifies the data, changing the balance from `x` to `y`, this tampering activity will be detected through database verification.
+Azure SQL Database ledger provides a form of data integrity called *forward integrity*, which provides evidence of data tampering on data in your ledger tables. For example, if a banking transaction occurs on a ledger table where a balance has been updated to value `x`, and an attacker later modifies the data by changing the balance from `x` to `y`, database verification will detect this tampering activity.
-The database verification process takes as input one or more previously generated database digests and recomputes the hashes stored in the database ledger based on the current state of the ledger tables. If the computed hashes don't match the input digests, the verification fails, indicating that the data has been tampered with, and reports all inconsistencies detected.
+The database verification process takes as input one or more previously generated database digests. It then recomputes the hashes stored in the database ledger based on the current state of the ledger tables. If the computed hashes don't match the input digests, the verification fails. The failure indicates that the data has been tampered with. The verification process reports all inconsistencies that it detects.
## Database digests
-The hash of the latest block in the database ledger is known as the database digest, and represents the state of all ledger tables in the database at the time when the block was generated. Generating a database digest is efficient, since it only involves computing the hashes of the blocks that were recently appended. Database digests can be generated either automatically by the system, or manually by the user, and used later for verifying the data integrity of the database. Database digests are generated in the form of a JSON document that contains the hash of the latest block together with metadata regarding the block ID. The metadata includes the time the digest was generated and the commit timestamp of the last transaction in this block.
+The hash of the latest block in the database ledger is called the *database digest*. It represents the state of all ledger tables in the database at the time when the block was generated. Generating a database digest is efficient, because it involves computing only the hashes of the blocks that were recently appended.
-The verification process and the integrity of the database depends on the integrity of the input digests. For this purpose, database digests that are extracted from the database need to be stored in trusted storages that cannot be tampered with by the high privileged users or attackers of the Azure SQL Database server.
+Database digests can be generated either automatically by the system or manually by the user. You can use them later to verify the integrity of the database.
+
+Database digests are generated in the form of a JSON document that contains the hash of the latest block, together with metadata for the block ID. The metadata includes the time that the digest was generated and the commit time stamp of the last transaction in this block.
+
+The verification process and the integrity of the database depend on the integrity of the input digests. For this purpose, database digests that are extracted from the database need to be stored in trusted storage that the high-privileged users or attackers of the Azure SQL Database server can't tamper with.
### Automatic generation and storage of database digests
-Azure SQL Database ledger integrates with [immutable storage for Azure Blob storage](../../storage/blobs/storage-blob-immutable-storage.md) and [Azure Confidential Ledger](../../confidential-ledger/index.yml), providing secure storage services in Azure to protect the database digests from potential tampering. This integration provides a simple and cost-effective way for users to automate digest management without having to worry about their availability and geographic replication.
+Azure SQL Database ledger integrates with the [immutable storage feature of Azure Blob Storage](../../storage/blobs/storage-blob-immutable-storage.md) and [Azure Confidential Ledger](../../confidential-ledger/index.yml). This integration provides secure storage services in Azure to help protect the database digests from potential tampering. This integration provides a simple and cost-effective way for users to automate digest management without having to worry about their availability and geographic replication.
-Configuring automatic generation and storage of database digests can be done through either the Azure portal, PowerShell, or Azure CLI. When configured, database digests are generated on a pre-defined interval of 30 seconds and uploaded to the storage service selected. If no transactions occur in the system in the 30-second interval, then a database digest won't be generated and uploaded, ensuring that database digests are only generated when data has been updated in your database.
+You can configure automatic generation and storage of database digests through the Azure portal, PowerShell, or the Azure CLI. When you configure automatic generation and storage, database digests are generated on a predefined interval of 30 seconds and uploaded to the selected storage service. If no transactions occur in the system in the 30-second interval, a database digest won't be generated and uploaded. This mechanism ensures that database digests are generated only when data has been updated in your database.
> [!IMPORTANT]
-> An [immutability policy](../../storage/blobs/storage-blob-immutability-policies-manage.md) should be configured on your container after provisioning to ensure database digests are protected from tampering.
+> Configure an [immutability policy](../../storage/blobs/storage-blob-immutability-policies-manage.md) on your container after provisioning to ensure that database digests are protected from tampering.
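Review bot: The IMPORTANT note should say what goes wrong without the policy. The trust argument in the "Database digests" section rests on digests being held where high-privileged users of the server can't modify them, and a container without an immutability policy is writable by anyone with write access to the storage account, so a tampered database plus an overwritten digest would verify cleanly. Suggest the note state that explicitly, point out that there is a window between provisioning the container and applying the policy during which uploaded digests are unprotected, and say the policy should be locked, because an unlocked time-based retention policy can still be removed by the storage account owner.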
### Manual generation and storage of database digests
-Azure SQL Database ledger also allows users to generate a database digest on demand so that they can manually store the digest in any service or device that they consider a trusted storage destination, such as an on-premises write once read many (WORM) device. Manually generating a database digest is done through executing the [sys.sp_generate_database_ledger_digest](/sql/relational-databases/system-stored-procedures/sys-sp-generate-database-ledger-digest-transact-sql) stored procedure in either [SQL Server Management Studio](/sql/ssms/download-sql-server-management-studio-ssms) or [Azure Data Studio](/sql/azure-data-studio/download-azure-data-studio).
+You can also use Azure SQL Database ledger to generate a database digest on demand so that you can manually store the digest in any service or device that you consider a trusted storage destination. For example, you might choose an on-premises write once, read many (WORM) device as a destination. You manually generate a database digest by running the [sys.sp_generate_database_ledger_digest](/sql/relational-databases/system-stored-procedures/sys-sp-generate-database-ledger-digest-transact-sql) stored procedure in either [SQL Server Management Studio](/sql/ssms/download-sql-server-management-studio-ssms) or [Azure Data Studio](/sql/azure-data-studio/download-azure-data-studio).
> [!IMPORTANT] > Generating database digests requires the **GENERATE LEDGER DIGEST** permission. For details on permissions related to ledger tables, see [Permissions](/sql/relational-databases/security/permissions-database-engine#asdbpermissions).
Azure SQL Database ledger also allows users to generate a database digest on dem
EXECUTE sp_generate_database_ledger_digest ```
-The result set returned will be a single row of data, which should be saved to the trusted storage location as a JSON document as follows:
+The returned result set is a single row of data. It should be saved to the trusted storage location as a JSON document as follows:
```json {
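Review bot: The manual path leaves its key control implicit: a digest is evidence only if it was captured before any tampering and is held where the server's privileged users cannot replace it, and nothing stops a principal holding **GENERATE LEDGER DIGEST** from producing a fresh, internally consistent digest after altering data. Suggest the sentence "It should be saved to the trusted storage location as a JSON document" say that the export should happen at generation time, by the same process that runs `EXECUTE sp_generate_database_ledger_digest`, to a WORM destination the database administrators cannot write to, and that the generation time and last-commit timestamp in the document are what let an auditor order the digests and notice a missing one.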
The result set returned will be a single row of data, which should be saved to t
## Database verification
-The verification process scans all ledger and history tables and recomputes the SHA-256 hashes of their rows and compares them against the database digest files passed to the verification stored procedure. For large ledger tables, database verification can be a resource-intensive process, and should be executed only when users need to verify the integrity of their database. It can be executed hourly or daily for cases where the integrity of the database needs to be frequently monitored, or only when the organization hosting the data goes through an audit and needs to provide cryptographic evidence regarding the integrity of their data. To reduce the cost of verification, ledger exposes options to verify individual ledger tables, or only a subset of the ledger.
+The verification process scans all ledger and history tables. It recomputes the SHA-256 hashes of their rows and compares them against the database digest files passed to the verification stored procedure.
+
+For large ledger tables, database verification can be a resource-intensive process. You should use it only when you need to verify the integrity of a database.
-Database verification is accomplished through two stored procedures, depending on whether [automatic digest storage](#database-verification-using-automatic-digest-storage) is used, or whether [digests are manually managed](#database-verification-using-manual-digest-storage) by the user.
+The verification process can be executed hourly or daily for cases where the integrity of the database needs to be frequently monitored. Or it can be executed only when the organization that's hosting the data goes through an audit and needs to provide cryptographic evidence about the integrity of the data. To reduce the cost of verification, ledger exposes options to verify individual ledger tables or only a subset of the ledger tables.
+
+You accomplish database verification through two stored procedures, depending on whether you [use automatic digest storage](#database-verification-that-uses-automatic-digest-storage) or you [manually manage digests](#database-verification-that-uses-manual-digest-storage).
> [!IMPORTANT]
-> Database verification requires the **VIEW LEDGER CONTENT** permission. For details on permissions related to ledger tables, see [Permissions](/sql/relational-databases/security/permissions-database-engine#asdbpermissions).
+> Database verification requires the *View Ledger Content* permission. For details on permissions related to ledger tables, see [Permissions](/sql/relational-databases/security/permissions-database-engine#asdbpermissions).
+
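Review bot: This hunk changes `**VIEW LEDGER CONTENT**` to `*View Ledger Content*`, which is inconsistent with the same permission in the database-ledger article and with **GENERATE LEDGER DIGEST** and **ENABLE LEDGER** elsewhere in this change set, all of which keep the bold uppercase T-SQL spelling; permission names are tokens in `GRANT` and `DENY` statements, so keep them verbatim. While here, the paragraph on hourly or daily verification would be clearer if it said that the principal running verification needs only **VIEW LEDGER CONTENT**, so a scheduled verifier or an auditor can run under that single permission with nothing that lets it generate digests or alter ledger tables.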
+### Database verification that uses automatic digest storage
-### Database verification using automatic digest storage
+When you're using automatic digest storage for generating and storing database digests, the location of the digest storage is in the system catalog view [sys.database_ledger_digest_locations](/sql/relational-databases/system-catalog-views/sys-database-ledger-digest-locations-transact-sql) as JSON objects. Running database verification consists of executing the [sp_verify_database_ledger_from_digest_storage](/sql/relational-databases/system-stored-procedures/sys-sp-verify-database-ledger-from-digest-storage-transact-sql) system stored procedure. Specify the JSON objects from the [sys.database_ledger_digest_locations](/sql/relational-databases/system-catalog-views/sys-database-ledger-digest-locations-transact-sql) system catalog view where database digests are configured to be stored.
-When using automatic digest storage for generating and storing database digests, the location of the digest storage is in the system catalog view [sys.database_ledger_digest_locations](/sql/relational-databases/system-catalog-views/sys-database-ledger-digest-locations-transact-sql) as JSON objects. Running database verification consists of executing the [sp_verify_database_ledger_from_digest_storage](/sql/relational-databases/system-stored-procedures/sys-sp-verify-database-ledger-from-digest-storage-transact-sql) system stored procedure, specifying the JSON objects from the [sys.database_ledger_digest_locations](/sql/relational-databases/system-catalog-views/sys-database-ledger-digest-locations-transact-sql) system catalog view where database digests are configured to be stored.
+When you use automatic digest storage, you can change storage locations throughout the lifecycle of the ledger tables. For example, if you start by using Azure immutable storage to store your digest files, but later you want to use Azure Confidential Ledger instead, you can do so. This change in location is stored in [sys.database_ledger_digest_locations](/sql/relational-databases/system-catalog-views/sys-database-ledger-digest-locations-transact-sql).
-Using automatic digest storage allows you to change storage locations throughout the lifecycle of the ledger tables. For example, if you start by using Azure Immutable Blob storage to store your digest files, but later you want to use Azure Confidential Ledger instead, you are able to do so. This change in location is stored in [sys.database_ledger_digest_locations](/sql/relational-databases/system-catalog-views/sys-database-ledger-digest-locations-transact-sql). To simplify running verification when multiple digest storage locations have been used, the following script will fetch the locations of the digests and execute verification using those locations.
+To simplify running verification when you use multiple digest storage locations, the following script will fetch the locations of the digests and execute verification by using those locations.
```sql DECLARE @digest_locations NVARCHAR(MAX) = (SELECT * FROM sys.database_ledger_digest_locations FOR JSON AUTO, INCLUDE_NULL_VALUES);
BEGIN CATCH
END CATCH ```
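Review bot: The new paragraph says digest storage can be moved from immutable Blob Storage to Azure Confidential Ledger and that the change is recorded in `sys.database_ledger_digest_locations`, but it doesn't say who may change the location or what that means for trust. The verification script takes its list of locations from that view inside the same database, so the doc should state which permission controls changing the location and that an auditor should cross-check the locations the script picks up against what was provisioned rather than trust the view alone. Also, because the script wraps the call in `BEGIN CATCH` ... `END CATCH`, say what the CATCH block does with the error; a thrown error here is the tamper signal readers are looking for and must be logged or re-raised, not swallowed.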
-### Database verification using manual digest storage
+### Database verification that uses manual digest storage
+
+When you're using manual digest storage for generating and storing database digests, the following stored procedure is used to verify the ledger database. The JSON content of the digest is appended in the stored procedure. When you're running database verification, you can choose to verify all tables in the database or verify specific tables.
-When using manual digest storage for generating and storing database digests, the following stored procedure is used to verify the ledger, appending the JSON content of the digest in the stored procedure. When running database verification, you can choose to verify all tables in the database, or specific tables. Below is the syntax for the [sp_verify_database_ledger](/sql/relational-databases/system-stored-procedures/sys-sp-verify-database-ledger-transact-sql) stored procedure:
+Here's the syntax for the [sp_verify_database_ledger](/sql/relational-databases/system-stored-procedures/sys-sp-verify-database-ledger-transact-sql) stored procedure:
```sql sp_verify_database_ledger <JSON_document_containing_digests>, <table_name> ```
-Below is an example of running the [sp_verify_database_ledger](/sql/relational-databases/system-stored-procedures/sys-sp-verify-database-ledger-transact-sql) stored procedure by passing two digests for verification:
+The following code is an example of running the [sp_verify_database_ledger](/sql/relational-databases/system-stored-procedures/sys-sp-verify-database-ledger-transact-sql) stored procedure by passing two digests for verification:
```sql EXECUTE sp_verify_database_ledger N'
EXECUTE sp_verify_database_ledger N'
] ```
-Return codes for `sp_verify_database_ledger` and `sp_verify_database_ledger_from_digest_storage` are `0` (**success**) or `1` (**failure**).
+Return codes for `sp_verify_database_ledger` and `sp_verify_database_ledger_from_digest_storage` are `0` (success) or `1` (failure).
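Review bot: The syntax line `sp_verify_database_ledger <JSON_document_containing_digests>, <table_name>` and the example that "passes two digests" don't quite line up with the prose: say explicitly that the first argument is a JSON array of digest documents (the example ends with `]`), and whether `<table_name>` is optional and what is verified when it is omitted, since the paragraph above says you can verify all tables or specific ones. The return-code sentence would be more useful with the call pattern that actually captures the code, for instance `DECLARE @rc INT; EXEC @rc = sp_verify_database_ledger N'[...]';` followed by a check of `@rc`, because a scheduled verification job needs the code, not the message text, to alert on.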
## Next steps
azure-sql Ledger How To Append Only Ledger Tables https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/ledger-how-to-append-only-ledger-tables.md
Title: "Create and use append-only ledger tables"
-description: How to create and use append-only ledger tables in Azure SQL Database
+description: Learn how to create and use append-only ledger tables in Azure SQL Database.
Last updated "05/25/2021"
[!INCLUDE[appliesto-sqldb](../includes/appliesto-sqldb.md)] > [!NOTE]
-> Azure SQL Database ledger is currently in **public preview**.
+> Azure SQL Database ledger is currently in public preview and available in West Central US.
-This article shows you how to create an [append-only ledger table](ledger-append-only-ledger-tables.md) in Azure SQL Database, insert values into your append-only ledger table, attempt to make updates to the data, and view the results using the ledger view. We'll use an example of a card key access system of a facility, which is an append-only system pattern. Our example will give you a practical look at the relationship between the append-only ledger table and its corresponding ledger view.
+This article shows you how to create an [append-only ledger table](ledger-append-only-ledger-tables.md) in Azure SQL Database. Next, you'll insert values in your append-only ledger table and then attempt to make updates to the data. Finally, you'll view the results by using the ledger view. We'll use an example of a card key access system for a facility, which is an append-only system pattern. Our example will give you a practical look at the relationship between the append-only ledger table and its corresponding ledger view.
For more information, see [Append-only ledger tables](ledger-append-only-ledger-tables.md).
-## Prerequisite
+## Prerequisites
-- Have an existing Azure SQL Database with ledger enabled. See [Quickstart: Create an Azure SQL Database with ledger enabled](ledger-create-a-single-database-with-ledger-enabled.md) if you haven't already created an Azure SQL Database.-- [SQL Server Management Studio (SSMS)](/sql/ssms/download-sql-server-management-studio-ssms) or [Azure Data Studio](/sql/azure-data-studio/download-azure-data-studio)
+- Azure SQL Database with ledger enabled. If you haven't already created a database in SQL Database, see [Quickstart: Create a database in Azure SQL Database with ledger enabled](ledger-create-a-single-database-with-ledger-enabled.md).
+- [SQL Server Management Studio](/sql/ssms/download-sql-server-management-studio-ssms) or [Azure Data Studio](/sql/azure-data-studio/download-azure-data-studio).
-## Creating an append-only ledger table
+## Create an append-only ledger table
-We'll create a `KeyCardEvents` table with the following schema.
+We'll create a `KeyCardEvents` table with the following schema.
| Column name | Data type | Description | |--|--|--|
-| EmployeeID | int | The unique ID of the employee accessing the building. |
-| AccessOperationDescription | nvarchar (MAX) | The access operation of the employee. |
+| EmployeeID | int | The unique ID of the employee accessing the building |
+| AccessOperationDescription | nvarchar (MAX) | The access operation of the employee |
| Timestamp | datetime2 | The date and time the employee accessed the building | > [!IMPORTANT]
-> Creating append-only ledger tables requires the **ENABLE LEDGER** permission. For details on permissions related to ledger tables, see [Permissions](/sql/relational-databases/security/permissions-database-engine#asdbpermissions).
+> Creating append-only ledger tables requires the **ENABLE LEDGER** permission. For more information on permissions related to ledger tables, see [Permissions](/sql/relational-databases/security/permissions-database-engine#asdbpermissions).
-1. Using either [SQL Server Management Studio (SSMS)](/sql/ssms/download-sql-server-management-studio-ssms) or [Azure Data Studio](/sql/azure-data-studio/download-azure-data-studio), create a new schema and table called `[AccessControl].[KeyCardEvents]`.
+1. Use [SQL Server Management Studio](/sql/ssms/download-sql-server-management-studio-ssms) or [Azure Data Studio](/sql/azure-data-studio/download-azure-data-studio) to create a new schema and table called `[AccessControl].[KeyCardEvents]`.
```sql CREATE SCHEMA [AccessControl]
We'll create a `KeyCardEvents` table with the following schema.
); ```
-1. Add a new building access event into the `[AccessControl].[KeyCardEvents]` table with the following values.
+1. Add a new building access event in the `[AccessControl].[KeyCardEvents]` table with the following values.
```sql INSERT INTO [AccessControl].[KeyCardEvents] VALUES ('43869', 'Building42', '2020-05-02T19:58:47.1234567') ```
-1. View the contents of your KeyCardEvents table, specifying the [GENERATED ALWAYS](/sql/t-sql/statements/create-table-transact-sql#generate-always-columns) columns that are added to your [append-only ledger table](ledger-append-only-ledger-tables.md).
+1. View the contents of your KeyCardEvents table, and specify the [GENERATED ALWAYS](/sql/t-sql/statements/create-table-transact-sql#generate-always-columns) columns that are added to your [append-only ledger table](ledger-append-only-ledger-tables.md).
```sql SELECT *
We'll create a `KeyCardEvents` table with the following schema.
FROM [AccessControl].[KeyCardEvents] ```
- :::image type="content" source="media/ledger/append-only-how-to-keycardevent-table.png" alt-text="Results from querying KeyCardEvents table":::
+ :::image type="content" source="media/ledger/append-only-how-to-keycardevent-table.png" alt-text="Screenshot that shows results from querying the KeyCardEvents table.":::
1. Try to update the `KeyCardEvents` table by changing the `EmployeeID` from `43869` to `34184.`
We'll create a `KeyCardEvents` table with the following schema.
UPDATE [AccessControl].[KeyCardEvents] SET [EmployeeID] = 34184 ```
- You'll receive and error message stating the updates aren't allowed for your append-only ledger table.
+ You'll receive an error message that states the updates aren't allowed for your append-only ledger table.
- :::image type="content" source="media/ledger/append-only-how-to-1.png" alt-text="append only error message":::
+ :::image type="content" source="media/ledger/append-only-how-to-1.png" alt-text="Screenshot that shows the append-only error message.":::
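Review bot: In the INSERT step the `EmployeeID` value is passed as the string literal `'43869'` although the column is `int`, while the later UPDATE uses the bare literal `34184`; use `43869` so the two steps match and readers don't pick up an implicit conversion. The UPDATE has no `WHERE` clause, which is fine for showing that the append-only table rejects it, but it is the statement a reader will paste into an updatable table next, so add `WHERE EmployeeID = 43869` or say it is deliberately unfiltered. The step text also has the period inside the code span (`34184.`). Since the ledger view description in this change set says a DELETE should never appear for an append-only table, a DELETE attempt alongside the UPDATE would show readers that both are blocked, not only updates.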
## Next steps
We'll create a `KeyCardEvents` table with the following schema.
- [Append-only ledger tables](ledger-append-only-ledger-tables.md) - [Updatable ledger tables](ledger-updatable-ledger-tables.md) - [Create and use updatable ledger tables](ledger-how-to-updatable-ledger-tables.md)-- [How to access the digests stored in Azure Confidential Ledger (ACL)](ledger-how-to-access-acl-digest.md)-- [How to verify a ledger table to detect tampering](ledger-verify-database.md)
+- [Access the digests stored in Azure Confidential Ledger (ACL)](ledger-how-to-access-acl-digest.md)
+- [Verify a ledger table to detect tampering](ledger-verify-database.md)
azure-sql Ledger How To Updatable Ledger Tables https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/ledger-how-to-updatable-ledger-tables.md
Title: "Create and use updatable ledger tables"
-description: How to create and use updatable ledger tables in Azure SQL Database
+description: Learn how to create and use updatable ledger tables in Azure SQL Database.
Last updated "05/25/2021"
[!INCLUDE[appliesto-sqldb](../includes/appliesto-sqldb.md)] > [!NOTE]
-> Azure SQL Database ledger is currently in **public preview**.
+> Azure SQL Database ledger is currently in public preview and available in West Central US.
-This article shows you how to create an [updatable ledger table](ledger-updatable-ledger-tables.md) in Azure SQL Database, insert values into your updatable ledger table, make updates to the data, and view the results using the ledger view. We'll use an example of a banking application tracking a banking customers balance in their account. Our example will give you a practical look at the relationship between the updatable ledger table and its corresponding history table and ledger view.
+This article shows you how to create an [updatable ledger table](ledger-updatable-ledger-tables.md) in Azure SQL Database. Next, you'll insert values in your updatable ledger table and then make updates to the data. Finally, you'll view the results by using the ledger view. We'll use an example of a banking application that tracks banking customers' balances in their accounts. Our example will give you a practical look at the relationship between the updatable ledger table and its corresponding history table and ledger view.
-## Prerequisite
+## Prerequisites
-- Have an existing Azure SQL Database with ledger enabled. See [Quickstart: Create an Azure SQL Database with ledger enabled](ledger-create-a-single-database-with-ledger-enabled.md) if you haven't already created an Azure SQL Database.-- [SQL Server Management Studio (SSMS)](/sql/ssms/download-sql-server-management-studio-ssms) or [Azure Data Studio](/sql/azure-data-studio/download-azure-data-studio)
+- Azure SQL Database with ledger enabled. If you haven't already created a database in SQL Database, see [Quickstart: Create a database in Azure SQL Database with ledger enabled](ledger-create-a-single-database-with-ledger-enabled.md).
+- [SQL Server Management Studio](/sql/ssms/download-sql-server-management-studio-ssms) or [Azure Data Studio](/sql/azure-data-studio/download-azure-data-studio).
-## Creating an updatable ledger table
+## Create an updatable ledger table
-We'll create an account balance table with the following schema.
+We'll create an account balance table with the following schema.
| Column name | Data type | Description | | -- | -- | -- |
| Balance | decimal (10,2) | Account balance | > [!IMPORTANT]
-> Creating updatable ledger tables requires the **ENABLE LEDGER** permission. For details on permissions related to ledger tables, see [Permissions](/sql/relational-databases/security/permissions-database-engine#asdbpermissions).
+> Creating updatable ledger tables requires the **ENABLE LEDGER** permission. For more information on permissions related to ledger tables, see [Permissions](/sql/relational-databases/security/permissions-database-engine#asdbpermissions).
-1. Using either [SQL Server Management Studio (SSMS)](/sql/ssms/download-sql-server-management-studio-ssms) or [Azure Data Studio](/sql/azure-data-studio/download-azure-data-studio), create a new schema and table called `[Account].[Balance]`.
+1. Use [SQL Server Management Studio](/sql/ssms/download-sql-server-management-studio-ssms) or [Azure Data Studio](/sql/azure-data-studio/download-azure-data-studio) to create a new schema and table called `[Account].[Balance]`.
```sql CREATE SCHEMA [Account]
``` > [!NOTE]
- > Specifying the `LEDGER = ON` argument is optional if you enabled ledger database when you created your Azure SQL Database.
+ > Specifying the `LEDGER = ON` argument is optional if you enabled a ledger database when you created your database in SQL Database.
>
- > In the above example, the system will generate the names of the [GENERATED ALWAYS](/sql/t-sql/statements/create-table-transact-sql#generate-always-columns) columns in the table, the name of the [ledger view](ledger-updatable-ledger-tables.md#ledger-view), and the names of the [ledger view columns](ledger-updatable-ledger-tables.md#ledger-view-schema).
+ > In the preceding example, the system generates the names of the [GENERATED ALWAYS](/sql/t-sql/statements/create-table-transact-sql#generate-always-columns) columns in the table, the name of the [ledger view](ledger-updatable-ledger-tables.md#ledger-view), and the names of the [ledger view columns](ledger-updatable-ledger-tables.md#ledger-view-schema).
>
- > The ledger view column names can be customized when creating the table using the `<ledger_view_option>` parameter with the [CREATE TABLE (Transact-SQL)](/sql/t-sql/statements/create-table-transact-sql?view=azuresqldb-current&preserve-view=true) statement. The `GENERATED ALWAYS` columns, as well as the [history table](ledger-updatable-ledger-tables.md#history-table) name can be customized. For more information, see [ledger view options](/sql/t-sql/statements/create-table-transact-sql?view=azuresqldb-current&preserve-view=true#ledger-view-options) and the corresponding examples in [CREATE TABLE (Transact-SQL)](/sql/t-sql/statements/create-table-transact-sql?view=azuresqldb-current&preserve-view=true##x-creating-a-updatable-ledger-table).
+ > The ledger view column names can be customized when you create the table by using the `<ledger_view_option>` parameter with the [CREATE TABLE (Transact-SQL)](/sql/t-sql/statements/create-table-transact-sql?view=azuresqldb-current&preserve-view=true) statement. The `GENERATED ALWAYS` columns and the [history table](ledger-updatable-ledger-tables.md#history-table) name can be customized. For more information, see [ledger view options](/sql/t-sql/statements/create-table-transact-sql?view=azuresqldb-current&preserve-view=true#ledger-view-options) and the corresponding examples in [CREATE TABLE (Transact-SQL)](/sql/t-sql/statements/create-table-transact-sql?view=azuresqldb-current&preserve-view=true##x-creating-a-updatable-ledger-table).
-1. When your [updatable ledger table](ledger-updatable-ledger-tables.md) is created, the corresponding history table and ledger view are also created. Execute the following T-SQL to see the new table and the new view.
+1. When your [updatable ledger table](ledger-updatable-ledger-tables.md) is created, the corresponding history table and ledger view are also created. Run the following T-SQL commands to see the new table and the new view.
```sql SELECT
JOIN sys.schemas vs ON (vs.[schema_id] = v.[schema_id]) ```
- :::image type="content" source="media/ledger/ledger-updatable-how-to-new-tables.png" alt-text="Query new ledger tables":::
+ :::image type="content" source="media/ledger/ledger-updatable-how-to-new-tables.png" alt-text="Screenshot that shows querying new ledger tables.":::
-1. Insert a customer, `Nick Jones` as a new customer with an opening balance of $50.
+1. Insert the name `Nick Jones` as a new customer with an opening balance of $50.
```sql INSERT INTO [Account].[Balance] VALUES (1, 'Jones', 'Nick', 50) ```
-1. Insert three new customers, `John Smith`, `Joe Smith`, and `Mary Michaels` as new customers with opening balances of $500, $30 and $200, respectively.
+1. Insert the names `John Smith`, `Joe Smith`, and `Mary Michaels` as new customers with opening balances of $500, $30, and $200, respectively.
```sql INSERT INTO [Account].[Balance]
(4, 'Michaels', 'Mary', 200) ```
-1. View the `[Account].[Balance]` updatable ledger table, specifying the [GENERATED ALWAYS](/sql/t-sql/statements/create-table-transact-sql#generate-always-columns) columns added to the table.
+1. View the `[Account].[Balance]` updatable ledger table, and specify the [GENERATED ALWAYS](/sql/t-sql/statements/create-table-transact-sql#generate-always-columns) columns added to the table.
```sql SELECT *
FROM [Account].[Balance] ```
- In the results window, you'll first see the values inserted by your T-SQL commands, along with the system metadata that is used for data lineage purposes.
+ In the results window, you'll first see the values inserted by your T-SQL commands, along with the system metadata that's used for data lineage purposes.
- - `ledger_start_transaction_id` notes the unique transaction ID associated with the transaction that inserted the data. Since `John`, `Joe`, and `Mary` were inserted using the same transaction, they share the same transaction ID.
- - `ledger_start_sequence_number` notes the order by which values were inserted by the transaction.
+ - The `ledger_start_transaction_id` column notes the unique transaction ID associated with the transaction that inserted the data. Because `John`, `Joe`, and `Mary` were inserted by using the same transaction, they share the same transaction ID.
+ - The `ledger_start_sequence_number` column notes the order by which values were inserted by the transaction.
- :::image type="content" source="media/ledger/sql-updatable-how-to-1.png" alt-text="ledger table example 1":::
+ :::image type="content" source="media/ledger/sql-updatable-how-to-1.png" alt-text="Screenshot that shows ledger table example 1.":::
1. Update `Nick`'s balance from `50` to `100`.
WHERE [CustomerID] = 1 ```
-1. Copy the unique name of your history table. You'll need this for the next step.
+1. Copy the unique name of your history table. You'll need this information for the next step.
```sql SELECT
JOIN sys.schemas vs ON (vs.[schema_id] = v.[schema_id]) ```
- :::image type="content" source="media/ledger/sql-updatable-how-to-2.png" alt-text="ledger table example 2":::
+ :::image type="content" source="media/ledger/sql-updatable-how-to-2.png" alt-text="Screenshot that shows ledger table example 2.":::
1. View the `[Account].[Balance]` updatable ledger table, along with its corresponding history table and ledger view. > [!IMPORTANT]
- > Replace the `<history_table_name>` with the name you copied in the previous step.
+ > Replace `<history_table_name>` with the name you copied in the previous step.
```sql SELECT *
``` > [!TIP]
- > We recommend that you query the history of changes through the [ledger view](ledger-updatable-ledger-tables.md#ledger-view), and not the [history table](ledger-updatable-ledger-tables.md#history-table).
+ > We recommend that you query the history of changes through the [ledger view](ledger-updatable-ledger-tables.md#ledger-view) and not the [history table](ledger-updatable-ledger-tables.md#history-table).
-1. `Nick`'s account balance has been successfully updated in the updatable ledger table to `100`.
+1. `Nick`'s account balance was successfully updated in the updatable ledger table to `100`.
1. The history table now shows the previous balance of `50` for `Nick`.
-1. The ledger view shows that updating the ledger table is a `DELETE` of the original row with `50`, as the balance with a corresponding `INSERT` of a new row with `100` with the new balance for `Nick`.
+1. The ledger view shows that updating the ledger table is a `DELETE` of the original row with `50`. The balance with a corresponding `INSERT` of a new row with `100` shows the new balance for `Nick`.
- :::image type="content" source="media/ledger/sql-updatable-how-to-3.png" alt-text="ledger table example 3":::
+ :::image type="content" source="media/ledger/sql-updatable-how-to-3.png" alt-text="Screenshot that shows ledger table example 3.":::
## Next steps -- [Database ledger](ledger-database-ledger.md) -- [Digest management and database verification](ledger-digest-management-and-database-verification.md)
+- [Database ledger](ledger-database-ledger.md)
+- [Digest management and database verification](ledger-digest-management-and-database-verification.md)
- [Updatable ledger tables](ledger-updatable-ledger-tables.md) - [Append-only ledger tables](ledger-append-only-ledger-tables.md) - [Create and use append-only ledger tables](ledger-how-to-append-only-ledger-tables.md) -- [How to access the digests stored in Azure Confidential Ledger (ACL)](ledger-how-to-access-acl-digest.md)-- [How to verify a ledger table to detect tampering](ledger-verify-database.md)
+- [Access the digests stored in Azure Confidential Ledger (ACL)](ledger-how-to-access-acl-digest.md)
+- [Verify a ledger table to detect tampering](ledger-verify-database.md)
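Review bot: The rewritten step "The ledger view shows that updating the ledger table is a `DELETE` of the original row with `50`. The balance with a corresponding `INSERT` of a new row with `100` shows the new balance for `Nick`." splits one sentence into two and leaves the second without a clear subject, so it no longer says that the `DELETE` and the `INSERT` are one paired record of the update in the ledger view. Suggest: "The ledger view shows that updating the ledger table is recorded as a `DELETE` of the original row with the balance `50`, paired with an `INSERT` of a new row with the new balance `100` for `Nick`."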
azure-sql Ledger Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/ledger-overview.md
Title: "Azure SQL Database ledger overview"
-description: Overview of Azure SQL Database ledger
+description: Learn the basics of the Azure SQL Database ledger feature.
Last updated "05/25/2021"
[!INCLUDE[appliesto-sqldb](../includes/appliesto-sqldb.md)] > [!NOTE]
-> Azure SQL Database ledger is currently in public preview, and available in West Central US.
+> Azure SQL Database ledger is currently in public preview and available in West Central US.
-Establishing trust around the integrity of data stored in database systems has been a long-standing problem for all organizations that manage financial, medical, or other sensitive data. The ledger feature of [Azure SQL Database](sql-database-paas-overview.md) provides tamper-evidence capabilities in your database, enabling the ability to cryptographically attest to other parties, such as auditors or other business parties, that your data hasn't been tampered with.
+Establishing trust around the integrity of data stored in database systems has been a longstanding problem for all organizations that manage financial, medical, or other sensitive data. The ledger feature of [Azure SQL Database](sql-database-paas-overview.md) provides tamper-evidence capabilities in your database. You can cryptographically attest to other parties, such as auditors or other business parties, that your data hasn't been tampered with.
-Ledger helps protect data from any attacker or high-privileged user, including Database Administrators (DBAs), and system and cloud administrators. Just like a traditional ledger, historical data is preserved such that if a row is updated in the database, its previous value is maintained and protected in a history table. The ledger provides a chronicle of all changes made to the database over time. The ledger and the historical data are managed transparently, offering protection without any application changes. Historical data is maintained in a relational form to support SQL queries for auditing, forensics, and other purposes. Ledger provides cryptographic data integrity guarantees while maintaining the power, flexibility, and performance of Azure SQL Database.
+Ledger helps protect data from any attacker or high-privileged user, including database administrators (DBAs), system administrators, and cloud administrators. As with a traditional ledger, the feature preserves historical data. If a row is updated in the database, its previous value is maintained and protected in a history table. Ledger provides a chronicle of all changes made to the database over time.
+Ledger and the historical data are managed transparently, offering protection without any application changes. The feature maintains historical data in a relational form to support SQL queries for auditing, forensics, and other purposes. It provides guarantees of cryptographic data integrity while maintaining the power, flexibility, and performance of Azure SQL Database.
-## Use case for Azure SQL Database ledger
+
+## Use cases for Azure SQL Database ledger
### Streamlining audits
-Any production system's value is based on the ability to trust the data the system is consuming and producing. If the data in your database has been tampered with by a malicious user, it can have disastrous results in the business processes relying on that data. Maintaining trust in your data requires a combination of enabling the proper security controls to reduce potential attacks, backup and restore practices, and thorough disaster recovery procedures. Ensuring these practices are put in place are often audited by external parties. Audit processes are highly time-intensive activities. Auditing requires on-site inspection of implemented practices such as reviewing audit logs, inspecting authentication and access controls, just to name a few. While these manual processes can expose potential gaps in security, what they can't provide is attestable proof that the data hasn't been maliciously altered. Ledger provides the cryptographic proof of data integrity to auditors, which can help not only streamline the auditing process, but also provides non-repudiation regarding the integrity of the system's data.
+Any production system's value is based on the ability to trust the data that the system is consuming and producing. If a malicious user has tampered with the data in your database, that can have disastrous results in the business processes relying on that data.
+
+Maintaining trust in your data requires a combination of enabling the proper security controls to reduce potential attacks, backup and restore practices, and thorough disaster recovery procedures. Audits by external parties ensure that these practices are put in place.
+
+Audit processes are highly time-intensive activities. Auditing requires on-site inspection of implemented practices such as reviewing audit logs, inspecting authentication, and inspecting access controls. Although these manual processes can expose potential gaps in security, they can't provide attestable proof that the data hasn't been maliciously altered.
+
+Ledger provides the cryptographic proof of data integrity to auditors. This proof can help streamline the auditing process. It also provides nonrepudiation regarding the integrity of the system's data.
-### Multi-party business processes
+### Multiple-party business processes
-Systems where multiple organizations have a business process that must share state with one another, such as supply-chain management systems, struggle with the challenge of how to share and trust data with one another. Many organizations are turning to traditional blockchains, such as Ethereum or Hyperledger Fabric to digitally transform their multi-party business processes. Blockchain is a great solution for multi-party networks where trust is low between parties that participate on the network. However, many of these networks are fundamentally centralized solutions where trust is important, but a fully decentralized infrastructure is a heavy-weight solution. Ledger provides a solution for these networks where participants can verify the data integrity of the centrally housed data, rather than having the complexity and performance implications that network consensus introduces in a blockchain network.
+In some systems, such as supply-chain management systems, multiple organizations must share state from a business process with one another. These systems struggle with the challenge of how to share and trust data. Many organizations are turning to traditional blockchains, such as Ethereum or Hyperledger Fabric, to digitally transform their multiple-party business processes.
+
+Blockchain is a great solution for multiple-party networks where trust is low between parties that participate on the network. Many of these networks are fundamentally centralized solutions where trust is important, but a fully decentralized infrastructure is a heavyweight solution.
+
+Ledger provides a solution for these networks. Participants can verify the integrity of the centrally housed data, without the complexity and performance implications that network consensus introduces in a blockchain network.
### Trusted off-chain storage for blockchain
-Where a blockchain network is necessary for a multi-party business process, having the ability query the data on the blockchain without sacrificing performance is a challenge. Typical patterns for solving this problem involve replicating data from the blockchain to an off-chain store, such as a database. However, once the data is replicated to the database from the blockchain, the data integrity guarantees that a blockchain offer is lost. Ledger provides the data integrity needed for off-chain storage of blockchain networks, ensuring complete data trust through the entire system.
+When a blockchain network is necessary for a multiple-party business process, the ability query the data on the blockchain without sacrificing performance is a challenge.
+
+Typical patterns for solving this problem involve replicating data from the blockchain to an off-chain store, such as a database. But after the data is replicated to the database from the blockchain, the data integrity guarantees that a blockchain offer is lost. Ledger provides data integrity for off-chain storage of blockchain networks, which helps ensure complete data trust through the entire system.
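Review bot: Two grammar slips carry over from the old text in the off-chain storage paragraphs: "the ability query the data on the blockchain" is missing "to", and "the data integrity guarantees that a blockchain offer is lost" should read "the data integrity guarantees that a blockchain offers are lost". Suggest fixing both while this section is being rewritten.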
## How it works
-Each transaction that is received by the database is cryptographically hashed (SHA-256). The hash function uses the value of the transaction (including hashes of the rows contained in the transaction), along with the hash of the previous transaction as input to the hash function. The function cryptographically links all transactions together, similar to a blockchain. Cryptographic hashes ([database digests](#database-digests)), which represent the state of the database, are periodically generated and stored outside of Azure SQL Database in a tamper-proof storage location. An example of a storage location would be [Azure Storage immutable blobs](../../storage/blobs/storage-blob-immutable-storage.md) or [Azure Confidential Ledger](../../confidential-ledger/index.yml). Database digests are then later used to verify the integrity of the database by comparing the value of the hash in the digest against the calculated hashes in database.
+Each transaction that the database receives is cryptographically hashed (SHA-256). The hash function uses the value of the transaction, along with the hash of the previous transaction, as input to the hash function. (The value includes hashes of the rows contained in the transaction.) The function cryptographically links all transactions together, like a blockchain.
+
+Cryptographically hashed ([database digests](#database-digests)) represent the state of the database. They're periodically generated and stored outside Azure SQL Database in a tamper-proof storage location. An example of a storage location is the [immutable storage feature of Azure Blob Storage](../../storage/blobs/storage-blob-immutable-storage.md) or [Azure Confidential Ledger](../../confidential-ledger/index.yml). Database digests are later used to verify the integrity of the database by comparing the value of the hash in the digest against the calculated hashes in database.
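Review bot: "Cryptographically hashed ([database digests](#database-digests)) represent the state of the database" drops the noun; the original "Cryptographic hashes" was correct. Suggest: "Cryptographic hashes, called [database digests](#database-digests), represent the state of the database." The same paragraph's "calculated hashes in database" also needs "the database". This paragraph is where the tamper-evidence mechanism is explained (each transaction hash chained to the previous one, digests kept in tamper-proof storage outside the database), so the wording should stay precise.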
Ledger functionality is introduced to tables in Azure SQL Database in two forms: -- [**Updatable ledger tables**](ledger-updatable-ledger-tables.md), which allow you to update and delete rows in your tables.-- [**Append-only ledger tables**](ledger-append-only-ledger-tables.md), which only allow inserts to your tables.
+- [Updatable ledger tables](#updatable-ledger-tables), which allow you to update and delete rows in your tables.
+- [Append-only ledger tables](#append-only-ledger-tables), which only allow insertions to your tables.
-Both **updatable ledger tables** and **append-only ledger tables** provide tamper-evidence and digital forensics capabilities. Understanding which transactions submitted by which users that resulted in changes to the database are important if both remediating potential tampering events, or proving to third parties that transactions submitted to the system were by authorized users. The ledger feature enables users, their partners, or auditors to analyze all historical operations and detect potential tampering. Each row operation is accompanied by the ID of the transaction that performed it, allowing users to retrieve more information about the time the transaction was executed, the identity of the user who executed it, and correlate it to other operations performed by this transaction.
+Both updatable ledger tables and append-only ledger tables provide tamper-evidence and digital forensics capabilities. Understanding which transactions submitted by which users resulted in changes to the database is important if you're remediating potential tampering events or proving to third parties that authorized users submitted transactions to the system.
-There are some limitations of ledger tables that you should be aware of. For details on limitations with ledger tables, see [Limitations for Azure SQL Database ledger](ledger-limits.md).
+The ledger feature enables users, their partners, or auditors to analyze all historical operations and detect potential tampering. Each row operation is accompanied by the ID of the transaction that performed it. The ID enables users to get more information about the time that the transaction happened and the identity of the user who executed it. Users can then correlate the ID to other operations that the transaction has performed.
+
+For details about limitations of ledger tables, see [Limitations for Azure SQL Database ledger](ledger-limits.md).
### Ledger database
-A ledger database is a database, in which all user data is tamper evident and stored in ledger tables. A ledger database can only contain ledger tables, and each table is by default created as an updatable ledger table. Ledger databases provide an easy-to-use solution for applications that require the integrity of all data to be protected.
+In a ledger database, all user data is tamper evident and stored in ledger tables. A ledger database can contain only ledger tables. Each table is, by default, created as an updatable ledger table. Ledger databases provide an easy-to-use solution for applications that require the integrity of all data to be protected.
### Updatable ledger tables
-[Updatable ledger tables](ledger-updatable-ledger-tables.md) are ideal for application patterns that expect to issue updates and deletes to tables in your database, such as System of Record (SOR) applications. This means that existing data patterns for your application don't need to change to enable ledger functionality.
+[Updatable ledger tables](ledger-updatable-ledger-tables.md) are ideal for application patterns that expect to issue updates and deletions to tables in your database, such as system of record (SOR) applications. Existing data patterns for your application don't need to change to enable ledger functionality.
+
+Updatable ledger tables track the history of changes to any rows in your database when transactions that perform updates or deletions occur. An updatable ledger table is a system-versioned table that contains a reference to another table with a mirrored schema.
-[Updatable ledger tables](ledger-updatable-ledger-tables.md) track the history of changes to any rows in your database when transactions that perform updates or deletes occur. An updatable ledger table is a system-versioned table that contains a reference to another table with a mirrored schema. The system uses this table to automatically store the previous version of the row each time a row in the ledger table gets updated or deleted. This other table is referred to as the history table. The history table is automatically created when you create an updatable ledger table. The values contained in the updatable ledger table and its corresponding history table provide a chronicle of the values of your database over time. In order to easily query this chronicle of your database, a system-generated ledger view is created, which joins the updatable ledger table and the history table.
+The other table is called the *history table*. The system uses this table to automatically store the previous version of the row each time a row in the ledger table is updated or deleted. The history table is automatically created when you create an updatable ledger table.
-For more information on how to create and use updatable ledger tables, see [Create and use updatable ledger tables](ledger-how-to-updatable-ledger-tables.md).
+The values in the updatable ledger table and its corresponding history table provide a chronicle of the values of your database over time. A system-generated ledger view joins the updatable ledger table and the history table so that you can easily query this chronicle of your database.
+
+For more information on updatable ledger tables, see [Create and use updatable ledger tables](ledger-how-to-updatable-ledger-tables.md).
### Append-only ledger tables
-[Append-only ledger tables](ledger-append-only-ledger-tables.md) are ideal for application patterns that are insert-only, such as Security Information and Event Management (SEIM) applications. Append-only ledger tables block updates and deletes at the Application Programming Interface (API) level, providing further tampering protection from privileged users such as systems administrators and DBAs. Since only inserts are allowed into the system, append-only ledger tables don't have a corresponding history table as there's no history to capture. Like updatable ledger tables, a ledger view is created providing insights into the transaction that inserted rows into the append-only table, and the user that performed the insert.
+[Append-only ledger tables](ledger-append-only-ledger-tables.md) are ideal for application patterns that are insert-only, such as security information and event management (SIEM) applications. Append-only ledger tables block updates and deletions at the API level. This blocking provides more tampering protection from privileged users such as system administrators and DBAs.
+
+Because only insertions are allowed into the system, append-only ledger tables don't have a corresponding history table because there's no history to capture. As with updatable ledger tables, a ledger view provides insights into the transaction that inserted rows into the append-only table, and the user that performed the insertion.
-For more information on how to create and use append-only ledger tables, see [Create and use append-only ledger tables](ledger-how-to-append-only-ledger-tables.md).
+For more information on append-only ledger tables, see [Create and use append-only ledger tables](ledger-how-to-append-only-ledger-tables.md).
### Database ledger
-The database ledger consists of system tables that store the cryptographic hashes of transactions processed in the system. Since transactions are the unit of [atomicity](/windows/win32/cossdk/acid-properties) for the database engine, this is the unit of work being captured in the database ledger. Specifically, when a transaction commits, the SHA-256 hash of any rows modified by the transaction in the ledger table, together with some metadata for the transaction, such as the identity of the user that executed it and its commit timestamp, is appended as a *transaction entry* in the database ledger. Every 30 seconds, the transactions processed by the database are SHA-256 hashed together using a Merkle tree data structure, producing a root hash. This forms a block, which is then SHA-256 hashed using the root hash of the block along with the root hash of the previous block as input to the hash function, forming a blockchain.
+The [database ledger](ledger-database-ledger.md) consists of system tables that store the cryptographic hashes of transactions processed in the system. Because transactions are the unit of [atomicity](/windows/win32/cossdk/acid-properties) for the database engine, this is the unit of work that the database ledger captures.
-For more information on the database ledger, see [Database ledger](ledger-database-ledger.md).
+Specifically, when a transaction commits, the SHA-256 hash of any rows modified by the transaction in the ledger table is appended as a *transaction entry* in the database ledger. The transaction entry also includes some metadata for the transaction, such as the identity of the user who executed it and its commit time stamp.
+
+Every 30 seconds, the transactions that the database processes are SHA-256 hashed together through a Merkle tree data structure. The result is a root hash that forms a block. The block is then SHA-256 hashed through the root hash of the block, along with the root hash of the previous block as input to the hash function. That hashing forms a blockchain.
### Database digests
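Review bot: the last sentence of the rewritten "Database ledger" paragraph changes the meaning of the original. "The block is then SHA-256 hashed through the root hash of the block, along with the root hash of the previous block" reads as if the root hash were the hashing mechanism; the original says the two root hashes are the *inputs*. Suggest: "The block is then SHA-256 hashed, with the root hash of the block and the root hash of the previous block as input to the hash function." Also "Every 30 seconds, the transactions that the database processes" should be "the transaction entries appended since the previous block" if that is what is meant, since otherwise it reads as if all transactions are rehashed every 30 seconds.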
-The hash of the latest block in the database ledger is known as the database digest and represents the state of all ledger tables in the database at the time the block was generated. When a block is formed, its associated database digest is then published and stored outside of Azure SQL Database in a tamper-proof storage. Since database digests represent the state of the database at the point in time they were generated, protecting the digests from tampering is paramount. An attacker that has access to modify the digests would be able to tamper with the data in the database, generate the hashes representing the database with the tampered changes, and then modify the digests to represent the updated hash of the transactions in the block. Ledger provides the ability to automatically generate, and store the database digests in [Azure Storage immutable blobs](../../storage/blobs/storage-blob-immutable-storage.md), or [Azure Confidential Ledger](../../confidential-ledger/index.yml) to prevent tampering. Alternatively, users can manually generate database digests, storing them in the location of their choice. Database digests are used for later verifying that the data stored in ledger tables has not been tampered.
+The hash of the latest block in the database ledger is called the [database digest](ledger-digest-management-and-database-verification.md). It represents the state of all ledger tables in the database at the time that the block was generated.
+
+When a block is formed, its associated database digest is published and stored outside Azure SQL Database in tamper-proof storage. Because database digests represent the state of the database at the time that they were generated, protecting the digests from tampering is paramount. An attacker who has access to modify the digests would be able to:
-For more information on the database digests, see [Digest management and database verification](ledger-digest-management-and-database-verification.md).
+1. Tamper with the data in the database.
+2. Generate the hashes that represent the database with those changes.
+3. Modify the digests to represent the updated hash of the transactions in the block.
+
+Ledger provides the ability to automatically generate and store the database digests in [immutable storage](../../storage/blobs/storage-blob-immutable-storage.md) or [Azure Confidential Ledger](../../confidential-ledger/index.yml), to prevent tampering. Alternatively, users can manually generate database digests and store them in the location of their choice. Database digests are used for later verifying that the data stored in ledger tables has not been tampered with.
### Ledger verification
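Review bot: replacing "Azure Storage immutable blobs" with the generic "immutable storage" in the last paragraph of the digests section drops the name of the service that gives the WORM guarantee, exactly where a reader decides where to put digests; keep the service name, e.g. "in [Azure Storage immutable blobs](../../storage/blobs/storage-blob-immutable-storage.md) or [Azure Confidential Ledger](...)". Separately, "stored outside Azure SQL Database in tamper-proof storage" overstates what these stores provide; the verification section below says ledger detects tampering rather than preventing it, so "immutable" or "tamper-evident storage" would be consistent with the rest of the page.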
-The ledger feature doesn't allow users to modify the content of the ledger. However, an attacker or system administrator who has control of the machine can bypass all system checks and directly tamper with the data. For example, an attacker or system administrator can edit the database files in storage. Ledger can't prevent such attacks but guarantees that any tampering will be detected when the ledger data is verified. The ledger verification process takes as input one or more previously generated database digests and recomputes the hashes stored in the database ledger based on the current state of the ledger tables. If the computed hashes don't match the input digests, the verification fails, indicating that the data has been tampered with, and reports all inconsistencies detected.
+The ledger feature doesn't allow users to modify its content. However, an attacker or system administrator who has control of the machine can bypass all system checks and directly tamper with the data. For example, an attacker or system administrator can edit the database files in storage. Ledger can't prevent such attacks but guarantees that any tampering will be detected when the ledger data is verified.
+
+The [ledger verification](ledger-digest-management-and-database-verification.md) process takes as input one or more previously generated database digests and recomputes the hashes stored in the database ledger based on the current state of the ledger tables. If the computed hashes don't match the input digests, the verification fails, indicating that the data has been tampered with. Ledger then reports all inconsistencies that it has detected.
-Since the ledger verification recomputes all of the hashes for transactions in the database, it can be a resource-intensive process for databases with large amounts of data. Running the ledger verification should be done only when users need to verify the integrity of their database rather than in a continuous manner. Ideally, ledger verification should be run only when the organization hosting the data goes through an audit and needs to provide cryptographic evidence regarding the integrity of their data to another party. To reduce the cost of verification, ledger exposes options to verify individual ledger tables, or only a subset of the ledger.
+Because the ledger verification recomputes all of the hashes for transactions in the database, it can be a resource-intensive process for databases with large amounts of data. Users should run the ledger verification only when they need to verify the integrity of their database, rather than running it continuously.
-For more information on ledger verification, see [Digest management and database verification](ledger-digest-management-and-database-verification.md).
+Ideally, users should run ledger verification only when the organization that's hosting the data goes through an audit and needs to provide cryptographic evidence about the integrity of the data to another party. To reduce the cost of verification, the feature exposes options to verify individual ledger tables or only a subset of the ledger tables.
## Next steps -- [Quickstart: Create an Azure SQL Database with ledger enabled](ledger-create-a-single-database-with-ledger-enabled.md)-- [Updatable ledger tables](ledger-updatable-ledger-tables.md) -- [Append-only ledger tables](ledger-append-only-ledger-tables.md) -- [Database ledger](ledger-database-ledger.md) -- [Digest management and database verification](ledger-digest-management-and-database-verification.md) -- [Limitations for Azure SQL Database ledger](ledger-limits.md)-- [Create and use updatable ledger tables](ledger-how-to-updatable-ledger-tables.md)-- [Create and use append-only ledger tables](ledger-how-to-append-only-ledger-tables.md)-- [How to access the digests stored in Azure Confidential Ledger (ACL)](ledger-how-to-access-acl-digest.md)-- [How to verify a ledger table to detect tampering](ledger-verify-database.md)
+- [Quickstart: Create a SQL database with ledger enabled](ledger-create-a-single-database-with-ledger-enabled.md)
+- [Access the digests stored in Azure Confidential Ledger](ledger-how-to-access-acl-digest.md)
+- [Verify a ledger table to detect tampering](ledger-verify-database.md)
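Review bot: the trimmed "Next steps" list drops the only link on this page to [Limitations for Azure SQL Database ledger](ledger-limits.md); the other removed entries (updatable/append-only tables, database ledger, digest management) were moved inline earlier in the article, but the limits page was not, so either keep that bullet or link it from the body. In the verification section, "The ledger feature doesn't allow users to modify its content" is ambiguous (the feature's content or the ledger's?); the original "the content of the ledger" was clearer. Also "or only a subset of the ledger tables" slightly narrows the original "only a subset of the ledger"; confirm the verification options really are per-table only.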
azure-sql Ledger Updatable Ledger Tables https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/ledger-updatable-ledger-tables.md
Title: "Azure SQL Database updatable ledger tables"
-description: This article provides information on updatable ledger tables, ledger schema, and ledger views in Azure SQL Database
+description: This article provides information on updatable ledger tables, ledger schema, and ledger views in Azure SQL Database.
Last updated "05/25/2021"
[!INCLUDE[appliesto-sqldb](../includes/appliesto-sqldb.md)] > [!NOTE]
-> Azure SQL Database ledger is currently in **public preview**.
+> Azure SQL Database ledger is currently in public preview and available in West Central US.
-Updatable ledger tables are system-versioned tables that users can perform updates and deletes on while also providing tamper-evidence capabilities. When updates or deletes occur, all earlier versions of a row are preserved in a secondary table, known as the history table. The history table mirrors the schema of the updatable ledger table. When a row is updated, the latest version of the row remains in the ledger table, while its earlier version is inserted into the history table by the system, transparently to the application.
+Updatable ledger tables are system-versioned tables on which users can perform updates and deletes while also providing tamper-evidence capabilities. When updates or deletes occur, all earlier versions of a row are preserved in a secondary table, known as the history table. The history table mirrors the schema of the updatable ledger table. When a row is updated, the latest version of the row remains in the ledger table, while its earlier version is inserted into the history table by the system, transparently to the application.
## Updatable ledger tables vs. temporal tables
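Review bot: the rewritten opening sentence has a dangling modifier: "system-versioned tables on which users can perform updates and deletes while also providing tamper-evidence capabilities" attaches "providing" to the users. Suggest "system-versioned tables that users can update and delete from, and that also provide tamper evidence for current and historical rows." In the NOTE, adding "available in West Central US" hard-codes a preview region inside a callout that will go stale; link the region availability list instead or state the date the region list was accurate.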
-Both updatable ledger tables and [temporal tables](/sql/relational-databases/tables/temporal-tables) are system-versioned tables, for which the Database Engine captures historical row versions in secondary history tables. Either technology provides unique benefits. Updatable ledger tables make both the current and historical data tamper-evident. Temporal tables support querying the data stored at any point in time rather than only the data that is correct at the current moment in time.
+Both updatable ledger tables and [temporal tables](/sql/relational-databases/tables/temporal-tables) are system-versioned tables, for which the Database Engine captures historical row versions in secondary history tables. Either technology provides unique benefits. Updatable ledger tables make both the current and historical data tamper evident. Temporal tables support querying the data stored at any point in time instead of only the data that's correct at the current moment in time.
You can use both technologies together by creating tables that are both updatable ledger tables and temporal tables.
-Creating an updatable ledger table can be accomplished two ways:
+An updatable ledger table can be created in two ways:
-- When creating a new database in the Azure portal by selecting **Enable ledger on all future tables in this database** during ledger configuration, or through specifying the `LEDGER = ON` argument in your [CREATE DATABASE (Transact-SQL)](/sql/t-sql/statements/create-database-transact-sql) statement. This creates a ledger database, ensuring all future tables created in your database are updatable ledger tables by default.-- When creating a new table on a database where ledger isn't enabled at the database-level, by specifying the `LEDGER = ON` argument in your [CREATE TABLE (Transact-SQL)](/sql/t-sql/statements/create-table-transact-sql) statement.
+- When you create a new database in the Azure portal by selecting **Enable ledger on all future tables in this database** during ledger configuration, or through specifying the `LEDGER = ON` argument in your [CREATE DATABASE (Transact-SQL)](/sql/t-sql/statements/create-database-transact-sql) statement. This action creates a ledger database and ensures that all future tables created in your database are updatable ledger tables by default.
+- When you create a new table on a database where ledger isn't enabled at the database level by specifying the `LEDGER = ON` argument in your [CREATE TABLE (Transact-SQL)](/sql/t-sql/statements/create-table-transact-sql) statement.
-For details on options available when specifying the `LEDGER` argument in your T-SQL statement, see [CREATE TABLE (Transact-SQL)](/sql/t-sql/statements/create-table-transact-sql).
+For information on options available when you specify the `LEDGER` argument in your T-SQL statement, see [CREATE TABLE (Transact-SQL)](/sql/t-sql/statements/create-table-transact-sql).
> [!IMPORTANT]
-> Once created, a ledger table cannot be converted to a table that is not a ledger table. This is to ensure an attacker cannot temporarily remove ledger capabilities on a ledger table, make changes, and then re-enable ledger functionality.
+> After a ledger table is created, it can't be reverted to a table that isn't a ledger table. As a result, an attacker can't temporarily remove ledger capabilities on a ledger table, make changes, and then reenable ledger functionality.
### Updatable ledger table schema
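Review bot: the second bullet under "An updatable ledger table can be created in two ways" lost the comma before "by specifying", so it now reads as if ledger "isn't enabled at the database level by specifying LEDGER = ON". Restore: "When you create a new table on a database where ledger isn't enabled at the database level, by specifying the `LEDGER = ON` argument in your CREATE TABLE statement." For parallelism the first bullet should say "or by specifying" rather than "or through specifying".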
-An updatable ledger table needs to have the following [GENERATED ALWAYS](/sql/t-sql/statements/create-table-transact-sql#generate-always-columns) columns that contain metadata noting which transactions made changes to the table and the order of operations by which rows were updated by the transaction. This data is useful for forensics purposes in understanding how data was inserted over time.
+An updatable ledger table needs to have the following [GENERATED ALWAYS](/sql/t-sql/statements/create-table-transact-sql#generate-always-columns) columns that contain metadata noting which transactions made changes to the table and the order of operations by which rows were updated by the transaction. This data is useful for forensics purposes in understanding how data was inserted over time.
> [!NOTE]
-> If you do not specify the required `GENERATED ALWAYS` columns of the ledger table and ledger history table in the [CREATE TABLE (Transact-SQL)](/sql/t-sql/statements/create-table-transact-sql?view=azuresqldb-current&preserve-view=true) statement, the system will automatically add the columns, and it will use the below default names. For more information, see our examples of [Creating a updatable ledger table](/sql/t-sql/statements/create-table-transact-sql?view=azuresqldb-current&preserve-view=true#x-creating-a-updatable-ledger-table).
+> If you don't specify the required `GENERATED ALWAYS` columns of the ledger table and ledger history table in the [CREATE TABLE (Transact-SQL)](/sql/t-sql/statements/create-table-transact-sql?view=azuresqldb-current&preserve-view=true) statement, the system automatically adds the columns and uses the following default names. For more information, see examples in [Creating an updatable ledger table](/sql/t-sql/statements/create-table-transact-sql?view=azuresqldb-current&preserve-view=true#x-creating-a-updatable-ledger-table).
| Default column name | Data type | Description | | | | |
-| ledger_start_transaction_id | bigint | The ID of the transaction that created a row version. |
-| ledger_end_transaction_id | bigint | The ID of the transaction that deleted a row version. |
-| ledger_start_sequence_number | bigint | The sequence number of an operation within a transaction that created a row version. |
-| ledger_end_sequence_number | bigint | The sequence number of an operation within a transaction that deleted a row version. |
+| ledger_start_transaction_id | bigint | The ID of the transaction that created a row version |
+| ledger_end_transaction_id | bigint | The ID of the transaction that deleted a row version |
+| ledger_start_sequence_number | bigint | The sequence number of an operation within a transaction that created a row version |
+| ledger_end_sequence_number | bigint | The sequence number of an operation within a transaction that deleted a row version |
## History table The history table is automatically created when an updatable ledger table is created. The history table captures the historical values of rows changed because of updates and deletes in the updatable ledger table. The schema of the history table mirrors that of the updatable ledger table it's associated with.
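Review bot: the trailing periods removed from the four descriptions in the GENERATED ALWAYS column table are still present in the ledger view schema table later in this file ("The ID of the transaction that created or deleted a row version."); pick one convention for both tables. Also the `-`/`+` pair for the "An updatable ledger table needs to have the following GENERATED ALWAYS columns..." sentence is textually identical, so this looks like a whitespace-only change; if nothing else changed, drop it to keep the diff reviewable.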
-When creating an updatable ledger table, you can either specify the name of the schema to contain your history table and the name of the history table, or you have the system generate the name of the history table and add it to the same schema as the ledger table. History tables with system-generated names are called anonymous history tables. The naming convention for an anonymous history table is `<schema>`.`<updatableledgertablename>`.MSSQL_LedgerHistoryFor_`<GUID>`.
+When you create an updatable ledger table, you can either specify the name of the schema to contain your history table and the name of the history table or you have the system generate the name of the history table and add it to the same schema as the ledger table. History tables with system-generated names are called anonymous history tables. The naming convention for an anonymous history table is `<schema>`.`<updatableledgertablename>`.MSSQL_LedgerHistoryFor_`<GUID>`.
## Ledger view
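Review bot: the rewritten sentence "you can either specify the name of the schema to contain your history table and the name of the history table or you have the system generate" is not parallel after "either"; suggest "you can either specify the schema and name of the history table, or have the system generate the history table name and place it in the same schema as the ledger table." Please also double-check the anonymous history table convention `<schema>`.`<updatableledgertablename>`.MSSQL_LedgerHistoryFor_`<GUID>`: a three-part form with the ledger table name as the middle component is not a valid two-part object name, and the sentence just before it says the table lands in the same schema as the ledger table.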
-For every updatable ledger table, the system automatically generates a view, called the ledger view. The ledger view is a join of the updatable ledger table and its associated history table. The ledger view reports all row modifications that have occurred on the updatable ledger table by joining the historical data in the history table. This enables users, their partners, or auditors to analyze all historical operations and detect potential tampering. Each row operation is accompanied by the ID of the acting transaction, along with whether the operation was a `DELETE` or an `INSERT`. Users can retrieve more information about the time the transaction was executed, the identity of the user who executed it, and correlate it to other operations performed by this transaction.
+For every updatable ledger table, the system automatically generates a view, called the ledger view. The ledger view is a join of the updatable ledger table and its associated history table. The ledger view reports all row modifications that have occurred on the updatable ledger table by joining the historical data in the history table. This view enables users, their partners, or auditors to analyze all historical operations and detect potential tampering. Each row operation is accompanied by the ID of the acting transaction, along with whether the operation was a `DELETE` or an `INSERT`. Users can retrieve more information about the time the transaction was executed and the identity of the user who executed it and correlate it to other operations performed by this transaction.
-For example, if you wanted to track transaction history for a simple banking scenario, the ledger view is incredibly helpful to provide a chronicle of the transactions over time, rather than having to independently view the updatable ledger table and history tables, or constructing your own view to do so.
+For example, if you want to track transaction history for a banking scenario, the ledger view provides a chronicle of transactions over time. By using the ledger view, you don't have to independently view the updatable ledger table and history tables or construct your own view to do so.
-For an example on using the ledger view, see [Create and use updatable ledger tables](ledger-how-to-updatable-ledger-tables.md).
+For an example of using the ledger view, see [Create and use updatable ledger tables](ledger-how-to-updatable-ledger-tables.md).
The ledger view's schema mirrors the columns defined in the updatable ledger and history table, but the [GENERATED ALWAYS](/sql/t-sql/statements/create-table-transact-sql#generate-always-columns) columns are different than those of the updatable ledger and history tables. ### Ledger view schema > [!NOTE]
-> The ledger view column names can be customized when creating the table using the `<ledger_view_option>` parameter with the [CREATE TABLE (Transact-SQL)](/sql/t-sql/statements/create-table-transact-sql?view=azuresqldb-current&preserve-view=true) statement. For more information, see [ledger view options](/sql/t-sql/statements/create-table-transact-sql?view=azuresqldb-current&preserve-view=true#ledger-view-options) and the corresponding examples in [CREATE TABLE (Transact-SQL)](/sql/t-sql/statements/create-table-transact-sql?view=azuresqldb-current&preserve-view=true).
+> The ledger view column names can be customized when you create the table by using the `<ledger_view_option>` parameter with the [CREATE TABLE (Transact-SQL)](/sql/t-sql/statements/create-table-transact-sql?view=azuresqldb-current&preserve-view=true) statement. For more information, see [ledger view options](/sql/t-sql/statements/create-table-transact-sql?view=azuresqldb-current&preserve-view=true#ledger-view-options) and the corresponding examples in [CREATE TABLE (Transact-SQL)](/sql/t-sql/statements/create-table-transact-sql?view=azuresqldb-current&preserve-view=true).
| Default column name | Data type | Description | | | | | | ledger_transaction_id | bigint | The ID of the transaction that created or deleted a row version. | | ledger_sequence_number | bigint | The sequence number of a row-level operation within the transaction on the table. |
-| ledger_operation_type_id | tinyint | Contains `0` (**INSERT**) or `1` (**DELETE**). Inserting a row into the ledger table produces a new row in the ledger view containing `0` in this column. Deleting a row from the ledger table produces a new row in the ledger view containing `1` in this column. Updating a row in the ledger table produces two new rows in the ledger view. One row contains `1` (**DELETE**) and the other row contains `1` (**INSERT**) in this column. |
-| ledger_operation_type_desc | nvarchar(128) | Contains `INSERT` or `DELETE`. See above for details. |
+| ledger_operation_type_id | tinyint | Contains `0` (**INSERT**) or `1` (**DELETE**). Inserting a row into the ledger table produces a new row in the ledger view that contains `0` in this column. Deleting a row from the ledger table produces a new row in the ledger view that contains `1` in this column. Updating a row in the ledger table produces two new rows in the ledger view. One row contains `1` (**DELETE**), and the other row contains `1` (**INSERT**) in this column. |
+| ledger_operation_type_desc | nvarchar(128) | Contains `INSERT` or `DELETE`. For more information, see the preceding row. |
## Next steps
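Review bot: the `ledger_operation_type_id` description carries over a logic error from the original: for an update it says "One row contains `1` (**DELETE**), and the other row contains `1` (**INSERT**)", but the same cell defines INSERT as `0`, so the second value must be `0`. Suggest "One row contains `1` (**DELETE**) for the old version, and the other contains `0` (**INSERT**) for the new version." This is the column an auditor would filter on to find deletions, so the table should be exact. Minor: "Contains `INSERT` or `DELETE`. For more information, see the preceding row." is fine, but the ledger view paragraph above it should mention that an `UPDATE` appears as that DELETE/INSERT pair, since that is the non-obvious part.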
azure-sql Sql Data Sync Data Sql Server Sql Database https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/sql-data-sync-data-sql-server-sql-database.md
Provisioning and deprovisioning during sync group creation, update, and deletion
- Moving servers between different subscriptions isn't supported. - If two primary keys are only different in case (e.g. Foo and foo), Data Sync won't support this scenario. - Truncating tables is not an operation supported by Data Sync (changes won't be tracked).
+- Hyperscale databases are not supported.
#### Unsupported data types
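Review bot: the new bullet "Hyperscale databases are not supported." should say in which role: as a hub database, as a member database, or as the sync metadata database, since the surrounding limitations are all role-specific. Also match the contraction style of the neighbouring bullets ("isn't", "won't"), i.e. "Hyperscale databases aren't supported".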
azure-sql Connect Vm Instance Configure https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/managed-instance/connect-vm-instance-configure.md
The easiest way to create a client virtual machine with all necessary tools is t
| **Location** | The location for the resource group | This value is populated based on the resource group selected. | | **Virtual machine name** | Any valid name | For valid names, see [Naming rules and restrictions](/azure/architecture/best-practices/resource-naming).| |**Admin Username**|Any valid username|For valid names, see [Naming rules and restrictions](/azure/architecture/best-practices/resource-naming). Don't use "serveradmin" as that is a reserved server-level role.<br>You use this username any time you [connect to the VM](#connect-to-the-virtual-machine).|
- |**Password**|Any valid password|The password must be at least 12 characters long and meet the [defined complexity requirements](../../virtual-machines/windows/faq.md#what-are-the-password-requirements-when-creating-a-vm).<br>You use this password any time you [connect to the VM](#connect-to-the-virtual-machine).|
+ |**Password**|Any valid password|The password must be at least 12 characters long and meet the [defined complexity requirements](../../virtual-machines/windows/faq.yml#what-are-the-password-requirements-when-creating-a-vm-).<br>You use this password any time you [connect to the VM](#connect-to-the-virtual-machine).|
| **Virtual Machine Size** | Any valid size | The default in this template of **Standard_B2s** is sufficient for this quickstart. | | **Location**|[resourceGroup().location].| Don't change this value. | | **Virtual Network Name**|The virtual network in which you created the managed instance|
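Review bot: the updated password link now points to the `.yml` FAQ with an anchor that ends in a trailing hyphen (`#what-are-the-password-requirements-when-creating-a-vm-`); that is what a slug generator produces from a question ending in "?", but please confirm the rendered heading id on the YAML FAQ page, because a wrong anchor fails silently and just lands at the top of the page. The same link is changed in instance-create-quickstart.md in this commit; keep both in sync.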
azure-sql Instance Create Quickstart https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/managed-instance/instance-create-quickstart.md
If you don't have an Azure subscription, [create a free account](https://azure.m
| **Managed instance name** | Any valid name.|For valid names, see [Naming rules and restrictions](/azure/architecture/best-practices/resource-naming).| | **Region** |The region in which you want to create the managed instance.|For information about regions, see [Azure regions](https://azure.microsoft.com/regions/).| | **Managed instance admin login** | Any valid username. | For valid names, see [Naming rules and restrictions](/azure/architecture/best-practices/resource-naming). Don't use "serveradmin" because that's a reserved server-level role.|
- | **Password** | Any valid password.| The password must be at least 16 characters long and meet the [defined complexity requirements](../../virtual-machines/windows/faq.md#what-are-the-password-requirements-when-creating-a-vm).|
+ | **Password** | Any valid password.| The password must be at least 16 characters long and meet the [defined complexity requirements](../../virtual-machines/windows/faq.yml#what-are-the-password-requirements-when-creating-a-vm-).|
- Select **Configure Managed Instance** to size compute and storage resources and to review the pricing tiers. Use the sliders or text boxes to specify the amount of storage and the number of virtual cores. When you're finished, select **Apply** to save your selection.
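Review bot: besides confirming the trailing-hyphen anchor (`...-creating-a-vm-`) resolves on the `.yml` FAQ, note that this row links the managed instance admin password to the *virtual machine* password requirements while stating a 16-character minimum, whereas connect-vm-instance-configure.md links the same anchor with a 12-character minimum for the VM. If managed instance has its own complexity rules, link those instead of the VM FAQ; if the rules are the same, the two minimums should not differ.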
azure-sql Frequently Asked Questions Faq https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/virtual-machines/linux/frequently-asked-questions-faq.md
- Title: SQL Server on Linux virtual machines FAQ | Microsoft Docs
-description: This article provides answers to frequently asked questions about running SQL Server on Linux virtual machines.
--
-tags: azure-service-management
---- Previously updated : 12/13/2017---
-# Frequently asked questions for SQL Server on Linux virtual machines
-
-> [!div class="op_single_selector"]
-> * [Windows](../windows/frequently-asked-questions-faq.md)
-> * [Linux](frequently-asked-questions-faq.md)
-
-This article provides answers to some of the most common questions about running [SQL Server on Linux virtual machines](sql-server-on-linux-vm-what-is-iaas-overview.md).
--
-## <a id="images"></a> Images
-
-1. **What SQL Server virtual machine gallery images are available?**
-
- Azure maintains virtual machine (VM) images for all supported major releases of SQL Server on all editions for both Linux and Windows. For more details, see the complete list of [Linux VM images](sql-server-on-linux-vm-what-is-iaas-overview.md#create) and [Windows VM images](../windows/sql-server-on-azure-vm-iaas-what-is-overview.md#payasyougo).
-
-1. **Are existing SQL Server virtual machine gallery images updated?**
-
- Every two months, SQL Server images in the virtual machine gallery are updated with the latest Linux and Windows updates. For Linux images, this includes the latest system updates. For Windows images, this includes any updates that are marked as important in Windows Update, including important SQL Server security updates and service packs. SQL Server cumulative updates are handled differently for Linux and Windows. For Linux, SQL Server cumulative updates are also included in the refresh. But at this time, Windows VMs are not updated with SQL Server or Windows Server cumulative updates.
-
-1. **What related SQL Server packages are also installed?**
-
- To see the SQL Server packages that are installed by default on SQL Server on Linux VMs, see [Installed packages](sql-server-on-linux-vm-what-is-iaas-overview.md#packages).
-
-1. **Can SQL Server virtual machine images get removed from the gallery?**
-
- Yes. Azure only maintains one image per major version and edition. For example, when a new SQL Server service pack is released, Azure adds a new image to the gallery for that service pack. The SQL Server image for the previous service pack is immediately removed from the Azure portal. However, it is still available for provisioning from PowerShell for the next three months. After three months, the previous service pack image is no longer available. This removal policy would also apply if a SQL Server version becomes unsupported when it reaches the end of its lifecycle.
-
-## Creation
-
-1. **How do I create a Linux virtual machine with SQL Server?**
-
- The easiest solution is to create a Linux virtual machine that includes SQL Server. For a tutorial on signing up for Azure and creating a SQL Server VM from the portal, see [Provision a Linux virtual machine running SQL Server in the Azure portal](sql-vm-create-portal-quickstart.md). You also have the option of manually installing SQL Server on a VM with either a freely licensed edition (Developer or Express) or by reusing an on-premises license. If you bring your own license, you must have [License Mobility through Software Assurance on Azure](https://azure.microsoft.com/pricing/license-mobility).
-
-1. **Why canΓÇÖt I provision an RHEL or SLES SQL Server VM with an Azure subscription that has a spending limit?**
-
- RHEL and SLES virtual machines require a subscription with no spending limit and a verified payment method (usually a credit card) associated with the subscription. If you provision an RHEL or SLES VM without removing the spending limit, your subscription will get disabled and all VMs/services stopped. If you do run into this state, to re-enable the subscription [remove the spending limit](https://account.windowsazure.com/subscriptions). Your remaining credits will be restored for the current billing cycle but an RHEL or SLES VM image surcharge will go against your credit card if you choose to re-start and continue running it.
-
-## Licensing
-
-1. **How can I install my licensed copy of SQL Server on an Azure VM?**
-
- First, create a Linux OS-only virtual machine. Then run the [SQL Server installation steps](/sql/linux/sql-server-linux-setup#platforms) for your Linux distribution. Unless you are installing one of the freely licensed editions of SQL Server, you must also have a SQL Server license and [License Mobility through Software Assurance on Azure](https://azure.microsoft.com/pricing/license-mobility/).
-
-1. **Are there Bring-Your-Own-License (BYOL) Linux virtual machine images for SQL Server?**
-
- At this time, there are no BYOL Linux virtual machine images for SQL Server. However, you can manually install SQL Server on a Linux-only VM as discussed in the previous questions.
-
-1. **Can I change a VM to use my own SQL Server license if it was created from one of the pay-as-you-go gallery images?**
-
- No. You cannot switch from pay-per-second licensing to using your own license. You must create a new Linux VM, install SQL Server, and migrate your data. See the previous question for more details about bringing your own license.
-
-## Administration
-
-1. **Can I manage a Linux virtual machine running SQL Server with SQL Server Management Studio (SSMS)?**
-
- Yes, but SSMS is currently a Windows-only tool. You must connect remotely from a Windows machine to use SSMS with Linux VMs running SQL Server. Locally on Linux, the new [mssql-conf](/sql/linux/sql-server-linux-configure-mssql-conf) tool can perform many administrative tasks. For a cross-platform database management tool, see [Azure Data Studio](/sql/azure-data-studio/what-is).
-
-1. **Can I remove SQL Server completely from a SQL Server VM?**
-
- Yes, but you will continue to be charged for your SQL Server VM as described in [Pricing guidance for SQL Server Azure VMs](../windows/pricing-guidance.md?toc=%2fazure%2fvirtual-machines%2flinux%2fsql%2ftoc.json). If you no longer need SQL Server, you can deploy a new virtual machine and migrate the data and applications to the new virtual machine. Then you can remove the SQL Server virtual machine.
-
-## Updating and patching
-
-1. **How do I upgrade to a new version/edition of the SQL Server in an Azure VM?**
-
- Currently, there is no in-place upgrade for SQL Server running in an Azure VM. Create a new Azure virtual machine with the desired SQL Server version/edition, and then migrate your databases to the new server using [standard data migration techniques](/sql/linux/sql-server-linux-migrate-overview).
-
-## General
-
-1. **Are SQL Server high-availability solutions supported on Azure VMs?**
-
- Not at this time. Always On availability groups and Failover Clustering both require a clustering solution in Linux, such as Pacemaker. The supported Linux distributions for SQL Server do not support their high availability add-ons in the cloud.
-
-## Resources
-
-**Linux VMs**:
-
-* [Overview of SQL Server on a Linux VM](sql-server-on-linux-vm-what-is-iaas-overview.md)
-* [Provision SQL Server on a Linux VM](sql-vm-create-portal-quickstart.md)
-* [SQL Server on Linux documentation](/sql/linux/sql-server-linux-overview)
-
-**Windows VMs**:
-
-* [Overview of SQL Server on a Windows VM](../windows/sql-server-on-azure-vm-iaas-what-is-overview.md)
-* [Provision SQL Server on a Windows VM](../windows/sql-vm-create-portal-quickstart.md)
-* [FAQ (Windows)](../windows/frequently-asked-questions-faq.md)
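Review bot: the licensing answer removed here ("No. You cannot switch from pay-per-second licensing to using your own license") contradicts the Windows FAQ deleted later in this same update, which answers the identical question with "Yes" via the Azure Hybrid Benefit; before the replacement `frequently-asked-questions-faq.yml` ships, confirm which answer applies to Linux VMs so the two FAQ pages do not disagree. Since the Windows and Linux FAQs share a filename, also check that each inbound link updated elsewhere in this change (`frequently-asked-questions-faq.md` to `.yml`, with or without the `../linux/` prefix) still resolves to the intended copy.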
azure-sql Sql Server On Linux Vm What Is Iaas Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/virtual-machines/linux/sql-server-on-linux-vm-what-is-iaas-overview.md
Get started with SQL Server on Linux virtual machines:
Get answers to commonly asked questions about SQL Server VMs on Linux:
-* [SQL Server on Azure Virtual Machines FAQ](frequently-asked-questions-faq.md)
+* [SQL Server on Azure Virtual Machines FAQ](frequently-asked-questions-faq.yml)
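Review bot: run link validation on this `.md` to `.yml` swap before merging; a cross-reference from a Markdown article to a YAML-based FAQ page only resolves if the docs build accepts `.yml` targets for this content type, and the same swap is repeated in several other files in this update. Because the sibling `frequently-asked-questions-faq.md` is deleted in the same update, any reference left pointing at `.md` will break.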
azure-sql Availability Group Quickstart Template Configure https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/virtual-machines/windows/availability-group-quickstart-template-configure.md
After you make these changes, try to deploy the Azure quickstart template once m
To learn more, see: * [Overview of SQL Server VMs](sql-server-on-azure-vm-iaas-what-is-overview.md)
-* [FAQ for SQL Server VMs](frequently-asked-questions-faq.md)
+* [FAQ for SQL Server VMs](frequently-asked-questions-faq.yml)
* [Pricing guidance for SQL Server VMs](pricing-guidance.md) * [Release notes for SQL Server VMs](../../database/doc-changes-updates-release-notes.md) * [Switching licensing models for a SQL Server VM](licensing-model-azure-hybrid-benefit-ahb-change.md)
azure-sql Change Sql Server Edition https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/virtual-machines/windows/change-sql-server-edition.md
Once you've changed the edition of SQL Server using the installation media, and
For more information, see the following articles: * [Overview of SQL Server on a Windows VM](sql-server-on-azure-vm-iaas-what-is-overview.md)
-* [FAQ for SQL Server on a Windows VM](frequently-asked-questions-faq.md)
+* [FAQ for SQL Server on a Windows VM](frequently-asked-questions-faq.yml)
* [Pricing guidance for SQL Server on a Windows VM](pricing-guidance.md) * [Release notes for SQL Server on a Windows VM](doc-changes-updates-release-notes.md)
azure-sql Change Sql Server Version https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/virtual-machines/windows/change-sql-server-version.md
After you change the version of SQL Server, register your SQL Server VM with the
For more information, see the following articles: - [Overview of SQL Server on a Windows VM](sql-server-on-azure-vm-iaas-what-is-overview.md)-- [FAQ for SQL Server on a Windows VM](frequently-asked-questions-faq.md)
+- [FAQ for SQL Server on a Windows VM](frequently-asked-questions-faq.yml)
- [Pricing guidance for SQL Server on a Windows VM](pricing-guidance.md) - [Release notes for SQL Server on a Windows VM](doc-changes-updates-release-notes.md)
azure-sql Create Sql Vm Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/virtual-machines/windows/create-sql-vm-portal.md
This guide covers options available for using the Azure portal to provision SQL
Use this guide to create your own SQL Server VM. Or, use it as a reference for the available options in the Azure portal. > [!TIP]
-> If you have questions about SQL Server virtual machines, see the [Frequently Asked Questions](frequently-asked-questions-faq.md).
+> If you have questions about SQL Server virtual machines, see the [Frequently Asked Questions](frequently-asked-questions-faq.yml).
If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.
On the **Basics** tab, provide the following information:
> [!IMPORTANT] > The estimated monthly cost displayed on the **Choose a size** window does not include SQL Server licensing costs. This estimate is the cost of the VM alone. For the Express and Developer editions of SQL Server, this estimate is the total estimated cost. For other editions, see the [Windows Virtual Machines pricing page](https://azure.microsoft.com/pricing/details/virtual-machines/windows/) and select your target edition of SQL Server. Also see the [Pricing guidance for SQL Server Azure VMs](pricing-guidance.md) and [Sizes for virtual machines](../../../virtual-machines/sizes.md?toc=%2fazure%2fvirtual-machines%2fwindows%2ftoc.json).
-* Under **Administrator account**, provide a username and password. The password must be at least 12 characters long and meet the [defined complexity requirements](../../../virtual-machines/windows/faq.md#what-are-the-password-requirements-when-creating-a-vm).
+* Under **Administrator account**, provide a username and password. The password must be at least 12 characters long and meet the [defined complexity requirements](../../../virtual-machines/windows/faq.yml#what-are-the-password-requirements-when-creating-a-vm-).
![Administrator account](./media/create-sql-vm-portal/basics-administrator-account.png)
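Review bot: the trailing hyphen in the new anchor `#what-are-the-password-requirements-when-creating-a-vm-` needs verifying against the rendered `faq.yml`, because a fragment mismatch fails silently (the page opens at the top instead of at the question) and a trailing `-` is easy to drop in a later edit. If the generated heading id does not carry the hyphen, keep the previous anchor `#what-are-the-password-requirements-when-creating-a-vm` instead.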
The following sections show how to connect over the internet to your SQL Server
## Next steps
-For other information about using SQL Server in Azure, see [SQL Server on Azure Virtual Machines](sql-server-on-azure-vm-iaas-what-is-overview.md) and the [Frequently Asked Questions](frequently-asked-questions-faq.md).
+For other information about using SQL Server in Azure, see [SQL Server on Azure Virtual Machines](sql-server-on-azure-vm-iaas-what-is-overview.md) and the [Frequently Asked Questions](frequently-asked-questions-faq.yml).
azure-sql Dedicated Host https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/virtual-machines/windows/dedicated-host.md
A: Customers can use the value of their existing Windows Server and SQL Server l
For more information, see the following articles: * [Overview of SQL Server on a Windows VM](sql-server-on-azure-vm-iaas-what-is-overview.md)
-* [FAQ for SQL Server on a Windows VM](frequently-asked-questions-faq.md)
+* [FAQ for SQL Server on a Windows VM](frequently-asked-questions-faq.yml)
* [Pricing guidance for SQL Server on a Windows VM](pricing-guidance.md) * [Release notes for SQL Server on a Windows VM](doc-changes-updates-release-notes.md)
azure-sql Doc Changes Updates Release Notes https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/virtual-machines/windows/doc-changes-updates-release-notes.md
Azure allows you to deploy a virtual machine (VM) with an image of SQL Server bu
* [Overview of SQL Server on a Linux VM](../linux/sql-server-on-linux-vm-what-is-iaas-overview.md) * [Provision SQL Server on a Linux virtual machine](../linux/sql-vm-create-portal-quickstart.md)
-* [FAQ (Linux)](../linux/frequently-asked-questions-faq.md)
+* [FAQ (Linux)](../linux/frequently-asked-questions-faq.yml)
* [SQL Server on Linux documentation](/sql/linux/sql-server-linux-overview)
azure-sql Frequently Asked Questions Faq https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/virtual-machines/windows/frequently-asked-questions-faq.md
- Title: SQL Server on Windows Virtual Machines in Azure FAQ | Microsoft Docs
-description: This article provides answers to frequently asked questions about running SQL Server on Azure VMs.
--
-tags: azure-service-management
---- Previously updated : 08/05/2019--
-# Frequently asked questions for SQL Server on Azure VMs
-
-> [!div class="op_single_selector"]
-> * [Windows](frequently-asked-questions-faq.md)
-> * [Linux](../linux/frequently-asked-questions-faq.md)
-
-This article provides answers to some of the most common questions about running [SQL Server on Windows Azure Virtual Machines (VMs)](https://azure.microsoft.com/services/virtual-machines/sql-server/).
--
-## <a id="images"></a> Images
-
-1. **What SQL Server virtual machine gallery images are available?**
-
- Azure maintains virtual machine images for all supported major releases of SQL Server on all editions for both Windows and Linux. For more information, see the complete list of [Windows VM images](sql-server-on-azure-vm-iaas-what-is-overview.md#payasyougo) and [Linux VM images](../linux/sql-server-on-linux-vm-what-is-iaas-overview.md#create).
-
-1. **Are existing SQL Server virtual machine gallery images updated?**
-
- Every two months, SQL Server images in the virtual machine gallery are updated with the latest Windows and Linux updates. For Windows images, this includes any updates that are marked important in Windows Update, including important SQL Server security updates and service packs. For Linux images, this includes the latest system updates. SQL Server cumulative updates are handled differently for Linux and Windows. For Linux, SQL Server cumulative updates are also included in the refresh. But at this time, Windows VMs are not updated with SQL Server or Windows Server cumulative updates.
-
-1. **Can SQL Server virtual machine images get removed from the gallery?**
-
- Yes. Azure only maintains one image per major version and edition. For example, when a new SQL Server service pack is released, Azure adds a new image to the gallery for that service pack. The SQL Server image for the previous service pack is immediately removed from the Azure portal. However, it is still available for provisioning from PowerShell for the next three months. After three months, the previous service pack image is no longer available. This removal policy would also apply if a SQL Server version becomes unsupported when it reaches the end of its lifecycle.
--
-1. **Is it possible to deploy an older image of SQL Server that is not visible in the Azure portal?**
-
- Yes, by using PowerShell. For more information about deploying SQL Server VMs using PowerShell, see [How to provision SQL Server virtual machines with Azure PowerShell](create-sql-vm-powershell.md).
-
-1. **Is it possible to create a generalized Azure Marketplace SQL Server image of my SQL Server VM and use it to deploy VMs?**
-
- Yes, but you must then [register each SQL Server VM with the SQL IaaS Agent extension](sql-agent-extension-manually-register-single-vm.md) to manage your SQL Server VM in the portal, as well as utilize features such as automated patching and automatic backups. When registering with the extension, you will also need to specify the license type for each SQL Server VM.
-
-1. **How do I generalize SQL Server on Azure VM and use it to deploy new VMs?**
-
- You can deploy a Windows Server VM (without SQL Server installed on it) and use the [SQL sysprep](/sql/database-engine/install-windows/install-sql-server-using-sysprep) process to generalize SQL Server on Azure VM (Windows) with the SQL Server installation media. Customers who have [Software Assurance](https://www.microsoft.com/licensing/licensing-programs/software-assurance-default?rtc=1&activetab=software-assurance-default-pivot%3aprimaryr3) can obtain their installation media from the [Volume Licensing Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). Customers who don't have Software Assurance can use the setup media from an Azure Marketplace SQL Server VM image that has the desired edition.
-
- Alternatively, use one of the SQL Server images from Azure Marketplace to generalize SQL Server on Azure VM. Note that you must delete the following registry key in the source image before creating your own image. Failure to do so can result in the bloating of the SQL Server setup bootstrap folder and/or SQL IaaS extension in failed state.
-
- Registry Key path:
- `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\SysPrepExternal\Specialize`
-
- > [!NOTE]
- > SQL Server on Azure VMs, including those deployed from custom generalized images, should be [registered with the SQL IaaS Agent extension](./sql-agent-extension-manually-register-single-vm.md?tabs=azure-cli%252cbash) to meet compliance requirements and to utilize optional features such as automated patching and automatic backups. The extension also allows you to [specify the license type](./licensing-model-azure-hybrid-benefit-ahb-change.md?tabs=azure-portal) for each SQL Server VM.
-
-1. **Can I use my own VHD to deploy a SQL Server VM?**
-
- Yes, but you must then [register each SQL Server VM with the SQL IaaS Agent extension](sql-agent-extension-manually-register-single-vm.md) to manage your SQL Server VM in the portal, as well as utilize features such as automated patching and automatic backups.
-
-1. **Is it possible to set up configurations not shown in the virtual machine gallery (for example Windows 2008 R2 + SQL Server 2012)?**
-
- No. For virtual machine gallery images that include SQL Server, you must select one of the provided images either through the Azure portal or via [PowerShell](create-sql-vm-powershell.md). However, you have the ability to deploy a Windows VM and self-install SQL Server to it. You must then [register your SQL Server VM with the SQL IaaS Agent extension](sql-agent-extension-manually-register-single-vm.md) to manage your SQL Server VM in the Azure portal, as well as utilize features such as automated patching and automatic backups.
--
-## Creation
-
-1. **How do I create an Azure virtual machine with SQL Server?**
-
- The easiest method is to create a virtual machine that includes SQL Server. For a tutorial on signing up for Azure and creating a SQL Server VM from the portal, see [Provision a SQL Server virtual machine in the Azure portal](create-sql-vm-portal.md). You can select a virtual machine image that uses pay-per-second SQL Server licensing, or you can use an image that allows you to bring your own SQL Server license. You also have the option of manually installing SQL Server on a VM with either a freely licensed edition (Developer or Express) or by reusing an on-premises license. Be sure to [register your SQL Server VM with the SQL IaaS Agent extension](sql-agent-extension-manually-register-single-vm.md) to manage your SQL Server VM in the portal, as well as utilize features such as automated patching and automatic backups. If you bring your own license, you must have [License Mobility through Software Assurance on Azure](https://azure.microsoft.com/pricing/license-mobility/). For more information, see [Pricing guidance for SQL Server Azure VMs](pricing-guidance.md).
-
-1. **How can I migrate my on-premises SQL Server database to the cloud?**
-
- First create an Azure virtual machine with a SQL Server instance. Then migrate your on-premises databases to that instance. For data migration strategies, see [Migrate a SQL Server database to SQL Server in an Azure VM](migrate-to-vm-from-sql-server.md).
-
-## Licensing
-
-1. **How can I install my licensed copy of SQL Server on an Azure VM?**
-
- There are three ways to do this. If you're an Enterprise Agreement (EA) customer, you can provision one of the [virtual machine images that supports licenses](sql-server-on-azure-vm-iaas-what-is-overview.md#BYOL), which is also known as bring-your-own-license (BYOL). If you have [Software Assurance](https://www.microsoft.com/en-us/licensing/licensing-programs/software-assurance-default), you can enable the [Azure Hybrid Benefit](licensing-model-azure-hybrid-benefit-ahb-change.md) on an existing pay-as-you-go (PAYG) image. Or you can copy the SQL Server installation media to a Windows Server VM, and then install SQL Server on the VM. Be sure to register your SQL Server VM with the [extension](sql-agent-extension-manually-register-single-vm.md) for features such as portal management, automated backup and automated patching.
--
-1. **Does a customer need SQL Server Client Access Licenses (CALs) to connect to a SQL Server pay-as-you-go image that is running on Azure Virtual Machines?**
-
- No. Customers need CALs when they use bring-your-own-license and move their SQL Server SA server / CAL VM to Azure VMs.
-
-1. **Can I change a VM to use my own SQL Server license if it was created from one of the pay-as-you-go gallery images?**
-
- Yes. You can easily switch a pay-as-you-go (PAYG) gallery image to bring-your-own-license (BYOL) by enabling the [Azure Hybrid Benefit](https://azure.microsoft.com/pricing/hybrid-benefit/faq/). For more information, see [How to change the licensing model for a SQL Server VM](licensing-model-azure-hybrid-benefit-ahb-change.md). Currently, this facility is only available for public and Azure Government cloud customers.
--
-1. **Will switching licensing models require any downtime for SQL Server?**
-
- No. [Changing the licensing model](licensing-model-azure-hybrid-benefit-ahb-change.md) does not require any downtime for SQL Server as the change is effective immediately and does not require a restart of the VM. However, to register your SQL Server VM with the SQL IaaS Agent extension, the [SQL IaaS extension](sql-server-iaas-agent-extension-automate-management.md) is a prerequisite and installing the SQL IaaS extension in _full_ mode restarts the SQL Server service. As such, if the SQL IaaS extension needs to be installed, either install it in _lightweight_ mode for limited functionality, or install it in _full_ mode during a maintenance window. The SQL IaaS extension installed in _lightweight_ mode can be upgraded to _full_ mode at any time, but requires a restart of the SQL Server service.
-
-1. **Is it possible to switch licensing models on a SQL Server VM deployed using classic model?**
-
- No. Changing licensing models is not supported on a classic VM. You may migrate your VM to the Azure Resource Manager model and register with the SQL IaaS Agent extension. Once the VM is registered with the SQL IaaS Agent extension, licensing model changes will be available on the VM.
-
-1. **Can I use the Azure portal to manage multiple instances on the same VM?**
-
- No. Portal management is a feature provided by the SQL IaaS Agent extension, which relies on the SQL Server IaaS Agent extension. As such, the same limitations apply to the extension as to the extension. The portal can either only manage one default instance, or one named instance, as long as it was configured correctly. For more information on these limitations, see [SQL Server IaaS agent extension](sql-server-iaas-agent-extension-automate-management.md).
-
-1. **Can CSP subscriptions activate the Azure Hybrid Benefit?**
-
- Yes, the Azure Hybrid Benefit is available for CSP subscriptions. CSP customers should first deploy a pay-as-you-go image, and then [change the licensing model](licensing-model-azure-hybrid-benefit-ahb-change.md) to bring-your-own-license.
-
-
-1. **Do I have to pay to license SQL Server on an Azure VM if it is only being used for standby/failover?**
-
- To have a free passive license for a standby secondary availability group or failover clustered instance, you must meet all of the following criteria as outlined by the [Product Licensing Terms](https://www.microsoft.com/licensing/product-licensing/products):
-
- 1. You have [license mobility](https://www.microsoft.com/licensing/licensing-programs/software-assurance-license-mobility?activetab=software-assurance-license-mobility-pivot:primaryr2) through [Software Assurance](https://www.microsoft.com/licensing/licensing-programs/software-assurance-default?activetab=software-assurance-default-pivot%3aprimaryr3).
- 1. The passive SQL Server instance does not serve SQL Server data to clients or run active SQL Server workloads. It is only used to synchronize with the primary server and otherwise maintain the passive database in a warm standby state. If it is serving data, such as reports to clients running active SQL Server workloads, or performing any work other than what is specified in the product terms, it must be a paid licensed SQL Server instance. The following activity is permitted on the secondary instance: database consistency checks or CheckDB, full backups, transaction log backups, and monitoring resource usage data. You may also run the primary and corresponding disaster recovery instance simultaneously for brief periods of disaster recovery testing every 90 days.
- 1. The active SQL Server license is covered by Software Assurance and allows for **one** passive secondary SQL Server instance, with up to the same amount of compute as the licensed active server, only.
- 1. The secondary SQL Server VM utilizes the [Disaster Recovery](business-continuity-high-availability-disaster-recovery-hadr-overview.md#free-dr-replica-in-azure) license in the Azure portal.
-
-1. **What is considered a passive instance?**
-
- The passive SQL Server instance does not serve SQL Server data to clients or run active SQL Server workloads. It is only used to synchronize with the primary server and otherwise maintain the passive database in a warm standby state. If it is serving data, such as reports to clients running active SQL Server workloads, or performing any work other than what is specified in the product terms, it must be a paid licensed SQL Server instance. The following activity is permitted on the secondary instance: database consistency checks or CheckDB, full backups, transaction log backups, and monitoring resource usage data. You may also run the primary and corresponding disaster recovery instance simultaneously for brief periods of disaster recovery testing every 90 days.
-
-
-1. **What scenarios can utilize the Disaster Recovery (DR) benefit?**
-
- The [licensing guide](https://aka.ms/sql2019licenseguide) provides scenarios in which the Disaster Recovery Benefit can be utilized. Refer to your Product Terms and talk to your licensing contacts or account manager for more information.
-
-1. **Which subscriptions support the Disaster Recovery (DR) benefit?**
-
- Comprehensive programs that offer Software Assurance equivalent subscription rights as a fixed benefit support the DR benefit. This includes. but is not limited to, the Open Value (OV), Open Value Subscription (OVS), Enterprise Agreement (EA), Enterprise Agreement Subscription (EAS), and the Server and Cloud Enrollment (SCE). Refer to the [product terms](https://www.microsoft.com/licensing/product-licensing/products) and talk to your licensing contacts or account manager for more information.
-
-
- ## Extension
-
-1. **Will registering my VM with the new SQL IaaS Agent extension bring additional costs?**
-
- No. The SQL IaaS Agent extension just enables additional manageability for SQL Server on Azure VM with no additional charges.
-
-1. **Is the SQL IaaS Agent extension available for all customers?**
-
- Yes, as long as the SQL Server VM was deployed on the public cloud using the Resource Manager model, and not the classic model. All other customers are able to register with the new SQL IaaS Agent extension. However, only customers with the [Software Assurance](https://www.microsoft.com/licensing/licensing-programs/software-assurance-default?activetab=software-assurance-default-pivot%3aprimaryr3) benefit can use their own license by activating the [Azure Hybrid Benefit (AHB)](https://azure.microsoft.com/pricing/hybrid-benefit/) on a SQL Server VM.
-
-1. **What happens to the extension (_Microsoft.SqlVirtualMachine_) resource if the VM resource is moved or dropped?**
-
- When the Microsoft.Compute/VirtualMachine resource is dropped or moved, then the associated Microsoft.SqlVirtualMachine resource is notified to asynchronously replicate the operation.
-
-1. **What happens to the VM if the extension (_Microsoft.SqlVirtualMachine_) resource is dropped?**
-
- The Microsoft.Compute/VirtualMachine resource is not impacted when the Microsoft.SqlVirtualMachine resource is dropped. However, the licensing changes will default back to the original image source.
-
-1. **Is it possible to register self-deployed SQL Server VMs with the SQL IaaS Agent extension?**
-
- Yes. If you deployed SQL Server from your own media, and installed the SQL IaaS extension you can register your SQL Server VM with the extension to get the manageability benefits provided by the SQL IaaS extension.
--
-## Administration
-
-1. **Can I install a second instance of SQL Server on the same VM? Can I change installed features of the default instance?**
-
- Yes. The SQL Server installation media is located in a folder on the **C** drive. Run **Setup.exe** from that location to add new SQL Server instances or to change other installed features of SQL Server on the machine. Note that some features, such as Automated Backup, Automated Patching, and Azure Key Vault Integration, only operate against the default instance, or a named instance that was configured properly (See Question 3). Customers using [Software Assurance through the Azure Hybrid Benefit](licensing-model-azure-hybrid-benefit-ahb-change.md) or the **pay-as-you-go** licensing model can install multiple instances of SQL Server on the virtual machine without incurring extra licensing costs. Additional SQL Server instances may strain system resources unless configured correctly.
-
-1. **What is the maximum number of instances on a VM?**
- SQL Server 2012 to SQL Server 2019 can support [50 instances](/sql/sql-server/editions-and-components-of-sql-server-version-15#RDBMSSP) on a stand-alone server. This is the same limit regardless of in Azure on-premises. See [best practices](./performance-guidelines-best-practices-checklist.md) to learn how to better prepare your environment.
-
-1. **Can I uninstall the default instance of SQL Server?**
-
- Yes, but there are some considerations. First, SQL Server-associated billing may continue to occur depending on the license model for the VM. Second, as stated in the previous answer, there are features that rely on the [SQL Server IaaS Agent Extension](sql-server-iaas-agent-extension-automate-management.md). If you uninstall the default instance without removing the IaaS extension also, the extension continues to look for the default instance and may generate event log errors. These errors are from the following two sources: **Microsoft SQL Server Credential Management** and **Microsoft SQL Server IaaS Agent**. One of the errors might be similar to the following:
-
- A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible.
-
- If you do decide to uninstall the default instance, also uninstall the [SQL Server IaaS Agent Extension](sql-server-iaas-agent-extension-automate-management.md) as well.
-
-1. **Can I use a named instance of SQL Server with the IaaS extension?**
-
- Yes, if the named instance is the only instance on the SQL Server, and if the original default instance was [uninstalled properly](sql-server-iaas-agent-extension-automate-management.md#named-instance-support). If there is no default instance and there are multiple named instances on a single SQL Server VM, the SQL Server IaaS agent extension will fail to install.
-
-1. **Can I remove SQL Server and the associated license billing from a SQL Server VM?**
-
- Yes, but you'll need to take additional steps to avoid being charged for your SQL Server instance as described in [Pricing guidance](pricing-guidance.md). If you want to completely remove the SQL Server instance, you can migrate to another Azure VM without SQL Server pre-installed on the VM and delete the current SQL Server VM. If you want to keep the VM but stop SQL Server billing, follow these steps:
-
- 1. Back up all of your data, including system databases, if necessary.
- 1. Uninstall SQL Server completely, including the SQL IaaS extension (if present).
- 1. Install the free [SQL Express edition](https://www.microsoft.com/sql-server/sql-server-downloads).
- 1. Register with the SQL IaaS Agent extension in [lightweight mode](sql-agent-extension-manually-register-single-vm.md).
- 1. [Change the edition of SQL Server](change-sql-server-edition.md#change-edition-in-portal) in the [Azure portal](https://portal.azure.com) to Express to stop billing.
- 1. (optional) Disable the Express SQL Server service by disabling service startup.
-
-1. **Can I use the Azure portal to manage multiple instances on the same VM?**
-
- No. Portal management is provided by the SQL IaaS Agent extension, which relies on the SQL Server IaaS Agent extension. As such, the same limitations apply to the extension as the extension. The portal can either only manage one default instance, or one named instance as long as its configured correctly. For more information, see [SQL Server IaaS Agent extension](sql-server-iaas-agent-extension-automate-management.md)
--
-## Updating and patching
-
-1. **How do I change to a different version/edition of SQL Server in an Azure VM?**
-
- Customers can change their version/edition of SQL Server by using setup media that contains their desired version or edition of SQL Server. Once the edition has been changed, use the Azure portal to modify the edition property of the VM to accurately reflect billing for the VM. For more information, see [change edition of a SQL Server VM](change-sql-server-edition.md). There is no billing difference for different versions of SQL Server, so once the version of SQL Server has been changed, no further action is needed.
-
-1. **Where can I get the setup media to change the edition or version of SQL Server?**
-
- Customers who have [Software Assurance](https://www.microsoft.com/licensing/licensing-programs/software-assurance-default) can obtain their installation media from the [Volume Licensing Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). Customers that do not have Software Assurance can use the setup media from an Azure Marketplace SQL Server VM image that has their desired edition.
-
-1. **How are updates and service packs applied on a SQL Server VM?**
-
- Virtual machines give you control over the host machine, including when and how you apply updates. For the operating system, you can manually apply windows updates, or you can enable a scheduling service called [Automated Patching](automated-patching.md). Automated Patching installs any updates that are marked important, including SQL Server updates in that category. Other optional updates to SQL Server must be installed manually.
-
-1. **Can I upgrade my SQL Server 2008 / 2008 R2 instance after registering it with the SQL IaaS Agent extension?**
-
- If the OS is Windows Server 2008 R2 or later, yes. You can use any setup media to upgrade the version and edition of SQL Server, and then you can upgrade your [SQL IaaS extension mode](sql-server-iaas-agent-extension-automate-management.md#management-modes)) from _no agent_ to _full_. Doing so will give you access to all the benefits of the SQL IaaS extension such as portal manageability, automated backups, and automated patching. If the OS version is Windows Server 2008, only NoAgent mode is supported.
-
-1. **How can I get free extended security updates for my end of support SQL Server 2008 and SQL Server 2008 R2 instances?**
-
- You can get [free extended security updates](sql-server-2008-extend-end-of-support.md) by moving your SQL Server as-is to an Azure virtual machine. For more information, see [end of support options](/sql/sql-server/end-of-support/sql-server-end-of-life-overview).
-
-
-
-## General
-
-1. **Are SQL Server failover cluster instances (FCI) supported on Azure VMs?**
-
- Yes. You can configure a [failover cluster instance](failover-cluster-instance-overview.md) using [Azure shared disks](failover-cluster-instance-azure-shared-disks-manually-configure.md), [premium file shares (PFS)](failover-cluster-instance-premium-file-share-manually-configure.md), or [storage spaces direct (S2D)](failover-cluster-instance-storage-spaces-direct-manually-configure.md) for the storage subsystem. Premium file shares provide IOPS and throughput capacities that meet the needs of many workloads. For IO-intensive workloads, consider using storage spaces direct based on managed premium or ultra-disks. Alternatively, you can use third-party clustering or storage solutions as described in [High availability and disaster recovery for SQL Server on Azure Virtual Machines](business-continuity-high-availability-disaster-recovery-hadr-overview.md#azure-only-high-availability-solutions).
-
- > [!IMPORTANT]
- > At this time, the _full_ [SQL Server IaaS Agent Extension](sql-server-iaas-agent-extension-automate-management.md) is not supported for SQL Server FCI on Azure. We recommend that you uninstall the _full_ extension from VMs that participate in the FCI, and install the extension in _lightweight_ mode instead. This extension supports features, such as Automated Backup and Patching and some portal features for SQL Server. These features will not work for SQL Server VMs after the _full_ agent is uninstalled.
-
-1. **What is the difference between SQL Server VMs and the SQL Database service?**
-
- Conceptually, running SQL Server on an Azure virtual machine is not that different from running SQL Server in a remote datacenter. In contrast, [Azure SQL Database](../../database/sql-database-paas-overview.md) offers database-as-a-service. With SQL Database, you do not have access to the machines that host your databases. For a full comparison, see [Choose a cloud SQL Server option: Azure SQL (PaaS) Database or SQL Server on Azure VMs (IaaS)](../../azure-sql-iaas-vs-paas-what-is-overview.md).
-
-1. **How do I install SQL Data tools on my Azure VM?**
-
- Download and install the SQL Data tools from [Microsoft SQL Server Data Tools - Business Intelligence for Visual Studio 2013](https://www.microsoft.com/download/details.aspx?id=42313).
-
-1. **Are distributed transactions with MSDTC supported on SQL Server VMs?**
-
- Yes. Local DTC is supported for SQL Server 2016 SP2 and greater. However, applications must be tested when utilizing Always On availability groups, as transactions in-flight during a failover will fail and must be retried. Clustered DTC is available starting with Windows Server 2019.
-
-1. **Does Azure SQL virtual machine move or store customer data out of region?**
-
- No. In fact, Azure SQL virtual machine and the SQL IaaS Agent Extension do not store any customer data.
-
-## SQL Server IaaS Agent extension
-
-1. **Should I register my SQL Server VM provisioned from a SQL Server image in Azure Marketplace?**
-
- No. Microsoft automatically registers VMs provisioned from the SQL Server images in Azure Marketplace. Registering with the extension is required only if the VM was *not* provisioned from the SQL Server images in Azure Marketplace and SQL Server was self-installed.
-
-1. **Is the SQL IaaS Agent extension available for all customers?**
-
- Yes. Customers should register their SQL Server VMs with the extension if they did not use a SQL Server image from Azure Marketplace and instead self-installed SQL Server, or if they brought their custom VHD. VMs owned by all types of subscriptions (Direct, Enterprise Agreement, and Cloud Solution Provider) can register with the SQL IaaS Agent extension.
-
-1. **What is the default management mode when registering with the SQL IaaS Agent extension?**
-
- The default management mode when you register with the SQL IaaS Agent extension is *lightweight*. If the SQL Server management property isn't set when you register with the extension, the mode will be set as lightweight, and your SQL Server service will not restart. It is recommended to register with the SQL IaaS Agent extension in lightweight mode first, and then upgrade to full during a maintenance window. Likewise, the default management is also lightweight when using the [automatic registration feature](sql-agent-extension-automatic-registration-all-vms.md).
-
-1. **What are the prerequisites to register with the SQL IaaS Agent extension?**
-
- There are no prerequisites to registering with the SQL IaaS Agent extension other than having SQL Server installed on the VM. Note that if the SQL IaaS agent extension is installed in full mode the SQL Server service will restart, so doing so during a maintenance window is recommended.
-
-1. **Will registering with the SQL IaaS Agent extension install an agent on my VM?**
-
- Yes, registering with the SQL IaaS Agent extension in full manageability mode installs an agent to the VM. Registering in lightweight, or NoAgent mode does not.
-
- Registering with the SQL IaaS Agent extension in lightweight mode only copies the SQL IaaS Agent extension *binaries* to the VM, it does not install the agent. These binaries are then used to install the agent when the management mode is upgraded to full.
--
-1. **Will registering with the SQL IaaS Agent extension restart SQL Server on my VM?**
-
- It depends on the mode specified during registration. If lightweight or NoAgent mode is specified, then the SQL Server service will not restart. However, specifying the management mode as full will cause the SQL Server service to restart. The automatic registration feature registers your SQL Server VMs in lightweight mode, unless the Windows Server version is 2008, in which case the SQL Server VM will be registered in NoAgent mode.
-
-1. **What is the difference between lightweight and NoAgent management modes when registering with the SQL IaaS Agent extension?**
-
- NoAgent management mode is the only available management mode for SQL Server 2008 and SQL Server 2008 R2 on Windows Server 2008. For all later versions of Windows Server, the two available manageability modes are lightweight and full.
-
- NoAgent mode requires SQL Server version and edition properties to be set by the customer. Lightweight mode queries the VM to find the version and edition of the SQL Server instance.
-
-1. **Can I register with the SQL IaaS Agent extension without specifying the SQL Server license type?**
-
- No. The SQL Server license type is not an optional property when you're registering with the SQL IaaS Agent extension. You have to set the SQL Server license type as pay-as-you-go or Azure Hybrid Benefit when registering with the SQL IaaS Agent extension in all manageability modes (NoAgent, lightweight, and full). If you have any of the free versions of SQL Server installed, such as Developer or Evaluation edition, you must register with pay-as-you-go licensing. Azure Hybrid Benefit is only available for paid versions of SQL Server such as Enterprise and Standard editions.
-
-1. **What is the default license type when using the automatic registration feature?**
-
- The license type automatically defaults to that of the VM image. If you use a pay-as-you-go image for your VM, then your license type will be `PAYG`, otherwise your license type will be `AHUB` by default.
-
-1. **Can I upgrade the SQL Server IaaS extension from NoAgent mode to full mode?**
-
- No. Upgrading the manageability mode to full or lightweight is not available for NoAgent mode. This is a technical limitation of Windows Server 2008. You will need to upgrade the OS first to Windows Server 2008 R2 or greater, and then you will be able to upgrade to full management mode.
-
-1. **Can I upgrade the SQL Server IaaS extension from lightweight mode to full mode?**
-
- Yes. Upgrading the manageability mode from lightweight to full is supported via Azure PowerShell or the Azure portal. This will trigger a restart of the SQL Server service.
-
-1. **Can I downgrade the SQL Server IaaS extension from full mode to NoAgent or lightweight management mode?**
-
- No. Downgrading the SQL Server IaaS extension manageability mode is not supported. The manageability mode can't be downgraded from full mode to lightweight or NoAgent mode, and it can't be downgraded from lightweight mode to NoAgent mode.
-
- To change the manageability mode from full manageability, [unregister](sql-agent-extension-manually-register-single-vm.md#unregister-from-extension) the SQL Server VM from the SQL IaaS Agent extension by dropping the SQL virtual machine _resource_ and re-register the SQL Server VM with the SQL IaaS Agent extension again in a different management mode.
-
-1. **Can I register with the SQL IaaS Agent extension from the Azure portal?**
-
- No. Registering with the SQL IaaS Agent extension is not available in the Azure portal. Registering with the SQL IaaS Agent extension is only supported with the Azure CLI or Azure PowerShell.
-
-1. **Can I register a VM with the SQL IaaS Agent extension before SQL Server is installed?**
-
- No. A VM must have at least one SQL Server (Database Engine) instance to successfully register with the SQL IaaS Agent extension. If there is no SQL Server instance on the VM, the new Microsoft.SqlVirtualMachine resource will be in a failed state.
-
-1. **Can I register a VM with the SQL IaaS Agent extension if there are multiple SQL Server instances?**
-
- Yes, provided there is a default instance on the VM. The SQL IaaS Agent extension will register only one SQL Server (Database Engine) instance. The SQL IaaS Agent extension will register the default SQL Server instance in the case of multiple instances.
-
-1. **Can I register a SQL Server failover cluster instance with the SQL IaaS Agent extension?**
-
- Yes. SQL Server failover cluster instances on an Azure VM can be registered with the SQL IaaS Agent extension in lightweight mode. However, SQL Server failover cluster instances can't be upgraded to full manageability mode.
-
-1. **Can I register my VM with the SQL IaaS Agent extension if an Always On availability group is configured?**
-
- Yes. There are no restrictions to registering a SQL Server instance on an Azure VM with the SQL IaaS Agent extension if you're participating in an Always On availability group configuration.
-
-1. **What is the cost for registering with the SQL IaaS Agent extension, or with upgrading to full manageability mode?**
-
- None. There is no fee associated with registering with the SQL IaaS Agent extension, or with using any of the three manageability modes. Managing your SQL Server VM with the extension is completely free.
-
-1. **What is the performance impact of using the different manageability modes?**
-
- There is no impact when using the *NoAgent* and *lightweight* manageability modes. There is minimal impact when using the *full* manageability mode from two services that are installed to the OS. These can be monitored via task manager and seen in the built-in Windows Services console.
-
- The two service names are:
- - `SqlIaaSExtensionQuery` (Display name - `Microsoft SQL Server IaaS Query Service`)
- - `SQLIaaSExtension` (Display name - `Microsoft SQL Server IaaS Agent`)
-
-1. **How do I remove the extension?**
-
- Remove the extension by [unregistering](sql-agent-extension-manually-register-single-vm.md#unregister-from-extension) the SQL Server VM from the SQL IaaS Agent extension.
-
-## Resources
-
-**Windows VMs**:
-
-* [Overview of SQL Server on a Windows VM](sql-server-on-azure-vm-iaas-what-is-overview.md)
-* [Provision SQL Server on a Windows VM](create-sql-vm-portal.md)
-* [Migrating a Database to SQL Server on an Azure VM](migrate-to-vm-from-sql-server.md)
-* [High Availability and Disaster Recovery for SQL Server on Azure Virtual Machines](business-continuity-high-availability-disaster-recovery-hadr-overview.md)
-* [Performance best practices for SQL Server on Azure Virtual Machines](./performance-guidelines-best-practices-checklist.md)
-* [Application Patterns and Development Strategies for SQL Server on Azure Virtual Machines](application-patterns-development-strategies.md)
-
-**Linux VMs**:
-
-* [Overview of SQL Server on a Linux VM](../linux/sql-server-on-linux-vm-what-is-iaas-overview.md)
-* [Provision SQL Server on a Linux VM](../linux/sql-vm-create-portal-quickstart.md)
-* [FAQ (Linux)](../linux/frequently-asked-questions-faq.md)
-* [SQL Server on Linux documentation](/sql/linux/sql-server-linux-overview)
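Review bot: The deleted FAQ text contains a malformed link, `sql-server-iaas-agent-extension-automate-management.md#management-modes))`, whose extra closing parenthesis rendered as a literal `)` after the link; since this content is being migrated rather than dropped (every later hunk re-points readers to `frequently-asked-questions-faq.yml`), confirm the YAML version does not carry that typo over. Likewise, the two service names under the performance-impact answer (`SqlIaaSExtensionQuery` and `SQLIaaSExtension`) are what operators use to verify what full mode actually installs on the VM, so they should survive the conversion verbatim.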
azure-sql Licensing Model Azure Hybrid Benefit Ahb Change https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/virtual-machines/windows/licensing-model-azure-hybrid-benefit-ahb-change.md
You'll need to register your subscription with the resource provider, and then [
For more information, see the following articles: * [Overview of SQL Server on a Windows VM](sql-server-on-azure-vm-iaas-what-is-overview.md)
-* [FAQ for SQL Server on a Windows VM](frequently-asked-questions-faq.md)
+* [FAQ for SQL Server on a Windows VM](frequently-asked-questions-faq.yml)
* [Pricing guidance for SQL Server on a Windows VM](pricing-guidance.md) * [Release notes for SQL Server on a Windows VM](../../database/doc-changes-updates-release-notes.md) * [Overview of SQL IaaS Agent Extension](./sql-server-iaas-agent-extension-automate-management.md)
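Review bot: Because the `.md` FAQ is removed in the hunk above, this `.md` to `.yml` link update is required rather than cosmetic; make sure every remaining reference in the repo is updated in the same change set, since a leftover `frequently-asked-questions-faq.md` link would 404 as soon as this merges.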
azure-sql Manage Sql Vm Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/virtual-machines/windows/manage-sql-vm-portal.md
To access the deprecated **SQL Server configuration** tab, go to the **Virtual m
For more information, see the following articles: * [Overview of SQL Server on a Windows VM](sql-server-on-azure-vm-iaas-what-is-overview.md)
-* [FAQ for SQL Server on a Windows VM](frequently-asked-questions-faq.md)
+* [FAQ for SQL Server on a Windows VM](frequently-asked-questions-faq.yml)
* [Pricing guidance for SQL Server on a Windows VM](pricing-guidance.md) * [Release notes for SQL Server on a Windows VM](doc-changes-updates-release-notes.md)
azure-sql Migrate To Vm From Sql Server https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/virtual-machines/windows/migrate-to-vm-from-sql-server.md
Use the [Windows Import/Export Service method](../../../import-export/storage-im
For more information, see [SQL Server on Azure Virtual Machines overview](sql-server-on-azure-vm-iaas-what-is-overview.md). > [!TIP]
-> If you have questions about SQL Server virtual machines, see the [Frequently Asked Questions](frequently-asked-questions-faq.md).
+> If you have questions about SQL Server virtual machines, see the [Frequently Asked Questions](frequently-asked-questions-faq.yml).
For instructions on creating SQL Server on an Azure Virtual Machine from a captured image, see [Tips & Tricks on ΓÇÿcloningΓÇÖ Azure SQL virtual machines from captured images](/archive/blogs/psssql/tips-tricks-on-cloning-azure-sql-virtual-machines-from-captured-images) on the CSS SQL Server Engineers blog.
azure-sql Move Sql Vm Different Region https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/virtual-machines/windows/move-sql-vm-different-region.md
To avoid billing charges, remove the SQL Server VM from the vault, and delete an
For more information, see the following articles: * [Overview of SQL Server on a Windows VM](sql-server-on-azure-vm-iaas-what-is-overview.md)
-* [SQL Server on a Windows VM FAQ](frequently-asked-questions-faq.md)
+* [SQL Server on a Windows VM FAQ](frequently-asked-questions-faq.yml)
* [SQL Server on a Windows VM pricing guidance](pricing-guidance.md) * [SQL Server on a Windows VM release notes](doc-changes-updates-release-notes.md)
azure-sql Performance Guidelines Best Practices Checklist https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-checklist.md
To learn more, see the other articles in this series:
For security best practices, see [Security considerations for SQL Server on Azure Virtual Machines](security-considerations-best-practices.md).
-Review other SQL Server Virtual Machine articles at [SQL Server on Azure Virtual Machines Overview](sql-server-on-azure-vm-iaas-what-is-overview.md). If you have questions about SQL Server virtual machines, see the [Frequently Asked Questions](frequently-asked-questions-faq.md).
+Review other SQL Server Virtual Machine articles at [SQL Server on Azure Virtual Machines Overview](sql-server-on-azure-vm-iaas-what-is-overview.md). If you have questions about SQL Server virtual machines, see the [Frequently Asked Questions](frequently-asked-questions-faq.yml).
azure-sql Performance Guidelines Best Practices Collect Baseline https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-collect-baseline.md
To learn more, see the other articles in this series:
For security best practices, see [Security considerations for SQL Server on Azure Virtual Machines](security-considerations-best-practices.md).
-Review other SQL Server Virtual Machine articles at [SQL Server on Azure Virtual Machines Overview](sql-server-on-azure-vm-iaas-what-is-overview.md). If you have questions about SQL Server virtual machines, see the [Frequently Asked Questions](frequently-asked-questions-faq.md).
+Review other SQL Server Virtual Machine articles at [SQL Server on Azure Virtual Machines Overview](sql-server-on-azure-vm-iaas-what-is-overview.md). If you have questions about SQL Server virtual machines, see the [Frequently Asked Questions](frequently-asked-questions-faq.yml).
azure-sql Performance Guidelines Best Practices Storage https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-storage.md
For security best practices, see [Security considerations for SQL Server on Azur
For detailed testing of SQL Server performance on Azure VMs with TPC-E and TPC_C benchmarks, refer to the blog [Optimize OLTP performance](https://techcommunity.microsoft.com/t5/sql-server/optimize-oltp-performance-with-sql-server-on-azure-vm/ba-p/916794).
-Review other SQL Server Virtual Machine articles at [SQL Server on Azure Virtual Machines Overview](sql-server-on-azure-vm-iaas-what-is-overview.md). If you have questions about SQL Server virtual machines, see the [Frequently Asked Questions](frequently-asked-questions-faq.md).
+Review other SQL Server Virtual Machine articles at [SQL Server on Azure Virtual Machines Overview](sql-server-on-azure-vm-iaas-what-is-overview.md). If you have questions about SQL Server virtual machines, see the [Frequently Asked Questions](frequently-asked-questions-faq.yml).
azure-sql Performance Guidelines Best Practices Vm Size https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-vm-size.md
To learn more, see the other articles in this series:
For security best practices, see [Security considerations for SQL Server on Azure Virtual Machines](security-considerations-best-practices.md).
-Review other SQL Server Virtual Machine articles at [SQL Server on Azure Virtual Machines Overview](sql-server-on-azure-vm-iaas-what-is-overview.md). If you have questions about SQL Server virtual machines, see the [Frequently Asked Questions](frequently-asked-questions-faq.md).
+Review other SQL Server Virtual Machine articles at [SQL Server on Azure Virtual Machines Overview](sql-server-on-azure-vm-iaas-what-is-overview.md). If you have questions about SQL Server virtual machines, see the [Frequently Asked Questions](frequently-asked-questions-faq.yml).
azure-sql Pricing Guidance https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/virtual-machines/windows/pricing-guidance.md
To create an Azure VM running SQL Server 2017 with one of these pay-as-you-go im
**Bringing your own SQL Server license through License Mobility**, also referred to as **BYOL**, means using an existing SQL Server Volume License with Software Assurance in an Azure VM. A SQL Server VM using BYOL only charges for the cost of running the VM, not for SQL Server licensing, given that you have already acquired licenses and Software Assurance through a Volume Licensing program or through a Cloud Solution Partner (CSP). > [!NOTE]
-> The BYOL images are currently only available for Windows virtual machines. However, you can manually install SQL Server on a Linux-only VM. See the guidelines in the [SQL Server on a Linux VM FAQ](../linux/frequently-asked-questions-faq.md).
+> The BYOL images are currently only available for Windows virtual machines. However, you can manually install SQL Server on a Linux-only VM. See the guidelines in the [SQL Server on a Linux VM FAQ](../linux/frequently-asked-questions-faq.yml).
Bringing your own SQL Server licensing through License Mobility is recommended for:
azure-sql Security Considerations Best Practices https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/virtual-machines/windows/security-considerations-best-practices.md
To learn more, see the other articles in this series:
- [HADR settings](hadr-cluster-best-practices.md) - [Collect baseline](performance-guidelines-best-practices-collect-baseline.md)
-For other topics related to running SQL Server in Azure VMs, see [SQL Server on Azure Virtual Machines overview](sql-server-on-azure-vm-iaas-what-is-overview.md). If you have questions about SQL Server virtual machines, see the [Frequently Asked Questions](frequently-asked-questions-faq.md).
+For other topics related to running SQL Server in Azure VMs, see [SQL Server on Azure Virtual Machines overview](sql-server-on-azure-vm-iaas-what-is-overview.md). If you have questions about SQL Server virtual machines, see the [Frequently Asked Questions](frequently-asked-questions-faq.yml).
azure-sql Sql Agent Extension Manually Register Single Vm https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/virtual-machines/windows/sql-agent-extension-manually-register-single-vm.md
Remove-AzSqlVM -ResourceGroupName <resource_group_name> -Name <VM_name>
For more information, see the following articles: * [Overview of SQL Server on a Windows VM](sql-server-on-azure-vm-iaas-what-is-overview.md)
-* [FAQ for SQL Server on a Windows VM](frequently-asked-questions-faq.md)
+* [FAQ for SQL Server on a Windows VM](frequently-asked-questions-faq.yml)
* [Pricing guidance for SQL Server on a Windows VM](pricing-guidance.md) * [Release notes for SQL Server on a Windows VM](../../database/doc-changes-updates-release-notes.md)
azure-sql Sql Agent Extension Manually Register Vms Bulk https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/virtual-machines/windows/sql-agent-extension-manually-register-vms-bulk.md
Copy the full script and save it as `RegisterSqLVMs.psm1`.
For more information, see the following articles: * [Overview of SQL Server on a Windows VM](sql-server-on-azure-vm-iaas-what-is-overview.md)
-* [FAQ for SQL Server on a Windows VM](frequently-asked-questions-faq.md)
+* [FAQ for SQL Server on a Windows VM](frequently-asked-questions-faq.yml)
* [Pricing guidance for SQL Server on a Windows VM](pricing-guidance.md) * [Release notes for SQL Server on a Windows VM](../../database/doc-changes-updates-release-notes.md)
azure-sql Sql Server 2008 Extend End Of Support https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/virtual-machines/windows/sql-server-2008-extend-end-of-support.md
Get started with SQL Server on Azure Virtual Machines:
Get answers to commonly asked questions about SQL Server VMs:
-* [FAQ for SQL Server on Azure Virtual Machines](frequently-asked-questions-faq.md)
+* [FAQ for SQL Server on Azure Virtual Machines](frequently-asked-questions-faq.yml)
Find out more about end of support options, and extended security updates:
azure-sql Sql Server Iaas Agent Extension Automate Management https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/virtual-machines/windows/sql-server-iaas-agent-extension-automate-management.md
The following table details these benefits:
| Feature | Description | | | | | **Portal management** | Unlocks [management in the portal](manage-sql-vm-portal.md), so that you can view all of your SQL Server VMs in one place, and so that you can enable and disable SQL specific features directly from the portal. <br/> Management mode: Lightweight & full|
-| **Automated backup** |Automates the scheduling of backups for all databases for either the default instance or a [properly installed](frequently-asked-questions-faq.md#administration) named instance of SQL Server on the VM. For more information, see [Automated backup for SQL Server in Azure virtual machines (Resource Manager)](automated-backup-sql-2014.md). <br/> Management mode: Full|
+| **Automated backup** |Automates the scheduling of backups for all databases for either the default instance or a [properly installed](/azure/azure-sql/virtual-machines/windows/frequently-asked-questions-faq#administration) named instance of SQL Server on the VM. For more information, see [Automated backup for SQL Server in Azure virtual machines (Resource Manager)](automated-backup-sql-2014.md). <br/> Management mode: Full|
| **Automated patching** |Configures a maintenance window during which important Windows and SQL Server security updates to your VM can take place, so you can avoid updates during peak times for your workload. For more information, see [Automated patching for SQL Server in Azure virtual machines (Resource Manager)](automated-patching.md). <br/> Management mode: Full| | **Azure Key Vault integration** |Enables you to automatically install and configure Azure Key Vault on your SQL Server VM. For more information, see [Configure Azure Key Vault integration for SQL Server on Azure Virtual Machines (Resource Manager)](azure-key-vault-integration-configure.md). <br/> Management mode: Full| | **View disk utilization in portal** | Allows you to view a graphical representation of the disk utilization of your SQL data files in the Azure portal. <br/> Management mode: Full |
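Review bot: The replacement link `/azure/azure-sql/virtual-machines/windows/frequently-asked-questions-faq#administration` switches to an absolute, extension-less path, while every other hunk in this change set uses the relative `frequently-asked-questions-faq.yml`; a relative `frequently-asked-questions-faq.yml#administration` would be consistent and would survive a future folder move. Also confirm that the YAML FAQ actually emits an `administration` anchor for its section heading, otherwise the link silently lands at the top of the page.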
To install the SQL Server IaaS extension to SQL Server on Azure VMs, see the art
For more information about running SQL Server on Azure Virtual Machines, see the [What is SQL Server on Azure Virtual Machines?](sql-server-on-azure-vm-iaas-what-is-overview.md).
-To learn more, see [frequently asked questions](frequently-asked-questions-faq.md).
+To learn more, see [frequently asked questions](frequently-asked-questions-faq.yml).
azure-sql Sql Server On Azure Vm Iaas What Is Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/virtual-machines/windows/sql-server-on-azure-vm-iaas-what-is-overview.md
For details, see:
- [Create a SQL Server virtual machine](sql-vm-create-portal-quickstart.md) ## <a id="lifecycle"></a> SQL Server VM image refresh policy
-Azure only maintains one virtual machine image for each supported operating system, version, and edition combination. This means that over time images are refreshed, and older images are removed. For more information, see the **Images** section of the [SQL Server VMs FAQ](frequently-asked-questions-faq.md#images).
+Azure only maintains one virtual machine image for each supported operating system, version, and edition combination. This means that over time images are refreshed, and older images are removed. For more information, see the **Images** section of the [SQL Server VMs FAQ](/azure/azure-sql/virtual-machines/windows/frequently-asked-questions-faq#images).
## Customer experience improvement program (CEIP) The Customer Experience Improvement Program (CEIP) is enabled by default. This periodically sends reports to Microsoft to help improve SQL Server. There is no management task required with CEIP unless you want to disable it after provisioning. You can customize or disable the CEIP by connecting to the VM with remote desktop. Then run the **SQL Server Error and Usage Reporting** utility. Follow the instructions to disable reporting. For more information about data collection, see the [SQL Server Privacy Statement](/sql/sql-server/sql-server-privacy).
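Review bot: Same consistency point as the Automated backup row: `/azure/azure-sql/virtual-machines/windows/frequently-asked-questions-faq#images` uses an absolute path where the rest of the change uses the relative `.yml` form, and the `images` anchor must exist in the YAML FAQ's section headings for the **Images** reference in the sentence to resolve.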
Get started with SQL Server on Azure Virtual Machines:
Get answers to commonly asked questions about SQL Server VMs:
-* [SQL Server on Azure Virtual Machines FAQ](frequently-asked-questions-faq.md)
+* [SQL Server on Azure Virtual Machines FAQ](frequently-asked-questions-faq.yml)
View Reference Architectures for running N-tier applications on SQL Server in IaaS
azure-sql Sql Vm Create Portal Quickstart https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/virtual-machines/windows/sql-vm-create-portal-quickstart.md
This quickstart steps through creating a SQL Server virtual machine (VM) in the
> [!TIP] > - This quickstart provides a path for quickly provisioning and connecting to a SQL VM. For more information about other SQL VM provisioning choices, see the [Provisioning guide for SQL Server on Windows VM in the Azure portal](create-sql-vm-portal.md).
- > - If you have questions about SQL Server virtual machines, see the [Frequently Asked Questions](frequently-asked-questions-faq.md).
+ > - If you have questions about SQL Server virtual machines, see the [Frequently Asked Questions](frequently-asked-questions-faq.yml).
## <a id="subscription"></a> Get an Azure subscription
On the **Basics** tab, provide the following information:
![Instance details](./media/sql-vm-create-portal-quickstart/basics-instance-details.png)
-1. Under **Administrator account**, provide a username, such as _azureuser_ and a password. The password must be at least 12 characters long and meet the [defined complexity requirements](../../../virtual-machines/windows/faq.md#what-are-the-password-requirements-when-creating-a-vm).
+1. Under **Administrator account**, provide a username, such as _azureuser_ and a password. The password must be at least 12 characters long and meet the [defined complexity requirements](../../../virtual-machines/windows/faq.yml#what-are-the-password-requirements-when-creating-a-vm-).
![Administrator account](./media/sql-vm-create-portal-quickstart/basics-administrator-account.png)
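Review bot: The new anchor `#what-are-the-password-requirements-when-creating-a-vm-` ends in a trailing hyphen, presumably from the `?` in the question title being slugified; verify that this is the anchor the YAML page actually generates. A broken anchor here is worse than usual because the sentence promises the reader the password complexity rules, and a mismatch drops them at the top of the VM FAQ instead.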
azure-sql Sql Vm Create Powershell Quickstart https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/virtual-machines/windows/sql-vm-create-powershell-quickstart.md
This quickstart steps through creating a SQL Server virtual machine (VM) with Az
> [!TIP] > - This quickstart provides a path for quickly provisioning and connecting to a SQL VM. For more information about other Azure PowerShell options for creating SQL VMs, see the [Provisioning guide for SQL Server VMs with Azure PowerShell](create-sql-vm-powershell.md).
-> - If you have questions about SQL Server virtual machines, see the [Frequently Asked Questions](frequently-asked-questions-faq.md).
+> - If you have questions about SQL Server virtual machines, see the [Frequently Asked Questions](frequently-asked-questions-faq.yml).
## <a id="subscription"></a> Get an Azure subscription
azure-video-analyzer Get Started Detect Motion Emit Events Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-docs/get-started-detect-motion-emit-events-portal.md
After completing the setup steps, you'll be able to run the simulated live video
* An active Azure subscription. If you don't have one, [create a free account](https://azure.microsoft.com/free/). [!INCLUDE [the video analyzer account and storage account must be in the same subscription and region](./includes/note-account-storage-same-subscription.md)]
-* An x86-64 or an ARM64 device running one of the [supported Linux operating systems](../../iot-edge/support.md#operating-systems), on which you have an administrative privileges.
-* [Create and setup IoT Hub](../../iot-hub/iot-hub-create-through-portal.md)
-* [Register IoT Edge device](../../iot-edge/how-to-register-device.md)
-* [Install the Azure IoT Edge runtime on Debian-based Linux systems](../../iot-edge/how-to-install-iot-edge.md)
+* An IoT Edge device on which you have admin privileges
+ * [Deploy to an IoT Edge device](deploy-iot-edge-device.md)
+ * [Deploy to an IoT Edge for Linux on Windows](deploy-iot-edge-linux-on-windows.md)
* [Visual Studio Code](https://code.visualstudio.com/), with the following extensions: * [Azure IoT Tools](https://marketplace.visualstudio.com/items?itemName=vsciot-vscode.azure-iot-tools)
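Review bot: the rewritten prerequisite drops the link to the supported Linux operating systems and the explicit IoT Hub creation and device registration steps; if `deploy-iot-edge-device.md` covers those, say so in the bullet, otherwise a reader no longer has a way to check OS compatibility before starting. The second sub-bullet should also read `Deploy to IoT Edge for Linux on Windows` (no article), matching the product name.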
You can try to invoke `pipelineTopologyList` and observe that the module contain
* Try the [quickstart for recording videos to the cloud when motion is detected](detect-motion-record-video-clips-cloud.md) * Try the [quickstart for analyzing live video](analyze-live-video-use-your-model-http.md)
-* Learn more about [diagnostic messages](monitor-log-edge.md)
+* Learn more about [diagnostic messages](monitor-log-edge.md)
batch Batch Cli Templates https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/batch/batch-cli-templates.md
Title: Run jobs end-to-end using templates description: With only CLI commands, you can create a pool, upload input data, create jobs and associated tasks, and download the resulting output data. Previously updated : 10/08/2020 Last updated : 06/14/2021 # Use Azure Batch CLI templates and file transfer
ffmpeg installed. To use it, supply only a pool ID string and the number of VMs
"vmSize": "STANDARD_D3_V2", "targetDedicatedNodes": "[parameters('nodeCount')]", "enableAutoScale": false,
- "taskSlotsPerNode": 1,
+ "maxTasksPerNode": 1,
"packageReferences": [ { "type": "aptPackage",
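Review bot: this swaps `taskSlotsPerNode` back to `maxTasksPerNode`, the older name of the same pool property; if the Batch CLI extension's template schema used on this page only accepts the older spelling, state that next to the snippet, and make sure every other template on the page uses the same name, since a pool template carrying a property name the schema does not know will be rejected or ignored at pool creation rather than doing what the reader expects.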
cloud-services Cloud Services Guestos Msrc Releases https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cloud-services/cloud-services-guestos-msrc-releases.md
na Previously updated : 5/26/2021 Last updated : 6/14/2021 # Azure Guest OS The following tables show the Microsoft Security Response Center (MSRC) updates applied to the Azure Guest OS. Search this article to determine if a particular update applies to the Guest OS you are using. Updates always carry forward for the particular [family][family-explain] they were introduced in.
+## June 2021 Guest OS
+
+>[!NOTE]
+
+>The June Guest OS is currently being rolled out to Cloud Service VMs that are configured for automatic updates. When the rollout is complete, this version will be made available for manual updates through the Azure portal and configuration files. The following patches are included in the June Guest OS. This list is subject to change.
+
+| Product Category | Parent KB Article | Vulnerability Description | Guest OS | Date First Introduced |
+| | | | | |
+| Rel 21-06 | [5003646] | Latest Cumulative Update(LCU) | 6.32 | June 8, 2021 |
+| Rel 21-06 | [4580325] | Flash update | 3.98, 4.91, 5.56, 6.32 | Oct 13, 2020 |
+| Rel 21-06 | [5003636] | IE Cumulative Updates | 2.111, 3.98, 4.91 | June 8, 2021 |
+| Rel 21-06 | [5003638] | Latest Cumulative Update(LCU) | 5.56 | June 8, 2021 |
+| Rel 21-06 | [4578952] | .NET Framework 3.5 Security and Quality Rollup  | 2.111 | Oct 13, 2020 |
+| Rel 21-06 | [4578955] | .NET Framework 4.5.2 Security and Quality Rollup  | 2.111 | Oct 13, 2020 |
+| Rel 21-06 | [4578953] | .NET Framework 3.5 Security and Quality Rollup  | 4.91 | Oct 13, 2020 |
+| Rel 21-06 | [4578956] | .NET Framework 4.5.2 Security and Quality Rollup  | 4.91 | Oct 13, 2020 |
+| Rel 21-06 | [4578950] | .NET Framework 3.5 Security and Quality Rollup  | 3.98 | Oct 13, 2020 |
+| Rel 21-06 | [4578954] | . NET Framework 4.5.2 Security and Quality Rollup  | 3.98 | Oct 13, 2020 |
+| Rel 21-06 | [4601060] | . NET Framework 3.5 and 4.7.2 Cumulative Update  | 6.32 | Feb 9, 2021 |
+| Rel 21-06 | [5003667] | Monthly Rollup  | 2.111 | June 8, 2021 |
+| Rel 21-06 | [5003697] | Monthly Rollup  | 3.98 | June 8, 2021 |
+| Rel 21-06 | [5003671] | Monthly Rollup  | 4.91 | June 8, 2021 |
+| Rel 21-06 | [5001401] | Servicing Stack update  | 3.98 | Apr 13, 2021 |
+| Rel 21-06 | [5001403] | Servicing Stack update  | 4.91 | Apr 13, 2021 |
+| Rel 21-06 OOB | [4578013] | Standalone Security Update  | 4.91 | Aug 19, 2020 |
+| Rel 21-06 | [5001402] | Servicing Stack update  | 5.56 | Apr 13, 2021 |
+| Rel 21-06 | [4592510] | Servicing Stack update  | 2.111 | Dec 8, 2020 |
+| Rel 21-06 | [5003711] | Servicing Stack update  | 6.32 | June 8, 2021 |
+| Rel 21-06 | [4494175] | Microcode  | 5.56 | Sep 1, 2020 |
+| Rel 21-06 | [4494174] | Microcode  | 6.32 | Sep 1, 2020 |
+| Rel 21-06 | [4052623] | Update for Microsoft Defender antimalware platform | 6.32, 5.56 | May 13, 2021 |
+
+[5003646]: https://support.microsoft.com/kb/5003646
+[4580325]: https://support.microsoft.com/kb/4580325
+[5003636]: https://support.microsoft.com/kb/5003636
+[5003638]: https://support.microsoft.com/kb/5003638
+[4578952]: https://support.microsoft.com/kb/4578952
+[4578955]: https://support.microsoft.com/kb/4578955
+[4578953]: https://support.microsoft.com/kb/4578953
+[4578956]: https://support.microsoft.com/kb/4578956
+[4578950]: https://support.microsoft.com/kb/4578950
+[4578954]: https://support.microsoft.com/kb/4578954
+[4601060]: https://support.microsoft.com/kb/4601060
+[5003667]: https://support.microsoft.com/kb/5003667
+[5003697]: https://support.microsoft.com/kb/5003697
+[5003671]: https://support.microsoft.com/kb/5003671
+[5001401]: https://support.microsoft.com/kb/5001401
+[5001403]: https://support.microsoft.com/kb/5001403
+[4578013]: https://support.microsoft.com/kb/4578013
+[5001402]: https://support.microsoft.com/kb/5001402
+[4592510]: https://support.microsoft.com/kb/4592510
+[5003711]: https://support.microsoft.com/kb/5003711
+[4494175]: https://support.microsoft.com/kb/4494175
+[4494174]: https://support.microsoft.com/kb/4494174
+[4052623]: https://support.microsoft.com/kb/4052623
+ ## May 2021 Guest OS | Product Category | Parent KB Article | Vulnerability Description | Guest OS | Date First Introduced | | | | | | |
-| Rel 21-05 | [5003171] | Latest Cumulative Update(LCU) | [6.31] | 5/11/2021 |
+| Rel 21-05 | [5003171] | Latest Cumulative Update(LCU) | [6.31] | May 11, 2021 |
| Rel 21-05 | [4580325] | Flash update | [3.97], [4.90], [5.55], [6.31] | Oct 13, 2020 |
-| Rel 21-05 | [5003165] | IE Cumulative Updates | [2.110], [3.97], [4.90] | 5/11/2021 |
-| Rel 21-05 | [5003197] | Latest Cumulative Update(LCU) | [5.55] | 5/11/2021 |
+| Rel 21-05 | [5003165] | IE Cumulative Updates | [2.110], [3.97], [4.90] | May 11, 2021 |
+| Rel 21-05 | [5003197] | Latest Cumulative Update(LCU) | [5.55] | May 11, 2021 |
| Rel 21-05 | [4578952] | .NET Framework 3.5 Security and Quality Rollup  | [2.110] | Oct 13, 2020 | | Rel 21-05 | [4578955] | .NET Framework 4.5.2 Security and Quality Rollup  | [2.110] | Oct 13, 2020 | | Rel 21-05 | [4578953] | .NET Framework 3.5 Security and Quality Rollup  | [4.90] | Oct 13, 2020 |
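Review bot: the `>[!NOTE]` callout in the new June 2021 section is broken by the unquoted blank line between the `[!NOTE]` marker and the body text, so the body renders as an ordinary paragraph; prefix that blank line with `>` or remove it. In the table itself two rows have a stray space in `. NET Framework` (the 4578954 and 4601060 rows), and the separator row `| | | | | |` has no dashes, so the header will not render as a table header. The May section's date normalization (`5/11/2021` to `May 11, 2021`) is good; apply the same format to the new rows consistently, which they already are.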
cognitive-services Troubleshooting https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/QnAMaker/troubleshooting.md
If you delete an Azure Cognitive Search index, the operation is final and the in
<summary><b>I deleted my `testkb` index in my Search service. How can I fix this?</b></summary> **Answer**:
-Your old data can't be recovered. Create a new QnA Maker resource and create your knowledge base again.
+In case you deleted the `testkb` index in your Search service, you can restore the data from the last published KB. Please use the recovery tool [RestoreTestKBIndex](https://github.com/pchoudhari/QnAMakerBackupRestore/tree/master/RestoreTestKBFromProd) available on GitHub.
</details>
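Review bot: the new answer contradicts the unchanged sentence immediately above it, which still says deleting an Azure Cognitive Search index is final, and it sends readers to a recovery tool hosted in an individual's personal GitHub account (`github.com/pchoudhari/...`). A tool that rebuilds a Search index from the published knowledge base has to be run with credentials for both the Search service and the QnA Maker resource, so official docs should link to it only from a Microsoft- or Azure-Samples-owned repository, and the answer should state which credentials the tool needs and that it restores only the last published KB, so unpublished edits are still lost. Also change `In case you deleted` to `If you deleted`.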
If you delete an Azure Cognitive Search index, the operation is final and the in
</details> <details>
-<summary><b>I deleted my `testkb` index in my Search service. How can I fix this?</b></summary>
+<summary><b>I deleted my `testkbv2` index in my Search service. How can I fix this?</b></summary>
**Answer**:
-Your old data can't be recovered. Create a new QnA Maker resource and create your knowledge base again.
+In case you deleted the `testkbv2` index in your Search service, you can restore the data from the last published KB. Please use the recovery tool [RestoreTestKBIndex](https://github.com/pchoudhari/QnAMakerBackupRestore/tree/master/RestoreTestKBFromProd) available on GitHub.
</details>
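Review bot: this `testkbv2` answer links the same personal-repository recovery tool and uses the same `In case you deleted` wording as the `testkb` entry, and it sits under a sentence that still says index deletion is final; since the two answers are now identical apart from the index name, one entry covering both `testkb` and `testkbv2` would avoid the two copies drifting, and it should say which credentials the tool requires and that only the last published KB is recoverable.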
cognitive-services Deploy Label Tool https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/form-recognizer/deploy-label-tool.md
Follow these steps to create a new resource using the Azure portal:
* Server URL - Set this to `https://mcr.microsoft.com` * Username (Optional) - Create a username. * Password (Optional) - Create a secure password that you'll remember.
-* Image and tag - Set this to `mcr.microsoft.com/azure-cognitive-services/custom-form/labeltool:latest`
+* Image and tag - Set this to `mcr.microsoft.com/azure-cognitive-services/custom-form/labeltool:latest-2.1`
* Continuous Deployment - Set this to **On** if you want to receive automatic updates when the development team makes changes to the sample labeling tool. * Startup command - Set this to `./run.sh eula=accept`
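Review bot: `latest-2.1` is a floating tag, and the next bullet tells readers to turn Continuous Deployment on, so the deployed container will change whenever that tag is re-pushed, with no action or notice on the reader's side; for anything beyond a throwaway evaluation the text should recommend pinning to a specific version tag or image digest and updating deliberately. The same list also asks the reader to `Create a username` and password for `mcr.microsoft.com`, which serves these images anonymously; say the registry credentials can be left blank.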
DNS_NAME_LABEL=aci-demo-$RANDOM
az container create \ --resource-group <resource_group_name> \ --name <name> \
- --image mcr.microsoft.com/azure-cognitive-services/custom-form/labeltool:latest \
+ --image mcr.microsoft.com/azure-cognitive-services/custom-form/labeltool:latest-2.1 \
--ports 3000 \ --dns-name-label $DNS_NAME_LABEL \ --location <region name> \
DNS_NAME_LABEL=aci-demo-$RANDOM
az container create \ --resource-group <resource_group_name> \ --name <name> \
- --image mcr.microsoft.com/azure-cognitive-services/custom-form/labeltool \
+ --image mcr.microsoft.com/azure-cognitive-services/custom-form/labeltool:latest \
--ports 3000 \ --dns-name-label $DNS_NAME_LABEL \ --location <region name> \
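Review bot: after this change `labeltool:latest` denotes the v2.0 tool and `labeltool:latest-2.1` the newer v2.1, so `latest` no longer means newest, and a reader who copies the wrong tab gets a different API version with no error. Add a sentence stating which tag corresponds to which Form Recognizer API version, and prefer explicit version tags in both tabs.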
The OCR Form Labeling Tool is also available as an open-source project on GitHub
## Next steps
-Use the [Train with labels](label-tool.md) quickstart to learn how to use the tool to manually label training data and perform supervised learning.
+Use the [Train with labels](label-tool.md) quickstart to learn how to use the tool to manually label training data and perform supervised learning.
cognitive-services Label Tool https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/form-recognizer/label-tool.md
You'll use the Docker engine to run the sample labeling tool. Follow these steps
### [v2.1](#tab/v2-1) ```console
- docker pull mcr.microsoft.com/azure-cognitive-services/custom-form/labeltool:latest
+ docker pull mcr.microsoft.com/azure-cognitive-services/custom-form/labeltool:latest-2.1
``` ### [v2.0](#tab/v2-0)
docker pull mcr.microsoft.com/azure-cognitive-services/custom-form/labeltool
### [v2.1](#tab/v2-1) ```console
- docker run -it -p 3000:80 mcr.microsoft.com/azure-cognitive-services/custom-form/labeltool:latest eula=accept
+ docker run -it -p 3000:80 mcr.microsoft.com/azure-cognitive-services/custom-form/labeltool:latest-2.1 eula=accept
``` ### [v2.0](#tab/v2-0)
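Review bot: `docker run -it -p 3000:80 ...` publishes the labeling tool on every host interface, while the surrounding text describes a tool used from the same machine through a browser; bind it to loopback with `-p 127.0.0.1:3000:80` in both tabs unless the page intends the tool to be reachable from the network, and say so if it does.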
cognitive-services Plan Manage Costs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/plan-manage-costs.md
For more information, see [Azure Cognitive Services pricing](https://azure.micro
## Understand the full billing model for Cognitive Services
-Cognitive Services runs on Azure infrastructure that [accrues costs](https://azure.microsoft.com/pricing/details/cognitive-services/) when you deploy the new resource. It's important to understand that additional infrastructure might accrue cost. You need to manage that cost when you make changes to deployed resources.
+Cognitive Services runs on Azure infrastructure that [accrues costs](https://azure.microsoft.com/pricing/details/cognitive-services/) when you deploy the new resource. It's important to understand that more infrastructure might accrue costs. You need to manage that cost when you make changes to deployed resources.
+
+### How you're charged for Cognitive Services
+
+When you create or use Cognitive Services resources, you might get charged for the following meters based on the services that you use:
+
+| Service | Meter(s) | Billing information |
+||-||
+| **Vision** | | |
+| [Computer Vision](https://azure.microsoft.com/pricing/details/cognitive-services/computer-vision/) | Free, Standard (S1) | Billed by the number of transactions. Price per transaction varies per feature (Read, OCR, Spatial Analysis). For full details, see [Pricing](https://azure.microsoft.com/pricing/details/cognitive-services/computer-vision/). |
+| [Custom Vision](https://azure.microsoft.com/pricing/details/cognitive-services/custom-vision-service/) | Free, Standard | <li>Predictions are billed by the number of transactions.</li><li>Training is billed by compute hour(s).</li><li>Image storage is billed by number of images (up to 6 MB per image).</li>|
+| [Face](https://azure.microsoft.com/pricing/details/cognitive-services/face-api/) | Free, Standard | Billed by the number of transactions. |
+| **Speech** | | |
+| [Speech service](https://azure.microsoft.com/pricing/details/cognitive-services/speech-services/) | Free, Standard | Billing varies by feature (speech-to-text, text-to-speech, speech translation, speaker recognition). Primarily, billing is by transaction count or character count. For full details, see [Pricing](https://azure.microsoft.com/pricing/details/cognitive-services/speech-services/). |
+| **Language** | | |
+| [Language Understanding (LUIS)](https://azure.microsoft.com/pricing/details/cognitive-services/language-understanding-intelligent-services/) | Free Authoring, Free Prediction, Standard | Billed by number of transactions. Price per transaction varies by feature (speech requests, text requests). For full details, see [Pricing](https://azure.microsoft.com/pricing/details/cognitive-services/language-understanding-intelligent-services/). |
+| [QnA Maker](https://azure.microsoft.com/pricing/details/cognitive-services/qna-maker/) | Free, Standard | Subscription fee billed monthly. For full details, see [Pricing](https://azure.microsoft.com/pricing/details/cognitive-services/qna-maker/). |
+| [Text Analytics](https://azure.microsoft.com/pricing/details/cognitive-services/text-analytics/) | Free, Standard | Billed by number of text records. |
+| [Translator](https://azure.microsoft.com/pricing/details/cognitive-services/translator/) | Free, Pay-as-you-go (S1), Volume discount (S2, S3, S4, C2, C3, C4, D3) | Pricing varies by meter and feature. For full details, see [Pricing](https://azure.microsoft.com/pricing/details/cognitive-services/translator/). <li>Text translation is billed by number of characters translated.</li><li>Document translation is billed by characters translated.</li><li>Custom translation is billed by characters of source and target training data.</li> |
+| **Decision** | | |
+| [Anomaly Detector](https://azure.microsoft.com/pricing/details/cognitive-services/anomaly-detector/) | Free, Standard | Billed by the number of transactions. |
+| [Content Moderator](https://azure.microsoft.com/pricing/details/cognitive-services/content-moderator/) | Free, Standard | Billed by the number of transactions. |
+| [Personalizer](https://azure.microsoft.com/pricing/details/cognitive-services/personalizer/) | Free, Standard (S0) | Billed by transactions per month. There are storage and transaction quotas. For full details, see [Pricing](https://azure.microsoft.com/pricing/details/cognitive-services/personalizer/). |
+ ### Costs that typically accrue with Cognitive Services Typically, after you deploy an Azure resource, costs are determined by your pricing tier and the API calls you make to your endpoint. If the service you're using has a commitment tier, going over the allotted calls in your tier may incur an overage charge.
-Additional costs may accrue when using these
+Extra costs may accrue when using these
#### QnA Maker
After you delete QnA Maker resources, the following resources might continue to
### Using Azure Prepayment credit with Cognitive Services
-You can pay for Cognitive Services charges with your Azure Prepayment (previously called monetary commitment) credit. However, you can't use Azure Prepayment credit to pay for charges for third party products and services including those from the Azure Marketplace.
+You can pay for Cognitive Services charges with your Azure Prepayment (previously called monetary commitment) credit. However, you can't use Azure Prepayment credit to pay for charges for third-party products and services including those from the Azure Marketplace.
## Monitor costs
In the preceding example, you see the current cost for the service. Costs by Azu
You can create [budgets](../cost-management-billing/costs/tutorial-acm-create-budgets.md?WT.mc_id=costmanagementcontent_docsacmhorizontal_-inproduct-learn) to manage costs and create [alerts](../cost-management-billing/costs/cost-mgt-alerts-monitor-usage-spending.md?WT.mc_id=costmanagementcontent_docsacmhorizontal_-inproduct-learn) that automatically notify stakeholders of spending anomalies and overspending risks. Alerts are based on spending compared to budget and cost thresholds. Budgets and alerts are created for Azure subscriptions and resource groups, so they're useful as part of an overall cost monitoring strategy.
-Budgets can be created with filters for specific resources or services in Azure if you want more granularity present in your monitoring. Filters help ensure that you don't accidentally create new resources that cost you additional money. For more about the filter options when you when create a budget, see [Group and filter options](../cost-management-billing/costs/group-filter.md?WT.mc_id=costmanagementcontent_docsacmhorizontal_-inproduct-learn).
+Budgets can be created with filters for specific resources or services in Azure if you want more granularity present in your monitoring. Filters help ensure that you don't accidentally create new resources that cost you more money. For more about the filter options when you create a budget, see [Group and filter options](../cost-management-billing/costs/group-filter.md?WT.mc_id=costmanagementcontent_docsacmhorizontal_-inproduct-learn).
## Export cost data
-You can also [export your cost data](../cost-management-billing/costs/tutorial-export-acm-data.md?WT.mc_id=costmanagementcontent_docsacmhorizontal_-inproduct-learn) to a storage account. This is helpful when you need or others to do additional data analysis for costs. For example, finance teams can analyze the data using Excel or Power BI. You can export your costs on a daily, weekly, or monthly schedule and set a custom date range. Exporting cost data is the recommended way to retrieve cost datasets.
+You can also [export your cost data](../cost-management-billing/costs/tutorial-export-acm-data.md?WT.mc_id=costmanagementcontent_docsacmhorizontal_-inproduct-learn) to a storage account. This is helpful when you or others need to do more data analysis for costs. For example, finance teams can analyze the data using Excel or Power BI. You can export your costs on a daily, weekly, or monthly schedule and set a custom date range. Exporting cost data is the recommended way to retrieve cost datasets.
## Next steps
cognitive-services Language Support https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/text-analytics/language-support.md
Previously updated : 06/10/2021 Last updated : 06/14/2021 # Text Analytics API v3 language support
+> [!NOTE]
+> Languages are added as new model versions are released for specific Text Analytics features. See [Model versioning](concepts/model-versioning.md) for the latest model version for the features you're using, and for more information.
+ #### [Sentiment Analysis](#tab/sentiment-analysis) | Language | Language code | v3 support | Starting v3 model version: | Notes |
cognitive-services Whats New Docs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/whats-new-docs.md
Title: "Cognitive
-description: "What's new in the Cognitive Services docs for February 1, 2020 - February 28, 2020."
+description: "What's new in the Cognitive Services docs for May 1, 2021 - May 31, 2021."
Previously updated : 03/08/2021 Last updated : 06/14/2021
-# Cognitive Services docs: What's new for February 1, 2021 - February 28, 2021
+# Cognitive Services docs: What's new for May 1, 2021 - May 31, 2021
-Welcome to what's new in the Cognitive Services docs from February 1, 2021 through February 28, 2021. This article lists some of the major changes to docs during this period.
+Welcome to what's new in the Cognitive Services docs from May 1, 2021 through May 31, 2021. This article lists some of the major changes to docs during this period.
-## Cognitive Services
+## Containers
### New articles -- [Azure Policy Regulatory Compliance controls for Azure Cognitive Services](security-controls-policy.md)
+- [Install and run Translator containers](translator/containers/translator-how-to-install-container.md)
+- [Configure Translator Docker containers](translator/containers/translator-container-configuration.md)
+- [Container: Translator translate method](translator/containers/translator-container-supported-parameters.md)
-## Containers
++
+### Updated articles
+
+- [Azure Cognitive Services container image tags and release notes](/azure/cognitive-services/containers/container-image-tags.md)
+
+## Form Recognizer
### New articles -- [Azure Cognitive Services containers frequently asked questions (FAQ)](./containers/container-faq.yml)
+- [Reference: Azure Form Recognizer client library v3.0.0 and REST API v2.0](/azure/cognitive-services/form-recognizer/api-v2-0/reference-sdk-api-v2-0.md)
### Updated articles -- [Azure Cognitive Services container image tags and release notes](./containers/container-image-tags.md)
+- [Form Recognizer prebuilt business cards model](/azure/cognitive-services/form-recognizer/concept-business-cards.md)
+- [Quickstart: Get started with the client library SDKs or REST API](/azure/cognitive-services/form-recognizer/quickstarts/client-library.md)
+- [What's new in Form Recognizer](/azure/cognitive-services/form-recognizer/whats-new.md)
+- [Form Recognizer landing page](/azure/cognitive-services/form-recognizer/form-recognizer.md)
-## Form Recognizer
+## Translator
+
+### New articles
+
+- [Frequently asked questionsΓÇöTranslator API](translator/translator-faq.md)
### Updated articles -- [Deploy the sample labeling tool](./form-recognizer/deploy-label-tool.md)-- [What is Form Recognizer?](./form-recognizer/overview.md)-- [Train a Form Recognizer model with labels using the sample labeling tool](./form-recognizer/label-tool.md)
+#### Document Translation is now GA
+- [Get started with Document Translation](translator/document-translation/get-started-with-document-translation.md)
+- All nine reference pages have been updated to remove the preview parameter from the REST API endpoint.
+## Personalizer
+
+### Updated articles
+
+- [What's new in Personalizer](/azure/cognitive-services/personalizer/whats-new.md)
## Text Analytics ### Updated articles -- [Text Analytics API v3 language support](./text-analytics/language-support.md)-- [How to call the Text Analytics REST API](./text-analytics/how-tos/text-analytics-how-to-call-api.md)
+- [Tutorial: Integrate Power BI with the Text Analytics Cognitive Service](/azure/cognitive-services/text-analytics/tutorials/tutorial-power-bi-key-phrases.md)
+- [Extract information in Excel using Text Analytics and Power Automate](/azure/cognitive-services/text-analytics/tutorials/extract-excel-information.md)
+- [How to call the Text Analytics REST API](/azure/cognitive-services/text-analytics/how-tos/text-analytics-how-to-call-api.md)
+- [How to use Named Entity Recognition in Text Analytics](/azure/cognitive-services/text-analytics/how-tos/text-analytics-how-to-entity-linking.md)
+- [What's new in the Text Analytics API?](/azure/cognitive-services/text-analytics/whats-new.md)
+
+## Community contributors
+
+The following people contributed to the Cognitive Services docs during this period. Thank you! Learn how to contribute by following the links under "Get involved" in the [what's new landing page](index.yml).
+
+- [enzocanoo](https://github.com/enzocanoo) - Enzo Cano (2)
+- [hyoshioka0128](https://github.com/hyoshioka0128) - Hiroshi Yoshioka (2)
+- [sassdawe](https://github.com/sassdawe) - DavidSass (1)
+- [SzymonSel](https://github.com/SzymonSel) - Szymon Seliga (1)
+- [thomash0815](https://github.com/thomash0815) (1)
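Review bot: the Translator FAQ entry reads `Frequently asked questionsΓÇöTranslator API`, a mis-encoded em dash; fix the encoding. The updated-article links also switched from relative paths (`./form-recognizer/...md`) to root-absolute `/azure/...md` paths while keeping the `.md` extension; confirm the docs link validator accepts that form, since relative `.md` links resolve inside the repo but `/azure/...` is treated as a site URL, and the page should use one convention, not a mix.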
communication-services Troubleshooting Info https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/communication-services/concepts/troubleshooting-info.md
When developing for Android, your logs are stored in `.blog` files. Note that yo
On Android Studio, navigate to the Device File Explorer by selecting View > Tool Windows > Device File Explorer from both the simulator and the device. The `.blog` file will be located within your application's directory, which should look something like `/data/data/[app_name_space:com.contoso.com.acsquickstartapp]/files/acs_sdk.blog`. You can attach this file to your support request. ++ ## Enable and access call logs (Windows) When developing for Windows, your logs are stored in `.blog` files. Note that you can't view the logs directly because they're encrypted.
These can be accessed by looking at where your app is keeping its local data. Th
5. Open the folder with the logs by typing `start ` followed by the path returned by the step 3. For example: `start C:\Users\myuser\AppData\Local\Packages\e84000dd-df04-4bbc-bf22-64b8351a9cd9_k2q8b5fxpmbf6` 6. Please attach all the `*.blog` and `*.etl` files to your Azure support request. - ## Calling SDK error codes
cosmos-db How To Always Encrypted https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cosmos-db/how-to-always-encrypted.md
The Azure Cosmos DB service never sees the plain text of properties encrypted wi
- **Randomized encryption:** It uses a method that encrypts data in a less predictable manner. Randomized encryption is more secure, but prevents queries from filtering on encrypted properties.
+See [Generating the initialization vector (IV)](/sql/relational-databases/security/encryption/always-encrypted-cryptography#step-1-generating-the-initialization-vector-iv) to learn more about deterministic and randomized encryption in Always Encrypted.
+ ## Setup Azure Key Vault The first step to get started with Always Encrypted is to create your CMKs in Azure Key Vault:
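Review bot: the added pointer to the SQL Server Always Encrypted IV-generation step is useful, but the preceding bullet still characterizes randomized encryption only as "less predictable" and "more secure"; the concrete property a reader needs is that deterministic encryption produces the same ciphertext for equal plaintexts, so anyone with read access to the container can tell which documents share a value and, for low-entropy properties such as booleans, country codes or dates, recover the values by frequency. State that here and recommend randomized encryption unless equality filtering on that property is actually required.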
cosmos-db Local Emulator https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cosmos-db/local-emulator.md
The Azure Cosmos DB Emulator by default runs on the local machine ("localhost")
## <a id="run-on-linux-macos"></a>Use the emulator on Linux or macOS
-Currently, the Azure Cosmos DB Emulator can only be run on Windows. Currently, the Azure Cosmos DB Emulator can only be run on Windows. If you are using Linux or macOS, we recommend you use the [Linux Emulator (Preview)](linux-emulator.md) or run the emulator in a Windows virtual machine hosted in a hypervisor such as Parallels or VirtualBox.
+Currently, the Azure Cosmos DB Emulator can only be run on Windows. If you are using Linux or macOS, we recommend you use the [Linux Emulator (Preview)](linux-emulator.md) or run the emulator in a Windows virtual machine hosted in a hypervisor such as Parallels or VirtualBox.
> [!NOTE] > Every time you restart the Windows virtual machine that is hosted in a hypervisor, you have to reimport the certificate because the IP address of the virtual machine changes. Importing the certificate isn't required in case you have configured the virtual machine to preserve the IP address.
cosmos-db Migrate Java V4 Sdk https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cosmos-db/migrate-java-v4-sdk.md
Previously updated : 06/11/2020 Last updated : 06/13/2021
> For more information about this SDK, please view the Azure Cosmos DB Java SDK v4 [Release notes](sql-api-sdk-java-v4.md), [Maven repository](https://mvnrepository.com/artifact/com.azure/azure-cosmos), Azure Cosmos DB Java SDK v4 [performance tips](performance-tips-java-sdk-v4-sql.md), and Azure Cosmos DB Java SDK v4 [troubleshooting guide](troubleshoot-java-sdk-v4-sql.md). >
+> [!IMPORTANT]
+> Because Azure Cosmos DB Java SDK v4 has up to 20% enhanced throughput, TCP-based direct mode, and support for the latest backend service features, we recommend you upgrade to v4 at the next opportunity. Continue reading below to learn more.
+>
+ This article explains how to upgrade your existing Java application that is using an older Azure Cosmos DB Java SDK to the newer Azure Cosmos DB Java SDK 4.0 for Core (SQL) API. Azure Cosmos DB Java SDK v4 corresponds to the `com.azure.cosmos` package. You can use the instructions in this doc if you are migrating your application from any of the following Azure Cosmos DB Java SDKs: * Sync Java SDK 2.x.x
This article explains how to upgrade your existing Java application that is usin
The following table lists different Azure Cosmos DB Java SDKs, the package name and the release information:
-| Java SDK| Release Date | Bundled APIs | Maven Jar | Java package name |API Reference | Release Notes |
-|-||--|--|--|-||
-| Async 2.x.x | June 2018 | Async(RxJava) | `com.microsoft.azure::azure-cosmosdb` | `com.microsoft.azure.cosmosdb.rx` | [API](https://azure.github.io/azure-cosmosdb-jav) |
-| Sync 2.x.x | Sept 2018 | Sync | `com.microsoft.azure::azure-documentdb` | `com.microsoft.azure.cosmosdb` | [API](https://azure.github.io/azure-cosmosdb-jav) |
-| 3.x.x | July 2019 | Async(Reactor)/Sync | `com.microsoft.azure::azure-cosmos` | `com.azure.data.cosmos` | [API](https://azure.github.io/azure-cosmosdb-java/3.0.0/) | - |
-| 4.0 | June 2020 | Async(Reactor)/Sync | `com.azure::azure-cosmos` | `com.azure.cosmos` | - | [API](https://azuresdkdocs.blob.core.windows.net/$web/java/azure-cosmos/4.0.1/https://docsupdatetracker.net/index.html) |
+| Java SDK| Release Date | Bundled APIs | Maven Jar | Java package name |API Reference | Release Notes | Retire date |
+|-||--|--|--|-||--|
+| Async 2.x.x | June 2018 | Async(RxJava) | `com.microsoft.azure::azure-cosmosdb` | `com.microsoft.azure.cosmosdb.rx` | [API](https://azure.github.io/azure-cosmosdb-jav) | August 30, 2024 |
+| Sync 2.x.x | Sept 2018 | Sync | `com.microsoft.azure::azure-documentdb` | `com.microsoft.azure.cosmosdb` | [API](https://azure.github.io/azure-cosmosdb-jav) | February 29, 2024 |
+| 3.x.x | July 2019 | Async(Reactor)/Sync | `com.microsoft.azure::azure-cosmos` | `com.azure.data.cosmos` | [API](https://azure.github.io/azure-cosmosdb-java/3.0.0/) | - | August 30, 2024 |
+| 4.0 | June 2020 | Async(Reactor)/Sync | `com.azure::azure-cosmos` | `com.azure.cosmos` | - | [API](https://azuresdkdocs.blob.core.windows.net/$web/java/azure-cosmos/4.0.1/https://docsupdatetracker.net/index.html) | - |
## SDK level implementation changes
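Review bot: in the `4.0` row the API link sits in the Release Notes column and the API Reference column holds `-`, the reverse of the other rows, and its URL (`.../azure-cosmos/4.0.1/https://docsupdatetracker.net/index.html`) has a second host spliced into the path, so it cannot resolve; fix both while the row is being edited for the new column. The retire dates (Sync 2.x.x February 29, 2024; Async 2.x.x and 3.x.x August 30, 2024) are the substantive change here and deserve a sentence in the body text, since the new `[!IMPORTANT]` callout argues for the upgrade only on throughput and features and never mentions that the older SDKs have an end date.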
data-factory Concepts Data Flow Monitoring https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/concepts-data-flow-monitoring.md
Previously updated : 04/11/2021 Last updated : 06/11/2021 # Monitor Data Flows
After you have completed building and debugging your data flow, you want to sche
When you execute your pipeline, you can monitor the pipeline and all of the activities contained in the pipeline including the Data Flow activity. Click on the monitor icon in the left-hand Azure Data Factory UI panel. You can see a screen similar to the one below. The highlighted icons allow you to drill into the activities in the pipeline, including the Data Flow activity.
-![Screenshot shows icons to select for pipelines for more information.](media/data-flow/mon001.png "Data Flow Monitoring")
+![Screenshot shows icons to select for pipelines for more information.](media/data-flow/monitor-new-001.png "Data Flow Monitoring")
You see statistics at this level as well including the run times and status. The Run ID at the activity level is different than the Run ID at the pipeline level. The Run ID at the previous level is for the pipeline. Selecting the eyeglasses gives you deep details on your data flow execution.
When you're in the graphical node monitoring view, you can see a simplified view
![Screenshot shows the view-only version of the graph.](media/data-flow/mon003.png "Data Flow Monitoring")
-Here is a video overview of monitoring performance of your data flows from the ADF monitoring screen:
-
-> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4u4mH]
- ## View Data Flow Execution Plans
-When your Data Flow is executed in Spark, Azure Data Factory determines optimal code paths based on the entirety of your data flow. Additionally, the execution paths may occur on different scale-out nodes and data partitions. Therefore, the monitoring graph represents the design of your flow, taking into account the execution path of your transformations. When you select individual nodes, you can see "groupings" that represent code that was executed together on the cluster. The timings and counts that you see represent those groups as opposed to the individual steps in your design.
+When your Data Flow is executed in Spark, Azure Data Factory determines optimal code paths based on the entirety of your data flow. Additionally, the execution paths may occur on different scale-out nodes and data partitions. Therefore, the monitoring graph represents the design of your flow, taking into account the execution path of your transformations. When you select individual nodes, you can see "stages" that represent code that was executed together on the cluster. The timings and counts that you see represent those groups or stages as opposed to the individual steps in your design.
-![Screenshot shows the page for a data flow.](media/data-flow/mon004.png "Data Flow Monitoring")
+![Screenshot shows the page for a data flow.](media/data-flow/monitor-new-005.png "Data Flow Monitoring")
* When you select the open space in the monitoring window, the stats in the bottom pane display timing and row counts for each Sink and the transformations that led to the sink data for transformation lineage.
When you select a sink transformation icon in your map, the slide-in panel on th
* Pre SQL duration & Post SQL duration: The time spent running pre/post SQL commands.
* Pre commands duration & post commands duration: The time spent running any pre/post operations for file-based sources/sinks, for example moving or deleting files after processing.
* Merge duration: The time spent merging the file. Merge files are used for file-based sinks when writing to a single file or when "File name as column data" is used. If significant time is spent in this metric, you should avoid using these options.
+* Stage time: Total amount of time spent inside of Spark to complete the operation as a stage.
+* Temporary staging stable: Name of the temporary table used by data flows to stage data in the database.
## Error rows
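Review bot: "Temporary staging stable" in the new bullet should read "Temporary staging table". Since that bullet is the only place the page names a table that data flows create in the target database, it would also help to state whether the table is dropped when the run completes; a reader auditing what the pipeline writes to the database will look for that here.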
databox-online Azure Stack Edge Gpu Deploy Arc Kubernetes Cluster https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/databox-online/azure-stack-edge-gpu-deploy-arc-kubernetes-cluster.md
Previously updated : 03/05/2021
Last updated : 06/11/2021
Follow these steps to configure the Kubernetes cluster for Azure Arc management:
`Set-HcsKubernetesAzureArcAgent -SubscriptionId "<Your Azure Subscription Id>" -ResourceGroupName "<Resource Group Name>" -ResourceName "<Azure Arc resource name (shouldn't exist already)>" -Location "<Region associated with resource group>" -TenantId "<Tenant Id of service principal>" -ClientId "<App id of service principal>" -ClientSecret "<Password of service principal>"`
+ Add the `CloudEnvironment` parameter if you are using a cloud other than Azure public. You can set this parameter to `AZUREPUBLICCLOUD`, `AZURECHINACLOUD`, `AZUREGERMANCLOUD`, and `AZUREUSGOVERNMENTCLOUD`.
> [!NOTE]
> - To deploy Azure Arc on your device, make sure that you are using a [Supported region for Azure Arc](../azure-arc/kubernetes/overview.md#supported-regions).
> - Use the `az account list-locations` command to figure out the exact location name to pass in the `Set-HcsKubernetesAzureArcAgent` cmdlet. Location names are typically formatted without any spaces.
+ > - `ClientId` and `ClientSecret` are required parameters. `ClientSecret` is a secure string.
Here is an example:

```powershell
[10.128.44.240]: PS>Set-HcsKubernetesAzureArcAgent -SubscriptionId "062c67a6-019b-40af-a775-c4dc1abe56ed" -ResourceGroupName "myaserg1" -ResourceName "myasetestresarc" -Location "westeurope" -TenantId "72f988bf-86f1-41af-91ab-2d7cd011db47" -ClientId "aa8a082e-0fa1-4a82-b51c-e8b2a9fdaa8b" -ClientSecret "<password>"
- [10.128.44.240]: PS>
+ [10.128.44.240]: PS>
```

In the Azure portal, a resource should be created with the name you provided in the preceding command.
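Review bot: the added note says `ClientSecret` is a secure string, but the example still passes it as a quoted literal, `-ClientSecret "<password>"`, so one of the two is wrong. Prompting for it, for example `-ClientSecret (Read-Host -AsSecureString -Prompt "Service principal secret")`, matches the parameter type and keeps the secret off the command line and out of the shell history. In the `CloudEnvironment` sentence the values are alternatives, so "or" rather than "and", and `AZUREPUBLICCLOUD` is listed even though the sentence is about clouds other than Azure public.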
databox-online Azure Stack Edge Gpu Deploy Virtual Machine Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/databox-online/azure-stack-edge-gpu-deploy-virtual-machine-portal.md
Follow these steps to create a VM after you've created a VM image.
|Size | Choose from the [Supported VM sizes](azure-stack-edge-gpu-virtual-machine-sizes.md). |
|Username | Use the default username **azureuser** for the admin to sign in to the VM. |
|Authentication type | Choose from an SSH public key or a user-defined password. |
- |Password | Enter a password to sign in to the VM. The password must be at least 12 characters long and meet the defined [complexity requirements](../virtual-machines/windows/faq.md#what-are-the-password-requirements-when-creating-a-vm). |
+ |Password | Enter a password to sign in to the VM. The password must be at least 12 characters long and meet the defined [complexity requirements](../virtual-machines/windows/faq.yml#what-are-the-password-requirements-when-creating-a-vm-). |
|Confirm password | Enter the password again. |
digital-twins Concepts Data Explorer Plugin https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/digital-twins/concepts-data-explorer-plugin.md
Combining data from a twin graph in Azure Digital Twins with time series data in
In order to get the plugin running on your own ADX cluster that contains time series data, start by running the following command in ADX in order to enable the plugin:

```kusto
-.enable plugin azure_digital_twins_query_request.
+.enable plugin azure_digital_twins_query_request
```

This command requires **All Databases admin** permission. For more information on the command, see the [.enable plugin documentation](/azure/data-explorer/kusto/management/enable-plugin).
-Once the plugin is enabled, you can invoke it within an ADX Kusto query like this:
+Once the plugin is enabled, you can invoke it within an ADX Kusto query with the following command. There are two placeholders, `<Azure-Digital-Twins-endpoint>` and `<Azure-Digital-Twins-query>`, which are strings representing the Azure Digital Twins instance endpoint and Azure Digital Twins query, respectively.
```kusto
-evaluate azure_digital_twins_query_request(Azure Digital Twinsendpoint, Azure Digital Twinsquery)
+evaluate azure_digital_twins_query_request(<Azure-Digital-Twins-endpoint>, <Azure-Digital-Twins-query>)
```
-where `Azure Digital Twinsendpoint` and `Azure Digital Twinsquery` are strings representing the Azure Digital Twins instance endpoint and Azure Digital Twins query, respectively.
- The plugin works by calling the [Azure Digital Twins query API](/rest/api/digital-twins/dataplane/query), and the [query language structure](concepts-query-language.md) is the same as when using the API. >[!IMPORTANT] >The user of the plugin must be granted the **Azure Digital Twins Data Reader** role or the **Azure Digital Twins Data Owner** role, as the user's Azure AD token is used to authenticate. Information on how to assign this role can be found in [Concepts: Security for Azure Digital Twins solutions](concepts-security.md#authorization-azure-roles-for-azure-digital-twins).
+For more information on using the plugin, see the [Kusto documentation for the azure_digital_twins_query_request plugin](/azure/data-explorer/kusto/query/azure-digital-twins-query-request-plugin).
+ To see example queries and complete a walkthrough with sample data, see [Azure Digital Twins query plugin for ADX: Sample queries and walkthrough](https://github.com/Azure-Samples/azure-digital-twins-getting-started/tree/main/adt-adx-queries) in GitHub. ## Using ADX IoT data with Azure Digital Twins
There are various ways to ingest IoT data into ADX. Here are two that you might
If you're ingesting time series data directly into ADX, you'll likely need to convert this raw time series data into a schema suitable for joint Azure Digital Twins/ADX queries.
-An [update policy](/azure/data-explorer/kusto/management/updatepolicy.md) in ADX allows you to automatically transform and append data to a target table whenever new data is inserted into a source table.
+An [update policy](/azure/data-explorer/kusto/management/updatepolicy) in ADX allows you to automatically transform and append data to a target table whenever new data is inserted into a source table.
You can use an update policy to enrich your raw time series data with the corresponding **twin ID** from Azure Digital Twins, and persist it to a target table. Using the twin ID, the target table can then be joined against the digital twins selected by the Azure Digital Twins plugin.
For instance, if you want to represent a property with three fields for roll, pi
## Next steps
-View sample queries using the Azure Digital Twins query plugin for ADX, including a walkthrough that runs the queries in an example scenario:
-* [Azure Digital Twins query plugin for ADX: Sample queries and walkthrough](https://github.com/Azure-Samples/azure-digital-twins-getting-started/tree/main/adt-adx-queries)
+* View the plugin documentation for the Kusto language in ADX: [azure_digital_twins_query_request plugin](/azure/data-explorer/kusto/query/azure-digital-twins-query-request-plugin)
+
+* View sample queries using the plugin, including a walkthrough that runs the queries in an example scenario: [Azure Digital Twins query plugin for ADX: Sample queries and walkthrough](https://github.com/Azure-Samples/azure-digital-twins-getting-started/tree/main/adt-adx-queries)
-Read about another strategy for analyzing historical data in Azure Digital Twins:
-* [How-to: Integrate with Azure Time Series Insights](how-to-integrate-time-series-insights.md)
+* Read about another strategy for analyzing historical data in Azure Digital Twins: [How-to: Integrate with Azure Time Series Insights](how-to-integrate-time-series-insights.md)
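Review bot: in the rewritten `evaluate azure_digital_twins_query_request(<Azure-Digital-Twins-endpoint>, <Azure-Digital-Twins-query>)` line, the lead-in says both placeholders are strings but they are shown unquoted, so a copy-paste does not parse; show them as string literals, for example `evaluate azure_digital_twins_query_request("https://<your-instance>.api.<region>.digitaltwins.azure.net", "SELECT * FROM digitaltwins")`. It is also worth saying next to that example, not only in the IMPORTANT block further down, that the call runs under the caller's own Azure AD token, so the rows that come back are bounded by the caller's Azure Digital Twins role, and Data Reader is enough for query-only use.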
digital-twins Concepts Models https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/digital-twins/concepts-models.md
The extending interface cannot change any of the definitions of the parent inter
## Modeling best practices
-While designing models to reflect the entities in your environment, it can be useful to look ahead and consider the [query](concepts-query-language.md) implications of your design. You may want to design properties in a way that will avoid large result sets from graph traversal. You may also want to model relationships that will to be answered in a single query as single-level relationships.
+While designing models to reflect the entities in your environment, it can be useful to look ahead and consider the [query](concepts-query-language.md) implications of your design. You may want to design properties in a way that will avoid large result sets from graph traversal. You may also want to model relationships that will need to be answered in a single query as single-level relationships.
### Validating models
This section describes the current set of samples in more detail.
Once you are finished creating, extending, or selecting your models, you can upload them to your Azure Digital Twins instance to make them available for use in your solution. This is done using the [Azure Digital Twins APIs](concepts-apis-sdks.md), as described in [How-to: Manage DTDL models](how-to-manage-model.md#upload-models).
-However, if you have many models to uploadΓÇöor if they have many interdependencies that would make ordering individual uploads complicatedΓÇöyou can use this [Azure Digital Twins Model Uploader sample](https://github.com/Azure/opendigitaltwins-building-tools/tree/master/ModelUploader) to upload many models at once. Follow the instructions provided with the sample to configure and use this project to upload models into your own instance.
+However, if you have many models to uploadΓÇöor if they have many interdependencies that would make ordering individual uploads complicatedΓÇöyou can use the [Azure Digital Twins Model Uploader sample](https://github.com/Azure/opendigitaltwins-tools/tree/master/ADTTools#uploadmodels) to upload many models at once. Follow the instructions provided with the sample to configure and use this project to upload models into your own instance.
### Model visualizer
digital-twins How To Set Up Instance Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/digital-twins/how-to-set-up-instance-portal.md
This version of this article goes through these steps manually, one by one, usin
## Create the Azure Digital Twins instance
-In this section, you will **create a new instance of Azure Digital Twins** using the [Azure portal](https://ms.portal.azure.com/). Navigate to the portal and log in with your credentials.
-Once in the portal, start by selecting _Create a resource_ in the Azure services home page menu.
+3. On the following **Create Resource** page, fill in the values given below:
+ * **Subscription**: The Azure subscription you're using
+ - **Resource group**: A resource group in which to deploy the instance. If you don't already have an existing resource group in mind, you can create one here by selecting the *Create new* link and entering a name for a new resource group
+ * **Location**: An Azure Digital Twins-enabled region for the deployment. For more details on regional support, visit [Azure products available by region (Azure Digital Twins)](https://azure.microsoft.com/global-infrastructure/services/?products=digital-twins).
+ * **Resource name**: A name for your Azure Digital Twins instance. If your subscription has another Azure Digital Twins instance in the region that's
+ already using the specified name, you'll be asked to pick a different name.
+ * **Grant access to resource**: Checking the box in this section will give your Azure account permission to access and manage data in the instance. If you're the one that will be managing the instance, you should check this box now. If it's greyed out because you don't have permission in the subscription, you can continue creating the resource and have someone with the required permissions grant you the role later. For more information about this role and assigning roles to your instance, see the next section, [Set up user access permissions](#set-up-user-access-permissions).
+ :::image type="content" source= "media/how-to-set-up-instance/portal/create-azure-digital-twins-2.png" alt-text="Screenshot of the Create Resource process for Azure Digital Twins in the Azure portal. The described values are filled in.":::
-Search for *Azure Digital Twins* in the search box, and choose the **Azure Digital Twins** service from the results. Select the _Create_ button to create a new instance of the service.
+4. When you're finished, you can select **Review + create** if you don't want to configure any more settings for your instance. This will take you to a summary page, where you can review the instance details you've entered and finish with **Create**.
-
-On the following **Create Resource** page, fill in the values given below:
-* **Subscription**: The Azure subscription you're using
- - **Resource group**: A resource group in which to deploy the instance. If you don't already have an existing resource group in mind, you can create one here by selecting the *Create new* link and entering a name for a new resource group
-* **Location**: An Azure Digital Twins-enabled region for the deployment. For more details on regional support, visit [Azure products available by region (Azure Digital Twins)](https://azure.microsoft.com/global-infrastructure/services/?products=digital-twins).
-* **Resource name**: A name for your Azure Digital Twins instance. If your subscription has another Azure Digital Twins instance in the region that's
- already using the specified name, you'll be asked to pick a different name.
-* **Grant access to resource**: Checking the box in this section will give your Azure account permission to access and manage data in the instance. If you're the one that will be managing the instance, you should check this box now. If it's greyed out because you don't have permission in the subscription, you can continue creating the resource and have someone with the required permissions grant you the role later. For more information about this role and assigning roles to your instance, see the next section, [Set up user access permissions](#set-up-user-access-permissions).
--
-When you're finished, you can select **Review + create** if you don't want to configure any more settings for your instance. This will take you to a summary page, where you can review the instance details you've entered and finish with **Create**.
-
-If you do want to configure more details for your instance, the next section describes the remaining setup tabs.
+ If you do want to configure more details for your instance, the next section describes the remaining setup tabs.
### Additional setup options
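Review bot: the new numbered list mixes `*` and `-` as bullet markers under step 3 (`- **Resource group**` sits between `*` items), which was already in the removed text and is worth normalizing while the block is being re-indented. The `+` lines start at step 3 while the removed lines are the ones that told the reader to sign in to the portal, select "Create a resource" and search for Azure Digital Twins, so confirm that steps 1 and 2 carry that content in the same change.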
digital-twins Quickstart Azure Digital Twins Explorer https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/digital-twins/quickstart-azure-digital-twins-explorer.md
You'll also need to download the materials for the sample graph used in the quic
:::image type="content" source="media/quickstart-azure-digital-twins-explorer/download-building-scenario.png" alt-text="Screenshot of the digital-twins-explorer/client/examples/buildingScenario.xlsx file in GitHub. The Download button is highlighted." lightbox="media/quickstart-azure-digital-twins-explorer/download-building-scenario.png":::
-## Set up Azure Digital Twins and Azure Digital Twins Explorer
+## Set up Azure Digital Twins
-The first step in working with Azure Digital Twins is to set up an Azure Digital Twins instance. After you create an instance of the service, you can connect to the instance in Azure Digital Twins Explorer and populate it with the sample data later in the quickstart.
+The first step in working with Azure Digital Twins is to create an Azure Digital Twins instance. After you create an instance of the service, you can connect to the instance in Azure Digital Twins Explorer, which you'll use to work with the instance throughout the quickstart.
The rest of this section walks you through these steps.
-### Set up an Azure Digital Twins instance
+### Create an Azure Digital Twins instance
-To work with Azure Digital Twins in this article, you first need to *set up an Azure Digital Twins instance*. You also need the required permissions for using it.
-Follow the instructions in [Set up an instance and authentication](how-to-set-up-instance-portal.md). The instructions contain information to help you verify that you've completed each step successfully.
+3. Fill in the fields on the **Basics** tab of setup, including your Subscription, Resource group, Location, and a Resource name for your new instance. Check the **Assign Azure Digital Twins Data Owner Role** box to give yourself permissions to manage data in the instance.
+
+ >[!NOTE]
+ > If the Assign Azure Digital Twins Data Owner Role box is greyed out, it means you don't have permissions in your Azure subscription to manage user access to resources. You can continue creating the instance in this section, and then should have someone with the necessary permissions [assign you this role on the instance](how-to-set-up-instance-portal.md#assign-the-role-using-azure-identity-management-iam) before completing the rest of this quickstart.
+ >
+ > Common roles that meet this requirement are **Owner**, **Account admin**, or the combination of **User Access Administrator** and **Contributor**.
+
+4. Select **Review + Create** to finish creating your instance.
+
+ :::image type="content" source= "media/quickstart-azure-digital-twins-explorer/create-azure-digital-twins-basics.png" alt-text="Screenshot of the Create Resource process for Azure Digital Twins in the Azure portal. The described values are filled in.":::
+
+5. You will see a summary page showing the details you've entered. Confirm and create the instance by selecting **Create**.
+
+This will take you to an Overview page tracking deployment status of the instance.
### Open instance in Azure Digital Twins Explorer
-Next, open Azure Digital Twins Explorer for your instance in the [Azure portal](https://portal.azure.com).
+When the instance is finished deploying, use the **Go to resource** button to navigate to the instance's Overview page in the portal.
-To do this, go to the Azure portal and navigate to your new Azure Digital Twins instance, by searching for its name in the portal search bar.
Next, select the **Open Azure Digital Twins Explorer (preview)** button.
event-hubs Event Hubs Diagnostic Logs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/event-hubs/event-hubs-diagnostic-logs.md
Title: Set up diagnostic logs - Azure Event Hub | Microsoft Docs
description: Learn how to set up activity logs and diagnostic logs for event hubs in Azure.
Previously updated : 02/25/2021
Last updated : 06/13/2021
# Set up diagnostic logs for an Azure event hub
Diagnostic logs are disabled by default. To enable diagnostic logs, follow these
For more information about configuring diagnostics, see the [overview of Azure diagnostic logs](../azure-monitor/essentials/platform-logs-overview.md).

## Diagnostic logs categories
-
-Event Hubs captures diagnostic logs for the following categories:
-
-| Category | Description |
-| -- | -- |
-| Archive Logs | Captures information about [Event Hubs Capture](event-hubs-capture-overview.md) operations, specifically, logs related to capture errors. |
-| Operational Logs | Capture all management operations that are performed on the Azure Event Hubs namespace. Data operations aren't captured, because of the high volume of data operations that are conducted on Azure Event Hubs. |
-| Auto scale logs | Captures auto-inflate operations done on an Event Hubs namespace. |
-| Kafka coordinator logs | Captures Kafka coordinator operations related to Event Hubs. |
-| Kafka user error logs | Captures information about Kafka APIs called on Event Hubs. |
-| Event Hubs virtual network (VNet) connection event | Captures information about IP addresses and virtual networks sending traffic to Event Hubs. |
-| Customer-managed key user logs | Captures operations related to customer-managed key. |
--
-All logs are stored in JavaScript Object Notation (JSON) format. Each entry has string fields that use the format described in the following sections.
-
-## Archive logs schema
-
-Archive log JSON strings include elements listed in the following table:
-
-Name | Description
-- | -
-`TaskName` | Description of the task that failed
-`ActivityId` | Internal ID, used for tracking
-`trackingId` | Internal ID, used for tracking
-`resourceId` | Azure Resource Manager resource ID
-`eventHub` | Event hub full name (includes namespace name)
-`partitionId` | Event Hub partition being written to
-`archiveStep` | possible values: ArchiveFlushWriter, DestinationInit
-`startTime` | Failure start time
-`failures` | Number of times the failure occurred
-`durationInSeconds` | Duration of failure
-`message` | Error message
-`category` | ArchiveLogs
-
-The following code is an example of an archive log JSON string:
-
-```json
-{
- "TaskName": "EventHubArchiveUserError",
- "ActivityId": "000000000-0000-0000-0000-0000000000000",
- "trackingId": "0000000-0000-0000-0000-00000000000000000",
- "resourceId": "/SUBSCRIPTIONS/000000000-0000-0000-0000-0000000000000/RESOURCEGROUPS/<Resource Group Name>/PROVIDERS/MICROSOFT.EVENTHUB/NAMESPACES/<Event Hubs Namespace Name>",
- "eventHub": "<Event Hub full name>",
- "partitionId": "1",
- "archiveStep": "ArchiveFlushWriter",
- "startTime": "9/22/2016 5:11:21 AM",
- "failures": 3,
- "durationInSeconds": 360,
- "message": "Microsoft.WindowsAzure.Storage.StorageException: The remote server returned an error: (404) Not Found. > System.Net.WebException: The remote server returned an error: (404) Not Found.\r\n at Microsoft.WindowsAzure.Storage.Shared.Protocol.HttpResponseParsers.ProcessExpectedStatusCodeNoException[T](HttpStatusCode expectedStatusCode, HttpStatusCode actualStatusCode, T retVal, StorageCommandBase`1 cmd, Exception ex)\r\n at Microsoft.WindowsAzure.Storage.Blob.CloudBlockBlob.<PutBlockImpl>b__3e(RESTCommand`1 cmd, HttpWebResponse resp, Exception ex, OperationContext ctx)\r\n at Microsoft.WindowsAzure.Storage.Core.Executor.Executor.EndGetResponse[T](IAsyncResult getResponseResult)\r\n End of inner exception stack trace \r\n at Microsoft.WindowsAzure.Storage.Core.Util.StorageAsyncResult`1.End()\r\n at Microsoft.WindowsAzure.Storage.Core.Util.AsyncExtensions.<>c__DisplayClass4.<CreateCallbackVoid>b__3(IAsyncResult ar)\r\n End of stack trace from previous location where exception was thrown \r\n at System.",
- "category": "ArchiveLogs"
-}
-```
-
-## Operational logs schema
-
-Operational log JSON strings include elements listed in the following table:
-
-Name | Description
-- | -
-`ActivityId` | Internal ID, used for tracking purposes |
-`EventName` | Operation name. For a list of values for this element, see the [Event names](#event-names) |
-`resourceId` | Azure Resource Manager resource ID |
-`SubscriptionId` | Subscription ID |
-`EventTimeString` | Operation time |
-`EventProperties` |Properties for the operation. This element provides more information about the event as shown in the following example. |
-`Status` | Operation status. The value can be either **Succeeded** or **Failed**. |
-`Caller` | Caller of operation (Azure portal or management client) |
-`Category` | OperationalLogs |
-
-The following code is an example of an operational log JSON string:
-
-```json
-Example:
-{
- "ActivityId": "00000000-0000-0000-0000-00000000000000",
- "EventName": "Create EventHub",
- "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-0000000000000/RESOURCEGROUPS/<Resource Group Name>/PROVIDERS/MICROSOFT.EVENTHUB/NAMESPACES/<Event Hubs namespace name>",
- "SubscriptionId": "000000000-0000-0000-0000-000000000000",
- "EventTimeString": "9/28/2016 8:40:06 PM +00:00",
- "EventProperties": "{\"SubscriptionId\":\"0000000000-0000-0000-0000-000000000000\",\"Namespace\":\"<Namespace Name>\",\"Via\":\"https://<Namespace Name>.servicebus.windows.net/f8096791adb448579ee83d30e006a13e/?api-version=2016-07\",\"TrackingId\":\"5ee74c9e-72b5-4e98-97c4-08a62e56e221_G1\"}",
- "Status": "Succeeded",
- "Caller": "ServiceBus Client",
- "category": "OperationalLogs"
-}
-```
-
-### Event names
-Event name is populated as operation type + resource type from the following enumerations. For example, `Create Queue`, `Retrieve Event Hu`, or `Delete Rule`.
-
-| Operation type | Resource type |
-| -- | - |
-| <ul><li>Create</li><li>Update</li><li>Delete</li><li>Retrieve</li><li>Unknown</li></ul> | <ul><li>Namespace</li><li>Queue</li><li>Topic</li><li>Subscription</li><li>EventHub</li><li>EventHubSubscription</li><li>NotificationHub</li><li>NotificationHubTier</li><li>SharedAccessPolicy</li><li>UsageCredit</li><li>NamespacePnsCredentials</li>Rule</li>ConsumerGroup</li> |
-
-## Autoscale logs schema
-Autoscale log JSON includes elements listed in the following table:
-
-| Name | Description |
-| - | -- |
-| `TrackingId` | Internal ID, which is used for tracing purposes |
-| `ResourceId` | Azure Resource Manager resource ID. |
-| `Message` | Informational message, which provides details about auto-inflate action. The message contains previous and current value of throughput unit for a given namespace and what triggered the inflate of the TU. |
-
-Here's an example autoscale event:
-
-```json
-{
- "TrackingId": "fb1b3676-bb2d-4b17-85b7-be1c7aa1967e",
- "Message": "Scaled-up EventHub TUs (UpdateStartTimeUTC: 5/13/2020 7:48:36 AM, PreviousValue: 1, UpdatedThroughputUnitValue: 2, AutoScaleReason: 'IncomingMessagesPerSecond reached 2170')",
- "ResourceId": "/subscriptions/0000000-0000-0000-0000-000000000000/resourcegroups/testrg/providers/microsoft.eventhub/namespaces/namespace-name"
-}
-```
-
-## Kafka coordinator logs schema
-Kafka coordinator log JSON includes elements listed in the following table:
-
-| Name | Description |
-| - | -- |
-| `RequestId` | Request ID, which is used for tracing purposes |
-| `ResourceId` | Azure Resource Manager resource ID |
-| `Operation` | Name of the operation that's done during the group coordination |
-| `ClientId` | Client ID |
-| `NamespaceName` | Namespace name |
-| `SubscriptionId` | Azure subscription ID |
-| `Message` | Informational or warning message, which provides details about actions done during the group coordination. |
-
-### Example
-
-```json
-{
- "RequestId": "FE01001A89E30B020000000304620E2A_KafkaExampleConsumer#0",
- "Operation": "Join.Start",
- "ClientId": "KafkaExampleConsumer#0",
- "Message": "Start join group for new member namespace-name:c:$default:I:KafkaExampleConsumer#0-cc40856f7f3c4607915a571efe994e82, current group size: 0, API version: 2, session timeout: 10000ms, rebalance timeout: 300000ms.",
- "SubscriptionId": "0000000-0000-0000-0000-000000000000",
- "NamespaceName": "namespace-name",
- "ResourceId": "/subscriptions/0000000-0000-0000-0000-000000000000/resourcegroups/testrg/providers/microsoft.eventhub/namespaces/namespace-name",
- "Category": "KafkaCoordinatorLogs"
-}
-```
-
-## Kafka user error logs schema
-Kafka user error log JSON includes elements listed in the following table:
-
-| Name | Description |
-| - | -- |
-| `TrackingId` | Tracking ID, which is used for tracing purposes. |
-| `NamespaceName` | Namespace name |
-| `Eventhub` | Event hub name |
-| `PartitionId` | Partition ID |
-| `GroupId` | Group ID |
-| `ClientId` | Client ID |
-| `ResourceId` | Azure Resource Manager resource ID. |
-| `Message` | Informational message, which provides details about an error |
-
-## Event Hubs virtual network connection event schema
-Event Hubs virtual network (VNet) connection event JSON includes elements listed in the following table:
-
-| Name | Description |
-| | -- |
-| `SubscriptionId` | Azure subscription ID |
-| `NamespaceName` | Namespace name |
-| `IPAddress` | IP address of a client connecting to the Event Hubs service |
-| `Action` | Action done by the Event Hubs service when evaluating connection requests. Supported actions are **Accept Connection** and **Deny Connection**. |
-| `Reason` | Provides a reason why the action was done |
-| `Count` | Number of occurrences for the given action |
-| `ResourceId` | Azure Resource Manager resource ID. |
-
-Virtual network logs are generated only if the namespace allows access from **selected networks** or from **specific IP addresses** (IP filter rules). If you don't want to restrict the access to your namespace using these features and still want to get virtual network logs to track IP addresses of clients connecting to the Event Hubs namespace, you could use the following workaround. [Enable IP filtering](event-hubs-ip-filtering.md), and add the total addressable IPv4 range (1.0.0.0/1 - 255.0.0.0/1). Event Hubs IP filtering doesn't support IPv6 ranges. Note that you may see private endpoint addresses in the IPv6 format in the log.
-
-### Example
-
-```json
-{
- "SubscriptionId": "0000000-0000-0000-0000-000000000000",
- "NamespaceName": "namespace-name",
- "IPAddress": "1.2.3.4",
- "Action": "Deny Connection",
- "Reason": "IPAddress doesn't belong to a subnet with Service Endpoint enabled.",
- "Count": "65",
- "ResourceId": "/subscriptions/0000000-0000-0000-0000-000000000000/resourcegroups/testrg/providers/microsoft.eventhub/namespaces/namespace-name",
- "Category": "EventHubVNetConnectionEvent"
-}
-```
-
-## Customer-managed key user logs
-Customer-managed key user log JSON includes elements listed in the following table:
-
-| Name | Description |
-| - | -- |
-| `Category` | Type of category for a message. It's one of the following values: **error** and **info** |
-| `ResourceId` | Internal resource ID, which includes Azure subscription ID and namespace name |
-| `KeyVault` | Name of the Key Vault resource |
-| `Key` | Name of the Key Vault key. |
-| `Version` | Version of the Key Vault key |
-| `Operation` | The name of an operation done to serve requests |
-| `Code` | Status code |
-| `Message` | Message, which provides details about an error or informational message |
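Review bot: the Kafka coordinator, Kafka user error, virtual network connection event and customer-managed key log schemas removed in this hunk are not carried over to the new monitor-event-hubs-reference.md added further down in this same commit, whose "## Resource logs" section is empty, so the field reference for these log categories disappears from the docs entirely; either keep these tables until the reference article carries them or move them in this change. If the VNet-log workaround (`[Enable IP filtering](event-hubs-ip-filtering.md), and add the total addressable IPv4 range (1.0.0.0/1 - 255.0.0.0/1)`) is relocated, add a caveat that allow-listing all of IPv4 turns the IP filter into a no-op as an access control and keeps only its logging side effect, and fix the prefixes: `1.0.0.0/1` and `255.0.0.0/1` are not canonical /1 networks (the two halves of the IPv4 space are `0.0.0.0/1` and `128.0.0.0/1`). The sample `SubscriptionId` values also use a seven-digit first group (`0000000-0000-0000-0000-000000000000`), which is not a well-formed GUID; use eight digits if the examples are reused.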
event-hubs Event Hubs Metrics Azure Monitor https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/event-hubs/event-hubs-metrics-azure-monitor.md
- Title: Metrics in Azure Monitor - Azure Event Hubs | Microsoft Docs
-description: This article provides information on how to use Azure Monitoring to monitor Azure Event Hubs
- Previously updated : 02/25/2021--
-# Azure Event Hubs metrics in Azure Monitor
-
-Event Hubs metrics give you the state of Event Hubs resources in your Azure subscription. With a rich set of metrics data, you can assess the overall health of your event hubs not only at the namespace level, but also at the entity level. These statistics can be important as they help you to monitor the state of your event hubs. Metrics can also help troubleshoot root-cause issues without needing to contact Azure support.
-
-Azure Monitor provides unified user interfaces for monitoring across various Azure services. For more information, see [Monitoring in Microsoft Azure](../azure-monitor/overview.md) and the [Retrieve Azure Monitor metrics with .NET](https://github.com/Azure-Samples/monitor-dotnet-metrics-api) sample on GitHub.
-
-## Access metrics
-
-Azure Monitor provides multiple ways to access metrics. You can either access metrics through the [Azure portal](https://portal.azure.com), or use the Azure Monitor APIs (REST and .NET) and analysis solutions such as Log Analytics and Event Hubs. For more information, see [Monitoring data collected by Azure Monitor](../azure-monitor/data-platform.md).
-
-Metrics are enabled by default, and you can access the most recent 30 days of data. If you need to keep data for a longer period of time, you can archive metrics data to an Azure Storage account. This setting can be configured in [diagnostic settings](../azure-monitor/essentials/diagnostic-settings.md) in Azure Monitor.
--
-## Access metrics in the portal
-
-You can monitor metrics over time in the [Azure portal](https://portal.azure.com). The following example shows how to view successful requests and incoming requests at the account level:
-
-![View successful metrics][1]
-
-You can also access metrics directly via the namespace. To do so, select your namespace and then select **Metrics**. To display metrics filtered to the scope of the event hub, select the event hub and then select **Metrics**.
-
-For metrics supporting dimensions, you must filter with the desired dimension value as shown in the following example:
-
-![Filter with dimension value][2]
-
-## Billing
-
-Using metrics in Azure Monitor is currently free. However, if you use other solutions that ingest metrics data, you may be billed by these solutions. For example, you are billed by Azure Storage if you archive metrics data to an Azure Storage account. You are also billed by Azure if you stream metrics data to Azure Monitor logs for advanced analysis.
-
-The following metrics give you an overview of the health of your service.
-
-> [!NOTE]
-> We are deprecating several metrics as they are moved under a different name. This might require you to update your references. Metrics marked with the "deprecated" keyword will not be supported going forward.
-
-All metrics values are sent to Azure Monitor every minute. The time granularity defines the time interval for which metrics values are presented. The supported time interval for all Event Hubs metrics is 1 minute.
-
-## Azure Event Hubs metrics
-For a list of metrics supported by the service, see [Azure Event Hubs](../azure-monitor/essentials/metrics-supported.md#microsofteventhubnamespaces)
-
-> [!NOTE]
-> When a user error occurs, Azure Event Hubs updates the **User Errors** metric, but doesn't log any other diagnostic information. Therefore, you need to capture details on user errors in your applications. Or, you can also convert the telemetry generated when messages are sent or received into application insights. For an example, see [Tracking with Application Insights](../service-bus-messaging/service-bus-end-to-end-tracing.md#tracking-with-azure-application-insights).
-
-## Azure Monitor integration with SIEM tools
-Routing your monitoring data (activity logs, diagnostics logs, and so on.) to an event hub with Azure Monitor enables you to easily integrate with Security Information and Event Management (SIEM) tools. For more information, see the following articles/blog posts:
--- [Stream Azure monitoring data to an event hub for consumption by an external tool](../azure-monitor/essentials/stream-monitoring-data-event-hubs.md)-- [Introduction to Azure Log Integration](/previous-versions/azure/security/fundamentals/azure-log-integration-overview)-- [Use Azure Monitor to integrate with SIEM tools](https://azure.microsoft.com/blog/use-azure-monitor-to-integrate-with-siem-tools/)-
-In the scenario where an SIEM tool consumes log data from an event hub, if you see no incoming messages or you see incoming messages but no outgoing messages in the metrics graph, follow these steps:
--- If there are **no incoming messages**, it means that the Azure Monitor service isn't moving audit/diagnostics logs into the event hub. Open a support ticket with the Azure Monitor team in this scenario. -- if there are incoming messages, but **no outgoing messages**, it means that the SIEM application isn't reading the messages. Contact the SIEM provider to determine whether the configuration of the event hub those applications is correct.--
-## Next steps
-
-* See the [Azure Monitoring overview](../azure-monitor/overview.md).
-* [Retrieve Azure Monitor metrics with .NET](https://github.com/Azure-Samples/monitor-dotnet-metrics-api) sample on GitHub.
-
-For more information about Event Hubs, visit the following links:
--- Get started with an Event Hubs tutorial
- - [.NET Core](event-hubs-dotnet-standard-getstarted-send.md)
- - [Java](event-hubs-java-get-started-send.md)
- - [Python](event-hubs-python-get-started-send.md)
- - [JavaScript](event-hubs-node-get-started-send.md)
-* [Event Hubs FAQ](event-hubs-faq.yml)
-* [Sample applications that use Event Hubs](https://github.com/Azure/azure-event-hubs/tree/master/samples)
-
-[1]: ./media/event-hubs-metrics-azure-monitor/event-hubs-monitor1.png
-[2]: ./media/event-hubs-metrics-azure-monitor/event-hubs-monitor2.png
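Review bot: deleting event-hubs-metrics-azure-monitor.md drops guidance that the replacement article (monitor-event-hubs.md, added in this commit) does not contain: the SIEM troubleshooting steps near the end of this hunk (`If there are **no incoming messages**, it means that the Azure Monitor service isn't moving audit/diagnostics logs into the event hub` and `if there are incoming messages, but **no outgoing messages**, it means that the SIEM application isn't reading the messages`), the note that a user error only increments the **User Errors** metric and logs no other diagnostic information so applications must capture the details themselves, and the metric deprecation note. Move those paragraphs to the new article rather than losing them, and add a redirect for `event-hubs-metrics-azure-monitor.md` to `monitor-event-hubs.md` in the repo's redirection file so existing links (including the SIEM-integration articles listed in this hunk) do not break.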
event-hubs Monitor Event Hubs Reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/event-hubs/monitor-event-hubs-reference.md
+
+ Title: Monitoring Azure Event Hubs data reference
+description: Important reference material needed when you monitor Azure Event Hubs.
++ Last updated : 06/11/2021+++
+# Monitoring Azure Event Hubs data reference
+See [Monitoring Azure Event Hubs](monitor-event-hubs.md) for details on collecting and analyzing monitoring data for Azure Event Hubs.
+
+## Metrics
+This section lists all the automatically collected platform metrics collected for Azure Event Hubs. The resource provider for these metrics is **Microsoft.EventHub/clusters** or **Microsoft.EventHub/clusters**.
+
+### Request metrics
+Counts the number of data and management operations requests.
+
+| Metric Name | Exportable via diagnostic settings | Unit | Aggregation type | Description | Dimensions |
+| - | - | -- | | | |
+| Incoming Requests| Yes | Count | Total | The number of requests made to the Event Hubs service over a specified period. | Entity name|
+| Successful Requests| No | Count | Total | The number of successful requests made to the Event Hubs service over a specified period. | Entity name<br/><br/>Operation Result |
+| Throttled Requests| No | Count | Total | The number of requests that were throttled because the usage was exceeded. | Entity name<br/><br/>Operation Result |
+
+The following two types of errors are classified as **user errors**:
+
+1. Client-side errors (In HTTP that would be 400 errors).
+2. Errors that occur while processing messages.
++
+### Message metrics
+| Metric Name | Exportable via diagnostic settings | Unit | Aggregation type | Description | Dimensions |
+| - | - | -- | | | |
+|Incoming Messages| Yes | Count | Total | The number of events or messages sent to Event Hubs over a specified period. | Entity name|
+|Outgoing Messages| Yes | Count | Total | The number of events or messages received from Event Hubs over a specified period. | Entity name |
+| Captured Messages| No | Count| Total | The number of captured messages. | Entity name |
+|Incoming Bytes | Yes | Bytes | Total | Incoming bytes for an event hub over a specified period. | Entity name|
+|Outgoing Bytes | Yes | Bytes | Total |Outgoing bytes for an event hub over a specified period. | Entity name |
+| Size | No | Bytes | Average | Size of an event hub in bytes.|Entity name |
++
+> [!NOTE]
+> These values are point-in-time values. Incoming messages that were consumed immediately after that point-in-time may not be reflected in these metrics.
+
+### Capture metrics
+| Metric Name | Exportable via diagnostic settings | Unit | Aggregation type | Description | Dimensions |
+| - | -- | | | | |
+| Captured Messages| No | Count| Total | The number of captured messages. | Entity name |
+| Captured Bytes | No | Bytes | Total | Captured bytes for an event hubs | Entity name |
+| Capture Backlog | No | Count| Total | Capture backlog for an event hubs | Entity name |
++
+### Connection metrics
+| Metric Name | Exportable via diagnostic settings | Unit | Aggregation type | Description | Dimensions |
+| - | -- | | | | |
+|Active Connections| No | Count | Average | The number of active connections on a namespace and on an entity (event hub) in the namespace. Value for this metric is a point-in-time value. Connections that were active immediately after that point-in-time may not be reflected in the metric.| Entity name |
+|Connections Opened | No | Count | Average | The number of open connections. | Entity name |
+|Connections Closed | No | Count | Average| The number of closed connections. | Entity name |
+
+### Error metrics
+| Metric Name | Exportable via diagnostic settings | Unit | Aggregation type | Description | Dimensions |
+| - | -- | | | | |
+|Server Errors| No | Count | Total | The number of requests not processed because of an error in the Event Hubs service over a specified period. | Entity name<br/><br/>Operation Result |
+|User Errors | No | Count | Total | The number of requests not processed because of user errors over a specified period. | Entity name<br/><br/>Operation Result|
+|Quota Exceeded Errors | No |Count | Total | The number of errors caused by exceeding quotas over a specified period. | Entity name<br/><br/>Operation Result|
++
+## Metric dimensions
+
+Azure Event Hubs supports the following dimensions for metrics in Azure Monitor. Adding dimensions to your metrics is optional. If you don't add dimensions, metrics are specified at the namespace level.
+
+|Dimension name|Description|
+| - | -- |
+|Entity Name| Name of the event hub.|
+
+## Resource logs
+++
+## Azure Monitor Logs tables
+Azure Event Hubs uses Kusto tables from Azure Monitor Logs. You can query these tables with Log Analytics. For a list of Kusto tables the service uses, see [Azure Monitor Logs table reference](/azure/azure-monitor/reference/tables/tables-resourcetype#event-hubs).
++
+## Next steps
+- For details on monitoring Azure Event Hubs, see [Monitoring Azure Event Hubs](monitor-event-hubs.md).
+- For details on monitoring Azure resources, see [Monitoring Azure resources with Azure Monitor](../azure-monitor/essentials/monitor-azure-resource.md).
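Review bot: the `## Resource logs` section in this new article is empty (only stray `+++` lines), yet monitor-event-hubs.md, added in the same commit, links to `monitor-event-hubs-reference.md#resource-logs` as the place that lists the log categories to choose in a diagnostic setting; populate it with the categories and schemas this commit removes from the diagnostic-logs article (OperationalLogs, ArchiveLogs, KafkaCoordinatorLogs, EventHubVNetConnectionEvent and the customer-managed key logs). Further issues in this hunk: the resource provider sentence repeats one value (`**Microsoft.EventHub/clusters** or **Microsoft.EventHub/clusters**`), where the second should be `Microsoft.EventHub/namespaces` (the old article linked to the `#microsofteventhubnamespaces` anchor); `Captured Messages` appears in both the Message metrics and the Capture metrics tables; the "two types of errors are classified as **user errors**" list sits under Request metrics but describes the **User Errors** row of the Error metrics table; the table delimiter rows contain empty cells (`| - | - | -- | | | |`), which will not render as a header separator; and "Captured bytes for an event hubs" / "Capture backlog for an event hubs" should read "an event hub".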
event-hubs Monitor Event Hubs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/event-hubs/monitor-event-hubs.md
+
+ Title: Monitoring Azure Event Hubs
+description: Learn how to use Azure Monitor to view, analyze, and create alerts on metrics from Azure Event Hubs.
++ Last updated : 06/13/2021++
+# Monitor Azure Event Hubs
+When you have critical applications and business processes relying on Azure resources, you want to monitor those resources for their availability, performance, and operation. This article describes the monitoring data generated by Azure Event Hubs and how to analyze and alert on this data with Azure Monitor.
+
+## What is Azure Monitor?
+Azure Event Hubs creates monitoring data using [Azure Monitor](../azure-monitor/overview.md), which is a full stack monitoring service in Azure. Azure Monitor provides a complete set of features to monitor your Azure resources. It can also monitor resources in other clouds and on-premises.
+
+Start with the article [Monitoring Azure resources with Azure Monitor](../azure-monitor/essentials/monitor-azure-resource.md), which describes the following concepts:
+
+- What is Azure Monitor?
+- Costs associated with monitoring
+- Monitoring data collected in Azure
+- Configuring data collection
+- Standard tools in Azure for analyzing and alerting on monitoring data
+
+The following sections build on this article by describing the specific data gathered for Azure Event Hubs. These sections also provide examples for configuring data collection and analyzing this data with Azure tools.
+
+> [!TIP]
+> To understand costs associated with Azure Monitor, see [Usage and estimated costs](../azure-monitor//usage-estimated-costs.md). To understand the time it takes for your data to appear in Azure Monitor, see [Log data ingestion time](../azure-monitor/logs/data-ingestion-time.md).
+
+## Monitoring data from Azure Event Hubs
+Azure Event Hubs collects the same kinds of monitoring data as other Azure resources that are described in [Monitoring data from Azure resources](../azure-monitor/essentials/monitor-azure-resource.md#monitoring-data).
+
+See [Azure Event Hubs monitoring data reference](monitor-event-hubs-reference.md) for a detailed reference of the logs and metrics created by Azure Event Hubs.
+
+## Collection and routing
+Platform metrics and the activity log are collected and stored automatically, but can be routed to other locations by using a diagnostic setting.
+
+Resource Logs aren't collected and stored until you create a diagnostic setting and route them to one or more locations.
+
+See [Create diagnostic setting to collect platform logs and metrics in Azure](../azure-monitor/essentials/diagnostic-settings.md) for the detailed process for creating a diagnostic setting using the Azure portal, CLI, or PowerShell. When you create a diagnostic setting, you specify which categories of logs to collect. The categories for Azure Event Hubs are listed in [Azure Event Hubs monitoring data reference](monitor-event-hubs-reference.md#resource-logs).
+
+If you use **Azure Storage** to store the diagnostic logging information, the information is stored in containers named **insights-logs-operationlogs** and **insights-metrics-pt1m**. Sample URL for an operation log: `https://<Azure Storage account>.blob.core.windows.net/insights-logs-operationallogs/resourceId=/SUBSCRIPTIONS/<Azure subscription ID>/RESOURCEGROUPS/<Resource group name>/PROVIDERS/MICROSOFT.SERVICEBUS/NAMESPACES/<Namespace name>/y=<YEAR>/m=<MONTH-NUMBER>/d=<DAY-NUMBER>/h=<HOUR>/m=<MINUTE>/PT1H.json`. The URL for a metric log is similar.
+
+If you use **Azure Event Hubs** to store the diagnostic logging information, the information is stored in event hubs named **insights-logs-operationlogs** and **insights-metrics-pt1m**. You can also select your own event hub.
+
+If you use **Log Analytics** to store the diagnostic logging information, the information is stored in tables named **AzureDiagnostics** and **AzureMetrics**.
+
+> [!IMPORTANT]
+> Enabling these settings requires additional Azure services (storage account, event hub, or Log Analytics), which may increase your cost. To calculate an estimated cost, visit the [Azure pricing calculator](https://azure.microsoft.com/pricing/calculator).
+
+> [!NOTE]
+> When you enable metrics in a diagnostic setting, dimension information is not currently included as part of the information sent to a storage account, event hub, or log analytics.
+
+The metrics and logs you can collect are discussed in the following sections.
+
+## Analyzing metrics
+You can analyze metrics for Azure Event Hubs, along with metrics from other Azure services, by selecting **Metrics** from the **Azure Monitor** section on the home page for your Event Hubs namespace. See [Getting started with Azure Metrics Explorer](../azure-monitor/essentials/metrics-getting-started.md) for details on using this tool. For a list of the platform metrics collected, see [Monitoring Azure Event Hubs data reference metrics](monitor-event-hubs-reference.md#metrics).
+
+![Metrics Explorer with Event Hubs namespace selected](./media/monitor-event-hubs/metrics.png)
+
+For reference, you can see a list of [all resource metrics supported in Azure Monitor](../azure-monitor/essentials/metrics-supported.md).
+
+> [!TIP]
+> Azure Monitor metrics data is available for 90 days. However, when creating charts only 30 days can be visualized. For example, if you want to visualize a 90 day period, you must break it into three charts of 30 days within the 90 day period.
+
+### Filtering and splitting
+For metrics that support dimensions, you can apply filters using a dimension value. For example, add a filter with `EntityName` set to the name of an event hub. You can also split a metric by dimension to visualize how different segments of the metric compare with each other. For more information of filtering and splitting, see [Advanced features of Azure Monitor](../azure-monitor/essentials/metrics-charts.md).
++
+## Analyzing logs
+Using Azure Monitor Log Analytics requires you to create a diagnostic configuration and enable __Send information to Log Analytics__. For more information, see the [Collection and routing](#collection-and-routing) section. Data in Azure Monitor Logs is stored in tables, with each table having its own set of unique properties. Azure Event Hubs stores data in the following tables: **AzureDiagnostics** and **AzureMetrics**.
+
+> [!IMPORTANT]
+> When you select **Logs** from the Azure Event Hubs menu, Log Analytics is opened with the query scope set to the current workspace. This means that log queries will only include data from that resource. If you want to run a query that includes data from other databases or data from other Azure services, select **Logs** from the **Azure Monitor** menu. See [Log query scope and time range in Azure Monitor Log Analytics](../azure-monitor/logs/scope.md) for details.
+
+For a detailed reference of the logs and metrics, see [Azure Event Hubs monitoring data reference](monitor-event-hubs-reference.md).
+
+### Sample Kusto queries
+
+> [!IMPORTANT]
+> When you select **Logs** from the Azure Event Hubs menu, Log Analytics is opened with the query scope set to the current Azure Event Hubs namespace. This means that log queries will only include data from that resource. If you want to run a query that includes data from other workspaces or data from other Azure services, select **Logs** from the **Azure Monitor** menu. See [Log query scope and time range in Azure Monitor Log Analytics](../azure-monitor/logs/scope.md) for details.
+
+Following are sample queries that you can use to help you monitor your Azure Event Hubs resources:
+++ Get errors from the past 7 days+
+ ```Kusto
+ AzureDiagnostics
+ | where TimeGenerated > ago(7d)
+ | where ResourceProvider =="MICROSOFT.EVENTHUB"
+ | where Category == "OperationalLogs"
+ | summarize count() by "EventName"
+ ```
+++ Get access attempts to a key vault that resulted in "key not found" error.+
+ ```Kusto
+ AzureDiagnostics
+ | where ResourceProvider == "MICROSOFT.EVENTHUB"
+ | where Category == "Error" and OperationName == "wrapkey"
+ | project Message
+ ```
+++ Get operations performed with a key vault to disable or restore the key.+
+ ```Kusto
+ AzureDiagnostics
+ | where ResourceProvider == "MICROSOFT.EVENTHUB"
+ | where Category == "info" and OperationName == "disable" or OperationName == "restore"
+ | project Message
+ ```
++ Get capture failures and their duration in seconds+
+ ```kusto
+ AzureDiagnostics
+ | where ResourceProvider == "MICROSOFT.EVENTHUB"
+ | where Category == "ArchiveLogs"
+ | summarize count() by "failures", "durationInSeconds"
+ ```
+
+## Alerts
+You can access alerts for Azure Event Hubs by selecting **Alerts** from the **Azure Monitor** section on the home page for your Event Hubs namespace. See [Create, view, and manage metric alerts using Azure Monitor](../azure-monitor/alerts/alerts-metric.md) for details on creating alerts.
++
+## Next steps
+
+- For a reference of the logs and metrics, see [Monitoring Azure Event Hubs data reference](monitor-event-hubs-reference.md).
+- For details on monitoring Azure resources, see [Monitoring Azure resources with Azure Monitor](../azure-monitor/essentials/monitor-azure-resource.md).
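Review bot: the Azure Storage paragraph in this hunk contradicts itself and the rest of the page: the text names the container `insights-logs-operationlogs` while the sample URL uses `insights-logs-operationallogs`, and the URL path has `PROVIDERS/MICROSOFT.SERVICEBUS/NAMESPACES/` for an Event Hubs namespace although every Kusto sample below filters on `ResourceProvider == "MICROSOFT.EVENTHUB"`; pick the correct container name and provider segment. The `[!IMPORTANT]` block about query scope appears twice with different wording ("current workspace ... other databases" above "Sample Kusto queries" and "current Azure Event Hubs namespace ... other workspaces" below it); keep one. The sample queries have logic errors that will return wrong results silently: `summarize count() by "EventName"` and `summarize count() by "failures", "durationInSeconds"` group by string literals rather than columns, so drop the quotes; `Category == "Error"` in the wrapkey query uses a different case from `Category == "info"` in the next query (KQL `==` is case-sensitive, and the removed customer-managed key schema lists the values as **error** and **info**), so the key-not-found query matches nothing if the logged value is lowercase; and `where Category == "info" and OperationName == "disable" or OperationName == "restore"` binds `and` before `or`, so it returns every "restore" row regardless of category, which should be `OperationName in ("disable", "restore")`. Minor: the fence tags mix `Kusto` and `kusto`, and the tip link `../azure-monitor//usage-estimated-costs.md` has a doubled slash.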
germany Germany Image Gallery https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/germany/germany-image-gallery.md
To uncover any programmatic differences with endpoints when you're working with
For more information on deploying from the Marketplace or creating your own VHD, see these resources: * [Deploying a Windows virtual machine](../virtual-machines/windows/quick-create-portal.md?toc=%2fazure%2fvirtual-machines%2fwindows%2ftoc.json)
-* [Windows virtual machines FAQ](../virtual-machines/windows/faq.md?toc=%2fazure%2fvirtual-machines%2fwindows%2ftoc.json)
+* [Windows virtual machines FAQ](../virtual-machines/windows/faq.yml?toc=%2fazure%2fvirtual-machines%2fwindows%2ftoc.json)
* [Create a Linux VM custom image](../virtual-machines/linux/create-upload-generic.md?toc=%2fazure%2fvirtual-machines%2flinux%2ftoc.json)
healthcare-apis Fhir Features Supported https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/healthcare-apis/fhir/fhir-features-supported.md
Currently, the allowed actions for a given role are applied *globally* on the AP
* **Concurrent connections and Instances** - By default, you have 15 concurrent connections on two instances in the cluster (for a total of 30 concurrent requests). If you need more concurrent requests, open a support ticket and provide details about your needs.
-## Performance expectations
-
-The performance of the system is dependent on the number of RUs, concurrent connections, and the type of operations you're performing (Put, Post, etc.). Below are some general ranges of what you can expect based on configured RUs. In general, performance scales linearly with an increase in RUs:
-
-| # of RUs | Resources/sec | Max Storage (GB)* |
-|-||--|
-| 400 | 5-10 | 10 |
-| 1,000 | 100-150 | 25 |
-| 10,000 | 225-400 | 250 |
-| 100,000 | 2,500-4,000 | 2,500 |
-
-Note: Per Cosmos DB requirement, there is a requirement of a minimum throughput of 40 RU/s per GB of storage.
- ## Next steps In this article, you've read about the supported FHIR features in Azure API for FHIR. Next deploy the Azure API for FHIR.
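Review bot: removing the "Performance expectations" section also removes the only statement of the Cosmos DB minimum-throughput constraint (`a minimum throughput of 40 RU/s per GB of storage`) from this article; if the RU-to-throughput table is being withdrawn because its numbers are no longer reliable, keep that constraint sentence, which is a hard limit rather than a performance estimate, or say where it now lives. The trailing context line also shows `## Next steps` fused onto the same line as the paragraph that follows it, so verify the heading still starts on its own line after the deletion.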
iot-hub Iot Hub Node Node Device Management Get Started https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-hub/iot-hub-node-node-device-management-get-started.md
At the end of this tutorial, you have two Node.js console apps:
In this section, you:
-* Create a Node.js console app that responds to a direct method called by the cloud
+* Create a Node.js console app that responds to a direct method called by the cloud.
-* Trigger a simulated device reboot
+* Trigger a simulated device reboot.
-* Use the reported properties to enable device twin queries to identify devices and when they last rebooted
+* Use the reported properties to enable device twin queries to identify devices and when they last rebooted.
1. Create an empty folder called **manageddevice**. In the **manageddevice** folder, create a package.json file using the following command at your command prompt. Accept all the defaults:
lighthouse Managed Services Offers https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/lighthouse/concepts/managed-services-offers.md
Title: Managed Service offers in Azure Marketplace
-description: Managed Service offers let you sell resource management offers to customers in Azure Marketplace.
+description: Offer your Azure Lighthouse management services to customers through Managed Services offers in Azure Marketplace.
Last updated 05/11/2021
lighthouse Tenants Users Roles https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/lighthouse/concepts/tenants-users-roles.md
Title: Tenants, users, and roles in Azure Lighthouse scenarios
-description: Understand the concepts of Azure Active Directory tenants, users, and roles, as well as how they can be used in Azure Lighthouse scenarios.
+description: Understand how Azure Active Directory tenants, users, and roles can be used in Azure Lighthouse scenarios.
Last updated 05/11/2021
lighthouse Manage Hybrid Infrastructure Arc https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/lighthouse/how-to/manage-hybrid-infrastructure-arc.md
Title: Manage hybrid infrastructure at scale with Azure Arc
-description: Learn how to effectively manage your customers' machines and Kubernetes clusters outside of Azure.
+description: Azure Lighthouse helps you effectively manage customers' machines and Kubernetes clusters outside of Azure.
Last updated 03/12/2021
lighthouse Manage Sentinel Workspaces https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/lighthouse/how-to/manage-sentinel-workspaces.md
Title: Manage Azure Sentinel workspaces at scale
-description: Learn how to effectively manage Azure Sentinel on delegated customer resources.
+description: Azure Lighthouse helps you effectively manage Azure Sentinel across delegated customer resources.
Last updated 03/02/2021
lighthouse Migration At Scale https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/lighthouse/how-to/migration-at-scale.md
Title: Manage Azure Migrate projects at scale
-description: Learn how to effectively use Azure Migrate on delegated customer resources.
+description: Azure Lighthouse helps you effectively use Azure Migrate across delegated customer resources.
Last updated 05/11/2021
lighthouse Monitor At Scale https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/lighthouse/how-to/monitor-at-scale.md
Title: Monitor delegated resources at scale
-description: Learn how to effectively use Azure Monitor Logs in a scalable way across the customer tenants you're managing.
+description: Azure Lighthouse helps you use Azure Monitor Logs in a scalable way across customer tenants.
Last updated 05/10/2021
lighthouse Monitor Delegation Changes https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/lighthouse/how-to/monitor-delegation-changes.md
Title: Monitor delegation changes in your managing tenant
-description: Learn how to monitor delegation activity from customer tenants to your managing tenant.
+description: Learn how to monitor all Azure Lighthouse delegation activity to your managing tenant.
Last updated 05/11/2021
lighthouse Onboard Customer https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/lighthouse/how-to/onboard-customer.md
Title: Onboard a customer to Azure Lighthouse
-description: Learn how to onboard a customer to Azure Lighthouse, allowing their resources to be accessed and managed through your own tenant using Azure delegated resource management.
+description: Learn how to onboard a customer to Azure Lighthouse, allowing their resources to be accessed and managed by users in your tenant.
Last updated 05/25/2021
lighthouse Partner Earned Credit https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/lighthouse/how-to/partner-earned-credit.md
Title: Link your partner ID to track your impact on delegated resources
-description: Learn how to associate your partner ID to receive partner earned credit (PEC) on customer resources you manage through Azure Lighthouse.
+description: Associate your partner ID to receive partner earned credit (PEC) on customer resources you manage through Azure Lighthouse.
Last updated 02/12/2021
lighthouse Policy At Scale https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/lighthouse/how-to/policy-at-scale.md
Title: Deploy Azure Policy to delegated subscriptions at scale
-description: Learn how Azure Lighthouse lets you deploy a policy definition and policy assignment across multiple tenants.
+description: Azure Lighthouse lets you deploy a policy definition and policy assignment across multiple tenants.
Last updated 05/11/2021
lighthouse View Manage Service Providers https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/lighthouse/how-to/view-manage-service-providers.md
Title: View and manage service providers
-description: Customers can use the Service providers page in the Azure portal to view info about service providers, service provider offers, and delegated resources.
+description: Customers can view info about Azure Lighthouse service providers, service provider offers, and delegated resources in the Azure portal.
Last updated 02/16/2021
machine-learning How To Change Storage Access Key https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/machine-learning/how-to-change-storage-access-key.md
Learn how to change the access keys for Azure Storage accounts used by Azure Mac
For security purposes, you may need to change the access keys for an Azure Storage account. When you regenerate the access key, Azure Machine Learning must be updated to use the new key. Azure Machine Learning may be using the storage account for both model storage and as a datastore. > [!IMPORTANT]
-> Credentials registered with datastores are saved in your Azure Key Vault associated with the workspace. If you have [soft-delete](../key-vault/general/soft-delete-overview.md) enabled for your Key Vault, this article provides instructions for updating credentials. If you unregister the datastore and try to re-register it under the same name, this action will fail. See [Turn on Soft Delete for an existing key vault]( https://docs.microsoft.com/azure/key-vault/general/soft-delete-change#turn-on-soft-delete-for-an-existing-key-vault) for how to enable soft delete in this scenario.
+> Credentials registered with datastores are saved in your Azure Key Vault associated with the workspace. If you have [soft-delete](../key-vault/general/soft-delete-overview.md) enabled for your Key Vault, this article provides instructions for updating credentials. If you unregister the datastore and try to re-register it under the same name, this action will fail. See [Turn on Soft Delete for an existing key vault](/azure/key-vault/general/soft-delete-change#turn-on-soft-delete-for-an-existing-key-vault) for how to enable soft delete in this scenario.
## Prerequisites
machine-learning How To Deploy And Where https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/machine-learning/how-to-deploy-and-where.md
Last updated 04/21/2021-+ adobe-target: true
machine-learning How To Network Security Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/machine-learning/how-to-network-security-overview.md
Title: Virtual network isolation and security overview
+ Title: Secure workspace resources using virtual networks (VNets)
-description: Use an isolated Azure Virtual Network with Azure Machine Learning to secure workspace resources and compute environments.
+description: Secure Azure Machine Learning workspace resources and compute environments using an isolated Azure Virtual Network (VNet).
Previously updated : 03/02/2021 Last updated : 06/11/2021 -+
-# Virtual network isolation and privacy overview
+<!-- # Virtual network isolation and privacy overview -->
+# Secure Azure Machine Learning workspace resources using virtual networks (VNets)
-In this article, you learn how to use virtual networks (VNets) to secure network communication in Azure Machine Learning. This article uses an example scenario to show you how to configure a complete virtual network.
+Secure Azure Machine Learning workspace resources and compute environments using virtual networks (VNets). This article uses an example scenario to show you how to configure a complete virtual network.
This article is part one of a five-part series that walks you through securing an Azure Machine Learning workflow. We highly recommend that you read through this overview article to understand the concepts first.
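Review bot: the old heading is kept as an HTML comment (`<!-- # Virtual network isolation and privacy overview -->`); commented-out headings accumulate in the source and add nothing since the rename is already in git history, so delete the comment line rather than keeping it. The new opening sentence ("Secure Azure Machine Learning workspace resources and compute environments using virtual networks (VNets).") is an imperative where the removed text described what the article covers; consider "This article shows how to secure ..." so it reads like the paragraph that follows it.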
machine-learning Overview What Is Azure Ml https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/machine-learning/overview-what-is-azure-ml.md
Title: What is Azure Machine Learning
+ Title: What is Azure Machine Learning?
description: Azure Machine Learning is an integrated data science solution for data scientists and MLops to model and deploy ML applications at cloud scale.
Azure Machine Learning provides all the tools developers and data scientists nee
+ Jupyter notebooks: use our [example notebooks](https://github.com/Azure/MachineLearningNotebooks) or create your own notebooks to leverage our <a href="/python/api/overview/azure/ml/intro" target="_blank">SDK for Python</a> samples for your machine learning.
-+ R scripts or notebooks in which you use the <a href="https://azure.github.io/azureml-sdk-for-r/reference/https://docsupdatetracker.net/index.html" target="_blank">SDK for R</a> to write your own code, or use the R modules in the designer.
- + The [Many Models Solution Accelerator](https://aka.ms/many-models) (preview) builds on Azure Machine Learning and enables you to train, operate, and manage hundreds or even thousands of machine learning models. + [Machine learning extension for Visual Studio Code (preview)](how-to-set-up-vs-code-remote.md) provides you with a full-featured development environment for building and managing your machine learning projects.
Azure Machine Learning provides all the tools developers and data scientists nee
You can even use [MLflow to track metrics and deploy models](how-to-use-mlflow.md) or Kubeflow to [build end-to-end workflow pipelines](https://www.kubeflow.org/docs/azure/).
-## Build ML models in Python or R
+## Build ML models in with the Python SDK
-Start training on your local machine using the Azure Machine Learning <a href="/python/api/overview/azure/ml/intro" target="_blank">Python SDK</a> or <a href="https://azure.github.io/azureml-sdk-for-r/reference/https://docsupdatetracker.net/index.html" target="_blank">R SDK</a>. Then, you can scale out to the cloud.
+Start training on your local machine using the Azure Machine Learning <a href="/python/api/overview/azure/ml/intro" target="_blank">Python SDK</a>. Then, you can scale out to the cloud.
With many available [compute targets](how-to-create-attach-compute-studio.md), like Azure Machine Learning Compute and [Azure Databricks](/azure/databricks/scenarios/what-is-azure-databricks), and with [advanced hyperparameter tuning services](how-to-tune-hyperparameters.md), you can build better models faster by using the power of the cloud.
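Review bot: the new heading `+## Build ML models in with the Python SDK` has a stray "in"; it should read "Build ML models with the Python SDK". Dropping the R SDK bullet and the R link from the first sentence of that section is consistent with the narrowed heading, so no other text needs to change.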
machine-learning Explore Data Blob https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/machine-learning/team-data-science-process/explore-data-blob.md
To explore and manipulate a dataset, it must first be downloaded from the blob s
#download from blob t1=time.time() blob_service_client_instance = BlobServiceClient(account_url=STORAGEACCOUNTURL, credential=STORAGEACCOUNTKEY)
- blob_client_instance = blob_service_client.get_blob_client(CONTAINERNAME, BLOBNAME, snapshot=None)
+ blob_client_instance = blob_service_client_instance.get_blob_client(CONTAINERNAME, BLOBNAME, snapshot=None)
with open(LOCALFILENAME, "wb") as my_blob: blob_data = blob_client_instance.download_blob() blob_data.readinto(my_blob)
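Review bot: the rename to `blob_service_client_instance.get_blob_client(...)` is the right fix, since `blob_service_client_instance` is the name the `BlobServiceClient(...)` call on the preceding line is bound to, so the old `blob_service_client` was an undefined name at runtime. While this snippet is open, it would help to say that `STORAGEACCOUNTKEY` is a full-access account key and should be loaded from an environment variable or Key Vault rather than pasted into the notebook; as shown it is passed straight in via `credential=STORAGEACCOUNTKEY`.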
machine-learning Predictive Maintenance Playbook https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/machine-learning/team-data-science-process/predictive-maintenance-playbook.md
The question here is: "What is the remaining useful life (RUL) of the equipment?
Figure 4. Labeling for regression
-For regression, labeling is done with reference to a failure point. Its calculation is not possible without knowing how long the asset has survived before a failure. So in contrast to binary classification, assets without any failures in the data cannot be used for modeling. This issue is best addressed by another statistical technique called [Survival Analysis](https://en.wikipedia.org/wiki/Survival_analysis). But potential complications may arise when applying this technique to PdM use cases that involve time-varying data with frequent intervals. For more information on Survival Analysis, see [this one-pager](https://www.cscu.cornell.edu/news/news.php/stnews78.pdf).
+For regression, labeling is done with reference to a failure point. Its calculation is not possible without knowing how long the asset has survived before a failure. So in contrast to binary classification, assets without any failures in the data cannot be used for modeling. This issue is best addressed by another statistical technique called [Survival Analysis](https://en.wikipedia.org/wiki/Survival_analysis). But potential complications may arise when applying this technique to PdM use cases that involve time-varying data with frequent intervals. For more information on Survival Analysis, see [this one-pager](https://cscu.cornell.edu/wp-content/uploads/78_surv.pdf).
### Multi-class classification for predictive maintenance Multi-class classification techniques can be used in PdM solutions for two scenarios:
Microsoft Azure offers learning paths for the foundational concepts behind PdM t
| [Microsoft AI](https://www.microsoft.com/AI) | Public | | [Microsoft Partner Network](https://partner.microsoft.com/training/training-center) | Partners |
-In addition, free MOOCS (massive open online courses) on AI are offered online by academic institutions like Stanford and MIT, and other educational companies.
+In addition, free MOOCS (massive open online courses) on AI are offered online by academic institutions like Stanford and MIT, and other educational companies.
machine-learning Tutorial Deploy Managed Endpoints Using System Managed Identity https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/machine-learning/tutorial-deploy-managed-endpoints-using-system-managed-identity.md
This tutorial demonstrates how to take the following actions with the Azure CLI
* A trained machine learning model ready for scoring and deployment. + ## Set the defaults for Azure CLI To ensure the correct resources are used throughout this tutorial, set the default values for the Azure subscription ID, Azure Machine Learning workspace, and resource group you want to use. Doing so allows you to avoid having to repeatedly pass in the values every time you call an Azure CLI command.
In this Azure Machine Learning tutorial, you used the machine learning CLI for t
* For more information on using the CLI, see [Use the CLI extension for Azure Machine Learning](reference-azure-machine-learning-cli.md). * To refine JSON queries to only return specific data, see [Query Azure CLI command output](/cli/azure/query-azure-cli).
+* For more information on the YAML schema, see [online endpoint YAML reference](reference-online-endpoint-yaml.md) document.
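Review bot: the new bullet reads "see [online endpoint YAML reference](reference-online-endpoint-yaml.md) document"; drop the trailing "document" so it matches the form of the two bullets above it.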
mariadb Howto Configure Privatelink Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/mariadb/howto-configure-privatelink-portal.md
In this section, you will create a Virtual Network and the subnet to host the VM
| Size | Leave the default **Standard DS1 v2**. | | **ADMINISTRATOR ACCOUNT** | | | Username | Enter a username of your choosing. |
- | Password | Enter a password of your choosing. The password must be at least 12 characters long and meet the [defined complexity requirements](../virtual-machines/windows/faq.md?toc=%2fazure%2fvirtual-network%2ftoc.json#what-are-the-password-requirements-when-creating-a-vm).|
+ | Password | Enter a password of your choosing. The password must be at least 12 characters long and meet the [defined complexity requirements](../virtual-machines/windows/faq.yml?toc=%2fazure%2fvirtual-network%2ftoc.json#what-are-the-password-requirements-when-creating-a-vm-).|
| Confirm Password | Reenter password. | | **INBOUND PORT RULES** | | | Public inbound ports | Leave the default **None**. |
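Review bot: the updated anchor ends in a trailing hyphen (`...-when-creating-a-vm-`); FAQ pages built from `faq.yml` derive heading ids from the question text including its question mark, so the trailing hyphen is probably intended, but verify the link resolves before merging, since a broken anchor silently drops the reader at the top of the page instead of at the password requirements.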
marketplace Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/marketplace/overview.md
+ Last updated 10/15/2020
marketplace Support Azure Marketplace https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/marketplace/support-azure-marketplace.md
Previously updated : 04/14/2020 Last updated : 06/14/2021 # Support for the Microsoft commercial marketplace
Open a ticket with Microsoft [marketplace publisher support](https://aka.ms/mark
| Support channel | Description | Availability | |: |: |: |
-| For assistance, visit the Create an incident page located at [Marketplace Support](https://aka.ms/marketplacepublishersupport)</li> </ul> | Support for Partner Center. | Support is provided 24x5. |
+| For assistance, visit the Create an incident page located at [Marketplace Support](https://aka.ms/marketplacepublishersupport)</li> </ul> | Support for Partner Center. | Support is provided 24x5. |
+|
## Technical
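Review bot: the `</li> </ul>` fragment in the Marketplace Support row has no matching opening tags and is carried over unchanged; drop it from the row. The newly added `+|` line below the row is a lone pipe that Markdown will render as a malformed extra table row; remove it.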
Open a ticket with Microsoft [marketplace publisher support](https://aka.ms/mark
| Support channel | Description | Availability | |: |: |: |
-| Email: [gtm@microsoft.com](mailto:gtm@microsoft.com) | Support for GTM benefits and program questions. | Business hours are in the Pacific time zone. |
-| Email: [cebrand@microsoft.com](mailto:cebrand@microsoft.com) | Answers to questions about usage for Azure logos and branding. | |
+| Email: [cebrand@microsoft.com](mailto:cebrand@microsoft.com) | Answers to questions about usage for Azure logos and branding. | |
+|
-## Next steps
+For questions about Marketplace Rewards, contact [Partner Center support](https://partner.microsoft.com/support/v2/?stage=1).
-* Visit the [commercial marketplace publisher guide page](index.yml).
-* Learn more about [support for the commercial marketplace program in Partner Center](support.md).
+## Next steps
-
+- Visit the [commercial marketplace publisher guide page](index.yml)
+- Learn more about [support for the commercial marketplace program in Partner Center](support.md)
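Review bot: the lone `+|` line after the cebrand@microsoft.com row has the same problem as the one in the Partner Center table above and should be removed. Switching the Next steps bullets from `*` to `-` and dropping the trailing periods is fine, but check that the rest of the article uses `-` so the two list styles are not mixed.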
mysql Howto Configure Privatelink Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/mysql/howto-configure-privatelink-portal.md
In this section, you will create a Virtual Network and the subnet to host the VM
| Size | Leave the default **Standard DS1 v2**. | | **ADMINISTRATOR ACCOUNT** | | | Username | Enter a username of your choosing. |
- | Password | Enter a password of your choosing. The password must be at least 12 characters long and meet the [defined complexity requirements](../virtual-machines/windows/faq.md?toc=%2fazure%2fvirtual-network%2ftoc.json#what-are-the-password-requirements-when-creating-a-vm).|
+ | Password | Enter a password of your choosing. The password must be at least 12 characters long and meet the [defined complexity requirements](../virtual-machines/windows/faq.yml?toc=%2fazure%2fvirtual-network%2ftoc.json#what-are-the-password-requirements-when-creating-a-vm-).|
| Confirm Password | Reenter password. | | **INBOUND PORT RULES** | | | Public inbound ports | Leave the default **None**. |
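Review bot: same `faq.yml` anchor change as in the mariadb privatelink article above; verify the trailing-hyphen anchor resolves and keep the two articles in sync.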
mysql Appendix A Environment Setup https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/mysql/migrate/appendix-a-environment-setup.md
- Title: "MySQL on-premises to Azure Database for MySQL migration guide Appendix A: Environment Setup"
-description: "Download additional documentation we created for this Migration Guide and learn how to configure."
------- Previously updated : 05/26/2021--
-# MySQL on-premises to Azure Database for MySQL migration guide Appendix A: Environment Setup
-
-[Download additional documentation](https://github.com/Azure/azure-mysql/blob/master/MigrationGuide/MySQL%20Migration%20Guide_v1.1%20Appendix%20A.pdf) we created for this Migration Guide and learn how to configure an environment to perform the guideΓÇÖs migration steps for the sample [conference demo application.](https://github.com/Azure/azure-mysql/tree/master/MigrationGuide/sample-app).
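Review bot: this deletes the Appendix A page outright; since the guide is being re-homed under `mysql/migrate/mysql-on-premises-azure-db/` (see the new `01-mysql-migration-guide-intro.md` added in this batch), a redirect entry for the old `appendix-a-environment-setup.md` path should ship in the same change so existing links do not 404. The same applies to the other `migrate/` pages removed below.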
mysql Appendix B Arm Templates https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/mysql/migrate/appendix-b-arm-templates.md
- Title: "MySQL on-premises to Azure Database for MySQL migration guide Appendix B: ARM Templates"
-description: "This template will deploy all resources with private endpoints."
------- Previously updated : 05/26/2021--
-# MySQL on-premises to Azure Database for MySQL migration guide Appendix B: ARM Templates
-
-### Secure
-
-This template will deploy all resources with private endpoints. This effectively removes any access to the PaaS services from the internet.
-
-[ARM Template ](https://github.com/Azure/azure-mysql/tree/master/MigrationGuide/arm-templates/ExampleWithMigration)
-
-### Non-Secure
-
-This template will deploy resources using standard deployment where all resources are available from the internet.
-
-[ARM Template ](https://github.com/Azure/azure-mysql/tree/master/MigrationGuide/arm-templates/ExampleWithMigrationSecure)
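Review bot: the two ARM template links look swapped: the "Secure" section (the one that deploys everything behind private endpoints) points at `arm-templates/ExampleWithMigration`, while the "Non-Secure" section points at `arm-templates/ExampleWithMigrationSecure`. If this content is re-added under the new folder, make sure the Secure heading links to the `...Secure` template; otherwise a reader following the secure path deploys the internet-exposed variant.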
mysql Appendix C Default Server Parameters Mysql 55 And Azure Database For Mysql https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/mysql/migrate/appendix-c-default-server-parameters-mysql-55-and-azure-database-for-mysql.md
- Title: "MySQL on-premises to Azure Database for MySQL migration guide Appendix C: Default server parameters MySQL 5.5 and Azure Database for MySQL"
-description: "You will find the full listing of default server parameters of MySQL 5.5 and Azure Database for MySQL in our GitHub repository."
------- Previously updated : 05/26/2021--
-# MySQL on-premises to Azure Database for MySQL migration guide Appendix C: Default server parameters MySQL 5.5 and Azure Database for MySQL
-
-You can find the [full listing of default server parameters of MySQL 5.5 and Azure Database for MySQL](https://github.com/Azure/azure-mysql/blob/master/MigrationGuide/MySQL%20Migration%20Guide_v1.1%20Appendix%20C.pdf) in our GitHub repository.
mysql Business Continuity And Disaster Recovery https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/mysql/migrate/business-continuity-and-disaster-recovery.md
- Title: "MySQL on-premises to Azure Database for MySQL migration guide Business Continuity and Disaster Recovery (BCDR)"
-description: "As with any mission critical system, having a backup and restore as well as a disaster recovery (BCDR) strategy is an important part of your overall system design."
------- Previously updated : 05/26/2021--
-# MySQL on-premises to Azure Database for MySQL migration guide Business Continuity and Disaster Recovery (BCDR)
-
-### Backup and Restore
-
-As with any mission critical system, having a backup and restore as well as a disaster recovery (BCDR) strategy is an important part of your overall system design. If an unforseen event occurs, you should have the ability to restore your data to a point in time (Recovery Point Objective) in a reasonable amount of time (Recovery Time Objective).
-
-#### Backup
-
-Azure Database for MySQL supports automatic backups for 7 days by default. It may be appropriate to modify this to the current maximum of 35 days. It is important to be aware that if the value is changed to 35 days, there will be charges for any extra backup storage over 1x of the storage allocated.
-
-There are several current limitations to the database backup feature as described in the [Backup and restore in Azure Database for MySQL](../concepts-backup.md) docs article. It is important to understand them when deciding what additional strategies that should be implemented.
-
-Some items to be aware of include:
-
- - No direct access to the backups
-
- - Tiers that allow up to 4TB have a full backup once per week, differential twice a day, and logs every five minutes
-
- - Tiers that allow up to 16TB have backups that are snapshot based
-
- > [!NOTE]
- > [Some regions](../concepts-pricing-tiers.md#storage) do not yet support storage up to 16TB.
-
-#### Restore
-
-Redundancy (local or geo) must be configured during server creation. However, a geo-restore can be performed and allows the modification of these options during the restore process. Performing a restore operation will temporarily stop connectivity and any applications will be down during the restore process.
-
-During a database restore, any supporting items outside of the database will also need to be restored.
-Review the migration process. See [Perform post-restore tasks](../concepts-backup.md#perform-post-restore-tasks) for more information.
-
-### Read Replicas
-
-[Read replicas](../concepts-read-replicas.md) can be used to increase the MySQL read throughput, improve performance for regional users and to implement disaster recovery. When creating one or more read replicas, be aware that additional charges will apply for the same compute and storage as the primary server.
-
-### Deleted Servers
-
-If an administrator or bad actor deletes the server in the Azure Portal or via automated methods, all backups and read replicas will also be deleted. It is important that [resource locks](../../azure-resource-manager/management/lock-resources.md) are created on the Azure Database for MySQL resource group to add an extra layer of deletion prevention to the instances.
-
-### Regional Failure
-
-Although rare, if a regional failure occurs geo-redundant backups or a read replica can be used to get the data workloads running again. It is best to have both geo-replication and a read replica available for the best protection against unexpected regional failures.
-
-> [!NOTE]
-> Changing the database server region also means the endpoint will change and application configurations will need to be updated accordingly.
-
-#### Load Balancers
-
-If the application is made up of many different instances around the world, it may not be feasible to update all of the clients. Utilize an [Azure Load Balancer](../../load-balancer/load-balancer-overview.md) or [Application Gateway](../../application-gateway/overview.md) to implement a seamless failover functionality. Although helpful and time-saving, these tools are not required for regional failover capability.
-
-### WWI Scenario
-
-WWI wanted to test the failover capabilities of read replicas so they performed the steps outlined below.
-
-#### Creating a read replica
-
- - Open the Azure Portal.
-
- - Browse to the Azure Database for MySQL instance.
-
- - Under **Settings**, select **Replication**.
-
- - Select **Add Replica**.
-
- - Type a server name.
-
- - Select the region.
-
- - Select **OK**, wait for the instance to deploy. Depending on the size of the main instance, it could take some time to replicate.
-
- > [!NOTE]
- > Each replica will incur additional charges equal to the main instance.
-
-#### Failover to read replica
-
-Once a read replica has been created and has completed the replication process, it can be used for failed over. Replication will stop during a failover and make the read replica its own main instance.
-
-Failover Steps:
-
- - Open the Azure Portal.
-
- - Browse to the Azure Database for MySQL instance.
-
- - Under **Settings**, select **Replication**.
-
- - Select one of the read replicas.
-
- - Select **Stop Replication**. This will break the read replica.
-
- - Modify all applications connection strings to point to the new main instance.
-
-### BCDR Checklist
-
- - Modify backup frequency to meet requirements.
-
- - Setup read replicas for read intensive workloads and regional failover.
-
- - Create resource locks on resource groups.
-
- - Implement a load balancing strategy for applications for quick failover.
--
-> [!div class="nextstepaction"]
-> [Security](./security.md)
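Review bot: if this section is moved rather than dropped, fix "unforseen" (Backup and Restore paragraph) and "it can be used for failed over" (Failover to read replica) on the way, and drop the stray `--` line before the nextstepaction block. The Deleted Servers guidance on resource locks is the one piece here that mitigates a real risk (backups and replicas disappearing with the server) and should survive the move.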
mysql Data Migration With Mysql Workbench https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/mysql/migrate/data-migration-with-mysql-workbench.md
- Title: "MySQL on-premises to Azure Database for MySQL migration guide Data Migration with MySQL Workbench"
-description: "Follow all the steps in the Setup guide to create an environment to support the following steps."
------- Previously updated : 05/26/2021--
-# MySQL on-premises to Azure Database for MySQL migration guide Data Migration with MySQL Workbench
-
-### Setup
-
-Follow all the steps in the Setup guide to create an environment to support the following steps.
-
-### Configuring Server Parameters (Source)
-
-Depending on the type of migration you have chosen (offline vs. online), you will want to evaluate if you are going to modify the server parameters to support a fast egress of the data. If you are doing online, it may not be necessary to do anything to server parameters as you will likely be performing `binlog` replication and have the data syncing on its own. However, if you are doing an offline migration, once you stop application traffic, you can switch the server parameters from supporting the workload to supporting the export.
-
-### Configuring Server Parameters (Target)
-
-Review the server parameters before starting the import process into Azure Database for MySQL. Server parameters can be retrieved and set using the [Azure Portal](../howto-server-parameters.md) or by calling the [Azure PowerShell for MySQL cmdlets](../howto-configure-server-parameters-using-powershell.md) to make the changes.
-
-Execute the following PowerShell script to get all parameters:
-
-```
-\[Net.ServicePointManager\]::SecurityProtocol = \[Net.SecurityProtocolType\]::Tls
-12
-
-Install-Module -Name Az.MySql
-Connect-AzAccount
-$rgName = "{RESOURCE\_GROUP\_NAME}";
-$serverName = "{SERVER\_NAME}";
-Get-AzMySqlConfiguration -ResourceGroupName $rgName -ServerName $serverName
-```
-
- - To do the same with the mysql tool, download the [CA root certification](https://www.digicert.com/CACerts/BaltimoreCyberTrustRoot.crt.pem) to c:\\temp (make this directory).
-
- > [!NOTE]
- > The certificate is subject to change. Reference [Configure SSL connectivity in your application to securely connect to Azure Database for MySQL](../howto-configure-ssl.md) for the latest certificate information.
-
- - Run the following in a command prompt, be sure to update the tokens:
-
-```
-mysql --host {servername}.mysql.database.azure.com --database mysql --user
-{u sername}@{servername} -p --ssl-ca=c:\\temp\\BaltimoreCyberTrustRoot.crt.cer
--A -e "SHOW GLOBAL VARIABLES;" \> c:\\temp\\settings\_azure.txt
-```
-
-In the new \`settings\_azure.txt\` file, you will see the default Azure Database for MySQL server parameters as shown in Appendix A.
-
-To support the migration, set the target MySQL instance parameters to allow for a faster ingress. The following server parameters should be set before starting the data migration:
-
- - `max\_allowed\_packet` ΓÇô set the parameter to `1073741824` (i.e. 1GB) or the largest size of a row in the database to prevent any overflow issue due to long rows. Consider adjusting this parameter if there are large BLOB rows that need to be pulled out (or read).
-
- - `innodb\_buffer\_pool\_size` ΓÇô Scale up the server to 32 vCore Memory Optimized SKU from the Pricing tier of the portal during migration to increase the innodb\_buffer\_pool\_size. Innodb\_buffer\_pool\_size can only be increased by scaling up compute for Azure Database for MySQL server. Reference [Server parameters in Azure Database for MySQL](../concepts-server-parameters.md#innodb_buffer_pool_size) for the max value for the tier. The maximum value in a Memory Optimized 32 vCore system is `132070244352`.
-
- - `innodb\_io\_capacity` & `innodb\_io\_capacity\_max` - Change the parameter to `9000` to improve the IO utilization to optimize for migration speed.
-
- - `max\_connections` - If using a tool that generates multiple threads to increase throughput, increase the connections to support that tool. Default is `151`, max is `5000`.
-
- > [!NOTE]
- > Take care when performing scaling. Some operations cannot be undone, such as storage scaling.
-
-These settings can be updated using the Azure PowerShell cmdlets below:
-
-```
-Install-Module -Name Az.MySql
-$rgName = " {RESOURCE\_GROUP\_NAME}";
-$serverName = "{SERVER\_NAME}";
-
-Select-AzSubscription -Subscription "{SUBSCRIPTION\_ID}"
-Update-AzMySqlConfiguration -Name max\_allowed\_packet -ResourceGroupName
-$rgna me -ServerName $serverName -Value 1073741824
-Update-AzMySqlConfiguration -Name innodb\_buffer\_pool\_size -ResourceGroupName
-$rgname -ServerName $serverName -Value 16106127360
-Update-AzMySqlConfiguration -Name innodb\_io\_capacity -ResourceGroupName
-$rgna me -ServerName $serverName -Value 9000
-Update-AzMySqlConfiguration -Name innodb\_io\_capacity\_max -ResourceGroupName
-$ rgname -ServerName $serverName -Value 9000
-
-\#required if you have functions
-
-Update-AzMySqlConfiguration -Name log\_bin\_trust\_function\_creators
--ResourceGr oupName $rgname -ServerName $serverName -Value ON
-```
-### Data
-
-#### Tool Choice
-
-With the database objects and users from the source system migrated, the migration can begin. Databases running on MySQL version 8.0 cannot use Azure DMS to migrate the workload. Instead, migration users should use MySQL Workbench.
-
-#### Manual Import and Export Steps
-
- - Open MySQL Workbench and connect as the local databaseΓÇÖs root user.
-
- - Under \*\*Management\*\*, select \*\*Data Export\*\*. Select the **reg\_app** schema.
-
- - In **Objects to Export**, select **Dump Stored Procedures and Functions**, **Dump Events** and **Dump Triggers**.
-
- - Under **Export Options**, select **Export to Self-Contained File**.
-
- - Also, select the **Include Create Schema** checkbox. Refer to the image below to observe the correct mysqldump configuration.
-
- ![Include Create Schema](./media/image6.jpg)
-
- **Test**
-
- - If any of these options appear unavailable, they are likely obstructed by the Output pane. Just change the editor layout.
-
- ![editor layout](./media/image7.jpg)
-
- **Test**
-
- - Select the **Export Progress** tab.
-
- - Select **Start Export**, notice MySQL Workbench makes calls to the `mysqldump` tool.
-
- - Open the newly created export script.
-
- - Find any `DEFINER` statements and either change to a valid user or remove them completely.
-
- > [!NOTE]
- > This can be done by passing the `--skip-definer` in the mysqldump command. This is not an option in the MySQL Workbench; therefore, the lines will need to be manually removed in the export commands. Although we point out four items to remove here, there can be other items that could fail when migrating from one MySQL version to another (such as new reserved words).
-
- - Find `SET GLOBAL` statements and either change to a valid user or remove them completely.
-
- - Ensure `sql\_mode` isnΓÇÖt set to `NO\_AUTO\_CREATE\_USER`.
-
- - Remove the `hello\_world` function.
-
- - In MySQL Workbench, create a new connection to the Azure Database for MySQL.
-
- - For Hostname, enter the full server DNS (ex: `servername.mysql.database.azure.com`).
-
- - Enter the username (ex: `sqlroot@servername`).
-
- - Select the **SSL** tab.
-
- - For the SSL CA File, browse to the **BaltimoreCyberTrustRoot.crt.cer** key file.
-
- - Select **Test Connection**, ensure the connection completes.
-
- - Select **OK**.
-
- ![MySQL connection dialog box](./media/image8.jpg)
-
- **MySQL connection dialog box is displayed.**
-
- - Select **File-\>Open SQL Script**.
-
- - Browse to the dump file, select **Open**.
-
- - Select **Execute**.
-
-### Update Applications to support SSL
-
- - Switch to the Java Server API in Visual Studio code.
-
- - Open the **launch.json** file.
-
- - Update the **DB\_CONNECTION\_URL** to `jdbc:mysql://serverDNSname:3306/reg\_app?useUnicode=true\&useJDBCCompliantT imezoneShift=true\&useLegacyDatetimeCode=false\&serverTimezone=UTC\&verifySe rverCertificate=true\&useSSL=true\&requireSSL=true\&noAccessToProcedureBodie s=true.` Note the additional SSL parameters.
-
- - Update **DB\_USER\_NAME** to **conferenceuser@servername**.
-
- - Start the debug configuration, and ensure that the application works locally with the new database.
-
-### Revert Server Parameters
-
-The following parameters can be changed on the Azure Database for MySQL target instance. These parameters can be set through the Azure Portal or by using the [Azure PowerShell for MySQL cmdlets.](../howto-configure-server-parameters-using-powershell.md)
-
-```
-$rgName = "YourRGName";
-$serverName = "servername";
-Update-AzMySqlConfiguration -Name max\_allowed\_packet -ResourceGroupName
-$rgna me -ServerName $serverName -Value 536870912
-Update-AzMySqlConfiguration -Name innodb\_buffer\_pool\_size -ResourceGroupName
-$rgname -ServerName $serverName -Value 16106127360
-Update-AzMySqlConfiguration -Name innodb\_io\_capacity -ResourceGroupName $rgna
-me -ServerName $serverName -Value 200
-Update-AzMySqlConfiguration -Name innodb\_io\_capacity\_max -ResourceGroupName
-$ rgname -ServerName $serverName -Value 2000
-```
-### Change Connection String for the Java API
-
- - Use the following commands to change the connection string for the App Service Java API
-
-```
-$rgName = "YourRGName";
-$app_name = "servername";
-az webapp config appsettings set -g $rgName -n $app_name
settings DB_CONNECTION_URL={DB_CONNECTION_URL}
-```
-
-> [!NOTE]
-> Remember that you can use the Portal to set the connection string.
-
- - Restart the App Service API
-
-```
-az webapp restart -g $rgName -n $app\_name
-```
-You have successfully completed an on-premises to Azure Database for MySQL migration\!
--
-> [!div class="nextstepaction"]
-> [Post Migration Management](./post-migration-management.md)
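Review bot: several tokens in the removed PowerShell and mysql snippets are split or mangled (`$rgna me`, `$ rgname`, `-ResourceGr oupName`, `{u sername}`, and `Tls` / `12` broken across two lines), the backslash-escaped underscores such as `max\_allowed\_packet` are not valid parameter names, and the CA file is downloaded as `BaltimoreCyberTrustRoot.crt.pem` but referenced as `BaltimoreCyberTrustRoot.crt.cer` in the `mysql --ssl-ca` command and in the Workbench SSL step; all of these need fixing before the content is re-added under the new folder. The `az webapp config appsettings set` call shows `settings DB_CONNECTION_URL={DB_CONNECTION_URL}` without its leading `--`, which may be the diff marker consuming the dashes; confirm in the source. The `ΓÇÖ`/`ΓÇô` sequences in the prose indicate the file was saved or rendered with the wrong encoding.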
mysql 01 Mysql Migration Guide Intro https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/mysql/migrate/mysql-on-premises-azure-db/01-mysql-migration-guide-intro.md
+
+ Title: "MySQL on-premises to Azure Database for MySQL migration guide introduction"
+description: "Migration guide from MySQL on-premises to Azure Data base for MySQL"
+++++++ Last updated : 06/11/2021 ++
+# MySQL on-premises to Azure Database for MySQL migration guide Introduction
+
+This migration guide is designed to provide stackable and actionable information for MySQL customers and software integrators seeking to migrate MySQL workloads to [Azure Database for MySQL](../../overview.md). This guide gives applicable knowledge that applies to most cases and provides guidance that leads to the successful planning and execution of a MySQL migration to Azure.
+
+The process of moving existing databases and MySQL workloads into the cloud can present challenges concerning the workload functionality and the connectivity of existing applications. The information presented throughout this guide offers helpful links and recommendations focusing on a successful migration and ensure workloads and applications continue operating as originally intended.
+
+The information provided centers on a customer journey using the Microsoft [Cloud Adoption Framework](/azure/cloud-adoption-framework/get-started/) to perform assessment, migration, and post-optimization activities for an Azure Database for MySQL environment.
+
+## MySQL
+
+MySQL has a rich history in the open-source community and has become popular with corporations worldwide for websites and other business-critical applications. This guide assists administrators who have been asked to scope, plan, and execute the migration. Administrators that are new to MySQL can also review the [MySQL Documentation](https://dev.mysql.com/doc/) for more profound information on the internal workings of MySQL. Additionally, this guide also links to several reference articles through each of the sections to point you to helpful information and tutorials.
+
+## Azure Database for MySQL
+
+[Azure Database for MySQL](../../overview.md) is a Platform as a Service (PaaS) offering by Microsoft, where the MySQL environment is fully managed. In this fully managed environment, the operating system and software updates are automatically applied, and the implementation of high availability and protection of the data.
+
+In addition to the PaaS offering, it's still possible to run MySQL in Azure VMs. Reference the [Choose the right MySQL Server option in Azure](../../select-right-deployment-type.md) article to decide what deployment type is most appropriate for the target data workload.
+
+![Comparison of MySQL environments](./media/image3.jpg)
+
+**Comparison of MySQL environments**
+
+This guide focuses entirely on migrating the on-premises MySQL workloads to the Platform as a Service Azure Database for MySQL offering due to its various advantages over Infrastructure as a Service (IaaS) such as scale-up and scale-out, pay-as-you-go, high availability, security, and manageability features.
+
+> [!div class="nextstepaction"]
+> [Representative Use Case](./02-representative-use-case.md)
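Review bot: the second clause of `In this fully managed environment, the operating system and software updates are automatically applied, and the implementation of high availability and protection of the data.` has no verb; suggest `..., and high availability and data protection are built into the service.` Two smaller items in the same file: the front-matter description says `Azure Data base for MySQL` (should be `Azure Database for MySQL`), and `stackable and actionable information` in the opening paragraph does not say what is meant (`practical, actionable guidance` does).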
mysql 02 Representative Use Case https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/mysql/migrate/mysql-on-premises-azure-db/02-representative-use-case.md
+
+ Title: "MySQL on-premises to Azure Database for MySQL migration guide Representative Use Case"
+description: "The following use case is based on a real-world customer scenario of an enterprise who migrated their MySQL workload to Azure Database for MySQL."
+++++++ Last updated : 06/11/2021++
+# MySQL on-premises to Azure Database for MySQL migration guide Representative Use Case
+
+## Prerequisites
+
+[Introduction](01-mysql-migration-guide-intro.md)
+## Overview
+
+The following use case is based on a real-world customer scenario of an enterprise that migrated their MySQL workload to Azure Database for MySQL.
+
+The World-Wide Importers (WWI) company is a San Francisco, California-based manufacturer and wholesale distributor of novelty goods. They began operations in 2002 and developed an effective business-to-business (B2B) model, selling the items they produce directly to retail customers throughout the United States. Its customers include specialty stores, supermarkets, computing stores, tourist attraction shops, and some individuals. This B2B model enables a streamlined distribution system of their products, allowing them to reduce costs and offer more competitive pricing on their manufactured items. They also sell to other wholesalers via a network of agents who promote their products on WWI's behalf.
+
+Before launching into new areas, WWI wants to ensure its IT infrastructure can handle the expected growth. WWI currently hosts all its IT infrastructure on-premises at its corporate headquarters and believes moving these resources to the cloud enables future growth. As a result, they've tasked their CIO with overseeing the migration of their customer portal and the associated data workloads to the cloud.
+
+WWI would like to continue to take advantage of the many advanced capabilities available in the cloud, and they're interested in migrating their databases and associated workloads into Azure. They want to do this quickly and without having to make any changes to their applications or databases. Initially, they plan on migrating their java-based customer portal web application and the associated MySQL databases and workloads to the cloud.
+
+### Migration goals
+
+The primary goals for migrating their databases and associated SQL workloads to the cloud include:
+
+ - Improve their overall security posture with data at rest and in transit.
+
+ - Enhance the high availability and disaster recovery (HA/DR) capabilities.
+
+ - Position the organization to use cloud-native capabilities and technologies such as point-in-time restore.
+
+ - Take advantage of administrative and performance optimization features of Azure Database for MySQL.
+
+ - Create a scalable platform that they can use to expand their business into more geographic regions.
+
+ - Allow for enhanced compliance with various legal requirements where personal information is stored.
+
+WWI used the [Cloud Adoption Framework (CAF)](/azure/cloud-adoption-framework/) to educate their team on following best practices guidelines for cloud migration. Then, using CAF as a higher-level migration guide, WWI customized their migration into three main stages. Finally, they defined activities that needed to be addressed within each stage to ensure a successful lift and shift cloud migration.
+
+These stages include:
+
+| Stage | Name | Activities |
+|-|||
+| 1 | Pre-migration | Assessment, Planning, Migration Method Evaluation, Application Implications, Test Plans, Performance Baselines |
+| 2 | Migration | Execute Migration, Execute Test Plans |
+| 3 | Post-migration | Business Continuity, Disaster Recovery, Management, Security, Performance Optimization, Platform modernization |
+
+WWI has several instances of MySQL running with varying versions ranging from 5.5 to 5.7. They would like to move their instances to the latest version as soon as possible but would like to ensure their applications can still work if they move to the newer versions. They're comfortable moving to the same version in the cloud and upgrading afterward, but they would prefer that path if they can accomplish two tasks at once.
+
+They would also like to ensure that their data workloads are safe and available across multiple geographic regions if there's a failure and look at the available configuration options.
+
+WWI wants to start with a simple application for the first migration and then move to more business-critical applications in a later phase. This provides the team with the knowledge and experience they need to prepare and plan for those future migrations.
+
+> [!div class="nextstepaction"]
+> [Assessment](./03-assessment.md)
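Review bot: the delimiter row `|-|||` under `| Stage | Name | Activities |` is not a valid table separator (each column needs its own run of dashes, e.g. `|---|---|---|`), so the stage table will render as plain text on GitHub and most markdown renderers. In the same article, `migrating their databases and associated SQL workloads` should read `MySQL workloads`, and the version sentence `They're comfortable moving to the same version in the cloud and upgrading afterward, but they would prefer that path if they can accomplish two tasks at once.` contradicts itself; suggest `They are willing to migrate to the same version and upgrade afterward, but would prefer to upgrade as part of the migration if both steps can be done safely at once.`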
mysql 03 Assessment https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/mysql/migrate/mysql-on-premises-azure-db/03-assessment.md
+
+ Title: "MySQL on-premises to Azure Database for MySQL migration guide assessment"
+description: "Before jumping right into migrating a MySQL workload, there's a fair amount of due diligence that must be performed."
+++++++ Last updated : 06/11/2021++
+# MySQL on-premises to Azure Database for MySQL migration guide assessment
+
+## Prerequisites
+
+[Representative Use Case](02-representative-use-case.md)
+
+## Overview
+
+Before jumping right into migrating a MySQL workload, there's a fair amount of due diligence that must be performed. This includes analyzing the data, hosting environment, and application workloads to validate the Azure Landing zone is configured correctly and prepared to host the soon-to-be migrated workloads.
+
+## Limitations
+
+Azure Database for MySQL is a fully supported version of the MySQL community edition running as a platform as a service. However, there are [some limitations](../../concepts-limits.md) to become familiar with when doing an initial assessment.
+
+The most important of which include:
+
+ - Storage engine support for `InnoDB` and `Memory` only
+
+ - Limited `Privilege` support (`DBA`, `SUPER`, `DEFINER`)
+
+ - Disabled data manipulation statements (`SELECT ... INTO OUTFILE`, `LOAD DATA INFILE`)
+
+ - Automatic significant database migration (5.6 to 5.7, 5.7 to 8.0)
+
+ - When using [MySQL Server User-Defined Functions (UDFs),](https://dev.mysql.com/doc/refman/5.7/en/server-udfs.html) the only viable hosting option is Azure Hosted VMs, as there's no capability to upload the `so` or `dll` component to Azure Database for MySQL.
+
+Many of the other items are operational aspects that administrators should become familiar with as part of the operational data workload lifecycle management. This guide explores many of these operational aspects in the Post Migration Management section.
+
+## MySQL versions
+
+MySQL has a rich history starting in 1995. Since then, it has evolved into a widely used database management system. Azure Database for MySQL started with the support of MySQL version 5.6 and has continued to 5.7 and recently 8.0. For the latest on Azure Database for MySQL version support, reference [Supported Azure Database for MySQL server versions.](../../concepts-supported-versions.md) In the Post Migration Management section, we review how upgrades (such as 5.7.20 to 5.7.21) are applied to the MySQL instances in Azure.
+
+> [!NOTE]
+> The jump from 5.x to 8.0 was largely due to the Oracle acquisition of MySQL. To read more about MySQL history, navigate to the [MySQL wiki page. ](https://en.wikipedia.org/wiki/MySQL)
+
+Knowing the source MySQL version is essential. The applications using the system may be using database objects and features that are specific to that version. Migrating a database to a lower version could cause compatibility issues and loss of functionality. It's also recommended the data and application instance are thoroughly tested before migrating to a newer version as the features introduced could break your application.
+
+Examples that may influence the migration path and version:
+
+ - 5.6: TIMESTAMP column for correct storage of milliseconds and full-text search
+
+ - 5.7: Support for native JSON data type
+
+ - 8.0: Support for NoSQL Document Store, atomic, and crash-safe DDL and JSON table functions
+
+ > [!NOTE]
+ > MySQL 5.6 loses general support in February of 2021. MySQL workloads needs to migrate to MySQL version of 5.7 or greater.
+
+To check the MySQL server version:
+
+```
+SHOW VARIABLES LIKE "%version%";
+```
+
+### Database storage engines
+
+Azure Database for MySQL only supports [InnoDB](https://dev.mysql.com/doc/refman/8.0/en/innodb-storage-engine.html) and [Memory](https://dev.mysql.com/doc/refman/8.0/en/memory-storage-engine.html) database storage engines. Other storage engines, like [MyISAM,](https://dev.mysql.com/doc/refman/8.0/en/myisam-storage-engine.html) need to be migrated to a supported storage engine. The differences between MyISAM and InnoDB are the operational features and performance output. The higher-level tables and schema structure typically don't change between the engines, but the index and table column types may change for storage and performance reasons. Although InnoDB is known to have large data file sizes, these storage details are managed by the Azure Database for MySQL service.
+
+#### Migrating from MyISAM to InnoDB
+
+The MyISAM database and tables needs to be converted to InnoDB tables. After conversion, applications should be tested for compatibility and performance. In most cases, testing requires recreating the table and changing the target storage engine via DDL statements. It's unlikely this change needs to be performed during migration as it occurs during the schema creation in the Azure target. For more details, review the [converting tables developers documentation](https://dev.mysql.com/doc/refman/5.6/en/converting-tables-to-innodb.html) on the MySQL website.
+
+To find useful table information, use this query:
+
+```dotnetcli
+ SELECT
+ tab.table_schema,
+ tab.table_name,
+ tab.engine as engine_type,
+ tab.auto_increment,
+ tab.table_rows,
+ tab.create_time,
+ tab.update_time,
+ tco.constraint_type
+ FROM information_schema.tables tab
+ LEFT JOIN information_schema.table_constraints tco
+ ON (tab.table_schema = tco.table_schema
+ AND tab.table_name = tco.table_name
+ )
+ WHERE
+ tab.table_schema NOT IN ('mysql', 'information_schema', 'performance_
+schema', 'sys')
+ AND tab.table_type = 'BASE TABLE';
+```
+
+> [!NOTE]
+> Running query against INFORMATION\_SCHEMA across multiple databases might impact performance. Run during low usage periods.
+
+To convert a table from MyISAM to InnoDB, run the following:
+
+```
+ALTER TABLE {table\_name} ENGINE=InnoDB;
+```
+
+> [!NOTE]
+> This conversion approach causes the table to lock, and all applications can wait until the operation is complete. The table locking makes the database appear offline for a short period.
+
+Instead, the table can be created with the same structure but with a different storage engine. Once created, copy the rows into the new table:
+
+```
+INSERT INTO {table\_name} SELECT * FROM {myisam\_table} ORDER BY {primary\_key\_columns}
+```
+
+> [!NOTE]
+> For this approach to be successful, the original table would need to be deleted, then the new table renamed. This task causes a short downtime period.
+
+### Database data and objects
+
+Data is one component of database migration. The database supporting objects must be migrated and validated to ensure the applications continue to run reliably.
+
+Here's a list of items you should inventory before and after the migration:
+
+ - Tables (schema)
+
+ - Primary keys, foreign keys
+
+ - Indexes
+
+ - Functions
+
+ - Procedures
+
+ - Triggers
+
+ - Views
+
+### User-Defined functions
+
+MySQL allows for the usage of functions that call external code. Unfortunately, data workloads using User-Defined Functions (UDFs) with external code cannot be migrated to Azure Database for MySQL. This is because the required MySQL function's backing so or dll code cannot be uploaded to the Azure server.
+
+Run the following query to find any UDFs that may be installed:
+
+```
+SELECT * FROM mysql.func;
+```
+
+## Source systems
+
+The amount of migration preparation can vary depending on the source system and its location. In addition to the database objects, consider how to get the data from the source system to the target system. Migrating data can become challenging when firewalls and other networking components are between the source and target.
+
+Additionally, moving data over the Internet can be slower than using dedicated circuits to Azure. Therefore, when moving many gigabytes, terabytes, and petabytes of data, consider setting up an [ExpressRoute](../../../expressroute/expressroute-introduction.md) connection between the source network and the Azure network.
+
+If ExpressRoute is already present, it's likely that connection is being used by other applications. Performing a migration over an existing route can cause strain on the network throughput and potentially cause a significant performance hit for both the migration and other applications using the network.
+
+Lastly, disk space must be evaluated. When exporting a large database, consider the size of the data. Ensure the system where the tool is running, and ultimately the export location has enough disk space to perform the export operation.
+
+### Cloud providers
+
+Migrating databases from cloud services providers such as Amazon Web Services (AWS) may require an extra networking configuration step in order to access the cloud-hosted MySQL instances. Migration tools, like Data Migration Services, require access from outside IP ranges and maybe otherwise blocked.
+
+### On-premises
+
+Like cloud providers, if the MySQL data workload is behind firewalls or other network security layers, a path needs to be created between the on-premises instance and Azure Database for MySQL.
+
+## Tools
+
+Many tools and methods can be used to assess the MySQL data workloads and environments. Each tool provides a different set of assessment and migration features and functionality. As part of this guide, we review the most commonly used tools for assessing MySQL data workloads.
+
+### Azure migrate
+
+Although [Azure Migrate](/azure/migrate/migrate-services-overview) doesn't support migrating MySQL database workloads directly, it can be used when administrators are unsure of what users and applications are consuming the data, whether hosted in a virtual or hardware-based machine. [Dependency analysis](/azure/migrate/concepts-dependency-visualization) can be accomplished by installing and running the monitoring agent on the machine hosting the MySQL workload. The agent gathers the information over a set period, such as a month. The dependency data can be analyzed to find unknown connections being made to the database. The connection data can help identify application owners that need to be notified of the pending migration.
+
+In addition to the dependency analysis of applications and user connectivity data, Azure Migrate can also be used to analyze the [Hyper-V, VMware, or physical servers](../../../migrate/migrate-appliance-architecture.md) to provide utilization patterns of the database workloads to help suggest the proper target environment.
+
+### Telgraf for Linux
+
+Linux workloads can utilize the [Microsoft Monitoring Agent (MMA)](../../../azure-monitor/agents/agent-linux.md) to gather data on your virtual and physical machines. Additionally, consider using the [Telegraf agent](../../../azure-monitor/essentials/collect-custom-metrics-linux-telegraf.md) and its wide array of plugins to gather your performance metrics.
+
+### Service tiers
+
+Equipped with the assessment information (CPU, memory, storage, etc.), the migration user's next choice is to decide on which Azure Database for MySQL [pricing tier](../../concepts-pricing-tiers.md) to start using.
+
+There are currently three tiers:
+
+ - **Basic** : Workloads requiring light compute and I/O performance.
+
+ - **General Purpose** : Most business workloads requiring balanced compute and memory with scalable I/O throughput.
+
+ - **Memory Optimized** : High-performance database workloads requiring in-memory performance for faster transaction processing and higher concurrency.
+
+The tier decision can be influenced by the RTO and RPO requirements of the data workload. When the data workload requires over 4 TB of storage, an extra step is required. Review and select [a region that supports](../../concepts-pricing-tiers.md#storage) up to 16 TB of storage.
+
+> [!NOTE]
+> Contact the MySQL team (AskAzureDBforMySQL@service.microsoft.com) for regions that don't support your storage requirements.
+
+Typically, the decision-making focuses on the storage and IOPS, or Input/output Operations Per Second, needs. Thus, the target system always needs at least as much storage as in the source system. Additionally, since IOPS are allocated 3/GB, it's important to match up the IOPs needs to the final storage size.
+
+| Factors | Tier |
+|||
+| **Basic** | Development machine, no need for high performance with less than 1 TB storage. |
+| **General Purpose** | Needs for IOPS more than what basic tier can provide, but for storage less than 16 TB, and less than 4 GB of memory. |
+| **Memory Optimized** | Data workloads that utilize high memory or high cache and buffer-related server configuration such as high concurrency innodb_buffer_pool_instances, large BLOB sizes, systems with many slaves for replication. |
+
+### Costs
+
+After evaluating the entire WWI MySQL data workloads, WWI determined they would need at least 4 vCores and 20 GB of memory and at least 100 GB of storage space with an IOP capacity of 450 IOPS. Because of the 450 IOPS requirement, they need to allocate at least 150 GB of storage because of [Azure Database for MySQL IOPs allocation method.](../../concepts-pricing-tiers.md#storage) Additionally, they require at least up to 100% of your provisioned server storage as backup storage and one read replica. They don't anticipate an outbound egress of more than 5 GB.
+
+Using the [Azure Database for MySQL pricing calculator](https://azure.microsoft.com/pricing/details/mysql/), WWI was able to determine the costs for the Azure Database for MySQL instance. As of 9/2020, the total costs of ownership (TCO) are displayed in the following table for the WWI Conference Database:
+
+| Resource | Description | Quantity | Cost |
+|-|-|-||
+| **Compute (General Purpose)** | 4 vCores, 20 GB | 1 @ $0.351/hr | $3074.76 / yr |
+| **Storage** | 5 GB | 12 x 150 @ $0.115 | $207 / yr |
+| **Backup** | Up to 100% of provisioned storage | No extra cost up to 100% of provisioned server storage | $0.00 / yr |
+| **Read Replica** | 1-second region replica | compute + storage | $3281.76 / yr |
+| **Network** | < 5GB/month egress | Free | |
+| **Total** | | | $6563.52 / yr |
+
+After reviewing the initial costs, WWI's CIO confirmed they are on Azure for a period much longer than 3 years. They decided to use 3-year [reserve instances](../../concept-reserved-pricing.md) to save an extra \~$4K/yr:
+
+| Resource | Description | Quantity | Cost |
+|-|-|-||
+| **Compute (General Purpose)** | 4 vCores | 1 @ $0.1375/hr | $1204.5 / yr |
+| **Storage** | 5 GB | 12 x 150 @ $0.115 | $207 / yr |
+| **Backup** | Up to 100% of provisioned storage | No extra cost up to 100% of provisioned server storage | $0.00 / yr |
+| **Network** | < 5GB/month egress | Free | |
+| **Read Replica** | 1-second region replica | compute + storage | $1411.5 / yr |
+| **Total** | | | $2823 / yr |
+
+As the table above shows, backups, network egress, and any read replicas must be considered in the total cost of ownership (TCO). As more databases are added, the storage and network traffic generated would be the only extra cost-based factor to consider.
+
+> [!NOTE]
+> The estimates above don't include any [ExpressRoute](/azure/expressroute/expressroute-introduction), [Azure App Gateway](/azure/application-gateway/overview), [Azure Load Balancer](/azure/load-balancer/load-balancer-overview), or [App Service](/azure/app-service/overview) costs for the application layers.
+>
+> The above pricing can change at any time and varies based on region.
+
+### Application implications
+
+When moving to Azure Database for MySQL, the conversion to secure sockets layer (SSL) based communication is likely to be one of the most significant changes for your applications. SSL is enabled by default in Azure Database for MySQL, and it's likely the on-premises application and data workload is not set up to connect to MySQL using SSL. When enabled, SSL usage adds some extra processing overhead and should be monitored.
+
+> [!NOTE]
+> Although SSL is enabled by default, you do have the option to disable it.
+
+Follow the activities in [Configure SSL connectivity in your application to securely connect to Azure Database for MySQL](../../howto-configure-ssl.md) to reconfigure the application to support this strong authentication path.
+
+Lastly, modify the server name in the application connection strings or switch the DNS to point to the new Azure Database for MySQL server.
+
+## WWI scenario
+
+WWI started the assessment by gathering information about their MySQL data estate. They were able to compile the following:
+
+| Name | Source | Db Engine | Size | IOPS | Version | Owner | Downtime |
+||--|--||||-|-|
+| **WwwDB** | AWS (PaaS) | InnoDB | 1 GB | 150 | 5.7 | Marketing Dept | 1 hr |
+| **BlogDB** | AWS (PaaS) | InnoDB | 1 GB | 100 | 5.7 | Marketing Dept | 4 hrs |
+| **ConferenceDB** | On-premises | InnoDB | 5 GB | 50 | 5.5 | Sales Dept | 4 hrs |
+| **CustomerDB** | On-premises | InnoDB | 10 GB | 75 | 5.5 | Sales Dept | 2 hrs |
+| **SalesDB** | On-premises | InnoDB | 20 GB | 75 | 5.5 | Sales Dept | 1 hr |
+
+Each database owner was contacted to determine the acceptable downtime period. The planning and migration method selected were based on the acceptable database downtime.
+
+For the first phase, WWI focused solely on the ConferenceDB database. The team needed the migration experience to help the proceeding data workload migrations. The ConferenceDB database was selected because of the simple database structure and the large acceptable downtime. Once the database was migrated, the team focused on migrating the application into the secure Azure landing zone.
+
+## Assessment checklist
+
+ - Test the workload runs successfully on the target system.
+
+ - Ensure the right networking components are in place for the migration.
+
+ - Understand the data workload resource requirements.
+
+ - Estimate the total costs.
+
+ - Understand the downtime requirements.
+
+ - Be prepared to make application changes.
+
+> [!div class="nextstepaction"]
+> [Planning](./04-planning.md)
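Review bot: the Application implications section calls the transport `secure sockets layer (SSL)` and a `strong authentication path`, and the note `Although SSL is enabled by default, you do have the option to disable it.` invites turning it off without stating the cost: with SSL enforcement off, credentials and query data cross the network in cleartext, and what TLS provides here is transport encryption plus server authentication, not strong client authentication. Suggest saying TLS throughout, recommending that enforcement stay on, and pointing readers at the linked SSL/TLS article only to choose the minimum TLS version. Also worth fixing before merge: the storage-engine inventory query is fenced as `dotnetcli` rather than `sql`, and its `'performance_` string literal is broken across two lines, so the filter will never match `performance_schema`; the `ALTER TABLE` and `INSERT INTO ... SELECT` snippets carry `\_` escapes inside code fences, which render literally; the `INSERT ... SELECT` copy needs a caveat that rows written to the MyISAM table during the copy are lost unless the table is locked or the application is paused, which is the real source of the downtime the note mentions; the note attributing the 5.x to 8.0 version jump to the Oracle acquisition is unsupported and should be cited or dropped; `MySQL 5.6 loses general support in February of 2021` is already in the past for a June 2021 article and `workloads needs` should be `need`; `Telgraf` is `Telegraf`; `Data Migration Services ... maybe otherwise blocked` should be `Azure Database Migration Service ... may otherwise be blocked`; the delimiter rows under the tier, cost and data-estate tables (`|||`, `|-|-||`, `||--|--||||-|-|`) will not render as tables; the Storage cost rows describe `5 GB` but bill `12 x 150`; `less than 4 GB of memory` in the General Purpose row does not match any tier limit and needs checking; and `many slaves for replication` should be `many replicas`.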
mysql 04 Planning https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/mysql/migrate/mysql-on-premises-azure-db/04-planning.md
+
+ Title: "MySQL on-premises to Azure Database for MySQL migration guide Planning"
+description: "an azure landing zone is the target environment defined as the final resting place of a cloud migration project."
+++++++ Last updated : 06/11/2021++
+# MySQL on-premises to Azure Database for MySQL migration guide Planning
+
+## Prerequisites
+
+[Assessment](03-assessment.md)
+
+## Landing zone
+
+An [Azure Landing zone](/azure/cloud-adoption-framework/ready/landing-zone/) is the target environment defined as the final resting place of a cloud migration project. In most projects, the landing zone should be scripted via ARM templates for its initial setup. Finally, it should be customized with PowerShell or the Azure portal to fit the workloads needs.
+
+Since WWI is based in San Francisco, all resources for the Azure landing zone were created in the `US West 2` region. The following resources were created to support the migration:
+
+- [Azure Database for MySQL](../../quickstart-create-mysql-server-database-using-azure-portal.md)
+
+- [Azure Database Migration Service (DMS)](../../../dms/quickstart-create-data-migration-service-portal.md)
+
+- [Express Route](../../../expressroute/expressroute-introduction.md)
+
+- [Azure Virtual Network](../../../virtual-network/quick-create-portal.md) with [hub and spoke design](/azure/architecture/reference-architectures/hybrid-networking/hub-spoke) with corresponding [virtual network peerings](../../../virtual-network/virtual-network-peering-overview.md) establish.
+
+- [App Service](../../../app-service/overview.md)
+
+- [Application Gateway](../../../load-balancer/quickstart-load-balancer-standard-internal-portal.md?tabs=option-1-create-internal-load-balancer-standard)
+
+- [Private endpoints](../../../private-link/private-endpoint-overview.md) for the App Services and MySQL instance
+
+> [!NOTE]
+> As part of this guide, two ARM templates (one with private endpoints, one without) were provided in order to deploy a potential Azure landing zone for a MySQL migration project. The private endpoints ARM template provides a more secure and production like scenario. Additional manual Azure landing zone configuration may be necessary, depending on the requirements.
+
+## Networking
+
+Getting data from the source system to Azure Database for MySQL in a fast and optimal way is a vital component to consider in a migration project. Small unreliable connections may require administrators to restart the migration several times until a successful result is achieved. Restarting migrations because of network issues can lead to wasted effort.
+
+Take the time to understand and evaluate the network connectivity between the source, tool, and destination environments. In some cases, it may be appropriate to upgrade the internet connectivity or configure an ExpressRoute connection from the on-premises environment to Azure. Once on-premises to Azure connectivity has been created, the next step is to validate that the selected migration tool can connect from the source to the destination.
+
+The migration tool location determines the network connectivity requirements. As shown in the table below, the selected migration tool must connect to both the on-premises machine and to Azure. Azure should be configured to only accept network traffic from the migration tool location.
+
+| Migration Tool | Type | Location | Inbound Network Requirements | Outbound Network Requirements |
+|-||-||-|
+| **Database Migration Service (DMS)** | Offline | Azure | Allow 3306 from external IP | A path to connect to the Azure MySQL database instance |
+| **Import/Export (MySQL Workbench, mysqldump)** | Offline | On-premises | Allow 3306 from internal IP | A path to connect to the Azure MySQL database instance |
+| **Import/Export (MySQL Workbench, mysqldump)** | Offline | Azure VM | Allow 3306 from external IP | A path to connect to the Azure MySQL database instance |
+| **mydumper/myloader** | Offline | On-premises | Allow 3306 from internal IP | A path to connect to the Azure MySQL database instance |
+| **mydumper/myloader** | Offline | Azure VM | Allow 3306 from external IP | A path to connect to the Azure MySQL database instance |
+| **binlog** | Offline | On-premises | Allow 3306 from external IP or private IP via Private endpoints | A path for each replication server to the master |
+
+Other networking considerations include:
+
+- DMS located in a VNET is assigned a [dynamic public IP](../../../dms/faq.md#setup) to the service. At creation time, you can place the service inside a virtual network that has connectivity via a [ExpressRoute](../../../expressroute/expressroute-introduction.md) or over [a site to site VPN](../../../vpn-gateway/tutorial-site-to-site-portal.md).
+
+- When using an Azure Virtual Machine to run the migration tools, assign it a public IP address and then only allow it to connect to the on-premises MySQL instance.
+
+- Outbound firewalls must ensure outbound connectivity to Azure Database for MySQL. The MySQL gateway IP addresses are available on the [Connectivity Architecture in Azure Database for MySQL](../../concepts-connectivity-architecture.md#azure-database-for-mysql-gateway-ip-addresses) page.
+
+## SSL/TLS connectivity
+
+In addition to the application implications of migrating to SSL-based communication, the SSL/TLS connection types are also something that needs to be considered. After creating the Azure Database for MySQL database, review the SSL settings, and read the [SSL/TLS connectivity in Azure Database for MySQL](../../concepts-ssl-connection-security.md) article to understand how the TLS settings can affect the security posture.
+
+> [!Important]
+> Pay attention to the disclaimer on the page. Enforcement of TLS version is not be enabled by default. Once TLS is enabled, the only way to disable it is to re-enable SSL.
+
+## WWI scenario
+
+WWIΓÇÖs cloud team has created the necessary Azure landing zone resources in a specific resource group for the Azure Database for MySQL. To create the landing zone, WWI decided to script the setup and deployment using ARM templates. By using ARM templates, they can quickly tear down and resetup the environment, if needed.
+
+As part of the ARM template, all connections between virtual networks are configured with peering in a hub and spoke architecture. The database and application are placed into separate virtual networks. An Azure App Gateway is placed in front of the app service to allow the app service to be isolated from the Internet. The Azure App Service connects to the Azure Database for MySQL using a private endpoint.
+
+WWI originally wanted to test an online migration, but the required network setup for DMS to connect to their on-premises environment made this infeasible. WWI chose to do an offline migration instead. The MySQL Workbench tool was used to export the on-premises data and then was used to import the data into the Azure Database for MySQL instance.
+
+## Planning checklist
+
+- Prepare the Azure landing zone. Consider using ARM template deployment in case the environment must be torn down and rebuilt quickly.
+
+- Verify the networking setup. Verification should include: connectivity, bandwidth, latency, and firewall configurations.
+
+- Determine if you're going to use the online or offline data migration strategy.
+
+- Decide on the SSL certificate strategy.
++
+> [!div class="nextstepaction"]
+> [Migration Methods](./05-migration-methods.md)
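Review bot: the important callout `> Pay attention to the disclaimer on the page. Enforcement of TLS version is not be enabled by default. Once TLS is enabled, the only way to disable it is to re-enable SSL.` is ungrammatical ("is not be enabled") and its second sentence reads as a contradiction (disabling TLS by re-enabling SSL); reword it to name the specific setting meant (SSL enforcement versus the minimum TLS version) and to state plainly which of them can be reverted after creation, otherwise a reader cannot act on it. In the networking bullet `When using an Azure Virtual Machine to run the migration tools, assign it a public IP address and then only allow it to connect to the on-premises MySQL instance.`, say who enforces the "only": the on-premises firewall should permit port 3306 from that VM's public IP alone, and the VM should not accept inbound connections it does not need, so the migration host with a public address is not itself exposed. Minor: "WWIΓÇÖs" in the WWI scenario paragraph is a mis-encoded apostrophe (UTF-8 decoded as a single-byte code page) and should be a plain `'`, and the bare `++` line before the nextstepaction block is a stray character that renders as a literal plus sign.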
mysql 05 Migration Methods https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/mysql/migrate/mysql-on-premises-azure-db/05-migration-methods.md
+
+ Title: "MySQL on-premises to Azure Database for MySQL migration guide Migration Methods"
+description: "Getting the data from the source to target will require using tools or features of MySQL to accomplish the migration."
+++++++ Last updated : 06/11/2021++
+# MySQL on-premises to Azure Database for MySQL migration guide Migration Methods
+
+## Prerequisites
+
+[Planning](04-planning.md)
+
+## Overview
+
+Getting the data from the source to target requires using tools or features of MySQL to accomplish the migration.
+
+It's important to complete the entire assessment and planning stages before starting the next stages. The decisions and data collected are migration path and tool selection dependencies.
+
+We explore the following commonly used tools in this section:
+
+ - MySQL Workbench
+
+ - mysqldump
+
+ - mydumper and myloader
+
+ - Data-in replication (binlog)
+
+### MySQL Workbench
+
+[MySQL Workbench](https://www.mysql.com/products/workbench/) provides a rich GUI experience that allows developers and administrators to design, develop, and manage their MySQL instances.
+
+The latest version of the MySQL Workbench provides sophisticated [object migration capabilities](https://www.mysql.com/products/workbench/migrate/) when moving a database from a source to target.
+
+#### Data Import and Export
+
+MySQL Workbench provides a wizard-based UI to do full or partial export and import of tables and database objects. For an example of how to use the MySQL Workbench, see [Migrate your MySQL database using import and export. ](../../concepts-migrate-import-export.md)
+
+### Dump and restore (mysqldump)
+
+`mysqldump` is typically provided as part of the MySQL installation. It's a [client utility](https://dev.mysql.com/doc/refman/5.7/en/mysqldump.html) that can be run to create logical backups that equate to a set of SQL statements that can be replayed to rebuild the database to a point in time. `mysqldump` is not intended as a fast or scalable solution for backing up or migrating large amounts of data. Executing a large set of SQL insert statements can perform poorly due to the disk I/O required to update indexes. However, when combined with other tools that require the original schema, `mysqldump` is a great tool for generating the database and table schemas. The schemas can create the target landing zone environment.
+
+The `mysqldump` utility provides useful features during the data migration phase. Performance considerations need to be evaluated before running the utility. See [Performance considerations.](../../concepts-migrate-dump-restore.md#performance-considerations)
+
+### mydumper and myloader
+
+Environments with large databases requiring fast migration should use [mydumper and myloader.](https://github.com/maxbube/mydumper) These tools are written in C++ and utilize multi-threaded techniques to send the data as fast as possible to the target MySQL instance. `mydumper` and `myloader` take advantage of parallelism and can speed up the migration by a factor of 10x or more.
+
+The toolsΓÇÖ binary releases available for public download have been compiled for Linux. To run these tools on Windows, the open-source projects would need to be recompiled. Compiling source code and creating releases is not a trivial task for most users.
+
+### Data-in replication (binlog)
+
+Similar to other database management systems, MySQL provides for a log replication feature called [binlog replication.](https://dev.mysql.com/doc/refman/5.7/en/binlog-replication-configuration-overview.html) The `binlog` replication feature helps with data migration and the creation of read replicas.
+
+Utilize binlog replication to [migrate your data to Azure Database for MySQL](../../concepts-data-in-replication.md) in an online scenario. The data replication helps to reduce the downtime required to make the final target data changes.
+
+In order to use the `binlog` replication feature there are some setup [requirements:](../../howto-data-in-replication.md#link-source-and-replica-servers-to-start-data-in-replication)
+
+ - Then master server is recommended to use the MySQL InnoDB engine. If you're using a storage engine other than InnoDB, you need to migrate those tables to InnoDB.
+
+ - Migration users must have permissions to configure binary logging and create new users on the master server.
+
+ - If the master server has SSL enabled, ensure the SSL CA certificate provided for the domain has been included in the mysql.az\_replication\_change\_master stored procedure. Refer to the following [examples](../../howto-data-in-replication.md#link-source-and-replica-servers-to-start-data-in-replication) and the master\_ssl\_ca parameter.
+
+ - Ensure the master serverΓÇÖs IP address has been added to the Azure Database for MySQL replica serverΓÇÖs firewall rules. Update firewall rules using the Azure portal or Azure CLI.
+
+ - Ensure the machine hosting the master server allows both inbound and outbound traffic on port 3306.
+
+ - Ensure the master server has an accessible IP address (public or private) from the source to the targets.
+
+To perform a migration using replication, review [How to configure Azure Database for MySQL Data-in Replication](../../howto-data-in-replication.md#link-source-and-replica-servers-to-start-data-in-replication) for details.
+
+The `binlog` replication method has high CPU and extra storage requirements. Migration users should test the load placed on the source system during online migrations and determine if It's acceptable.
+
+### Azure Database Migration Service (DMS)
+
+The [Azure Database Migration Services (DMS)](https://azure.microsoft.com/services/database-migration/) is an Azure cloud-based tool that allows administrators to keep track of the various settings for migration and reuse them if necessary. DMS works by creating migration projects with settings that point to various sources and destinations. It supports [offline migrations](../../../dms/tutorial-mysql-azure-mysql-offline-portal.md). Additionally, it supports on-premises data workloads and cloud-based workloads such as Amazon Relational Database Service (RDS) MySQL.
+
+Although the DMS service is an online tool, it does rely on the `binlog` replication feature of MySQL to complete its tasks. Currently, DMS partially automates the offline migration process. DMS requires the generation and application of the matching schema in the target Azure Database for MySQL instance. Schemas can be exported using the `mysqldump` client utility.
+
+### Fastest/Minimum Downtime Migration
+
+There are plenty of paths for migrating the data. Deciding which path to take is a function of the migration teamΓÇÖs skill set, and the amount of downtime the database and application owners are willing to accept. Some tools support multi-threaded parallel data migration approaches while other tools were designed for simple migrations of table data only.
+
+The fastest and most complete path is to use `binlog` replication (either directly with MySQL or via DMS), but it comes with the costs of adding primary keys.
+
+### Decision Table
+
+There are many paths WWI can take to migrate their MySQL workloads. We've provided a table of the potential paths and the advantages and disadvantages of each:
+
+| Objective | Description | Tool | Prerequisites | Advantages | Disadvantages |
+|--|-|||||
+| **Fastest migration possible** | Parallel approach | mydumper and myloader | Linux | Highly parallelized | Target throttling |
+| **Online migration** | Keep the source up for as long as possible | binlog | None | Seamless | Extra processing and storage |
+| **Offline migration** | Keep the source up for as long as possible | Database Migration Service (DMS) | None | Repeatable process | Limited to data only, supports all MySQL versions |
+| **Highly Customized Offline Migration** | Selectively export objects | mysqldump | None | Highly customizable | Manual |
+| **Offline Migration Semi-automated** | UI-based export and import | MySQL Workbench | Download and Install | Semi-automated | Only common sets of switches are supported |
+
+### WWI Scenario
+
+WWI has selected its conference database as its first migration workload. The workload was chosen because it had the least risk and the most available downtime due to the gap in the annual conference schedule. In addition, based on the migration teamΓÇÖs assessment, they determined that they attempted to perform an offline migration using MySQL Workbench.
+
+### Migration Methods Checklist
+
+ - Ensure the right method is selected given the target and source environments.
+
+ - Ensure the method can meet the business requirements.
+
+ - Always verify if the data workload supports the method.
++
+> [!div class="nextstepaction"]<
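Review bot: in the decision table, the **Offline migration** row reuses the **Online migration** description (`Keep the source up for as long as possible`), which is the opposite of what an offline migration does, and lists `supports all MySQL versions` under Disadvantages where it reads as an advantage; correct the description and move or drop that entry. The delimiter row `|--|-|||||` has empty cells for the last four columns and will not render as a table in every Markdown renderer; use `|--|--|--|--|--|--|`. The DMS section also contradicts itself on mode: it is introduced as supporting offline migrations, then called "an online tool" that "partially automates the offline migration process", so state once which mode this guide uses DMS for and why binlog is still required. Typos: "Then master server is recommended" should read "The master server is recommended"; "determine if It's acceptable" has a stray capital; the WWI scenario sentence "they determined that they attempted to perform an offline migration using MySQL Workbench" is garbled and should say that the team chose to perform one, matching the planning page; "toolsΓÇÖ", "serverΓÇÖs" and "teamΓÇÖs" are mis-encoded apostrophes; and the closing `> [!div class="nextstepaction"]<` is cut off with a trailing `<` and is missing its link line.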