Updates from: 06/16/2021 03:09:17
Service Microsoft Docs article Related commit history on GitHub Change details
active-directory-b2c Add Password Reset Policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/add-password-reset-policy.md
The [sign-up and sign-in journey](add-sign-up-and-sign-in-policy.md) allows user
![Password reset flow](./media/add-password-reset-policy/password-reset-flow.png)
-The password reset flow applies to local accounts in Azure AD B2C that use an [email address](identity-provider-local.md#email-sign-in) or [username](identity-provider-local.md#username-sign-in) with a password for sign-in.
+The password reset flow applies to local accounts in Azure AD B2C that use an [email address](sign-in-options.md#email-sign-in) or [username](sign-in-options.md#username-sign-in) with a password for sign-in.
> [!TIP] > The self-service password reset flow allows users to change their password when the user forgets their password and wants to reset it. Consider configuring a [password change flow](add-password-change-policy.md) to support cases where a user knows their password and wants to change it.
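Review bot: The retargeted anchors on the added line, `sign-in-options.md#email-sign-in` and `sign-in-options.md#username-sign-in`, point into an article that this update lists without any visible change details, so nothing shown here confirms those headings exist in it. Verify that both anchors resolve before merging. The same retarget recurs in force-password-reset.md and microsoft-graph-operations.md, the latter also relying on `#phone-sign-in`.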
To let users of your application reset their password, you create a password res
1. On the **Create a user flow** page, select the **Password reset** user flow. 1. Under **Select a version**, select **Recommended**, and then select **Create**. 1. Enter a **Name** for the user flow. For example, *passwordreset1*.
-1. For **Identity providers**, enable **Reset password using email address**.
-1. Under **Application claims**, select **Show more** and choose the claims you want returned in the authorization tokens sent back to your application. For example, select **User's Object ID**.
+1. For **Identity providers**, enable **Reset password using username** or **Reset password using email address**.
+1. Under **Multifactor authentication**, if you want to require users to verify their identity with a second authentication method, choose the method type and when to enforce multi-factor authentication (MFA). [Learn more](multi-factor-authentication.md).
+1. Under **Conditional access**, if you've configured Conditional Access policies for your Azure AD B2C tenant and you want to enable them for this user flow, select the **Enforce conditional access policies** check box. You don't need to specify a policy name. [Learn more](conditional-access-user-flow.md?pivots=b2c-user-flow).
+1. 1. Under **Application claims**, select **Show more** and choose the claims you want returned in the authorization tokens sent back to your application. For example, select **User's Object ID**.
1. Select **OK**. 1. Select **Create** to add the user flow. A prefix of *B2C_1* is automatically appended to the name.
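Review bot: The added Application claims step starts with a doubled list marker, `+1. 1. Under **Application claims**`, which will render as a nested list item or a literal "1." inside the step. Drop the second `1.` so the step numbers continue cleanly after the new Multifactor authentication and Conditional access steps.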
active-directory-b2c Add Profile Editing Policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/add-profile-editing-policy.md
Previously updated : 12/16/2020 Last updated : 06/07/2021
If you want to enable users to edit their profile in your application, you use a
1. On the **Create a user flow** page, select the **Profile editing** user flow. 1. Under **Select a version**, select **Recommended**, and then select **Create**. 1. Enter a **Name** for the user flow. For example, *profileediting1*.
-1. For **Identity providers**, select **Email sign-in**.
-1. For **User attributes**, choose the attributes that you want the customer to be able to edit in their profile. For example, select **Show more**, and then choose both attributes and claims for **Display name** and **Job title**. Click **OK**.
-1. Click **Create** to add the user flow. A prefix of *B2C_1* is automatically appended to the name.
+1. Under **Identity providers** select at least one identity provider:
+
+ * Under **Local accounts**, select one of the following: **Email signin**, **User ID signin**, **Phone signin**, **Phone/Email signin**, **User ID/Email signin**, or **None**. [Learn more](sign-in-options.md).
+ * Under **Social identity providers**, select any of the external social or enterprise identity providers you've set up. [Learn more](add-identity-provider.md).
+1. Under **Multifactor authentication**, if you want to require users to verify their identity with a second authentication method, choose the method type and when to enforce multi-factor authentication (MFA). [Learn more](multi-factor-authentication.md).
+1. Under **Conditional access**, if you've configured Conditional Access policies for your Azure AD B2C tenant and you want to enable them for this user flow, select the **Enforce conditional access policies** check box. You don't need to specify a policy name. [Learn more](conditional-access-user-flow.md?pivots=b2c-user-flow).
+1. Under **User attributes**, choose the attributes that you want the customer to be able to edit in their profile. For the full list of values, select **Show more**, choose the values, and then select **OK**.
+1. Select **Create** to add the user flow. A prefix of *B2C_1* is automatically appended to the name.
### Test the user flow
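Review bot: The new Identity providers step says to "select at least one identity provider", yet the Local accounts bullet directly under it offers **None** as a choice. State that **None** is valid only when a social identity provider is also selected, otherwise a reader can follow both instructions and end up with a flow that has no provider at all.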
active-directory-b2c Add Sign In Policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/add-sign-in-policy.md
Previously updated : 03/04/2021 Last updated : 06/07/2021
To add sign-in policy:
1. On the **Create a user flow** page, select the **Sign in** user flow. 1. Under **Select a version**, select **Recommended**, and then select **Create**. ([Learn more](user-flow-versions.md) about user flow versions.) 1. Enter a **Name** for the user flow. For example, *signupsignin1*.
-1. For **Identity providers**, select **Email sign-in**.
-1. For **Application claims**, choose the claims and attributes that you want to send to your application. For example, select **Show more**, and then choose attributes and claims for **Display Name**, **Given Name**, **Surname**, and **User's Object ID**. Click **OK**.
+1. Under **Identity providers** select at least one identity provider:
+
+ * Under **Local accounts**, select one of the following: **Email signin**, **User ID signin**, **Phone signin**, **Phone/Email signin**, **User ID/Email signin**, or **None**. [Learn more](sign-in-options.md).
+ * Under **Social identity providers**, select any of the external social or enterprise identity providers you've set up. [Learn more](add-identity-provider.md).
+1. Under **Multifactor authentication**, if you want to require users to verify their identity with a second authentication method, choose the method type and when to enforce multi-factor authentication (MFA). [Learn more](multi-factor-authentication.md).
+1. Under **Conditional access**, if you've configured Conditional Access policies for your Azure AD B2C tenant and you want to enable them for this user flow, select the **Enforce conditional access policies** check box. You don't need to specify a policy name. [Learn more](conditional-access-user-flow.md?pivots=b2c-user-flow).
+1. Under **Application claims**, choose the claims you want returned to the application in the token. For the full list of values, select **Show more**, choose the values, and then select **OK**.
+ > [!NOTE]
+ > You can also [create custom attributes](user-flow-custom-attributes.md?pivots=b2c-user-flow) for use in your Azure AD B2C tenant.
1. Click **Create** to add the user flow. A prefix of *B2C_1* is automatically prepended to the name. ### Test the user flow
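Review bot: The unchanged final step still reads "Click **Create**", while the equivalent step in the profile editing and sign-up and sign-in articles was changed to "Select **Create**" in this same update. Change it here as well for consistency. The context line above also gives *signupsignin1* as the example name for a **Sign in** user flow, which looks carried over from the sign-up and sign-in article and is worth replacing with a sign-in specific example.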
active-directory-b2c Add Sign Up And Sign In Policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/add-sign-up-and-sign-in-policy.md
Previously updated : 04/22/2021 Last updated : 06/07/2021
The sign-up and sign-in user flow handles both sign-up and sign-in experiences w
![Create user flow page in Azure portal with properties highlighted](./media/add-sign-up-and-sign-in-policy/select-version.png) 1. Enter a **Name** for the user flow. For example, *signupsignin1*.
-1. For **Identity providers**, select **Email sign-up**.
-1. For **User attributes and claims**, choose the claims and attributes that you want to collect and send from the user during sign-up. For example, select **Show more**, and then choose attributes and claims for **Country/Region**, **Display Name**, and **Postal Code**. Click **OK**.
+1. Under **Identity providers** select at least one identity provider:
+
+ * Under **Local accounts**, select one of the following: **Email signup**, **User ID signup**, **Phone signup**, **Phone/Email signup**, or **None**. [Learn more](sign-in-options.md).
+ * Under **Social identity providers**, select any of the external social or enterprise identity providers you've set up. [Learn more](add-identity-provider.md).
+1. Under **Multifactor authentication**, if you want to require users to verify their identity with a second authentication method, choose the method type and when to enforce multi-factor authentication (MFA). [Learn more](multi-factor-authentication.md).
+1. Under **Conditional access**, if you've configured Conditional Access policies for your Azure AD B2C tenant and you want to enable them for this user flow, select the **Enforce conditional access policies** check box. You don't need to specify a policy name. [Learn more](conditional-access-user-flow.md?pivots=b2c-user-flow).
+1. Under **User attributes and token claims**, choose the attributes you want to collect from the user during sign-up and the claims you want returned in the token. For the full list of values, select **Show more**, choose the values, and then select **OK**.
+
+ > [!NOTE]
+ > You can also [create custom attributes](user-flow-custom-attributes.md?pivots=b2c-user-flow) for use in your Azure AD B2C tenant.
![Attributes and claims selection page with three claims selected](./media/add-sign-up-and-sign-in-policy/signup-signin-attributes.png)
-1. Click **Create** to add the user flow. A prefix of *B2C_1* is automatically prepended to the name.
-2. Follow the steps to [handle the flow for "Forgot your password?"](add-password-reset-policy.md?pivots=b2c-user-flow.md#self-service-password-reset-recommended) within the sign-up or sign-in policy.
+1. Select **Create** to add the user flow. A prefix of *B2C_1* is automatically prepended to the name.
+1. Follow the steps to [handle the flow for "Forgot your password?"](add-password-reset-policy.md?pivots=b2c-user-flow.md#self-service-password-reset-recommended) within the sign-up or sign-in policy.
### Test the user flow
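Review bot: The link on the last added line is carried over with a malformed query string, `add-password-reset-policy.md?pivots=b2c-user-flow.md#self-service-password-reset-recommended`: the pivot value ends in a stray `.md`. The other pivot links in this update use `?pivots=b2c-user-flow` with no extension, so this should read `add-password-reset-policy.md?pivots=b2c-user-flow#self-service-password-reset-recommended`.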
active-directory-b2c Custom Domain https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/custom-domain.md
Previously updated : 03/17/2021 Last updated : 06/15/2021 zone_pivot_groups: b2c-policy-type
The following diagram illustrates Azure Front Door integration:
1. From an application, a user clicks the sign-in button, which takes them to the Azure AD B2C sign-in page. This page specifies a custom domain name. 1. The web browser resolves the custom domain name to the Azure Front Door IP address. During DNS resolution, a canonical name (CNAME) record with a custom domain name points to your Front Door default front-end host (for example, `contoso.azurefd.net`). 1. The traffic addressed to the custom domain (for example, `login.contoso.com`) is routed to the specified Front Door default front-end host (`contoso.azurefd.net`).
-1. Azure Front Door invokes Azure AD B2C content using the Azure AD B2C `<tenant-name>.b2clogin.com` default domain. The request to the Azure AD B2C endpoint includes a custom HTTP header that contains the original custom domain name.
+1. Azure Front Door invokes Azure AD B2C content using the Azure AD B2C `<tenant-name>.b2clogin.com` default domain. The request to the Azure AD B2C endpoint includes the [X-Forwarded-Host](../frontdoor/front-door-http-headers-protocol.md) HTTP header. This HTTP header contains the original custom domain name.
1. Azure AD B2C responds to the request by displaying the relevant content and the original custom domain. ![Custom domain networking diagram](./media/custom-domain/custom-domain-network-flow.png)
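Review bot: The header name in the added step is written as plain link text, `[X-Forwarded-Host](../frontdoor/front-door-http-headers-protocol.md)`, while the other literals in this list (`contoso.azurefd.net`, `login.contoso.com`) are in code formatting. Put the header name in backticks inside the link, and consider merging the two short sentences into one: "includes the X-Forwarded-Host HTTP header, which contains the original custom domain name."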
To use your own web application firewall in front of Azure Front Door, you need
## Next steps
-Learn about [OAuth authorization requests](protocols-overview.md).
+Learn about [OAuth authorization requests](protocols-overview.md).
active-directory-b2c Force Password Reset https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/force-password-reset.md
When an administrator resets a user's password via the Azure portal, the value o
![Force password reset flow](./media/force-password-reset/force-password-reset-flow.png)
-The password reset flow is applicable to local accounts in Azure AD B2C that use an [email address](identity-provider-local.md#email-sign-in) or [username](identity-provider-local.md#username-sign-in) with a password for sign-in.
+The password reset flow is applicable to local accounts in Azure AD B2C that use an [email address](sign-in-options.md#email-sign-in) or [username](sign-in-options.md#username-sign-in) with a password for sign-in.
::: zone pivot="b2c-user-flow"
active-directory-b2c Identity Provider Azure Ad Multi Tenant https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/identity-provider-azure-ad-multi-tenant.md
Previously updated : 03/15/2021 Last updated : 06/15/2021
If the sign-in process is successful, your browser is redirected to `https://jwt
## Next steps
-When working with custom policies, you might sometimes need additional information when troubleshooting a policy during its development.
-
-To help diagnose issues, you can temporarily put the policy into "developer mode" and collect logs with Azure Application Insights. Find out how in [Azure Active Directory B2C: Collecting Logs](troubleshoot-with-application-insights.md).
+[Publisher verification](../active-directory/develop/publisher-verification-overview.md) helps your users understand the authenticity of the app you [registered](#register-an-application). A verified app means that the publisher of the app has [verified](/partner-center/verification-responses) their identity using their Microsoft Partner Network (MPN). Learn how to [mark your app as publisher verified](../active-directory/develop/mark-app-as-publisher-verified.md).
::: zone-end
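Review bot: The added Next steps paragraph says the publisher has verified their identity "using their Microsoft Partner Network (MPN)", which reads as if a word is missing; "MPN account" would complete it. The change also removes the only pointer to troubleshoot-with-application-insights.md from this section. If the article still documents custom policies, keep that link as a second Next steps item rather than dropping it.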
active-directory-b2c Identity Provider Azure Ad Single Tenant https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/identity-provider-azure-ad-single-tenant.md
Previously updated : 05/26/2021 Last updated : 06/15/2021
To get a token from the Azure AD endpoint, you need to define the protocols that
If the sign-in process is successful, your browser is redirected to `https://jwt.ms`, which displays the contents of the token returned by Azure AD B2C.
-## Next steps
-
-When working with custom policies, you might sometimes need additional information when troubleshooting a policy during its development.
-To help diagnose issues, you can temporarily put the policy into "developer mode" and collect logs with Azure Application Insights. Find out how in [Azure Active Directory B2C: Collecting Logs](troubleshoot-with-application-insights.md).
+## Next steps
+[Publisher verification](../active-directory/develop/publisher-verification-overview.md) helps your users understand the authenticity of the app you [registered](#register-an-azure-ad-app). A verified app means that the publisher of the app has [verified](/partner-center/verification-responses) their identity using their Microsoft Partner Network (MPN). Learn how to [mark your app as publisher verified](../active-directory/develop/mark-app-as-publisher-verified.md).
active-directory-b2c Identity Provider Local https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/identity-provider-local.md
zone_pivot_groups: b2c-policy-type
[!INCLUDE [active-directory-b2c-choose-user-flow-or-custom-policy](../../includes/active-directory-b2c-choose-user-flow-or-custom-policy.md)]
-Azure AD B2C provides various ways in which users can authenticate a user. Users can sign-in to a local account, by using username and password, phone verification (also known as password less authentication), or social identity providers. Email sign-up is enabled by default in your local account identity provider settings.
+This article describes how to determine sign-in methods for your Azure AD B2C local accounts. A local account refers to an account that is created in your Azure AD B2C directory when a user signs up for your application or an admin creates the account. Usernames and passwords are stored locally and Azure AD B2C serves as the identity provider for local accounts.
-This article describes how users create their accounts local to this Azure AD B2C tenant. For social or enterprise identities, where the identity of the user is managed by a federated identity provider like Facebook, and Google, see [Add an identity provider](add-identity-provider.md).
+Several sign-in methods are available for local accounts:
-## Email sign-in
+- **Email**: Users can sign up and sign in to your app with their email address and password. Email sign-up is enabled by default in your local account identity provider settings.
+- **Username**: Users can sign up and sign in with a username and password.
+- **Phone (or "passwordless authentication")**: Users can sign up and sign in to your app using a phone number as their primary sign-in identifier. They don't need to create passwords. One-time passwords are sent to your users via SMS text messages.
+- **Phone or email**: Users can sign up or sign in by entering a phone number or an email address. Based on the user input, Azure AD B2C takes the user to the corresponding flow in the sign-up or sign-in page.
+- **Phone recovery**: If you've enabled phone sign-up or sign-in, phone recovery lets users provide an email address that can be used to recover their account when they don't have their phone.
-With the email option, users can sign in/up with their email address and password:
+To learn more about these methods, see [Sign-in options](sign-in-options.md).
-- **Sign-in**, users are prompted to provide their email and password.-- **Sign-up**, users will be prompted for an email address, which will be verified at sign-up (optional) and become their login ID. The user then enters any other information requested on the sign-up page, for example, Display Name, Given Name, and Surname. Then select Continue to create the account.-- **Password reset**, Users must enter and verify their email, after which, the user can reset the password-
-![Email sign-up or sign-in experience](./media/identity-provider-local/local-account-email-experience.png)
-
-## Username sign-in
-
-With the user option, users can sign in/up with a username and password:
--- **Sign-in**: Users are prompted to provide their username and password.-- **Sign-up**: Users will be prompted for a username, which will become their login ID. Users will also be prompted for an email address, which will be verified at sign-up. The email address will be used during a password reset flow. The user enters any other information requested on the sign-up page, for example, Display Name, Given Name, and Surname. The user then selects Continue to create the account.-- **Password reset**: Users must enter their username, and associated email address. The email address must be verified, after which, the user can reset the password.-
-![Username sign-up or sign-in experience](./media/identity-provider-local/local-account-username-experience.png)
-
-## Phone sign-in
-
-Passwordless authentication is a type of authentication where a user doesn't need to sign-in with their password. With phone sign-up and sign-in, the user can sign up for the app using a phone number as their primary login identifier. The user will have the following experience during sign-up and sign-in:
--- **Sign-in**: If the user has an existing account with phone number as their identifier, the user enters their phone number and selects *Sign in*. They confirm the country and phone number by selecting *Continue*, and a one-time verification code is sent to their phone. The user enters the verification code and selects *Continue* to sign in.-- **Sign-up**: If the user doesn't already have an account for your application, they can create one by clicking on the *Sign up now* link.
- 1. A sign-up page appears, where the user selects their *Country*, enters their phone number, and selects *Send Code*.
- 1. A one-time verification code is sent to the user's phone number. The user enters the *Verification Code* on the sign-up page, and then selects *Verify Code*. (If the user can't retrieve the code, they can select *Send New Code*).
- 1. The user enters any other information requested on the sign-up page, for example, Display Name, Given Name, and Surname. Then select Continue.
- 1. Next, the user is asked to provide a **recovery email**. The user enters their email address, and then selects *Send verification code*. A code is sent to the user's email inbox, which they can retrieve and enter in the Verification code box. Then the user selects Verify code.
- 1. Once the code is verified, the user selects *Create* to create their account.
-
-![Phone sign-up or sign-in experience](./media/identity-provider-local/local-account-phone-experience.png)
-
-### Pricing
-
-One-time passwords are sent to your users by using SMS text messages. Depending on your mobile network operator, you may be charged for each message sent. For pricing information, see the **Separate Charges** section of [Azure Active Directory B2C pricing](https://azure.microsoft.com/pricing/details/active-directory-b2c/).
-
-> [!NOTE]
-> Multi-factor authentication (MFA) is disabled by default when you configure a user flow with phone sign-up. You can enable MFA in user flows with phone sign-up, but because a phone number is used as the primary identifier, email one-time passcode is the only option available for the second authentication factor.
-
-### Phone recovery
-
-When you enable phone sign-up and sign-in for your user flows, it's also a good idea to enable the recovery email feature. With this feature, a user can provide an email address that can be used to recover their account when they don't have their phone. This email address is used for account recovery only. It can't be used for signing in.
--- When the recovery email prompt is **On**, a user signing up for the first time is prompted to verify a backup email. A user who hasn't provided a recovery email before is asked to verify a backup email during next sign in.--- When recovery email is **Off**, a user signing up or signing in isn't shown the recovery email prompt.
-
-The following screenshots demonstrate the phone recovery flow:
-
-![Phone recovery user flow](./media/identity-provider-local/local-account-change-phone-flow.png)
--
-## Phone or email sign-in
-
-You can choose to combine the [phone sign-in](#phone-sign-in), and the [email sign-in](#email-sign-in). In the sign-up or sign-in page, user can type a phone number, or email address. Based on the user input, Azure AD B2C takes the user to the corresponding flow.
-
-![Phone or email sign-up or sign-in experience](./media/identity-provider-local/local-account-phone-and-email-experience.png)
+To configure settings for social or enterprise identities, where the identity of a user is managed by a federated identity provider like Facebook or Google, see [Add an identity provider](add-identity-provider.md).
::: zone pivot="b2c-user-flow" ## Configure local account identity provider settings
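Review bot: The removed Phone sign-in section carried two facts that the new summary bullets do not: the Pricing paragraph about per-message SMS charges, and the note that MFA is disabled by default with phone sign-up and that email one-time passcode is the only second factor available in that case. The new Phone bullet only says one-time passwords are sent via SMS. Confirm that both points now live in sign-in-options.md, whose content is not shown in this update, or keep a one-line mention of each here.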
-You can configure the local identity providers available to be used within a User Flow by enabling or disabling the providers (email, username, or phone number). You can have more than one local identity provider enabled at the tenant level.
-A User Flow can only be configured to use one of the local account identity providers at any one time. Each User Flow can have a different local account identity provider set, if more than one has been enabled at the tenant level.
+You can choose the local account sign-in methods (email, username, or phone number) you want to make available in your tenant by configuring the **Local account** provider in your list of Azure AD B2C **Identity providers**. Then when you set up a user flow, you can choose one of the local account sign-in methods you've enabled tenant-wide. You can select only one local account sign-in method for a user flow, but you can select a different option for each user flow.
+
+To set your local account sign-in options at the tenant level:
1. Sign in to the [Azure portal](https://portal.azure.com). 1. Make sure you're using the directory that contains your Azure AD B2C tenant by selecting the **Directory + subscription** filter in the top menu and choosing the directory that contains your Azure AD tenant.
-1. Choose **All services** in the top-left corner of the Azure portal, and then search for and select **Azure AD B2C**.
+1. Under **Azure services**, select **Azure AD B2C**. Or use the search box to find and select **Azure AD B2C**.
1. Under **Manage**, select **Identity providers**. 1. In the identity provider list, select **Local account**.
-1. In the **Configure local IDP** page, selected at least one of the allowable identity types consumers can use to create their local accounts in your Azure AD B2C tenant.
+1. In the **Configure local IDP** page, select one or more identity types you want to enable for user flows in your Azure AD B2C tenant. Selecting an option here simply makes it available for use tenant-wide; when you create or modify a user flow, you'll be able to choose from the options you enable here.
+
+ - **Phone**: Users are prompted for a phone number, which is verified at sign-up and becomes their user ID.
+ - **Username**: Users can create their own unique user ID. An email address will be collected from the user and verified.
+ - **Email**: Users will be prompted for an email address which will be verified at sign-up and become their user ID.
1. Select **Save**.
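Review bot: The three added identity type bullets mix tenses ("Users are prompted" for Phone, "will be collected" for Username, "will be prompted" for Email) and list the types as Phone, Username, Email while the rewritten introduction above orders them email, username, phone number. Use present tense throughout and one order. The Username bullet could also say what the verified email address is for; the removed text stated it is used during the password reset flow.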
-## Configure your User Flow
+## Configure your user flow
1. In the left menu of the Azure portal, select **Azure AD B2C**. 1. Under **Policies**, select **User flows (policies)**.
active-directory-b2c Microsoft Graph Operations https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/microsoft-graph-operations.md
To use MS Graph API, and interact with resources in your Azure AD B2C tenant, yo
## User phone number management (beta)
-A phone number that can be used by a user to sign-in using [SMS or voice calls](identity-provider-local.md#phone-sign-in), or [multi-factor authentication](multi-factor-authentication.md). For more information, see [Azure AD authentication methods API](/graph/api/resources/phoneauthenticationmethod).
+A phone number that can be used by a user to sign-in using [SMS or voice calls](sign-in-options.md#phone-sign-in), or [multi-factor authentication](multi-factor-authentication.md). For more information, see [Azure AD authentication methods API](/graph/api/resources/phoneauthenticationmethod).
- [Add](/graph/api/authentication-post-phonemethods) - [List](/graph/api/authentication-list-phonemethods)
Note, the [list](/graph/api/authentication-list-phonemethods) operation returns
## Self-service password reset email address (beta)
-An email address that can be used by a [username sign-in account](identity-provider-local.md#username-sign-in) to reset the password. For more information, see [Azure AD authentication methods API](/graph/api/resources/emailauthenticationmethod).
+An email address that can be used by a [username sign-in account](sign-in-options.md#username-sign-in) to reset the password. For more information, see [Azure AD authentication methods API](/graph/api/resources/emailauthenticationmethod).
- [Add](/graph/api/emailauthenticationmethod-post) - [List](/graph/api/emailauthenticationmethod-list)
active-directory-b2c Publish App To Azure Ad App Gallery https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/publish-app-to-azure-ad-app-gallery.md
+
+ Title: Publish your Azure Active Directory B2C app to the Azure Active Directory app gallery
+description: Learn how to list an Azure AD B2C app that supports single sign-on in the Azure Active Directory app gallery.
++++++++ Last updated : 06/15/2021++++
+# Publish your Azure AD B2C app to the Azure AD app gallery
+
+The Azure Active Directory (Azure AD) app gallery is a catalog of thousands of apps. The app gallery makes it easy to deploy and configure single sign-on (SSO) and automate user provisioning. You can find popular cloud apps in the gallery, such as Workday, ServiceNow, and Zoom.
+
+This article describes how to publish your Azure AD B2C app in the Azure AD app gallery. When your app is published, it's listed among the options customers can choose from when they're adding apps to their Azure AD tenant.
+
+Here are some benefits of adding your Azure AD B2C app to the app gallery:
+
+- Your app is a verified integration with Microsoft.
+- SSO access is enabled between your app and Azure AD apps.
+- Customers can find your app in the gallery with a quick search.
+- App configuration is simple and minimal.
+- Customers get a step-by-step configuration tutorial.
+- Customers can assign the app to different users and groups within their organization.
+- The tenant administrator can grant tenant-wide admin consent to your app.
+
+## Sign-in flow overview
+
+The sign-in flow involves following steps:
+
+1. The user navigates to the [My Apps portal](https://myapps.microsoft.com/) and selects your app, which opens the app sign-in URL.
+1. The app sign-in URL starts an authorization request and redirects the user to the Azure AD B2C authorization endpoint.
+1. The user chooses to sign in with Azure AD "Corporate" account. Azure AD B2C takes the user to the Azure AD authorization endpoint, where they sign in with their work account.
+1. If the Azure AD SSO session is active, Azure AD issues an access token without prompting the user to sign in again. If the Azure AD session expires or becomes invalid, the user is prompted to sign in again.
+
+![The sign-in OpenID connect flow.](./media/publish-app-to-azure-ad-app-gallery/app-gallery-sign-in-flow.png)
+
+Depending on the user's SSO session and Azure AD identity settings, the user might be prompted to:
+
+- Provide their email address or phone number.
+- Enter their password or sign in with the [Microsoft authenticator app](https://www.microsoft.com/account/authenticator).
+- Complete multi-factor authentication.
+- Accept the consent page. Your customer's tenant administrator can [grant tenant-wide admin consent to an app](../active-directory/manage-apps/grant-admin-consent.md). When granted, the consent page won't be presented to the user.
+
+Upon successful sign-in, Azure AD returns a token to Azure AD B2C. Azure AD B2C validates and reads the token claims, and then returns a token to your application.
+
+## Prerequisites
++
+## Step 1. Register your application in Azure AD B2C
+
+To enable sign-in to your app with Azure AD B2C, register your app in the Azure AD B2C directory. Registering your app establishes a trust relationship between the app and Azure AD B2C.
+
+If you haven't already done so, [register a web application](tutorial-register-applications.md), and [enable ID token implicit grant](tutorial-register-applications.md#enable-id-token-implicit-grant). Later, you register this app with the Azure App gallery.
+
+## Step 2. Set up sign-in for multi-tenant Azure AD
+
+To allow employees and consumers from any Azure AD tenant to sign in using Azure AD B2C, follow the guidance for [setting up sign-in for multi-tenant Azure AD](identity-provider-azure-ad-multi-tenant.md?pivots=b2c-custom-policy).
+
+## Step 3. Prepare your app
+
+In your app, copy the URL of the sign-in endpoint. If you use the [web application sample](configure-authentication-sample-web-app.md), the sign-in URL is `https://localhost:5001/MicrosoftIdentity/Account/SignIn?`. This URL is where the Azure AD app gallery takes the user to sign-in to your app.
+
+In production environments, the app registration redirect URI is typically a publicly accessible endpoint where your app is running such as `https://woodgrovedemo.com/Account/SignIn`. The reply URL must begin with `https`.
+
+## Step 4. Publish your Azure AD B2C app
+
+Finally, add the multi-tenant app to the Azure AD app gallery. Follow the instructions in [Publish your app to the Azure AD app gallery](../active-directory/develop/v2-howto-app-gallery-listing.md). To add your app to the app gallery, follow these steps:
+
+1. [Create and publish documentation](../active-directory/develop/v2-howto-app-gallery-listing.md#step-5create-and-publish-documentation).
+1. [Submit your app](../active-directory/develop/v2-howto-app-gallery-listing.md#step-6submit-your-app) with the following information:
+
+ |Question |Answer you should provide |
+ |||
+ |What type of request do you want to submit?| Select **List my application in the gallery**.|
+ |What feature would you like to enable when listing your application in the gallery? | Select **Federated SSO (SAML, WS-Fed & OpenID Connect)**. |
+ | Select your application federation protocol| Select, **OpenID Connect & OAuth 2.0**. |
+ | Application (Client) ID | Provide the ID of [your Azure AD B2C application](#step-1-register-your-application-in-azure-ad-b2c). |
+ | Application Sign-on URL|Provide the app sign-in URL as you configured in [Step 3. Prepare your app](#step-3-prepare-your-app).|
+ | Multitenant| Select **Yes**. |
+
+## Next steps
+
+- Learn how to [Publish your app to the Azure AD app gallery](../active-directory/develop/v2-howto-app-gallery-listing.md).
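Review bot: the `## Prerequisites` heading is followed only by a line containing a bare `+`, so the article ships with an empty prerequisites section; list what the reader needs before Step 1 or drop the heading. In the Step 4 table the separator row is `|||`, which has no dashes and will not render as a table. Step 3 also uses three names for what reads like one value (sign-in endpoint URL, app registration redirect URI, reply URL); say which of them the `https` requirement applies to, and whether the trailing `?` in `https://localhost:5001/MicrosoftIdentity/Account/SignIn?` is intended for the sign-on URL submitted to the gallery.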
active-directory-b2c Sign In Options https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/sign-in-options.md
+
+ Title: Sign-in options supported by Azure AD B2C
+
+description: Learn about the options for sign-up and sign-in you can use with Azure Active Directory B2C, including username and password, email, phone, or federation with social or external identity providers.
+++++++ Last updated : 05/10/2021++++
+# Sign-in options in Azure AD B2C
+
+Azure AD B2C offers several sign-up and sign-in methods for users of your applications. When users sign up for your application, you determine whether they'll use a username, email address, or phone number to create local accounts in your Azure AD B2C tenant. You can also federate with social identity providers (like Facebook, LinkedIn, and Twitter) and standard identity protocols (like OAuth 2.0, OpenID Connect, and more).
+
+This article gives an overview of Azure AD B2C sign-in options.
+
+## Email sign-in
+
+Email sign-up is enabled by default in your local account identity provider settings. With the email option, users can sign in and sign up with their email address and password.
+
+- **Sign-in**: Users are prompted to provide their email and password.
+- **Sign-up**: users are prompted for an email address, which is verified at sign-up (optional) and becomes their login ID. The user then enters any other information requested on the sign-up page, for example, display name, given name, and surname. Then they select **Continue** to create an account.
+- **Password reset**: Users enter and verify their email, after which the user can reset the password
+
+![Email sign-up or sign-in experience](./media/sign-in-options/local-account-email-experience.png)
+
+Learn how to configure email sign-in in your local account identity provider.
+## Username sign-in
+
+Your local account identity provider includes a Username option that lets users sign up and sign in to your application with a username and password.
+
+- **Sign-in**: Users are prompted to provide their username and password.
+- **Sign-up**: Users will be prompted for a username, which will become their login ID. Users will also be prompted for an email address, which will be verified at sign-up. The email address will be used during a password reset flow. The user enters any other information requested on the sign-up page, for example, Display Name, Given Name, and Surname. The user then selects Continue to create the account.
+- **Password reset**: Users must enter their username and the associated email address. The email address must be verified, after which, the user can reset the password.
+
+![Username sign-up or sign-in experience](./media/sign-in-options/local-account-username-experience.png)
+
+## Phone sign-in
+
+Phone sign-in is a passwordless option in your local account identity provider settings. This method lets users sign up for your app using a phone number as their primary identifier. One-time passwords are sent to your users via SMS text messages. Users will have the following experience during sign-up and sign-in:
+
+- **Sign-in**: If the user has an existing account with phone number as their identifier, the user enters their phone number and selects *Sign in*. They confirm the country and phone number by selecting *Continue*, and a one-time verification code is sent to their phone. The user enters the verification code and selects *Continue* to sign in.
+- **Sign-up**: If the user doesn't already have an account for your application, they can create one by clicking on the *Sign up now* link.
+ 1. A sign-up page appears, where the user selects their *Country*, enters their phone number, and selects *Send Code*.
+ 1. A one-time verification code is sent to the user's phone number. The user enters the *Verification Code* on the sign-up page, and then selects *Verify Code*. (If the user can't retrieve the code, they can select *Send New Code*).
+ 1. The user enters any other information requested on the sign-up page, for example, Display Name, Given Name, and Surname. Then select Continue.
+ 1. Next, the user is asked to provide a **recovery email**. The user enters their email address, and then selects *Send verification code*. A code is sent to the user's email inbox, which they can retrieve and enter in the Verification code box. Then the user selects Verify code.
+ 1. Once the code is verified, the user selects *Create* to create their account.
+
+![Phone sign-up or sign-in experience](./media/sign-in-options/local-account-phone-experience.png)
+
+### Pricing for phone sign-in
+
+One-time passwords are sent to your users by using SMS text messages. Depending on your mobile network operator, you may be charged for each message sent. For pricing information, see the **Separate Charges** section of [Azure Active Directory B2C pricing](https://azure.microsoft.com/pricing/details/active-directory-b2c/).
+
+> [!NOTE]
+> Multi-factor authentication (MFA) is disabled by default when you configure a user flow with phone sign-up. You can enable MFA in user flows with phone sign-up, but because a phone number is used as the primary identifier, email one-time passcode is the only option available for the second authentication factor.
+
+### Phone recovery
+
+When you enable phone sign-up and sign-in for your user flows, it's also a good idea to enable the recovery email feature. With this feature, a user can provide an email address that can be used to recover their account when they don't have their phone. This email address is used for account recovery only. It can't be used for signing in.
+
+- When the recovery email prompt is **On**, a user signing up for the first time is prompted to verify a backup email. A user who hasn't provided a recovery email before is asked to verify a backup email during next sign in.
+
+- When recovery email is **Off**, a user signing up or signing in isn't shown the recovery email prompt.
+
+The following screenshots demonstrate the phone recovery flow:
+
+![Phone recovery user flow](./media/sign-in-options/local-account-change-phone-flow.png)
++
+## Phone or email sign-in
+
+You can choose to combine the [phone sign-in](#phone-sign-in), and the [email sign-in](#email-sign-in) in your local account identity provider settings. In the sign-up or sign-in page, user can type a phone number, or email address. Based on the user input, Azure AD B2C takes the user to the corresponding flow.
+
+![Phone or email sign-up or sign-in experience](./media/sign-in-options/local-account-phone-and-email-experience.png)
+
+## Next steps
+
+- Find out more about the built-in policies provided by [User flows in Azure Active Directory B2C](user-flow-overview.md).
+- [Configure your local account identity provider](identity-provider-local.md).
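Review bot: the `> [!NOTE]` about MFA is filed under `### Pricing for phone sign-in`, but it describes a security default (MFA is disabled by default with phone sign-up, and email one-time passcode is the only second factor available). Move it under `## Phone sign-in` or give it its own heading so that readers configuring the flow find it, not only readers checking charges. Smaller points: `Learn how to configure email sign-in in your local account identity provider.` has no link and runs straight into `## Username sign-in` without a blank line, the **Password reset** bullet under email sign-in is missing its final period, the **Sign-up** bullet there starts with lowercase `users`, and there is a line containing only `+` before `## Phone or email sign-in`.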
active-directory-b2c Technical Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/technical-overview.md
In Azure Active Directory B2C (Azure AD B2C), a *tenant* represents your organiz
The primary resources you work with in an Azure AD B2C tenant are: * **Directory** - The *directory* is where Azure AD B2C stores your users' credentials, profile data, and your application registrations.
-* **Application registrations** - You register your web, mobile, and native applications with Azure AD B2C to enable identity management. Also, any APIs you want to protect with Azure AD B2C.
-* **User flows** and **custom policies** - The built-in (user flows) and fully customizable (custom policies) identity experiences for your applications.
- * Use *user flows* for quick configuration and enablement of common identity tasks like sign up, sign in, and profile editing.
- * Use *custom policies* for complex identity workflows unique to your organization, customers, employees, partners, and citizens.
-* **Identity providers** - Federation settings for:
- * *Social* identity providers like Facebook, LinkedIn, or Twitter that you want to support in your applications.
- * *External* identity providers that support standard identity protocols like OAuth 2.0, OpenID Connect, and more.
- * *Local* accounts that enable users to sign up and sign in with a username (or email address or other ID) and password.
+* **Application registrations** - Register your web, mobile, and native applications with Azure AD B2C to enable identity management. You can also register any APIs you want to protect with Azure AD B2C.
+* **User flows** and **custom policies** - Create identity experiences for your applications with built-in user flows and fully configurable custom policies:
+ * **User flows** help you quickly enable common identity tasks like sign-up, sign-in, and profile editing.
+ * **Custom policies** let you build complex identity workflows unique to your organization, customers, employees, partners, and citizens.
+* **Sign-in options** - Azure AD B2C offers various [sign-up and sign-in options](sign-in-options.md) for users of your applications:
+ * **Username, email, and phone sign-in** - Configure your Azure AD B2C local accounts to allow sign-up and sign-in with a username, email address, phone number, or a combination of methods.
+ * **Social identity providers** - Federate with social providers like Facebook, LinkedIn, or Twitter.
+ * **External identity providers** - Federate with standard identity protocols like OAuth 2.0, OpenID Connect, and more.
* **Keys** - Add and manage encryption keys for signing and validating tokens, client secrets, certificates, and passwords. An Azure AD B2C tenant is the first resource you need to create to get started with Azure AD B2C. Learn how to:
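Review bot: in the new **External identity providers** bullet, `Federate with standard identity protocols like OAuth 2.0, OpenID Connect, and more` reads as if the protocol were the federation partner. The removed wording (`External identity providers that support standard identity protocols`) was more accurate; suggest "Federate with identity providers that support standard protocols like OAuth 2.0 and OpenID Connect". The rewrite also drops the old description of local accounts as a username (or email address or other ID) and password, and the new **Username, email, and phone sign-in** bullet does not say which of those methods involve a password, which matters now that the linked sign-in options article describes phone sign-in as passwordless.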
For more information, see [Overview of user accounts in Azure Active Directory B
Azure AD B2C provides various ways in which users can authenticate a user. Users can sign-in to a local account, by using username and password, phone verification (also known as password-less authentication). Email sign-up is enabled by default in your local account identity provider settings.
-For more information, see [Set up the local account identity provider](identity-provider-local.md).
+Learn more about [sign-in options](sign-in-options.md) or how to [set up the local account identity provider](identity-provider-local.md).
## User profile attributes
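Review bot: the context sentence directly above the changed link still reads `Azure AD B2C provides various ways in which users can authenticate a user` and spells the method `password-less`, while the new sign-in options article this paragraph now links to uses `passwordless`. Fix both in the same change so the overview and the linked article use the same terms.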
active-directory-b2c User Flow Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/user-flow-overview.md
Learn more about custom policies in [Custom policies in Azure Active Directory B
## Comparing user flows and custom policies
-The following table gives a detailed comparison of the scenarios you can with Azure AD B2C user flows and custom policy.
+The following table gives a detailed comparison of the scenarios you can enable with Azure AD B2C user flows and custom policies.
| Context | User flows | Custom policies | |-|-|--|
active-directory-domain-services Tutorial Create Instance https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-domain-services/tutorial-create-instance.md
To authenticate users on the managed domain, Azure AD DS needs password hashes i
> > Synchronized credential information in Azure AD can't be re-used if you later create a managed domain - you must reconfigure the password hash synchronization to store the password hashes again. Previously domain-joined VMs or users won't be able to immediately authenticate - Azure AD needs to generate and store the password hashes in the new managed domain. >
-> For more information, see [Password hash sync process for Azure AD DS and Azure AD Connect][password-hash-sync-process].
+> [Azure AD Connect Cloud Sync is not supported with Azure AD DS][/azure/active-directory/cloud-sync/what-is-cloud-sync#comparison-between-azure-ad-connect-and-cloud-sync]. On-premises users need to be synced using Azure AD Connect in order to be able to access domain-joined VMs. For more information, see [Password hash sync process for Azure AD DS and Azure AD Connect][password-hash-sync-process].
The steps to generate and store these password hashes are different for cloud-only user accounts created in Azure AD versus user accounts that are synchronized from your on-premises directory using Azure AD Connect.
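Review bot: the sentence added at the start of the `+` line uses reference-style link syntax with a URL path in the second pair of square brackets (`[Azure AD Connect Cloud Sync is not supported with Azure AD DS][/azure/active-directory/cloud-sync/what-is-cloud-sync#comparison-between-azure-ad-connect-and-cloud-sync]`), so it only resolves if a reference with that exact label is defined. Use an inline link with parentheses, or a named reference like the `[password-hash-sync-process]` one at the end of the same line. The Cloud Sync limitation is also a separate topic from the credential re-use warning it was appended to and would be easier to spot as its own note.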
active-directory Concept Authentication Passwordless https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/authentication/concept-authentication-passwordless.md
The following providers offer FIDO2 security keys of different form factors that
||:--:|::|::|::|:--:|--| | AuthenTrend | ![y] | ![y]| ![y]| ![y]| ![n] | https://authentrend.com/about-us/#pg-35-3 | | Ensurity | ![y] | ![y]| ![n]| ![n]| ![n] | https://www.ensurity.com/contact |
-| Excelsecu | ![n] | ![y]| ![n]| ![n]| ![n] | https://www.excelsecu.com/productdetail/esecufido2secu.html |
+| Excelsecu | ![y] | ![y]| ![y]| ![y]| ![n] | https://www.excelsecu.com/productdetail/esecufido2secu.html |
| Feitian | ![y] | ![y]| ![y]| ![y]| ![n] | https://shop.ftsafe.us/pages/microsoft | | Gemalto (Thales Group) | ![n] | ![y]| ![y]| ![n]| ![n] | https://safenet.gemalto.com/access-management/authenticators/fido-devices | | GoTrustID Inc. | ![n] | ![y]| ![y]| ![y]| ![n] | https://www.gotrustid.com/idem-key |
To get started with passwordless in Azure AD, complete one of the following how-
### External Links * [FIDO Alliance](https://fidoalliance.org/)
-* [FIDO2 CTAP specification](https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-client-to-authenticator-protocol-v2.0-id-20180227.html)
+* [FIDO2 CTAP specification](https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-client-to-authenticator-protocol-v2.0-id-20180227.html)
active-directory Howto Authentication Passwordless Deployment https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/authentication/howto-authentication-passwordless-deployment.md
Title: Plan a passwordless authentication deployment with Azure AD
-description: Learn how to plan and deploy an Azure Active Directory passwordless authentication implementation
+ Title: Plan a passwordless authentication deployment in Azure Active Directory
+description: Directions for deploying passwordless authentication
- Previously updated : 02/22/2021+ Last updated : 05/28/2021 -+ -+ + # Plan a passwordless authentication deployment in Azure Active Directory
+Passwords are a primary attack vector. Bad actors use social engineering, phishing, and spray attacks to compromise passwords. A passwordless authentication strategy mitigates the risk of these attacks.
+
+Microsoft offers the following [three passwordless authentication options](concept-authentication-passwordless.md) that integrate with Azure Active Directory (Azure AD):
+
+* [Microsoft Authenticator app](https://docs.microsoft.com/azure/active-directory/authentication/concept-authentication-passwordless#microsoft-authenticator-app) - turns any iOS or Android phone into a strong, passwordless credential by allowing users to sign into any platform or browser.
+
+* [FIDO2-compliant security keys](https://docs.microsoft.com/azure/active-directory/authentication/concept-authentication-passwordless#fido2-security-keys) - useful for users who sign in to shared machines like kiosks, in situations where use of phones is restricted, and for highly privileged identities.
+
+* [Windows Hello for Business](https://docs.microsoft.com/azure/active-directory/authentication/concept-authentication-passwordless#windows-hello-for-business) - best for users on their dedicated Windows computers.
+ > [!NOTE]
-> To create an offline version of this deployment plan, use your browser's Print to PDF functionality.
+> To create an offline version of this plan with all links, use your browsers print to pdf functionality.
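Review bot: the three method bullets added above this note link to `https://docs.microsoft.com/azure/active-directory/authentication/concept-authentication-passwordless#...` as absolute URLs, while the sentence that introduces them links the same article as `concept-authentication-passwordless.md`; use the relative form with the anchor for all of them so the article is consistent. In the note itself, `your browsers print to pdf functionality` loses the apostrophe and capitalization the removed line had (`your browser's Print to PDF functionality`).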
-Most cyber attacks begin with a compromised user name and password. Organizations try to counter the threat by requiring users to use one of the following approaches:
+## Use the passwordless methods wizard
-- Long passwords-- Complex passwords-- Frequent password changes-- Multi-factor authentication (MFA)
+The [Azure portal](https://portal.azure.com/) now has a passwordless methods wizard that will help you to select the appropriate method for each of your audiences. If you haven't yet determined the appropriate methods, see [https://aka.ms/passwordlesswizard](https://aka.ms/passwordlesswizard), then return to this article to continue planning for your selected methods. **You need administrator rights to access this wizard.**
-Microsoft's [research shows](https://aka.ms/passwordguidance) that these efforts annoy users and drive up support costs. For more information, see [Your Pa$$word doesn't matter](https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Your-Pa-word-doesn-t-matter/ba-p/731984).
+## Passwordless authentication scenarios
-### Benefits of passwordless authentication
+MicrosoftΓÇÖs passwordless authentication methods enable many scenarios. Consider your organizational needs, prerequisites, and the capabilities of each authentication method to select your passwordless authentication strategy.
-- **Increased security**. Reduce the risk of phishing and password spray attacks by removing passwords as an attack surface.-- **Better user experience**. Give users a convenient way to access data from anywhere. Provide easy access to applications and services such as Outlook, OneDrive, or Office while mobile.-- **Robust insights**. Gain insights into users passwordless activity with robust logging and auditing.
+The following table lists the passwordless authentication methods by device types. Our recommendations are in **bold**.
-With passwordless, the password is replaced with something you have plus something you are or something you know. For example, Windows Hello for Business can use a biometric gesture like a face or fingerprint, or a device-specific PIN that isn't transmitted over a network.
+| Device types| Passwordless authentication method |
+| - | - |
+| Dedicated non-windows devices| <li> **Microsoft Authenticator app** <li> Security keys |
+| Dedicated Windows 10 computers (version 1703 and later)| <li> **Windows Hello for Business** <li> Security keys |
+| Dedicated Windows 10 computers (before version 1703)| <li> **Windows Hello for Business** <li> Microsoft Authenticator app |
+| Shared devices: tablets, and mobile devices| <li> **Microsoft Authenticator app** <li> One-time password sign-in |
+| Kiosks (Legacy)| **Microsoft Authenticator app** |
+| Kiosks and shared computers ΓÇÄ(Windows 10)| <li> **Security keys** <li> Microsoft Authenticator app |
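Review bot: `MicrosoftΓÇÖs` in the new scenarios paragraph and `ΓÇÄ` before `(Windows 10)` in the last table row look like a typographic apostrophe and an invisible directional mark that do not survive as plain text; the removed lines used a plain apostrophe (`Microsoft's`). Replace them with ASCII, and do the same in the later added lines containing `youΓÇÖre`, `ItΓÇÖs`, `itΓÇÖs` and `canΓÇÖt`. The table cells also use bare `<li>` elements with no enclosing list; `<br>` separators, as in the removed scenario table, would be safer.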
-## Passwordless authentication methods
-Microsoft offers three passwordless authentication options that cover many scenarios. These methods can be used in tandem:
-- [Windows Hello for Business](./concept-authentication-passwordless.md) is best for users on their dedicated Windows computers.-- Security key sign-in with [FIDO2 Security keys](./concept-authentication-passwordless.md) is especially useful for users who sign in to shared machines like kiosks, in situations where use of phones is restricted, and for highly privileged identities.-- Phone sign in with the [Microsoft Authenticator app](./concept-authentication-passwordless.md) is useful for providing a passwordless option to users with mobile devices. The Authenticator app turns any iOS or Android phone into a strong, passwordless credential by allowing users to sign into any platform or browser. Users sign in by getting a notification to their phone, matching a number displayed on the screen to the one on their phone, and then using their biometric data or PIN to confirm.
+## Prerequisites
-### Passwordless authentication scenarios
+Ensure you meet the prerequisites before starting your passwordless deployment.
-Microsoft's passwordless authentication methods enable different scenarios. Consider your organizational needs, prerequisites, and the capabilities of each authentication method to select your passwordless authentication strategy. We recommend that every organization that uses Windows 10 devices use Windows Hello for Business. Then, add either phone sign-in (with the Microsoft Authenticator app) or security keys for additional scenarios.
+### Required roles
-| Scenario | Phone authentication | Security keys | Windows Hello for Business |
-| | | | |
-| **Computer sign in**: <br> From assigned Windows 10 device | **No** | **Yes** <br> With biometric, PIN | **Yes**<br>with biometric recognition and or PIN |
-| **Computer sign in**: <br> From shared Windows 10 device | **No** | **Yes** <br> With biometric, PIN | **No** |
-| **Web app sign-in**: <br>ΓÇÄ from a user-dedicated computer | **Yes** | **Yes** <br> Provided single sign-on to apps is enabled by computer sign-in | **Yes**<br> Provided single sign-on to apps is enabled by computer sign-in |
-| **Web app sign-in**: <br> from a mobile or non-windows device | **Yes** | **No** | **No** |
-| **Computer sign in**: <br> Non-Windows computer | **No** | **No** | **No** |
+Here are the least privileged roles required for this deployment:
+<p>
-For information on selecting the best method for your organization, see [Deciding a passwordless method](./concept-authentication-passwordless.md#choose-a-passwordless-method).
+| Azure AD Role| Description |
+| - | -|
+| Global Administrator| To implement combined registration experience. |
+| Authentication Administrator| To implement and manage authentication methods. |
+| User| To configure Authenticator app on device, or to enroll security key device for web or Windows 10 sign-in. |
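Review bot: the section is introduced as `the least privileged roles required for this deployment`, yet the first row of the roles table is Global Administrator. Say that this role is needed only for the combined registration step and explain why, so readers do not run the whole rollout as Global Administrator when the table already assigns managing authentication methods to Authentication Administrator. There is also a stray `<p>` line between the introductory sentence and the table.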
-## Prerequisites
+As part of this deployment plan, we recommend that passwordless authentication be enabled for all [privileged accounts](../privileged-identity-management/pim-configure.md).
-Organizations must meet the following prerequisites before beginning a passwordless deployment:
+### Microsoft Authenticator app and security keys
-| Prerequisite | Authenticator app | FIDO2 Security Keys |
-| | | |
-| [Combined registration for Azure AD Multi-Factor Authentication and self-service password reset (SSPR)](howto-registration-mfa-sspr-combined.md) is enabled | √ | √ |
-| [Users can perform Azure AD Multi-Factor Authentication](howto-mfa-getstarted.md) | √ | √ |
-| [Users have registered for Azure AD Multi-Factor Authentication and SSPR](howto-registration-mfa-sspr-combined.md) | √ | √ |
-| [Users have registered their mobile devices to Azure Active Directory](../devices/overview.md) | √ | |
-| Windows 10 version 1809 or higher using a supported browser like Microsoft Edge or Mozilla Firefox <br> (version 67 or higher). <br> *Microsoft recommends version 1903 or higher for native support*. | | √ |
-| Compatible FIDO2 security keys. Ensure that you're using a [Microsoft-tested and verified](./concept-authentication-passwordless.md) FIDO2 security device, or other compatible FIDO2 security device. | | √ |
+The prerequisites are determined by your selected passwordless authentication methods.
-### Prerequisites for Windows Hello for Business
+| Prerequisite| Microsoft Authenticator app| FIDO2 Security Keys|
+| - | -|-|
+| [Combined registration for Azure AD Multi-Factor Authentication (MFA) and self-service password reset (SSPR)](howto-registration-mfa-sspr-combined.md) is enabled| √| √| |
+| [Users can perform Azure AD MFA](howto-mfa-getstarted.md)| √| √| |
+| [Users have registered for Azure AD MFA and SSPR](howto-registration-mfa-sspr-combined.md)| √| √| |
+| [Users have registered their mobile devices to Azure Active Directory](../devices/overview.md)| √| | |
+| Windows 10 version 1809 or higher using a supported browser like Microsoft Edge or Mozilla Firefox (version 67 or higher). Microsoft recommends version 1903 or higher for native support.| | √| |
+| Compatible security keys. Ensure that you’re using a [Microsoft-tested and verified FIDO2 security key](concept-authentication-passwordless.md), or other compatible FIDO2 security key.| | √| |
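Review bot: every data row in the new prerequisites table ends with an extra empty cell (`| √| √| |`), giving four cells under a three-column header. Drop the trailing `| |` so the checkmarks stay aligned with the Microsoft Authenticator app and FIDO2 Security Keys columns; the rows of the removed table had the correct three cells.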
-The prerequisites for Windows Hello are highly dependent on whether you're deploying in an on-premises, hybrid, or cloud-only configuration. For more information, see the [full listing of prerequisites for Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-identity-verification).
-### Azure AD Multi-Factor Authentication
+### Windows Hello for Business
-Users register their passwordless method as a part of the Azure AD Multi-Factor Authentication registration flow. Multi-factor authentication with a username and password along with another registered method can be used as a fallback in case they can't use their phone or security key in some scenarios.
+The prerequisites and deployment paths for Windows Hello for Business are highly dependent on whether youΓÇÖre deploying in an on-premises, hybrid, or cloud-only configuration. ItΓÇÖs also dependent on your device join strategy.
-### Licensing
-There is no additional cost for passwordless authentication, although some prerequisites may require a premium subscription. For detailed feature and licensing information in the [Azure Active Directory licensing page](https://azure.microsoft.com/pricing/details/active-directory/).
+Select Windows Hello for Business and [complete the wizard](https://aka.ms/passwordlesswizard) to determine the prerequisites and deployment appropriate for your organization.
-## Develop a plan
+![Select Windows Hello for Business in the wizard](media/howto-authentication-passwordless-deployment/passwordless-wizard-select.png)
-Consider your business needs and the use cases for each authentication method. Then select the method that best fits your needs.
-### Use cases
+The wizard will use your inputs to craft a step-by-step plan for you to follow.
-The following table outlines the use cases to be implemented during this project.
+## Plan the project
-| Area | Description |
-| | |
-| **Access** | Passwordless sign-in is available from a corporate or personal device within or outside the corporate network. |
-| **Auditing** | Usage data is available to administrators to audit in near real time. <br> Usage data is downloaded into corporate systems at least every 29 days, or SIEM tool is used. |
-| **Governance** | Lifecycle of user assignments to appropriate authentication method and associated groups is defined and monitored. |
-| **Security** | Access to appropriate authentication method is controlled via user and group assignments. <br> Only authorized users can use passwordless sign-in. |
-| **Performance** | Access assignment propagation timelines are documented and monitored. <br> Sign in times is measured for ease of use. |
-| **User Experience** | Users are aware of mobile compatibility. <br> Users can configure the Authenticator app passwordless sign-in. |
-| **Support** | Users are aware of how to find support for passwordless sign-in issues. |
+When technology projects fail, itΓÇÖs typically because of mismatched expectations on impact, outcomes, and responsibilities. To avoid these pitfalls, [ensure that youΓÇÖre engaging the right stakeholders](../fundamentals/active-directory-deployment-plans.md) and that stakeholder roles in the project are well understood.
-### Engage the right stakeholders
+### Plan a pilot
-When technology projects fail, it's typically because of mismatched expectations on impact, outcomes, and responsibilities. To avoid these pitfalls, [ensure that you're engaging the right stakeholders](../fundamentals/active-directory-deployment-plans.md#include-the-right-stakeholders) and that stakeholder roles in the project are well understood.
+When you deploy passwordless authentication, you should first enable one or more pilot groups. You can create groups specifically for this purpose. Add the users who will participate in the pilot to the groups. Then, enable new passwordless authentication methods for the selected groups. See [best practices for a pilot](../fundamentals/active-directory-deployment-plans.md).
### Plan communications
-Communication is critical to the success of any new service. Proactively communicate how users' experience will change, when it will change, and how to gain support if they experience issues.
- Your communications to end users should include the following information: -- [Enabling the combined security registration experience](howto-authentication-passwordless-phone.md)-- [Downloading the Microsoft Authenticator app](../user-help/user-help-auth-app-download-install.md)-- [Registering in the Microsoft Authenticator app](howto-authentication-passwordless-phone.md)-- [Signing in with your phone](../user-help/user-help-auth-app-sign-in.md)
+* [Guidance on combined registration for both Azure AD MFA and SSPR](howto-registration-mfa-sspr-combined.md)
+
+* [Downloading the Microsoft Authenticator app](../user-help/user-help-auth-app-download-install.md)
+
+* [Registering in the Microsoft Authenticator app](howto-authentication-passwordless-phone.md)
+
+* [Signing in with your phone](../user-help/user-help-auth-app-sign-in.md)
-Microsoft provides Multi-factor authentication [communication templates](https://aka.ms/mfatemplates), Self-Service Password Reset (SSPR) [communication templates](https://www.microsoft.com/download/details.aspx?id=56768), and [end-user documentation](../user-help/security-info-setup-signin.md) to help draft your communications.
-You can send users to [https://myprofile.microsoft.com](https://myprofile.microsoft.com/) to register directly by selecting the **Security Info** links on that page.
+Microsoft provides communication templates for end users. Download the [authentication rollout material](https://aka.ms/MFAtemplates) to help draft your communications. The rollout materials include customizable posters and email templates that you can use to inform your users about upcoming passwordless authentication options in your organization.
-### Plan to pilot
+## Plan user registration
-When you deploy passwordless authentication, you should first enable one or more pilot groups. You can [create groups](../fundamentals/active-directory-groups-create-azure-portal.md) specifically for this purpose. Add the users who will participate in the pilot to the groups. Then, enable new passwordless authentication methods for the selected groups.
+Users register their passwordless method as a part of the **combined security information workflow** at [https://aka.ms/mysecurityinfo](https://aka.ms/mysecurityinfo). Azure AD logs registration of security keys and Microsoft Authenticator app, and any other changes to the authentication methods.
-Groups can be synced from an on-premises directory, or from Azure AD. Once you're happy with the results of your pilot, you can switch on the passwordless authentication for all users.
+For the first-time user who doesn't have a password, admins can provide a [Temporary Access Passcode](howto-authentication-temporary-access-pass.md) to register their security information in [https://aka.ms/mysecurityinfo](https://aka.ms/mysecurityinfo.md) . This is a time-limited passcode and satisfies strong authentication requirements. **Temporary Access Pass is a per-user process**.
-See [Best practices for a pilot](../fundamentals/active-directory-deployment-plans.md) on the deployment plans page.
+This method can also be used for easy recovery when the user has lost or forgotten their authentication factor such as security key or Microsoft Authenticator app but needs to sign in to **register a new strong authentication method**.
-## Plan passwordless authentication with the Microsoft Authenticator app
+>[!NOTE]
+> If you canΓÇÖt use the security key or Microsoft Authenticator app for some scenarios, multifactor authentication with a username and password along with another registered method can be used as a fallback option.
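Review bot: In the Temporary Access Pass paragraph, the second mysecurityinfo link has the target `https://aka.ms/mysecurityinfo.md`, with a stray `.md` suffix, and there is a space before the closing period. The paragraph above uses the same short link without the suffix, so the target should be `https://aka.ms/mysecurityinfo`. The feature is also named "Temporary Access Passcode" in the link text and "Temporary Access Pass" two sentences later; use one name in both places.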
-The Microsoft Authenticator app is a free download from Google Play or the Apple App Store. [Learn more about downloading the Microsoft Authenticator app](https://www.microsoft.com/p/microsoft-authenticator/9nblgggzmcj6). Have users download the Microsoft Authenticator app. and follow the directions to enable phone sign in.
+## Plan for and deploy the Microsoft Authenticator app
-It turns any iOS or Android phone into a strong, passwordless credential. Users sign in to any platform or browser by getting a notification to their phone, matching a number displayed on the screen to the one on their phone, and then using biometrics or a PIN to confirm. [See details on how the Microsoft Authenticator app works](./concept-authentication-passwordless.md#microsoft-authenticator-app).
+The [Microsoft Authenticator app](concept-authentication-passwordless.md) turns any iOS or Android phone into a strong, passwordless credential. ItΓÇÖs a free download from Google Play or the Apple App Store. Have users [download the Microsoft Authenticator app](../user-help/user-help-auth-app-download-install.md) and follow the directions to enable phone sign-in.
-![sign in with the Authenticator app](./media/howto-authentication-passwordless-deployment/passwordless-dp-sign-in.png)
+### Technical considerations
-### Technical considerations for the Microsoft Authenticator app
+**Active Directory Federation Services (AD FS) Integration** - When a user enables the Microsoft Authenticator passwordless credential, authentication for that user defaults to sending a notification for approval. Users in a hybrid tenant are prevented from being directed to AD FS for sign-in unless they select ΓÇ£Use your password instead.ΓÇ¥ This process also bypasses any on-premises Conditional Access policies, and pass-through authentication (PTA) flows. However, if a login_hint is specified, the user is forwarded to AD FS and bypasses the option to use the passwordless credential.
-**AD FS Integration** - When a user enables the Microsoft Authenticator passwordless credential, authentication for that user defaults to sending a notification for approval. Users in a hybrid tenant are prevented from being directed to ADFS for sign-in unless they select "Use your password instead." This process also bypasses any on-premises Conditional Access policies, and pass-through authentication flows. However, if a *login_hint* is specified, the user is forwarded to ADFS and bypass the option to use the passwordless credential.
+**Azure MFA server** - End users enabled for multi-factor authentication through an organizationΓÇÖs on-premises Azure MFA server can create and use a single passwordless phone sign-in credential. If the user attempts to upgrade multiple installations (5 or more) of the Microsoft Authenticator app with the credential, this change may result in an error.
+
+> [!IMPORTANT]
+> As of July 1, 2019, Microsoft no longer offers MFA Server for new deployments. New customers that want to require multi-factor authentication (MFA) during sign-in events should use cloud-based Azure AD Multi-Factor Authentication. Existing customers that activated MFA Server before July 1, 2019 can download the latest version, future updates, and generate activation credentials as usual. We recommend moving from Azure MFA Server to Azure Active Directory MFA.
+
+**Device registration** - To use the Authenticator app for passwordless authentication, the device must be registered in the Azure AD tenant and canΓÇÖt be a shared device. A device can only be registered in a single tenant. This limit means that only one work or school account is supported for phone sign-in using the Microsoft Authenticator app.
+
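Review bot: In the AD FS Integration paragraph, login_hint lost the emphasis it had in the removed line (`*login_hint*`); it is a literal parameter name, so keep the italics or mark it as code. The added paragraphs in this section also carry typographic apostrophes and quotation marks (visible here as `ΓÇÖ`, `ΓÇ£` and `ΓÇ¥`) where the removed lines used plain `'` and `"`; replace them with the ASCII characters. The label "Azure MFA server" and the IMPORTANT note's "MFA Server" should use the same capitalization.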
+### Deploy phone sign-in with the Microsoft Authenticator app
+
+Follow the steps in the article, [Enable passwordless sign-in with the Microsoft Authenticator app](howto-authentication-passwordless-phone.md) to enable the Microsoft Authenticator app as a passwordless authentication method in your organization.
+
+### Testing Microsoft Authenticator app
+
+The following are sample test cases for passwordless authentication with the Microsoft Authenticator app:
-**Azure AD Multi-Factor Authentication server** - End users enabled for Multi-factor authentication through an organization's on-premises Azure MFA server can create and use a single passwordless phone sign-in credential. If the user attempts to upgrade multiple installations (5 or more) of the Microsoft Authenticator with the credential, this change may result in an error.
+| Scenario| Expected results |
+| - |-|
+| User can register Microsoft Authenticator app| User can register app from https://aka.ms/mysecurityinfo |
+| User can enable phone sign-in| Phone sign-in configured for work account |
+| User can access an app with phone sign-in| User goes through phone sign-in flow and reaches application. |
+| Test rolling back phone sign-in registration by turning off Microsoft Authenticator passwordless sign-in. Do this within the Authentication methods screen in the Azure AD portal| Previously enabled users unable to use passwordless sign-in from Microsoft Authenticator. |
+| Removing phone sign in from Microsoft Authenticator app| Work account no longer available on Microsoft Authenticator |
-**Device Registration** - To use the Authenticator app for passwordless authentication, the device must be registered in the Azure AD tenant and can't be a shared device. A device can only be registered in a single tenant. This limit means that only one work or school account is supported for phone sign-in using the Authenticator app.
-## Plan passwordless authentication with FIDO2 Security keys
+### Troubleshoot phone sign-in
++
+| Scenario| Solution |
+| - |-|
+| User cannot perform combined registration.| Ensure [combined registration](concept-registration-mfa-sspr-combined.md) is enabled. |
+| User cannot enable phone sign-in authenticator app.| Ensure user is in scope for deployment. |
+| User is NOT in scope for passwordless authentication, but is presented with passwordless sign-in option, which they cannot complete.| Occurs when user has enabled phone sign in in the application prior to the policy being created. To enable sign in, add the user to a group of users enabled for passwordless sign-in. To block sign in: have the user remove their credential from that application. |
++
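Review bot: The lines immediately before and after the phone sign-in troubleshooting table each add a lone `+` character, which ends up as literal text around the table; they should be blank lines. In the last row, "has enabled phone sign in in the application" reads as a doubled word, and the removed version's "phone sign-in in the application" avoids that. The removed row also separated the two remedies with `<br>` and italic labels, while the new cell runs them together.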
+## Plan for and deploy FIDO2-compliant security keys
+
+Enable compatible security keys. Here is a list of [FIDO2 security key providers](concept-authentication-passwordless.md) that provide keys known to be compatible with the passwordless experience.
+
+### Plan security key lifecycle
+
+Prepare for and plan the key lifecycle.
+
+**Key distribution**- Plan how to provision keys to your organization. You may have a centralized provisioning process or allow end users to purchase FIDO 2.0-compatible keys.
+
+ **Key activation** - End users must self-activate the security key. End users register their security keys at [https://aka.ms/mysecurityinfo](https://aka.ms/mysecurityinfo) and enable the second factor (PIN or biometric) at first use. For first-time users, they can use TAP to register their security information.
+
+ **Disabling a key** - If an administrator wishes to remove a FIDO2 key associated with a User Account, they can do so by deleting the key from the userΓÇÖs authentication method as shown below. For more information, see [Disable a key](howto-authentication-passwordless-security-key.md#disable-a-key)
+
+
+
+**Issue a new key**: User can register the new FIDO2 key by going to [https://aka.ms/mysecurityinfo](https://aka.ms/mysecurityinfo)
+
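Review bot: The "Disabling a key" paragraph says the key is deleted "as shown below", but only blank lines follow it, so either add the screenshot or drop the phrase; the sentence ending in the Disable a key link is also missing its final period. "TAP" in the Key activation paragraph is never introduced as an abbreviation in the visible text, so spell it out on first use. The four labels are punctuated three different ways (`**Key distribution**-`, `**Key activation** -`, `**Issue a new key**:`) and two of the paragraphs begin with a leading space; make them consistent.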
+### Technical considerations
+ There are three types of passwordless sign-in deployments available with security keys: -- Azure Active Directory web apps on a supported browser-- Azure Active Directory Joined Windows 10 devices-- Hybrid Azure Active Directory Joined Windows 10 devices
- - Provides access to both cloud-based and on premises resources. For more information about access to on-premises resources, see [SSO to on-premises resources using FIDO2 keys](./howto-authentication-passwordless-security-key-on-premises.md)
+* Azure AD web apps on a supported browser
+
+* Azure AD joined Windows 10 devices
+
+* Hybrid Azure AD joined Windows 10 devices
+
+ * Provides access to both cloud-based and on premises resources. For more information about access to on-premises resources, see [SSO to on-premises resources using FIDO2 keys](howto-authentication-passwordless-security-key-on-premises.md)
+
+**For Azure AD web apps and Azure AD joined Windows devices**, use:
-You must enable **Compatible FIDO2 security keys**. Microsoft announced [key partnerships with FIDO2 key vendors](https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Microsoft-passwordless-partnership-leads-to-innovation-and-great/ba-p/566493).
+* Windows 10 version 1809 or higher using a supported browser like Microsoft Edge or Mozilla Firefox (version 67 or higher).
-**For Azure AD web apps and Azure AD Windows joined devices**:
+* Windows 10 version 1809 supports FIDO2 sign-in and may require software from the FIDO2 key manufacturer to be deployed. We recommend you use version 1903 or later.
-- Windows 10 version 1809 or higher using a supported browser like Microsoft Edge or Mozilla Firefox (version 67 or higher). -- Windows 10 version 1809 supports FIDO2 sign-in and may require software from the FIDO2 key manufacturer to be deployed. We recommend you use version 1903 or later.
+**For hybrid Azure AD domain joined devices**, use:
-**For Hybrid Azure Active Directory Domain Joined devices**:
-- Windows 10 version 2004 or later-- Fully patched domain servers running Windows Server 2016 or 2019.-- Latest version of Azure AD Connect
+* Windows 10 version 2004 or later.
-For a complete list of requirements, see [Enable passwordless security key sign-in to Windows 10 devices with Azure Active Directory](./howto-authentication-passwordless-security-key-windows.md#requirements).
+* Fully patched domain servers running Windows Server 2016 or 2019.
+* Latest version of Azure AD Connect.
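Review bot: The sentence pointing to the complete list of requirements (`howto-authentication-passwordless-security-key-windows.md#requirements`) is removed after the hybrid-join list and nothing replaces it, so readers see only these three items with no indication of whether more requirements exist. Keep the pointer, or state that the list is complete.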
-### Security key life cycle
+#### Enable Windows 10 support
-Security keys enable access to your resources, and you should plan the management of those physical devices.
+Enabling Windows 10 sign-in using FIDO2 security keys requires you to enable the credential provider functionality in Windows 10. Choose one of the following:
-1. **Key distribution**: Plan how to provision keys to your organization. You may have a centralized provisioning process or allow end users to purchase FIDO 2.0-compatible keys.
-1. **Key activation**: End users must self-activate the security key. End users register their security keys at [https://aka.ms/mysecurityinfo](https://aka.ms/mysecurityinfo) and enable the second factor (PIN or biometric) at first use.
-1. **Disabling a key**: While security key functionality is in the preview stage, there's no way for an administrator to remove a key from a user account. The user must remove it. If a key is lost or stolen:
- 1. Remove the user from any group enabled for passwordless authentication.
- 1. Verify they've removed the key as an authentication method.
- 1. Issue a new key. **Key replacement**: Users can enable two security keys at the same time. When replacing a security key, ensure the user has also removed the key being replaced.
+* [Enable credential provider with Intune](howto-authentication-passwordless-security-key-windows.md)
-### Enable Windows 10 support
+ * We recommend Intune deployment.
-Enabling Windows 10 sign-in using FIDO2 security keys requires enabling the credential provider functionality in Windows 10. Choose one of the following:
+* [Enable credential provider with a provisioning package](howto-authentication-passwordless-security-key-windows.md)
-- [Enable credential provider with Intune](howto-authentication-passwordless-security-key-windows.md#enable-with-intune)
- - Intune deployment is the recommended option.
-- [Enable credential provider with a provisioning package](howto-authentication-passwordless-security-key-windows.md#enable-with-a-provisioning-package)
- - If Intune deployment isn't possible, administrators must deploy a package on each machine to enable the credential provider functionality. The package installation can be carried out by one of the following options:
- - Group Policy or Configuration Manager
- - Local installation on a Windows 10 machine
-- [Enable credential provider with Group Policy](howto-authentication-passwordless-security-key-windows.md#enable-with-group-policy)
- - Only supported for hybrid Azure AD joined devices.
+ * If Intune deployment isnΓÇÖt possible, administrators must deploy a package on each machine to enable the credential provider functionality. The package installation can be carried out by one of the following options:
+ * Group Policy or Configuration Manager
+ * Local installation on a Windows 10 machine
+
+* [Enable credential provider with Group Policy](howto-authentication-passwordless-security-key-windows.md)
+
+ * Only supported for hybrid Azure AD joined devices.
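Review bot: All three "Enable credential provider" links lost their section anchors (`#enable-with-intune`, `#enable-with-a-provisioning-package`, `#enable-with-group-policy`) and now point at the top of the same article, so the three options can no longer be told apart by destination. Restore the anchors unless those headings were removed from the target article.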
#### Enable on-premises integration
-To enable access to on-premises resources, follow the steps to [Enable passwordless security key sign in to on-premises resources](howto-authentication-passwordless-security-key-on-premises.md).
+Follow the steps in the article [Enable passwordless security key sign in to on-premises resources (preview)](howto-authentication-passwordless-security-key-on-premises.md).
-> [!IMPORTANT]
-> These steps must also be completed for any hybrid Azure AD joined devices to utilize FIDO2 security keys for Windows 10 sign in.
+> [!IMPORTANT]
+> These steps must also be completed for any hybrid Azure AD joined devices to utilize FIDO2 security keys for Windows 10 sign-in.
-### Register security keys
-Users must register their security key on each of their Azure Active Directory joined Windows 10 machines.
+### Key restrictions policy
-For more information, see [User registration and management of FIDO2 security keys](howto-authentication-passwordless-security-key.md#user-registration-and-management-of-fido2-security-keys).
+When you deploy the security key, you can optionally restrict the use of FIDO2 keys only to specific manufacturers that have been approved by your organization. Restricting keys requires the Authenticator Attestation GUID (AAGUID). [There are two ways to get your AAGUID](howto-authentication-passwordless-security-key.md#security-key-authenticator-attestation-guid-aaguid).
+![How to enforce key restrictions](media/howto-authentication-passwordless-deployment/security-key-enforce-key-restriction.png)
-## Plan auditing, security, and testing
-Planning for auditing that meets your organizational and compliance frameworks is an essential part of your deployment.
-### Auditing passwordless
+If the security key is restricted, and the user tries to register the FIDO2 security key, they receive the following error:
-Azure AD has reports that provide technical and business insights. Have your business and technical application owners assume ownership of and consume these reports based on your organization's requirements.
+![Security key error when key is restricted](media/howto-authentication-passwordless-deployment/security-key-restricted-error.png)
-The **Authentication** methods section within the Azure Active Directory portal is where administrators can enable and manage settings for passwordless credentials.
-Azure AD adds entries to the audit logs when:
+If the AAGUID is restricted after the user has registered the security key, they see the following message:
-- An admin makes changes in the Authentication methods section.-- A user makes any kind of change to their credentials within Azure Active Directory.
+![View for user when AAGUID is restricted](media/howto-authentication-passwordless-deployment/security-key-block-user-window.png)
-The following table provides some examples of typical reporting scenarios:
-| | Manage risk | Increase productivity | Governance and compliance |
-| | | | |
-| **Report types** | Authentication methods- users registered for combined security registration | Authentication methods ΓÇô users registered for app notification | Sign-ins: review who is accessing the tenant and how |
-| **Potential actions** | Target users not yet registered | Drive adoption of Microsoft Authenticator app or security keys | Revoke access or enforce additional security policies for admins |
+*FIDO2 key blocked by Key Restriction Policy
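Review bot: The last added line, `*FIDO2 key blocked by Key Restriction Policy`, opens emphasis with `*` and never closes it, and it follows the third image although it reads like a caption; close the asterisk (or drop it) and put the caption directly under the image it describes. The two messages users receive are conveyed only by screenshots; quoting the message text in the paragraphs would make it searchable and readable without the images.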
-**Azure AD keeps most auditing data for 30 days** and makes the data available via Azure Admin portal or API for you to download into your analysis systems. If you require longer retention,export and consume logs in a SIEM tool such as [Azure Sentinel](../../sentinel/connect-azure-active-directory.md), Splunk, or Sumo Logic. [Learn more about viewing your access and usage reports](../reports-monitoring/overview-reports.md).
+### Deploy FIDO2 security key sign-in
-Users can register and manage their credentials by navigating to [https://aka.ms/mysecurityinfo](https://aka.ms/mysecurityinfo). This link directs users to the end-user credential management experience that was enabled via the combined SSPR/Multi-factor authentication registration experience. Azure AD logs registration of FIDO2 security devices, and changes to authentication methods by a users.
+Follow the steps in the article [Enable passwordless security key sign-in](howto-authentication-passwordless-security-key.md) to enable FIDO2 security key as a passwordless authentication method in your organization.
-### Plan security
-As part of this rollout plan, Microsoft recommends that passwordless authentication be enabled for all privileged admin accounts.
+### Testing security keys
-When users enable or disable the account on a security key, or reset the second factor for the security key on their Windows 10 machines, an entry is added to security log and are under the following event IDs: *4670* and *5382*.
+Here are the sample test cases for passwordless authentication with security keys.
-### Plan testing
+#### Passwordless FIDO sign in to Azure Active Directory Joined Windows 10 devices
-At each stage of your deployment as you test scenarios and adoption, ensure that the results are as expected.
-#### Testing the Microsoft Authenticator app
+| Scenario (Windows build)| Expected results |
+| - |-|
+| The user can register FIDO2 device (1809)| User can register FIDO2 device using at Settings > Accounts > sign in options > Security Key |
+| The user can reset FIDO2 device (1809)| User can reset FIDO2 device using manufacturer software |
+| The user can sign in with FIDO2 device (1809)| User can select Security Key from the sign-in window, and successfully sign in. |
+| The user can register FIDO2 device (1903)| User can register FIDO2 device at Settings > Accounts > sign in options > Security Key |
+| The user can reset FIDO2 device (1903)| User can reset FIDO2 device at Settings > Accounts > sign in options > Security Key |
+| The user can sign in with FIDO2 device (1903)| User can select Security Key from the sign-in window, and successfully sign in. |
-The following are sample test cases for passwordless authentication with the Microsoft Authenticator app:
-| Scenario | Expected results |
-| | |
-| User can register Microsoft Authenticator app | User can register app from aka.ms/mysecurityinfo |
-| User can enable phone sign-in | Phone sign in configured for work account |
-| User can access an app with phone sign-in | User goes through phone sign-in flow and reaches application. |
-| Test rolling back phone sign-in registration by turning off Microsoft Authenticator passwordless sign-in within the Authentication methods screen in the Azure Active Directory portal | Previously enabled users unable to use passwordless sign-in from Microsoft Authenticator. |
-| Removing phone sign-in from Microsoft Authenticator app | Work account no longer available on Microsoft Authenticator |
+#### Passwordless FIDO sign-in to Azure AD web apps
+
-#### Testing security keys
+| Scenario| Expected results |
+| - |-|
+| The user can register FIDO2 device at aka.ms/mysecurityinfo using Microsoft Edge| Registration should succeed |
+| The user can register FIDO2 device at aka.ms/mysecurityinfo using Firefox| Registration should succeed |
+| The user can sign in to OneDrive online using FIDO2 device using Microsoft Edge| Sign-in should succeed |
+| The user can sign in to OneDrive online using FIDO2 device using Firefox| Sign-in should succeed |
+| Test rolling back FIDO2 device registration by turning off FIDO2 Security Keys within the Authentication method window in the Azure Active Directory portal| Users will: <li> be prompted to sign in using their security key <li> successfully sign in and see an error: ΓÇ£Your company policy requires that you use a different method to sign inΓÇ¥. <li>be able to select a different method and successfully sign in. Close the window and sign in again to verify they do not see the same error message. |
-The following are sample test cases for passwordless authentication with security keys.
-**Passwordless FIDO sign-in to Azure Active Directory Joined Windows 10 devices**
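Review bot: In the web apps table, the rollback row puts three `<li>` items in a table cell with no enclosing `<ul>` and no closing tags; wrap them in `<ul>` and `</ul>` or return to the plain sentences of the removed row. "Close the window and sign in again to verify they do not see the same error message" is now attached to the third list item although it is an instruction to the tester, not a user outcome. The first row of the Windows table still reads "using at Settings", carried over from the removed line, and the two new headings disagree on "sign in" versus "sign-in".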
+### Troubleshoot security key sign-in
+
-| Scenario | Expected results |
-| | |
-| The user can register FIDO2 device (1809) | User can register FIDO2 device using at Settings > Accounts > sign in options > Security Key |
-| The user can reset FIDO2 device (1809) | User can reset FIDO2 device using manufacturer software |
-| The user can sign in with FIDO2 device (1809) | User can select Security Key from the sign-in window, and successfully sign in. |
-| The user can register FIDO2 device (1903) | User can register FIDO2 device at Settings > Accounts > sign in options > Security Key |
-| The user can reset FIDO2 device (1903) | User can reset FIDO2 device at Settings > Accounts > sign in options > Security Key |
-| The user can sign in with FIDO2 device (1903) | User can select Security Key from the sign-in window, and successfully sign in. |
+| Scenario| Solution |
+| - | -|
+| User canΓÇÖt perform combined registration.| Ensure [combined registration](concept-registration-mfa-sspr-combined.md) is enabled. |
+| User canΓÇÖt add a security key in their [security settings](https://aka.ms/mysecurityinfo).| Ensure that [security keys](howto-authentication-passwordless-security-key.md) are enabled. |
+| User canΓÇÖt add security key in Windows 10 sign-in options.| [Ensure that security keys for Windows sign in](concept-authentication-passwordless.md) are enabled |
+| **Error message**: We detected that this browser or OS doesnΓÇÖt support FIDO2 security keys.| Passwordless FIDO2 security devices can only be registered in supported browsers (Microsoft Edge, Firefox version 67) o Windows 10 version 1809 or higher. |
+| **Error message**: Your company policy requires that you use a different method to sign in.| Ensure security keys are enabled in the tenant. |
+| User unable to manage my security key on Windows 10 version 1809| Version 1809 requires that you use the security key management software provided by the FIDO2 key vendor. Contact the vendor for support. |
+| I think my FIDO2 security key may be defectiveΓÇöhow can I test it.| Navigate to [https://webauthntest.azurewebsites.net/](https://webauthntest.azurewebsites.net/), enter credentials for a test account, plug in the suspect security key, select the + button at the top right of the screen, select create, and go through the creation process. If this scenario fails, your device may be defective. |
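Review bot: The browser/OS error row now reads "(Microsoft Edge, Firefox version 67) o Windows 10 version 1809 or higher", where the removed line had "on Windows 10"; restore the dropped letter. The "Windows 10 sign-in options" row gains "are enabled" but has no final period, unlike the rows around it. The last two scenario cells mix third and first person ("User unable to manage my security key", "I think my FIDO2 security key may be defective"); phrase them like the other rows.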
-**Passwordless FIDO sign-in to Azure AD web apps**
-| Scenario | Expected results |
-| | |
-| The user can register FIDO2 device at aka.ms/mysecurityinfo using Microsoft Edge | Registration should succeed |
-| The user can register FIDO2 device at aka.ms/mysecurityinfo using Firefox | Registration should succeed |
-| The user can sign in to OneDrive online using FIDO2 device using Microsoft Edge | Sign-in should succeed |
-| The user can sign in to OneDrive online using FIDO2 device using Firefox | Sign-in should succeed |
-| Test rolling back FIDO2 device registration by turning off FIDO2 Security Keys within the Authentication method window in the Azure Active Directory portal | Users will be prompted to sign in using their security key. Users will successfully sign in and an error will be displayed: "Your company policy requires that you use a different method to sign in". Users should then be able to select a different method and successfully sign in. Close the window and sign in again to verify they do not see the same error message. |
+## Manage passwordless authentication
-### Plan for rollback
+To manage your userΓÇÖs passwordless authentication methods in the [Azure portal](https://portal.azure.com/), select your user account, and then select Authentication methods.
+
+### Microsoft Graph APIs
+
+You can also manage the passwordless authentication methods using the authentication methods API in Microsoft Graph. For example:
+
+* You can retrieve details of a user's FIDO2 Security Key and delete it if the user has lost the key.
+
+* You can retrieve details of a user's Microsoft Authenticator registration and delete it if the user has lost the phone.
+
+* Manage your authentication method policies for security keys and Microsoft Authenticator app.
+
+For more information on what authentication methods can be managed in Microsoft Graph, see [Azure AD authentication methods API overview](https://docs.microsoft.com/graph/api/resources/authenticationmethods-overview?view=graph-rest-beta).
+
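Review bot: The overview link that closes the Microsoft Graph section is an absolute `https://docs.microsoft.com/...` URL pinned to `view=graph-rest-beta`, while most other links in this change are relative. If the beta endpoints are what is intended, say so in the sentence, since the link target is the only place that tells the reader. The third bullet ("Manage your authentication method policies...") is not parallel with the first two, which both start with "You can".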
+### Rollback
Though passwordless authentication is a lightweight feature with minimal impact on end users, it may be necessary to roll back.
-Rolling back requires the administrator to sign in to the Azure Active Directory portal, select the desired strong authentication methods, and change the enable option to **No**. This process turns off the passwordless functionality for all users.
+Rolling back requires the administrator to sign in to the Azure portal, select the desired strong authentication methods, and change the enable option to No. This process turns off the passwordless functionality for all users.
-Users that have already registered FIDO2 security devices are prompted to use the security device at their next sign-in, and then see the following error:
-
-![choose a different way to sign in](./media/howto-authentication-passwordless-deployment/passwordless-choose-sign-in.png)
+![Passwordless rollback](media/howto-authentication-passwordless-deployment/passwordless-rollback.png)
-## Deploy and troubleshoot passwordless authentication
+Users who have already registered FIDO2 security devices are prompted to use the security device at their next sign-in, and then see the following error:
-Follow the steps aligned to your chosen method below.
+![Error window for password rollback](media/howto-authentication-passwordless-deployment/passswordless-rollback-error-window.png)
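Review bot: The image path in the last added line is `passswordless-rollback-error-window.png`, with three "s" characters; confirm the file in the media folder has the same spelling, otherwise the image will not resolve. The alt text says "password rollback" in a section about passwordless rollback, and the "No" option in the rollback sentence lost the bold it had in the removed line.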
-### Required administrative roles
+### Reporting and monitoring
-| Azure AD Role | Description |
-| | |
-| Global Administrator|Least privileged role able to implement combined registration experience. |
-| Authentication Administrator | Least privileged role able to implement and manage authentication methods. |
-| User | Least privileged role to configure Authenticator app on device, or to enroll security key device for web or Windows 10 sign-in. |
+Azure AD has reports that provide technical and business insights. Have your business and technical application owners assume ownership of and consume these reports based on your organizationΓÇÖs requirements.
-### Deploy phone sign-in with the Microsoft Authenticator app
+The following table provides some examples of typical reporting scenarios:
-Follow the steps in the article, [Enable passwordless sign-in with the Microsoft Authenticator app](howto-authentication-passwordless-phone.md) to enable the Microsoft Authenticator app as a passwordless authentication method in your organization.
+| Manage risk| Increase productivity| Governance and compliance|
+|-|-|-|
+| Report types| Authentication methods- users registered for combined security registration| Authentication methods ΓÇô users registered for app notification| Sign-ins: review who is accessing the tenant and how |
+| Potential actions| Target users not yet registered| Drive adoption of Microsoft Authenticator app or security keys| Revoke access or enforce additional security policies for admins |
-### Deploy FIDO2 security key sign-in
+
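Review bot: The header row of the reporting table has three cells (`| Manage risk| Increase productivity| Governance and compliance|`) and the separator has three columns, but both data rows have four cells. The removed version had an empty leading header cell, so the headers now sit one column to the left, over the row labels. Add the empty first header cell and a fourth separator column; the row labels "Report types" and "Potential actions" also lost their bold.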
-Follow the steps in the article, [Enable passwordless security key sign in for Azure AD](howto-authentication-passwordless-security-key.md) to enable FIDO2 security keys as passwordless authentication methods.
+#### Track usage and insights
-### Troubleshoot phone sign-in
+Azure AD adds entries to the audit logs when:
-| Scenario | Solution |
-| | |
-| User cannot perform combined registration. | Ensure [combined registration](concept-registration-mfa-sspr-combined.md) is enabled. |
-| User cannot enable phone sign-in authenticator app. | Ensure user is in scope for deployment. |
-| User is NOT in scope for passwordless authentication, but is presented with passwordless sign-in option, which they cannot complete. | This scenario occurs when the user has enabled phone sign-in in the application prior to the policy being created. <br> *To enable sign in*: Add the user to the scope of users enabled for passwordless sign-in. <br> *To block sign in*: have the user remove their credential from that application. |
+* An admin makes changes in the Authentication methods section.
-### Troubleshoot security key sign-in
+* A user makes any kind of change to their credentials within Azure AD.
+
+* A user enables or disables their account on a security key or resets the second factor for the security key on their Win 10 machine. See event IDs: 4670 and 5382.
+
+**Azure AD keeps most auditing data for 30 days** and makes the data available via Azure Admin portal or API for you to download into your analysis systems. If you require longer retention, export and consume logs in a SIEM tool such as [Azure Sentinel](https://docs.microsoft.com/azure/sentinel/connect-azure-active-directory), Splunk, or Sumo Logic. We recommend longer retention for auditing, trend analysis, and other business needs as applicable
+
+There are two tabs in the Authentication methods activity dashboard - Registration and Usage.
+
+The [Registration tab](https://portal.azure.com/) shows the number of users capable of passwordless authentication as well as other authentication methods. This tab displays two graphs:
+
+* Users registered by authentication method.
-| Scenario | Solution |
-| | |
-| User can't perform combined registration. | Ensure [combined registration](concept-registration-mfa-sspr-combined.md) is enabled. |
-| User can't add a security key in their [security settings](https://aka.ms/mysecurityinfo). | Ensure that [security keys](howto-authentication-passwordless-security-key.md) are enabled. |
-| User can't add security key in Windows 10 sign-in options. | [Ensure that security keys for Windows sign in](./concept-authentication-passwordless.md) |
-| **Error message**: We detected that this browser or OS doesn't support FIDO2 security keys. | Passwordless FIDO2 security devices can only be registered in supported browsers (Microsoft Edge, Firefox version 67) on Windows 10 version 1809 or higher. |
-| **Error message**: Your company policy requires that you use a different method to sign in. | Unsure security keys are enabled in the tenant. |
-| User unable to manage my security key on Windows 10 version 1809 | Version 1809 requires that you use the security key management software provided by the FIDO2 key vendor. Contact the vendor for support. |
-| I think my FIDO2 security key may be defectiveΓÇöhow can I test it. | Navigate to [https://webauthntest.azurewebsites.net/](https://webauthntest.azurewebsites.net/), enter credentials for a test account, plug in the suspect security key, select the **+** button at the top right of the screen, click create, and go through the creation process. If this scenario fails, your device may be defective. |
+* Recent registration by authentication method.
+
+![Registration tab to view auth methods](media/howto-authentication-passwordless-deployment/monitoring-registration-tab.png)
+
+The [Usage tab ](https://portal.azure.com/)shows the sign-ins by authentication method.
+
+![Usage tab to view auth methods](media/howto-authentication-passwordless-deployment/monitoring-usage-tab.png)
+
+For more information, see [track registered authentication methods and usage across the Azure AD organization](howto-authentication-methods-activity.md).
+
+#### Sign-in activity reports
+
+Use the [sign-in activity report](../reports-monitoring/concept-sign-ins.md) to track the authentication methods used to sign in to the various applications.
+
+Select the user row, and then select the **Authentication Details** tab to view which authentication method was used for which sign-in activity.
+
+![Reporting sign-in activity](media/howto-authentication-passwordless-deployment/reporting-sign-in-activity.png)
## Next steps -- [Enable passwordless security keys for sign in for Azure AD](howto-authentication-passwordless-security-key.md)-- [Enable passwordless sign-in with the Microsoft Authenticator app](howto-authentication-passwordless-phone.md)-- [Learn more about Authentication methods usage & insights](./howto-authentication-methods-activity.md)
+* [Learn how passwordless authentication works](concept-authentication-passwordless.md)
+
+* [Deploy other identity features](https://aka.ms/deploymentplans)
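Review bot: In the added "Track usage and insights" text, the link `[Usage tab ](https://portal.azure.com/)shows` has a trailing space inside the link text and no space before "shows", and the retention paragraph ends at "as applicable" with no period. Both tab links point at the portal root rather than at the Authentication methods activity dashboard they describe. The bullet "See event IDs: 4670 and 5382" should say which log those IDs appear in, since the list is introduced as Azure AD audit log entries but the bullet refers to the user's Windows 10 machine. The visible lines also remove both troubleshooting tables and the Next steps links to the security key and phone sign-in how-to articles. If that content moved elsewhere, a pointer to it from this section would help readers who arrive looking for it.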
active-directory Concept Conditional Access Cloud Apps https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/conditional-access/concept-conditional-access-cloud-apps.md
Previously updated : 05/20/2021 Last updated : 06/08/2021
Cloud apps, actions, and authentication context are key signals in a Conditional
- Administrators can choose from the list of applications that include built-in Microsoft applications and any [Azure AD integrated applications](../manage-apps/what-is-application-management.md) including gallery, non-gallery, and applications published through [Application Proxy](../app-proxy/what-is-application-proxy.md). - Administrators may choose to define policy not based on a cloud application but on a [user action](#user-actions) like **Register security information** or **Register or join devices (Preview)**, allowing Conditional Access to enforce controls around those actions.-- Administrators can use [authentication context](#authentication-context-preview) to provide an extra layer of security inside of applications.
+- Administrators can use [authentication context](#authentication-context-preview) to provide an extra layer of security in applications.
![Define a Conditional Access policy and specify cloud apps](./media/concept-conditional-access-cloud-apps/conditional-access-cloud-apps-or-actions.png)
Cloud apps, actions, and authentication context are key signals in a Conditional
Many of the existing Microsoft cloud applications are included in the list of applications you can select from.
-Administrators can assign a Conditional Access policy to the following cloud apps from Microsoft. Some apps like Office 365 and Microsoft Azure Management include multiple related child apps or services. We continually add more apps, so the following list is not exhaustive and is subject to change.
+Administrators can assign a Conditional Access policy to the following cloud apps from Microsoft. Some apps like Office 365 and Microsoft Azure Management include multiple related child apps or services. We continually add more apps, so the following list isn't exhaustive and is subject to change.
- [Office 365](#office-365) - Azure Analysis Services
Administrators can assign a Conditional Access policy to the following cloud app
- Virtual Private Network (VPN) - Windows Defender ATP
-Applications that are available to Conditional Access have gone through an onboarding and validation process. This list does not include all Microsoft apps, as many are backend services and not meant to have policy directly applied to them. If you are looking for an application that is missing, you can contact the specific application team or make a request on [UserVoice](https://feedback.azure.com/forums/169401-azure-active-directory?category_id=167259).
+Applications that are available to Conditional Access have gone through an onboarding and validation process. This list doesn't include all Microsoft apps, as many are backend services and not meant to have policy directly applied to them. If you're looking for an application that is missing, you can contact the specific application team or make a request on [UserVoice](https://feedback.azure.com/forums/169401-azure-active-directory?category_id=167259).
### Office 365 Microsoft 365 provides cloud-based productivity and collaboration services like Exchange, SharePoint, and Microsoft Teams. Microsoft 365 cloud services are deeply integrated to ensure smooth and collaborative experiences. This integration can cause confusion when creating policies as some apps such as Microsoft Teams have dependencies on others such as SharePoint or Exchange.
-The Office 365 app makes it possible to target these services all at once. We recommend using the new Office 365 app, instead of targeting individual cloud apps to avoid issues with [service dependencies](service-dependencies.md). Targeting this group of applications helps to avoid issues that may arise due to inconsistent policies and dependencies.
+The Office 365 suite makes it possible to target these services all at once. We recommend using the new Office 365 suite, instead of targeting individual cloud apps to avoid issues with [service dependencies](service-dependencies.md).
-Administrators can choose to exclude specific apps from policy if they wish by including the Office 365 app and excluding the specific apps of their choice in policy.
+Targeting this group of applications helps to avoid issues that may arise because of inconsistent policies and dependencies. For example: The Exchange Online app is tied to traditional Exchange Online data like mail, calendar, and contact information. Related metadata may be exposed through different resources like search. To ensure that all metadata is protected by as intended, administrators should assign policies to the Office 365 app.
-Key applications that are included in the Office 365 client app:
+Administrators can exclude specific apps from policy if they wish, including the Office 365 suite and excluding the specific apps in policy.
+
+The following key applications are included in the Office 365 client app:
- Microsoft Flow - Microsoft Forms
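Review bot: The new Office 365 paragraph has a stray word in "To ensure that all metadata is protected by as intended", which should read "protected as intended". The reworded exclusion sentence, "Administrators can exclude specific apps from policy if they wish, including the Office 365 suite and excluding the specific apps in policy", now reads as if the Office 365 suite is one of the things being excluded. The removed wording ("by including the Office 365 app and excluding the specific apps of their choice") was unambiguous, so suggest keeping "by including". The change also renames "Office 365 app" to "Office 365 suite" in two sentences but leaves "Office 365 app" in the new example and "Office 365 client app" in the list introduction. Pick one term, since an administrator needs to match it to the entry shown in the policy picker.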
Key applications that are included in the Office 365 client app:
### Microsoft Azure Management
-The Microsoft Azure Management application includes multiple underlying services.
+The Microsoft Azure Management application includes multiple services.
- Azure portal - Azure Resource Manager provider
active-directory Howto Get List Of All Active Directory Auth Library Apps https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/howto-get-list-of-all-active-directory-auth-library-apps.md
+
+ Title: "How to: Get a complete list of all apps using Active Directory Authentication Library (ADAL) in your tenant | Azure"
+
+description: In this how-to guide, you get a complete list of all apps that are using ADAL in your tenant.
++++++++ Last updated : 05/27/2021+++
+# Customer intent: As an application developer / IT admin, I need to know / identify which of my apps are using ADAL.
++
+# How to: Get a complete list of apps using ADAL in your tenant
+
+Support for Active Directory Authentication Library (ADAL) will end on June 30, 2022. Apps using ADAL on existing OS versions will continue to work, but technical support and security updates will end. Without continued security updates, apps using ADAL will become increasingly vulnerable to the latest security attack patterns. This article provides guidance on how to use Azure Monitor workbooks to obtain a list of all apps that use ADAL in your tenant.
+
+## Sign-ins workbook
+
+Workbooks are a set of queries that collect and visualize information that is available in Azure AD logs. [Learn more about the sign-in logs schema here](../reports-monitoring/reference-azure-monitor-sign-ins-log-schema.md). The Sign-ins workbook in the Azure AD admin portal now has a new table to assist you in determining which applications use ADAL and how often they are used. First, weΓÇÖll detail how to access the workbook before showing the visualization for the list of applications.
+
+### Access the workbook
+
+If your organization is new to Azure Monitoring workbooks, [integrate your Azure AD sign-in and audit logs with Azure Monitor](../reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md) before accessing the workbook. This integration allows you to store, query, and visualize your logs using workbooks for up to two years. Only sign-in and audit events created after Azure Monitor integration will be stored. Insights before the date of the Azure Monitor integration won't be available. You can use the workbook to assess past insights if your Azure AD sign-in and audit logs is already integrated with Azure Monitor.
+
+To access the workbook:
+
+1. Sign into the Azure portal
+2. Navigate toΓÇ»**Azure Active Directory**ΓÇ»>ΓÇ»**Monitoring**ΓÇ»>ΓÇ»**Workbooks**
+3. In the Usage section, open theΓÇ»**Sign-ins** workbook
+
+ :::image type="content" source="media/howto-get-list-of-all-active-directory-auth-library-apps/sign-in-workbook.png" alt-text="Screenshot of the Azure Active Directory portal workbooks interface highlighting the sign-ins workbook.":::
+
+### Identify apps using ADAL for authentication
+
+The Sign-ins workbook has a new table at the bottom of the page that can show you which recently used apps are using ADAL as shown below. You can also export a list of the apps. Update these apps to use MSAL.
++
+If there are no apps using ADAL, the workbook will display a view as shown below.
++
+## Next steps
+
+After identifying your apps, we recommend you [start migrating all ADAL apps to MSAL](msal-migration.md).
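Review bot: In "Access the workbook", the sentence "if your Azure AD sign-in and audit logs is already integrated with Azure Monitor" needs "are", and "Azure Monitoring workbooks" should be "Azure Monitor workbooks" to match the introduction. Under "Identify apps using ADAL for authentication", both "as shown below" references are followed only by an empty line in the added text, so either the image references are missing or the phrases should be dropped. The numbered steps also lack terminal periods. It would help to state up front that the table only covers sign-ins recorded after the Azure Monitor integration was enabled, because an empty table on a recently integrated tenant does not show that no apps use ADAL.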
active-directory Enterprise State Roaming Enable https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/devices/enterprise-state-roaming-enable.md
Enterprise State Roaming is available to any organization with an Azure AD Premium or Enterprise Mobility + Security (EMS) license. For more information on how to get an Azure AD subscription, see the [Azure AD product page](https://azure.microsoft.com/services/active-directory).
-When you enable Enterprise State Roaming, your organization is automatically granted a free, limited-use license for Azure Rights Management protection from Azure Information Protection. This free subscription is limited to encrypting and decrypting enterprise settings and application data synced by Enterprise State Roaming. You must have [a paid subscription](https://azure.microsoft.com/pricing/details/information-protection/) to use the full capabilities of the Azure Rights Management service.
+When you enable Enterprise State Roaming, your organization is automatically granted a free, limited-use license for Azure Rights Management protection from Azure Information Protection. This free subscription is limited to encrypting and decrypting enterprise settings and application data synced by Enterprise State Roaming. You must have [a paid subscription](https://azure.microsoft.com/services/information-protection/) to use the full capabilities of the Azure Rights Management service.
> [!NOTE] > This article applies to the Microsoft Edge Legacy HTML-based browser launched with Windows 10 in July 2015. The article does not apply to the new Microsoft Edge Chromium-based browser released on January 15, 2020. For more information on the Sync behavior for the new Microsoft Edge, see the article [Microsoft Edge Sync](/deployedge/microsoft-edge-enterprise-sync).
The data retention policy is not configurable. Once the data is permanently dele
* [Settings and data roaming FAQ](enterprise-state-roaming-faqs.yml) * [Group Policy and MDM settings for settings sync](enterprise-state-roaming-group-policy-settings.md) * [Windows 10 roaming settings reference](enterprise-state-roaming-windows-settings-reference.md)
-* [Troubleshooting](enterprise-state-roaming-troubleshooting.md)
+* [Troubleshooting](enterprise-state-roaming-troubleshooting.md)
active-directory Protect M365 From On Premises Attacks https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/protect-m365-from-on-premises-attacks.md
Use Azure AD capabilities to securely manage devices.
as the source of authority for all device management workloads. - [**Deploy privileged access devices**](/security/compass/privileged-access-devices#device-roles-and-profiles):
- Use privileged access to manage Microsoft 365 and Azure AD.
+ Use privileged access to manage Microsoft 365 and Azure AD as part of a complete approach to [Securing privileged access](/security/compass/overview).
## Workloads, applications, and resources
Define a log storage and retention strategy, design, and implementation to facil
* [Build resilience into identity and access management by using Azure AD](resilience-overview.md) * [Secure external access to resources](secure-external-access-resources.md)
-* [Integrate all your apps with Azure AD](five-steps-to-full-application-integration-with-azure-ad.md)
+* [Integrate all your apps with Azure AD](five-steps-to-full-application-integration-with-azure-ad.md)
active-directory Sync Ldap https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/sync-ldap.md
You need to synchronize identity data between your on-premises LDAP v3 directori
* [Overview and creation a LDAP Connector](/microsoft-identity-manager/reference/microsoft-identity-manager-2016-connector-genericldap) > [!NOTE]
- > LDAP Connectors are an advanced configuration requiring some familiarity with Forefront Identity Manager and/or Microsoft Identity Manager. If used in production, we advise questions about this configuration should go through [Premier Support](https://support.microsoft.com/premier) or Microsoft Partner Network.
-
+ > Deploying the LDAP Connector requires an advanced configuration and this connector is provided under limited support. Configuring this connector requires familiarity with Microsoft Identity Manager and the specific LDAP directory.
+ >
+ > Customers who require to deploy this configuration in a production environment are recommended to work with a partner such as Microsoft Consulting Services for help, guidance and support for this configuration.
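Review bot: The replacement note's second paragraph, "Customers who require to deploy this configuration in a production environment are recommended to work with a partner", is ungrammatical. Suggest "Customers who need to deploy this configuration in production should work with a partner such as Microsoft Consulting Services". The note also says the connector is "provided under limited support" without saying what that covers, while the removed text named Premier Support and the Microsoft Partner Network as the channels for questions. Either link to a definition of limited support or keep a concrete support route.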
active-directory Entitlement Management Delegate Catalog https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/governance/entitlement-management-delegate-catalog.md
# Delegate access governance to catalog creators in Azure AD entitlement management
-A catalog is a container of resources and access packages. You create a catalog when you want to group related resources and access packages. By default, a Global administrator or a User administrator can [create a catalog](entitlement-management-catalog-create.md), and can add additional users as catalog owners.
+A catalog is a container of resources and access packages. You create a catalog when you want to group related resources and access packages. By default, a Global administrator or an Identity governance administrator can [create a catalog](entitlement-management-catalog-create.md), and can add additional users as catalog owners.
To delegate to users who aren't administrators, so that they can create their own catalogs, you can add those users to the Azure AD entitlement management-defined catalog creator role. You can add individual users, or you can add a group, whose members are then able to create catalogs. After creating a catalog, they can subsequently add resources they own to their catalog.
active-directory Entitlement Management Delegate https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/governance/entitlement-management-delegate.md
# Delegation and roles in Azure AD entitlement management
-By default, Global administrators and User administrators can create and manage all aspects of Azure AD entitlement management. However, the users in these roles may not know all the situations where access packages are required. Typically it's users within the respective departments, teams, or projects who know who they're collaborating with, using what resources, and for how long. Instead of granting unrestricted permissions to non-administrators, you can grant users the least permissions they need to do their job and avoid creating conflicting or inappropriate access rights.
+By default, Global administrators and Identity governance administrators can create and manage all aspects of Azure AD entitlement management. However, the users in these roles may not know all the situations where access packages are required. Typically it's users within the respective departments, teams, or projects who know who they're collaborating with, using what resources, and for how long. Instead of granting unrestricted permissions to non-administrators, you can grant users the least permissions they need to do their job and avoid creating conflicting or inappropriate access rights.
This video provides an overview of how to delegate access governance from IT administrator to users who aren't administrators.
After delegation, the marketing department might have roles similar to the follo
| User | Job role | Azure AD role | Entitlement management role | | | | | |
-| Hana | IT administrator | Global administrator, Identity Governance administrator or User administrator | |
+| Hana | IT administrator | Global administrator or Identity Governance administrator | |
| Mamta | Marketing manager | User | Catalog creator and Catalog owner | | Bob | Marketing lead | User | Catalog owner | | Jessica | Marketing project manager | User | Access package manager |
The following table lists the tasks that the entitlement management roles can do
A Global administrator can add or remove any group (cloud-created security groups or cloud-created Microsoft 365 Groups), application, or SharePoint Online site in a catalog. A User administrator can add or remove any group or application in a catalog, except for a group configured as assignable to a directory role. Note that a user administrator can manage access packages in a catalog that includes groups configured as assignable to a directory role. For more information on role-assignable groups, reference [Create a role-assignable group in Azure Active Directory](../roles/groups-create-eligible.md).
-For a user who isn't a Global administrator or a User administrator, to add groups, applications, or SharePoint Online sites to a catalog, that user must have *both* the required Azure AD directory role and catalog owner entitlement management role. The following table lists the role combinations that are required to add resources to a catalog. To remove resources from a catalog, you must have the same roles.
+For a user who isn't a global administrator, to add groups, applications, or SharePoint Online sites to a catalog, that user must have *both* an Azure AD directory role or ownership of the resource, and a and catalog owner entitlement management role for the catalog. The following table lists the role combinations that are required to add resources to a catalog. To remove resources from a catalog, you must have the same roles.
| Azure AD directory role | Entitlement management role | Can add security group | Can add Microsoft 365 Group | Can add app | Can add SharePoint Online site | | | :: | :: | :: | :: | :: |
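Review bot: The rewritten sentence contains a duplicated conjunction in "and a and catalog owner entitlement management role for the catalog", which should read "and a catalog owner entitlement management role". It also lowercases "global administrator" where the rest of the page writes "Global administrator". The paragraph just above still describes what "A User administrator" can add or remove in a catalog, while this change and the intro change replace User administrator with Identity governance administrator as a default role. Please confirm whether that paragraph should be updated too, so readers assigning least-privileged roles are not left with two different answers on the same page.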
active-directory Identity Governance Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/governance/identity-governance-overview.md
It's a best practice to use the least privileged role to perform administrative
| Feature | Least privileged role | | - | |
-| Entitlement management | User administrator (with the exception of adding SharePoint Online sites to catalogs, which requires Global administrator) |
+| Entitlement management | Identity Governance Administrator |
| Access reviews | User administrator (with the exception of access reviews of Azure or Azure AD roles, which requires Privileged role administrator) | |Privileged Identity Management | Privileged role administrator | | Terms of use | Security administrator or Conditional access administrator | >[!NOTE]
->The least privileged role for Entitlement management will be changing from the User Administrator role to the Identity Governance Administrator role.
+>The least privileged role for Entitlement management has changed from the User Administrator role to the Identity Governance Administrator role.
## Next steps
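Review bot: The new Entitlement management row drops the parenthetical exception that adding SharePoint Online sites to catalogs requires Global administrator. If the Identity Governance Administrator role can now do that, say so; if not, keep the exception, because this table is what readers use to pick the least privileged role. With the row already naming Identity Governance Administrator, the note stating that the role "has changed from the User Administrator role" only records history. Consider removing it, or adding what holders of User Administrator should do.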
active-directory How To Connect Sso Quick Start https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/hybrid/how-to-connect-sso-quick-start.md
In Step 2, Azure AD Connect creates computer accounts (representing Azure AD) in
>[!IMPORTANT] >The Kerberos decryption key on a computer account, if leaked, can be used to generate Kerberos tickets for any user in its AD forest. Malicious actors can then impersonate Azure AD sign-ins for compromised users. We highly recommend that you periodically roll over these Kerberos decryption keys - at least once every 30 days.
-For instructions on how to roll over keys, see [Azure Active Directory Seamless Single Sign-On: Frequently asked questions](how-to-connect-sso-faq.md). We are working on a capability to introduce automated roll over of keys.
+For instructions on how to roll over keys, see [Azure Active Directory Seamless Single Sign-On: Frequently asked questions](how-to-connect-sso-faq.md).
>[!IMPORTANT] >You don't need to do this step _immediately_ after you have enabled the feature. Roll over the Kerberos decryption keys at least once every 30 days.
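Review bot: With the sentence about a planned automated rollover removed, this section no longer indicates whether rolling over the Kerberos decryption key is a manual task. Given the callout above states that a leaked key can be used to generate Kerberos tickets for any user in the forest, suggest saying explicitly that rollover is performed by the administrator and linking directly to the rollover procedure in the FAQ rather than to the FAQ page as a whole. The two IMPORTANT callouts around this line both repeat the 30-day interval and could be merged.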
active-directory Reference Connect Adsync https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/hybrid/reference-connect-adsync.md
+
+ Title: 'Azure AD Connect: ADSync PowerShell Reference | Microsoft Docs'
+description: This document provides reference information for the ADSync.psm1 PowerShell module.
++++ Last updated : 11/30/2020++++++++
+# Azure AD Connect: ADSync PowerShell Reference
+The following documentation provides reference information for the ADSync.psm1 PowerShell Module that is included with Azure AD Connect.
++
+## Add-ADSyncADDSConnectorAccount
+
+ ### SYNOPSIS
+ This cmdlet resets the password for the service account and updates it both in Azure AD and in the sync engine.
+
+ ### SYNTAX
+ #### byIdentifier
+ ```
+ Add-ADSyncADDSConnectorAccount [-Identifier] <Guid> [-EACredential <PSCredential>] [<CommonParameters>]
+ ```
+
+ #### byName
+ ```
+ Add-ADSyncADDSConnectorAccount [-Name] <String> [-EACredential <PSCredential>] [<CommonParameters>]
+ ```
+
+ ### DESCRIPTION
+ This cmdlet resets the password for the service account and updates it both in Azure AD and in the sync engine.
+
+ ### EXAMPLES
+
+ #### Example 1
+ ```powershell
+ PS C:\> Add-ADSyncADDSConnectorAccount -Name contoso.com -EACredential $EAcredentials
+ ```
+
+ Resets the password for the service account connected to contoso.com.
+
+ ### PARAMETERS
+
+ #### -EACredential
+ Credentials for an Enterprise Administrator account in the Active Directory.
+
+ ```yaml
+ Type: PSCredential
+ Parameter Sets: (All)
+ Aliases:
+
+ Required: False
+ Position: Named
+ Default value: None
+ Accept pipeline input: False
+ Accept wildcard characters: False
+ ```
+
+ #### -Identifier
+ Identifier of the connector whose service account's password needs to be reset.
+
+ ```yaml
+ Type: Guid
+ Parameter Sets: byIdentifier
+ Aliases:
+
+ Required: True
+ Position: 0
+ Default value: None
+ Accept pipeline input: True (ByValue)
+ Accept wildcard characters: False
+ ```
+
+ #### -Name
+ Name of the connector.
+
+ ```yaml
+ Type: String
+ Parameter Sets: byName
+ Aliases:
+
+ Required: True
+ Position: 1
+ Default value: None
+ Accept pipeline input: True (ByValue)
+ Accept wildcard characters: False
+ ```
+
+ #### CommonParameters
+ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](https://go.microsoft.com/fwlink/?LinkID=113216).
+
+ ### INPUTS
+
+ #### System.Guid
+
+ #### System.String
+
+ ### OUTPUTS
+
+ #### System.Object
+++
+## Disable-ADSyncExportDeletionThreshold
+
+ ### SYNOPSIS
+ Disables feature for deletion threshold at Export stage.
+
+ ### SYNTAX
+
+ ```
+ Disable-ADSyncExportDeletionThreshold [[-AADCredential] <PSCredential>] [-WhatIf] [-Confirm]
+ [<CommonParameters>]
+ ```
+
+ ### DESCRIPTION
+ Disables feature for deletion threshold at Export stage.
+
+ ### EXAMPLES
+
+ #### Example 1
+ ```powershell
+ PS C:\> Disable-ADSyncExportDeletionThreshold -AADCredential $aadCreds
+ ```
+
+ Uses the provided AAD Credentials to disable the feature for export deletion threshold.
+
+ ### PARAMETERS
+
+ #### -AADCredential
+ The AAD credential.
+
+ ```yaml
+ Type: PSCredential
+ Parameter Sets: (All)
+ Aliases:
+
+ Required: False
+ Position: 1
+ Default value: None
+ Accept pipeline input: True (ByPropertyName)
+ Accept wildcard characters: False
+ ```
+
+ #### -Confirm
+ Parameter switch for prompting for confirmation.
+
+ ```yaml
+ Type: SwitchParameter
+ Parameter Sets: (All)
+ Aliases: cf
+
+ Required: False
+ Position: Named
+ Default value: None
+ Accept pipeline input: False
+ Accept wildcard characters: False
+ ```
+
+ #### -WhatIf
+ Shows what would happen if the cmdlet runs.
+ The cmdlet is not run.
+
+ ```yaml
+ Type: SwitchParameter
+ Parameter Sets: (All)
+ Aliases: wi
+
+ Required: False
+ Position: Named
+ Default value: None
+ Accept pipeline input: False
+ Accept wildcard characters: False
+ ```
+
+ #### CommonParameters
+ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](https://go.microsoft.com/fwlink/?LinkID=113216).
+
+ ### INPUTS
+
+ #### System.Management.Automation.PSCredential
+
+ ### OUTPUTS
+
+ #### System.Object
+
+## Enable-ADSyncExportDeletionThreshold
+
+ ### SYNOPSIS
+ Enables Export Deletion threshold feature and sets a value for the threshold.
+
+ ### SYNTAX
+
+ ```
+ Enable-ADSyncExportDeletionThreshold [-DeletionThreshold] <UInt32> [[-AADCredential] <PSCredential>] [-WhatIf]
+ [-Confirm] [<CommonParameters>]
+ ```
+
+ ### DESCRIPTION
+ Enables Export Deletion threshold feature and sets a value for the threshold.
+
+ ### EXAMPLES
+
+ #### Example 1
+ ```powershell
+ PS C:\> Enable-ADSyncExportDeletionThreshold -DeletionThreshold 777 -AADCredential $aadCreds
+ ```
+
+ Enables export deletion threshold feature and sets the deletion threshold to 777.
+
+ ### PARAMETERS
+
+ #### -AADCredential
+ The AAD credential.
+
+ ```yaml
+ Type: PSCredential
+ Parameter Sets: (All)
+ Aliases:
+
+ Required: False
+ Position: 2
+ Default value: None
+ Accept pipeline input: True (ByPropertyName)
+ Accept wildcard characters: False
+ ```
+
+ #### -Confirm
+ Prompts you for confirmation before running the cmdlet.
+
+ ```yaml
+ Type: SwitchParameter
+ Parameter Sets: (All)
+ Aliases: cf
+
+ Required: False
+ Position: Named
+ Default value: None
+ Accept pipeline input: False
+ Accept wildcard characters: False
+ ```
+
+ #### -DeletionThreshold
+ The deletion threshold.
+
+ ```yaml
+ Type: UInt32
+ Parameter Sets: (All)
+ Aliases:
+
+ Required: True
+ Position: 1
+ Default value: None
+ Accept pipeline input: True (ByPropertyName)
+ Accept wildcard characters: False
+ ```
+
+ #### -WhatIf
+ Shows what would happen if the cmdlet runs.
+ The cmdlet is not run.
+
+ ```yaml
+ Type: SwitchParameter
+ Parameter Sets: (All)
+ Aliases: wi
+
+ Required: False
+ Position: Named
+ Default value: None
+ Accept pipeline input: False
+ Accept wildcard characters: False
+ ```
+
+ #### CommonParameters
+ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](https://go.microsoft.com/fwlink/?LinkID=113216).
+
+ ### INPUTS
+
+ #### System.UInt32
+
+ #### Sytem.Management.Automation.PSCredential
+
+ ### OUTPUTS
+
+ #### System.Object
++
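Review bot: Under INPUTS for Enable-ADSyncExportDeletionThreshold, the type name is misspelled as "Sytem.Management.Automation.PSCredential"; it should be "System.Management.Automation.PSCredential", as written in the Disable-ADSyncExportDeletionThreshold section. The `-DeletionThreshold` parameter is documented only as "The deletion threshold.", which does not say what is counted or what happens when the value is exceeded, and the DESCRIPTION for both the Enable and Disable cmdlets repeats the SYNOPSIS word for word. Because disabling this feature removes a limit on deletions at export, the Disable cmdlet's description should state what the threshold protects against. The two sections also describe `-Confirm` differently ("Parameter switch for prompting for confirmation." versus "Prompts you for confirmation before running the cmdlet."); use one wording.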
+## Get-ADSyncAutoUpgrade
+
+ ### SYNOPSIS
+ Gets the status of AutoUpgrade on your installation.
+
+ ### SYNTAX
+
+ ```
+ Get-ADSyncAutoUpgrade [-Detail] [<CommonParameters>]
+ ```
+
+ ### DESCRIPTION
+ Gets the status of AutoUpgrade on your installation.
+
+ ### EXAMPLES
+
+ #### Example 1
+ ```powershell
+ PS C:\> Get-ADSyncAutoUpgrade -Detail
+ ```
+
+ Returns the AutoUpgrade status of the installation and shows the suspension reason if AutoUpgrade is suspended.
+
+ ### PARAMETERS
+
+ #### -Detail
+ If the AutoUpgrade state is suspended, using this parameter shows the suspension reason.
+
+ ```yaml
+ Type: SwitchParameter
+ Parameter Sets: (All)
+ Aliases:
+
+ Required: False
+ Position: 1
+ Default value: None
+ Accept pipeline input: False
+ Accept wildcard characters: False
+ ```
+
+ #### CommonParameters
+ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](https://go.microsoft.com/fwlink/?LinkID=113216).
+
+ ### INPUTS
+
+ #### None
+
+ ### OUTPUTS
+
+ #### System.Object
+
+## Get-ADSyncCSObject
+
+ ### SYNOPSIS
+ Gets the specified Connector Space object.
+
+ ### SYNTAX
+
+ #### SearchByIdentifier
+ ```
+ Get-ADSyncCSObject [-Identifier] <Guid> [<CommonParameters>]
+ ```
+
+ #### SearchByConnectorIdentifierDistinguishedName
+ ```
+ Get-ADSyncCSObject [-ConnectorIdentifier] <Guid> [-DistinguishedName] <String> [-SkipDNValidation] [-Transient]
+ [<CommonParameters>]
+ ```
+
+ #### SearchByConnectorIdentifier
+ ```
+ Get-ADSyncCSObject [-ConnectorIdentifier] <Guid> [-Transient] [-StartIndex <Int32>] [-MaxResultCount <Int32>]
+ [<CommonParameters>]
+ ```
+
+ #### SearchByConnectorNameDistinguishedName
+ ```
+ Get-ADSyncCSObject [-ConnectorName] <String> [-DistinguishedName] <String> [-SkipDNValidation] [-Transient]
+ [<CommonParameters>]
+ ```
+
+ #### SearchByConnectorName
+ ```
+ Get-ADSyncCSObject [-ConnectorName] <String> [-Transient] [-StartIndex <Int32>] [-MaxResultCount <Int32>]
+ [<CommonParameters>]
+ ```
+
+ ### DESCRIPTION
+ Gets the specified Connector Space object.
+
+ ### EXAMPLES
+
+ #### Example 1
+ ```powershell
+ PS C:\> Get-ADSyncCSObject -ConnectorName "contoso.com" -DistinguishedName "CN=fabrikam,CN=Users,DC=contoso,DC=com"
+ ```
+
+ Gets the CS object for the user fabrikam in the contoso.com domain.
+
+ ### PARAMETERS
+
+ #### -ConnectorIdentifier
+ The identifier of the connector.
+
+ ```yaml
+ Type: Guid
+ Parameter Sets: SearchByConnectorIdentifierDistinguishedName, SearchByConnectorIdentifier
+ Aliases:
+
+ Required: True
+ Position: 0
+ Default value: None
+ Accept pipeline input: False
+ Accept wildcard characters: False
+ ```
+
+ #### -ConnectorName
+ The name of the connector.
+
+ ```yaml
+ Type: String
+ Parameter Sets: SearchByConnectorNameDistinguishedName, SearchByConnectorName
+ Aliases:
+
+ Required: True
+ Position: 0
+ Default value: None
+ Accept pipeline input: False
+ Accept wildcard characters: False
+ ```
+
+ #### -DistinguishedName
+ The distinguished name of the connector space object.
+
+ ```yaml
+ Type: String
+ Parameter Sets: SearchByConnectorIdentifierDistinguishedName, SearchByConnectorNameDistinguishedName
+ Aliases:
+
+ Required: True
+ Position: 1
+ Default value: None
+ Accept pipeline input: False
+ Accept wildcard characters: False
+ ```
+
+ #### -Identifier
+ The identifier of the connector space object.
+
+ ```yaml
+ Type: Guid
+ Parameter Sets: SearchByIdentifier
+ Aliases:
+
+ Required: True
+ Position: 0
+ Default value: None
+ Accept pipeline input: False
+ Accept wildcard characters: False
+ ```
+
+ #### -MaxResultCount
+ The max count of the result set.
+
+ ```yaml
+ Type: Int32
+ Parameter Sets: SearchByConnectorIdentifier, SearchByConnectorName
+ Aliases:
+
+ Required: False
+ Position: Named
+ Default value: None
+ Accept pipeline input: False
+ Accept wildcard characters: False
+ ```
+
+ #### -SkipDNValidation
+ Parameter Switch to Skip DN validation.
+
+ ```yaml
+ Type: SwitchParameter
+ Parameter Sets: SearchByConnectorIdentifierDistinguishedName, SearchByConnectorNameDistinguishedName
+ Aliases:
+
+ Required: False
+ Position: Named
+ Default value: None
+ Accept pipeline input: False
+ Accept wildcard characters: False
+ ```
+
+ #### -StartIndex
+ The start index to return the count from.
+
+ ```yaml
+ Type: Int32
+ Parameter Sets: SearchByConnectorIdentifier, SearchByConnectorName
+ Aliases:
+
+ Required: False
+ Position: Named
+ Default value: None
+ Accept pipeline input: False
+ Accept wildcard characters: False
+ ```
+
+ #### -Transient
+ Parameter Switch to get Transient CS objects.
+
+ ```yaml
+ Type: SwitchParameter
+ Parameter Sets: SearchByConnectorIdentifierDistinguishedName, SearchByConnectorIdentifier, SearchByConnectorNameDistinguishedName, SearchByConnectorName
+ Aliases:
+
+ Required: False
+ Position: Named
+ Default value: None
+ Accept pipeline input: False
+ Accept wildcard characters: False
+ ```
+
+ #### CommonParameters
+ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](https://go.microsoft.com/fwlink/?LinkID=113216).
+
+ ### INPUTS
+
+ #### None
+
+ ### OUTPUTS
+
+ #### System.Object
+
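Review bot: The `-SkipDNValidation` and `-Transient` descriptions only restate the switch names ("Parameter Switch to Skip DN validation", "Parameter Switch to get Transient CS objects") and never say what DN validation is performed or what makes a connector space object transient. State the behavior each switch changes. Also reword `-StartIndex` ("The start index to return the count from") so it is clear how it combines with `-MaxResultCount`.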
+## Get-ADSyncCSObjectLog
+
+ ### SYNOPSIS
+ Gets connector space object log entries.
+
+ ### SYNTAX
+
+ ```
+ Get-ADSyncCSObjectLog [-Identifier] <Guid> [-Count] <UInt32> [<CommonParameters>]
+ ```
+
+ ### DESCRIPTION
+ Gets connector space object log entries.
+
+ ### EXAMPLES
+
+ #### Example 1
+ ```powershell
+ PS C:\> Get-ADSyncCSObjectLog -Identifier "00000000-0000-0000-0000-000000000000" -Count 1
+ ```
+
+ Returns one object with the specified identifier.
+
+ ### PARAMETERS
+
+ #### -Count
+ Expected maximum number of connector space object log entries to retrieve.
+
+ ```yaml
+ Type: UInt32
+ Parameter Sets: (All)
+ Aliases:
+
+ Required: True
+ Position: 1
+ Default value: None
+ Accept pipeline input: False
+ Accept wildcard characters: False
+ ```
+
+ #### -Identifier
+ The connector space object identifier.
+
+ ```yaml
+ Type: Guid
+ Parameter Sets: (All)
+ Aliases:
+
+ Required: True
+ Position: 0
+ Default value: None
+ Accept pipeline input: False
+ Accept wildcard characters: False
+ ```
+
+ #### CommonParameters
+ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](https://go.microsoft.com/fwlink/?LinkID=113216).
+
+ ### INPUTS
+
+ #### None
+
+ ### OUTPUTS
+
+ #### System.Object
+
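Review bot: The Example 1 description, "Returns one object with the specified identifier", does not match the cmdlet. The synopsis says it gets connector space object log entries, `-Identifier` is the connector space object identifier, and `-Count` is the expected maximum number of log entries. Suggest something like "Returns at most one log entry for the connector space object with the specified identifier."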
+## Get-ADSyncDatabaseConfiguration
+
+ ### SYNOPSIS
+ Gets the configuration of the ADSync Database.
+
+ ### SYNTAX
+
+ ```
+ Get-ADSyncDatabaseConfiguration [<CommonParameters>]
+ ```
+
+ ### DESCRIPTION
+ Gets the configuration of the ADSync Database.
+
+ ### EXAMPLES
+
+ #### Example 1
+ ```powershell
+ PS C:\> Get-ADSyncDatabaseConfiguration
+ ```
+
+ Gets the configuration of the ADSync Database.
+
+ ### PARAMETERS
+
+ #### CommonParameters
+ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](https://go.microsoft.com/fwlink/?LinkID=113216).
+
+ ### INPUTS
+
+ #### None
+
+ ### OUTPUTS
+
+ #### System.Object
++
+## Get-ADSyncExportDeletionThreshold
+
+ ### SYNOPSIS
+ Gets the export deletion threshold from AAD.
+
+ ### SYNTAX
+
+ ```
+ Get-ADSyncExportDeletionThreshold [[-AADCredential] <PSCredential>] [-WhatIf] [-Confirm] [<CommonParameters>]
+ ```
+
+ ### DESCRIPTION
+ Gets the export deletion threshold from AAD.
+
+ ### EXAMPLES
+
+ #### Example 1
+ ```powershell
+ PS C:\> Get-ADSyncExportDeletionThreshold -AADCredential $aadCreds
+ ```
+
+ Gets the export deletion threshold from AAD using the specified AAD credentials.
+
+ ### PARAMETERS
+
+ #### -AADCredential
+ The AAD credential.
+
+ ```yaml
+ Type: PSCredential
+ Parameter Sets: (All)
+ Aliases:
+
+ Required: False
+ Position: 1
+ Default value: None
+ Accept pipeline input: True (ByPropertyName)
+ Accept wildcard characters: False
+ ```
+
+ #### -Confirm
+ Prompts you for confirmation before running the cmdlet.
+
+ ```yaml
+ Type: SwitchParameter
+ Parameter Sets: (All)
+ Aliases: cf
+
+ Required: False
+ Position: Named
+ Default value: None
+ Accept pipeline input: False
+ Accept wildcard characters: False
+ ```
+
+ #### -WhatIf
+ Shows what would happen if the cmdlet runs.
+ The cmdlet is not run.
+
+ ```yaml
+ Type: SwitchParameter
+ Parameter Sets: (All)
+ Aliases: wi
+
+ Required: False
+ Position: Named
+ Default value: None
+ Accept pipeline input: False
+ Accept wildcard characters: False
+ ```
+
+ #### CommonParameters
+ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](https://go.microsoft.com/fwlink/?LinkID=113216).
+
+ ### INPUTS
+
+ #### System.Management.Automation.PSCredential
+
+ ### OUTPUTS
+
+ #### System.Object
++
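Review bot: Example 1 passes `$aadCreds` without defining it, so the example cannot be run as written. Show how the credential object is obtained, for instance with a preceding `$aadCreds = Get-Credential` line. The `-AADCredential` block also lists `Position: 1` although it is the only positional parameter in the syntax line and other cmdlets on this page number positions from 0, and nothing says what happens when the optional credential is omitted.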
+## Get-ADSyncMVObject
+
+ ### SYNOPSIS
+ Gets a metaverse object.
+
+ ### SYNTAX
+
+ ```
+ Get-ADSyncMVObject -Identifier <Guid> [<CommonParameters>]
+ ```
+
+ ### DESCRIPTION
+ Gets a metaverse object.
+
+ ### EXAMPLES
+
+ #### Example 1
+ ```powershell
+ PS C:\> Get-ADSyncMVObject -Identifier "00000000-0000-0000-0000-000000000000"
+ ```
+
+ Gets metaverse object with the specified identifier.
+
+ ### PARAMETERS
+
+ #### -Identifier
+ The identifier of the metaverse object.
+
+ ```yaml
+ Type: Guid
+ Parameter Sets: (All)
+ Aliases:
+
+ Required: True
+ Position: Named
+ Default value: None
+ Accept pipeline input: False
+ Accept wildcard characters: False
+ ```
+
+ #### CommonParameters
+ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](https://go.microsoft.com/fwlink/?LinkID=113216).
+
+ ### INPUTS
+
+ #### None
+
+ ### OUTPUTS
+
+ #### System.Object
+
+## Get-ADSyncRunProfileResult
+
+ ### SYNOPSIS
+ Processes the inputs from the client and retrieves the run profile result(s).
+
+ ### SYNTAX
+
+ ```
+ Get-ADSyncRunProfileResult [-RunHistoryId <Guid>] [-ConnectorId <Guid>] [-RunProfileId <Guid>]
+ [-RunNumber <Int32>] [-NumberRequested <Int32>] [-RunStepDetails] [-StepNumber <Int32>] [-WhatIf] [-Confirm]
+ [<CommonParameters>]
+ ```
+
+ ### DESCRIPTION
+ Processes the inputs from the client and retrieves the run profile result(s).
+
+ ### EXAMPLES
+
+ #### Example 1
+ ```powershell
+ PS C:\> Get-ADSyncRunProfileResult -ConnectorId "00000000-0000-0000-0000-000000000000"
+ ```
+
+ Retrieves all sync run profile results for the specified connector.
+
+ ### PARAMETERS
+
+ #### -Confirm
+ Prompts you for confirmation before running the cmdlet.
+
+ ```yaml
+ Type: SwitchParameter
+ Parameter Sets: (All)
+ Aliases: cf
+
+ Required: False
+ Position: Named
+ Default value: None
+ Accept pipeline input: False
+ Accept wildcard characters: False
+ ```
+
+ #### -ConnectorId
+ The connector identifier.
+
+ ```yaml
+ Type: Guid
+ Parameter Sets: (All)
+ Aliases:
+
+ Required: False
+ Position: Named
+ Default value: None
+ Accept pipeline input: False
+ Accept wildcard characters: False
+ ```
+
+ #### -NumberRequested
+ The maximum number of returns.
+
+ ```yaml
+ Type: Int32
+ Parameter Sets: (All)
+ Aliases:
+
+ Required: False
+ Position: Named
+ Default value: None
+ Accept pipeline input: False
+ Accept wildcard characters: False
+ ```
+
+ #### -RunHistoryId
+ The identifier of a specific run.
+
+ ```yaml
+ Type: Guid
+ Parameter Sets: (All)
+ Aliases:
+
+ Required: False
+ Position: Named
+ Default value: None
+ Accept pipeline input: False
+ Accept wildcard characters: False
+ ```
+
+ #### -RunNumber
+ The run number of a specific run.
+
+ ```yaml
+ Type: Int32
+ Parameter Sets: (All)
+ Aliases:
+
+ Required: False
+ Position: Named
+ Default value: None
+ Accept pipeline input: False
+ Accept wildcard characters: False
+ ```
+
+ #### -RunProfileId
+ The run profile identifier of a specific run.
+
+ ```yaml
+ Type: Guid
+ Parameter Sets: (All)
+ Aliases:
+
+ Required: False
+ Position: Named
+ Default value: None
+ Accept pipeline input: False
+ Accept wildcard characters: False
+ ```
+
+ #### -RunStepDetails
+ Parameter switch for Run Step Details.
+
+ ```yaml
+ Type: SwitchParameter
+ Parameter Sets: (All)
+ Aliases:
+
+ Required: False
+ Position: Named
+ Default value: None
+ Accept pipeline input: False
+ Accept wildcard characters: False
+ ```
+
+ #### -StepNumber
+ Filters by step number.
+
+ ```yaml
+ Type: Int32
+ Parameter Sets: (All)
+ Aliases:
+
+ Required: False
+ Position: Named
+ Default value: None
+ Accept pipeline input: False
+ Accept wildcard characters: False
+ ```
+
+ #### -WhatIf
+ Shows what would happen if the cmdlet runs.
+ The cmdlet is not run.
+
+ ```yaml
+ Type: SwitchParameter
+ Parameter Sets: (All)
+ Aliases: wi
+
+ Required: False
+ Position: Named
+ Default value: None
+ Accept pipeline input: False
+ Accept wildcard characters: False
+ ```
+
+ #### CommonParameters
+ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](https://go.microsoft.com/fwlink/?LinkID=113216).
+
+ ### INPUTS
+
+ #### None
+
+ ### OUTPUTS
+
+ #### System.Object
++
+## Get-ADSyncRunStepResult
+
+ ### SYNOPSIS
+ Gets the AD Sync Run Step Result.
+
+ ### SYNTAX
+
+ ```
+ Get-ADSyncRunStepResult [-RunHistoryId <Guid>] [-StepHistoryId <Guid>] [-First] [-StepNumber <Int32>] [-WhatIf]
+ [-Confirm] [<CommonParameters>]
+ ```
+
+ ### DESCRIPTION
+ Gets the AD Sync Run Step Result.
+
+ ### EXAMPLES
+
+ #### Example 1
+ ```powershell
+ PS C:\> Get-ADSyncRunStepResult -RunHistoryId "00000000-0000-0000-0000-000000000000"
+ ```
+
+ Gets the AD Sync Run Step Result of the specified run.
+
+ ### PARAMETERS
+
+ #### -Confirm
+ Prompts you for confirmation before running the cmdlet.
+
+ ```yaml
+ Type: SwitchParameter
+ Parameter Sets: (All)
+ Aliases: cf
+
+ Required: False
+ Position: Named
+ Default value: None
+ Accept pipeline input: False
+ Accept wildcard characters: False
+ ```
+
+ #### -First
+ Parameter switch for getting only the first object.
+
+ ```yaml
+ Type: SwitchParameter
+ Parameter Sets: (All)
+ Aliases:
+
+ Required: False
+ Position: Named
+ Default value: None
+ Accept pipeline input: False
+ Accept wildcard characters: False
+ ```
+
+ #### -RunHistoryId
+ The ID of a specific run.
+
+ ```yaml
+ Type: Guid
+ Parameter Sets: (All)
+ Aliases:
+
+ Required: False
+ Position: Named
+ Default value: None
+ Accept pipeline input: False
+ Accept wildcard characters: False
+ ```
+
+ #### -StepHistoryId
+ The ID of a specific run step.
+
+ ```yaml
+ Type: Guid
+ Parameter Sets: (All)
+ Aliases:
+
+ Required: False
+ Position: Named
+ Default value: None
+ Accept pipeline input: False
+ Accept wildcard characters: False
+ ```
+
+ #### -StepNumber
+ The step number.
+
+ ```yaml
+ Type: Int32
+ Parameter Sets: (All)
+ Aliases:
+
+ Required: False
+ Position: Named
+ Default value: None
+ Accept pipeline input: False
+ Accept wildcard characters: False
+ ```
+
+ #### -WhatIf
+ Shows what would happen if the cmdlet runs.
+ The cmdlet is not run.
+
+ ```yaml
+ Type: SwitchParameter
+ Parameter Sets: (All)
+ Aliases: wi
+
+ Required: False
+ Position: Named
+ Default value: None
+ Accept pipeline input: False
+ Accept wildcard characters: False
+ ```
+
+ #### CommonParameters
+ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](https://go.microsoft.com/fwlink/?LinkID=113216).
+
+ ### INPUTS
+
+ #### None
+
+ ### OUTPUTS
+
+ #### System.Object
+++
+## Get-ADSyncScheduler
+
+ ### SYNOPSIS
+ Gets the current synchronization cycle settings for the sync scheduler.
+
+ ### SYNTAX
+
+ ```
+ Get-ADSyncScheduler [<CommonParameters>]
+ ```
+
+ ### DESCRIPTION
+ Gets the current synchronization cycle settings for the sync scheduler.
+
+ ### EXAMPLES
+
+ #### Example 1
+ ```powershell
+ PS C:\> Get-ADSyncScheduler
+ ```
+
+ Gets the current synchronization cycle settings for the sync scheduler.
+
+ ### PARAMETERS
+
+ #### CommonParameters
+ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](https://go.microsoft.com/fwlink/?LinkID=113216).
+
+ ### INPUTS
+
+ #### None
+
+ ### OUTPUTS
+
+ #### System.Object
+
+## Get-ADSyncSchedulerConnectorOverride
+
+ ### SYNOPSIS
+ Gets the AD Sync Scheduler override values for the specified connector(s).
+
+ ### SYNTAX
+
+ ```
+ Get-ADSyncSchedulerConnectorOverride [-ConnectorIdentifier <Guid>] [-ConnectorName <String>]
+ [<CommonParameters>]
+ ```
+
+ ### DESCRIPTION
+ Gets the AD Sync Scheduler override values for the specified connector(s).
+
+ ### EXAMPLES
+
+ #### Example 1
+ ```powershell
+ PS C:\> Get-ADSyncSchedulerConnectorOverride -ConnectorName "contoso.com"
+ ```
+
+ Gets the AD Sync Scheduler override values for the 'contoso.com' connector.
+
+ #### Example 2
+ ```powershell
+ PS C:\> Get-ADSyncSchedulerConnectorOverride
+ ```
+
+ Gets all AD Sync Scheduler override values.
+
+ ### PARAMETERS
+
+ #### -ConnectorIdentifier
+ The connector identifier.
+
+ ```yaml
+ Type: Guid
+ Parameter Sets: (All)
+ Aliases:
+
+ Required: False
+ Position: Named
+ Default value: None
+ Accept pipeline input: False
+ Accept wildcard characters: False
+ ```
+
+ #### -ConnectorName
+ The connector name.
+
+ ```yaml
+ Type: String
+ Parameter Sets: (All)
+ Aliases:
+
+ Required: False
+ Position: Named
+ Default value: None
+ Accept pipeline input: False
+ Accept wildcard characters: False
+ ```
+
+ #### CommonParameters
+ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](https://go.microsoft.com/fwlink/?LinkID=113216).
+
+ ### INPUTS
+
+ #### None
+
+ ### OUTPUTS
+
+ #### System.Object
++
+## Invoke-ADSyncCSObjectPasswordHashSync
+
+ ### SYNOPSIS
+ Synchronize password hash for the given AD connector space object.
+
+ ### SYNTAX
+
+ #### SearchByDistinguishedName
+ ```
+ Invoke-ADSyncCSObjectPasswordHashSync [-ConnectorName] <String> [-DistinguishedName] <String>
+ [<CommonParameters>]
+ ```
+
+ #### SearchByIdentifier
+ ```
+ Invoke-ADSyncCSObjectPasswordHashSync [-Identifier] <Guid> [<CommonParameters>]
+ ```
+
+ #### CSObject
+ ```
+ Invoke-ADSyncCSObjectPasswordHashSync [-CsObject] <CsObject> [<CommonParameters>]
+ ```
+
+ ### DESCRIPTION
+ Synchronize password hash for the given AD connector space object.
+
+ ### EXAMPLES
+
+ #### Example 1
+ ```powershell
+ PS C:\> Invoke-ADSyncCSObjectPasswordHashSync -ConnectorName "contoso.com" -DistinguishedName "CN=fabrikam,CN=Users,DN=contoso,DN=com"
+ ```
+
+ Synchronizes password hash for the specified object.
+
+ ### PARAMETERS
+
+ #### -ConnectorName
+ The name of the connector.
+
+ ```yaml
+ Type: String
+ Parameter Sets: SearchByDistinguishedName
+ Aliases:
+
+ Required: True
+ Position: 0
+ Default value: None
+ Accept pipeline input: False
+ Accept wildcard characters: False
+ ```
+
+ #### -CsObject
+ Connector space object.
+
+ ```yaml
+ Type: CsObject
+ Parameter Sets: CSObject
+ Aliases:
+
+ Required: True
+ Position: 0
+ Default value: None
+ Accept pipeline input: False
+ Accept wildcard characters: False
+ ```
+
+ #### -DistinguishedName
+ Distinguished Name of the connector space object.
+
+ ```yaml
+ Type: String
+ Parameter Sets: SearchByDistinguishedName
+ Aliases:
+
+ Required: True
+ Position: 1
+ Default value: None
+ Accept pipeline input: False
+ Accept wildcard characters: False
+ ```
+
+ #### -Identifier
+ The identifier of the connector space object.
+
+ ```yaml
+ Type: Guid
+ Parameter Sets: SearchByIdentifier
+ Aliases:
+
+ Required: True
+ Position: 0
+ Default value: None
+ Accept pipeline input: False
+ Accept wildcard characters: False
+ ```
+
+ #### CommonParameters
+ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](https://go.microsoft.com/fwlink/?LinkID=113216).
+
+ ### INPUTS
+
+ #### None
+
+ ### OUTPUTS
+
+ #### System.Object
++
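Review bot: The distinguished name in Example 1 is malformed: `DN=contoso,DN=com` uses `DN=` where the domain components should be `DC=`, as in the Get-ADSyncCSObject example on this page (`CN=fabrikam,CN=Users,DC=contoso,DC=com`). Copied as written, it will not resolve to the intended object. The `-CsObject` description ("Connector space object.") should also say where the object comes from, presumably the output of Get-ADSyncCSObject.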
+## Invoke-ADSyncRunProfile
+
+ ### SYNOPSIS
+ Invokes a specific run profile.
+
+ ### SYNTAX
+
+ #### ConnectorName
+ ```
+ Invoke-ADSyncRunProfile -ConnectorName <String> -RunProfileName <String> [-Resume] [<CommonParameters>]
+ ```
+
+ #### ConnectorIdentifier
+ ```
+ Invoke-ADSyncRunProfile -ConnectorIdentifier <Guid> -RunProfileName <String> [-Resume] [<CommonParameters>]
+ ```
+
+ ### DESCRIPTION
+ Invokes a specific run profile.
+
+ ### EXAMPLES
+
+ #### Example 1
+ ```powershell
+ PS C:\> Invoke-ADSyncRunProfile -ConnectorName "contoso.com" -RunProfileName Export
+ ```
+
+ Invokes an export on the 'contoso.com' connector.
+
+ ### PARAMETERS
+
+ #### -ConnectorIdentifier
+ Identifier of the Connector.
+
+ ```yaml
+ Type: Guid
+ Parameter Sets: ConnectorIdentifier
+ Aliases:
+
+ Required: True
+ Position: Named
+ Default value: None
+ Accept pipeline input: True (ByValue)
+ Accept wildcard characters: False
+ ```
+
+ #### -ConnectorName
+ Name of the Connector.
+
+ ```yaml
+ Type: String
+ Parameter Sets: ConnectorName
+ Aliases:
+
+ Required: True
+ Position: Named
+ Default value: None
+ Accept pipeline input: True (ByValue)
+ Accept wildcard characters: False
+ ```
+
+ #### -Resume
+ Parameter switch to attempt to resume a previously stalled/half-finished RunProfile.
+
+ ```yaml
+ Type: SwitchParameter
+ Parameter Sets: (All)
+ Aliases:
+
+ Required: False
+ Position: Named
+ Default value: None
+ Accept pipeline input: False
+ Accept wildcard characters: False
+ ```
+
+ #### -RunProfileName
+ Name of the run profile to invoke on the selected Connector.
+
+ ```yaml
+ Type: String
+ Parameter Sets: (All)
+ Aliases:
+
+ Required: True
+ Position: Named
+ Default value: None
+ Accept pipeline input: True (ByValue)
+ Accept wildcard characters: False
+ ```
+
+ #### CommonParameters
+ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](https://go.microsoft.com/fwlink/?LinkID=113216).
+
+ ### INPUTS
+
+ #### System.String
+
+ #### System.Guid
+
+ ### OUTPUTS
+
+ #### System.Object
++
+## Remove-ADSyncAADServiceAccount
+
+ ### SYNOPSIS
+ Deletes an/all existing AAD service account(s) in the AAD tenant (associated with the specified credentials).
+
+ ### SYNTAX
+
+ #### ServiceAccount
+ ```
+ Remove-ADSyncAADServiceAccount [-AADCredential] <PSCredential> [-Name] <String> [-WhatIf] [-Confirm]
+ [<CommonParameters>]
+ ```
+
+ #### ServicePrincipal
+ ```
+ Remove-ADSyncAADServiceAccount [-ServicePrincipal] [-WhatIf] [-Confirm] [<CommonParameters>]
+ ```
+
+ ### DESCRIPTION
+ Deletes an/all existing AAD service account(s) in the AAD tenant (associated with the specified credentials).
+
+ ### EXAMPLES
+
+ #### Example 1
+ ```powershell
+ PS C:\> Remove-ADSyncAADServiceAccount -AADCredential $aadcreds -Name contoso.com
+ ```
+
+ Deletes all existing AAD service accounts in contoso.com.
+
+ ### PARAMETERS
+
+ #### -AADCredential
+ The AAD credential.
+
+ ```yaml
+ Type: PSCredential
+ Parameter Sets: ServiceAccount
+ Aliases:
+
+ Required: True
+ Position: 1
+ Default value: None
+ Accept pipeline input: True (ByPropertyName)
+ Accept wildcard characters: False
+ ```
+
+ #### -Confirm
+ Prompts you for confirmation before running the cmdlet.
+
+ ```yaml
+ Type: SwitchParameter
+ Parameter Sets: (All)
+ Aliases: cf
+
+ Required: False
+ Position: Named
+ Default value: None
+ Accept pipeline input: False
+ Accept wildcard characters: False
+ ```
+
+ #### -Name
+ The name of the account.
+
+ ```yaml
+ Type: String
+ Parameter Sets: ServiceAccount
+ Aliases:
+
+ Required: True
+ Position: 2
+ Default value: None
+ Accept pipeline input: True (ByPropertyName)
+ Accept wildcard characters: False
+ ```
+
+ #### -ServicePrincipal
+ The service principal of the account.
+
+ ```yaml
+ Type: SwitchParameter
+ Parameter Sets: ServicePrincipal
+ Aliases:
+
+ Required: True
+ Position: 3
+ Default value: None
+ Accept pipeline input: True (ByPropertyName)
+ Accept wildcard characters: False
+ ```
+
+ #### -WhatIf
+ Shows what would happen if the cmdlet runs.
+ The cmdlet is not run.
+
+ ```yaml
+ Type: SwitchParameter
+ Parameter Sets: (All)
+ Aliases: wi
+
+ Required: False
+ Position: Named
+ Default value: None
+ Accept pipeline input: False
+ Accept wildcard characters: False
+ ```
+
+ #### CommonParameters
+ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](https://go.microsoft.com/fwlink/?LinkID=113216).
+
+ ### INPUTS
+
+ #### System.Management.Automation.PSCredential
+
+ #### System.String
+
+ #### System.Management.Automation.SwitchParameter
+
+ ### OUTPUTS
+
+ #### System.Object
++
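Review bot: Example 1 and the `-Name` description disagree. The example passes `-Name contoso.com` and is described as deleting all existing AAD service accounts in contoso.com, while `-Name` is documented as "The name of the account" and the synopsis hedges with "an/all". For a destructive cmdlet the page should say exactly what is deleted and whether `-Name` is an account name or a domain. It should also say what the `-ServicePrincipal` switch selects, since its description ("The service principal of the account") reads like a value rather than a switch. A second example using `-WhatIf` would fit here.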
+## Set-ADSyncAutoUpgrade
+
+ ### SYNOPSIS
+ Changes the AutoUpgrade state on your installation between Enabled and Disabled.
+
+ ### SYNTAX
+
+ ```
+ Set-ADSyncAutoUpgrade [-AutoUpgradeState] <AutoUpgradeConfigurationState> [[-SuspensionReason] <String>]
+ [<CommonParameters>]
+ ```
+
+ ### DESCRIPTION
+ Sets the AutoUpgrade state on your installation. This cmdlet should only be used to change AutoUpgrade state between Enabled and Disabled. Only the system should set the state to Suspended.
+
+ ### EXAMPLES
+
+ #### Example 1
+ ```powershell
+ PS C:\> Set-ADSyncAutoUpgrade -AutoUpgradeState Enabled
+ ```
+
+ Sets the AutoUpgrade state to Enabled.
+
+ ### PARAMETERS
+
+ #### -AutoUpgradeState
+ The AtuoUpgrade state. Accepted values: Suspended, Enabled, Disabled.
+
+ ```yaml
+ Type: AutoUpgradeConfigurationState
+ Parameter Sets: (All)
+ Aliases:
+ Accepted values: Suspended, Enabled, Disabled
+
+ Required: True
+ Position: 0
+ Default value: None
+ Accept pipeline input: False
+ Accept wildcard characters: False
+ ```
+
+ #### -SuspensionReason
+ The suspension reason. Only the system should set the AutoUpgrade state to suspended.
+
+ ```yaml
+ Type: String
+ Parameter Sets: (All)
+ Aliases:
+
+ Required: False
+ Position: 1
+ Default value: None
+ Accept pipeline input: False
+ Accept wildcard characters: False
+ ```
+
+ #### CommonParameters
+ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](https://go.microsoft.com/fwlink/?LinkID=113216).
+
+ ### INPUTS
+
+ #### None
+
+ ### OUTPUTS
+
+ #### System.Object
++
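Review bot: The `-AutoUpgradeState` description has a typo: "AtuoUpgrade" should be "AutoUpgrade". The same description and its YAML block list `Suspended` as an accepted value with no caveat, while the DESCRIPTION and `-SuspensionReason` both say only the system should set the state to Suspended. Repeat that caveat on `-AutoUpgradeState` so the accepted-values list is not read as an invitation to use it.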
+## Set-ADSyncScheduler
+
+ ### SYNOPSIS
+ Sets the current synchronization cycle settings for the sync scheduler.
+
+ ### SYNTAX
+
+ ```
+ Set-ADSyncScheduler [[-CustomizedSyncCycleInterval] <TimeSpan>] [[-SyncCycleEnabled] <Boolean>]
+ [[-NextSyncCyclePolicyType] <SynchronizationPolicyType>] [[-PurgeRunHistoryInterval] <TimeSpan>]
+ [[-MaintenanceEnabled] <Boolean>] [[-SchedulerSuspended] <Boolean>] [-Force] [<CommonParameters>]
+ ```
+
+ ### DESCRIPTION
+ Sets the current synchronization cycle settings for the sync scheduler.
+
+ ### EXAMPLES
+
+ #### Example 1
+ ```powershell
+ PS C:\> Set-ADSyncScheduler -SyncCycleEnabled $true
+ ```
+
+ Sets the current synchronization cycle setting for SyncCycleEnabled to True.
+
+ ### PARAMETERS
+
+ #### -CustomizedSyncCycleInterval
+ Please specify the timespan value for custom sync interval you want to set.
+ If you want to run on lowest allowed setting, please set this parameter to null.
+
+ ```yaml
+ Type: TimeSpan
+ Parameter Sets: (All)
+ Aliases:
+
+ Required: False
+ Position: 0
+ Default value: None
+ Accept pipeline input: True (ByValue)
+ Accept wildcard characters: False
+ ```
+
+ #### -Force
+ Parameter switch for forcing the setting of a value.
+
+ ```yaml
+ Type: SwitchParameter
+ Parameter Sets: (All)
+ Aliases:
+
+ Required: False
+ Position: 6
+ Default value: None
+ Accept pipeline input: True (ByValue)
+ Accept wildcard characters: False
+ ```
+
+ #### -MaintenanceEnabled
+ Parameter for setting MaintenanceEnabled.
+
+ ```yaml
+ Type: Boolean
+ Parameter Sets: (All)
+ Aliases:
+
+ Required: False
+ Position: 4
+ Default value: None
+ Accept pipeline input: True (ByValue)
+ Accept wildcard characters: False
+ ```
+
+ #### -NextSyncCyclePolicyType
+ Parameter for setting NextSyncCyclePolicyType. Accepted values: Unspecified, Delta, Initial.
+
+ ```yaml
+ Type: SynchronizationPolicyType
+ Parameter Sets: (All)
+ Aliases:
+ Accepted values: Unspecified, Delta, Initial
+
+ Required: False
+ Position: 2
+ Default value: None
+ Accept pipeline input: True (ByValue)
+ Accept wildcard characters: False
+ ```
+
+ #### -PurgeRunHistoryInterval
+ Parameter for setting PurgeRunHistoryInterval.
+
+ ```yaml
+ Type: TimeSpan
+ Parameter Sets: (All)
+ Aliases:
+
+ Required: False
+ Position: 3
+ Default value: None
+ Accept pipeline input: True (ByValue)
+ Accept wildcard characters: False
+ ```
+
+ #### -SchedulerSuspended
+ Parameter for setting SchedulerSuspended.
+
+ ```yaml
+ Type: Boolean
+ Parameter Sets: (All)
+ Aliases:
+
+ Required: False
+ Position: 5
+ Default value: None
+ Accept pipeline input: True (ByValue)
+ Accept wildcard characters: False
+ ```
+
+ #### -SyncCycleEnabled
+ Parameter for setting SyncCycleEnabled.
+
+ ```yaml
+ Type: Boolean
+ Parameter Sets: (All)
+ Aliases:
+
+ Required: False
+ Position: 1
+ Default value: None
+ Accept pipeline input: True (ByValue)
+ Accept wildcard characters: False
+ ```
+
+ #### CommonParameters
+ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](https://go.microsoft.com/fwlink/?LinkID=113216).
+
+ ### INPUTS
+
+ #### System.Nullable`1[[System.TimeSpan, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]
+
+ #### System.Nullable`1[[System.Boolean, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]
+
+ #### System.Nullable`1[[Microsoft.IdentityManagement.PowerShell.ObjectModel.SynchronizationPolicyType, Microsoft.IdentityManagement.PowerShell.ObjectModel, Version=1.4.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]]
+
+ #### System.Management.Automation.SwitchParameter
+
+ ### OUTPUTS
+
+ #### System.Object
++
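Review bot: The descriptions for `-MaintenanceEnabled`, `-PurgeRunHistoryInterval`, `-SchedulerSuspended`, `-SyncCycleEnabled` and `-NextSyncCyclePolicyType` only repeat the parameter name ("Parameter for setting SchedulerSuspended"), and `-Force` does not say what is being forced. These settings control whether and how synchronization runs, so each should state its effect. The `-CustomizedSyncCycleInterval` text mentions a "lowest allowed setting" without giving the value. The INPUTS headings expose raw assembly-qualified Nullable type names (mscorlib version, culture, public key token), which should be shortened to readable type names.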
+## Set-ADSyncSchedulerConnectorOverride
+
+ ### SYNOPSIS
+ Sets the current synchronization cycle settings for the sync scheduler.
+
+ ### SYNTAX
+
+ #### ConnectorIdentifier
+ ```
+ Set-ADSyncSchedulerConnectorOverride -ConnectorIdentifier <Guid> [-FullImportRequired <Boolean>]
+ [-FullSyncRequired <Boolean>] [<CommonParameters>]
+ ```
+
+ #### ConnectorName
+ ```
+ Set-ADSyncSchedulerConnectorOverride -ConnectorName <String> [-FullImportRequired <Boolean>]
+ [-FullSyncRequired <Boolean>] [<CommonParameters>]
+ ```
+
+ ### DESCRIPTION
+ Sets the current synchronization cycle settings for the sync scheduler.
+
+ ### EXAMPLES
+
+ #### Example 1
+ ```powershell
+ PS C:\> Set-ADSyncSchedulerConnectorOverride -Connectorname "contoso.com" -FullImportRequired $true
+ -FullSyncRequired $false
+ ```
+
+ Sets the synchronization cycle settings for the 'contoso.com' connector to require full import and to not require full sync.
+
+ ### PARAMETERS
+
+ #### -ConnectorIdentifier
+ The connector identifier.
+
+ ```yaml
+ Type: Guid
+ Parameter Sets: ConnectorIdentifier
+ Aliases:
+
+ Required: True
+ Position: Named
+ Default value: None
+ Accept pipeline input: True (ByValue)
+ Accept wildcard characters: False
+ ```
+
+ #### -ConnectorName
+ The connector name.
+
+ ```yaml
+ Type: String
+ Parameter Sets: ConnectorName
+ Aliases:
+
+ Required: True
+ Position: Named
+ Default value: None
+ Accept pipeline input: True (ByValue)
+ Accept wildcard characters: False
+ ```
+
+ #### -FullImportRequired
+ Set as true to require full import on the next cycle.
+
+ ```yaml
+ Type: Boolean
+ Parameter Sets: (All)
+ Aliases:
+
+ Required: False
+ Position: Named
+ Default value: None
+ Accept pipeline input: True (ByValue)
+ Accept wildcard characters: False
+ ```
+
+ #### -FullSyncRequired
+ Set as true to require full sync on the next cycle.
+
+ ```yaml
+ Type: Boolean
+ Parameter Sets: (All)
+ Aliases:
+
+ Required: False
+ Position: Named
+ Default value: None
+ Accept pipeline input: True (ByValue)
+ Accept wildcard characters: False
+ ```
+
+ #### CommonParameters
+ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](https://go.microsoft.com/fwlink/?LinkID=113216).
+
+ ### INPUTS
+
+ #### System.Guid
+
+ #### System.String
+
+ #### System.Nullable`1[[System.Boolean, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]
+
+ ### OUTPUTS
+
+ #### System.Object
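Review bot: Example 1 for Set-ADSyncSchedulerConnectorOverride breaks the command across two lines with no backtick, so a reader who pastes it runs the first line alone and `-FullSyncRequired $false` is never passed to the cmdlet. Put the command on one line or end the first line with a backtick, and use the documented casing `-ConnectorName` rather than `-Connectorname`. The SYNOPSIS and DESCRIPTION also read "for the sync scheduler" with no mention that the setting is a per-connector override; say which connector-level flags it sets (full import, full sync) so it is not mistaken for a scheduler-wide setting.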
++
+## Start-ADSyncPurgeRunHistory
+
+ ### SYNOPSIS
+ Cmdlet to purge run history older than specified timespan.
+
+ ### SYNTAX
+
+ #### online
+ ```
+ Start-ADSyncPurgeRunHistory [[-PurgeRunHistoryInterval] <TimeSpan>] [<CommonParameters>]
+ ```
+
+ #### offline
+ ```
+ Start-ADSyncPurgeRunHistory [-Offline] [<CommonParameters>]
+ ```
+
+ ### DESCRIPTION
+ Cmdlet to purge run history older than specified timespan.
+
+ ### EXAMPLES
+
+ #### Example 1
+ ```powershell
+ PS C:\> Start-ADSyncPurgeRunHistory -PurgeRunHistoryInterval (New-Timespan -Hours 5)
+ ```
+
+ Purges all run history older than 5 hours.
+
+ ### PARAMETERS
+
+ #### -Offline
+ Purges all run history from the database while the service is offline.
+
+ ```yaml
+ Type: SwitchParameter
+ Parameter Sets: offline
+ Aliases:
+
+ Required: True
+ Position: 0
+ Default value: None
+ Accept pipeline input: False
+ Accept wildcard characters: False
+ ```
+
+ #### -PurgeRunHistoryInterval
+ Interval for which history to preserve.
+
+ ```yaml
+ Type: TimeSpan
+ Parameter Sets: online
+ Aliases:
+
+ Required: False
+ Position: 0
+ Default value: None
+ Accept pipeline input: True (ByValue)
+ Accept wildcard characters: False
+ ```
+
+ #### CommonParameters
+ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](https://go.microsoft.com/fwlink/?LinkID=113216).
+
+ ### INPUTS
+
+ #### System.TimeSpan
+
+ ### OUTPUTS
+
+ #### System.Object
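Review bot: The `-PurgeRunHistoryInterval` entry for Start-ADSyncPurgeRunHistory is marked Required: False with Default value: None, and its description ("Interval for which history to preserve") does not say how much history is removed when the parameter is omitted. State the effective default. The `-Offline` text says it "Purges all run history from the database", which is a different outcome from the online parameter set; call that out in DESCRIPTION, since run history is the record operators rely on to review past sync operations, and say whether the service must be stopped first.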
+
+## Start-ADSyncSyncCycle
+
+ ### SYNOPSIS
+ Triggers a synchronization cycle.
+
+ ### SYNTAX
+
+ ```
+ Start-ADSyncSyncCycle [[-PolicyType] <SynchronizationPolicyType>] [[-InteractiveMode] <Boolean>]
+ [<CommonParameters>]
+ ```
+
+ ### DESCRIPTION
+ Triggers a synchronization cycle.
+
+ ### EXAMPLES
+
+ #### Example 1
+ ```powershell
+ PS C:\> Start-ADSyncSyncCycle -PolicyType Initial
+ ```
+
+ Triggers a synchronization cycle with an Initial policy type.
+
+ ### PARAMETERS
+
+ #### -InteractiveMode
+ Differentiates between interactive (command line) mode and script/code mode (calls from other code).
+
+ ```yaml
+ Type: Boolean
+ Parameter Sets: (All)
+ Aliases:
+
+ Required: False
+ Position: 2
+ Default value: None
+ Accept pipeline input: True (ByValue)
+ Accept wildcard characters: False
+ ```
+
+ #### -PolicyType
+ The policy type to run. Accepted values: Unspecified, Delta, Initial.
+
+ ```yaml
+ Type: SynchronizationPolicyType
+ Parameter Sets: (All)
+ Aliases:
+ Accepted values: Unspecified, Delta, Initial
+
+ Required: False
+ Position: 1
+ Default value: None
+ Accept pipeline input: True (ByValue)
+ Accept wildcard characters: False
+ ```
+
+ #### CommonParameters
+ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](https://go.microsoft.com/fwlink/?LinkID=113216).
+
+ ### INPUTS
+
+ #### System.Nullable`1[[Microsoft.IdentityManagement.PowerShell.ObjectModel.SynchronizationPolicyType, Microsoft.IdentityManagement.PowerShell.ObjectModel, Version=1.4.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]]
+
+ #### System.Boolean
+
+ ### OUTPUTS
+
+ #### System.Object
++
+## Stop-ADSyncRunProfile
+
+ ### SYNOPSIS
+ Finds and stops all or specified busy connectors.
+
+ ### SYNTAX
+
+ ```
+ Stop-ADSyncRunProfile [[-ConnectorName] <String>] [<CommonParameters>]
+ ```
+
+ ### DESCRIPTION
+ Finds and stops all or specified busy connectors.
+
+ ### EXAMPLES
+
+ #### Example 1
+ ```powershell
+ PS C:\> Stop-ADSyncRunProfile -ConnectorName "contoso.com"
+ ```
+
+ Stops any running synchronization on 'contoso.com'.
+
+ ### PARAMETERS
+
+ #### -ConnectorName
+ Name of the Connector.
+ If this is not given, then all busy connectors will be stopped.
+
+ ```yaml
+ Type: String
+ Parameter Sets: (All)
+ Aliases:
+
+ Required: False
+ Position: 0
+ Default value: None
+ Accept pipeline input: False
+ Accept wildcard characters: False
+ ```
+
+ #### CommonParameters
+ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](https://go.microsoft.com/fwlink/?LinkID=113216).
+
+ ### INPUTS
+
+ #### None
+
+ ### OUTPUTS
+
+ #### System.Object
++
+## Stop-ADSyncSyncCycle
+
+ ### SYNOPSIS
+ Signals the server to stop the currently running sync cycle.
+
+ ### SYNTAX
+
+ ```
+ Stop-ADSyncSyncCycle [<CommonParameters>]
+ ```
+
+ ### DESCRIPTION
+ Signals the server to stop the currently running sync cycle.
+
+ ### EXAMPLES
+
+ #### Example 1
+ ```powershell
+ PS C:\> Stop-ADSyncSyncCycle
+ ```
+
+ Signals the server to stop the currently running sync cycle.
+
+ ### PARAMETERS
+
+ #### CommonParameters
+ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](https://go.microsoft.com/fwlink/?LinkID=113216).
+
+ ### INPUTS
+
+ #### None
+
+ ### OUTPUTS
+
+ #### System.Object
++
+## Sync-ADSyncCSObject
+
+ ### SYNOPSIS
+ Runs sync preview on connector space object.
+
+ ### SYNTAX
+
+ #### ConnectorName_ObjectDN
+ ```
+ Sync-ADSyncCSObject -ConnectorName <String> -DistinguishedName <String> [-Commit] [<CommonParameters>]
+ ```
+
+ #### ConnectorIdentifier_ObjectDN
+ ```
+ Sync-ADSyncCSObject -ConnectorIdentifier <Guid> -DistinguishedName <String> [-Commit] [<CommonParameters>]
+ ```
+
+ #### ObjectIdentifier
+ ```
+ Sync-ADSyncCSObject -Identifier <Guid> [-Commit] [<CommonParameters>]
+ ```
+
+ ### DESCRIPTION
+ Runs sync preview on connector space object.
+
+ ### EXAMPLES
+
+ #### Example 1
+ ```powershell
+ PS C:\> Sync-ADSyncCSObject -ConnectorName "contoso.com" -DistinguishedName "CN=fabrikam,CN=Users,DC=contoso,DC=com"
+ ```
+
+ Returns a sync preview for the specified object.
+
+ ### PARAMETERS
+
+ #### -Commit
+ Parameter Switch for commit.
+
+ ```yaml
+ Type: SwitchParameter
+ Parameter Sets: (All)
+ Aliases:
+
+ Required: False
+ Position: Named
+ Default value: None
+ Accept pipeline input: False
+ Accept wildcard characters: False
+ ```
+
+ #### -ConnectorIdentifier
+ The identifier of the connector.
+
+ ```yaml
+ Type: Guid
+ Parameter Sets: ConnectorIdentifier_ObjectDN
+ Aliases:
+
+ Required: True
+ Position: Named
+ Default value: None
+ Accept pipeline input: False
+ Accept wildcard characters: False
+ ```
+
+ #### -ConnectorName
+ The name of the connector.
+
+ ```yaml
+ Type: String
+ Parameter Sets: ConnectorName_ObjectDN
+ Aliases:
+
+ Required: True
+ Position: Named
+ Default value: None
+ Accept pipeline input: False
+ Accept wildcard characters: False
+ ```
+
+ #### -DistinguishedName
+ Distinguished Name of the connector space object.
+
+ ```yaml
+ Type: String
+ Parameter Sets: ConnectorName_ObjectDN, ConnectorIdentifier_ObjectDN
+ Aliases:
+
+ Required: True
+ Position: Named
+ Default value: None
+ Accept pipeline input: False
+ Accept wildcard characters: False
+ ```
+
+ #### -Identifier
+ The identifier of the connector space object.
+
+ ```yaml
+ Type: Guid
+ Parameter Sets: ObjectIdentifier
+ Aliases:
+
+ Required: True
+ Position: Named
+ Default value: None
+ Accept pipeline input: False
+ Accept wildcard characters: False
+ ```
+
+ #### CommonParameters
+ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](https://go.microsoft.com/fwlink/?LinkID=113216).
+
+ ### INPUTS
+
+ #### None
+
+ ### OUTPUTS
+
+ #### System.Object
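Review bot: The `-Commit` parameter of Sync-ADSyncCSObject is described only as "Parameter Switch for commit.", while the SYNOPSIS, DESCRIPTION and Example 1 all present the cmdlet as a preview. Document what `-Commit` changes (whether the previewed result is written rather than only returned), and add a second example that uses it, so that a reader does not assume the cmdlet is always read-only.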
++
+## Test-AdSyncAzureServiceConnectivity
+
+ ### SYNOPSIS
+ Investigates and identifies connectivity issues to Azure AD.
+
+ ### SYNTAX
+
+ #### ByEnvironment
+ ```
+ Test-AdSyncAzureServiceConnectivity [-AzureEnvironment] <Identifier> [[-Service] <AzureService>] [-CurrentUser]
+ [<CommonParameters>]
+ ```
+
+ #### ByTenantName
+ ```
+ Test-AdSyncAzureServiceConnectivity [-Domain] <String> [[-Service] <AzureService>] [-CurrentUser]
+ [<CommonParameters>]
+ ```
+
+ ### DESCRIPTION
+ Investigates and identifies connectivity issues to Azure AD.
+
+ ### EXAMPLES
+
+ #### Example 1
+ ```powershell
+ PS C:\> Test-AdSyncAzureServiceConnectivity -AzureEnvironment Worldwide -Service SecurityTokenService -CurrentUser
+ ```
+
+ Returns "True" if there are no connectivity issues.
+
+ ### PARAMETERS
+
+ #### -AzureEnvironment
+ Azure environment to test. Accepted values: Worldwide, China, UsGov, Germany, AzureUSGovernmentCloud, AzureUSGovernmentCloud2, AzureUSGovernmentCloud3, PreProduction, OneBox, Default.
+
+ ```yaml
+ Type: Identifier
+ Parameter Sets: ByEnvironment
+ Aliases:
+ Accepted values: Worldwide, China, UsGov, Germany, AzureUSGovernmentCloud, AzureUSGovernmentCloud2, AzureUSGovernmentCloud3, PreProduction, OneBox, Default
+
+ Required: True
+ Position: 0
+ Default value: None
+ Accept pipeline input: True (ByValue)
+ Accept wildcard characters: False
+ ```
+
+ #### -CurrentUser
+ The user running the cmdlet.
+
+ ```yaml
+ Type: SwitchParameter
+ Parameter Sets: (All)
+ Aliases:
+
+ Required: False
+ Position: 3
+ Default value: None
+ Accept pipeline input: True (ByValue)
+ Accept wildcard characters: False
+ ```
+
+ #### -Domain
+ The domain whose connectivity is being tested.
+
+ ```yaml
+ Type: String
+ Parameter Sets: ByTenantName
+ Aliases:
+
+ Required: True
+ Position: 1
+ Default value: None
+ Accept pipeline input: True (ByValue)
+ Accept wildcard characters: False
+ ```
+
+ #### -Service
+ The service whose connectivity is being tested.
+
+ ```yaml
+ Type: AzureService
+ Parameter Sets: (All)
+ Aliases:
+ Accepted values: SecurityTokenService, AdminWebService
+
+ Required: False
+ Position: 2
+ Default value: None
+ Accept pipeline input: True (ByValue)
+ Accept wildcard characters: False
+ ```
+
+ #### CommonParameters
+ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](https://go.microsoft.com/fwlink/?LinkID=113216).
+
+ ### INPUTS
+
+ #### Microsoft.Online.Deployment.Client.Framework.MicrosoftOnlineInstance+Identifier
+
+ #### System.String
+
+ #### System.Nullable`1[[Microsoft.Online.Deployment.Client.Framework.AzureService, Microsoft.Online.Deployment.Client.Framework, Version=1.6.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]]
+
+ #### System.Management.Automation.SwitchParameter
+
+ ### OUTPUTS
+
+ #### System.Object
++
+## Test-AdSyncUserHasPermissions
+
+ ### SYNOPSIS
+ Cmdlet to check if ADMA user has required permissions.
+
+ ### SYNTAX
+
+ ```
+ Test-AdSyncUserHasPermissions [-ForestFqdn] <String> [-AdConnectorId] <Guid>
+ [-AdConnectorCredential] <PSCredential> [-BaseDn] <String> [-PropertyType] <String> [-PropertyValue] <String>
+ [-WhatIf] [-Confirm] [<CommonParameters>]
+ ```
+
+ ### DESCRIPTION
+ Cmdlet to check if ADMA user has required permissions.
+
+ ### EXAMPLES
+
+ #### Example 1
+ ```powershell
+ PS C:\> Test-AdSyncUserHasPermissions -ForestFqdn "contoso.com" -AdConnectorId "00000000-0000-0000-000000000000"
+ -AdConnectorCredential $connectorAcctCreds -BaseDn "CN=fabrikam,CN=Users,DC=contoso,DC=com" -PropertyType "Allowed-Attributes" -PropertyValue "name"
+ ```
+
+ Checks if ADMA user has permissions to access the 'name' property of the user 'fabrikam'.
+
+ ### PARAMETERS
+
+ #### -AdConnectorCredential
+ AD Connector account credentials.
+
+ ```yaml
+ Type: PSCredential
+ Parameter Sets: (All)
+ Aliases:
+
+ Required: True
+ Position: 2
+ Default value: None
+ Accept pipeline input: False
+ Accept wildcard characters: False
+ ```
+
+ #### -AdConnectorId
+ AD Connector ID.
+
+ ```yaml
+ Type: Guid
+ Parameter Sets: (All)
+ Aliases:
+
+ Required: True
+ Position: 1
+ Default value: None
+ Accept pipeline input: True (ByValue)
+ Accept wildcard characters: False
+ ```
+
+ #### -BaseDn
+ Base DN of the object to check.
+
+ ```yaml
+ Type: String
+ Parameter Sets: (All)
+ Aliases:
+
+ Required: True
+ Position: 3
+ Default value: None
+ Accept pipeline input: False
+ Accept wildcard characters: False
+ ```
+
+ #### -Confirm
+ Prompts you for confirmation before running the cmdlet.
+
+ ```yaml
+ Type: SwitchParameter
+ Parameter Sets: (All)
+ Aliases: cf
+
+ Required: False
+ Position: Named
+ Default value: None
+ Accept pipeline input: False
+ Accept wildcard characters: False
+ ```
+
+ #### -ForestFqdn
+ Name of the forest.
+
+ ```yaml
+ Type: String
+ Parameter Sets: (All)
+ Aliases:
+
+ Required: True
+ Position: 0
+ Default value: None
+ Accept pipeline input: True (ByValue)
+ Accept wildcard characters: False
+ ```
+
+ #### -PropertyType
+ Permission type you are looking for. Accepted values: Allowed-Attributes, Allowed-Attributes-Effective, Allowed-Child-Classes, Allowed-Child-Classes-Effective.
+
+ ```yaml
+ Type: String
+ Parameter Sets: (All)
+ Aliases:
+
+ Required: True
+ Position: 4
+ Default value: None
+ Accept pipeline input: False
+ Accept wildcard characters: False
+ ```
+
+ #### -PropertyValue
+ The value you are looking for in PropertyType attribute.
+
+ ```yaml
+ Type: String
+ Parameter Sets: (All)
+ Aliases:
+
+ Required: True
+ Position: 5
+ Default value: None
+ Accept pipeline input: False
+ Accept wildcard characters: False
+ ```
+
+ #### -WhatIf
+ Shows what would happen if the cmdlet runs.
+ The cmdlet is not run.
+
+ ```yaml
+ Type: SwitchParameter
+ Parameter Sets: (All)
+ Aliases: wi
+
+ Required: False
+ Position: Named
+ Default value: None
+ Accept pipeline input: False
+ Accept wildcard characters: False
+ ```
+
+ #### CommonParameters
+ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](https://go.microsoft.com/fwlink/?LinkID=113216).
+
+ ### INPUTS
+
+ #### System.String
+
+ #### System.Guid
+
+ ### OUTPUTS
+
+ #### System.Object
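Review bot: In Example 1 for Test-AdSyncUserHasPermissions the value `"00000000-0000-0000-000000000000"` has only four groups (8-4-4-12), so it will not bind to the `Guid` type of `-AdConnectorId`; use a five-group placeholder such as `00000000-0000-0000-0000-000000000000`. The example is also split across two lines without a backtick, so the second line (`-AdConnectorCredential ...`) is not part of the command as written. Separately, the example never shows how `$connectorAcctCreds` is obtained; a one-line mention of `Get-Credential` would keep readers from embedding the connector account password in a script.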
+
+## Next Steps
+
+- [What is hybrid identity?](./whatis-hybrid-identity.md)
+- [What is Azure AD Connect and Connect Health?](whatis-azure-ad-connect.md)
active-directory Grant Admin Consent https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/grant-admin-consent.md
For more information on consenting to applications, see [Azure Active Directory
## Prerequisites
-Granting tenant-wide admin consent requires you to sign in as a user that is authorized to consent on behalf of the organization. This includes [Global Administrator](../roles/permissions-reference.md#global-administrator) and [Privileged Role Administrator](../roles/permissions-reference.md#privileged-role-administrator), and, for some applications, [Application Administrator](../roles/permissions-reference.md#application-administrator) and [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). A user can also be authorized to grant tenant-wide consent if they are assigned a [custom directory role](../roles/custom-create.md) that includes the [permission to grant permissions to applications](../roles/custom-consent-permissions.md).
+Granting tenant-wide admin consent requires you to sign in as a user that is authorized to consent on behalf of the organization. This includes [Global Administrator](../roles/permissions-reference.md#global-administrator) and [Privileged Role Administrator](../roles/permissions-reference.md#privileged-role-administrator). For applications which do not require application permissions for Microsoft Graph or Azure AD Graph this also includes [Application Administrator](../roles/permissions-reference.md#application-administrator) and [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). A user can also be authorized to grant tenant-wide consent if they are assigned a [custom directory role](../roles/custom-create.md) that includes the [permission to grant permissions to applications](../roles/custom-consent-permissions.md).
> [!WARNING] > Granting tenant-wide admin consent to an application will grant the app and the app's publisher access to your organization's data. Carefully review the permissions the application is requesting before granting consent.
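Review bot: The new Prerequisites sentence "For applications which do not require application permissions for Microsoft Graph or Azure AD Graph this also includes ..." is hard to parse because "applications" and "application permissions" sit side by side, and it is missing a comma after "Azure AD Graph". Since this sentence is now the only place that defines when Application Administrator and Cloud Application Administrator may grant tenant-wide consent, consider rewording to something like "For apps that request no application permissions (app roles) for Microsoft Graph or Azure AD Graph, this also includes ..." so the boundary is unambiguous.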
You can grant tenant-wide admin consent through *Enterprise applications* if the
To grant tenant-wide admin consent to an app listed in **Enterprise applications**:
-1. Sign in to the [Azure portal](https://portal.azure.com) as a [Global Administrator](../roles/permissions-reference.md#global-administrator), an [Application Administrator](../roles/permissions-reference.md#application-administrator), or a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator).
+1. Sign in to the [Azure portal](https://portal.azure.com) with a role that allows granting admin consent (see [Prerequisites](#prerequisites)).
2. Select **Azure Active Directory** then **Enterprise applications**. 3. Select the application to which you want to grant tenant-wide admin consent. 4. Select **Permissions** and then click **Grant admin consent**.
For applications your organization has developed, or which are registered direct
To grant tenant-wide admin consent from **App registrations**:
-1. Sign in to the [Azure portal](https://portal.azure.com) as a [Global Administrator](../roles/permissions-reference.md#global-administrator), an [Application Administrator](../roles/permissions-reference.md#application-administrator), or a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator).
+1. Sign in to the [Azure portal](https://portal.azure.com) with a role that allows granting admin consent (see [Prerequisites](#prerequisites)).
2. Select **Azure Active Directory** then **App registrations**. 3. Select the application to which you want to grant tenant-wide admin consent. 4. Select **API permissions** and then click **Grant admin consent**.
active-directory Manage Certificates For Federated Single Sign On https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/manage-certificates-for-federated-single-sign-on.md
First, create and save new certificate with a different expiration date:
1. Select **New Certificate**. A new row appears below the certificate list, where the expiration date defaults to exactly three years after the current date. (Your changes haven't been saved yet, so you can still modify the expiration date.) 1. In the new certificate row, hover over the expiration date column and select the **Select Date** icon (a calendar). A calendar control appears, displaying the days of a month of the new row's current expiration date. 1. Use the calendar control to set a new date. You can set any date between the current date and three years after the current date.
-1. Select **Save**. The new certificate now appears with a status of **Inactive**, the expiration date that you chose, and a thumbprint.
+1. Select **Save**. The new certificate now appears with a status of **Inactive**, the expiration date that you chose, and a thumbprint. **Note**- When you have an existing certificate that is already expired and you generate a new certificate, the new certificate will be considered for signing tokens, even though you have not activated it yet.
1. Select the **X** to return to the **Set up Single Sign-On with SAML - Preview** page. ### Upload and activate a certificate
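Review bot: The text added to the Select **Save** step states a security-relevant behaviour (a newly generated certificate is considered for signing tokens before activation when the existing certificate has expired) but appends it inline to the step as "**Note**- ...". Move it to its own `> [!NOTE]` or `> [!IMPORTANT]` block under the step, matching the alert syntax used elsewhere in these articles, so that it is not skimmed past and renders consistently.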
Next, download the new certificate in the correct format, upload it to the appli
1. When you want to roll over to the new certificate, go back to the **SAML Signing Certificate** page, and in the newly saved certificate row, select the ellipsis (**...**) and select **Make certificate active**. The status of the new certificate changes to **Active**, and the previously active certificate changes to a status of **Inactive**. 1. Continue following the application's SAML sign-on configuration instructions that you displayed earlier, so that you can upload the SAML signing certificate in the correct encoding format.
+If your application does not have any validation for the certificate's expiration, and the certificate matches in both Azure Active Directory and your application, your app is still accessible despite having an expired certificate. Please ensure your application can validate the certificate's expiration date.
+ ## Add email notification addresses for certificate expiration Azure AD will send an email notification 60, 30, and 7 days before the SAML certificate expires. You may add more than one email address to receive notifications. To specify the email address(es) you want the notifications to be sent to:
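Review bot: The added paragraph beginning "If your application does not have any validation for the certificate's expiration" describes a state where sign-in keeps working with an expired signing certificate, yet it is plain body text ending in "Please ensure ...". Make it a `> [!WARNING]` block and say what the reader should do, for example confirm that the application rejects assertions signed with an expired certificate. Also check the blank line before `## Add email notification addresses for certificate expiration`, so that the heading is not rendered as part of the paragraph.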
If a certificate is about to expire, you can renew it using a procedure that res
1. Skip the next two steps. 1. If the app can only handle one certificate at a time, pick a downtime interval to perform the next step. (Otherwise, if the application doesnΓÇÖt automatically pick up the new certificate but can handle more than one signing certificate, you can perform the next step anytime.)
-1. Before the old certificate expires, follow the instructions in the [Upload and activate a certificate](#upload-and-activate-a-certificate) section earlier.
+1. Before the old certificate expires, follow the instructions in the [Upload and activate a certificate](#upload-and-activate-a-certificate) section earlier. If your application certificate isn't updated after a new certificate is updated in Azure Active Directory, authentication on your app may fail.
1. Sign in to the application to make sure that the certificate works correctly.
+If your application does not validate the certificate expiration configured in Azure Active Directory, and the certificate matches in both Azure Active Directory and your application, your app is still accessible despite having an expired certificate. Please ensure your application can validate certificate expiration.
+ ## Related articles - [Tutorials for integrating SaaS applications with Azure Active Directory](../saas-apps/tutorial-list.md)
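Review bot: The paragraph added before `## Related articles` repeats the one added earlier in the article with slightly different wording ("does not validate the certificate expiration configured in Azure Active Directory" versus "does not have any validation for the certificate's expiration"). Keep one wording and reuse it, or link back to the first occurrence. In the changed step, "If your application certificate isn't updated after a new certificate is updated in Azure Active Directory" uses "updated" for two different actions; "activated in Azure Active Directory" would match the **Make certificate active** step it refers to.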
active-directory Delegate By Task https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/roles/delegate-by-task.md
In this article, you can find the information needed to restrict a user's admini
> [!div class="mx-tableFixed"] > | Task | Least privileged role | Additional roles | > | - | | - |
-> | Add resources to a catalog | User Administrator | With entitlement management, you can delegate this task to the catalog owner ([see documentation](../governance/entitlement-management-catalog-create.md#add-additional-catalog-owners)) |
-> | Add SharePoint Online sites to catalog | Global Administrator | |
+> | Add resources to a catalog | Identity Governance Administrator | With entitlement management, you can delegate this task to the catalog owner ([see documentation](../governance/entitlement-management-catalog-create.md#add-additional-catalog-owners)) |
+> | Add SharePoint Online sites to catalog | SharePoint Administrator | |
## Groups
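Review bot: In the "Add SharePoint Online sites to catalog" row the least privileged role changes from Global Administrator to SharePoint Administrator, but the "Additional roles" cell stays empty. If Global Administrator can still perform the task, list it there as the other rows do for broader roles; otherwise readers may take the change to mean the broader role lost the ability. The same question applies to User Administrator in the "Add resources to a catalog" row, which is replaced by Identity Governance Administrator without being moved to "Additional roles".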
active-directory Attendancemanagementservices Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/attendancemanagementservices-tutorial.md
Previously updated : 04/15/2019 Last updated : 06/14/2021 # Tutorial: Azure Active Directory integration with Attendance Management Services
-In this tutorial, you learn how to integrate Attendance Management Services with Azure Active Directory (Azure AD).
-Integrating Attendance Management Services with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Attendance Management Services with Azure Active Directory (Azure AD). When you integrate Attendance Management Services with Azure AD, you can:
-* You can control in Azure AD who has access to Attendance Management Services.
-* You can enable your users to be automatically signed-in to Attendance Management Services (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Attendance Management Services.
+* Enable your users to be automatically signed-in to Attendance Management Services with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites To configure Azure AD integration with Attendance Management Services, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/)
-* Attendance Management Services single sign-on enabled subscription
+* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/).
+* Attendance Management Services single sign-on enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* Attendance Management Services supports **SP** initiated SSO
+* Attendance Management Services supports **SP** initiated SSO.
-## Adding Attendance Management Services from the gallery
+## Add Attendance Management Services from the gallery
To configure the integration of Attendance Management Services into Azure AD, you need to add Attendance Management Services from the gallery to your list of managed SaaS apps.
-**To add Attendance Management Services from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **Attendance Management Services**, select **Attendance Management Services** from result panel then click **Add** button to add the application.
-
- ![Attendance Management Services in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
-
-In this section, you configure and test Azure AD single sign-on with Attendance Management Services based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Attendance Management Services needs to be established.
-
-To configure and test Azure AD single sign-on with Attendance Management Services, you need to complete the following building blocks:
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Attendance Management Services** in the search box.
+1. Select **Attendance Management Services** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure Attendance Management Services Single Sign-On](#configure-attendance-management-services-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Attendance Management Services test user](#create-attendance-management-services-test-user)** - to have a counterpart of Britta Simon in Attendance Management Services that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+## Configure and test Azure AD SSO for Attendance Management Services
-### Configure Azure AD single sign-on
+Configure and test Azure AD SSO with Attendance Management Services using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Attendance Management Services.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+To configure and test Azure AD SSO with Attendance Management Services, perform the following steps:
-To configure Azure AD single sign-on with Attendance Management Services, perform the following steps:
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Attendance Management Services SSO](#configure-attendance-management-services-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Attendance Management Services test user](#create-attendance-management-services-test-user)** - to have a counterpart of B.Simon in Attendance Management Services that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-1. In the [Azure portal](https://portal.azure.com/), on the **Attendance Management Services** application integration page, select **Single sign-on**.
+## Configure Azure AD SSO
- ![Configure single sign-on link](common/select-sso.png)
+Follow these steps to enable Azure AD SSO in the Azure portal.
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+1. In the Azure portal, on the **Attendance Management Services** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Single sign-on select mode](common/select-saml-option.png)
-
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, perform the following steps:
- ![Attendance Management Services Domain and URLs single sign-on information](common/sp-identifier.png)
-
- a. In the **Sign on URL** text box, type a URL using the following pattern:
- `https://id.obc.jp/<tenant information >/`
+ a. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
+ `https://id.obc.jp/<TENANT_INFORMATION>/`
- b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
- `https://id.obc.jp/<tenant information >/`
+ b. In the **Sign on URL** text box, type a URL using the following pattern:
+ `https://id.obc.jp/<TENANT_INFORMATION>/`
> [!NOTE]
- > These values are not real. Update these values with the actual Sign on URL and Identifier. Contact [Attendance Management Services Client support team](https://www.obcnet.jp/) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+ > These values are not real. Update these values with the actual Identifier and Sign on URL. Contact [Attendance Management Services Client support team](https://www.obcnet.jp/) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
5. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Certificate (Base64)** from the given options as per your requirement and save it on your computer.
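Review bot: The added steps from `1. In the Azure portal ...` to `1. On the **Set up single sign-on with SAML** page ...` use auto-numbered `1.`, while the untouched steps that follow still read `4.` and `5.`. The page name is also now spelled two ways: `Set up single sign-on with SAML` in the added step and `Set up Single Sign-On with SAML` in step 5. Renumber the remaining steps to `1.` and use one casing for the page name so the procedure reads as a single list.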
To configure Azure AD single sign-on with Attendance Management Services, perfor
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
- b. Azure AD Identifier
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
- c. Logout URL
+### Assign the Azure AD test user
-### Configure Attendance Management Services Single Sign-On
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Attendance Management Services.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Attendance Management Services**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure Attendance Management Services SSO
1. In a different browser window, sign-on to your Attendance Management Services company site as administrator. 1. Click on **SAML authentication** under the **Security management section**.
- ![Screenshot shows SAML authentication selected in a page that uses non-latin characters.](./media/attendancemanagementservices-tutorial/user1.png)
+ ![Screenshot shows SAML authentication selected in a page that uses non-latin characters.](./media/attendancemanagementservices-tutorial/security.png)
1. Perform the following steps:
- ![Screenshot shows window where you can perform the tasks described in this step.](./media/attendancemanagementservices-tutorial/user2.png)
+ ![Screenshot shows window where you can perform the tasks described in this step.](./media/attendancemanagementservices-tutorial/authentication.png)
a. Select **Use SAML authentication**.
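Review bot: The removed sub-items `a. Login URL`, `b. Azure AD Identifier` and `c. Logout URL` were the only text naming the values shown under the **Copy configuration URLs** screenshot, and nothing in the added lines replaces them. Keep the three names, either as a list or in the step text, so the reader knows which values to carry over to the application-side SAML settings.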
To configure Azure AD single sign-on with Attendance Management Services, perfor
e. Select **Disable password authentication**.
- f. Click **Registration**
-
-### Create an Azure AD test user
-
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type `brittasimon@yourcompanydomain.extension`. For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
-
-### Assign the Azure AD test user
-
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Attendance Management Services.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Attendance Management Services**.
-
- ![Enterprise applications blade](common/enterprise-applications.png)
-
-2. In the applications list, select **Attendance Management Services**.
-
- ![The Attendance Management Services link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
+ f. Click **Registration**.
### Create Attendance Management Services test user
To enable Azure AD users to sign in to Attendance Management Services, they must
1. Click on **User management** under the **Security management section**.
- ![Screenshot shows User management selected in a page that uses non-latin characters.](./media/attendancemanagementservices-tutorial/user5.png)
+ ![Screenshot shows User management selected in a page that uses non-latin characters.](./media/attendancemanagementservices-tutorial/user.png)
1. Click **New rules login**.
- ![Screenshot shows selecting the plus option.](./media/attendancemanagementservices-tutorial/user3.png)
+ ![Screenshot shows selecting the plus option.](./media/attendancemanagementservices-tutorial/login.png)
1. In the **OBCiD information** section, perform the following steps:
- ![Screenshot shows window where you can perform the tasks described.](./media/attendancemanagementservices-tutorial/user4.png)
+ ![Screenshot shows window where you can perform the tasks described.](./media/attendancemanagementservices-tutorial/new-user.png)
a. In the **OBCiD** textbox, type the email of user like `BrittaSimon@contoso.com`.
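Review bot: The OBCiD example in step a still uses `BrittaSimon@contoso.com`, while this change renames the test user to B.Simon and has the reader create `B.Simon@contoso.com` in Azure AD. The tutorial states that SSO needs a link between the Azure AD user and the related application user, so update the example to `B.Simon@contoso.com` in the same change.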
To enable Azure AD users to sign in to Attendance Management Services, they must
c. Click **Registration**
-### Test single sign-on
+## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the Attendance Management Services tile in the Access Panel, you should be automatically signed in to the Attendance Management Services for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to Attendance Management Services Sign-on URL where you can initiate the login flow.
-## Additional Resources
+* Go to Attendance Management Services Sign-on URL directly and initiate the login flow from there.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the Attendance Management Services tile in the My Apps, this will redirect to Attendance Management Services Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Attendance Management Services you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
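Review bot: The added Next steps sentence mentions Conditional Access, but the hunk deletes the only link to `../conditional-access/overview.md`, and "protects exfiltration and infiltration" reads as if session control protects the exfiltration itself. Link the Conditional Access mention and reword to "protects against exfiltration and infiltration". The apostrophe in "organization's" should also be checked for encoding, since it shows here as `ΓÇÖ`.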
active-directory Bic Cloud Design Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/bic-cloud-design-tutorial.md
Previously updated : 12/16/2020 Last updated : 06/15/2021
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* BIC Cloud Design supports **SP** initiated SSO
+* BIC Cloud Design supports **SP** initiated SSO.
-## Adding BIC Cloud Design from the gallery
+## Add BIC Cloud Design from the gallery
To configure the integration of BIC Cloud Design into Azure AD, you need to add BIC Cloud Design from the gallery to your list of managed SaaS apps.
To configure the integration of BIC Cloud Design into Azure AD, you need to add
1. In the **Add from the gallery** section, type **BIC Cloud Design** in the search box. 1. Select **BIC Cloud Design** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. - ## Configure and test Azure AD SSO for BIC Cloud Design Configure and test Azure AD SSO with BIC Cloud Design using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in BIC Cloud Design.
Configure and test Azure AD SSO with BIC Cloud Design using a test user called *
To configure and test Azure AD SSO with BIC Cloud Design, perform the following steps: 1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
- * **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
- * **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
1. **[Configure BIC Cloud Design SSO](#configure-bic-cloud-design-sso)** - to configure the single sign-on settings on application side.
- * **[Create BIC Cloud Design test user](#create-bic-cloud-design-test-user)** - to have a counterpart of B.Simon in BIC Cloud Design that is linked to the Azure AD representation of user.
+ 1. **[Create BIC Cloud Design test user](#create-bic-cloud-design-test-user)** - to have a counterpart of B.Simon in BIC Cloud Design that is linked to the Azure AD representation of user.
1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ## Configure Azure AD SSO
Follow these steps to enable Azure AD SSO in the Azure portal.
c. After the metadata file is successfully uploaded, the **Identifier** value gets auto populated in Basic SAML Configuration section.
- ![BIC Cloud Design Domain and URLs single sign-on information](common/sp-identifier.png)
- In the **Sign-on URL** text box, type a URL using the following pattern:
- ```https
- https://<customer-specific-name/tenant>.biccloud.com
- https://<customer-specific-name/tenant>.biccloud.de
- ```
-
+ | Sign-on URL |
+ |--|
+ | `https://<CUSTOMER_SPECIFIC_NAME/TENANT>.biccloud.com` |
+ | `https://<CUSTOMER_SPECIFIC_NAME/TENANT>.biccloud.de` |
+
> [!Note]
- > If the **Identifier** value does not get auto polulated, then please fill in the value manually according to your requirement. The Sign-on URL value is not real. Update this value with the actual Sign-on URL. Contact [BIC Cloud Design Client support team](mailto:bicsupport@gbtec.de) to get this value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+ > If the **Identifier** value does not get auto populated, then please fill in the value manually according to your requirement. The Sign-on URL value is not real. Update this value with the actual Sign-on URL. Contact [BIC Cloud Design Client support team](mailto:bicsupport@gbtec.de) to get this value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
1. BIC Cloud Design application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.
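Review bot: The removed line `In the **Sign-on URL** text box, type a URL using the following pattern:` has no replacement, so the new one-column table no longer says where the value is entered or that only one of the two patterns applies. Keep the instruction above the table, and consider a placeholder without a slash, since `<CUSTOMER_SPECIFIC_NAME/TENANT>` sits in the host name, where `/` reads as a path separator.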
In this section, you test your Azure AD single sign-on configuration with follow
* You can use Microsoft My Apps. When you click the BIC Cloud Design tile in the My Apps, this will redirect to BIC Cloud Design Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md). - ## Next steps Once you configure the BIC Cloud Design you can enforce session controls, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session controls extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory Bizagi Studio For Digital Process Automation Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/bizagi-studio-for-digital-process-automation-tutorial.md
Previously updated : 02/27/2020 Last updated : 06/15/2021
In this tutorial, you'll learn how to integrate Bizagi for Digital Process Autom
* Enable your users to be automatically signed-in to a project of Bizagi for Digital Process AutomationServices or Server with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a Bizagi project using Automation services or server.
-* Bizagi for Digital Process Automation supports **SP** initiated SSO
-* Once you configure Bizagi for Digital Process Automation you can enforce session controls, which protect exfiltration and infiltration of your organizationΓÇÖs sensitive data in real-time. Session control extend from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
+* Bizagi for Digital Process Automation supports **SP** initiated SSO.
-## Adding Bizagi for Digital Process Automation from the gallery
+## Add Bizagi for Digital Process Automation from the gallery
To configure the integration of Bizagi for Digital Process Automation into Azure AD, you need to add Bizagi for Digital Process Automation from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Bizagi for Digital Process Automation** in the search box. 1. Select **Bizagi for Digital Process Automation** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on for Bizagi for Digital Process Automation
+## Configure and test Azure AD SSO for Bizagi for Digital Process Automation
Configure and test Azure AD SSO with Bizagi for Digital Process Automation using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in the Bizagi project.
-To configure and test Azure AD SSO with Bizagi for Digital Process Automation, complete the following building blocks:
+To configure and test Azure AD SSO with Bizagi for Digital Process Automation, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test)** - to test Azure AD single sign-on with B.Simon.
To configure and test Azure AD SSO with Bizagi for Digital Process Automation, c
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Bizagi for Digital Process Automation** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **Bizagi for Digital Process Automation** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. Upload the Bizagi metadata file in the **Upload metadata file** option.
-1. Review the configuration. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
-1. On the **Basic SAML Configuration** section, enter the values for the following fields:
+1. On the **Basic SAML Configuration** section, perform the following steps:
- a. In the **Sign on URL** text box, type the URL of your Bizagi project:
- `https://<COMPANYNAME>.bizagi.com/<PROJECTNAME>`
+ a. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
+ `https://<COMPANY_NAME>.bizagi.com/<PROJECT_NAME>`
- b. In the **Identifier (Entity ID)** text box, type the URL of your Bizagi project:
- `https://<COMPANYNAME>.bizagi.com/<PROJECTNAME>`
+ b. In the **Sign on URL** text box, type a URL using the following pattern:
+ `https://<COMPANY_NAME>.bizagi.com/<PROJECT_NAME>`
> [!NOTE]
- > These values are not real. Update these values with the actual Sign-on URL and Identifier. Contact [Bizagi for Digital Process Automation support team](mailto:jarvein.rivera@bizagi.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+ > These values are not real. Update these values with the actual Identifier and Sign on URL. Contact [Bizagi for Digital Process Automation support team](mailto:jarvein.rivera@bizagi.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
1. On the **Set up single sign-on with SAML** page, In the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer.
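Review bot: Dropping the `Upload the Bizagi metadata file` step changes the procedure rather than just the wording, because the Identifier and Sign on URL are now typed by hand from a pattern. Confirm this is intended and, if the metadata upload still works, keep it as the preferred path. Separately, the support contact in the note is an individual's mailbox (`jarvein.rivera@bizagi.com`); a team alias would be less likely to go stale.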
Follow these steps to enable Azure AD SSO in the Azure portal.
This metadata URL must be registered in the authentication options of your Bizagi project.
-1. On the **Set up single sign-on with SAML**page, click the edit/pen icon for **User Attributes & Claims** to edit the Unique User Identifier.
+1. On the **Set up single sign-on with SAML**page, click the pencil icon for **User Attributes & Claims** to edit the Unique User Identifier.
Set the Unique User Identifier as the user.mail.
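Review bot: The rewritten step still has no space in `**Set up single sign-on with SAML**page`, carried over from the old line. Add the space while this line is being touched.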
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **Bizagi for Digital Process Automation**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure Bizagi for Digital Process Automation SSO
In this section, you create a user called Britta Simon in Bizagi for Digital Pro
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
-
-When you click the Bizagi for Digital Process Automation tile in the Access Panel, you should be automatically signed in to the portal of Bizagi for Digital Process Automation for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
-
-## Additional resources
+In this section, you test your Azure AD single sign-on configuration with following options.
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+* Click on **Test this application** in Azure portal. This will redirect to Bizagi for Digital Process Automation Sign-on URL where you can initiate the login flow.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+* Go to Bizagi for Digital Process Automation Sign-on URL directly and initiate the login flow from there.
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+* You can use Microsoft My Apps. When you click the Bizagi for Digital Process Automation tile in the My Apps, this will redirect to Bizagi for Digital Process Automation Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [Try Bizagi for Digital Process Automation with Azure AD](https://aad.portal.azure.com/)
+## Next steps
-- [What is session control in Microsoft Cloud App Security?](/cloud-app-security/proxy-intro-aad)
+Once you configure Bizagi for Digital Process Automation you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
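Review bot: The session control link target changes from `/cloud-app-security/proxy-deployment-any-app`, in the bullet removed from the scenario description, to `/cloud-app-security/proxy-deployment-aad` in the new Next steps paragraph. Confirm the new target is the intended one for this app, since the BIC Cloud Design tutorial in the same batch still points to `proxy-deployment-any-app`.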
active-directory Citrix Cloud Saml Sso Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/citrix-cloud-saml-sso-tutorial.md
+
+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Citrix Cloud SAML SSO | Microsoft Docs'
+description: Learn how to configure single sign-on between Azure Active Directory and Citrix Cloud SAML SSO.
++++++++ Last updated : 06/14/2021++++
+# Tutorial: Azure Active Directory single sign-on (SSO) integration with Citrix Cloud SAML SSO
+
+In this tutorial, you'll learn how to integrate Citrix Cloud SAML SSO with Azure Active Directory (Azure AD). When you integrate Citrix Cloud SAML SSO with Azure AD, you can:
+
+* Control in Azure AD who has access to Citrix Cloud SAML SSO.
+* Enable your users to be automatically signed-in to Citrix Cloud SAML SSO with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
+
+## Prerequisites
+
+To get started, you need the following items:
+
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Citrix Cloud SAML SSO single sign-on (SSO) enabled subscription.
+
+## Scenario description
+
+In this tutorial, you configure and test Azure AD SSO in a test environment.
+
+* Citrix Cloud SAML SSO supports **SP** initiated SSO.
+
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
+
+## Add Citrix Cloud SAML SSO from the gallery
+
+To configure the integration of Citrix Cloud SAML SSO into Azure AD, you need to add Citrix Cloud SAML SSO from the gallery to your list of managed SaaS apps.
+
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Citrix Cloud SAML SSO** in the search box.
+1. Select **Citrix Cloud SAML SSO** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
+
+## Configure and test Azure AD SSO for Citrix Cloud SAML SSO
+
+Configure and test Azure AD SSO with Citrix Cloud SAML SSO using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Citrix Cloud SAML SSO.
+
+To configure and test Azure AD SSO with Citrix Cloud SAML SSO, perform the following steps:
+
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Citrix Cloud SAML SSO](#configure-citrix-cloud-saml-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Citrix Cloud SAML SSO test user](#create-citrix-cloud-saml-sso-test-user)** - to have a counterpart of B.Simon in Citrix Cloud SAML SSO that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
+
+## Configure Azure AD SSO
+
+Follow these steps to enable Azure AD SSO in the Azure portal.
+
+1. In the Azure portal, on the **Citrix Cloud SAML SSO** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
+
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
+
+1. On the **Basic SAML Configuration** section, perform the following step:
+
+ In the **Sign-on URL** text box, type a URL using the following pattern:
+ `https://citrix.cloud.com/go/<CUSTOM_URL>`
+
+ > [!NOTE]
+ > The value is not real. Update the value with the actual Sign-On URL. Contact [Citrix Cloud SAML SSO Client support team](mailto:workspacadmins@citirx.com) to get the value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+
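Review bot: The support contact in the note above is `mailto:workspacadmins@citirx.com`; the domain `citirx.com` is not spelled like the product name, and the local part looks truncated. Verify the address with the vendor before publishing, because mail sent to a look-alike domain goes to whoever owns that domain.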
+1. Citrix Cloud SAML SSO application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.
+
+ ![image](common/default-attributes.png)
+
+1. In addition to above, Citrix Cloud SAML SSO application expects few more attributes to be passed back in SAML response which are shown below. These attributes are also pre populated but you can review them as per your requirements.
+
+ | Name | Source Attribute |
+ | --|--|
+ | cip_sid | user.onpremisesecurityidentifier |
+ | cip_upn | user.userprincipalname |
+ | cip_oid | user.objectid |
+ | cip_email | user.mail |
+
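Review bot: In the attribute table, `cip_sid` is mapped to `user.onpremisesecurityidentifier`, which is only populated for accounts synchronized from on-premises Active Directory, while the B.Simon test user created later in this tutorial is made directly in the portal. State here whether a cloud-only account can complete the test sign-in, or tell the reader to test with a synchronized user.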
+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (PEM)** and select **Download** to download the certificate and save it on your computer.
+
+ ![The Certificate download link](common/certificate-base64-download.png)
+
+1. On the **Set up Citrix Cloud SAML SSO** section, copy the appropriate URL(s) based on your requirement.
+
+ ![Copy configuration URLs](common/copy-configuration-urls.png)
+
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
+
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Citrix Cloud SAML SSO.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Citrix Cloud SAML SSO**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure Citrix Cloud SAML SSO
+
+1. Log in to your Citrix Cloud SAML SSO company site as an administrator.
+
+1. Navigate to the Citrix Cloud menu and select **Identity and Access Management**.
+
+ ![Account](./media/citrix-cloud-saml-sso-tutorial/menu.png "Account")
+
+1. Under **Authentication**, locate **SAML 2.0** and select **Connect** from the ellipsis menu.
+
+ ![SAML 2.0](./media/citrix-cloud-saml-sso-tutorial/access.png "SAML 2.0")
+
+1. In the **Configure SAML** page, perform the following steps.
+
+ ![Configuration](./media/citrix-cloud-saml-sso-tutorial/connect.png "Configuration")
+
+ a. In the **Entity ID** textbox, paste the **Azure AD Identifier** value which you have copied from the Azure portal.
+
+ b. In the **Sign Authentication Request**, select **Yes** to allow Citrix Cloud to Sign authentication requests.
+
+ c. In the **SSO Service URL** textbox, paste the **Login URL** value which you have copied from the Azure portal.
+
+ d. Select **Binding Mechanism** from the drop down, you can select either **HTTP-POST** or **HTTP-Redirect** binding.
+
+ e. Select **SAML Response** from the dropdown.
+
+ f. Open the downloaded **Certificate (PEM)** from the Azure portal into Notepad and upload the content file into the **X.509 Certificate**.
+
+ g. In the **Authentication Context**, select **Authentication Context** and **Type** from the dropdown.
+
+ h. Click **Test and Finish**.
+
+### Create Citrix Cloud SAML SSO test user
+
+1. Log in to your Citrix Cloud SAML SSO company site as an administrator.
+
+1. Navigate to the Citrix Cloud menu and select **Identity and Access Management**.
+
+ ![Account](./media/citrix-cloud-saml-sso-tutorial/menu.png "Account")
+
+1. Under **Administrators** section, perform the following steps.
+
+ ![Invite Account](./media/citrix-cloud-saml-sso-tutorial/user.png "Invite Account")
+
+ a. Select **Citrix Identity** as an identity provider from the dropdown.
+
+ b. Give a valid **Email Address** in the textbox.
+
+ c. Click **Invite**.
+
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+* Click on **Test this application** in Azure portal. This will redirect to Citrix Cloud SAML SSO Sign-on URL where you can initiate the login flow.
+
+* Go to Citrix Cloud SAML SSO Sign-on URL directly and initiate the login flow from there.
+
+* You can use Microsoft My Apps. When you click the Citrix Cloud SAML SSO tile in the My Apps, this will redirect to Citrix Cloud SAML SSO Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
+
+## Next steps
+
+Once you configure Citrix Cloud SAML SSO you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
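Review bot: In the note about the Sign-On URL value, the link labelled "Citrix Cloud SAML SSO Client support team" points to `workspacadmins@citirx.com`, and the domain is spelled `citirx.com` rather than the vendor's name. Please confirm the address before merging, because readers are told to request their real Sign-On URL from it and a mistyped domain would route tenant configuration questions to whoever holds that domain. Separately, step f under **Configure SAML** says to open the PEM in Notepad and "upload the content file", which does not say whether the file is uploaded or its text is pasted into **X.509 Certificate**; state one.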
active-directory Discovery Benefits Sso Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/discovery-benefits-sso-tutorial.md
Previously updated : 10/03/2019 Last updated : 06/15/2021
In this tutorial, you'll learn how to integrate Discovery Benefits SSO with Azur
* Enable your users to be automatically signed-in to Discovery Benefits SSO with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Discovery Benefits SSO supports **IDP** initiated SSO
+* Discovery Benefits SSO supports **IDP** initiated SSO.
> [!NOTE] > Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-## Adding Discovery Benefits SSO from the gallery
+## Add Discovery Benefits SSO from the gallery
To configure the integration of Discovery Benefits SSO into Azure AD, you need to add Discovery Benefits SSO from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Discovery Benefits SSO** in the search box. 1. Select **Discovery Benefits SSO** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on for Discovery Benefits SSO
+## Configure and test Azure AD SSO for Discovery Benefits SSO
Configure and test Azure AD SSO with Discovery Benefits SSO using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Discovery Benefits SSO.
To configure and test Azure AD SSO with Discovery Benefits SSO, complete the fol
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon. 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
-1. **[Configure Discovery Benefits SSO SSO](#configure-discovery-benefits-sso-sso)** - to configure the single sign-on settings on application side.
+1. **[Configure Discovery Benefits SSO](#configure-discovery-benefits-sso)** - to configure the single sign-on settings on application side.
1. **[Create Discovery Benefits SSO test user](#create-discovery-benefits-sso-test-user)** - to have a counterpart of B.Simon in Discovery Benefits SSO that is linked to the Azure AD representation of user. 1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
To configure and test Azure AD SSO with Discovery Benefits SSO, complete the fol
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Discovery Benefits SSO** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **Discovery Benefits SSO** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
Follow these steps to enable Azure AD SSO in the Azure portal.
a. Click on **Edit** icon to open the **Unique User Identifier (Name ID)** dialog.
- ![Screenshot that shows the "User Attributes & Claims" section with the "Required claim" ellipses on the right side selected.](./media/discovery-benefits-sso-tutorial/attribute01.png)
+ ![Screenshot that shows the "User Attributes & Claims" section with the "Required claim" ellipses on the right side selected.](./media/discovery-benefits-sso-tutorial/user-attribute.png)
- ![Discovery Benefits SSO configuration](./media/discovery-benefits-sso-tutorial/attribute02.png)
+ ![Discovery Benefits SSO configuration](./media/discovery-benefits-sso-tutorial/add-attribute.png)
b. Click on **Edit** icon to open the **Manage transformation** dialog.
Follow these steps to enable Azure AD SSO in the Azure portal.
> [!NOTE] > Discovery Benefits SSO requires a fixed string value to be passed in **Unique User Identifier (Name ID)** field to get this integration working. Azure AD currently doesn't support this feature so as a work around, you can use **ToUpper** or **ToLower** transformations of NameID to set a fixed string value as shown above in the screenshot.
- f. We have auto-populated the additional claims which are required for SSO configuration (`SSOInstance` and `SSOID`). Use the **Edit** icon to map the values as per your organization.
+ f. We have auto-populated the additional claims which are required for SSO configuration (`SSOInstance` and `SSOID`). Use the **pencil** icon to map the values as per your organization.
- ![Screenshot that shows the "User Attributes & Claims" with the "S S O Instance" and "S S O I D" values highlighted.](./media/discovery-benefits-sso-tutorial/attribute03.png)
+ ![Screenshot that shows the "User Attributes & Claims" with the "S S O Instance" and "S S O I D" values highlighted.](./media/discovery-benefits-sso-tutorial/new-attribute.png)
1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.
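Review bot: The label change in step f to the **pencil** icon leaves steps a and b of the same list still saying "Click on **Edit** icon", so the page now names the same control two ways. Rename those steps as well, and match the unbolded "pencil icon" wording this change uses for **Basic SAML Configuration**.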
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **Discovery Benefits SSO**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button.
-## Configure Discovery Benefits SSO SSO
+## Configure Discovery Benefits SSO
To configure single sign-on on **Discovery Benefits SSO** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [Discovery Benefits SSO support team](mailto:Jsimpson@DiscoveryBenefits.com). They set this setting to have the SAML SSO connection set properly on both sides.
In this section, you create a user called Britta Simon in Discovery Benefits SSO
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
-
-When you click the Discovery Benefits SSO tile in the Access Panel, you should be automatically signed in to the Discovery Benefits SSO for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
-
-## Additional resources
+In this section, you test your Azure AD single sign-on configuration with following options.
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+* Click on Test this application in Azure portal and you should be automatically signed in to the Discovery Benefits SSO for which you set up the SSO.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+* You can use Microsoft My Apps. When you click the Discovery Benefits SSO tile in the My Apps, you should be automatically signed in to the Discovery Benefits SSO for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+## Next steps
-- [Try Discovery Benefits SSO with Azure AD](https://aad.portal.azure.com/)
+Once you configure Discovery Benefits SSO you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
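Review bot: The new **Next steps** sentence says session control "protects exfiltration and infiltration" of sensitive data, which reads as protecting the exfiltration itself; it should say "protects against exfiltration and infiltration". The apostrophe in "organization's" in the same sentence is a non-ASCII character (it shows here as `ΓÇÖ`), so replace it with a plain `'`. In the first test bullet, "Test this application" is a portal label and should be bold like the other UI names on the page.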
active-directory Jostle Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/jostle-tutorial.md
Previously updated : 02/25/2019 Last updated : 06/14/2021 # Tutorial: Azure Active Directory integration with Jostle
-In this tutorial, you learn how to integrate Jostle with Azure Active Directory (Azure AD).
-Integrating Jostle with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Jostle with Azure Active Directory (Azure AD). When you integrate Jostle with Azure AD, you can:
-* You can control in Azure AD who has access to Jostle.
-* You can enable your users to be automatically signed-in to Jostle (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Jostle.
+* Enable your users to be automatically signed-in to Jostle with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with Jostle, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* Jostle single sign-on enabled subscription
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Jostle single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* Jostle supports **SP** initiated SSO
-
-## Adding Jostle from the gallery
-
-To configure the integration of Jostle into Azure AD, you need to add Jostle from the gallery to your list of managed SaaS apps.
-
-**To add Jostle from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
+* Jostle supports **SP** initiated SSO.
-4. In the search box, type **Jostle**, select **Jostle** from result panel then click **Add** button to add the application.
-
- ![Jostle in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
-
-In this section, you configure and test Azure AD single sign-on with Jostle based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Jostle needs to be established.
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-To configure and test Azure AD single sign-on with Jostle, you need to complete the following building blocks:
+## Add Jostle from the gallery
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure Jostle Single Sign-On](#configure-jostle-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Jostle test user](#create-jostle-test-user)** - to have a counterpart of Britta Simon in Jostle that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+To configure the integration of Jostle into Azure AD, you need to add Jostle from the gallery to your list of managed SaaS apps.
-### Configure Azure AD single sign-on
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Jostle** in the search box.
+1. Select **Jostle** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+## Configure and test Azure AD SSO for Jostle
-To configure Azure AD single sign-on with Jostle, perform the following steps:
+Configure and test Azure AD SSO with Jostle using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Jostle.
-1. In the [Azure portal](https://portal.azure.com/), on the **Jostle** application integration page, select **Single sign-on**.
+To configure and test Azure AD SSO with Jostle, perform the following steps:
- ![Configure single sign-on link](common/select-sso.png)
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Jostle SSO](#configure-jostle-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Jostle test user](#create-jostle-test-user)** - to have a counterpart of B.Simon in Jostle that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+## Configure Azure AD SSO
- ![Single sign-on select mode](common/select-saml-option.png)
+Follow these steps to enable Azure AD SSO in the Azure portal.
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
+1. In the Azure portal, on the **Jostle** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, perform the following steps:
- ![Jostle Domain and URLs single sign-on information](common/sp-identifier-reply.png)
-
- a. In the **Sign-on URL** text box, type the URL:
- `https://login-prod.jostle.us`
-
- b. In the **Identifier** box, type the URL:
+ a. In the **Identifier** box, type the URL:
`https://jostle.us`
- c. In the **Reply URL** text box, type the URL:
+ b. In the **Reply URL** text box, type the URL:
`https://login-prod.jostle.us/saml/SSO/alias/newjostle.us`
+ c. In the **Sign-on URL** text box, type the URL:
+ `https://login-prod.jostle.us`
+ 5. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Federation Metadata XML** from the given options as per your requirement and save it on your computer. ![The Certificate download link](common/metadataxml.png)
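Review bot: The rewritten steps use `1.` auto-numbering, but the **Basic SAML Configuration** and **SAML Signing Certificate** steps keep the literal `4.` and `5.`, and the certificate step still titles the page "Set up Single Sign-On with SAML" while the new step above uses "Set up single sign-on with SAML". Renumber both steps to `1.` and use one capitalisation of the page title.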
To configure Azure AD single sign-on with Jostle, perform the following steps:
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
-
- b. Azure Ad Identifier
-
- c. Logout URL
-
-### Configure Jostle Single Sign-On
-
-To configure single sign-on on **Jostle** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Jostle support team](mailto:support@jostle.me). They set this setting to have the SAML SSO connection set properly on both sides.
- ### Create an Azure AD test user
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
+In this section, you'll create a test user in the Azure portal called B.Simon.
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type **brittasimon\@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
### Assign the Azure AD test user
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Jostle.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Jostle**.
-
- ![Enterprise applications blade](common/enterprise-applications.png)
-
-2. In the applications list, select **Jostle**.
-
- ![The Jostle link in the Applications list](common/all-applications.png)
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Jostle.
-3. In the menu on the left, select **Users and groups**.
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Jostle**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
- ![The "Users and groups" link](common/users-groups-blade.png)
+## Configure Jostle SSO
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
+To configure single sign-on on **Jostle** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Jostle support team](mailto:support@jostle.me). They set this setting to have the SAML SSO connection set properly on both sides.
### Create Jostle test user
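Review bot: Removing the `a. Login URL`, `b. Azure Ad Identifier`, `c. Logout URL` list leaves the relocated **Configure Jostle SSO** paragraph asking the admin to send "appropriate copied URLs" to Jostle support with nothing in the visible steps naming which values those are. Either keep the list under the copy-URLs step or name the values in that paragraph, so admins send only what the connection needs.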
In this section, you create a user called Britta Simon in Jostle. Work with [Jo
> [!NOTE] > The Azure Active Directory account holder receives an email and follows a link to confirm their account before it becomes active.
-### Test single sign-on
+## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the Jostle tile in the Access Panel, you should be automatically signed in to the Jostle for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to Jostle Sign-on URL where you can initiate the login flow.
-## Additional Resources
+* Go to Jostle Sign-on URL directly and initiate the login flow from there.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the Jostle tile in the My Apps, this will redirect to Jostle Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Jostle you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
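Review bot: The test user is renamed to **B.Simon** throughout this change, but the unchanged **Create Jostle test user** paragraph still says "you create a user called Britta Simon in Jostle". Update it so the Jostle-side account matches the Azure AD user it is meant to be linked to.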
active-directory On24 Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/on24-tutorial.md
Previously updated : 03/13/2019 Last updated : 06/14/2021 # Tutorial: Azure Active Directory integration with ON24 Virtual Environment SAML Connection
-In this tutorial, you learn how to integrate ON24 Virtual Environment SAML Connection with Azure Active Directory (Azure AD).
-Integrating ON24 Virtual Environment SAML Connection with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate ON24 Virtual Environment SAML Connection with Azure Active Directory (Azure AD). When you integrate ON24 Virtual Environment SAML Connection with Azure AD, you can:
-* You can control in Azure AD who has access to ON24 Virtual Environment SAML Connection.
-* You can enable your users to be automatically signed-in to ON24 Virtual Environment SAML Connection (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to ON24 Virtual Environment SAML Connection.
+* Enable your users to be automatically signed-in to ON24 Virtual Environment SAML Connection with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with ON24 Virtual Environment SAML Connection, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* ON24 Virtual Environment SAML Connection single sign-on enabled subscription
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* ON24 Virtual Environment SAML Connection single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* ON24 Virtual Environment SAML Connection supports **SP** and **IDP** initiated SSO
-
-## Adding ON24 Virtual Environment SAML Connection from the gallery
-
-To configure the integration of ON24 Virtual Environment SAML Connection into Azure AD, you need to add ON24 Virtual Environment SAML Connection from the gallery to your list of managed SaaS apps.
-
-**To add ON24 Virtual Environment SAML Connection from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **ON24 Virtual Environment SAML Connection**, select **ON24 Virtual Environment SAML Connection** from result panel then click **Add** button to add the application.
-
- ![ON24 Virtual Environment SAML Connection in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
+* ON24 Virtual Environment SAML Connection supports **SP** and **IDP** initiated SSO.
-In this section, you configure and test Azure AD single sign-on with ON24 Virtual Environment SAML Connection based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in ON24 Virtual Environment SAML Connection needs to be established.
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-To configure and test Azure AD single sign-on with ON24 Virtual Environment SAML Connection, you need to complete the following building blocks:
+## Add ON24 Virtual Environment SAML Connection from the gallery
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure ON24 Virtual Environment SAML Connection Single Sign-On](#configure-on24-virtual-environment-saml-connection-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create ON24 Virtual Environment SAML Connection test user](#create-on24-virtual-environment-saml-connection-test-user)** - to have a counterpart of Britta Simon in ON24 Virtual Environment SAML Connection that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+To configure the integration of ON24 Virtual Environment SAML Connection into Azure AD, you need to add ON24 Virtual Environment SAML Connection from the gallery to your list of managed SaaS apps.
-### Configure Azure AD single sign-on
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **ON24 Virtual Environment SAML Connection** in the search box.
+1. Select **ON24 Virtual Environment SAML Connection** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+## Configure and test Azure AD SSO for ON24 Virtual Environment SAML Connection
-To configure Azure AD single sign-on with ON24 Virtual Environment SAML Connection, perform the following steps:
+Configure and test Azure AD SSO with ON24 Virtual Environment SAML Connection using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in ON24 Virtual Environment SAML Connection.
-1. In the [Azure portal](https://portal.azure.com/), on the **ON24 Virtual Environment SAML Connection** application integration page, select **Single sign-on**.
+To configure and test Azure AD SSO with ON24 Virtual Environment SAML Connection, perform the following steps:
- ![Configure single sign-on link](common/select-sso.png)
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure ON24 Virtual Environment SAML Connection SSO](#configure-on24-virtual-environment-saml-connection-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create ON24 Virtual Environment SAML Connection test user](#create-on24-virtual-environment-saml-connection-test-user)** - to have a counterpart of B.Simon in ON24 Virtual Environment SAML Connection that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+## Configure Azure AD SSO
- ![Single sign-on select mode](common/select-saml-option.png)
+Follow these steps to enable Azure AD SSO in the Azure portal.
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
+1. In the Azure portal, on the **ON24 Virtual Environment SAML Connection** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, If you wish to configure the application in **IDP** initiated mode, perform the following steps:
- ![ON24 Virtual Environment SAML Connection Domain and URLs single sign-on information](common/idp-relay.png)
-
- a. In the **Identifier** text box, type a URL:
-
- **Production Environment URL**
-
- `SAML-VSHOW.on24.com`
-
- `SAML-Gateway.on24.com`
+ a. In the **Identifier** text box, type one of the following values:
- `SAP PROD SAML-EliteAudience.on24.com`
+ | **Production Environment URL** |
+ ||
+ | `SAML-VSHOW.on24.com` |
+ | `SAML-Gateway.on24.com` |
+ | `SAP PROD SAML-EliteAudience.on24.com` |
+ |
- **QA Environment URL**
-
- `SAMLQA-VSHOW.on24.com`
-
- `SAMLQA-Gateway.on24.com`
-
- `SAMLQA-EliteAudience.on24.com`
-
- b. In the **Reply URL** text box, type a URL:
-
- **Production Environment URL**
-
- `https://federation.on24.com/sp/ACS.saml2`
-
- `https://federation.on24.com/sp/eyJ2c2lkIjoiU0FNTC1WU2hvdy5vbjI0LmNvbSJ9/ACS.saml2`
-
- `https://federation.on24.com/sp/eyJ2c2lkIjoiU0FNTC1HYXRld2F5Lm9uMjQuY29tIn0/ACS.saml2`
-
- `https://federation.on24.com/sp/eyJ2c2lkIjoiU0FNTC1FbGl0ZUF1ZGllbmNlLm9uMjQuY29tIn0/ACS.saml2`
-
- **QA Environment URL**
-
- `https://qafederation.on24.com/sp/ACS.saml2`
-
- `https://qafederation.on24.com/sp/eyJ2c2lkIjoiU0FNTFFBLVZzaG93Lm9uMjQuY29tIn0/ACS.saml2`
-
- `https://qafederation.on24.com/sp/eyJ2c2lkIjoiU0FNTFFBLUdhdGV3YXkub24yNC5jb20ifQ/ACS.saml2`
-
- `https://qafederation.on24.com/sp/eyJ2c2lkIjoiU0FNTFFBLUVsaXRlQXVkaWVuY2Uub24yNC5jb20ifQ/ACS.saml2`
+ | **QA Environment URL** |
+ |--|
+ | `SAMLQA-VSHOW.on24.com` |
+ | `SAMLQA-Gateway.on24.com` |
+ | `SAMLQA-EliteAudience.on24.com` |
+ |
+
+ b. In the **Reply URL** text box, type one of the following URLs:
+
+ | **Production Environment URL** |
+ |--|
+ | `https://federation.on24.com/sp/ACS.saml2` |
+ | `https://federation.on24.com/sp/eyJ2c2lkIjoiU0FNTC1WU2hvdy5vbjI0LmNvbSJ9/ACS.saml2` |
+ | `https://federation.on24.com/sp/eyJ2c2lkIjoiU0FNTC1HYXRld2F5Lm9uMjQuY29tIn0/ACS.saml2` |
+ | `https://federation.on24.com/sp/eyJ2c2lkIjoiU0FNTC1FbGl0ZUF1ZGllbmNlLm9uMjQuY29tIn0/ACS.saml2` |
+ |
+
+ | **QA Environment URL** |
+ |-|
+ | `https://qafederation.on24.com/sp/ACS.saml2` |
+ | `https://qafederation.on24.com/sp/eyJ2c2lkIjoiU0FNTFFBLVZzaG93Lm9uMjQuY29tIn0/ACS.saml2` |
+ | `https://qafederation.on24.com/sp/eyJ2c2lkIjoiU0FNTFFBLUdhdGV3YXkub24yNC5jb20ifQ/ACS.saml2` |
+ | `https://qafederation.on24.com/sp/eyJ2c2lkIjoiU0FNTFFBLUVsaXRlQXVkaWVuY2Uub24yNC5jb20ifQ/ACS.saml2` |
+ |
c. Click **Set additional URLs**.
- d. In the **Relay State** text box, type a URL: `https://vshow.on24.com/vshow/ms_azure_saml_test?r=<ID>`
+ d. In the **Relay State** text box, type a URL using the following pattern: `https://vshow.on24.com/vshow/ms_azure_saml_test?r=<ID>`
5. If you wish to configure the application in **SP** initiated mode, perform the following step:
- ![Screenshot that shows the "Set additional U R Ls" section with the "Sign on U R L" text box highlighted.](common/both-signonurl.png)
- In the **Sign-on URL** text box, type a URL using the following pattern:
- `https://vshow.on24.com/vshow/<INSTANCENAME>`
+ `https://vshow.on24.com/vshow/<INSTANCE_NAME>`
> [!NOTE] > These values are not real. Update these values with the actual Relay State and Sign-on URL. Contact [ON24 Virtual Environment SAML Connection Client support team](https://www.on24.com/contact-us/) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
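Review bot: The first added table under step a (the **Production Environment URL** identifiers) uses `||` as its delimiter row, which has no hyphens, while the other three added tables use `|--|` or `|-|`, and all four tables end with a lone `|` row. Use the same delimiter row (for example `|--|`) in every table and drop the trailing `|` lines so the tables render consistently. Separately, the added note says the Identifier "is a fixed string value", yet step a now says "type one of the following values" and lists three production and three QA identifiers, so please confirm the note applies to this app. The added steps are numbered `1.` throughout while the unchanged steps after them still start with `4.` and `5.`; renumber those to match.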
To configure Azure AD single sign-on with ON24 Virtual Environment SAML Connecti
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
-
- b. Azure AD Identifier
-
- c. Logout URL
-
-### Configure ON24 Virtual Environment SAML Connection Single Sign-On
-
-To configure single sign-on on **ON24 Virtual Environment SAML Connection** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [ON24 Virtual Environment SAML Connection support team](https://www.on24.com/about-us/support/). They set this setting to have the SAML SSO connection set properly on both sides.
- ### Create an Azure AD test user
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
+In this section, you'll create a test user in the Azure portal called B.Simon.
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type **brittasimon\@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
### Assign the Azure AD test user
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to ON24 Virtual Environment SAML Connection.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **ON24 Virtual Environment SAML Connection**.
-
- ![Enterprise applications blade](common/enterprise-applications.png)
-
-2. In the applications list, select **ON24 Virtual Environment SAML Connection**.
-
- ![The ON24 Virtual Environment SAML Connection link in the Applications list](common/all-applications.png)
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to ON24 Virtual Environment SAML Connection.
-3. In the menu on the left, select **Users and groups**.
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **ON24 Virtual Environment SAML Connection**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
- ![The "Users and groups" link](common/users-groups-blade.png)
+## Configure ON24 Virtual Environment SAML Connection SSO
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
+To configure single sign-on on **ON24 Virtual Environment SAML Connection** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [ON24 Virtual Environment SAML Connection support team](https://www.on24.com/about-us/support/). They set this setting to have the SAML SSO connection set properly on both sides.
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
+### Create ON24 Virtual Environment SAML Connection test user
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
+In this section, you create a user called Britta Simon in ON24 Virtual Environment SAML Connection. Work with [ON24 Virtual Environment SAML Connection support team](https://www.on24.com/about-us/support/) to add the users in the ON24 Virtual Environment SAML Connection platform. Users must be created and activated before you use single sign-on.
-7. In the **Add Assignment** dialog click the **Assign** button.
+## Test SSO
-### Create ON24 Virtual Environment SAML Connection test user
+In this section, you test your Azure AD single sign-on configuration with following options.
-In this section, you create a user called Britta Simon in ON24 Virtual Environment SAML Connection. Work with [ON24 Virtual Environment SAML Connection support team](https://www.on24.com/about-us/support/) to add the users in the ON24 Virtual Environment SAML Connection platform. Users must be created and activated before you use single sign-on.
+#### SP initiated:
-### Test single sign-on
+* Click on **Test this application** in Azure portal. This will redirect to ON24 Virtual Environment SAML Connection Sign on URL where you can initiate the login flow.
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+* Go to ON24 Virtual Environment SAML Connection Sign-on URL directly and initiate the login flow from there.
-When you click the ON24 Virtual Environment SAML Connection tile in the Access Panel, you should be automatically signed in to the ON24 Virtual Environment SAML Connection for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+#### IDP initiated:
-## Additional Resources
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the ON24 Virtual Environment SAML Connection for which you set up the SSO.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the ON24 Virtual Environment SAML Connection tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the ON24 Virtual Environment SAML Connection for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure ON24 Virtual Environment SAML Connection you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
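Review bot: The added **Create ON24 Virtual Environment SAML Connection test user** paragraph still says "you create a user called Britta Simon", while the other added lines in this hunk create and assign a test user named B.Simon. Rename the user there so the application-side account matches the Azure AD account the reader has just set up, since the tutorial depends on the two being linked. The added **Test SSO** section also goes from `## Test SSO` straight to `#### SP initiated:` and `#### IDP initiated:`, skipping a heading level; use `###` without the trailing colon, or plain bold labels.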
active-directory Plangrid Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/plangrid-tutorial.md
Previously updated : 03/19/2019 Last updated : 06/14/2021 # Tutorial: Azure Active Directory integration with PlanGrid
-In this tutorial, you learn how to integrate PlanGrid with Azure Active Directory (Azure AD).
-Integrating PlanGrid with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate PlanGrid with Azure Active Directory (Azure AD). When you integrate PlanGrid with Azure AD, you can:
-* You can control in Azure AD who has access to PlanGrid.
-* You can enable your users to be automatically signed-in to PlanGrid (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to PlanGrid.
+* Enable your users to be automatically signed-in to PlanGrid with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with PlanGrid, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* PlanGrid single sign-on enabled subscription
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* PlanGrid single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* PlanGrid supports **SP** and **IDP** initiated SSO
-
-## Adding PlanGrid from the gallery
-
-To configure the integration of PlanGrid into Azure AD, you need to add PlanGrid from the gallery to your list of managed SaaS apps.
-
-**To add PlanGrid from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
+* PlanGrid supports **SP** and **IDP** initiated SSO.
-4. In the search box, type **PlanGrid**, select **PlanGrid** from result panel then click **Add** button to add the application.
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
- ![PlanGrid in the results list](common/search-new-app.png)
+## Add PlanGrid from the gallery
-## Configure and test Azure AD single sign-on
-
-In this section, you configure and test Azure AD single sign-on with PlanGrid based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in PlanGrid needs to be established.
-
-To configure and test Azure AD single sign-on with PlanGrid, you need to complete the following building blocks:
-
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure PlanGrid Single Sign-On](#configure-plangrid-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create PlanGrid test user](#create-plangrid-test-user)** - to have a counterpart of Britta Simon in PlanGrid that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+To configure the integration of PlanGrid into Azure AD, you need to add PlanGrid from the gallery to your list of managed SaaS apps.
-### Configure Azure AD single sign-on
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **PlanGrid** in the search box.
+1. Select **PlanGrid** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+## Configure and test Azure AD SSO for PlanGrid
-To configure Azure AD single sign-on with PlanGrid, perform the following steps:
+Configure and test Azure AD SSO with PlanGrid using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in PlanGrid.
-1. In the [Azure portal](https://portal.azure.com/), on the **PlanGrid** application integration page, select **Single sign-on**.
+To configure and test Azure AD SSO with PlanGrid, perform the following steps:
- ![Configure single sign-on link](common/select-sso.png)
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure PlanGrid SSO](#configure-plangrid-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create PlanGrid test user](#create-plangrid-test-user)** - to have a counterpart of B.Simon in PlanGrid that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+## Configure Azure AD SSO
- ![Single sign-on select mode](common/select-saml-option.png)
+Follow these steps to enable Azure AD SSO in the Azure portal.
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
+1. In the Azure portal, on the **PlanGrid** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, perform the following step:
- ![PlanGrid Domain and URLs single sign-on information](common/idp-identifier.png)
-
- In the **Identifier** text box, type a URL:
+ In the **Identifier** text box, type the URL:
`https://io.plangrid.com/sessions/saml/metadata` 5. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
- ![image](common/both-preintegrated-signon.png)
-
- In the **Sign-on URL** text box, type a URL:
+ In the **Sign-on URL** text box, type the URL:
`https://app.plangrid.com/login` 6. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Federation Metadata XML** from the given options as per your requirement and save it on your computer.
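Review bot: The added step reads "On the **Set up single sign-on with SAML** page", but the unchanged step 6 that follows still reads "On the **Set up Single Sign-On with SAML** page", so one procedure names the same page with two capitalisations; align both with the label the portal shows. The added steps are also all numbered `1.` while the unchanged steps keep `4.`, `5.` and `6.`, so pick one numbering style for the whole list.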
To configure Azure AD single sign-on with PlanGrid, perform the following steps:
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
-
- b. Azure AD Identifier
-
- c. Logout URL
-
-### Configure PlanGrid Single Sign-On
-
-To configure single sign-on on **PlanGrid** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [PlanGrid support team](mailto:help@plangrid.com). They set this setting to have the SAML SSO connection set properly on both sides.
- ### Create an Azure AD test user
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type **brittasimon@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
+In this section, you'll create a test user in the Azure portal called B.Simon.
- d. Click **Create**.
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
### Assign the Azure AD test user
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to PlanGrid.
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to PlanGrid.
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **PlanGrid**.
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **PlanGrid**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
- ![Enterprise applications blade](common/enterprise-applications.png)
+## Configure PlanGrid SSO
-2. In the applications list, select **PlanGrid**.
-
- ![The PlanGrid link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
+To configure single sign-on on **PlanGrid** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [PlanGrid support team](mailto:help@plangrid.com). They set this setting to have the SAML SSO connection set properly on both sides.
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
+### Create PlanGrid test user
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
+In this section, you create a user called Britta Simon in PlanGrid. Work with [PlanGrid support team](mailto:help@plangrid.com) to add the users in the PlanGrid platform. Users must be created and activated before you use single sign-on.
-7. In the **Add Assignment** dialog click the **Assign** button.
+## Test SSO
-### Create PlanGrid test user
+In this section, you test your Azure AD single sign-on configuration with following options.
-In this section, you create a user called Britta Simon in PlanGrid. Work with [PlanGrid support team](mailto:help@plangrid.com) to add the users in the PlanGrid platform. Users must be created and activated before you use single sign-on.
+#### SP initiated:
-### Test single sign-on
+* Click on **Test this application** in Azure portal. This will redirect to PlanGrid Sign on URL where you can initiate the login flow.
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+* Go to PlanGrid Sign-on URL directly and initiate the login flow from there.
-When you click the PlanGrid tile in the Access Panel, you should be automatically signed in to the PlanGrid for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+#### IDP initiated:
-## Additional Resources
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the PlanGrid for which you set up the SSO.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the PlanGrid tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the PlanGrid for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure PlanGrid you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
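Review bot: The added **Next steps** sentence reads "protects exfiltration and infiltration of your organizationΓÇÖs sensitive data": the apostrophe is mis-encoded in the added line and "protects" needs "against" for the sentence to say what session control does. In the same hunk, the added **Create PlanGrid test user** paragraph names the user Britta Simon although the added Azure AD steps use B.Simon, and `## Test SSO` is followed directly by `####` headings; fix the name and use `###` for the SP and IDP subsections.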
active-directory Recognize Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/recognize-tutorial.md
Previously updated : 03/27/2019 Last updated : 06/15/2021 # Tutorial: Azure Active Directory integration with Recognize
-In this tutorial, you learn how to integrate Recognize with Azure Active Directory (Azure AD).
-Integrating Recognize with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Recognize with Azure Active Directory (Azure AD). When you integrate Recognize with Azure AD, you can:
-* You can control in Azure AD who has access to Recognize.
-* You can enable your users to be automatically signed-in to Recognize (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Recognize.
+* Enable your users to be automatically signed-in to Recognize with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with Recognize, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* Recognize single sign-on enabled subscription
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Recognize single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* Recognize supports **SP** initiated SSO
+* Recognize supports **SP** initiated SSO.
-## Adding Recognize from the gallery
+## Add Recognize from the gallery
To configure the integration of Recognize into Azure AD, you need to add Recognize from the gallery to your list of managed SaaS apps.
-**To add Recognize from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **Recognize**, select **Recognize** from result panel then click **Add** button to add the application.
-
- ![Recognize in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
-
-In this section, you configure and test Azure AD single sign-on with Recognize based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Recognize needs to be established.
-
-To configure and test Azure AD single sign-on with Recognize, you need to complete the following building blocks:
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Recognize** in the search box.
+1. Select **Recognize** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure Recognize Single Sign-On](#configure-recognize-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Recognize test user](#create-recognize-test-user)** - to have a counterpart of Britta Simon in Recognize that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+## Configure and test Azure AD SSO for Recognize
-### Configure Azure AD single sign-on
+Configure and test Azure AD SSO with Recognize using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Recognize.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+To configure and test Azure AD SSO with Recognize, perform the following steps:
-To configure Azure AD single sign-on with Recognize, perform the following steps:
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Recognize SSO](#configure-recognize-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Recognize test user](#create-recognize-test-user)** - to have a counterpart of B.Simon in Recognize that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-1. In the [Azure portal](https://portal.azure.com/), on the **Recognize** application integration page, select **Single sign-on**.
+## Configure Azure AD SSO
- ![Configure single sign-on link](common/select-sso.png)
+Follow these steps to enable Azure AD SSO in the Azure portal.
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+1. In the Azure portal, on the **Recognize** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Single sign-on select mode](common/select-saml-option.png)
-
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, if you have **Service Provider metadata file**, perform the following steps:
To configure Azure AD single sign-on with Recognize, perform the following steps
c. After the metadata file is successfully uploaded, the **Identifier** value get auto populated in Basic SAML Configuration section.
- ![Recognize Domain and URLs single sign-on information](common/sp-identifier.png)
- In the **Sign on URL** text box, type a URL using the following pattern:
- `https://recognizeapp.com/<your-domain>/saml/sso`
+ `https://recognizeapp.com/<YOUR_DOMAIN>/saml/sso`
> [!Note] > If the **Identifier** value do not get auto populated, you will get the Identifier value by opening the Service Provider Metadata URL from the SSO Settings section that is explained later in the **Configure Recognize Single Sign-On** section of the tutorial. The Sign-on URL value is not real. Update the value with the actual Sign-on URL. Contact [Recognize Client support team](mailto:support@recognizeapp.com) to get the value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
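Review bot: The unchanged note at the end of this hunk still sends readers to the **Configure Recognize Single Sign-On** section, but this commit renames that heading to **Configure Recognize SSO**, so the reference no longer matches a heading on the page. Update the note to the new section name. The step label above it reads **Sign on URL** while the note says Sign-on URL; pick one spelling.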
To configure Azure AD single sign-on with Recognize, perform the following steps
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
- b. Azure AD Identifier
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
- c. Logout URL
+### Assign the Azure AD test user
-### Configure Recognize Single Sign-On
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Recognize.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Recognize**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure Recognize SSO
1. In a different web browser window, sign in to your Recognize tenant as an administrator. 2. On the upper right corner, click **Menu**. Go to **Company Admin**.
- ![Screenshot shows Company Admin selected from the Settings menu.](./media/recognize-tutorial/tutorial_recognize_000.png)
+ ![Screenshot shows Company Admin selected from the Settings menu.](./media/recognize-tutorial/menu.png)
3. On the left navigation pane, click **Settings**.
- ![Screenshot shows Settings selected from the navigation page.](./media/recognize-tutorial/tutorial_recognize_001.png)
+ ![Screenshot shows Settings selected from the navigation page.](./media/recognize-tutorial/settings.png)
4. Perform the following steps on **SSO Settings** section.
- ![Screenshot shows S S O Settings where you can enter the values described.](./media/recognize-tutorial/tutorial_recognize_002.png)
+ ![Screenshot shows S S O Settings where you can enter the values described.](./media/recognize-tutorial/values.png)
a. As **Enable SSO**, select **ON**.
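Review bot: The three items removed after the Copy configuration URLs screenshot (Login URL, Azure AD Identifier, Logout URL) are deleted with no replacement, so unless text outside this hunk names them, the page no longer says which values to copy before the **SSO Settings** step in Recognize asks the reader to "enter the values described". Keep the list, or add one sentence naming the values the Recognize side needs.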
To configure Azure AD single sign-on with Recognize, perform the following steps
5. Beside the **SSO Settings** section, copy the URL under **Service Provider Metadata url**.
- ![Screenshot shows Notes, where you can copy the Service Provider Metadata.](./media/recognize-tutorial/tutorial_recognize_003.png)
+ ![Screenshot shows Notes, where you can copy the Service Provider Metadata.](./media/recognize-tutorial/metadata.png)
6. Open the **Metadata URL link** under a blank browser to download the metadata document. Then copy the EntityDescriptor value(entityID) from the file and paste it in **Identifier** textbox in **Basic SAML Configuration** on Azure portal.
- ![Screenshot shows a text box with plain text X M L where you can get the entity I D.](./media/recognize-tutorial/tutorial_recognize_004.png)
-
-### Create an Azure AD test user
-
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type brittasimon@yourcompanydomain.extension. For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
-
-### Assign the Azure AD test user
-
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Recognize.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Recognize**.
-
- ![Enterprise applications blade](common/enterprise-applications.png)
-
-2. In the applications list, select **Recognize**.
-
- ![The Recognize link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
+ ![Screenshot shows a text box with plain text X M L where you can get the entity I D.](./media/recognize-tutorial/descriptor.png)
### Create Recognize test user
This app doesn't support SCIM provisioning but has an alternate user sync that p
4. Perform the following steps on **User Sync** section.
- ![New User](./media/recognize-tutorial/tutorial_recognize_005.png "New User")
+ ![New User](./media/recognize-tutorial/user.png "New User")
a. As **Sync Enabled**, select **ON**.
This app doesn't support SCIM provisioning but has an alternate user sync that p
c. Click **Run User Sync**.
-### Test single sign-on
+## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the Recognize tile in the Access Panel, you should be automatically signed in to the Recognize for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to Recognize Sign-on URL where you can initiate the login flow.
-## Additional Resources
+* Go to Recognize Sign-on URL directly and initiate the login flow from there.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the Recognize tile in the My Apps, this will redirect to Recognize Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Recognize you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
active-directory Textmagic Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/textmagic-tutorial.md
Previously updated : 10/17/2019 Last updated : 06/14/2021
In this tutorial, you'll learn how to integrate TextMagic with Azure Active Dire
* Enable your users to be automatically signed-in to TextMagic with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* TextMagic supports **IDP** initiated SSO
+* TextMagic supports **IDP** initiated SSO.
-* TextMagic supports **Just In Time** user provisioning
+* TextMagic supports **Just In Time** user provisioning.
> [!NOTE] > Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-## Adding TextMagic from the gallery
+## Add TextMagic from the gallery
To configure the integration of TextMagic into Azure AD, you need to add TextMagic from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **TextMagic** in the search box. 1. Select **TextMagic** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on for TextMagic
+## Configure and test Azure AD SSO for TextMagic
Configure and test Azure AD SSO with TextMagic using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in TextMagic.
-To configure and test Azure AD SSO with TextMagic, complete the following building blocks:
+To configure and test Azure AD SSO with TextMagic, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
To configure and test Azure AD SSO with TextMagic, complete the following buildi
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **TextMagic** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **TextMagic** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
-1. On the **Basic SAML Configuration** section, enter the values for the following fields:
+1. On the **Basic SAML Configuration** section, perform the following step:
- In the **Identifier** text box, type a URL:
+ In the **Identifier** text box, type the URL:
`https://my.textmagic.com/saml/metadata` 5. TextMagic application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes, where as **nameidentifier** is mapped with **user.userprincipalname**. TextMagic application expects **nameidentifier** to be mapped with **user.mail**, so you need to edit the attribute mapping by clicking on **Edit** icon and change the attribute mapping.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **TextMagic**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen. 1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen. 1. In the **Add Assignment** dialog, click the **Assign** button.
-### Configure TextMagic SSO
+## Configure TextMagic SSO
1. To automate the configuration within TextMagic, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**.
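Review bot: The role step left unchanged in this hunk still reads "If you're expecting any role value in the SAML assertion, in the **Select Role** dialog ...", while the Recognize and Upwork Enterprise tutorials updated in the same batch now say "you can select it from the **Select a role** dropdown" and mention the "Default Access" role. Bring the TextMagic step in line so the three tutorials describe the assignment dialog the same way.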
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
4. Select **Account settings** under the username.
- ![Screenshot shows Account settings selected from the user.](./media/textmagic-tutorial/config1.png)
+ ![Screenshot shows Account settings selected from the user.](./media/textmagic-tutorial/account.png)
5. Click on the **Single Sign-On (SSO)** tab and fill in the following fields:
- ![Screenshot shows the Single Sign-On tab where you can enter the values described.](./media/textmagic-tutorial/config2.png)
+ ![Screenshot shows the Single Sign-On tab where you can enter the values described.](./media/textmagic-tutorial/settings.png)
a. In **Identity provider Entity ID:** textbox, paste the value of **Azure AD Identifier**, which you have copied from Azure portal.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
### Create TextMagic test user
-Application supports **Just in time user provisioning** and after authentication users will be created in the application automatically. You need to fill in the information once at the first login to activate the sub-account into the system.
-There is no action item for you in this section.
+In this section, a user called B.Simon is created in TextMagic. TextMagic supports just-in-time user provisioning, which is enabled by default. There's no action item for you in this section. If a user doesn't already exist in TextMagic, a new one is created after authentication.
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
-
-When you click the TextMagic tile in the Access Panel, you should be automatically signed in to the TextMagic for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
-
-## Additional resources
+In this section, you test your Azure AD single sign-on configuration with following options.
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+* Click on Test this application in Azure portal and you should be automatically signed in to the TextMagic for which you set up the SSO.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+* You can use Microsoft My Apps. When you click the TextMagic tile in the My Apps, you should be automatically signed in to the TextMagic for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+## Next steps
-- [Try TextMagic with Azure AD](https://aad.portal.azure.com/)
+Once you configure TextMagic you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
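Review bot: The rewritten **Create TextMagic test user** paragraph drops the removed sentence "You need to fill in the information once at the first login to activate the sub-account into the system." and replaces it with generic just-in-time text. If TextMagic still requires that first-login step, keep it, otherwise a user provisioned on first sign-in meets an activation form the tutorial no longer mentions. Also confirm that "enabled by default" holds for TextMagic, since the removed text did not state it.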
active-directory Upwork Enterprise Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/upwork-enterprise-tutorial.md
Previously updated : 12/20/2019 Last updated : 06/14/2021
In this tutorial, you'll learn how to integrate Upwork Enterprise with Azure Act
* Enable your users to be automatically signed-in to Upwork Enterprise with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Upwork Enterprise supports **SP and IDP** initiated SSO
-* Upwork Enterprise supports **Just In Time** user provisioning
+* Upwork Enterprise supports **SP and IDP** initiated SSO.
+* Upwork Enterprise supports **Just In Time** user provisioning.
> [!NOTE] > Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-## Adding Upwork Enterprise from the gallery
+## Add Upwork Enterprise from the gallery
To configure the integration of Upwork Enterprise into Azure AD, you need to add Upwork Enterprise from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Upwork Enterprise** in the search box. 1. Select **Upwork Enterprise** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on for Upwork Enterprise
+## Configure and test Azure AD SSO for Upwork Enterprise
Configure and test Azure AD SSO with Upwork Enterprise using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Upwork Enterprise.
-To configure and test Azure AD SSO with Upwork Enterprise, complete the following building blocks:
+To configure and test Azure AD SSO with Upwork Enterprise, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
- * **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
- * **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
1. **[Configure Upwork Enterprise SSO](#configure-upwork-enterprise-sso)** - to configure the single sign-on settings on application side.
- * **[Create Upwork Enterprise test user](#create-upwork-enterprise-test-user)** - to have a counterpart of B.Simon in Upwork Enterprise that is linked to the Azure AD representation of user.
+ 1. **[Create Upwork Enterprise test user](#create-upwork-enterprise-test-user)** - to have a counterpart of B.Simon in Upwork Enterprise that is linked to the Azure AD representation of user.
1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ## Configure Azure AD SSO Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Upwork Enterprise** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **Upwork Enterprise** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
Follow these steps to enable Azure AD SSO in the Azure portal.
1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
- In the **Sign-on URL** text box, type a URL using the following pattern:
+ In the **Sign-on URL** text box, type the URL:
`https://www.upwork.com/ab/account-security/login` 1. Click **Save**.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **Upwork Enterprise**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure Upwork Enterprise SSO
In this section, a user called B.Simon is created in Upwork Enterprise. Upwork E
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
+
+* Click on **Test this application** in Azure portal. This will redirect to Upwork Enterprise Sign on URL where you can initiate the login flow.
-When you click the Upwork Enterprise tile in the Access Panel, you should be automatically signed in to the Upwork Enterprise for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Go to Upwork Enterprise Sign-on URL directly and initiate the login flow from there.
-## Additional resources
+#### IDP initiated:
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Upwork Enterprise for which you set up the SSO.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the Upwork Enterprise tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Upwork Enterprise for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+## Next steps
-- [Try Upwork Enterprise with Azure AD](https://aad.portal.azure.com/)
+Once you configure Upwork Enterprise you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
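Review bot: In the added Next steps paragraph, "protects exfiltration and infiltration" reads as if session control protects the exfiltration itself; it should be "protects against exfiltration and infiltration". The apostrophe in the same sentence is a typographic character that displays garbled here, so use a plain ASCII apostrophe. Under Test SSO, "with following options" is missing "the", and the new "#### SP initiated:" and "#### IDP initiated:" headings skip a level below "## Test SSO" and carry a trailing colon; use "###" without the colon, or plain bold labels.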
active-directory Uservoice Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/uservoice-tutorial.md
Previously updated : 03/29/2019 Last updated : 06/15/2021 # Tutorial: Azure Active Directory integration with UserVoice
-In this tutorial, you learn how to integrate UserVoice with Azure Active Directory (Azure AD).
-Integrating UserVoice with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate UserVoice with Azure Active Directory (Azure AD). When you integrate UserVoice with Azure AD, you can:
-* You can control in Azure AD who has access to UserVoice.
-* You can enable your users to be automatically signed-in to UserVoice (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to UserVoice.
+* Enable your users to be automatically signed-in to UserVoice with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites To configure Azure AD integration with UserVoice, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/)
-* UserVoice single sign-on enabled subscription
+* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/).
+* UserVoice single sign-on enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* UserVoice supports **SP** initiated SSO
+* UserVoice supports **SP** initiated SSO.
-## Adding UserVoice from the gallery
+## Add UserVoice from the gallery
To configure the integration of UserVoice into Azure AD, you need to add UserVoice from the gallery to your list of managed SaaS apps.
-**To add UserVoice from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **UserVoice**, select **UserVoice** from result panel then click **Add** button to add the application.
-
- ![UserVoice in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
-
-In this section, you configure and test Azure AD single sign-on with UserVoice based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in UserVoice needs to be established.
-
-To configure and test Azure AD single sign-on with UserVoice, you need to complete the following building blocks:
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **UserVoice** in the search box.
+1. Select **UserVoice** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure UserVoice Single Sign-On](#configure-uservoice-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create UserVoice test user](#create-uservoice-test-user)** - to have a counterpart of Britta Simon in UserVoice that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+## Configure and test Azure AD SSO for UserVoice
-### Configure Azure AD single sign-on
+Configure and test Azure AD SSO with UserVoice using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in UserVoice.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+To configure and test Azure AD SSO with UserVoice, perform the following steps:
-To configure Azure AD single sign-on with UserVoice, perform the following steps:
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure UserVoice SSO](#configure-uservoice-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create UserVoice test user](#create-uservoice-test-user)** - to have a counterpart of B.Simon in UserVoice that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-1. In the [Azure portal](https://portal.azure.com/), on the **UserVoice** application integration page, select **Single sign-on**.
+## Configure Azure AD SSO
- ![Configure single sign-on link](common/select-sso.png)
+Follow these steps to enable Azure AD SSO in the Azure portal.
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+1. In the Azure portal, on the **UserVoice** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Single sign-on select mode](common/select-saml-option.png)
-
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, perform the following steps:
- ![UserVoice Domain and URLs single sign-on information](common/sp-identifier.png)
-
- a. In the **Sign on URL** text box, type a URL using the following pattern:
- `https://<tenantname>.UserVoice.com`
+ a. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
+ `https://<TENANT_NAME>.UserVoice.com`
- b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
- `https://<tenantname>.UserVoice.com`
+ b. In the **Sign on URL** text box, type a URL using the following pattern:
+ `https://<TENANT_NAME>.UserVoice.com`
> [!NOTE]
- > These values are not real. Update these values with the actual Sign on URL and Identifier. Contact [UserVoice Client support team](https://www.uservoice.com/) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+ > These values are not real. Update these values with the actual Identifier and Sign on URL. Contact [UserVoice Client support team](https://www.uservoice.com/) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
5. In the **SAML Signing Certificate** section, click **Edit** button to open **SAML Signing Certificate** dialog.
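Review bot: The rewritten steps drop every link to the Azure portal: the removed lines pointed to https://portal.azure.com, while the added "Sign in to the Azure portal using either a work or school account, or a personal Microsoft account." and "In the Azure portal, on the **UserVoice** application integration page" name the portal without a URL. Keep one link on first mention so readers reach the sign-in page from the article rather than from a search result. In the gallery steps, "To add new application, select **New application**." needs an article ("a new application").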
To configure Azure AD single sign-on with UserVoice, perform the following steps
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
- b. Azure AD Identifier
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
- c. Logout URL
+### Assign the Azure AD test user
-### Configure UserVoice Single Sign-On
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to UserVoice.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **UserVoice**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure UserVoice SSO
1. In a different web browser window, sign in to your UserVoice company site as an administrator. 2. In the toolbar on the top, click **Settings**, and then select **Web portal** from the menu.
- ![Settings Section On App Side](./media/uservoice-tutorial/ic777519.png "Settings")
+ ![Settings Section On App Side](./media/uservoice-tutorial/portal.png "Settings")
3. On the **Web portal** tab, in the **User authentication** section, click **Edit** to open the **Edit User Authentication** dialog page.
- ![Web portal Tab](./media/uservoice-tutorial/ic777520.png "Web portal")
+ ![Web portal Tab](./media/uservoice-tutorial/user.png "Web portal")
4. On the **Edit User Authentication** dialog page, perform the following steps:
- ![Edit user authentication](./media/uservoice-tutorial/ic777521.png "Edit user authentication")
+ ![Edit user authentication](./media/uservoice-tutorial/authentication.png "Edit user authentication")
a. Click **Single Sign-On (SSO)**.
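Review bot: The "Copy configuration URLs" step loses its list of values: the removed items "a. Login URL", "b. Azure AD Identifier" and "c. Logout URL" were the only text naming what to copy, and the new "### Create an Azure AD test user" heading now follows the screenshot directly. Keep the three names in the step text so the instruction does not depend on the image. The renamed screenshots also sit oddly against their alt text (`portal.png` for "Settings Section On App Side", `user.png` for "Web portal Tab"); names such as `settings.png` and `web-portal.png` would match what they show.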
To configure Azure AD single sign-on with UserVoice, perform the following steps
e. Click **Save authentication settings**.
-### Create an Azure AD test user
-
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type brittasimon@yourcompanydomain.extension. For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
-
-### Assign the Azure AD test user
-
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to UserVoice.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **UserVoice**.
-
- ![Enterprise applications blade](common/enterprise-applications.png)
-
-2. In the applications list, select **UserVoice**.
-
- ![The UserVoice link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
- ### Create UserVoice test user To enable Azure AD users to sign in to UserVoice, they must be provisioned into UserVoice. In the case of UserVoice, provisioning is a manual task.
To enable Azure AD users to sign in to UserVoice, they must be provisioned into
2. Go to **Settings**.
- ![Settings](./media/uservoice-tutorial/ic777811.png "Settings")
+ ![Settings](./media/uservoice-tutorial/account.png "Settings")
3. Click **General**. 4. Click **Agents and permissions**.
- ![Agents and permissions](./media/uservoice-tutorial/ic777812.png "Agents and permissions")
+ ![Agents and permissions](./media/uservoice-tutorial/general.png "Agents and permissions")
5. Click **Add admins**.
- ![Add admins](./media/uservoice-tutorial/ic777813.png "Add admins")
+ ![Add admins](./media/uservoice-tutorial/admin.png "Add admins")
6. On the **Invite admins** dialog, perform the following steps:
- ![Invite admins](./media/uservoice-tutorial/ic777814.png "Invite admins")
+ ![Invite admins](./media/uservoice-tutorial/invite.png "Invite admins")
a. In the Emails textbox, type the email address of the account you want to provision, and then click **Add**.
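Review bot: `general.png` is attached to the "Agents and permissions" screenshot under step 4, while "Click **General**" is step 3, so the new file name points at the wrong step; `account.png` for the "Settings" screenshot has the same problem. Name each file after the screen it shows, for example `agents-and-permissions.png`. Separately, the unchanged steps provision the SSO test user through **Add admins** and **Invite admins**; if UserVoice offers a non-admin way to create the account, the tutorial should say so rather than default a test identity to admin rights.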
To enable Azure AD users to sign in to UserVoice, they must be provisioned into
> [!NOTE] > You can use any other UserVoice user account creation tools or APIs provided by UserVoice to provision Azure AD user accounts.
-### Test single sign-on
+## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the UserVoice tile in the Access Panel, you should be automatically signed in to the UserVoice for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to UserVoice Sign-on URL where you can initiate the login flow.
-## Additional Resources
+* Go to UserVoice Sign-on URL directly and initiate the login flow from there.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the UserVoice tile in the My Apps, this will redirect to UserVoice Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure UserVoice you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
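Review bot: In the third added bullet, "the UserVoice tile in the My Apps" and "[Introduction to the My Apps]" keep the article left over from "the Access Panel"; write "in My Apps" and "Introduction to My Apps". The bullets also mix imperative openings ("Click on", "Go to") with "You can use Microsoft My Apps."; pick one form. The Next steps sentence needs "protects against exfiltration and infiltration".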
active-directory Workplacebyfacebook Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/workplacebyfacebook-tutorial.md
Previously updated : 12/28/2020 Last updated : 06/15/2021
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Workplace by Facebook supports **SP** initiated SSO
-* Workplace by Facebook supports **just-in-time provisioning**
-* Workplace by Facebook supports **[automatic User Provisioning](workplacebyfacebook-provisioning-tutorial.md)**
+* Workplace by Facebook supports **SP** initiated SSO.
+* Workplace by Facebook supports **just-in-time provisioning**.
+* Workplace by Facebook supports **[automatic User Provisioning](workplacebyfacebook-provisioning-tutorial.md)**.
* Workplace by Facebook Mobile application can now be configured with Azure AD for enabling SSO. In this tutorial, you configure and test Azure AD SSO in a test environment.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
> [!NOTE] > As part of the SAML authentication process, Workplace may utilize query strings of up to 2.5 kilobytes in size in order to pass parameters to Azure AD.
-1. On the left navigation panel, navigate to **Security** > **Authentication** tab.
+1. Navigate to **Admin Panel** > **Security** > **Authentication** tab.
- ![Admin Panel](./media/workplacebyfacebook-tutorial/tutorial-workplace-by-facebook-configure01.png)
+ ![Admin Panel](./media/workplacebyfacebook-tutorial/security.png)
a. Check the **Single-sign on(SSO)** option.+
+ b. Select **SSO** as default for new users.
- b. Click on **+Add new SSO Provider**.
+ c. Click on **+Add new SSO Provider**.
> [!NOTE] > Make sure you check the Password login checkbox too. Admins may need this option for login while doing the certificate rollover in order to stop themselves getting locked out.
-1. Under **Authentication** tab, select **Single-Sign On (SSO)** and perform the following steps:
+1. In the **Single Sign-On (SSO) Setup** pop-up window, perform the following steps:
- ![Authentication Tab](./media/workplacebyfacebook-tutorial/tutorial-workplace-by-facebook-configure02.png)
+ ![Authentication Tab](./media/workplacebyfacebook-tutorial/single-sign-on-setup.png)
a. In the **Name of the SSO Provider**, enter the SSO instance name like Azureadsso.
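Review bot: The SSO label is spelled three ways across this hunk: "Single-sign on(SSO)" in the unchanged step a, "Single Sign-On (SSO) Setup" in the added pop-up step, and "Single-Sign On (SSO)" in the line being removed; match the Workplace UI text in all of them. With the new step "Select **SSO** as default for new users", the existing NOTE about keeping **Password login** checked should also say who is expected to keep using it (for example, only admins as a fallback during certificate rollover), since leaving password sign-in open to everyone weakens the point of enforcing SSO.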
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
c. In **SAML Issuer URL** textbox, paste the value of **Azure AD Identifier**, which you have copied from Azure portal.
- d. Open your **base-64 encoded certificate** in notepad downloaded from Azure portal, copy the content of it into your clipboard, and then paste it to the **SAML Certificate** textbox.
+ d. Open the downloaded **Certificate (Base64)** from the Azure portal into Notepad, copy the content of it into your clipboard, and then paste it to the **SAML Certificate** textbox.
e. Copy the **Audience URL** for your instance and paste it in **Identifier (Entity ID)** textbox in **Basic SAML Configuration** section on Azure portal.
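Review bot: The reworded step d, "Open the downloaded **Certificate (Base64)** from the Azure portal into Notepad", is harder to parse than the line it replaces. "Open the **Certificate (Base64)** file you downloaded from the Azure portal in Notepad" keeps the new label and reads cleanly.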
active-directory Ziflow Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/ziflow-tutorial.md
Previously updated : 03/29/2019 Last updated : 06/15/2021 # Tutorial: Azure Active Directory integration with Ziflow
-In this tutorial, you learn how to integrate Ziflow with Azure Active Directory (Azure AD).
-Integrating Ziflow with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Ziflow with Azure Active Directory (Azure AD). When you integrate Ziflow with Azure AD, you can:
-* You can control in Azure AD who has access to Ziflow.
-* You can enable your users to be automatically signed-in to Ziflow (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Ziflow.
+* Enable your users to be automatically signed-in to Ziflow with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites To configure Azure AD integration with Ziflow, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/)
-* Ziflow single sign-on enabled subscription
+* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/).
+* Ziflow single sign-on enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* Ziflow supports **SP** initiated SSO
+* Ziflow supports **SP** initiated SSO.
-## Adding Ziflow from the gallery
+## Add Ziflow from the gallery
To configure the integration of Ziflow into Azure AD, you need to add Ziflow from the gallery to your list of managed SaaS apps.
-**To add Ziflow from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **Ziflow**, select **Ziflow** from result panel then click **Add** button to add the application.
-
- ![Ziflow in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
-
-In this section, you configure and test Azure AD single sign-on with Ziflow based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Ziflow needs to be established.
-
-To configure and test Azure AD single sign-on with Ziflow, you need to complete the following building blocks:
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Ziflow** in the search box.
+1. Select **Ziflow** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure Ziflow Single Sign-On](#configure-ziflow-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Ziflow test user](#create-ziflow-test-user)** - to have a counterpart of Britta Simon in Ziflow that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+## Configure and test Azure AD SSO for Ziflow
-### Configure Azure AD single sign-on
+Configure and test Azure AD SSO with Ziflow using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Ziflow.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+To configure and test Azure AD SSO with Ziflow, perform the following steps:
-To configure Azure AD single sign-on with Ziflow, perform the following steps:
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Ziflow SSO](#configure-ziflow-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Ziflow test user](#create-ziflow-test-user)** - to have a counterpart of B.Simon in Ziflow that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-1. In the [Azure portal](https://portal.azure.com/), on the **Ziflow** application integration page, select **Single sign-on**.
+## Configure Azure AD SSO
- ![Configure single sign-on link](common/select-sso.png)
+Follow these steps to enable Azure AD SSO in the Azure portal.
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+1. In the Azure portal, on the **Ziflow** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Single sign-on select mode](common/select-saml-option.png)
-
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, perform the following steps:
- ![Ziflow Domain and URLs single sign-on information](common/sp-identifier.png)
-
- a. In the **Sign on URL** text box, type a URL using the following pattern:
- `https://ziflow-production.auth0.com/login/callback?connection=<UniqueID>`
+ a. In the **Identifier (Entity ID)** text box, type a value using the following pattern:
+ `urn:auth0:ziflow-production:<UNIQUE_ID>`
- b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
- `urn:auth0:ziflow-production:<UniqueID>`
+ b. In the **Sign on URL** text box, type a URL using the following pattern:
+ `https://ziflow-production.auth0.com/login/callback?connection=<UNIQUE_ID>`
> [!NOTE] > The preceding values are not real. You will update the unique ID value in the Identifier and Sign on URL with actual value, which is explained later in the tutorial.
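Review bot: The new steps under "## Configure Azure AD SSO" are each numbered "1.", but the unchanged step that follows still reads "4. On the **Basic SAML Configuration** section"; renumber the remaining steps to "1." as well so the list uses one style. In the same list, "select **single sign-on**" lowercases a bold UI label that the next step writes as "Select a single sign-on method"; check the casing against the portal. Changing "type a URL" to "type a value" for the `urn:auth0:ziflow-production:<UNIQUE_ID>` identifier is right, since it is a URN.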
To configure Azure AD single sign-on with Ziflow, perform the following steps:
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
- b. Azure AD Identifier
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
- c. Logout URL
+### Assign the Azure AD test user
-### Configure Ziflow Single Sign-On
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Ziflow.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Ziflow**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure Ziflow SSO
1. In a different web browser window, sign in to Ziflow as a Security Administrator. 2. Click on Avatar in the top right corner, and then click **Manage account**.
- ![Ziflow Configuration Manage](./media/ziflow-tutorial/tutorial_ziflow_manage.png)
+ ![Ziflow Configuration Manage](./media/ziflow-tutorial/manage-account.png)
3. In the top left, click **Single Sign-On**.
- ![Ziflow Configuration Sign](./media/ziflow-tutorial/tutorial_ziflow_signon.png)
+ ![Ziflow Configuration Sign](./media/ziflow-tutorial/configuration.png)
4. On the **Single Sign-On** page, perform the following steps:
- ![Ziflow Configuration Single](./media/ziflow-tutorial/tutorial_ziflow_page.png)
+ ![Ziflow Configuration Single](./media/ziflow-tutorial/page.png)
a. Select **Type** as **SAML2.0**.
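Review bot: In the added "Create an Azure AD test user" steps, "write down the value that's displayed in the **Password** box" tells the reader to record a credential without saying where or why; suggest wording such as "store the value in your password manager" and say what the value is used for later. In the step above it, "enter the username@companydomain.extension" has a stray "the". This hunk also removes the "Login URL", "Azure AD Identifier" and "Logout URL" items, leaving the copy step with only its screenshot.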
To configure Azure AD single sign-on with Ziflow, perform the following steps:
e. From the **Configuration Settings for your Identifier Provider** section, copy the highlighted unique ID value and append it with the Identifier and Sign on URL in the **Basic SAML Configuration** on Azure portal.
-### Create an Azure AD test user
-
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type brittasimon@yourcompanydomain.extension. For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
-
-### Assign the Azure AD test user
-
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Ziflow.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Ziflow**.
-
- ![Enterprise applications blade](common/enterprise-applications.png)
-
-2. In the applications list, select **Ziflow**.
-
- ![The Ziflow link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
- ### Create Ziflow test user To enable Azure AD users to sign in to Ziflow, they must be provisioned into Ziflow. In Ziflow, provisioning is a manual task.
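Review bot: Both "Create an Azure AD test user" and "Assign the Azure AD test user" are deleted here with no added lines replacing them in this hunk, while the remaining Ziflow provisioning steps still use brittasimon@contoso.com as the example user. Please confirm the user creation and app assignment steps are added elsewhere in the article, and align the example user name with whatever the replacement sections use. Assignment is the step that decides who can sign in through the enterprise application, so it should not vanish silently.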
To provision a user account, perform the following steps:
2. Navigate to **People** on the top.
- ![Ziflow Configuration people](./media/ziflow-tutorial/tutorial_ziflow_people.png)
+ ![Ziflow Configuration people](./media/ziflow-tutorial/people.png)
3. Click **Add** and then click **Add user**.
- ![Screenshot shows the Add user option selected.](./media/ziflow-tutorial/tutorial_ziflow_add.png)
+ ![Screenshot shows the Add user option selected.](./media/ziflow-tutorial/add-tab.png)
4. On the **Add a user** popup, perform the following steps:
- ![Screenshot shows the Add a user dialog box where you can enter the values described.](./media/ziflow-tutorial/tutorial_ziflow_adduser.png)
+ ![Screenshot shows the Add a user dialog box where you can enter the values described.](./media/ziflow-tutorial/add-user.png)
a. In **Email** text box, enter the email of user like brittasimon@contoso.com.
To provision a user account, perform the following steps:
> [!NOTE] > The Azure Active Directory account holder receives an email and follows a link to confirm their account before it becomes active.
-### Test single sign-on
+## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the Ziflow tile in the Access Panel, you should be automatically signed in to the Ziflow for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to Ziflow Sign-on URL where you can initiate the login flow.
-## Additional Resources
+* Go to Ziflow Sign-on URL directly and initiate the login flow from there.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the Ziflow tile in the My Apps, this will redirect to Ziflow Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Ziflow you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
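Review bot: In the new "Next steps" paragraph, "protects exfiltration and infiltration of your organization's sensitive data" reads as if session control protects the exfiltration itself; it should be "protects against exfiltration and infiltration". In the same hunk, "with following options" needs an article ("with the following options"), and "the My Apps" / "Introduction to the My Apps" should drop "the". The apostrophe in "organization's" also renders as stray bytes here, so check the file encoding of the added line.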
active-directory User Help Join Device On Network https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/user-help/user-help-join-device-on-network.md
You can make sure that you're joined by looking at your settings.
## To join an already configured Windows 10 device If you've had your device for a while and it's already been set up, you can follow these steps to join your device to the network.
+> [!NOTE]
+> When you join an already configured Windows 10 device to Azure AD, you must use an account that's a member of the local administrators group.
+ 1. Open **Settings**, and then select **Accounts**. 2. Select **Access work or school**, and then select **Connect**.
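Review bot: The added note says "you must use an account that's a member of the local administrators group" but does not say which account is meant. As written it can be read as the work or school account being connected rather than the Windows account the user is currently signed in with. Suggest wording such as "you must be signed in to Windows with an account that's a member of the local Administrators group", and add what the user should do if they are not, since this is end-user help.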
After you join your device to your organization's network, you should be able to
- If your organization wants you to register your personal device, such as your phone, see [Register your personal device on your organization's network](user-help-register-device-on-network.md). -- If your organization is managed using Microsoft Intune and you have questions about enrollment, sign-in, or any other Intune-related issue, see the [Intune user help content](/intune-user-help/use-managed-devices-to-get-work-done).
+- If your organization is managed using Microsoft Intune and you have questions about enrollment, sign-in, or any other Intune-related issue, see the [Intune user help content](/intune-user-help/use-managed-devices-to-get-work-done).
aks Azure Files Csi https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/azure-files-csi.md
Filesystem
This option is optimized for random access workloads with in-place data updates and provides full POSIX file system support. This section shows you how to use NFS shares with the Azure File CSI driver on an AKS cluster.
-Make sure to check the [limitations](../storage/files/storage-files-compare-protocols.md#limitations) and [region availability](../storage/files/storage-files-compare-protocols.md#regional-availability).
+Make sure to check the [limitations](../storage/files/files-nfs-protocol.md#limitations) and [region availability](../storage/files/files-nfs-protocol.md#regional-availability) during the preview phase.
### Create NFS file share storage class
aks Private Clusters https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/private-clusters.md
Title: Create a private Azure Kubernetes Service cluster
description: Learn how to create a private Azure Kubernetes Service (AKS) cluster Previously updated : 3/31/2021 Last updated : 6/14/2021
Where `--enable-private-cluster` is a mandatory flag for a private cluster.
The following parameters can be leveraged to configure Private DNS Zone. - "System", which is also the default value. If the --private-dns-zone argument is omitted, AKS will create a Private DNS Zone in the Node Resource Group.-- "None", which means AKS will not create a Private DNS Zone (PREVIEW). This requires you to Bring Your Own DNS Server and configure the DNS resolution for the Private FQDN. If you don't configure DNS resolution, DNS is only resolvable within the agent nodes and will cause cluster issues after deployment.
+- "None", defaults to public DNS which means AKS will not create a Private DNS Zone (PREVIEW).
- "CUSTOM_PRIVATE_DNS_ZONE_RESOURCE_ID", which requires you to create a Private DNS Zone in this format for azure global cloud: `privatelink.<region>.azmk8s.io`. You will need the Resource Id of that Private DNS Zone going forward. Additionally, you will need a user assigned identity or service principal with at least the `private dns zone contributor` and `vnet contributor` roles. - If the Private DNS Zone is in a different subscription than the AKS cluster, you need to register Microsoft.ContainerServices in both the subscriptions. - "fqdn-subdomain" can be utilized with "CUSTOM_PRIVATE_DNS_ZONE_RESOURCE_ID" only to provide subdomain capabilities to `privatelink.<region>.azmk8s.io` ### Prerequisites
-* The AKS Preview version 0.5.7 or later
-* The api version 2020-11-01 or later
+* The AKS Preview version 0.5.19 or later
+* The api version 2021-05-01 or later
### Create a private AKS cluster with Private DNS Zone
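Review bot: The rewritten "None" bullet drops the removed warning that you must bring your own DNS server and that unresolved DNS "will cause cluster issues after deployment", and the replacement "defaults to public DNS" does not say what is published publicly or whether it depends on `--enable-public-fqdn`. Readers choosing a private cluster need to know exactly what becomes externally resolvable, so please state which record ends up in public DNS and keep the operational consequence of not configuring resolution. The prerequisite bump to 0.5.19 and 2021-05-01 should also say whether it applies to every `--private-dns-zone` value or only to the new option.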
az aks create -n <private-cluster-name> -g <private-cluster-resource-group> --lo
az aks create -n <private-cluster-name> -g <private-cluster-resource-group> --load-balancer-sku standard --enable-private-cluster --enable-managed-identity --assign-identity <ResourceId> --private-dns-zone <custom private dns zone ResourceId> --fqdn-subdomain <subdomain-name> ```
+### Create a private AKS cluster with a Public DNS address
+
+#### Register the `EnablePrivateClusterPublicFQDN` preview feature
+
+To use the new Enable Private Cluster Public FQDN API, you must enable the `EnablePrivateClusterPublicFQDN` feature flag on your subscription.
+
+Register the `EnablePrivateClusterPublicFQDN` feature flag by using the [az feature register][az-feature-register] command, as shown in the following example:
+
+```azurecli-interactive
+az feature register --namespace "Microsoft.ContainerService" --name "EnablePrivateClusterPublicFQDN"
+```
+
+It takes a few minutes for the status to show *Registered*. Verify the registration status by using the [az feature list][az-feature-list] command:
+
+```azurecli-interactive
+az feature list -o table --query "[?contains(name, 'Microsoft.ContainerService/EnablePrivateClusterPublicFQDN')].{Name:name,State:properties.state}"
+```
+
+When ready, refresh the registration of the *Microsoft.ContainerService* resource provider by using the [az provider register][az-provider-register] command:
+
+```azurecli-interactive
+az provider register --namespace Microsoft.ContainerService
+```
+
+#### Create a private AKS cluster with a Public DNS address
+
+```azurecli-interactive
+az aks create -n <private-cluster-name> -g <private-cluster-resource-group> --load-balancer-sku standard --enable-private-cluster --enable-managed-identity --assign-identity <ResourceId> --private-dns-zone none --enable-public-fqdn
+```
+ ## Options for connecting to the private cluster The API server endpoint has no public IP address. To manage the API server, you'll need to use a VM that has access to the AKS cluster's Azure Virtual Network (VNet). There are several options for establishing network connectivity to the private cluster.
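Review bot: The heading "Create a private AKS cluster with a Public DNS address" is added twice, once at H3 and once at H4, which produces duplicate anchors; rename the H4 (for example to "Create the cluster"). The new section also gives only commands and no sentence on what the public FQDN exposes, how to verify it after creation, or how to turn it off again, which is the information a reader needs before enabling a preview feature on a private cluster. The reference-style links `[az-feature-register]`, `[az-feature-list]` and `[az-provider-register]` have no definitions in the visible lines, so confirm they exist at the bottom of the file. The command uses `--private-dns-zone none` while the option list above spells the value "None"; pick one casing.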
aks Quotas Skus Regions https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/quotas-skus-regions.md
Each node in an AKS cluster contains a fixed amount of compute resources such as
- Standard_A0 - Standard_A1 - Standard_A1_v2
+- Standard_B1ls
- Standard_B1s - Standard_B1ms - Standard_F1
api-management Api Management Faq https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/api-management-faq.md
- Title: Azure API Management FAQ | Microsoft Docs
-description: Learn the answers to frequently asked questions (FAQ), patterns, and best practices in Azure API Management.
------- Previously updated : 11/19/2017---
-# Azure API Management FAQs
-Get the answers to common questions, patterns, and best practices for Azure API Management.
--
-## Frequently asked questions
-* [What does it mean when a feature is in preview?](#what-does-it-mean-when-a-feature-is-in-preview)
-* [How can I secure the connection between the API Management gateway and my back-end services?](#how-can-i-secure-the-connection-between-the-api-management-gateway-and-my-back-end-services)
-* [How do I copy my API Management service instance to a new instance?](#how-do-i-copy-my-api-management-service-instance-to-a-new-instance)
-* [Can I manage my API Management instance programmatically?](#can-i-manage-my-api-management-instance-programmatically)
-* [How do I add a user to the Administrators group?](#how-do-i-add-a-user-to-the-administrators-group)
-* [Why is the policy that I want to add unavailable in the policy editor?](#why-is-the-policy-that-i-want-to-add-unavailable-in-the-policy-editor)
-* [How do I set up multiple environments in a single API?](#how-do-i-set-up-multiple-environments-in-a-single-api)
-* [Can I use SOAP with API Management?](#can-i-use-soap-with-api-management)
-* [Can I configure an OAuth 2.0 authorization server with AD FS security?](#can-i-configure-an-oauth-20-authorization-server-with-ad-fs-security)
-* [What routing method does API Management use in deployments to multiple geographic locations?](#what-routing-method-does-api-management-use-in-deployments-to-multiple-geographic-locations)
-* [Can I use an Azure Resource Manager template to create an API Management service instance?](#can-i-use-an-azure-resource-manager-template-to-create-an-api-management-service-instance)
-* [Can I use a self-signed TLS/SSL certificate for a back end?](#can-i-use-a-self-signed-tlsssl-certificate-for-a-back-end)
-* [Why do I get an authentication failure when I try to clone a GIT repository?](#why-do-i-get-an-authentication-failure-when-i-try-to-clone-a-git-repository)
-* [Does API Management work with Azure ExpressRoute?](#does-api-management-work-with-azure-expressroute)
-* [Why do we require a dedicated subnet in Resource Manager style VNETs when API Management is deployed into them?](#why-do-we-require-a-dedicated-subnet-in-resource-manager-style-vnets-when-api-management-is-deployed-into-them)
-* [What is the minimum subnet size needed when deploying API Management into a VNET?](#what-is-the-minimum-subnet-size-needed-when-deploying-api-management-into-a-vnet)
-* [Can I move an API Management service from one subscription to another?](#can-i-move-an-api-management-service-from-one-subscription-to-another)
-* [Are there restrictions on or known issues with importing my API?](#are-there-restrictions-on-or-known-issues-with-importing-my-api)
-
-### What does it mean when a feature is in preview?
-When a feature is in preview, it means that we're actively seeking feedback on how the feature is working for you. A feature in preview is functionally complete, but it's possible that we'll make a breaking change in response to customer feedback. We recommend that you don't depend on a feature that is in preview in your production environment.
-
-### How can I secure the connection between the API Management gateway and my back-end services?
-You have several options to secure the connection between the API Management gateway and your back-end services. You can:
-
-* Use HTTP basic authentication. For more information, see [Import and publish your first API](import-and-publish.md).
-* Use TLS mutual authentication as described in [How to secure back-end services by using client certificate authentication in Azure API Management](api-management-howto-mutual-certificates.md).
-* Use IP filtering on your back-end service. In all tiers of API Management with the exception of Consumption tier, the IP address of the gateway remains constant, with a few caveats described in [the IP documentation article](api-management-howto-ip-addresses.md).
-* Connect your API Management instance to an Azure Virtual Network.
-
-### How do I copy my API Management service instance to a new instance?
-You have several options if you want to copy an API Management instance to a new instance. You can:
-
-* Use the backup and restore function in API Management. For more information, see [How to implement disaster recovery by using service backup and restore in Azure API Management](api-management-howto-disaster-recovery-backup-restore.md).
-* Create your own backup and restore feature by using the [API Management REST API](/rest/api/apimanagement/). Use the REST API to save and restore the entities from the service instance that you want.
-* Download the service configuration by using Git, and then upload it to a new instance. For more information, see [How to save and configure your API Management service configuration by using Git](api-management-configuration-repository-git.md).
-
-### Can I manage my API Management instance programmatically?
-Yes, you can manage API Management programmatically by using:
-
-* The [API Management REST API](/rest/api/apimanagement/).
-* The [Microsoft Azure ApiManagement Service Management Library SDK](https://aka.ms/apimsdk).
-* The [Service deployment](/powershell/module/wds) and [Service management](/powershell/azure/servicemanagement/overview) PowerShell cmdlets.
-
-### How do I add a user to the Administrators group?
-Administrators groups is an immutable system group. Azure subscription administrators are members of this group. You cannot add a user to this group. See [How to create and use groups to manage developer accounts in Azure API Management](./api-management-howto-create-groups.md) for more information.
-
-### Why is the policy that I want to add unavailable in the policy editor?
-If the policy that you want to add appears dimmed or shaded in the policy editor, be sure that you are in the correct scope for the policy. Each policy statement is designed for you to use in specific scopes and policy sections. To review the policy sections and scopes for a policy, see the policy's Usage section in [API Management policies](./api-management-policies.md).
-
-### How do I set up multiple environments in a single API?
-To set up multiple environments, for example, a test environment and a production environment, in a single API, you have two options. You can:
-
-* Host different APIs on the same tenant.
-* Host the same APIs on different tenants.
-
-### Can I use SOAP with API Management?
-[SOAP pass-through](https://azure.microsoft.com/blog/soap-pass-through/) support is now available. Administrators can import the WSDL of their SOAP service, and Azure API Management will create a SOAP front end. Developer portal documentation, test console, policies and analytics are all available for SOAP services.
-
-### Can I configure an OAuth 2.0 authorization server with AD FS security?
-To learn how to configure an OAuth 2.0 authorization server with Active Directory Federation Services (AD FS) security, see [Using ADFS in API Management](https://phvbaars.wordpress.com/2016/02/06/using-adfs-in-api-management/).
-
-### What routing method does API Management use in deployments to multiple geographic locations?
-API Management uses the [performance traffic routing method](../traffic-manager/traffic-manager-routing-methods.md#performance) in deployments to multiple geographic locations. Incoming traffic is routed to the closest API gateway. If one region goes offline, incoming traffic is automatically routed to the next closest gateway. Learn more about routing methods in [Traffic Manager routing methods](../traffic-manager/traffic-manager-routing-methods.md).
-
-### Can I use an Azure Resource Manager template to create an API Management service instance?
-Yes. See the [Azure API Management Service](https://azure.microsoft.com/resources/templates/azure-api-management-create/) quickstart templates.
-
-### Can I use a self-signed TLS/SSL certificate for a back end?
-Yes. This can be done through PowerShell or by directly submitting to the API. This will disable certificate chain validation and will allow you to use self-signed or privately-signed certificates when communicating from API Management to the back end services.
-
-#### Powershell method ####
-Use the [`New-AzApiManagementBackend`](/powershell/module/az.apimanagement/new-azapimanagementbackend) (for new back end) or [`Set-AzApiManagementBackend`](/powershell/module/az.apimanagement/set-azapimanagementbackend) (for existing back end) PowerShell cmdlets and set the `-SkipCertificateChainValidation` parameter to `True`.
-
-```powershell
-$context = New-AzApiManagementContext -resourcegroup 'ContosoResourceGroup' -servicename 'ContosoAPIMService'
-New-AzApiManagementBackend -Context $context -Url 'https://contoso.com/myapi' -Protocol http -SkipCertificateChainValidation $true
-```
-
-#### Direct API update method ####
-1. Create a [Backend](/rest/api/apimanagement/) entity by using API Management.
-2. Set the **skipCertificateChainValidation** property to **true**.
-3. If you no longer want to allow self-signed certificates, delete the Backend entity, or set the **skipCertificateChainValidation** property to **false**.
-
-### Why do I get an authentication failure when I try to clone a Git repository?
-If you use Git Credential Manager, or if you're trying to clone a Git repository by using Visual Studio, you might run into a known issue with the Windows credentials dialog box. The dialog box limits password length to 127 characters, and it truncates the Microsoft-generated password. We are working on shortening the password. For now, please use Git Bash to clone your Git repository.
-
-### Does API Management work with Azure ExpressRoute?
-Yes. API Management works with Azure ExpressRoute.
-
-### Why do we require a dedicated subnet in Resource Manager style VNETs when API Management is deployed into them?
-The dedicated subnet requirement for API Management comes from the fact, that it is built on Classic (PAAS V1 layer) deployment model. While we can deploy into a Resource Manager VNET (V2 layer), there are consequences to that. The Classic deployment model in Azure is not tightly coupled with the Resource Manager model and so if you create a resource in V2 layer, the V1 layer doesn't know about it and problems can happen, such as API Management trying to use an IP that is already allocated to a NIC (built on V2).
-To learn more about difference of Classic and Resource Manager models in Azure refer to [difference in deployment models](../azure-resource-manager/management/deployment-models.md).
-
-### What is the minimum subnet size needed when deploying API Management into a VNET?
-The minimum subnet size needed to deploy API Management is [/29](../virtual-network/virtual-networks-faq.md#configuration), which is the minimum subnet size that Azure supports.
-
-### Can I move an API Management service from one subscription to another?
-Yes. To learn how, see [Move resources to a new resource group or subscription](../azure-resource-manager/management/move-resource-group-and-subscription.md).
-
-### Are there restrictions on or known issues with importing my API?
-[Known issues and restrictions](api-management-api-import-restrictions.md) for Open API(Swagger), WSDL and WADL formats.
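Review bot: This deletes the whole FAQ, and the visible lines do not show the replacement `api-management-faq.yml`, so its content cannot be checked here. Please confirm the security-relevant answers carry over intact, in particular the self-signed certificate entry and its statement that `-SkipCertificateChainValidation` "will disable certificate chain validation", plus the step for setting **skipCertificateChainValidation** back to **false**. Every heading anchor in this file is also a potential inbound link target; only three link updates are visible in the following hunks, so a repo-wide search for `api-management-faq.md` is needed before merge.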
api-management Api Management Howto Create Subscriptions https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/api-management-howto-create-subscriptions.md
Get more information on API Management:
+ Learn other [concepts](api-management-terminology.md) in API Management. + Follow our [tutorials](import-and-publish.md) to learn more about API Management.
-+ Check our [FAQ page](api-management-faq.md) for common questions.
++ Check our [FAQ page](api-management-faq.yml) for common questions.
api-management Api Management Policies https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/api-management-policies.md
This section provides a reference for the following API Management policies. For
- [Set usage quota by subscription](api-management-access-restriction-policies.md#SetUsageQuota) - Allows you to enforce a renewable or lifetime call volume and/or bandwidth quota, on a per subscription basis. - [Set usage quota by key](api-management-access-restriction-policies.md#SetUsageQuotaByKey) - Allows you to enforce a renewable or lifetime call volume and/or bandwidth quota, on a per key basis. - [Validate JWT](api-management-access-restriction-policies.md#ValidateJWT) - Enforces existence and validity of a JWT extracted from either a specified HTTP Header or a specified query parameter.
+ - [Validate client certificate](api-management-access-restriction-policies.md#validate-client-certificate) - Enforces that a certificate presented by a client to an API Management instance matches specified validation rules and claims.
- [Advanced policies](api-management-advanced-policies.md#AdvancedPolicies) - [Control flow](api-management-advanced-policies.md#choose) - Conditionally applies policy statements based on the evaluation of Boolean expressions. - [Forward request](api-management-advanced-policies.md#ForwardRequest) - Forwards the request to the backend service.
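Review bot: The new "Validate client certificate" entry links to `#validate-client-certificate`, while every sibling entry in this list uses an explicit PascalCase anchor (`#ValidateJWT`, `#SetUsageQuotaByKey`). Confirm the target heading in `api-management-access-restriction-policies.md` actually resolves with the lowercase hyphenated form, or add an explicit anchor that matches the existing convention. The entry is also indented one space more than its neighbours, which can change list nesting in some renderers.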
api-management Api Management Subscriptions https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/api-management-subscriptions.md
Get more information on API Management:
+ Learn other [concepts](api-management-terminology.md) in API Management. + Follow our [tutorials](import-and-publish.md) to learn more about API Management.
-+ Check our [FAQ page](api-management-faq.md) for common questions.
++ Check our [FAQ page](api-management-faq.yml) for common questions.
api-management Configure Custom Domain https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/configure-custom-domain.md
When configuring DNS for your custom domain name, you have two options:
- Configure an A-record that points to your API Management gateway IP address. > [!NOTE]
-> Although the API Managment instance IP address is static, it may change in a few scenarios. Because of this it's recommended to use CNAME when configuring custom domain. Take that into consideration when choosing DNS configuration method. Read more in the [the IP documentation article](api-management-howto-ip-addresses.md#changes-to-the-ip-addresses) and the [API Management FAQ](api-management-faq.md#how-can-i-secure-the-connection-between-the-api-management-gateway-and-my-back-end-services).
+> Although the API Managment instance IP address is static, it may change in a few scenarios. Because of this it's recommended to use CNAME when configuring custom domain. Take that into consideration when choosing DNS configuration method. Read more in the [the IP documentation article](api-management-howto-ip-addresses.md#changes-to-the-ip-addresses) and the [API Management FAQ](api-management-faq.yml#how-can-i-secure-the-connection-between-the-api-management-gateway-and-my-back-end-services-).
## Next steps
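Review bot: The changed note line still carries "API Managment" (misspelled) and the doubled article in "the [the IP documentation article]"; since the line is being touched anyway, fix both. The new FAQ anchor ends with a trailing hyphen (`...-my-back-end-services-`), which looks accidental; confirm it matches the anchor generated from the YAML FAQ. The sentence is about gateway IP address changes, so also check that this FAQ entry is still the right target after the move.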
api-management How To Configure Local Metrics Logs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/how-to-configure-local-metrics-logs.md
The self-hosted gateway also supports a number of protocols including `localsysl
| Field | Default | Description | | - | - | - | | telemetry.logs.std | `text` | Enables logging to standard streams. Value can be `none`, `text`, `json` |
-| telemetry.logs.local | `none` | Enables local logging. Value can be `none`, `auto`, `localsyslog`, `rfc5424`, `journal` |
+| telemetry.logs.local | `auto` | Enables local logging. Value can be `none`, `auto`, `localsyslog`, `rfc5424`, `journal`, `json` |
| telemetry.logs.local.localsyslog.endpoint | n/a | Specifies localsyslog endpoint. | | telemetry.logs.local.localsyslog.facility | n/a | Specifies localsyslog [facility code](https://en.wikipedia.org/wiki/Syslog#Facility). e.g., `7` | telemetry.logs.local.rfc5424.endpoint | n/a | Specifies rfc5424 endpoint. | | telemetry.logs.local.rfc5424.facility | n/a | Specifies facility code per [rfc5424](https://tools.ietf.org/html/rfc5424). e.g., `7` | | telemetry.logs.local.journal.endpoint | n/a | Specifies journal endpoint. |
+| telemetry.logs.local.json.endpoint | 127.0.0.1:8888 | Specifies UDP endpoint that accepts JSON data: file path, IP:port, or hostname:port.
Here is a sample configuration of local logging:
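Review bot: Changing the documented default of `telemetry.logs.local` from `none` to `auto` is a behaviour statement, but nothing in the table says which sink `auto` selects, so a reader cannot tell where gateway logs now go by default. The new `telemetry.logs.local.json.endpoint` row describes a "UDP endpoint" and then lists "file path" as an accepted form, which is contradictory as written; say whether a path means a Unix domain socket or a file. That row is also missing its closing `|`, and it is worth one sentence noting that the JSON sink sends over UDP to the configured address so operators can decide whether the `127.0.0.1:8888` default or a remote host is appropriate for their log content.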
app-service Private Endpoint https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/networking/private-endpoint.md
description: Connect privately to a Web App using Azure Private Endpoint
ms.assetid: 2dceac28-1ba6-4904-a15d-9e91d5ee162c Previously updated : 04/27/2021 Last updated : 06/15/2021
# Using Private Endpoints for Azure Web App > [!IMPORTANT]
-> Private Endpoint is available for Windows and Linux Web App, containerized or not, hosted on these App Service Plans : **Isolated**, **PremiumV2**, **PremiumV3**, **Functions Premium** (sometimes referred to as the Elastic Premium plan).
+> Private Endpoint is available for Windows and Linux Web App, containerized or not, hosted on these App Service Plans : **PremiumV2**, **PremiumV3**, **Functions Premium** (sometimes referred to as the Elastic Premium plan).
You can use Private Endpoint for your Azure Web App to allow clients located in your private network to securely access the app over Private Link. The Private Endpoint uses an IP address from your Azure VNet address space. Network traffic between a client on your private network and the Web App traverses over the VNet and a Private Link on the Microsoft backbone network, eliminating exposure from the public Internet.
Remote Debugging functionality is not available when Private Endpoint is enabled
FTP access is provided through the inbound public IP address. Private Endpoint does not support FTP access to the Web App.
-There is a known limitation affecting Private Endpoints and traffic routing with slots (aka [Test in Production feature][TiP]). As of April 2021, automatic and manual request routing between slots will result in a "403 Access Denied". This limitation will be removed in a future release.
- We are improving Private Link feature and Private Endpoint regularly, check [this article][pllimitations] for up-to-date information about limitations. ## Next steps
We are improving Private Link feature and Private Endpoint regularly, check [thi
[howtoguide4]: ../scripts/template-deploy-private-endpoint.md [howtoguide5]: https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.web/webapp-privateendpoint-vnet-injection [howtoguide6]: ../scripts/terraform-secure-backend-frontend.md
-[TiP]: ../deploy-staging-slots.md#route-traffic
+[TiP]: ../deploy-staging-slots.md#route-traffic
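Review bot: The removed paragraph on slot traffic routing was the only visible use of the `[TiP]` reference, yet the `[TiP]:` link definition is kept (re-added with only a whitespace change). If nothing else in the article uses it, delete the definition. Separately, **Isolated** is dropped from the supported plan list in the IMPORTANT note without any explanation in the visible lines; a short sentence on what Isolated plan users should use instead would prevent readers from assuming private access is simply unavailable to them.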
app-service Quickstart Java https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/quickstart-java.md
adobe-target-content: ./quickstart-java-uiex
Clone the [Spring Boot Getting Started](https://github.com/spring-guides/gs-spring-boot) sample project.
-```bash
+```azurecli-interactive
git clone https://github.com/spring-guides/gs-spring-boot ``` Change directory to the completed project.
-```bash
+```azurecli-interactive
cd gs-spring-boot/complete ```
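Review bot: These fences are switched from `bash` to `azurecli-interactive`, but the commands inside are `git clone` and `cd`, not Azure CLI commands. If the intent is only to get the Cloud Shell "Try it" button, please confirm that is the documented use of this fence type; otherwise readers lose shell syntax highlighting and may assume the commands require `az`. The same applies to the `mvn` and `cd helloworld` fences changed later in this file.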
cd gs-spring-boot/complete
Execute the following Maven command in the Cloud Shell prompt to create a new app named `helloworld`:
-```bash
+```azurecli-interactive
mvn archetype:generate "-DgroupId=example.demo" "-DartifactId=helloworld" "-DarchetypeArtifactId=maven-archetype-webapp" "-Dversion=1.0-SNAPSHOT" ``` Then change your working directory to the project folder:
-```bash
+```azurecli-interactive
cd helloworld ```
+# [JBoss EAP](#tab/jbosseap)
++
+JBoss EAP is only available on the Linux version of App Service. Please select the **Linux** button at the top of this article to view the quickstart instructions for JBoss EAP.
++
+Clone the Pet Store demo application.
+
+```azurecli-interactive
+git clone https://github.com/agoncal/agoncal-application-petstore-ee7.git
+```
+
+Change directory to the cloned project.
+
+```azurecli-interactive
+cd agoncal-application-petstore-ee7
+```
++ ## Configure the Maven plugin
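Review bot: The new JBoss EAP tab first tells the reader that JBoss EAP is only available on Linux and to switch to the **Linux** pivot, then continues with clone and `cd` steps in the same tab, so it is unclear which pivot those steps belong to. The clone target `https://github.com/agoncal/agoncal-application-petstore-ee7.git` is a repository outside the Microsoft and spring-guides organisations and is fetched at its default branch head; suggest pinning a tag or commit, or pointing to a maintained fork, so the code that the quickstart builds and deploys cannot change underneath the instructions.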
The deployment process to Azure App Service will use your Azure credentials from
Run the Maven command below to configure the deployment. This command will help you to set up the App Service operating system, Java version, and Tomcat version.
-```bash
-mvn com.microsoft.azure:azure-webapp-maven-plugin:1.14.0:config
+```azurecli-interactive
+mvn com.microsoft.azure:azure-webapp-maven-plugin:1.16.0:config
``` ::: zone pivot="platform-windows" # [Java SE](#tab/javase)
-1. When prompted with **Subscription** option, select the proper `Subscription` by entering the number print in the line start.
-1. When prompted with **Web App** option, accept the defaut option `<create>` by pressing enter or select an existing app.
-1. When prompted with **OS** option, select **Windows** by entering `3`.
-1. When prompted with **Pricing Tier** option, select **B2** by entering `2`.
-1. Use the default Java version, **Java 8**, by pressing enter.
-1. Finally, press enter on the last prompt to confirm your selections.
+1. If prompted with **Subscription** option, select the proper `Subscription` by entering the number printed at the line start.
+2. When prompted with **Web App** option, select the default option, `<create>`, by pressing enter.
+3. When prompted with **OS** option, select **Windows** by entering `2`.
+4. When prompted with **javaVersion** option, select **Java 8** by entering `1`.
+5. When prompted with **Pricing Tier** option, select **P1v2** by entering `7`.
+6. Finally, press enter on the last prompt to confirm your selections.
Your summary output will look similar to the snippet shown below.
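Review bot: Steps 3 to 5 hard-code menu positions (`2` for Windows, `1` for Java 8, `7` for P1v2) that already shifted between the removed and added lines (Windows was `3`), and the Linux tabs in this same change use `6` for P1v2. Tell the reader to choose by the option name printed in the prompt and present the number as what the current plugin version shows. The switch from **B2** to **P1v2** is also unexplained; add a sentence on why the quickstart now creates a different pricing tier.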
mvn com.microsoft.azure:azure-webapp-maven-plugin:1.14.0:config
# [Tomcat](#tab/tomcat)
-1. When prompted with **Subscription** option, select the proper `Subscription` by entering the number print in the line start.
-1. When prompted with **Web App** option, accept the defaut option `<create>` by pressing enter or select an existing app.
-1. When prompted with **OS** option, select **Windows** by entering `3`.
-1. When prompted with **Pricing Tier** option, select **B2** by entering `2`.
-1. Use the default Java version, **Java 8**, by pressing enter.
-1. Use the default web container, **Tomcat 8.5**, by pressing enter.
-1. Finally, press enter on the last prompt to confirm your selections.
+1. If prompted with **Subscription** option, select the proper `Subscription` by entering the number printed at the line start.
+2. When prompted with **Web App** option, select the default option, `<create>`, by pressing enter.
+3. When prompted with **OS** option, select **Windows** by entering `2`.
+4. When prompted with **javaVersion** option, select **Java 8** by entering `1`.
+5. When prompted with **webContainer** option, select **Tomcat 8.5** by entering `3`.
+6. When prompted with **Pricing Tier** option, select **P1v2** by entering `7`.
+7. Finally, press enter on the last prompt to confirm your selections.
Your summary output will look similar to the snippet shown below.
mvn com.microsoft.azure:azure-webapp-maven-plugin:1.14.0:config
[INFO] ```
+# [JBoss EAP](#tab/jbosseap)
+
+JBoss EAP is only available on the Linux version of App Service. Please select the **Linux** button at the top of this article to view the quickstart instructions for JBoss EAP.
+ ::: zone-end ::: zone pivot="platform-linux"
-### [Java SE](#tab/javase)
+# [Java SE](#tab/javase)
-1. When prompted with **Subscription** option, select the proper `Subscription` by entering the number print in the line start.
-1. When prompted with **Web App** option, accept the defaut option `<create>` by pressing enter or select an existing app.
+1. When prompted with **Subscription** option, select the proper `Subscription` by entering the number printed at the line start.
+1. When prompted with **Web App** option, select the default option, `<create>`, by pressing enter.
1. When prompted with **OS** option, select **Linux** by pressing enter.
-1. When prompted with **Pricing Tier** option, select **B2** by entering `2`.
-1. Use the default Java version, **Java 8**, by pressing enter.
-1. Finally, press enter on the last prompt to confirm your selections.
+2. When prompted with **javaVersion** option, select **Java 8** by entering `1`.
+3. When prompted with **Pricing Tier** option, select **P1v2** by entering `6`.
+4. Finally, press enter on the last prompt to confirm your selections.
``` Please confirm webapp properties
mvn com.microsoft.azure:azure-webapp-maven-plugin:1.14.0:config
[INFO] ```
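Review bot: The list numbering in the Linux Java SE tab is now mixed: the first three items are `1.`, `1.`, `1.` and the added items continue with `2.`, `3.`, `4.`, so the source reads 1, 1, 1, 2, 3, 4. Use `1.` throughout, as the Linux Tomcat tab does, or number the whole list explicitly. The Subscription step also says "When prompted" here while the Windows and JBoss EAP tabs say "If prompted"; pick one wording.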
-### [Tomcat](#tab/tomcat)
+# [Tomcat](#tab/tomcat)
-1. When prompted with **Subscription** option, select the proper `Subscription` by entering the number print in the line start.
-1. When prompted with **Web App** option, accept the defaut option `<create>` by pressing enter or select an existing app.
+1. When prompted with **Subscription** option, select the proper `Subscription` by entering the number printed at the line start.
+1. When prompted with **Web App** option, select the default option, `<create>`, by pressing enter.
1. When prompted with **OS** option, select **Linux** by pressing enter.
-1. When prompted with **Pricing Tier** option, select **B2** by entering `2`.
-1. Use the default Java version, **Java 8**, by pressing enter.
-1. Use the default web container, **Tomcat 8.5**, by pressing enter.
+1. When prompted with **javaVersion** option, select **Java 8** by entering `1`.
+1. When prompted with **runtimeStack** option, select **Tomcat 8.5** by entering `3`.
+1. When prompted with **Pricing Tier** option, select **P1v2** by entering `6`.
1. Finally, press enter on the last prompt to confirm your selections. ```
mvn com.microsoft.azure:azure-webapp-maven-plugin:1.14.0:config
[INFO] ```
+# [JBoss EAP](#tab/jbosseap)
+
+1. If prompted with **Subscription** option, select the proper `Subscription` by entering the number printed at the line start.
+1. When prompted with **Web App** option, accept the default option `<create>` by pressing enter.
+1. When prompted with **OS** option, select **Linux** by pressing enter.
+1. When prompted with **javaVersion** option, select **Java 8** by entering `1`.
+1. When prompted with **runtimeStack** option, select **Jbosseap 7** by entering `1`
+1. When prompted with **pricingTier** option, select **P1v3** by entering `3`
+1. Finally, press enter on the last prompt to confirm your selections.
+
+ ```
+ Please confirm webapp properties
+ Subscription Id : ********-****-****-****-************
+ AppName : petstoreee7-1623451825408
+ ResourceGroup : petstoreee7-1623451825408-rg
+ Region : westeurope
+ PricingTier : P1v3
+ OS : Linux
+ Java : Java 8
+ Web server stack: Jbosseap 7.2
+ Deploy to slot : false
+ Confirm (Y/N) [Y]: y
+ [INFO] Saving configuration to pom.
+ [INFO]
+ [INFO] BUILD SUCCESS
+ [INFO]
+ [INFO] Total time: 01:01 min
+ [INFO] Finished at: 2021-06-11T15:52:25-07:00
+ [INFO]
+ ```
+ ::: zone-end
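Review bot: Step 5 tells the reader to select **Jbosseap 7**, but the sample output below it reports `Web server stack: Jbosseap 7.2`; use the exact label the prompt shows so the step and the output agree. Steps 5 and 6 are also missing their closing period, and the prompt is written **pricingTier** here but **Pricing Tier** in the other tabs of the same article.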
You can modify the configurations for App Service directly in your `pom.xml` if
Property | Required | Description | Version ||| `<schemaVersion>` | false | Specify the version of the configuration schema. Supported values are: `v1`, `v2`. | 1.5.2
-`<subscriptionId>` | false | Specify the subscription id. | 0.1.0+
+`<subscriptionId>` | false | Specify the subscription ID. | 0.1.0+
`<resourceGroup>` | true | Azure Resource Group for your Web App. | 0.1.0+ `<appName>` | true | The name of your Web App. | 0.1.0+ `<region>` | true | Specifies the region where your Web App will be hosted; the default value is **westeurope**. All valid regions at [Supported Regions](https://azure.microsoft.com/global-infrastructure/services/?products=app-service) section. | 0.1.0+
Property | Required | Description | Version
`<runtime>` | true | The runtime environment configuration, you could see the detail [here](https://github.com/microsoft/azure-maven-plugins/wiki/Azure-Web-App:-Configuration-Details). | 0.1.0+ `<deployment>` | true | The deployment configuration, you could see the details [here](https://github.com/microsoft/azure-maven-plugins/wiki/Azure-Web-App:-Configuration-Details). | 0.1.0+
-Be careful about the values of `<appName>` and `<resourceGroup>`(`helloworld-1590394316693` and `helloworld-1590394316693-rg` accordingly in the demo), they will be used later.
+Be careful about the values of `<appName>` and `<resourceGroup>` (`helloworld-1590394316693` and `helloworld-1590394316693-rg` accordingly in the demo), they will be used later.
> [!div class="nextstepaction"] > [I ran into an issue](https://www.research.net/r/javae2e?tutorial=quickstart-java&step=config)
Be careful about the values of `<appName>` and `<resourceGroup>`(`helloworld-159
The Maven plugin uses account credentials from the Azure CLI to deploy to App Services. [Sign in with the Azure CLI](/cli/azure/authenticate-azure-cli) before continuing.
-```azurecli
+```azurecli-interactive
az login ``` Then you can deploy your Java app to Azure using the following command.
-```bash
+```azurecli-interactive
mvn package azure-webapp:deploy ```
-Once deployment has completed, your application will be ready at `http://<appName>.azurewebsites.net/`(`http://helloworld-1590394316693.azurewebsites.net` in the demo). Open the url with your local web browser, you should see
+
+> [!NOTE]
+> For JBoss EAP, run `mvn package azure-webapp:deploy -DskipTests` to disable testing, as it requires Wildfly to be installed locally.
++
+Once deployment has completed, your application will be ready at `http://<appName>.azurewebsites.net/` (`http://helloworld-1590394316693.azurewebsites.net` in the demo). Open the url with your local web browser, you should see
![Sample app running in Azure App Service](./media/quickstart-java/java-hello-world-in-browser-azure-app-service.png)
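Review bot: The rewritten sentence still sends the reader to `http://<appName>.azurewebsites.net/` and `http://helloworld-1590394316693.azurewebsites.net`. Since the line is being touched anyway, change both to `https://`, because the default azurewebsites.net host name is served over TLS and the quickstart should not model plain HTTP access. "Open the url" should read "Open the URL". In the added note, state that `-DskipTests` applies only to this demo deployment so readers do not carry it into their own pipelines.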
availability-zones Az Region https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/availability-zones/az-region.md
description: To create highly available and resilient applications in Azure, Ava
Previously updated : 05/27/2021 Last updated : 06/15/2021 -+
To achieve comprehensive business continuity on Azure, build your application ar
| South Central US | | | | | US Gov Virginia | | | | | West US 2 | | | |
-| West US 3* | | | |
+| West US 3 | | | |
\* To learn more about Availability Zones and available services support in these regions, contact your Microsoft sales or customer representative. For the upcoming regions that will support Availability Zones, see [Azure geographies](https://azure.microsoft.com/en-us/global-infrastructure/geographies/).
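Review bot: The asterisk is dropped from the **West US 3** row, but the footnote starting `\* To learn more about Availability Zones and available services support in these regions` stays in the unchanged context. If no other row in the table still carries an asterisk, the footnote is now dangling and should be removed or reworded in this change.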
Azure Availability Zones are available with your Azure subscription. Learn more
## Next steps > [!div class="nextstepaction"]
-> [Regions and Availability Zones in Azure](az-overview.md)
+> [Regions and Availability Zones in Azure](az-overview.md)
azure-app-configuration Push Kv Devops Pipeline https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-app-configuration/push-kv-devops-pipeline.md
If an unexpected error occurs, debug logs can be enabled by setting the pipeline
Create multiple instances of the Azure App Configuration Push task within the same pipeline to push multiple configuration files to the App Configuration store.
+**How can I create Key Vault references using this task?**
+
+To create Key Vault references, set the "Content Type" parameter to *application/vnd.microsoft.appconfig.keyvaultref+json;charset=utf-8*. If not all key-values in a configuration file are Key Vault references, put Key Vault references and normal key-values in separate configuration files, and push them separately.
+ **Why am I receiving a 409 error when attempting to push key-values to my configuration store?** A 409 Conflict error message will occur if the task tries to remove or overwrite a key-value that is locked in the App Configuration store.
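Review bot: The new answer gives the content type but not what the value of a Key Vault reference must look like, so a reader can set the parameter and still push key-values that do not resolve. Add a short sample configuration file entry, and explain that the "Content Type" parameter applies to every key-value in the file, which is the reason for the split into separate files. Format the content type as inline code rather than italics so it can be copied without picking up emphasis markers.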
azure-arc Manage Vm Extensions Cli https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/servers/manage-vm-extensions-cli.md
Example:
az connectedmachine extension list --machine-name "myMachineName" --resource-group "myResourceGroup" ```
-By default, the output of Azure CLI commands is in JSON (JavaScript Object Notation). To change the default output to a list or table, for example, use [az configure --output](/cli/azure/reference-index). You can also add `--output` to any command for a one time change in output format.
+By default, the output of Azure CLI commands is in JSON (JavaScript Object Notation). To change the default output to a list or table, for example, use [az config set core.output=table](/cli/azure/reference-index). You can also add `--output` to any command for a one time change in output format.
The following example shows the partial JSON output from the `az connectedmachine extension -list` command:
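Review bot: The link text changes to `az config set core.output=table`, but the target is still `/cli/azure/reference-index`, which was the destination for the old `az configure` text. Point the link at the reference for the command now named. The sentence also reads "to a list or table, for example" while the command shown sets only `table`; either show the setting generically or drop "list".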
azure-cache-for-redis Cache Configure https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-cache-for-redis/cache-configure.md
One thing to consider when choosing a new memory reservation value (**maxmemory-
> [!IMPORTANT] > The **maxmemory-reserved** and **maxfragmentationmemory-reserved** settings are available only for Standard and Premium caches. >
-> The `noeviction` eviction policy is the only memory policy that's available for an Enterprise tier cache.
->
#### Keyspace notifications (advanced settings)
azure-functions Functions Networking Faq https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/functions-networking-faq.md
- Title: Frequently asked questions about networking in Azure Functions
-description: Answers to some of the most common questions and scenarios for networking with Azure Functions.
- Previously updated : 4/11/2019---
-# Frequently asked questions about networking in Azure Functions
-
-This article lists frequently asked questions about networking in Azure Functions. For a more comprehensive overview, see [Functions networking options](functions-networking-options.md).
-
-## How do I set a static IP in Functions?
-
-Deploying a function in an App Service Environment is the primary way to have static inbound and outbound IP addresses for your functions. For details on using an App Service Environment, start with the article [Create and use an internal load balancer with an App Service Environment](../app-service/environment/create-ilb-ase.md).
-
-You can also use a virtual network NAT gateway to route outbound traffic through a public IP address that you control. To learn more, see [Tutorial: Control Azure Functions outbound IP with an Azure virtual network NAT gateway](functions-how-to-use-nat-gateway.md).
-
-## How do I restrict internet access to my function?
-
-You can restrict internet access in a couple of ways:
-
-* [IP restrictions](../app-service/app-service-ip-restrictions.md): Restrict inbound traffic to your function app by IP range.
- * Under IP restrictions, you are also able to configure [Service Endpoints](../virtual-network/virtual-network-service-endpoints-overview.md), which restrict your Function to only accept inbound traffic from a particular virtual network.
-* Removal of all HTTP triggers. For some applications, it's enough to simply avoid HTTP triggers and use any other event source to trigger your function.
-
-Keep in mind that the Azure portal editor requires direct access to your running function. Any code changes through the Azure portal will require the device you're using to browse the portal to have its IP added to the approved list. But you can still use anything under the platform features tab with network restrictions in place.
-
-## How do I restrict my function app to a virtual network?
-
-You are able to restrict **inbound** traffic for a function app to a virtual network using [Service Endpoints](./functions-networking-options.md#use-service-endpoints). This configuration still allows the function app to make outbound calls to the internet.
-
-To completely restrict a function such that all traffic flows through a virtual network, you can use a [private endpoints](./functions-networking-options.md#private-endpoint-connections) with outbound virtual network integration or an App Service Environment. To learn more, see [Integrate Azure Functions with an Azure virtual network by using private endpoints](functions-create-vnet.md).
-
-## How can I access resources in a virtual network from a function app?
-
-You can access resources in a virtual network from a running function by using virtual network integration. For more information, see [Virtual network integration](functions-networking-options.md#virtual-network-integration).
-
-## How do I access resources protected by service endpoints?
-
-By using virtual network integration you can access service-endpoint-secured resources from a running function. For more information, see [virtual network integration](functions-networking-options.md#virtual-network-integration).
-
-## How can I trigger a function from a resource in a virtual network?
-
-You are able to allow HTTP triggers to be called from a virtual network using [Service Endpoints](./functions-networking-options.md#use-service-endpoints) or [Private Endpoint connections](./functions-networking-options.md#private-endpoint-connections).
-
-You can also trigger a function from all other resources in a virtual network by deploying your function app to a Premium plan, App Service plan, or App Service Environment. See [non-HTTP virtual network triggers](./functions-networking-options.md#virtual-network-triggers-non-http)
-for more information
-
-## How can I deploy my function app in a virtual network?
-
-Deploying to an App Service Environment is the only way to create a function app that's wholly inside a virtual network. For details on using an internal load balancer with an App Service Environment, start with the article [Create and use an internal load balancer with an App Service Environment](../app-service/environment/create-ilb-ase.md).
-
-For scenarios where you need only one-way access to virtual network resources, or less comprehensive network isolation, see the [Functions networking overview](functions-networking-options.md).
-
-## Next steps
-
-To learn more about networking and functions:
-
-* [Follow the tutorial about getting started with virtual network integration](./functions-create-vnet.md)
-* [Learn more about the networking options in Azure Functions](./functions-networking-options.md)
-* [Learn more about virtual network integration with App Service and Functions](../app-service/web-sites-integrate-with-vnet.md)
-* [Learn more about virtual networks in Azure](../virtual-network/virtual-networks-overview.md)
-* [Enable more networking features and control with App Service Environments](../app-service/environment/intro.md)
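Review bot: This removes `functions-networking-faq.md` in full, and the only inbound link visibly updated in this set is the one in `functions-networking-options.md` (now `./functions-networking-faq.yml`). Confirm that a redirect exists for the old `.md` path and that the headings readers link to directly, such as "How do I restrict internet access to my function?" and "How do I restrict my function app to a virtual network?", keep working anchors in the YAML version, since these are the sections people reach when locking a function app down.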
azure-functions Functions Networking Options https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/functions-networking-options.md
The following APIs let you programmatically manage regional virtual network inte
To learn more about networking and Azure Functions: * [Follow the tutorial about getting started with virtual network integration](./functions-create-vnet.md)
-* [Read the Functions networking FAQ](./functions-networking-faq.md)
+* [Read the Functions networking FAQ](./functions-networking-faq.yml)
* [Learn more about virtual network integration with App Service/Functions](../app-service/web-sites-integrate-with-vnet.md) * [Learn more about virtual networks in Azure](../virtual-network/virtual-networks-overview.md) * [Enable more networking features and control with App Service Environments](../app-service/environment/intro.md)
azure-government Documentation Government Stig Linux Vm https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-government/documentation-government-stig-linux-vm.md
Previously updated : 04/28/2021 Last updated : 06/14/2021 # Deploy STIG-compliant Linux Virtual Machines (Preview)
Sign in at the [Azure portal](https://ms.portal.azure.com/) or [Azure Government
a. Enter the *VM name*.
- b. Select the *Linux OS version*.
+ b. Select the *Availability options*. To learn about availability sets, see [Availability sets overview](../virtual-machines/availability-set-overview.md).
- c. Select the instance *Size*.
+ c. Select the *Linux OS version*.
- d. Enter the administrator account *Username*.
+ d. Select the instance *Size*.
- e. Select the Authentication type by choosing either *Password* or *Public key*.
+ e. Enter the administrator account *Username*.
- f. Enter a *Password* or *Public key*.
+ f. Select the Authentication type by choosing either *Password* or *Public key*.
- g. Confirm *Password* (*Public key* only needs to be input once).
+ g. Enter a *Password* or *Public key*.
+
+ h. Confirm *Password* (*Public key* only needs to be input once).
> [!NOTE] > For instructions on creating an SSH RSA public-private key pair for SSH client connections, see **[Create and manage SSH keys for authentication to a Linux VM in Azure](../virtual-machines/linux/create-ssh-keys-detailed.md).**
azure-government Documentation Government Stig Windows Vm https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-government/documentation-government-stig-windows-vm.md
Previously updated : 04/28/2021 Last updated : 06/14/2021 # Deploy STIG-compliant Windows Virtual Machines (Preview)
Sign in at the [Azure portal](https://ms.portal.azure.com/) or [Azure Government
a. Enter the *VM name*.
- b. Select the *Windows OS version*.
+ b. Select the *Availability options*. To learn about availability sets, see [Availability sets overview](../virtual-machines/availability-set-overview.md).
- c. Select the instance *Size*.
+ c. Select the *Windows OS version*.
- d. Enter the administrator account *Username*.
+ d. Select the instance *Size*.
- e. Enter the administrator account *Password*.
+ e. Enter the administrator account *Username*.
- f. Confirm *Password*.
+ f. Enter the administrator account *Password*.
+
+ g. Confirm *Password*.
+
+ h. Check if using an existing Windows Server license.
:::image type="content" source="./media/stig-windows-instance-details.png" alt-text="Instance details section where you provide a name for the virtual machine and select its region, image, and size" border="false":::
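Review bot: The added step `h. Check if using an existing Windows Server license.` is ambiguous: "Check" can mean select the check box or verify something elsewhere. Reword it to say which control to select and under what condition. The screenshot alt text in the unchanged line below still describes only name, region, image, and size, so confirm the image shows the new Availability options and license fields.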
azure-monitor Agents Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/agents/agents-overview.md
The following tables provide a quick comparison of the Azure Monitor agents for
| **Services and**<br>**features**<br>**supported** | Log Analytics<br>Metrics explorer | | Metrics explorer | VM insights<br>Log Analytics<br>Azure Automation<br>Azure Security Center<br>Azure Sentinel | VM insights<br>Service Map |
-## Azure Monitor agent (preview)
+## Azure Monitor agent
-The [Azure Monitor agent](azure-monitor-agent-overview.md) is currently in preview and will replace the Log Analytics agent and Telegraf agent for both Windows and Linux machines. It can send data to both Azure Monitor Logs and Azure Monitor Metrics and uses [Data Collection Rules (DCR)](data-collection-rule-overview.md) which provide a more scalable method of configuring data collection and destinations for each agent.
+The [Azure Monitor agent](azure-monitor-agent-overview.md) is meant to replace the Log Analytics agent, Azure Diagnostic extension and Telegraf agent for both Windows and Linux machines. It can send data to both Azure Monitor Logs and Azure Monitor Metrics and uses [Data Collection Rules (DCR)](data-collection-rule-overview.md) which provide a more scalable method of configuring data collection and destinations for each agent.
Use the Azure Monitor agent if you need to:
Use the Azure Monitor agent if you need to:
- Send data to third-party tools using [Azure Event Hubs](./diagnostics-extension-stream-event-hubs.md). - Manage the security of your machines using [Azure Security Center](../../security-center/security-center-introduction.md) or [Azure Sentinel](../../sentinel/overview.md). (Not available in preview.)
-Limitations of the Azure Monitor agent include:
--- Currently in public preview. See [Current limitations](azure-monitor-agent-overview.md#current-limitations) for a list of limitations during public preview.
+See [current feature gaps](../faq.md#is-the-new-azure-monitor-agent-at-parity-with-existing-agents) when compared to existing agents.
## Log Analytics agent
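Review bot: The heading and intro drop "(preview)", but the unchanged bullet just above the removed limitations still ends with "(Not available in preview.)" for Azure Security Center and Azure Sentinel. Update that bullet in the same change to say whether those integrations are supported now, otherwise the section contradicts itself on a point that decides whether security teams can move to this agent.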
azure-monitor Azure Monitor Agent Install https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/agents/azure-monitor-agent-install.md
-# Install the Azure Monitor agent (preview)
+# Install the Azure Monitor agent
This article provides the different options currently available to install the [Azure Monitor agent](azure-monitor-agent-overview.md) on both Azure virtual machines and Azure Arc enabled servers and also the options to create [associations with data collection rules](data-collection-rule-azure-monitor-agent.md) that define which data the agent should collect. ## Prerequisites
The following prerequisites are required prior to installing the Azure Monitor a
- [Managed system identity](../../active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm.md) must be enabled on Azure virtual machines. This is not required for Azure Arc enabled servers. The system identity will be enabled automatically if the agent is installed as part of the process for [creating and assigning a data collection rule using the Azure portal](#install-with-azure-portal). - The [AzureResourceManager service tag](../../virtual-network/service-tags-overview.md) must be enabled on the virtual network for the virtual machine.
+- The virtual machine must have access to the following HTTPS endpoints:
+ - *.ods.opinsights.azure.com
+ - *.ingest.monitor.azure.com
+ - *.control.monitor.azure.com
> [!IMPORTANT]
-> The Azure Monitor agent does not currently support network proxies.
+> The Azure Monitor agent does not currently support network proxies or private links.
## Virtual machine extension details The Azure Monitor Agent is implemented as an [Azure VM extension](../../virtual-machines/extensions/overview.md) with the details in the following table. It can be installed using any of the methods to install virtual machine extensions including those described in this article.
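Review bot: The three added endpoints (`*.ods.opinsights.azure.com`, `*.ingest.monitor.azure.com`, `*.control.monitor.azure.com`) are written as bare text with a leading asterisk, which Markdown can treat as emphasis or a list marker. Wrap each in inline code. Because readers will copy these into firewall allow lists, also state the direction and port (outbound HTTPS) explicitly, and since the note below now says private links are unsupported, say that these must be reachable over the public endpoints.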
azure-monitor Azure Monitor Agent Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/agents/azure-monitor-agent-overview.md
Last updated 03/16/2021
-# Azure Monitor agent overview (preview)
-The Azure Monitor agent (AMA) collects monitoring data from the guest operating system of azure virtual machines and delivers it to Azure Monitor. This articles provides an overview of the Azure Monitor agent including how to install it and how to configure data collection.
+# Azure Monitor agent overview
+The Azure Monitor agent (AMA) collects monitoring data from the guest operating system of Azure virtual machines and delivers it to Azure Monitor. This articles provides an overview of the Azure Monitor agent including how to install it and how to configure data collection.
## Relationship to other agents
-The Azure Monitor Agent replaces the following agents that are currently used by Azure Monitor to collect guest data from virtual machines:
+The Azure Monitor Agent replaces the following agents that are currently used by Azure Monitor to collect guest data from virtual machines ([view known gaps](../faq.md#is-the-new-azure-monitor-agent-at-parity-with-existing-agents)):
- [Log Analytics agent](./log-analytics-agent.md) - Sends data to Log Analytics workspace and supports VM insights and monitoring solutions. - [Diagnostic extension](./diagnostics-extension-overview.md) - Sends data to Azure Monitor Metrics (Windows only), Azure Event Hubs, and Azure Storage.
Azure Monitor agent uses [Data Collection Rules (DCR)](data-collection-rule-over
## Should I switch to Azure Monitor agent? Azure Monitor agent coexists with the [generally available agents for Azure Monitor](agents-overview.md), but you may consider transitioning your VMs off the current agents during the Azure Monitor agent public preview period. Consider the following factors when making this determination. -- **Environment requirements.** Azure Monitor agent has a more limited set of supported operating systems, environments, and networking requirements than the current agents. Future environment support such as new operating system versions and types of networking requirements will most likely be provided only in Azure Monitor agent. You should assess whether your environment is supported by Azure Monitor agent. If not, then you will need to stay with the current agent. If Azure Monitor agent supports your current environment, then you should consider transitioning to it.-- **Public preview risk tolerance.** While Azure Monitor agent has been thoroughly tested for the currently supported scenarios, the agent is still in public preview. Version updates and functionality improvements will occur frequently and may introduce bugs. You should assess your risk of a bug in the agent on your VMs that could stop data collection. If a gap in data collection isnΓÇÖt going to have a significant impact on your services, then proceed with Azure Monitor agent. If you have a low tolerance for any instability, then you should stay with the generally available agents until Azure Monitor agent reaches this status.-- **Current and new feature requirements.** Azure Monitor agent introduces several new capabilities such as filtering, scoping, and multi-homing, but it isnΓÇÖt at parity yet with the current agents for other functionality such as custom log collection and integration with solutions. Most new capabilities in Azure Monitor will only be made available with Azure Monitor agent, so over time more functionality will only be available in the new agent. 
You should consider whether Azure Monitor agent has the features you require and if there are some features that you can temporarily do without to get other important features in the new agent. If Azure Monitor agent has all the core capabilities you require then consider transitioning to it. If there are critical features that you require then continue with the current agent until Azure Monitor agent reaches parity.-- **Tolerance for rework.** If you're setting up a new environment with resources such as deployment scripts and onboarding templates, you should consider whether you will be able to rework them when Azure Monitor agent becomes generally available. If the effort for this rework will be minimal, then stay with the current agents for now. If it will take a significant amount of work, then consider setting up your new environment with the new agent. The Azure Monitor agent is expected to become generally available and a deprecation date published for the Log Analytics agents in 2021. The current agents will be supported for several years once deprecation begins.
+- **Environment requirements.** Azure Monitor agent supports [these operating systems](./agents-overview.md#supported-operating-systems) today latest operating systems and future environment support such as new operating system versions and types of networking requirements will most likely be provided only in this new agent. You should assess whether your environment is supported by Azure Monitor agent. If not, then you may need to stay with the current agent. If Azure Monitor agent supports your current environment, then you should consider transitioning to it.
+- **Current and new feature requirements.** Azure Monitor agent introduces several new capabilities such as filtering, scoping, and multi-homing, but it isnΓÇÖt at parity yet with the current agents for other functionality such as custom log collection and integration with all solutions ([see solutions in preview](../faq.md#which-log-analytics-solutions-are-supported-on-the-new-azure-monitor-agent)). Most new capabilities in Azure Monitor will only be made available with Azure Monitor agent, so over time more functionality will only be available in the new agent. You should consider whether Azure Monitor agent has the features you require and if there are some features that you can temporarily do without to get other important features in the new agent. If Azure Monitor agent has all the core capabilities you require then consider transitioning to it. If there are critical features that you require then continue with the current agent until Azure Monitor agent reaches parity.
+- **Tolerance for rework.** If you're setting up a new environment with resources such as deployment scripts and onboarding templates, asses the effort involved. If it will take a significant amount of work, then consider setting up your new environment with the new agent as it is now generally available. A deprecation date published for the Log Analytics agents in August, 2021. The current agents will be supported for several years once deprecation begins.
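Review bot: The added bullets need another editing pass before merge. In **Environment requirements**, "supports [these operating systems] today latest operating systems and future environment support" is two sentences run together. In **Tolerance for rework**, "asses" should be "assess" and "A deprecation date published for the Log Analytics agents in August, 2021" has no verb, so it is unclear whether the date has been published or will be. The unchanged lead-in to this list still says "during the Azure Monitor agent public preview period", which conflicts with "it is now generally available" in the added text.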
-## Current limitations
-The following limitations apply during public preview of the Azure Monitor Agent:
--- The Azure Monitor agent does not support solutions and insights such as VM insights and Azure Security Center. The only scenario currently supported is collecting data using the data collection rules that you configure. -- Data collection rules must be created in the same region as any Log Analytics workspace used as a destination.-- Azure virtual machines, virtual machine scale sets, and Azure Arc enabled servers are currently supported. Azure Kubernetes Service and other compute resource types are not currently supported.-- The virtual machine must have access to the following HTTPS endpoints:
- - *.ods.opinsights.azure.com
- - *.ingest.monitor.azure.com
- - *.control.monitor.azure.com
+## Supported resource types
+Azure virtual machines, virtual machine scale sets, and Azure Arc enabled servers are currently supported. Azure Kubernetes Service and other compute resource types are not currently supported.
## Supported regions
-Azure Monitor agent currently supports resources in the following regions:
--- East Asia-- Southeast Asia-- Australia Central-- Australia East-- Australia Southeast-- Canada Central-- North Europe-- West Europe-- France Central-- Germany West Central-- Central India-- Japan East-- Korea Central-- South Africa North-- Switzerland North-- UK South-- UK West-- Central US-- East US-- East US 2-- North Central US-- South Central US-- West US-- West US 2-- West Central US
+Azure Monitor agent is available in all public regions that supports Log Analytics. Government regions and clouds are not currently supported.
## Coexistence with other agents
-The Azure Monitor agent can coexist with the existing agents so that you can continue to use their existing functionality during evaluation or migration. This is particularly important because of the limitations in public preview in supporting existing solutions. You should be careful though in collecting duplicate data since this could skew query results and result in additional charges for data ingestion and retention.
+The Azure Monitor agent can coexist with the existing agents so that you can continue to use their existing functionality during evaluation or migration. This is particularly important because of the limitations supporting existing solutions. You should be careful though in collecting duplicate data since this could skew query results and result in additional charges for data ingestion and retention.
For example, VM insights uses the Log Analytics agent to send performance data to a Log Analytics workspace. You may also have configured the workspace to collect Windows events and Syslog events from agents. If you install the Azure Monitor agent and create a data collection rule for these same events and performance data, it will result in duplicate data.
+As such, ensure you're not collecting the same data from both agents, and if so, ensure they are going to separate destinations.
+ ## Costs There is no cost for Azure Monitor agent, but you may incur charges for the data ingested. See [Azure Monitor pricing](https://azure.microsoft.com/pricing/details/monitor/) for details on Log Analytics data collection and retention and for customer metrics.
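Review bot: The removed "Current limitations" list carried the agent's network requirement (HTTPS access to `*.ods.opinsights.azure.com`, `*.ingest.monitor.azure.com` and `*.control.monitor.azure.com`), and none of the added lines restate it or link to where it now lives. Anyone maintaining an egress allowlist for these machines loses the reference, so add a pointer to the page that now holds it. In the added "Tolerance for rework" bullet, "asses" should be "assess", and "A deprecation date published for the Log Analytics agents in August, 2021" has no verb, which leaves it unclear whether the date has been or will be published. "all public regions that supports" should read "support". In the added coexistence sentence, "and if so" contradicts the instruction before it; "if you must collect the same data from both agents, send it to separate destinations" says what is meant.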
azure-monitor Data Collection Rule Azure Monitor Agent https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/agents/data-collection-rule-azure-monitor-agent.md
Last updated 03/16/2021
-# Configure data collection for the Azure Monitor agent (preview)
+# Configure data collection for the Azure Monitor agent
Data Collection Rules (DCR) define data coming into Azure Monitor and specify where it should be sent. This article describes how to create a data collection rule to collect data from virtual machines using the Azure Monitor agent.
-For a complete description of data collection rules, see [Data collection rules in Azure Monitor (preview)](data-collection-rule-overview.md).
+For a complete description of data collection rules, see [Data collection rules in Azure Monitor](data-collection-rule-overview.md).
> [!NOTE]
-> This article describes how to configure data for virtual machines with the Azure Monitor agent which is currently in preview. See [Overview of Azure Monitor agents](agents-overview.md) for a description of agents that are generally available and how to use them to collect data.
+> This article describes how to configure data for virtual machines with the Azure Monitor agent only.
## Data collection rule associations
Follow the steps below to create a data collection rule and association
3. Create an association for each virtual machine to the data collection rule using the [REST API](/rest/api/monitor/datacollectionruleassociations/create#examples).
-## Create association using Resource Manager template
+## Create rule and association using Resource Manager template
> [!NOTE] > If you wish to send data to Log Analytics, you must create the data collection rule in the **same region** where your Log Analytics workspace resides. The rule can be associated to machines in other supported region(s).
-You can create an association between an Azure virtual machine or Azure Arc enabled server using a Resource Manager template. See [Resource Manager template samples for data collection rules in Azure Monitor](./resource-manager-data-collection-rules.md) for sample templates.
+You can create a rule and an association for an Azure virtual machine or Azure Arc enabled server using Resource Manager templates. See [Resource Manager template samples for data collection rules in Azure Monitor](./resource-manager-data-collection-rules.md) for sample templates).
## Manage rules and association using PowerShell
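Review bot: The added sentence under "Create rule and association using Resource Manager template" ends with an unmatched closing parenthesis ("for sample templates)."); drop it. The rewritten NOTE also removes the link to agents-overview.md, so a reader on one of the other agents is told this page covers the Azure Monitor agent only without being told where to go instead; keep the link.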
azure-monitor Data Collection Rule Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/agents/data-collection-rule-overview.md
-# Data collection rules in Azure Monitor (preview)
+# Data collection rules in Azure Monitor
Data Collection Rules (DCR) define data coming into Azure Monitor and specify where that data should be sent or stored. This article provides an overview of data collection rules including their contents and structure and how you can create and work with them. ## Input sources Data collection rules currently support the following input sources: -- Azure virtual machine with the Azure Monitor agent. See [Configure data collection for the Azure Monitor agent (preview)](../agents/data-collection-rule-azure-monitor-agent.md).
+- Azure Monitor Agent running on virtual machines, virtual machine scale sets and Azure Arc for servers. See [Configure data collection for the Azure Monitor agent (preview)](../agents/data-collection-rule-azure-monitor-agent.md).
A data collection rule includes the following components.
|:|:| | Data sources | Unique source of monitoring data with its own format and method of exposing its data. Examples of a data source include Windows event log, performance counters, and syslog. Each data source matches a particular data source type as described below. | | Streams | Unique handle that describes a set of data sources that will be transformed and schematized as one type. Each data source requires one or more streams, and one stream may be used by multiple data sources. All data sources in a stream share a common schema. Use multiple streams for example, when you want to send a particular data source to multiple tables in the same Log Analytics workspace. |
-| Destinations | Set of destinations where the data should be sent. Examples include Log Analytics workspace, Azure Monitor Metrics, and Azure Event Hubs. |
+| Destinations | Set of destinations where the data should be sent. Examples include Log Analytics workspace and Azure Monitor Metrics. |
| Data flows | Definition of which streams should be sent to which destinations. |
+Data collection rules are stored regionally, and are available in all public regions where Log Analytics is supported. Government regions and clouds are not currently supported.
+ The following diagram shows the components of a data collection rule and their relationship [![Diagram of DCR](media/data-collection-rule-overview/data-collection-rule-components.png)](media/data-collection-rule-overview/data-collection-rule-components.png#lightbox)
You can currently use any of the following methods to create a DCR:
- [Remove-AzDataCollectionRuleAssociation](https://github.com/Azure/azure-powershell/blob/master/src/Monitor/Monitor/help/Remove-AzDataCollectionRuleAssociation.md) ## Sample data collection rule
-The sample data collection rule below is for virtual machines with Azure Management agent and has the following details:
+The sample data collection rule below is for virtual machines with Azure Monitor agent and has the following details:
- Performance data - Collects specific Processor, Memory, Logical Disk, and Physical Disk counters every 15 seconds and uploads every minute.
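Review bot: In the added "Input sources" bullet the link text still reads "Configure data collection for the Azure Monitor agent (preview)" although this same change removes "(preview)" from the titles; update the link text to match. The bullet also says "Azure Arc for servers" where the other changed pages say "Azure Arc enabled servers", so pick one. The Destinations row drops Azure Event Hubs with no word on whether it was never supported or has been withdrawn; one sentence on that would save readers who planned around it.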
azure-monitor Diagnostics Extension Windows Install https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/agents/diagnostics-extension-windows-install.md
You can install and configure the diagnostics extension on an individual virtual
10. Click **Save** to save the configuration. > [!NOTE]
-> While the configuration for diagnostics extension can be formatted in either JSON or XML, any configuration done in the Azure portal will always be stored as JSON. If you use XML with another configuration method and then change your configuration with the Azure portal, the settings will be changed to JSON.
+> While the configuration for diagnostics extension can be formatted in either JSON or XML, any configuration done in the Azure portal will always be stored as JSON. If you use XML with another configuration method and then change your configuration with the Azure portal, the settings will be changed to JSON. Also, there is no option to set up the retention period for these logs.
## Resource Manager template See [Use monitoring and diagnostics with a Windows VM and Azure Resource Manager templates](../../virtual-machines/extensions/diagnostics-template.md) on deploying the diagnostics extension with Azure Resource Manager templates.
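Review bot: The sentence appended to the NOTE, "Also, there is no option to set up the retention period for these logs", has no antecedent for "these logs" and does not say whether the limit applies to the portal only or to every configuration method. State which logs are meant and where their retention is controlled, since readers who keep this data for investigations need to know how long it stays available.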
azure-monitor Resource Manager Data Collection Rules https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/agents/resource-manager-data-collection-rules.md
This article includes sample [Azure Resource Manager templates](../../azure-reso
[!INCLUDE [azure-monitor-samples](../../../includes/azure-monitor-resource-manager-samples.md)]
+## Create rule (sample)
+
+View [template format](/azure/templates/microsoft.insights/datacollectionrules)
## Create association with Azure VM
The following sample creates an association between an Azure Arc-enabled server
"resources": [ { "type": "Microsoft.HybridCompute/machines/providers/dataCollectionRuleAssociations",
- "name": "[concat(parameters('machineName'),'/microsoft.insights/', parameters('associationName'))]",
+ "name": "[concat(parameters('vmName'),'/microsoft.insights/', parameters('associationName'))]",
"apiVersion": "2019-11-01-preview", "properties": { "description": "Association of data collection rule. Deleting this association will break the data collection for this Arc server.",
The following sample creates an association between an Azure Arc-enabled server
* [Get other sample templates for Azure Monitor](../resource-manager-samples.md). * [Learn more about Log Analytics agent](./log-analytics-agent.md).
-* [Learn more about diagnostic extension](./diagnostics-extension-overview.md).
+* [Learn more about diagnostic extension](./diagnostics-extension-overview.md).
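Review bot: The `name` expression now reads `parameters('vmName')`, but the resource shown is still of type `Microsoft.HybridCompute/machines/providers/dataCollectionRuleAssociations` and its description still says "this Arc server". The parameter declaration is not visible in this hunk, so confirm it was renamed as well, otherwise the template will not resolve the parameter; if this is the Arc sample, `machineName` was the clearer name. The new "Create rule (sample)" section holds only a link to the template format and no sample, so either add one or drop "(sample)" from the heading.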
azure-monitor Alerts Metric Logs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/alerts/alerts-metric-logs.md
description: Tutorial on creating near-real time metric alerts on popular log an
Previously updated : 02/14/2021 Last updated : 06/15/2021
[!INCLUDE [updated-for-az](../../../includes/updated-for-az.md)]
-You can use metric alerts on popular Log Analytics logs extracted as metrics as part of Metrics from Logs including resources in Azure or on-premises. The supported Log Analytics solutions are listed below:
+**Metric Alerts for Logs** allows you to leverage metric alerts capabilities on a predefined set of Log Analytics logs. The monitored logs, which can be collected from Azure or on-premises computers, are converted to metrics, and then monitored with metric alert rules just like any other metric.
+The supported Log Analytics logs are the following:
-- [Performance counters](./../agents/data-sources-performance-counters.md) for Windows & Linux machines
+- [Performance counters](./../agents/data-sources-performance-counters.md) for Windows & Linux machines (corresponding with the supported [Log Analytics workspace metrics](../essentials/metrics-supported.md#microsoftoperationalinsightsworkspaces))
- [Heartbeat records for Agent Health](../insights/solution-agenthealth.md) - [Update management](../../automation/update-management/overview.md) records - [Event data](./../agents/data-sources-windows-events.md) logs There are many benefits for using **Metric Alerts for Logs** over query based [Log Alerts](./alerts-log.md) in Azure; some of them are listed below: -- Metric Alerts offer near-real time monitoring capability and Metric Alerts for Logs forks data from log source to ensure the same.
+- Metric Alerts offer near-real time monitoring capability and Metric Alerts for Logs forks data from the log source to ensure the same.
- Metric Alerts are stateful - only notifying once when alert is fired and once when alert is resolved; as opposed to Log alerts, which are stateless and keep firing at every interval if the alert condition is met.-- Metric Alerts for Log provide multiple dimensions, allowing filtering to specific values like Computers, OS Type, etc. simpler; without the need for penning query in analytics.
+- Metric Alerts for Log provide multiple dimensions, allowing filtering to specific values like Computers, OS Type, etc. simpler; without the need for defining a complex query in Log Analytics.
> [!NOTE]
-> Specific metric and/or dimension will only be shown if data for it exists in chosen period. These metrics are available for customers with Azure Log Analytics workspaces.
+> Specific metric and/or dimension will only be shown if data for it exists in the chosen period. These metrics are available for customers with Azure Log Analytics workspaces.
## Metrics and dimensions supported for logs
- Metric alerts support alerting for metrics that use dimensions. You can use dimensions to filter your metric to the right level. The full list of metrics supported for Logs from [Log Analytics workspaces](../essentials/metrics-supported.md#microsoftoperationalinsightsworkspaces) is listed; across supported solutions.
+Metric alerts support alerting for metrics that use dimensions. You can use dimensions to filter your metric to the right level. The full list of metrics supported for Logs is equivalent to the list of [Log Analytics workspace metric](../essentials/metrics-supported.md#microsoftoperationalinsightsworkspaces).
> [!NOTE] > To view a supported metric extracted from a Log Analytics workspace via [Azure Monitor - Metrics](../essentials/metrics-charts.md), a metric alert for log must be created on that specific metric. The dimensions chosen in the metric alert for logs - will only appear for exploration via Azure Monitor - Metrics.
Before Metric for Logs gathered on Log Analytics data works, the following must
1. **Active Log Analytics Workspace**: A valid and active Log Analytics workspace must be present. For more information, see [Create a Log Analytics Workspace in Azure portal](../logs/quick-create-workspace.md). 2. **Agent is configured for Log Analytics Workspace**: Agent needs to be configured for Azure VMs (and/or) on-premises VMs to send data into the Log Analytics Workspace used in earlier step. For more information, see [Log Analytics - Agent Overview](./../agents/agents-overview.md).
-3. **Supported Log Analytics Solutions is installed**: Log Analytics solution should be configured and sending data into Log Analytics workspace - supported solutions are [Performance counters for Windows & Linux](./../agents/data-sources-performance-counters.md), [Heartbeat records for Agent Health](../insights/solution-agenthealth.md), [Update management](../../automation/update-management/overview.md), and [Event data](./../agents/data-sources-windows-events.md).
+3. **Supported Log Analytics solution is installed**: Log Analytics solution should be configured and sending data into Log Analytics workspace - supported solutions are [Performance counters for Windows & Linux](./../agents/data-sources-performance-counters.md), [Heartbeat records for Agent Health](../insights/solution-agenthealth.md), [Update management](../../automation/update-management/overview.md), and [Event data](./../agents/data-sources-windows-events.md).
4. **Log Analytics solutions configured to send logs**: Log Analytics solution should have the required logs/data corresponding to [metrics supported for Log Analytics workspaces](../essentials/metrics-supported.md#microsoftoperationalinsightsworkspaces) enabled. For example, for *% Available Memory* counter of it must be configured in [Performance counters](./../agents/data-sources-performance-counters.md) solution first. ## Configuring Metric Alert for Logs
For step-by-step details and samples - see [creating and managing metric alerts]
- If **not** using Azure portal for creating metric alert for selected *Log Analytics workspace*; then user must manually first create an explicit rule for converting log data into a metric using [Azure Monitor - Scheduled Query Rules](/rest/api/monitor/scheduledqueryrules). > [!NOTE]
-> When creating metric alert for Log Analytics workspace via Azure portal - corresponding rule for converting log data into metric via [Azure Monitor - Scheduled Query Rules](/rest/api/monitor/scheduledqueryrules) is automatically created in background, *without the need of any user intervention or action*. For metric alert for logs creation using means other than Azure portal, see [Resource Template for Metric Alerts for Logs](#resource-template-for-metric-alerts-for-logs) section on sample means of creating a ScheduledQueryRule based log to metric conversion rule before metric alert creation - else there will be no data for the metric alert on logs created.
+> When creating a metric alert for log via Azure portal - a corresponding rule for converting log data into metric via [Azure Monitor - Scheduled Query Rules](/rest/api/monitor/scheduledqueryrules) is automatically created in the background, *without the need for any user intervention or action*. For metric alert for logs created using means other than Azure portal, see [Resource Template for Metric Alerts for Logs](#resource-template-for-metric-alerts-for-logs) section on sample means of creating a ScheduledQueryRule based log to metric conversion rule before metric alert creation - else there will be no data for the metric alert on logs created.
## Resource Template for Metric Alerts for Logs
-As stated earlier, the process for creation of metric alerts from logs is two pronged:
+As stated earlier, the process for creating metric alerts for logs is two pronged:
1. Create a rule for extracting metrics from supported logs using scheduledQueryRule API 2. Create a metric alert for metric extracted from log (in step1) and Log Analytics workspace as a target resource
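Review bot: The rewritten introduction now speaks of "supported Log Analytics logs", but prerequisite 3, edited in this same change, still says "Supported Log Analytics solution is installed" and prerequisite 4 still says "Log Analytics solutions configured to send logs"; use one term throughout so it is clear whether a solution has to be installed. In the "Metrics and dimensions supported for logs" paragraph, "Log Analytics workspace metric" should be plural. The new opening sentence says the monitored logs "are converted to metrics", while the NOTE further down says the conversion rule is created automatically only through the portal; a pointer from the introduction to that NOTE would stop readers deploying template-based alerts that never receive data.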
azure-monitor Asp Net Core https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/app/asp-net-core.md
The `.cshtml` file names referenced earlier are from a default MVC application t
If your project doesn't include `_Layout.cshtml`, you can still add [client-side monitoring](./website-monitoring.md). To do this, add the JavaScript snippet to an equivalent file that controls the `<head>` of all pages within your app. Or you can add the snippet to multiple pages, but this solution is difficult to maintain and we generally don't recommend it.
+> [!NOTE]
+> JavaScript injection provides a default configuration experience. If you require [configuration](./javascript.md#configuration) beyond setting the instrumentation key, you are required to manually add the [JavaScript SDK](./javascript.md#adding-the-javascript-sdk).
+ ## Configure the Application Insights SDK You can customize the Application Insights SDK for ASP.NET Core to change the default configuration. Users of the Application Insights ASP.NET SDK might be familiar with changing configuration by using `ApplicationInsights.config` or by modifying `TelemetryConfiguration.Active`. For ASP.NET Core, make almost all configuration changes in the `ConfigureServices()` method of your `Startup.cs` class, unless you're directed otherwise. The following sections offer more information.
azure-monitor Container Insights Log Search https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/containers/container-insights-log-search.md
InsightsMetrics
| sort by TimeGenerated asc<br> &#124; project RequestsPerMinute = Val - prev(Val), TimeGenerated | render barchart ```
+### Pods by name and namespace
+
+```kusto
+let startTimestamp = ago(1h);
+KubePodInventory
+| where TimeGenerated > startTimestamp
+| project ContainerID, PodName=Name, Namespace
+| where PodName contains "name" and Namespace startswith "namespace"
+| distinct ContainerID, PodName
+| join
+(
+ ContainerLog
+ | where TimeGenerated > startTimestamp
+)
+on ContainerID
+// at this point before the next pipe, columns from both tables are available to be "projected". Due to both
+// tables having a "Name" column, we assign an alias as PodName to one column which we actually want
+| project TimeGenerated, PodName, LogEntry, LogEntrySource
+| extend TimeGenerated = TimeGenerated - 21600s | order by TimeGenerated desc
+| summarize by TimeGenerated, LogEntry
+| order by TimeGenerated desc
+```
## Query Prometheus metrics data
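Review bot: The added query ends with `summarize by TimeGenerated, LogEntry`, which discards `PodName` and `LogEntrySource` right after projecting them, so the result no longer shows which pod a log line came from even though the heading is "Pods by name and namespace"; include `PodName` in the summarize or drop that step. `extend TimeGenerated = TimeGenerated - 21600s` shifts every timestamp by six hours with no comment and overwrites the original column, which makes the output harder to correlate with other tables; put the shifted value in a new column and say what the offset is for. The literals `"name"` and `"namespace"` look like placeholders and should be marked as such, the first `order by` is redundant because the query sorts again after the summarize, and the `join` has no explicit `kind`.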
The output shows results similar to the following example:
## Next steps
-Container insights does not include a predefined set of alerts. Review the [Create performance alerts with Container insights](./container-insights-log-alerts.md) to learn how to create recommended alerts for high CPU and memory utilization to support your DevOps or operational processes and procedures.
+Container insights does not include a predefined set of alerts. Review the [Create performance alerts with Container insights](./container-insights-log-alerts.md) to learn how to create recommended alerts for high CPU and memory utilization to support your DevOps or operational processes and procedures.
azure-monitor Resource Logs Schema https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/essentials/resource-logs-schema.md
The schema for resource logs varies depending on the resource and log category.
| Azure Digital Twins | [Set up Azure Digital Twins Diagnostics](../../digital-twins/troubleshoot-diagnostics.md#log-schemas) | Event Hubs |[Azure Event Hubs logs](../../event-hubs/event-hubs-diagnostic-logs.md) | | Express Route | Schema not available. |
-| Azure Firewall | Schema not available. |
+| Azure Firewall | [Logging for Azure Firewall](../../firewall/logs-and-metrics.md#diagnostic-logs) |
| Front Door | [Logging for Front Door](../../frontdoor/front-door-diagnostics.md) | | IoT Hub | [IoT Hub Operations](../../iot-hub/monitor-iot-hub-reference.md#resource-logs) | | Key Vault |[Azure Key Vault Logging](../../key-vault/general/logging.md) |
azure-monitor Sql Insights Troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/insights/sql-insights-troubleshoot.md
To see error messages from telegraf service run it manually with the following c
### mdsd service logs
-Check [Current Limitations](../agents/azure-monitor-agent-overview.md#current-limitations) for the Azure Monitor agent.
+Check [prerequisites](../agents/azure-monitor-agent-install.md#prerequisites) for the Azure Monitor agent.
Service logs:
azure-monitor Private Link Security https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/logs/private-link-security.md
As explained in [Planning your Private Link setup](#planning-your-private-link-s
* All in - the simplest and most secure approach is to add all of your Application Insights components to the AMPLS. For components that you wish to still access from other networks as well, leave the ΓÇ£Allow public internet access for ingestion/queryΓÇ¥ flags set to Yes (the default). * Isolate networks - if you are (or can align with) using spoke vnets, follow the guidance in [Hub-spoke network topology in Azure](/azure/architecture/reference-architectures/hybrid-networking/hub-spoke). Then, setup separate private link settings in the relevant spoke VNets. Make sure to separate DNS zones as well, since sharing DNS zones with other spoke networks will cause [DNS overrides](#the-issue-of-dns-overrides). * Use custom DNS zones for specific apps - this solution allows you to access select Application Insights components over a Private Link, while keeping all other traffic over the public routes.
- - Set up a [custom private DNS zone](../../private-link/private-endpoint-dns.md), and give it a unique name, such as internal.monitor.azure.com
+ - Set up a [custom private DNS zone](../../private-link/private-endpoint-dns.md), called in.applicationinsights.azure.com
- Create an AMPLS and a Private Endpoint, and choose **not** to auto-integrate with private DNS - Go to Private Endpoint -> DNS Configuration and review the suggested mapping of FQDNs.
- - Choose to Add Configuration and pick the internal.monitor.azure.com zone you just created
+ - Choose to Add Configuration and pick the in.applicationinsights.azure.com zone you just created
- Add records for the above ![Screenshot of configured DNS zone](./media/private-link-security/private-endpoint-global-dns-zone.png) - Go to your Application Insights component and copy its [Connection String](../app/sdk-connection-string.md).
- - Apps or scripts that wish to call this component over a Private Link should use the connection string with the EndpointSuffix=internal.monitor.azure.com
+ - Apps or scripts that wish to call this component over a Private Link should use the connection string
* Map endpoints through hosts files instead of DNS - to have a Private Link access only from a specific machine/VM in your network: - Set up an AMPLS and a Private Endpoint, and choose **not** to auto-integrate with private DNS - Configure the above A records on a machine that runs the app in the hosts file
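Review bot: The last changed step now stops at "should use the connection string", with the `EndpointSuffix=internal.monitor.azure.com` part removed and nothing put in its place, so it no longer says what the caller must do differently; finish the sentence, for example by stating that the copied connection string is used unchanged, if that is the intent. The zone step also replaces "give it a unique name" with a fixed zone called in.applicationinsights.azure.com. Since the bullet above warns that sharing DNS zones causes DNS overrides, say which virtual networks this zone should be linked to and what happens to names under that zone that have no record in it.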
azure-monitor Vminsights Health Troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/vm/vminsights-health-troubleshoot.md
Last updated 02/25/2021
# Troubleshoot VM insights guest health (preview) This article describes troubleshooting steps that you can take when you have issues with VM insights health.
+## Installation errors
+If any of the following solutions do not solve your installation issue, collect VM Health agent log located at `/var/log/azure/Microsoft.Azure.Monitor.VirtualMachines.GuestHealthLinuxAgent/*.log` and contact Microsoft for further investigation.
-## Upgrade available message is still displayed after upgrading guest health
+### Error message showing db5 error
+Your installation didnΓÇÖt succeed and your installation error message is similar to the following:
+
+```
+script execution exit with error: error: db5 error(5) from dbenv->open: Input/output error
+error: cannot open Packages index using db5 - Input/output error (5)
+error: cannot open Packages database in /var/lib/rpm
+error: db5 error(5) from dbenv->open: Input/output error
+error: cannot open Packages database in /var/lib/rpm
+```
+This is because your package manager rpm database is corrupted, try following the guidance at [RPM Database Recovery](https://rpm.org/user_doc/db_recovery.html) to recover. Once your rpm database is recovered, try to install again.
+
+### Init file already exist error
+Your installation didnΓÇÖt succeed and your installation error message is similar to the following:
+
+```
+Exiting with the following error: "Failed to install VM Guest Health Agent: Init already exists: /etc/systemd/system/vmGuestHealthAgent.service"install vmGuestHealthAgent service execution failed with exit code 37
+```
+
+VM Health Agent will uninstall the existing service first before installing the current version. The reason for this error is likely because the previous service file didnΓÇÖt get cleaned up due to some reason. Login to the VM and run the following command backup existing service file and try re-install again.
+
+```
+sudo mv /etc/systemd/system/vmGuestHealthAgent.service /etc/systemd/system/vmGuestHealthAgent.service.bak
+```
+
+If the installation succeeded, run the following command to remove backup file.
+
+```
+sudo rm /etc/systemd/system/vmGuestHealthAgent.service.bak
+```
+
+### Installation Failed to Exit Code 37
+Your installation didnΓÇÖt succeed and your installation error message is similar to the following:
+
+```
+Exiting with the following error: "Failed to install VM Guest Health Agent: exit status 1"install vmGuestHealthAgent service execution failed with exit code 37
+```
+This is likely because VM Guest Agent couldnΓÇÖt acquire the lock for the service file. Try to reboot your VM which will release the lock.
++
+## Upgrade errors
+
+### Upgrade available message is still displayed after upgrading guest health
- Verify that VM is running in global Azure. Arc enabled servers are not yet supported. - Verify that the virtual machine's region and operating system version are supported as described in [Enable Azure Monitor for VMs guest health (preview)](vminsights-health-enable.md).
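Review bot: In the "Init file already exist error" fix, the instruction "run the following command backup existing service file" is missing words, and the `sudo mv` on `/etc/systemd/system/vmGuestHealthAgent.service` is given without saying whether the service has to be stopped or systemd reloaded before the reinstall; spell the steps out. The heading "Installation Failed to Exit Code 37" does not distinguish this case from the previous one, whose message also ends with "exit code 37"; name it after the text that differs, "exit status 1". The opening sentence should read "If none of the following solutions solves your installation issue", the log path it gives is Linux only, "This is because your package manager rpm database is corrupted, try following" is a comma splice, and the lone "++" line before "## Upgrade errors" looks like a stray character.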
This article describes troubleshooting steps that you can take when you have iss
- For Windows: Check logs at _C:\WindowsAzure\Resources\*{vmName}.AMADataStore_.
+## Usage errors
-
-## Error message that no data is available
+### Error message that no data is available
![No data](media/vminsights-health-troubleshoot/no-data.png)
-### Verify that the virtual machine meets configuration requirements
+#### Verify that the virtual machine meets configuration requirements
1. Verify that the virtual machine is an Azure virtual machine. Azure Arc for servers is not currently supported. 2. Verify that the virtual machine is running a [supported operating system](vminsights-health-enable.md?current-limitations.md). 3. Verify that the virtual machine is installed in a [supported region](vminsights-health-enable.md?current-limitations.md). 4. Verify that the Log Analytics workspace is installed in a [supported region](vminsights-health-enable.md?current-limitations.md).
-### Verify that the VM is properly onboarded
+#### Verify that the VM is properly onboarded
Verify that the Azure Monitor agent extension and Guest VM Health agent are successfully provisioned on the virtual machine. Select **Extensions** from the virtual machine's menu in the Azure portal and make sure that the two agents are listed. ![VM extensions](media/vminsights-health-troubleshoot/extensions.png)
-### Verify the system assigned identity is enabled on the virtual machine
+#### Verify the system assigned identity is enabled on the virtual machine
Verify that the system assigned identity is enabled on the virtual machine. Select **Identity** from the virtual machine's menu in the Azure portal. If user managed identity is enabled, regardless of the status of the system managed identity, Azure Monitor agent will not be able to communicate with the configuration service, and the guest health extension will not work. ![System assigned identity](media/vminsights-health-troubleshoot/system-identity.png)
-### Verify data collection rule
+#### Verify data collection rule
Verify that the data collection rule specifying health extension as a data source is associated with the virtual machine.
-## Error message for bad request due to insufficient permissions
+### Error message for bad request due to insufficient permissions
This error indicates that the **Microsoft.WorkloadMonitor** resource provider wasnΓÇÖt registered in the subscription. See [Azure resource providers and types](../../azure-resource-manager/management/resource-providers-and-types.md#register-resource-provider) for details on registering this resource provider. ![Bad request](media/vminsights-health-troubleshoot/bad-request.png)
-## Health shows as "unknown" after guest health is enabled.
+### Health shows as "unknown" after guest health is enabled.
-### Verify that performance counters on Windows nodes are working correctly
+#### Verify that performance counters on Windows nodes are working correctly
Guest health relies on the agent being able to collect performance counters from the node. he base set of performance counter libraries may become corrupted and may need to be rebuilt. Follow the instructions at [Manually rebuild performance counter library values](/troubleshoot/windows-server/performance/rebuild-performance-counter-library-values) to rebuild the performance counters.
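Review bot: the three links in steps 2 to 4 of the prerequisites list use the target `vminsights-health-enable.md?current-limitations.md`, which puts a second file name in a query string where a section anchor appears to be intended, so all three should be checked and corrected while this file is being touched. In the performance counter paragraph, "he base set of performance counter libraries" is missing its first letter and should read "The base set". The promoted heading `### Health shows as "unknown" after guest health is enabled.` also keeps a trailing period that none of the other headings in this hunk have.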
Guest health relies on the agent being able to collect performance counters from
## Next steps -- [Get an overview of the guest health feature of VM insights](vminsights-health-overview.md)
+- [Get an overview of the guest health feature of VM insights](vminsights-health-overview.md)
azure-netapp-files Storage Service Add Ons https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-netapp-files/storage-service-add-ons.md
na ms.devlang: na Previously updated : 05/06/2021 Last updated : 06/15/2021 # Storage service add-ons for Azure NetApp Files
-The **Storage service add-ons** portal menu of Azure NetApp Files provides a ΓÇ£launching padΓÇ¥ for supported third-party, ecosystem add-ons to the Azure NetApp Files storage service.
+The **Storage service add-ons** portal menu of Azure NetApp Files provides a ΓÇ£launching padΓÇ¥ for available third-party, ecosystem add-ons to the Azure NetApp Files storage service.
## Access storage service add-ons
Clicking a category (for example, **NetApp add-ons**) under **Storage service ad
## Next steps
-* [Solution architectures using Azure NetApp Files](azure-netapp-files-solution-architectures.md)
+* [Solution architectures using Azure NetApp Files](azure-netapp-files-solution-architectures.md)
azure-netapp-files Whats New https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-netapp-files/whats-new.md
na ms.devlang: na Previously updated : 06/14/2021 Last updated : 06/15/2021
Azure NetApp Files is updated regularly. This article provides a summary about t
* [Azure NetApp Files storage service add-ons](storage-service-add-ons.md)
- The new Azure NetApp Files **Storage service add-ons** menu option provides an Azure portal ΓÇ£launching padΓÇ¥ for supported third-party, ecosystem add-ons to the Azure NetApp Files storage service. With this new portal menu option, you can enter a landing page by clicking an add-on tile to quickly access the add-on.
+ The new Azure NetApp Files **Storage service add-ons** menu option provides an Azure portal ΓÇ£launching padΓÇ¥ for available third-party, ecosystem add-ons to the Azure NetApp Files storage service. With this new portal menu option, you can enter a landing page by clicking an add-on tile to quickly access the add-on.
**NetApp add-ons** is the first category of add-ons introduced under **Storage service add-ons**. It provides access to **NetApp Cloud Compliance**. Clicking the **NetApp Cloud Compliance** tile opens a new browser and directs you to the add-on installation page.
azure-resource-manager Deploy Cli https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/bicep/deploy-cli.md
To avoid conflicts with concurrent deployments and to ensure unique entries in t
## Next steps * To roll back to a successful deployment when you get an error, see [Rollback on error to successful deployment](../templates/rollback-on-error.md).
-* To understand how to define parameters in your template, see [Understand the structure and syntax of ARM templates](../templates/syntax.md).
+- To understand how to define parameters in your file, see [Understand the structure and syntax of Bicep files](file.md).
* For tips on resolving common deployment errors, see [Troubleshoot common Azure deployment errors with Azure Resource Manager](../templates/common-deployment-errors.md).
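Review bot: the replacement bullet in Next steps starts with `-` while the bullets directly above and below it in the same list still start with `*`, so the list now mixes two markers. Use `*` on the new line to match its neighbours, or convert the whole list in the same change.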
azure-resource-manager Deploy Powershell https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/bicep/deploy-powershell.md
New-AzResourceGroupDeployment -ResourceGroupName testgroup `
### Parameter files
-Rather than passing parameters as inline values in your script, you may find it easier to use a JSON file that contains the parameter values. The parameter file can be a local file or an external file with an accessible URI.Bicep file uses JSON parameter files.
+Rather than passing parameters as inline values in your script, you may find it easier to use a JSON file that contains the parameter values. The parameter file can be a local file or an external file with an accessible URI. Bicep file uses JSON parameter files.
For more information about the parameter file, see [Create Resource Manager parameter file](./parameter-files.md).
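Review bot: the added line fixes the missing space, but the sentence it exposes, "Bicep file uses JSON parameter files", is still ungrammatical; "Bicep files use JSON parameter files" reads correctly. Since the same paragraph says the parameter file can be an external file with an accessible URI, a pointer here to the guidance on keeping secret values out of parameter files would also help readers who host them remotely.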
To avoid conflicts with concurrent deployments and to ensure unique entries in t
## Next steps - To roll back to a successful deployment when you get an error, see [Rollback on error to successful deployment](../templates/rollback-on-error.md).-- To understand how to define parameters in your template, see [Understand the structure and syntax of ARM templates](../templates/syntax.md).
+- To understand how to define parameters in your file, see [Understand the structure and syntax of Bicep files](file.md).
- For information about deploying a template that requires a SAS token, see [Deploy private ARM template with SAS token](../templates/secure-template-with-sas-token.md).
azure-resource-manager Outputs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/bicep/outputs.md
Last updated 06/01/2021
# Outputs in Bicep
-This article describes how to define output values in your Azure Resource Manager template (ARM template) and Bicep file. You use outputs when you need to return values from the deployed resources.
+This article describes how to define output values in a Bicep file. You use outputs when you need to return values from the deployed resources.
The format of each output value must resolve to one of the [data types](data-types.md).
azure-resource-manager Move Support Resources https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/management/move-support-resources.md
Third-party services currently don't support the move operation.
- For commands to move resources, see [Move resources to new resource group or subscription](move-resource-group-and-subscription.md). - [Learn more](../../resource-mover/overview.md) about the Resource Mover service.-- To get the same data as a file of comma-separated values, download [move-support-resources.csv](https://github.com/tfitzmac/resource-capabilities/blob/master/move-support-resources.csv).
+- To get the same data as a file of comma-separated values, download [move-support-resources.csv](https://github.com/tfitzmac/resource-capabilities/blob/master/move-support-resources.csv) for resource group and subscription move support. If you want those properties and region move support, download [move-support-resources-with-regions.csv](https://github.com/tfitzmac/resource-capabilities/blob/master/move-support-resources-with-regions.csv).
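Review bot: in the added bullet, "If you want those properties and region move support" has no clear referent for "those properties"; naming them directly (resource group and subscription move support) would make the choice between the two files unambiguous. Both links say "download" but point at the `blob/master` page of the `tfitzmac/resource-capabilities` repository, which is the rendered view at the branch head rather than the file itself, so the text should either say "view" or link to the raw file.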
azure-resource-manager Frequently Asked Questions https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/frequently-asked-questions.md
- Title: ARM template frequently asked questions
-description: Frequently asked questions (FAQ) about Azure Resource Manager templates (ARM templates).
- Previously updated : 03/03/2021----
-# Frequently asked questions about ARM templates
-
-This article answers frequently asked questions about Azure Resource Manager templates (ARM templates).
-
-## Getting started
-
-* **What are ARM templates, and why should I use them?**
-
- ARM templates are JSON files where you define what you want to deploy to Azure. Templates help you implement an infrastructure-as-code solution for Azure. Your organization can repeatedly and reliably deploy the required infrastructure to different environments.
-
- To learn more about how ARM templates help you manage your Azure infrastructure, see [What are ARM templates?](overview.md)
-
-* **How do I get started with templates?**
-
- To simplify authoring ARM templates, you need the right tools. We recommend installing [Visual Studio Code](https://code.visualstudio.com/) and the [Azure Resource Manager tools extension](https://marketplace.visualstudio.com/items?itemName=msazurermtools.azurerm-vscode-tools). For a quick introduction to these tools, see [Quickstart: Create ARM templates with Visual Studio Code](quickstart-create-templates-use-visual-studio-code.md).
-
- When you're ready to learn about creating ARM templates, start the [beginner tutorial series on ARM templates](template-tutorial-create-first-template.md). These tutorials take you step by step through the process of constructing an ARM template. You learn about the different sections of the template and how to they work together. This content is also available as a [Microsoft Learn module](/learn/modules/authoring-arm-templates/).
-
-* **Should I use ARM templates or Terraform to deploy to Azure?**
-
- Use the option that you like the best. Both services assist you with automating deployments to Azure.
-
- We believe there are benefits to using ARM templates over other infrastructure-as-code services. To learn about those benefits, see [Why choose ARM templates?](overview.md#why-choose-arm-templates)
-
-## Build 2020
-
-* **I missed your presentation at Microsoft Build 2020. Is the presentation available for viewing?**
-
- Yes, please [watch it anytime](https://mybuild.microsoft.com/sessions/82984db4-37a4-4ed3-bf8b-13298841ed18?source=sessions).
-
-* **Where can I get more information about the new features you announced at Build?**
-
- For general information about features we're working, join our [Azure Advisors Deployments Yammer group](https://aka.ms/ARMMeet).
-
- To learn about the new template language, [sign up for notifications](https://aka.ms/armLangUpdates).
-
- To learn about template specs, see [Azure Resource Manager template specs](template-specs.md).
-
-## Creating and testing templates
-
-* **Where can I learn about best practices for ARM templates?**
-
- For recommendations about how you implement your templates, see [ARM template best practices](./best-practices.md). After creating a template, run the [ARM test toolkit](https://github.com/azure/arm-ttk). It checks whether your template matches recommended practices.
-
-* **I have set up my environment through the portal. Is there some way to get the template from an existing resource group?**
-
- Yes, you can [export the template](export-template-portal.md) from a resource group. The exported template is a good starting point for learning about templates, but you'll probably want to revise it before using it in a production environment.
-
- When exporting the template, you can select which resources you want to include in the template.
-
-* **Can I create a resource group in an ARM template and deploy resources to it?**
-
- Yes, you can create a resource group in a template when you deploy the template at the level of your Azure subscription. For an example of creating a resource group and deploying resources, see [Resource group and resources](deploy-to-subscription.md#resource-groups).
-
-* **Can I create a subscription in an ARM template?**
-
- Yes, for more information, see [Programmatically create Azure subscriptions with the latest APIs](../../cost-management-billing/manage/programmatically-create-subscription-enterprise-agreement.md).
-
-* **How can I test my template before deploying it?**
-
- We recommend running the [ARM test toolkit](https://github.com/azure/arm-ttk) and the [what-if operation](./deploy-what-if.md) on your templates before deploying them. The test toolkit checks whether your template uses best practices. It provides warnings when it identifies changes that could improve how you've implemented your template.
-
- The what-if operation shows the changes your template will make to your environment. You can see unintended changes before they're deployed. What-if also returns any errors it can detect during preflight validation. For example, if your template contains a syntactical error, it returns that error. It also returns any errors it can determine about the final state of the deployed resources. For example, if your template deploys a storage account with a name that is already in use, what-if returns that error.
-
-* **Where can I find information about the properties that are available for each resource type?**
-
- VS Code provides intellisense for working with the resource properties. You can also view the [template reference](/azure/templates/) for properties and descriptions.
-
-* **I need to create multiple instances of a resource type. How do I create an iterator in my template?**
-
- Use the copy element to specify more than one instance. You can use copy on [resources](copy-resources.md), [properties](copy-properties.md), [variables](copy-variables.md), and [outputs](copy-outputs.md).
-
-## Template language
-
-* **I've heard you're working on a new template language. Where can I find out more about it?**
-
- To learn about the new language, see [What is Bicep (Preview)?](../bicep/overview.md).
-
-* **Is there a plan to support creating templates in YAML?**
-
- Currently, there's no plan to support YAML. We believe the new template language will offer a solution that is easier to use than YAML or JSON.
-
-* **Can I still write templates in JSON after the new template language has been released?**
-
- Yes, you can continue using JSON templates.
-
-* **Will you offer a tool to convert my JSON templates to the new template language?**
-
- Yes. See [Converting ARM templates between JSON and Bicep](../bicep/decompile.md).
-
-## Template Specs
-
-* **How are template specs and Azure Blueprints related?**
-
- Azure Blueprints will use template specs in its implementation by replacing the `blueprint definition` resource with a `template spec` resource. We'll provide a migration path to convert the blueprint definition into a template spec, but the blueprint definition APIs will still be supported. There are no changes to the `blueprint assignment` resource. Blueprints will remain a user-experience to compose a governed environment in Azure.
-
-* **Do template specs replace linked templates?**
-
- No, but template specs are designed to work well with linked templates. You don't have to move the linked template to a publicly accessible endpoint before deploying the parent template. Instead, you package the parent template and its artifacts together when creating the template spec.
-
-* **Can template specs be shared across subscriptions?**
-
- Yes, they can be used across subscriptions as long as the user has read access to the template spec. Template specs can't be used across tenants.
-
-## Scripts in templates
-
-* **Can I include a script in my template to do tasks that aren't possible in a template?**
-
- Yes, use [deployment scripts](deployment-script-template.md). You can include Azure PowerShell or Azure CLI scripts in your templates.
-
-* **Can I still use custom script extensions and desired state configuration (DSC)?**
-
- Those options are still available and haven't changed. Deployment scripts are designed to perform actions that aren't related to the VM guest. If you need to run a script on a host operating system in a VM, then the custom script extension and/or DSC would be a better choice. However, deployment scripts have advantages, such as setting the timeout duration.
-
-* **Are deployment scripts supported in Azure Government?**
-
- Yes, you can use deployment scripts in US Gov Arizona and US Gov Virginia.
-
-## Preview changes before deployment
-
-* **Can I preview the changes that will happen before deploying a template?**
-
- Yes, use the [what-if feature](./deploy-what-if.md). It evaluates the current state of your environment and compares it to the state that will exist after deployment. You can examine the summarized changes to make sure the template doesn't have any unexpected results.
-
-* **Can I use what-if with both incremental and complete modes?**
-
- Yes, both [deployment modes](deployment-modes.md) are supported. For an example of using incremental mode, see [Run what-if operation](./deploy-what-if.md#run-what-if-operation). For an example of using complete mode, see [Confirm deletion](./deploy-what-if.md#confirm-deletion).
-
-* **Does what-if work with linked templates?**
-
- Yes, what-if evaluates the state of the parent template and its linked templates.
-
-* **Can I use what-if in an Azure Pipeline?**
-
- Yes, you can use what-if to verify that the Pipeline should continue.
-
-* **When I use what-if, I see changes in properties that aren't in my template. Is this "noise" expected?**
-
- We're working on reducing the noise. You help us improve by submitting issues in our GitHub repo here: https://aka.ms/WhatIfIssues
-
-## Template visualizer
-
-* **Is there a way for me to visualize my ARM template and its resources?**
-
- We have a [community-contributed VS Code extension](https://aka.ms/ARMVisualizer) that does a great job of visualizing your ARM template. It shows the resources you're deploying and the relationships between them.
-
-* **Can I use the template visualizer outside of VS Code?**
-
- The template visualizer is being previewed in the portal. For more information, watch this [short session from Build](https://mybuild.microsoft.com/sessions/0525094b-1fd2-4f69-bfd6-6d2fff6ffe5f?source=sessions).
-
-## Deployment limits
-
-* **How many resource groups can I deploy to in a single deployment operation?**
-
- In the past, this limit was five resource groups. It has recently been increased to 800 resource groups. For more information, see [Create resource groups and resources at the subscription level](deploy-to-subscription.md).
-
-* **I got an error about being limited to 800 deployments in the deployment history. What should I do?**
-
- We're changing how the deployment history for a resource group is maintained. In the past, you had to manually delete deployments from this history to avoid this error. Starting in June 2020, we'll automatically delete deployments from the history as you get near the limit. For more information, see [Automatic deletions from deployment history](deployment-history-deletions.md).
-
- Deleting a deployment from the history doesn't affect the deployed resources.
-
-## Templates and DevOps
-
-* **Can I integrate ARM templates into Azure Pipelines?**
-
- Yes. For an explanation of how to use template and pipelines, see [Tutorial: Continuous integration of ARM templates with Azure Pipelines](deployment-tutorial-pipeline.md) and [Integrate ARM templates with Azure Pipelines](add-template-to-azure-pipelines.md).
-
-* **Can I use GitHub actions to deploy a template?**
-
- Yes, see [Deploy ARM templates by using GitHub Actions](deploy-github-actions.md).
-
-## Next steps
-
-For an introduction to ARM templates, see [What are ARM templates?](overview.md).
azure-resource-manager Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/overview.md
This approach means you can safely share templates that meet your organization's
* To learn about ARM templates through a guided set of modules on Microsoft Learn, see [Deploy and manage resources in Azure by using ARM templates](/learn/paths/deploy-manage-resource-manager-templates/). * For information about the properties in template files, see [Understand the structure and syntax of ARM templates](./syntax.md). * To learn about exporting templates, see [Quickstart: Create and deploy ARM templates by using the Azure portal](quickstart-create-templates-use-the-portal.md).
-* For answers to common questions, see [Frequently asked questions about ARM templates](frequently-asked-questions.md).
+* For answers to common questions, see [Frequently asked questions about ARM templates](frequently-asked-questions.yml).
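Review bot: the Next steps link now targets `frequently-asked-questions.yml`, and the `.md` it replaces is deleted in this same set of changes, but the addition of the `.yml` file is not part of what is shown here. Confirm the new file lands in the same commit and that a relative link to a `.yml` target resolves in the published build, because the identical change is made in syntax.md and a miss would break both pages.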
azure-resource-manager Syntax https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/syntax.md
You can break a string into multiple lines. For example, see the `location` prop
* For details about the functions you can use from within a template, see [ARM template functions](template-functions.md). * To combine several templates during deployment, see [Using linked and nested templates when deploying Azure resources](linked-templates.md). * For recommendations about creating templates, see [ARM template best practices](./best-practices.md).
-* For answers to common questions, see [Frequently asked questions about ARM templates](frequently-asked-questions.md).
+* For answers to common questions, see [Frequently asked questions about ARM templates](frequently-asked-questions.yml).
azure-sql Monitor Tune Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/monitor-tune-overview.md
ms.devlang: ---+++ Last updated 03/17/2021 # Monitoring and performance tuning in Azure SQL Database and Azure SQL Managed Instance
azure-sql Planned Maintenance https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/planned-maintenance.md
Ensuring that your client application is resilient to maintenance events prior t
Any client production application that connects to a cloud database service should implement a robust connection [retry logic](troubleshoot-common-connectivity-issues.md#retry-logic-for-transient-errors). This will help make reconfigurations transparent to the end users, or at least minimize negative effects.
+### Service Health Alert
+
+If you want to receive alerts for service issues or planned maintenance activities, you can use Service Health alerts in the Azure portal with appropriate event type and action groups. For more information, see this [Receive alerts on Azure service notifications](../../service-health/alerts-activity-log-service-notifications-portal.md#create-service-health-alert-using-azure-portal).
+ ## Resource health If your database is experiencing log-on failures, check the [Resource Health](../../service-health/resource-health-overview.md#get-started) window in the [Azure portal](https://portal.azure.com) for the current status. The Health History section contains the downtime reason for each event (when available).
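Review bot: the new heading `### Service Health Alert` is title case and level 3, while the sibling that follows it, `## Resource health`, is sentence case and level 2, so the new section ends up nested under the preceding retry logic section instead of sitting beside Resource health. Making it `## Service Health alerts` would fix both. In the body, "see this [Receive alerts on Azure service notifications]" should drop "this", and "with appropriate event type and action groups" needs an article ("with the appropriate event type and action groups").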
azure-sql Scale Resources https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/scale-resources.md
ms.devlang: ---+++ Last updated 06/25/2019
When demand for your app grows from a handful of devices and customers to millio
You can mitigate performance issues due to increased usage of your application that cannot be fixed using indexing or query rewrite methods. Adding more resources enables you to quickly react when your database hits the current resource limits and needs more power to handle the incoming workload. Azure SQL Database also enables you to scale-down the resources when they are not needed to lower the cost.
-You donΓÇÖt need to worry about purchasing hardware and changing underlying infrastructure. Scaling a database can be easily done via the Azure portal using a slider.
+You don't need to worry about purchasing hardware and changing underlying infrastructure. Scaling a database can be easily done via the Azure portal using a slider.
![Scale database performance](./media/scale-resources/scale-performance.svg)
azure-sql Service Tier Business Critical https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/service-tier-business-critical.md
ms.devlang: ---+++ Last updated 12/04/2018 # Business Critical tier - Azure SQL Database and Azure SQL Managed Instance
In addition, Business Critical cluster has built-in [Read Scale-Out](read-scale-
Business Critical service tier is designed for applications that require low-latency responses from the underlying SSD storage (1-2 ms in average), fast recovery if the underlying infrastructure fails, or need to off-load reports, analytics, and read-only queries to the free of charge readable secondary replica of the primary database. The key reasons why you should choose Business Critical service tier instead of General Purpose tier are:-- **Low I/O latency requirements** ΓÇô workloads that need a fast response from the storage layer (1-2 milliseconds in average) should use Business Critical tier. -- **Frequent communication between application and database**. Applications that cannot leverage application-layer caching or [request batching](../performance-improve-use-batching.md) and need to send many SQL queries that must be quickly processed are good candidates for the Business Critical tier.-- **Large number of updates** ΓÇô insert, update, and delete operations modify the data pages in memory (dirty page) that must be saved to data files with `CHECKPOINT` operation. Potential database engine process crash or a failover of the database with a large number of dirty pages might increase recovery time in General Purpose tier. Use Business Critical tier if you have a workload that causes many in-memory changes. -- **Long running transactions that modify data**. Transactions that are opened for a longer time prevent log file truncation, which might increase log size and number of [Virtual log files (VLF)](/sql/relational-databases/sql-server-transaction-log-architecture-and-management-guide#physical_arch). High number of VLFs can slow down recovery of database after failover.-- **Workload with reporting and analytic queries** that can be redirected to the free-of-charge secondary read-only replica.
+- **Low I/O latency requirements** ΓÇô workloads that need a fast response from the storage layer (1-2 milliseconds in average) should use Business Critical tier.
+- **Frequent communication between application and database**. Applications that cannot leverage application-layer caching or [request batching](../performance-improve-use-batching.md) and need to send many SQL queries that must be quickly processed are good candidates for the Business Critical tier.
+- **Large number of updates** ΓÇô insert, update, and delete operations modify the data pages in memory (dirty page) that must be saved to data files with `CHECKPOINT` operation. Potential database engine process crash or a failover of the database with a large number of dirty pages might increase recovery time in General Purpose tier. Use Business Critical tier if you have a workload that causes many in-memory changes.
+- **Long running transactions that modify data**. Transactions that are opened for a longer time prevent log file truncation, which might increase log size and number of [Virtual log files (VLF)](/sql/relational-databases/sql-server-transaction-log-architecture-and-management-guide#physical_arch). High number of VLFs can slow down recovery of database after failover.
+- **Workload with reporting and analytic queries** that can be redirected to the free-of-charge secondary read-only replica.
- **Higher resiliency and faster recovery from failures**. In a case of system failure, the database on primary instance will be disabled and one of the secondary replicas will be immediately became new read-write primary database that is ready to process queries. The database engine doesn't need to analyze and redo transactions from the log file and load all data in the memory buffer. - **Advanced data corruption protection**. Business Critical tier leverages database replicas behind-the-scenes for business continuity purposes, and so the service also then leverages automatic page repair, which is the same technology used for SQL Server database [mirroring and availability groups](/sql/sql-server/failover-clusters/automatic-page-repair-availability-groups-database-mirroring). In the event that a replica cannot read a page due to a data integrity issue, a fresh copy of the page will be retrieved from another replica, replacing the unreadable page without data loss or customer downtime. This functionality is applicable in General Purpose tier if the database has geo-secondary replica. - **Higher availability** - Business Critical tier in Multi-AZ configuration guarantees 99.995% availability, compared to 99.99% of General Purpose tier.
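Review bot: now that the first five bullets are split onto their own lines, the separator after each bold lead-in is visibly inconsistent: the first and third use a dash, the second and fourth a period, and the fifth runs straight into the sentence, while the last bullet in the list uses a hyphen. Pick one form for the whole list. The unchanged bullet below also contains "will be immediately became new read-write primary database", which should read "will immediately become the new read-write primary database".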
azure-sql Service Tier General Purpose https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/service-tier-general-purpose.md
ms.devlang: ---+++ Last updated 02/07/2019 # General Purpose service tier - Azure SQL Database and Azure SQL Managed Instance
azure-sql Restore Sample Database Quickstart https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/managed-instance/restore-sample-database-quickstart.md
ms.devlang: --++ Last updated 12/14/2018
azure-sql Oracle To Sql On Azure Vm Guide https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/migration-guides/virtual-machines/oracle-to-sql-on-azure-vm-guide.md
To publish your schema and migrate the data, follow these steps:
![Screenshot that shows a SQL Server instance in SSMA.](./media/oracle-to-sql-on-azure-vm-guide/validate-in-ssms.png) Instead of using SSMA, you could use SQL Server Integration Services (SSIS) to migrate the data. To learn more, see: -- The article [SQL Server Integration Services](//sql/integration-services/sql-server-integration-services).
+- The article [SQL Server Integration Services](/sql/integration-services/sql-server-integration-services).
- The white paper [SSIS for Azure and Hybrid Data Movement](https://download.microsoft.com/download/D/2/0/D20E1C5F-72EA-4505-9F26-FEF9550EFD44/SSIS%20Hybrid%20and%20Azure.docx).
azure-sql Multi Model Features https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/multi-model-features.md
ms.devlang: ---+++ Last updated 12/17/2018 # Multi-model capabilities of Azure SQL Database & SQL Managed Instance
azure-video-analyzer Animated Characters Recognition How To https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-for-media-docs/animated-characters-recognition-how-to.md
Title: Animated character detection with Azure Video Analyzer for Media (formerly Video Indexer) how to-+ description: This how to demonstrates how to use animated character detection with Azure Video Analyzer for Media (formerly Video Indexer).-+ + Last updated 12/07/2020
azure-video-analyzer Animated Characters Recognition https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-for-media-docs/animated-characters-recognition.md
Title: Animated character detection with Azure Video Analyzer for Media (formerly Video Indexer)-+ description: This topic demonstrates how to use animated character detection with Azure Video Analyzer for Media (formerly Video Indexer).-+ + Last updated 11/19/2019
For details, see [Use the animated character detection with portal and API](anim
## Next steps
-[Video Analyzer for Media overview](video-indexer-overview.md)
+[Video Analyzer for Media overview](video-indexer-overview.md)
azure-video-analyzer Audio Effects Detection https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-for-media-docs/audio-effects-detection.md
+ Last updated 05/12/2021
azure-video-analyzer Compare Video Indexer With Media Services Presets https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-for-media-docs/compare-video-indexer-with-media-services-presets.md
Title: Comparison of Azure Video Analyzer for Media (formerly Video Indexer) and Azure Media Services v3 presets description: This article compares Azure Video Analyzer for Media (formerly Video Indexer) capabilities and Azure Media Services v3 presets.-+ documentationcenter: ''
na ms.devlang: na + Last updated 02/24/2020
azure-video-analyzer Concepts Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-for-media-docs/concepts-overview.md
Title: Azure Video Analyzer for Media (formerly Video Indexer) concepts - Azure description: This article gives a brief overview of Azure Video Analyzer for Media (formerly Video Indexer) terminology and concepts.-+ + Last updated 01/19/2021
azure-video-analyzer Connect To Azure https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-for-media-docs/connect-to-azure.md
Title: Create a Azure Video Analyzer for Media (formerly Video Indexer) account connected to Azure-+ description: Learn how to create a Azure Video Analyzer for Media (formerly Video Indexer) account connected to Azure.-+ + Last updated 01/14/2021
azure-video-analyzer Considerations When Use At Scale https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-for-media-docs/considerations-when-use-at-scale.md
Title: Things to consider when using Azure Video Analyzer for Media (formerly Video Indexer) at scale - Azure-+ description: This topic explains what things to consider when using Azure Video Analyzer for Media (formerly Video Indexer) at scale.-+ + Last updated 11/13/2020
Therefore, we recommend you to verify that you get the right results for your us
## Next steps
-[Examine the Azure Video Analyzer for Media output produced by API](video-indexer-output-json-v2.md)
+[Examine the Azure Video Analyzer for Media output produced by API](video-indexer-output-json-v2.md)
azure-video-analyzer Customize Brands Model Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-for-media-docs/customize-brands-model-overview.md
Title: Customize a Brands model in Azure Video Analyzer for Media (formerly Video Indexer) - Azure -+ description: This article gives an overview of what is a Brands model in Azure Video Analyzer for Media (formerly Video Indexer) and how to customize it. -+ + Last updated 12/15/2019
azure-video-analyzer Customize Brands Model With Api https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-for-media-docs/customize-brands-model-with-api.md
Title: Customize a Brands model with Azure Video Analyzer for Media (formerly Video Indexer) API-+ description: Learn how to customize a Brands model with the Azure Video Analyzer for Media (formerly Video Indexer) API.-+ + Last updated 01/14/2020
azure-video-analyzer Customize Brands Model With Website https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-for-media-docs/customize-brands-model-with-website.md
Title: Customize a Brands model with the Azure Video Analyzer for Media (formerly Video Indexer) website-+ description: Learn how to customize a Brands model with the Azure Video Analyzer for Media (formerly Video Indexer) website.-+ + Last updated 12/15/2019
azure-video-analyzer Customize Content Models Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-for-media-docs/customize-content-models-overview.md
Title: Customizing content models in Azure Video Analyzer for Media (formerly Video Indexer)-+ description: This article gives links to the conceptual articles that explain the benefits of each type of customization. This article also links to how-to guides that show how you can implement the customization of each model.-+ + Last updated 06/26/2019
azure-video-analyzer Customize Language Model Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-for-media-docs/customize-language-model-overview.md
Title: Customize a Language model in Azure Video Analyzer for Media (formerly Video Indexer) - Azure -+ description: This article gives an overview of what is a Language model in Azure Video Analyzer for Media (formerly Video Indexer) and how to customize it.-+ + Last updated 05/15/2019
azure-video-analyzer Customize Language Model With Api https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-for-media-docs/customize-language-model-with-api.md
Title: Customize a Language model with Azure Video Analyzer for Media (formerly Video Indexer) API-+ description: Learn how to customize a Language model with the Azure Video Analyzer for Media (formerly Video Indexer) API.-+ + Last updated 02/04/2020
azure-video-analyzer Customize Language Model With Website https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-for-media-docs/customize-language-model-with-website.md
Title: Customize Language model with Azure Video Analyzer for Media (formerly Video Indexer) website-+ description: Learn how to customize a Language model with the Azure Video Analyzer for Media (formerly Video Indexer) website.-+ + Last updated 08/10/2020
azure-video-analyzer Customize Person Model Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-for-media-docs/customize-person-model-overview.md
Title: Customize a Person model in Azure Video Analyzer for Media (formerly Video Indexer) - Azure -+ description: This article gives an overview of what is a Person model in Azure Video Analyzer for Media (formerly Video Indexer) and how to customize it. -+ + Last updated 05/15/2019
azure-video-analyzer Customize Person Model With Api https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-for-media-docs/customize-person-model-with-api.md
Title: Customize a Person model with Azure Video Analyzer for Media (formerly Video Indexer) API-+ description: Learn how to customize a Person model with the Azure Video Analyzer for Media (formerly Video Indexer) API.-+ + Last updated 01/14/2020
azure-video-analyzer Customize Person Model With Website https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-for-media-docs/customize-person-model-with-website.md
Title: Customize a Person model with Azure Video Analyzer for Media (formerly Video Indexer) website-+ description: Learn how to customize a Person model with the Azure Video Analyzer for Media (formerly Video Indexer) website.-+ + Last updated 12/16/2020
azure-video-analyzer Faq https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-for-media-docs/faq.md
Title: Frequently asked questions about Azure Video Analyzer for Media (formerly Video Indexer) - Azure-+ description: This article gives answers to frequently asked questions about Azure Video Analyzer for Media (formerly Video Indexer).-+ + Last updated 05/25/2021
Yes, Video Analyzer for Media offers a free trial that gives full service and AP
## Next steps * [Overview](video-indexer-overview.md)
-* [Stack Overflow](https://stackoverflow.com/search?q=video-indexer)
+* [Stack Overflow](https://stackoverflow.com/search?q=video-indexer)
azure-video-analyzer Invite Users https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-for-media-docs/invite-users.md
Title: Invite users to Azure Video Analyzer for Media (former Video Analyzer for Media) - Azure -+ description: This article shows how to invite users to Azure Video Analyzer for Media (former Video Analyzer for Media).-+ + Last updated 02/03/2021
azure-video-analyzer Language Identification Model https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-for-media-docs/language-identification-model.md
Title: Use Azure Video Analyzer for Media (formerly Video Indexer) to auto identify spoken languages - Azure-+ description: This article describes how the Azure Video Analyzer for Media (formerly Video Indexer) language identification model is used to automatically identifying the spoken language in a video.-+ + Last updated 04/12/2020
azure-video-analyzer Live Stream Analysis https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-for-media-docs/live-stream-analysis.md
Title: Live stream analysis using Azure Video Analyzer for Media (formerly Video Indexer)-+ description: This article shows how to perform a live stream analysis using Azure Video Analyzer for Media (formerly Video Indexer).-+ + Last updated 11/13/2019
azure-video-analyzer Logic Apps Connector Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-for-media-docs/logic-apps-connector-tutorial.md
++ Last updated 09/21/2020
azure-video-analyzer Manage Account Connected To Azure https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-for-media-docs/manage-account-connected-to-azure.md
Title: Manage a Azure Video Analyzer for Media (formerly Video Indexer) account-+ description: Learn how to manage a Azure Video Analyzer for Media (formerly Video Indexer) account connected to Azure.-+ + Last updated 01/14/2021
azure-video-analyzer Manage Multiple Tenants https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-for-media-docs/manage-multiple-tenants.md
Title: Manage multiple tenants with Azure Video Analyzer for Media (formerly Video Indexer) - Azure description: This article suggests different integration options for managing multiple tenants with Azure Video Analyzer for Media (formerly Video Indexer).-+ documentationcenter: '' editor: '' + Last updated 05/15/2019
azure-video-analyzer Multi Language Identification Transcription https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-for-media-docs/multi-language-identification-transcription.md
Title: Automatically identify and transcribe multi-language content with Azure Video Analyzer for Media (formerly Video Indexer)-+ description: This topic demonstrates how to automatically identify and transcribe multi-language content with Azure Video Analyzer for Media (formerly Video Indexer).-+ + Last updated 09/01/2019
azure-video-analyzer Observed People Tracing https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-for-media-docs/observed-people-tracing.md
Title: Trace observed people in a video-+ description: This topic gives an overview of a Trace observed people in a video concept.-+ + Last updated 04/30/2021
azure-video-analyzer Regions https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-for-media-docs/regions.md
Title: Regions in which Azure Video Analyzer for Media (formerly Video Indexer) is available - Azure -
+ Title: Regions in which Azure Video Analyzer for Media (formerly Video Indexer) is available
+ description: This article talks about Azure regions in which Azure Video Analyzer for Media (formerly Video Indexer) is available.-+ + Last updated 09/14/2020
azure-video-analyzer Release Notes https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-for-media-docs/release-notes.md
Title: Azure Video Analyzer for Media (formerly Video Indexer) release notes | Microsoft Docs description: To stay up-to-date with the most recent developments, this article provides you with the latest updates on Azure Video Analyzer for Media (formerly Video Indexer).-+ documentationcenter: '' editor: '' + Last updated 05/06/2021
Three new Git-Hub projects are available at our [GitHub repository](https://gith
### New option to toggle bounding boxes (for observed people) on the player
-When indexing a video through our advanced video settings, you can view our new observed people capabilities.
-
-If there are people detected in your media file, you can enable a bounding box on the detected person through the media player.
+When indexing a video through our advanced video settings, you can view our new observed people capabilities. If there are people detected in your media file, you can enable a bounding box on the detected person through the media player.
## April 2021
azure-video-analyzer Scenes Shots Keyframes https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-for-media-docs/scenes-shots-keyframes.md
Title: Azure Video Analyzer for Media (formerly Video Indexer) scenes, shots, and keyframes -+ description: This topic gives an overview of the Azure Video Analyzer for Media (formerly Video Indexer) scenes, shots, and keyframes.-+ + Last updated 07/05/2019
azure-video-analyzer Upload Index Videos https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-for-media-docs/upload-index-videos.md
Title: Upload and index videos with Azure Video Analyzer for Media (formerly Video Indexer)-+ description: This topic demonstrates how to use APIs to upload and index your videos with Azure Video Analyzer for Media (formerly Video Indexer). + Last updated 05/12/2021
azure-video-analyzer Use Editor Create Project https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-for-media-docs/use-editor-create-project.md
Title: Use the Azure Video Analyzer for Media (formerly Video Indexer) editor to create projects and add video clips-+ description: This topic demonstrates how to use the Azure Video Analyzer for Media (formerly Video Indexer) editor to create projects and add video clips.-+ + Last updated 11/28/2020
azure-video-analyzer Video Indexer Disaster Recovery https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-for-media-docs/video-indexer-disaster-recovery.md
Title: Azure Video Analyzer for Media (formerly Video Indexer) failover and disaster recovery-+ description: Learn how to failover to a secondary Azure Video Analyzer for Media (formerly Video Indexer) account if a regional datacenter failure or disaster occurs.-+ documentationcenter: '' editor: '' + Last updated 07/29/2019
azure-video-analyzer Video Indexer Embed Widgets https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-for-media-docs/video-indexer-embed-widgets.md
Title: Embed Azure Video Analyzer for Media (formerly Video Indexer) widgets in your apps-+ description: Learn how to embed Azure Video Analyzer for Media (formerly Video Indexer) widgets in your apps.-+ + Last updated 01/25/2021
azure-video-analyzer Video Indexer Get Started https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-for-media-docs/video-indexer-get-started.md
Title: Sign up for Azure Video Analyzer for Media (formerly Video Indexer) and upload your first video - Azure-+ description: Learn how to sign up and upload your first video using the Azure Video Analyzer for Media (formerly Video Indexer) portal.-+ + Last updated 01/25/2021
azure-video-analyzer Video Indexer Output Json V2 https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-for-media-docs/video-indexer-output-json-v2.md
Title: Examine the Azure Video Analyzer for Media (formerly Video Indexer) output produced by v2 API - Azure-+ description: This topic examines the Azure Video Analyzer for Media (formerly Video Indexer) output produced by v2 API.-+ + Last updated 11/16/2020
azure-video-analyzer Video Indexer Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-for-media-docs/video-indexer-overview.md
Title: What is Azure Video Analyzer for Media (formerly Video Indexer)?-+ description: This article gives an overview of the Azure Video Analyzer for Media (formerly Video Indexer) service.-+ + Last updated 02/05/2021
azure-video-analyzer Video Indexer Search https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-for-media-docs/video-indexer-search.md
Title: Search for exact moments in videos with Azure Video Analyzer for Media (formerly Video Indexer)-+ description: Learn how to search for exact moments in videos using Azure Video Analyzer for Media (formerly Video Indexer).-+ + Last updated 11/23/2019
azure-video-analyzer Video Indexer Use Apis https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-for-media-docs/video-indexer-use-apis.md
Title: Use the Azure Video Analyzer for Media (formerly Video Indexer) API-+ description: This article describes how to get started with Azure Video Analyzer for Media (formerly Video Indexer) API.-+ + Last updated 01/07/2021
azure-video-analyzer Video Indexer View Edit https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-for-media-docs/video-indexer-view-edit.md
Title: View and edit Azure Video Analyzer for Media (formerly Video Indexer) insights-+ description: This article demonstrates how to view and edit Azure Video Analyzer for Media (formerly Video Indexer) insights.-+ + Last updated 05/15/2019
azure-vmware Ecosystem Back Up Vms https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-vmware/ecosystem-back-up-vms.md
Our backup partners have industry-leading backup and restore solutions in VMware
Backup network traffic between Azure VMware Solution VMs and the backup repository in Azure travels over a high-bandwidth, low-latency link. Replication traffic across regions travels over the internal Azure backplane network, which lowers bandwidth costs for users. >[!NOTE]
->For common questions, see [our third-party backup solution FAQ](/azure/azure-vmware/faq.yml#third-party-backup-and-recovery).
+>For common questions, see [our third-party backup solution FAQ](/azure/azure-vmware/faq#third-party-backup-and-recovery).
++ You can find more information on these backup solutions here: - [Cohesity](https://www.cohesity.com/blogs/expanding-cohesitys-support-for-microsofts-ecosystem-azure-stack-and-azure-vmware-solution/)
azure-vmware Integrate Azure Native Services https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-vmware/integrate-azure-native-services.md
Last updated 06/14/2021
# Integrate and deploy Azure native services
-Microsoft Azure native services let you monitor, manage, and protect your virtual machines (VMs) in a hybrid environment (Azure, Azure VMware Solution, and on-premises). For more information, see [Supported features for VMs](../security-center/security-center-services.md).
-
-The Azure native services that you can integrate with Azure VMware Solution include:
+Microsoft Azure native services let you monitor, manage, and protect your virtual machines (VMs) in a hybrid environment (Azure, Azure VMware Solution, and on-premises). The Azure native services that you can integrate with Azure VMware Solution include:
- **Log Analytics workspace:** Each workspace has its own data repository and configuration for storing log data. Data sources and solutions are configured to store their data in a specific workspace. Easily deploy the Log Analytics agent using Azure Arc enabled servers VM extension support for new and existing VMs. - **Azure Security Center:** Unified infrastructure security management system that strengthens security of data centers, and provides advanced threat protection across hybrid workloads in the cloud or on premises.
In this article, you'll integrate Azure native services in your Azure VMware Sol
## Enable Azure Security Center
-Azure Security Center provides advanced threat protection across your Azure VMware Solution and on-premises virtual machines (VMs). It assesses the vulnerability of Azure VMware Solution VMs and raise alerts as needed. These security alerts can be forwarded to Azure Monitor for resolution.
+Azure Security Center provides advanced threat protection across your Azure VMware Solution and on-premises virtual machines (VMs). It assesses the vulnerability of Azure VMware Solution VMs and raise alerts as needed. These security alerts can be forwarded to Azure Monitor for resolution. For more information, see [Supported features for VMs](../security-center/security-center-services.md).
Azure Security Center offers many features, including: - File integrity monitoring
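Review bot: The added paragraph still carries the agreement error from the removed line, "It assesses the vulnerability of Azure VMware Solution VMs and raise alerts as needed"; it should read "raises alerts". Moving the [Supported features for VMs] link from the introduction into this section is reasonable, since that link targets Security Center content.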
You can monitor guest operating system performance and discover and map applicat
- [Create, view, and manage metric alerts using Azure Monitor](../azure-monitor/alerts/alerts-metric.md). - [Create, view, and manage log alerts using Azure Monitor](../azure-monitor/alerts/alerts-log.md). - [Action rules](../azure-monitor/alerts/alerts-action-rules.md) to set automated actions and notifications.
- - [Connect Azure to ITSM tools using IT Service Management Connector](../azure-monitor/alerts/itsmc-overview.md).
+ - [Connect Azure to ITSM tools using IT Service Management Connector](../azure-monitor/alerts/itsmc-overview.md).
azure-vmware Tutorial Expressroute Global Reach Private Cloud https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-vmware/tutorial-expressroute-global-reach-private-cloud.md
Before you enable connectivity between two ExpressRoute circuits using ExpressRo
- A separate, functioning ExpressRoute circuit used to connect on-premises environments to Azure, which is _circuit 1_ for peering. - Ensure that all gateways, including the ExpressRoute provider's service, supports 4-byte Autonomous System Number (ASN). Azure VMware Solution uses 4-byte public ASNs for advertising routes.
+[!NOTE]
+> If advertising a default route to Azure (0.0.0.0/0), ensure a more specific route containing your on-premises networks is advertised in addition to the default route to enable management access to AVS. A single 0.0.0.0/0 route will be discarded by Azure VMware Solution's management network to ensure successful operation of the service.
## Create an ExpressRoute auth key in the on-premises ExpressRoute circuit
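Review bot: The added callout opens with `[!NOTE]` without the leading `>`, while the following line does start with `>`, so the block will not render as a note and the marker will appear as literal text. Make the first line `> [!NOTE]`. The note also uses "AVS" where the rest of the article spells out "Azure VMware Solution"; expand it so readers searching for the product name find this routing requirement. Since the consequence of a lone 0.0.0.0/0 advertisement is loss of management access, consider stating that outcome first.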
backup Backup Blobs Storage Account Ps https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/backup-blobs-storage-account-ps.md
Type : Microsoft.DataProtection/backupVaults
After creation of vault, let's create a backup policy to protect Azure blobs. > [!IMPORTANT]
-> Though you'll see the Backup storage redundancy of the vault, the redundancy doesn't apply to the operational backup of blobs as the backup is local in nature and no data is stored in the Backup vault. The Backup vault. Here, the backup vault is the management entity to help you manage the protection of block blobs in your storage accounts.
+> Though you'll see the Backup storage redundancy of the vault, the redundancy doesn't apply to the operational backup of blobs as the backup is local in nature and no data is stored in the Backup vault. Here, the backup vault is the management entity to help you manage the protection of block blobs in your storage accounts.
## Create a Backup policy
blobrg-PSTestSA-3df6ac08-9496-4839-8fb5-8b78e594f166 Microsoft.DataProtection/ba
## Next steps
-[Restore Azure blobs using Azure PowerShell](restore-blobs-storage-account-ps.md)
+[Restore Azure blobs using Azure PowerShell](restore-blobs-storage-account-ps.md)
backup Sql Support Matrix https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/sql-support-matrix.md
Title: Azure Backup support matrix for SQL Server Backup in Azure VMs description: Provides a summary of support settings and limitations when backing up SQL Server in Azure VMs with the Azure Backup service. Previously updated : 04/07/2021 Last updated : 06/07/2021
You can use Azure Backup to back up SQL Server databases in Azure VMs hosted on
**Support** | **Details** | **Supported deployments** | SQL Marketplace Azure VMs and non-Marketplace (SQL Server manually installed) VMs are supported.
-**Supported regions** | Australia South East (ASE), East Australia (AE), Australia Central (AC), Australia Central 2 (AC) <br> Brazil South (BRS)<br> Canada Central (CNC), Canada East (CE)<br> South East Asia (SEA), East Asia (EA) <br> East US (EUS), East US 2 (EUS2), West Central US (WCUS), West US (WUS); West US 2 (WUS 2) North Central US (NCUS) Central US (CUS) South Central US (SCUS) <br> India Central (INC), India South (INS), India West <br> Japan East (JPE), Japan West (JPW) <br> Korea Central (KRC), Korea South (KRS) <br> North Europe (NE), West Europe <br> UK South (UKS), UK West (UKW) <br> US Gov Arizona, US Gov Virginia, US Gov Texas, US DoD Central, US DoD East <br> Germany North, Germany West Central <br> Switzerland North, Switzerland West <br> France Central <br> China East, China East 2, China North, China North 2
+**Supported regions** | Azure Backup for SQL Server databases is available in all regions, except France South (FRS), UK North (UKN), UK South 2 (UKS2), UG IOWA (UGI), and Germany (Black Forest).
**Supported operating systems** | Windows Server 2019, Windows Server 2016, Windows Server 2012, Windows Server 2008 R2 SP1 <br/><br/> Linux isn't currently supported. **Supported SQL Server versions** | SQL Server 2019, SQL Server 2017 as detailed on the [Search product lifecycle page](https://support.microsoft.com/lifecycle/search?alpha=SQL%20server%202017), SQL Server 2016 and SPs as detailed on the [Search product lifecycle page](https://support.microsoft.com/lifecycle/search?alpha=SQL%20server%202016%20service%20pack), SQL Server 2014, SQL Server 2012, SQL Server 2008 R2, SQL Server 2008 <br/><br/> Enterprise, Standard, Web, Developer, Express.<br><br>Express Local DB versions aren't supported. **Supported .NET versions** | .NET Framework 4.5.2 or later installed on the VM
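Review bot: In the new **Supported regions** row, "UG IOWA (UGI)" looks like a typo; the removed row named the government regions as "US Gov Arizona, US Gov Virginia, US Gov Texas", so please confirm the intended name and casing. "Germany (Black Forest)" is also the only excluded entry without an abbreviation. Switching from an explicit list to an exclusion list means readers can no longer confirm the US Gov, US DoD and China regions by name, so consider a sentence stating whether sovereign clouds are covered by "all regions".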
cloud-services-extended-support Faq https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cloud-services-extended-support/faq.md
Cloud Services (extended support) has adopted the same process as other compute
### Can I use one Key Vault for all my deployments in all regions? No. Key Vault is a regional resource and customers need one Key Vault in each region. However, one Key Vault can be used for all deployments within a given region.
+### When specifying secrets/certificates to be installed to a Cloud Service, must the KeyVault resource be in the same Azure subscription as the Cloud Service resource?
+Yes. We do not allow cross subscription key vault references in Cloud Services to guard against escalation of privilege attacks through CS-ES. The subscription is not a boundary that CS-ES will cross for references to secrets. The reason we do not allow cross subscription references is as an important final step to prevent malicious users from using CS-ES as a privilege escalation mechanism to access other users secrets. Subscription isnΓÇÖt a security boundary, but defense in depth is a requirement. However, you can use the Key Vault extension to get cross subscription and cross region support for your certificates. Please refer to the documentation [here](https://docs.microsoft.com/azure/cloud-services-extended-support/enable-key-vault-virtual-machine)
+
+### When specifying secrets/certificates to be installed to a Cloud Service, must the KeyVault resource be in the same region as the Cloud Service resource?
+Yes. The reason that we enforce region boundaries is to prevent users from creating architectures that have cross region dependencies. Regional isolation is a key design principle of cloud based applications. However, you can use the Key Vault extension to get cross subscription and cross region support for your certificates. Please refer to the documentation [here](https://docs.microsoft.com/azure/cloud-services-extended-support/enable-key-vault-virtual-machine)
+ ## Next steps
-To start using Cloud Services (extended support), see [Deploy a Cloud Service (extended support) using PowerShell](deploy-powershell.md)
+To start using Cloud Services (extended support), see [Deploy a Cloud Service (extended support) using PowerShell](deploy-powershell.md)
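Review bot: The added subscription answer contains an encoding error ("isnΓÇÖt") that needs to be fixed to "isn't" before this is published. The same answer states the rationale twice ("We do not allow cross subscription key vault references ..." and "The reason we do not allow cross subscription references ...") and then says "Subscription isn't a security boundary" right after "The subscription is not a boundary that CS-ES will cross", which reads as contradictory; one sentence giving the rule and one giving the privilege-escalation rationale would be clearer. Both new answers end on a bare "[here](https://docs.microsoft.com/...)" link with no closing period; use descriptive link text and a site-relative path, as the `deploy-powershell.md` link in this file does. The headings use "KeyVault" while the existing text uses "Key Vault".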
cognitive-services Migrate Knowledge Base https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/QnAMaker/Tutorials/migrate-knowledge-base.md
Last updated 11/09/2020
# Migrate a knowledge base using export-import
-Migration is the process of creating a new knowledge base from an existing knowledge base. You may do this for several reasons:
+You may want to create a copy of your knowledge base for several reasons:
-* backup and restore process
-* CI/CD pipeline
-* move regions
-
-Migrating a knowledge base requires exporting from an existing knowledge base, then importing into another.
-
-> [!NOTE]
-> Follow the below instructions to migrate your existing knowledge base to a new QnA Maker managed (Preview).
+* Copy a knowledge base from QnA Maker GA to Custom question answering
+* To implement a backup and restore process
+* Integrate with your CI/CD pipeline
+* When you wish to move your data to different regions
## Prerequisites
-> * If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/cognitive-services/) before you begin.
- # [QnA Maker GA (stable release)](#tab/v1)
+> * If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/cognitive-services/) before you begin.
> * A [QnA Maker resource](https://ms.portal.azure.com/#create/Microsoft.CognitiveServicesQnAMaker) created in the Azure portal. Remember your Azure Active Directory ID, Subscription, QnA resource name you selected when you created the resource. > * Set up a new [QnA Maker service](../How-To/set-up-qnamaker-service-azure.md) # [Custom question answering (preview release)](#tab/v2)
+> * If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/cognitive-services/) before you begin.
> * A [Text Analytics resource](https://ms.portal.azure.com/#create/Microsoft.CognitiveServicesTextAnalytics) with the custom question answering feature enabled in the Azure portal. Remember your Azure Active Directory ID, Subscription, and Text Analytics resource name you selected when you created the resource.
-> * Set up a new [QnA Maker service](../How-To/set-up-qnamaker-service-azure.md)
+> * Set up [Custom question answering](../How-To/set-up-qnamaker-service-azure.md)
-## Migrate a knowledge base from QnA Maker
+## Export a knowledge base
1. Sign in to [QnA Maker portal](https://qnamaker.ai). 1. Select the knowledge base you want to migrate.
-1. On the **Settings** page, select **Export knowledge base** to download a .tsv file that contains the content of your origin knowledge base - questions, answers, metadata, follow-up prompts, and the data source names from which they were extracted. The QnA IDs that are exported with the questions and answers may be used to update a specific QnA pair using the [update API](/rest/api/cognitiveservices/qnamaker/knowledgebase/update). The QnA ID for a specific QnA pair remains unchanged across multiple export operations.
+1. On the **Settings** page, you have the options to export **QnAs**, **Synonyms**, or **Knowledge Base Replica**. You can choose to download the data in .tsv/.xlsx.
-1. Select **Create a knowledge base** from the top menu then create an _empty_ knowledge base. It is empty because when you create it, you are not going to add any URLs or files. Those are added during the import step, after creation.
+ 1. **QnAs**: When exporting QnAs, all QnA pairs (with questions, answers, metadata, follow-up prompts, and the data source names) are downloaded. The QnA IDs that are exported with the questions and answers may be used to update a specific QnA pair using the [update API](/rest/api/cognitiveservices/qnamaker/knowledgebase/update). The QnA ID for a specific QnA pair remains unchanged across multiple export operations.
+ 2. **Synonyms**: You can export Synonyms that have been added to the knowledge base.
+ 4. **Knowledge Base Replica**: If you want to download the entire knowledge base with synonyms and other settings, you can choose this option.
- Configure the knowledge base. Set the new knowledge base name only. Duplicate names are supported and special characters are supported as well.
+## Import a knowledge base
+1. Click **Create a knowledge base** from the top menu of the qnamaker.ai portal and then create an _empty_ knowledge base by not adding any URLs or files. Set the name of your choice for the new knowledge base and then ClickΓÇ»**Create your KB**.
- Do not select anything from Step 4 because those values will be overwritten when you import the file.
+1. In this new knowledge base, open the **Settings** tab and and under _Import knowledge base_ select one of the following options: **QnAs**, **Synonyms**, or **Knowledge Base Replica**.
-1. In Step 5, select **Create**.
+ 1. **QnAs**: This option imports all QnA pairs. **The QnA pairs created in the new knowledge base shall have the same QnA ID as present in the exported file**. You can refer [SampleQnAs.xlsx](https://aka.ms/qnamaker-sampleqnas), [SampleQnAs.tsv](https://aka.ms/qnamaker-sampleqnastsv) to import QnAs.
+ 2. **Synonyms**: This option can be used to import synonyms to the knowledge base. You can refer [SampleSynonyms.xlsx](https://aka.ms/qnamaker-samplesynonyms), [SampleSynonyms.tsv](https://aka.ms/qnamaker-samplesynonymstsv) to import synonyms.
+ 3. **Knowledge Base Replica**: This option can be used to import KB replica with QnAs, Synonyms and Settings. You can refer [KBReplicaSampleExcel](https://aka.ms/qnamaker-samplereplica), [KBReplicaSampleTSV](https://aka.ms/qnamaker-samplereplicatsv) for more details. If you also want to add unstructured content to the replica, refer [CustomQnAKBReplicaSample](https://aka.ms/qnamaker-samplev2replica).
-1. In this new knowledge base, open the **Settings** tab and select **Import knowledge base**. This imports the questions, answers, metadata, follow-up prompts, and retains the data source names from which they were extracted. **The QnA pairs created in the new knowledge base shall have the same QnA ID as present in the exported file**. This helps you create an exact replica of the knowledge base.
+ Either QnAs or Unstructured content is required when importing replica. Unstructured documents are only valid for Custom question answering.
+ Synonyms file is not mandatory when importing replica.
+ Settings file is mandatory when importing replica.
- > [!div class="mx-imgBorder"]
- > [![Import knowledge base](../media/qnamaker-how-to-migrate-kb/Import.png)](../media/qnamaker-how-to-migrate-kb/Import.png#lightbox)
+ |Settings|Update permitted when importing to QnA Maker KB?|Update permitted when importing to Custom question answering KB?|
+ |:--|--|--|
+ |DefaultAnswerForKB|No|Yes|
+ |EnableActiveLearning (True/False)|Yes|No|
+ |EnableMultiTurnExtraction (True/False)|Yes|Yes|
+ |DefaultAnswerforMultiturn|Yes|Yes|
+ |Language|No|No|
1. **Test** the new knowledge base using the Test panel. Learn how to [test your knowledge base](../How-To/test-knowledge-base.md). 1. **Publish** the knowledge base and create a chat bot. Learn how to [publish your knowledge base](../Quickstarts/create-publish-knowledge-base.md#publish-the-knowledge-base).
+ > [!div class="mx-imgBorder"]
+ > ![Migrate knowledge base](../media/qnamaker-how-to-migrate-kb/import-export-kb.png)
+ ## Programmatically migrate a knowledge base from QnA Maker The migration process is programmatically available using the following REST APIs:
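Review bot: The nested list under the export step is numbered 1, 2, 4 (the **Knowledge Base Replica** item is `4.`), while the matching list under the import step runs 1, 2, 3; renumber it to `3.`. In the same hunk, the import step reads "open the **Settings** tab and and under", the create step has stray bytes in "ClickΓÇ»**Create your KB**" and an inconsistent capital in "then Click", and "You can refer [SampleQnAs.xlsx]" needs "refer to". The three lines stating which files are required for a replica import would read better as a bullet list placed before the settings table.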
The migration process is programmatically available using the following REST API
* [Create API (load with new knowledge base ID)](/rest/api/cognitiveservices/qnamaker4.0/knowledgebase/create)
-## Chat logs and alterations
-Case-insensitive alterations (synonyms) are not imported automatically. Use the [V4 APIs](/rest/api/cognitiveservices/qnamaker4.0/knowledgebase) to move the alterations in the new knowledge base.
-
+## Chat logs
There is no way to migrate chat logs, since the new knowledge base uses Application Insights for storing chat logs. ## Next steps > [!div class="nextstepaction"]
-> [Edit a knowledge base](../How-To/edit-knowledge-base.md)
+> [Edit a knowledge base](../How-To/edit-knowledge-base.md)
cognitive-services Cognitive Services Virtual Networks https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/cognitive-services-virtual-networks.md
Network rules are enforced on all network protocols to Azure Cognitive Services,
## Supported regions and service offerings
-Virtual networks (VNETs) are supported in [regions where Cognitive Services are available](https://azure.microsoft.com/global-infrastructure/services/). Cognitive Services supports service tags for network rules configuration. The services listed below are included in the **CognitiveServicesManagement** service tag.
+Virtual networks (VNETs) are supported in [regions where Cognitive Services are available](https://azure.microsoft.com/global-infrastructure/services/). Currently multi-service resource does not support VNET. Cognitive Services supports service tags for network rules configuration. The services listed below are included in the **CognitiveServicesManagement** service tag.
> [!div class="checklist"] > * Anomaly Detector
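Review bot: The added sentence "Currently multi-service resource does not support VNET" is a restriction that readers need before they rely on network rules, but it sits inline between the regions sentence and the service tag sentence where it is easy to miss. Move it into a `> [!NOTE]` callout and fix the wording, for example "Currently, multi-service resources don't support virtual networks."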
cognitive-services Manage Resources https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/manage-resources.md
Previously updated : 06/08/2021 Last updated : 06/14/2021
This article provides instructions on how to recover a Cognitive Services resour
* If the deleted resource used customer-managed keys with Azure Key Vault and the key vault has also been deleted, then you must restore the key vault before you restore the Cognitive Services resource. For more information, see [Azure Key Vault recovery management](../key-vault/general/key-vault-recovery.md). * If the deleted resource used a customer-managed storage and storage account has also been deleted, you must restore the storage account before you restore the Cognitive Services resource. For instructions, see [Recover a deleted storage account](../storage/common/storage-account-recover.md).
+Your subscription must have `Microsoft.CognitiveServices/locations/resourceGroups/deletedAccounts/delete` permissions to purge resources, such as [Cognitive Services Contributor](/azure/role-based-access-control/built-in-roles#cognitive-services-contributor) or [Contributor](/azure/role-based-access-control/built-in-roles#contributor).
+ ## Recover a deleted resource To recover a deleted cognitive service resource, use the following commands. Where applicable, replace:
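Review bot: In the added permissions sentence, "Your subscription must have ... permissions" attributes the permission to the subscription, but the roles it names are assigned to a user or other identity on the subscription, and "to purge resources, such as [Cognitive Services Contributor]" reads as if the roles were examples of resources. Suggest something like "To purge resources, your account needs the `Microsoft.CognitiveServices/locations/resourceGroups/deletedAccounts/delete` permission on the subscription, which roles such as Cognitive Services Contributor or Contributor include." The sentence is also placed directly above "Recover a deleted resource" although it concerns purging; consider moving it to the purge section.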
connectors Managed https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/connectors/managed.md
Some Logic Apps Standard connectors support [on-premises systems](#on-premises-c
[![Azure Blog Storage managed connector icon in Logic Apps][azure-blob-storage-icon]][azure-blob-storage-doc] \ \
- [**Azure Blog Storage**][azure-blob-storage-doc]
+ [**Azure Blob Storage**][azure-blob-storage-doc]
\ \ Connect to your Azure Storage account so that you can create and manage blob content.
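Review bot: The link text is corrected to "Azure Blob Storage", but the image alt text in the line above still reads "Azure Blog Storage managed connector icon in Logic Apps". Fix the alt text in the same change so screen readers and search get the right name.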
container-registry Container Registry Java Quickstart https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/container-registry/container-registry-java-quickstart.md
Finally, you'll update your project configuration and use the command prompt to
1. Log in to your Azure Container Registry from the Azure CLI using the following command. Be sure to replace the placeholder with your own registry name. ```azurecli
- az configure --defaults acr=<your registry name>
+ az config set defaults.acr=<your registry name>
az acr login ```
- The `az configure` command sets the default registry name to use with `az acr` commands.
+ The `az config` command sets the default registry name to use with `az acr` commands.
1. Navigate to the completed project directory for your Spring Boot application (for example, "*C:\SpringBoot\gs-spring-boot-docker\complete*" or "*/users/robert/SpringBoot/gs-spring-boot-docker/complete*"), and open the *pom.xml* file with a text editor.
container-registry Container Registry Tasks Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/container-registry/container-registry-tasks-overview.md
Title: ACR Tasks overview description: An introduction to ACR Tasks, a suite of features in Azure Container Registry that provides secure, automated container image build, management, and patching in the cloud. Previously updated : 08/12/2020 Last updated : 06/14/2021 # Automate container image builds and maintenance with ACR Tasks
ACR Tasks supports the following triggers when you set a Git repo as the task's
| Commit | Yes | | Pull request | No |
-To configure a source code update trigger, you need to provide the task a personal access token (PAT) to set the webhook in the public or private GitHub or Azure DevOps repo.
- > [!NOTE] > Currently, ACR Tasks doesn't support commit or pull request triggers in GitHub Enterprise repos. Learn how to trigger builds on source code commit in the second ACR Tasks tutorial, [Automate container image builds with Azure Container Registry Tasks](container-registry-tutorial-build-task.md).
+### Personal access token
+
+To configure a source code update trigger, you need to provide the task a personal access token (PAT) to set the webhook in the public or private GitHub or Azure DevOps repo. Required scopes for the PAT are as follows:
+
+| Repo type |GitHub |DevOps |
+||||
+|Public repo | repo:status<br/>public_repo | Code (Read) |
+|Private repo | repo (Full control) | Code (Read) |
+
+To create a PAT, see the [GitHub](https://docs.github.com/en/github/authenticating-to-github/keeping-your-account-and-data-secure/creating-a-personal-access-token) or [Azure DevOps](/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate) documentation.
+ ## Automate OS and framework patching The power of ACR Tasks to truly enhance your container build workflow comes from its ability to detect an update to a *base image*. A feature of most container images, a base image is a parent image on which one or more application images are based. Base images typically contain the operating system, and sometimes application frameworks.
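Review bot: The new "Personal access token" section lists required scopes but never says the token should carry only those scopes, and the private repo row is `repo (Full control)`. Add a sentence telling readers to grant the listed scopes and nothing broader, so the token stored with the task is as narrow as the webhook setup allows. The column header "DevOps" should also read "Azure DevOps" to match the sentence above the table.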
The following table shows examples of supported context locations for ACR Tasks:
| Artifact in container registry | [OCI artifact](container-registry-oci-artifacts.md) files in a container registry repository. | `oci://myregistry.azurecr.io/myartifact:mytag` | > [!NOTE]
-> When using a private Git repo as a context for a task, you need to provide a personal access token (PAT).
+> When using a Git repo as a context for a task triggered by a source code update, you need to provide a [personal access token (PAT)](#personal-access-token).
## Image platforms
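Review bot: The rewritten note drops the private repo condition: the old text required a PAT for a private Git repo context, the new text requires one only for "a task triggered by a source code update". A reader running a task manually against a private repo context can no longer tell whether a PAT is needed. If both cases apply, state both, for example "when using a private Git repo as a context, or any Git repo for a task triggered by a source code update".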
container-registry Container Registry Tasks Reference Yaml https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/container-registry/container-registry-tasks-reference-yaml.md
There are several sample task files referenced in the following sections of this
az acr run -f build-push-hello-world.yaml https://github.com/Azure-Samples/acr-tasks.git ```
-The formatting of the sample commands assumes you've configured a default registry in the Azure CLI, so they omit the `--registry` parameter. To configure a default registry, use the [az configure][az-configure] command with the `--defaults` parameter, which accepts an `acr=REGISTRY_NAME` value.
+The formatting of the sample commands assumes you've configured a default registry in the Azure CLI, so they omit the `--registry` parameter. To configure a default registry, use the [az config][az-config] command with the `set` command, which accepts an `defaults.acr=REGISTRY_NAME` key value pair.
For example, to configure the Azure CLI with a default registry named "myregistry": ```azurecli
-az configure --defaults acr=myregistry
+az config set defaults.acr=myregistry
``` ## Task properties
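Review bot: The replacement sentence reads "use the [az config][az-config] command with the `set` command, which accepts an `defaults.acr=REGISTRY_NAME` key value pair", which has a doubled "command" and "an" before a consonant. Suggest "use the [az config set][az-config] command, which accepts a `defaults.acr=REGISTRY_NAME` key-value pair", matching the example `az config set defaults.acr=myregistry` that follows.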
Task properties typically appear at the top of an `acr-task.yaml` file, and are
| Property | Type | Optional | Description | Override supported | Default value | | -- | - | -- | -- | | - | | `version` | string | Yes | The version of the `acr-task.yaml` file as parsed by the ACR Tasks service. While ACR Tasks strives to maintain backward compatibility, this value allows ACR Tasks to maintain compatibility within a defined version. If unspecified, defaults to the latest version. | No | None |
-| `stepTimeout` | int (seconds) | Yes | The maximum number of seconds a step can run. If the property is specified on a task, it sets the default `timeout` property of all the steps. If the `timeout` property is specified on a step, it overrides the property provided by the task. | Yes | 600 (10 minutes) |
+| `stepTimeout` | int (seconds) | Yes | The maximum number of seconds a step can run. If the `stepTimeout` property is specified on a task, it sets the default `timeout` property of all the steps. If the `timeout` property is specified on a step, it overrides the `stepTimeout` property provided by the task.<br/><br/>The sum of the step timeout values for a task should equal the value of the task's run `timeout` property (for example, set by passing `--timeout` to the `az acr task create` command). If the tasks's run `timeout` value is smaller, it takes priority. | Yes | 600 (10 minutes) |
| `workingDirectory` | string | Yes | The working directory of the container during runtime. If the property is specified on a task, it sets the default `workingDirectory` property of all the steps. If specified on a step, it overrides the property provided by the task. | Yes | `c:\workspace` in Windows or `/workspace` in Linux | | `env` | [string, string, ...] | Yes | Array of strings in `key=value` format that define the environment variables for the task. If the property is specified on a task, it sets the default `env` property of all the steps. If specified on a step, it overrides any environment variables inherited from the task. | Yes | None | | `secrets` | [secret, secret, ...] | Yes | Array of [secret](#secret) objects. | No | None |
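Review bot: The added `stepTimeout` text says the sum of the step timeouts "should equal" the task's run `timeout` and then says "If the tasks's run `timeout` value is smaller, it takes priority", which leaves it unclear whether a mismatch is an error or just a cap. State the behaviour directly, for example that the run `timeout` bounds the whole task and steps are stopped when it elapses, regardless of their own `timeout`. Also fix the typo "tasks's" to "task's".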
For single-step builds, see the [ACR Tasks overview](container-registry-tasks-ov
<!-- LINKS - Internal --> [az-acr-run]: /cli/azure/acr#az_acr_run [az-acr-task-create]: /cli/azure/acr/task#az_acr_task_create
-[az-configure]: /cli/azure/reference-index#az_configure
+[az-config]: /cli/azure/reference-index#az_config
container-registry Tasks Agent Pools https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/container-registry/tasks-agent-pools.md
Agent pool tiers provide the following resources per instance in the pool.
### Set default registry (optional)
-To simplify Azure CLI commands that follow, set the default registry by running the [az configure][az-configure] command:
+To simplify Azure CLI commands that follow, set the default registry by running the [az config][az-config] command:
```azurecli
-az configure --defaults acr=<registryName>
+az config set defaults.acr=<registryName>
``` The following examples assume that you've set the default registry. If not, pass a `--registry <registryName>` parameter in each `az acr` command.
For more examples of container image builds and maintenance in the cloud, check
[azure-cli]: /cli/azure/install-azure-cli [open-support-ticket]: https://aka.ms/acr/support/create-ticket [terms-of-use]: https://azure.microsoft.com/support/legal/preview-supplemental-terms/
-[az-configure]: /cli/azure#az_configure
+[az-config]: /cli/azure#az_config
[az-acr-agentpool-create]: /cli/azure/acr/agentpool#az_acr_agentpool_create [az-acr-agentpool-update]: /cli/azure/acr/agentpool#az_acr_agentpool_update [az-acr-agentpool-show]: /cli/azure/acr/agentpool#az_acr_agentpool_show
cosmos-db How To Setup Rbac https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cosmos-db/how-to-setup-rbac.md
az cosmosdb sql role definition list --account-name $accountName --resource-grou
### Using Azure Resource Manager templates
-See [this page](/rest/api/cosmos-db-resource-provider/2021-04-15/sqlresources2/createupdatesqlroledefinition) for a reference and examples of using Azure Resource Manager templates to create role definitions.
+See [this page](/rest/api/cosmos-db-resource-provider/2021-04-01-preview/sqlresources2/create-update-sql-role-definition) for a reference and examples of using Azure Resource Manager templates to create role definitions.
## <a id="role-assignments"></a> Create role assignments
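Review bot: The link target changes from the `2021-04-15` reference path to `2021-04-01-preview`, so the sentence now sends readers to a preview API version without saying so; confirm that is intended, and if it is, mention in the sentence that the reference is for a preview version. The sentence also promises "Azure Resource Manager templates" while the target is under `/rest/api/`, and "this page" is not descriptive link text. The role assignment link in the next hunk has the same change.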
az cosmosdb sql role assignment create --account-name $accountName --resource-gr
### Using Azure Resource Manager templates
-See [this page](/rest/api/cosmos-db-resource-provider/2021-04-15/sqlresources2/createupdatesqlroleassignment) for a reference and examples of using Azure Resource Manager templates to create role assignments.
+See [this page](/rest/api/cosmos-db-resource-provider/2021-04-01-preview/sqlresources2/create-update-sql-role-assignment) for a reference and examples of using Azure Resource Manager templates to create role assignments.
## Initialize the SDK with Azure AD
Disabling the account primary/secondary keys is not currently possible.
## Next steps - Get an overview of [secure access to data in Cosmos DB](secure-access-to-data.md).-- Learn more about [RBAC for Azure Cosmos DB management](role-based-access-control.md).
+- Learn more about [RBAC for Azure Cosmos DB management](role-based-access-control.md).
cosmos-db Sql Api Sdk Dotnet Core https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cosmos-db/sql-api-sdk-dotnet-core.md
ms.devlang: dotnet Previously updated : 04/06/2021 Last updated : 06/15/2021
|**Web app tutorial**|[Web application development with Azure Cosmos DB](sql-api-dotnet-application.md)| |**Current supported framework**|[.NET Standard 1.6 and .NET Standard 1.5](https://www.nuget.org/packages/NETStandard.Library)|
-## Release Notes
- > [!NOTE] > If you are using .NET Core, please see the latest version 3.x of the [.NET SDK](sql-api-sdk-dotnet-standard.md), which targets .NET Standard.
cosmos-db Sql Api Sdk Dotnet https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cosmos-db/sql-api-sdk-dotnet.md
ms.devlang: dotnet Previously updated : 04/06/2021 Last updated : 06/15/2021
|**Web app tutorial**|[Web application development with Azure Cosmos DB](sql-api-dotnet-application.md)| |**Current supported framework**|[Microsoft .NET Framework 4.5](https://www.microsoft.com/download/details.aspx?id=30653)|
-## Release notes
- > [!NOTE] > If you are using .NET Framework, please see the latest version 3.x of the [.NET SDK](sql-api-sdk-dotnet-standard.md), which targets .NET Standard.
cost-management-billing Analyze Cost Data Azure Cost Management Power Bi Template App https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cost-management-billing/costs/analyze-cost-data-azure-cost-management-power-bi-template-app.md
Title: Analyze Azure costs with the Power BI App
description: This article explains how to install and use the Azure Cost Management Power BI App. Previously updated : 02/19/2021 Last updated : 06/15/2021
To install the app:
:::image type="content" source="./media/analyze-cost-data-azure-cost-management-power-bi-template-app/connect-your-data.png" alt-text="Screenshot highlighting the Connect your data link." lightbox="./media/analyze-cost-data-azure-cost-management-power-bi-template-app/connect-your-data.png" ::: 1. In the dialog that appears, enter your EA enrollment number for **BillingProfileIdOrEnrollmentNumber**. Specify the number of months of data to get. Leave the default **Scope** value of **Enrollment Number**, then select **Next**. :::image type="content" source="./media/analyze-cost-data-azure-cost-management-power-bi-template-app/ea-number.png" alt-text="Screenshot showing where you enter your E A enrollment information." lightbox="./media/analyze-cost-data-azure-cost-management-power-bi-template-app/ea-number.png" :::
-1. The next dialog connects to Azure and gets data. *Leave the default values as configured* and select **Sign in and continue**.
- :::image type="content" source="./media/analyze-cost-data-azure-cost-management-power-bi-template-app/autofit.png" alt-text="Screenshot showing the Connect to Azure Cost Management App dialog box with default values." lightbox="./media/analyze-cost-data-azure-cost-management-power-bi-template-app/autofit.png" :::
-1. The final installation step connects to your EA enrollment and requires an [Enterprise Administrator](../manage/understand-ea-roles.md) account. Leave all the default values. Select **Sign in and connect**.
+1. The next installation step connects to your EA enrollment and requires an [Enterprise Administrator](../manage/understand-ea-roles.md) account. Leave all the default values. Select **Sign in and connect**.
:::image type="content" source="./media/analyze-cost-data-azure-cost-management-power-bi-template-app/ea-auth.png" alt-text="Screenshot showing the Connect to Azure Cost Management App dialog box with default values to connect with." lightbox="./media/analyze-cost-data-azure-cost-management-power-bi-template-app/ea-auth.png" :::
+1. The final dialog connects to Azure and gets data. *Leave the default values as configured* and select **Sign in and continue**.
+ :::image type="content" source="./media/analyze-cost-data-azure-cost-management-power-bi-template-app/autofit.png" alt-text="Screenshot showing the Connect to Azure Cost Management App dialog box with default values." lightbox="./media/analyze-cost-data-azure-cost-management-power-bi-template-app/autofit.png" :::
1. You are prompted to authenticate with your EA enrollment. Authenticate with Power BI. After you're authenticated, a Power BI data refresh starts. > [!NOTE] > The data refresh process might take quite a while to complete. The length depends on the number of months specified and the amount of data needed to sync.
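Review bot: After the reorder, the step introduced as "The final dialog connects to Azure and gets data" is still followed by the unchanged step "You are prompted to authenticate with your EA enrollment", so "final" is not accurate, and the EA authentication prompt no longer follows the EA sign-in step it relates to. Check the order against the actual install flow and either drop "final" or move the authentication prompt step to sit after the **Sign in and connect** step.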
cost-management-billing Understand Vm Reservation Charges https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cost-management-billing/manage/understand-vm-reservation-charges.md
The following table illustrates the costs for your virtual machine after you pur
A reservation discount is "*use-it-or-lose-it*". So, if you don't have matching resources for any hour, then you lose a reservation quantity for that hour. You can't carry forward unused reserved hours.
-When you shut down a resource, the reservation discount automatically applies to another matching resource in the specified scope. If no matching resources are found in the specified scope, then the reserved hours are *lost*.
+When you shut down a resource or scale the number of VMs, the reservation discount automatically applies to another matching resource in the specified scope. If no matching resources are found in the specified scope, then the reserved hours are *lost*.
## Reservation discount for non-Windows VMs
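Review bot: In the changed sentence, "scale the number of VMs" does not say in which direction; only reducing the number of running VMs frees reserved hours for another matching resource. Suggest "When you shut down a resource or scale in the number of VMs" or "reduce the number of VMs".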
To learn more about Azure Reservations, see the following articles:
- [Understand reservation usage for your Pay-As-You-Go subscription](../reservations/understand-reserved-instance-usage.md) - [Understand reservation usage for your Enterprise enrollment](../reservations/understand-reserved-instance-usage-ea.md) - [Understand reservation usage for CSP subscriptions](/partner-center/azure-reservations)-- [Windows software costs not included with reservations](../reservations/reserved-instance-windows-software-costs.md)
+- [Windows software costs not included with reservations](../reservations/reserved-instance-windows-software-costs.md)
cost-management-billing Microsoft Customer Agreement Get Started https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cost-management-billing/microsoft-customer-agreement/microsoft-customer-agreement-get-started.md
tags: billing
Previously updated : 05/21/2021 Last updated : 06/14/2021
Some of the benefits under the agreement include:
- Free tools to help you understand and optimize your costs. - A single place to manage your Azure purchases at Azure.com.
+## Start building your solutions in Azure
+
+When you move existing subscriptions to your Microsoft Customer Agreement billing profile, service isn't changed and there's no service downtime. If youΓÇÖre a new customer, Azure automatically creates a default subscription for you.
+
+- [Move your existing pay-as-you-go subscriptions](../manage/mca-request-billing-ownership.md). You can link your subscriptions to the new MCA billing account by using billing ownership transfer.
+- [Move your existing EA subscriptions](../manage/mca-setup-account.md).
+- No previous Azure subscriptions? [Create an additional Azure subscription](../manage/create-subscription.md).
+
+After your subscriptions are moved, access to the subscriptions is unchanged for your users. All consumption against the subscriptions route invoices under your new contract.
+When you start consuming Azure services, your new invoice under the Microsoft Customer Agreement is generated on the fifth day of every month and your default payment method is wire transfer. [Learn how to set up your payment method to avoid delays](../understand/pay-bill.md#wire-bank-details).
+ ## How billing works under the agreement When you or your organization signed the Microsoft Customer Agreement, a billing account was automatically created. You use your Microsoft Customer Agreement (billing account) to track costs and manage billing. By default, the user who accepted the Microsoft Customer Agreement becomes the owner of the billing account. They have permission to manage billing for the account. The user can add other users, who also have permission to view and manage the billing account. - [Get started with your Microsoft Azure billing account](../understand/mca-overview.md). - [Organize your costs](https://www.youtube.com/watch?v=7RxTfShGHwU) and [customize billing to meet your needs](../manage/mca-section-invoice.md).
+- Learn who has [access to your billing account](https://www.youtube.com/watch?v=9sqglBlKkho) and understand [how admin roles work in Azure](../manage/understand-mca-roles.md#billing-profile-roles-and-tasks).
-## Start building your solutions in Azure
-
-When you move existing subscriptions to your Microsoft Customer Agreement billing profile, service isn't changed and there's no service downtime.
+## Update your PO and tax ID number
-If you're a new customer, Azure automatically creates a default subscription for you. You can use the subscription to create resources and build your solutions. When you have existing pay-as-you-go subscriptions, you can link your subscriptions to the new MCA billing account by using billing ownership transfer.
+[Update your PO number](../manage/change-azure-account-profile.md#update-a-po-number) in your billing profile and, after moving your subscriptions, ensure you [update your tax ID](/manage/change-azure-account-profile.md#update-your-tax-id). The tax ID is used for tax exemption calculations and appears on your invoice. [Learn more about how to update your billing account settings](/microsoft-store/update-microsoft-store-for-business-account-settings).
-- [Move your existing pay-as-you-go subscriptions](../manage/mca-request-billing-ownership.md).-- [Move your existing EA subscriptions](../manage/mca-setup-account.md).-- No previous Azure subscriptions? [Create an additional Azure subscription](../manage/create-subscription.md).-
-After your subscriptions are moved, access to the subscriptions is unchanged for your users. All consumption against the subscriptions route invoices under your new contract.
-
-When you start consuming Azure services, your new invoice under the Microsoft Customer Agreement is generated on the fifth day of every month. Your default payment method is wire transfer. To learn how to set up your payment method to avoid delays, see [How to pay for your subscription](../understand/pay-bill.md#wire-bank-details). The article explains how to get the required bank payment information.
## Confirm payment details
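Review bot: In the new "Update your PO and tax ID number" paragraph, the tax ID link uses the root-relative path `/manage/change-azure-account-profile.md#update-your-tax-id` while the PO link in the same sentence uses `../manage/change-azure-account-profile.md#update-a-po-number`; the first is most likely a broken link and should use the `../manage/` form. The added paragraph under "Start building your solutions in Azure" also contains stray bytes in "youΓÇÖre", and the heading would read more clearly as "Update your PO number and tax ID".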
When you move from a pay-as-you-go or an enterprise agreement to a Microsoft Cus
Make sure that you complete any outstanding payments for your older [pay-as-you-go](../understand/download-azure-invoice.md) or [EA](../manage/ea-portal-enrollment-invoices.md) contract subscription invoices. For more information, see [Understand your Microsoft Customer Agreement Invoice in Azure](../understand/mca-understand-your-invoice.md#billing-period).
-## Update a PO number
-
-By default, an invoice for billing profile doesn't have an associated PO number. After you add a PO number for a billing profile, it appears on invoices for the billing profile.
-
-To add or change the PO number for a billing profile, use the following steps.
-
-1. Sign in to the Azure portal.
-1. Search for **Cost Management + Billing** and then select **Billing scopes**.
-1. Select your billing scope.
-1. In the left menu under **Billing**, select **Billing profiles**.
-1. Select the appropriate billing profile.
-1. In the left menu under **Settings**, select **Properties**.
-1. Select **Update PO number**.
-1. Enter a PO number and then select **Update**.
--
-## Update your tax ID
-
-Ensure you update your tax ID after moving your subscriptions. The tax ID is used for tax exemption calculations and appears on your invoice.
-
-**To update billing account information**
-
-1. Sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com/) or [Microsoft Store for Education](https://educationstore.microsoft.com/).
-1. Select **Manage**, and then select **Billing accounts**.
-1. On **Overview**, select **Edit billing account information**.
-1. Make your updates, and then select **Save**.
-
-[Learn more about how to update your billing account settings](/microsoft-store/update-microsoft-store-for-business-account-settings).
- ## Cancel support plan Learn how to [cancel a previous support plan](../manage/mca-request-billing-ownership.md?toc=/azure/cost-management-billing/microsoft-customer-agreement/toc.json#cancel-a-prior-support-plan).
cost-management-billing Manage Reserved Vm Instance https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cost-management-billing/reservations/manage-reserved-vm-instance.md
If you're a billing administrator, use following steps to view and manage all re
3. The complete list of reservations for your EA enrollment or billing profile is shown. 4. Billing administrators can take ownership of a reservation by selecting it and then selecting **Grant access** in the window that appears.
+## Change Billing Subscription for an Azure Reservation
+
+We donΓÇÖt allow changing Billing subscription after a reservation is purchased. If you want to change the subscription, use the exchange process to set the right billing subscription for the reservation.
+ ## Split a single reservation into two reservations After you buy more than one resource instance within a reservation, you may want to assign instances within that reservation to different subscriptions. By default, all instances have one scope - either single subscription, resource group or shared. Lets say, you bought a reservation for 10 VM instances and specified the scope to be subscription A. You now want to change the scope for seven VM instances to subscription A and the remaining three to subscription B. Splitting a reservation allows you todo that. After you split a reservation, the original ReservationID is canceled and two new reservations are created. Split doesn't impact the reservation order - there's no new commercial transaction with split and the new reservations have the same end date as the one that was split.
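Review bot: The new section tells readers to "use the exchange process" but gives no link or steps, so someone who bought a reservation under the wrong billing subscription has no way forward from this page; link "exchange process" to the article that documents exchanges. The heading "Change Billing Subscription for an Azure Reservation" uses title case where the neighbouring headings use sentence case, "Billing subscription" is capitalised mid-sentence, and "donΓÇÖt" carries stray bytes.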
cost-management-billing View Purchase Refunds https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cost-management-billing/reservations/view-purchase-refunds.md
Previously updated : 04/27/2021 Last updated : 06/14/2021
An Enterprise enrollment or Microsoft Customer Agreement billing administrator c
## View reservation transactions in Power BI
-An Enterprise enrollment or Microsoft Customer Agreement billing administrator can view reservation transactions with the Cost Management Power BI app.
+An Enterprise enrollment administrator can view reservation transactions with the Cost Management Power BI app.
1. Get the [Cost Management Power BI App](https://appsource.microsoft.com/product/power-bi/costmanagement.azurecostmanagementapp). 1. Navigate to the RI Purchases report.
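Review bot: The rewritten sentence under "View reservation transactions in Power BI" drops Microsoft Customer Agreement billing administrators without saying what they should use instead. If the Power BI app does not cover that role, state it as a limitation and point to the alternative; otherwise a reader with that role cannot tell a permission boundary from an omission.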
data-factory Connector Azure Sql Database https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-azure-sql-database.md
Previously updated : 03/17/2021 Last updated : 06/15/2021 # Copy and transform data in Azure SQL Database by using Azure Data Factory
For Copy activity, this Azure SQL Database connector supports these functions:
If you use Azure SQL Database [serverless tier](../azure-sql/database/serverless-tier-overview.md), note when the server is paused, activity run fails instead of waiting for the auto resume to be ready. You can add activity retry or chain additional activities to make sure the server is live upon the actual execution.
->[!NOTE]
-> Azure SQL Database [Always Encrypted](/sql/relational-databases/security/encryption/always-encrypted-database-engine) isn't supported by this connector now. To work around, you can use a [generic ODBC connector](connector-odbc.md) and a SQL Server ODBC driver via a self-hosted integration runtime. Learn more from [Using Always Encrypted](#using-always-encrypted) section.
> [!IMPORTANT] > If you copy data by using the Azure integration runtime, configure a [server-level firewall rule](../azure-sql/database/firewall-configure.md) so that Azure services can access the server.
These properties are supported for an Azure SQL Database linked service:
| servicePrincipalKey | Specify the application's key. Mark this field as **SecureString** to store it securely in Azure Data Factory or [reference a secret stored in Azure Key Vault](store-credentials-in-key-vault.md). | Yes, when you use Azure AD authentication with a service principal | | tenant | Specify the tenant information, like the domain name or tenant ID, under which your application resides. Retrieve it by hovering the mouse in the upper-right corner of the Azure portal. | Yes, when you use Azure AD authentication with a service principal | | azureCloudType | For service principal authentication, specify the type of Azure cloud environment to which your Azure AD application is registered. <br/> Allowed values are **AzurePublic**, **AzureChina**, **AzureUsGovernment**, and **AzureGermany**. By default, the data factory's cloud environment is used. | No |
+| alwaysEncryptedSettings | Specify **alwaysencryptedsettings** information that's needed to enable Always Encrypted to protect sensitive data stored in SQL server by using either managed identity or service principal. For more information, see the JSON example following the table and [Using Always Encrypted](#using-always-encrypted) section. If not specified, the default always encrypted setting is disabled. |No |
| connectVia | This [integration runtime](concepts-integration-runtime.md) is used to connect to the data store. You can use the Azure integration runtime or a self-hosted integration runtime if your data store is located in a private network. If not specified, the default Azure integration runtime is used. | No |
+> [!NOTE]
+> Azure SQL Database [**Always Encrypted**](/sql/relational-databases/security/encryption/always-encrypted-database-engine?view=sql-server-ver15) is not supported in data flow.
+ For different authentication types, refer to the following sections on prerequisites and JSON samples, respectively: - [SQL authentication](#sql-authentication)
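Review bot: The new `alwaysEncryptedSettings` row names the property as "**alwaysencryptedsettings**" in lowercase, which does not match the camel-case key in the JSON sample; use the exact key. The row also says "SQL server" in an Azure SQL Database article and does not list the nested keys (`alwaysEncryptedAkvAuthType` and the service principal fields), so the accepted values, including the one that selects managed identity, can only be guessed from the example. The added NOTE link pins `?view=sql-server-ver15`, while the link to the same page in the Using Always Encrypted intro has no view parameter; pick one form.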
For different authentication types, refer to the following sections on prerequis
} ```
+**Example: Use Always Encrypted**
+
+```json
+{
+ "name": "AzureSqlDbLinkedService",
+ "properties": {
+ "type": "AzureSqlDatabase",
+ "typeProperties": {
+ "connectionString": "Data Source=tcp:<servername>.database.windows.net,1433;Initial Catalog=<databasename>;User ID=<username>@<servername>;Password=<password>;Trusted_Connection=False;Encrypt=True;Connection Timeout=30"
+ },
+ "alwaysEncryptedSettings": {
+ "alwaysEncryptedAkvAuthType": "ServicePrincipal",
+ "servicePrincipalId": "<service principal id>",
+ "servicePrincipalKey": {
+ "type": "SecureString",
+ "value": "<service principal key>"
+ }
+ },
+ "connectVia": {
+ "referenceName": "<name of Integration Runtime>",
+ "type": "IntegrationRuntimeReference"
+ }
+ }
+}
+```
+ ### Service principal authentication To use a service principal-based Azure AD application token authentication, follow these steps:
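Review bot: The sample carries both secrets inline, `Password=<password>` in the connection string and `servicePrincipalKey` as a `SecureString` value, although the properties table says the key can instead reference a secret stored in Azure Key Vault. For a feature meant to protect sensitive columns, show the Key Vault reference form or state it next to the sample. The sample also covers only `"alwaysEncryptedAkvAuthType": "ServicePrincipal"`; the table row promises managed identity as well, so add that variant or name its value. Minor: the heading "Example: Use Always Encrypted" is unnumbered, unlike "Example 3" and "Example 4" in the sibling connector articles.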
To learn details about the properties, check [GetMetadata activity](control-flow
## Using Always Encrypted
-When you copy data from/to Azure SQL Database with [Always Encrypted](/sql/relational-databases/security/encryption/always-encrypted-database-engine), use [generic ODBC connector](connector-odbc.md) and SQL Server ODBC driver via Self-hosted Integration Runtime. This Azure SQL Database connector does not support Always Encrypted now.
-
-More specifically:
-
-1. Set up a Self-hosted Integration Runtime if you don't have one. See [Self-hosted Integration Runtime](create-self-hosted-integration-runtime.md) article for details.
-
-2. Download the 64-bit ODBC driver for SQL Server from [here](/sql/connect/odbc/download-odbc-driver-for-sql-server), and install on the Integration Runtime machine. Learn more about how this driver works from [Using Always Encrypted with the ODBC Driver for SQL Server](/sql/connect/odbc/using-always-encrypted-with-the-odbc-driver#using-the-azure-key-vault-provider).
+When you copy data from/to SQL Server with [Always Encrypted](/sql/relational-databases/security/encryption/always-encrypted-database-engine), follow below steps:
-3. Create linked service with ODBC type to connect to your SQL database, refer to the following samples:
+1. Store the [Column Master Key (CMK)](/sql/relational-databases/security/encryption/create-and-store-column-master-keys-always-encrypted?view=sql-server-ver15) in an [Azure Key Vault](/azure/key-vault/general/overview). Learn more on [how to configure Always Encrypted by using Azure Key Vault](/azure/azure-sql/database/always-encrypted-azure-key-vault-configure?tabs=azure-powershell)
- - To use **SQL authentication**: Specify the ODBC connection string as below, and select **Basic** authentication to set the user name and password.
+2. Make sure to great access to the key vault where the [Column Master Key (CMK)](/sql/relational-databases/security/encryption/create-and-store-column-master-keys-always-encrypted?view=sql-server-ver15) is stored. Refer to this [article](/sql/relational-databases/security/encryption/create-and-store-column-master-keys-always-encrypted?view=sql-server-ver15#key-vaults) for required permissions.
- ```
- Driver={ODBC Driver 17 for SQL Server};Server=<serverName>;Database=<databaseName>;ColumnEncryption=Enabled;KeyStoreAuthentication=KeyVaultClientSecret;KeyStorePrincipalId=<servicePrincipalKey>;KeyStoreSecret=<servicePrincipalKey>
- ```
+3. Create linked service to connect to your SQL database and enable 'Always Encrypted' function by using either managed identity or service principal.
- - If you run Self-hosted Integration Runtime on Azure Virtual Machine, you can use **Managed Identity authentication** with Azure VM's identity:
-
- 1. Follow the same [prerequisites](#managed-identity) to create database user for the managed identity and grant the proper role in your database.
- 2. In linked service, specify the ODBC connection string as below, and select **Anonymous** authentication as the connection string itself indicates`Authentication=ActiveDirectoryMsi`.
-
- ```
- Driver={ODBC Driver 17 for SQL Server};Server=<serverName>;Database=<databaseName>;ColumnEncryption=Enabled;KeyStoreAuthentication=KeyVaultClientSecret;KeyStorePrincipalId=<servicePrincipalKey>;KeyStoreSecret=<servicePrincipalKey>; Authentication=ActiveDirectoryMsi;
- ```
-
-4. Create dataset and copy activity with ODBC type accordingly. Learn more from [ODBC connector](connector-odbc.md) article.
+>[!NOTE]
+>SQL Server [Always Encrypted](/sql/relational-databases/security/encryption/always-encrypted-database-engine) supports below scenarios:
+>1. Either source or sink data stores is using managed identity or service principal as key provider authentication type.
+>2. Both source and sink data stores are using managed identity as key provider authentication type.
+>3. Both source and sink data stores are using the same service principal as key provider authentication type.
## Next steps
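Review bot: Step 2 reads "Make sure to great access to the key vault", which should be "grant access" (the connector-sql-server.md version of this step has it right), and it never says which identity receives the access. Name it: the managed identity or service principal that step 3 configures as the key provider credential, with only the key permissions the linked article lists. The intro and the NOTE also say "SQL Server" where the removed text said "Azure SQL Database", and step 3 should name the `alwaysEncryptedSettings` property so readers can find it in the table.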
data-factory Connector Azure Sql Managed Instance https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-azure-sql-managed-instance.md
Previously updated : 03/17/2021 Last updated : 06/15/2021 # Copy and transform data in Azure SQL Managed Instance by using Azure Data Factory
For Copy activity, this Azure SQL Database connector supports these functions:
- As a source, retrieving data by using a SQL query or a stored procedure. You can also choose to parallel copy from SQL MI source, see the [Parallel copy from SQL MI](#parallel-copy-from-sql-mi) section for details. - As a sink, automatically creating destination table if not exists based on the source schema; appending data to a table or invoking a stored procedure with custom logic during copy.
->[!NOTE]
-> SQL Managed Instance [Always Encrypted](/sql/relational-databases/security/encryption/always-encrypted-database-engine) isn't supported by this connector now. To work around, you can use a [generic ODBC connector](connector-odbc.md) and a SQL Server ODBC driver via a self-hosted integration runtime. Learn more from [Using Always Encrypted](#using-always-encrypted) section.
- ## Prerequisites To access the SQL Managed Instance [public endpoint](../azure-sql/managed-instance/public-endpoint-overview.md), you can use an Azure Data Factory managed Azure integration runtime. Make sure that you enable the public endpoint and also allow public endpoint traffic on the network security group so that Azure Data Factory can connect to your database. For more information, see [this guidance](../azure-sql/managed-instance/public-endpoint-configure.md).
The following properties are supported for the SQL Managed Instance linked servi
| servicePrincipalKey | Specify the application's key. Mark this field as **SecureString** to store it securely in Azure Data Factory or [reference a secret stored in Azure Key Vault](store-credentials-in-key-vault.md). | Yes, when you use Azure AD authentication with a service principal | | tenant | Specify the tenant information, like the domain name or tenant ID, under which your application resides. Retrieve it by hovering the mouse in the upper-right corner of the Azure portal. | Yes, when you use Azure AD authentication with a service principal | | azureCloudType | For service principal authentication, specify the type of Azure cloud environment to which your Azure AD application is registered. <br/> Allowed values are **AzurePublic**, **AzureChina**, **AzureUsGovernment**, and **AzureGermany**. By default, the data factory's cloud environment is used. | No |
+| alwaysEncryptedSettings | Specify **alwaysencryptedsettings** information that's needed to enable Always Encrypted to protect sensitive data stored in SQL server by using either managed identity or service principal. For more information, see the JSON example following the table and [Using Always Encrypted](#using-always-encrypted) section. If not specified, the default always encrypted setting is disabled. |No |
| connectVia | This [integration runtime](concepts-integration-runtime.md) is used to connect to the data store. You can use a self-hosted integration runtime or an Azure integration runtime if your managed instance has a public endpoint and allows Azure Data Factory to access it. If not specified, the default Azure integration runtime is used. |Yes |
+> [!NOTE]
+> SQL Managed Instance [**Always Encrypted**](/sql/relational-databases/security/encryption/always-encrypted-database-engine?view=sql-server-ver15) is not supported in data flow.
+ For different authentication types, refer to the following sections on prerequisites and JSON samples, respectively: - [SQL authentication](#sql-authentication)
For different authentication types, refer to the following sections on prerequis
} ```
+**Example 3: use SQL authentication with Always Encrypted**
+
+```json
+{
+ "name": "AzureSqlMILinkedService",
+ "properties": {
+ "type": "AzureSqlMI",
+ "typeProperties": {
+ "connectionString": "Data Source=<hostname,port>;Initial Catalog=<databasename>;Integrated Security=False;User ID=<username>;Password=<password>;"
+ },
+ "alwaysEncryptedSettings": {
+ "alwaysEncryptedAkvAuthType": "ServicePrincipal",
+ "servicePrincipalId": "<service principal id>",
+ "servicePrincipalKey": {
+ "type": "SecureString",
+ "value": "<service principal key>"
+ }
+ },
+ "connectVia": {
+ "referenceName": "<name of Integration Runtime>",
+ "type": "IntegrationRuntimeReference"
+ }
+ }
+}
+```
+ ### Service principal authentication To use a service principal-based Azure AD application token authentication, follow these steps:
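Review bot: The title "Example 3: use SQL authentication with Always Encrypted" describes only the database login, but the sample holds a second credential, the `servicePrincipalId` / `servicePrincipalKey` pair under `alwaysEncryptedSettings`. Those names match the connector's Azure AD service principal properties in the table above, so add a sentence saying which identity each credential belongs to and what it needs access to. Title casing also differs from the other connectors ("Example 4: Use Always Encrypted").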
When data is copied to and from SQL Managed Instance using copy activity, the fo
## Using Always Encrypted
-When you copy data from/to Azure SQL Managed Instance with [Always Encrypted](/sql/relational-databases/security/encryption/always-encrypted-database-engine), use [generic ODBC connector](connector-odbc.md) and SQL Server ODBC driver via Self-hosted Integration Runtime. This Azure SQL Managed Instance connector does not support Always Encrypted now.
-
-More specifically:
-
-1. Set up a Self-hosted Integration Runtime if you don't have one. See [Self-hosted Integration Runtime](create-self-hosted-integration-runtime.md) article for details.
-
-2. Download the 64-bit ODBC driver for SQL Server from [here](/sql/connect/odbc/download-odbc-driver-for-sql-server), and install on the Integration Runtime machine. Learn more about how this driver works from [Using Always Encrypted with the ODBC Driver for SQL Server](/sql/connect/odbc/using-always-encrypted-with-the-odbc-driver#using-the-azure-key-vault-provider).
+When you copy data from/to SQL Server with [Always Encrypted](/sql/relational-databases/security/encryption/always-encrypted-database-engine), follow below steps:
-3. Create linked service with ODBC type to connect to your SQL database, refer to the following samples:
+1. Store the [Column Master Key (CMK)](/sql/relational-databases/security/encryption/create-and-store-column-master-keys-always-encrypted?view=sql-server-ver15) in an [Azure Key Vault](/azure/key-vault/general/overview). Learn more on [how to configure Always Encrypted by using Azure Key Vault](/azure/azure-sql/database/always-encrypted-azure-key-vault-configure?tabs=azure-powershell)
- - To use **SQL authentication**: Specify the ODBC connection string as below, and select **Basic** authentication to set the user name and password.
+2. Make sure to great access to the key vault where the [Column Master Key (CMK)](/sql/relational-databases/security/encryption/create-and-store-column-master-keys-always-encrypted?view=sql-server-ver15) is stored. Refer to this [article](/sql/relational-databases/security/encryption/create-and-store-column-master-keys-always-encrypted?view=sql-server-ver15#key-vaults) for required permissions.
- ```
- Driver={ODBC Driver 17 for SQL Server};Server=<serverName>;Database=<databaseName>;ColumnEncryption=Enabled;KeyStoreAuthentication=KeyVaultClientSecret;KeyStorePrincipalId=<servicePrincipalKey>;KeyStoreSecret=<servicePrincipalKey>
- ```
+3. Create linked service to connect to your SQL database and enable 'Always Encrypted' function by using either managed identity or service principal.
- - If you run Self-hosted Integration Runtime on Azure Virtual Machine, you can use **Managed Identity authentication** with Azure VM's identity:
-
- 1. Follow the same [prerequisites](#managed-identity) to create database user for the managed identity and grant the proper role in your database.
- 2. In linked service, specify the ODBC connection string as below, and select **Anonymous** authentication as the connection string itself indicates`Authentication=ActiveDirectoryMsi`.
-
- ```
- Driver={ODBC Driver 17 for SQL Server};Server=<serverName>;Database=<databaseName>;ColumnEncryption=Enabled;KeyStoreAuthentication=KeyVaultClientSecret;KeyStorePrincipalId=<servicePrincipalKey>;KeyStoreSecret=<servicePrincipalKey>; Authentication=ActiveDirectoryMsi;
- ```
-
-4. Create dataset and copy activity with ODBC type accordingly. Learn more from [ODBC connector](connector-odbc.md) article.
+>[!NOTE]
+>SQL Server [Always Encrypted](/sql/relational-databases/security/encryption/always-encrypted-database-engine) supports below scenarios:
+>1. Either source or sink data stores is using managed identity or service principal as key provider authentication type.
+>2. Both source and sink data stores are using managed identity as key provider authentication type.
+>3. Both source and sink data stores are using the same service principal as key provider authentication type.
## Next steps For a list of data stores supported as sources and sinks by the copy activity in Azure Data Factory, see [Supported data stores](copy-activity-overview.md#supported-data-stores-and-formats).
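Review bot: The NOTE lists three supported scenarios and leaves the unsupported case to inference: source and sink using different service principals, or one using managed identity while the other uses a service principal, depending on how item 1 is read. State the unsupported combinations explicitly and reword item 1 ("Either source or sink data stores is using") so it is clear that it means only one side uses Always Encrypted. Step 2 also has "great access" for "grant access", and the intro says "SQL Server" where the removed line said "Azure SQL Managed Instance".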
data-factory Connector Servicenow https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-servicenow.md
If you have a filter in your query, use "Actual" schema which has better copy pe
### Index
-ServiceNow table index can help improve query performance, refer to [Create a table index](https://docs.servicenow.com/bundle/geneva-servicenow-platform/page/administer/table_administration/task/t_CreateCustomIndex.html).
+ServiceNow table index can help improve query performance, refer to [Create a table index](https://docs.servicenow.com/bundle/quebec-platform-administration/page/administer/table-administration/task/t_CreateCustomIndex.html).
## Lookup activity properties
data-factory Connector Sql Server https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-sql-server.md
Previously updated : 05/26/2021 Last updated : 06/08/2021 # Copy and transform data to and from SQL Server by using Azure Data Factory
Specifically, this SQL Server connector supports:
[SQL Server Express LocalDB](/sql/database-engine/configure-windows/sql-server-express-localdb) is not supported.
->[!NOTE]
->SQL Server [Always Encrypted](/sql/relational-databases/security/encryption/always-encrypted-database-engine) isn't supported by this connector now. To work around, you can use a [generic ODBC connector](connector-odbc.md) and a SQL Server ODBC driver. Follow [this guidance](/sql/connect/odbc/using-always-encrypted-with-the-odbc-driver) with ODBC driver download and connection string configurations.
## Prerequisites
The following properties are supported for the SQL Server linked service:
| connectionString |Specify **connectionString** information that's needed to connect to the SQL Server database by using either SQL authentication or Windows authentication. Refer to the following samples.<br/>You also can put a password in Azure Key Vault. If it's SQL authentication, pull the `password` configuration out of the connection string. For more information, see the JSON example following the table and [Store credentials in Azure Key Vault](store-credentials-in-key-vault.md). |Yes | | userName |Specify a user name if you use Windows authentication. An example is **domainname\\username**. |No | | password |Specify a password for the user account you specified for the user name. Mark this field as **SecureString** to store it securely in Azure Data Factory. Or, you can [reference a secret stored in Azure Key Vault](store-credentials-in-key-vault.md). |No |
+| alwaysEncryptedSettings | Specify **alwaysencryptedsettings** information that's needed to enable Always Encrypted to protect sensitive data stored in SQL server by using either managed identity or service principal. For more information, see the JSON example following the table and [Using Always Encrypted](#using-always-encrypted) section. If not specified, the default always encrypted setting is disabled. |No |
| connectVia | This [integration runtime](concepts-integration-runtime.md) is used to connect to the data store. Learn more from [Prerequisites](#prerequisites) section. If not specified, the default Azure integration runtime is used. |No |
+> [!NOTE]
+> SQL Server [**Always Encrypted**](/sql/relational-databases/security/encryption/always-encrypted-database-engine?view=sql-server-ver15) is not supported in data flow.
+ >[!TIP] >If you hit an error with the error code "UserErrorFailedToConnectToSqlServer" and a message like "The session limit for the database is XXX and has been reached," add `Pooling=false` to your connection string and try again.
The following properties are supported for the SQL Server linked service:
"referenceName": "<name of Integration Runtime>", "type": "IntegrationRuntimeReference" }
- }
+ }
+}
+```
+
+**Example 4: Use Always Encrypted**
+
+```json
+{
+ "name": "SqlServerLinkedService",
+ "properties": {
+ "type": "SqlServer",
+ "typeProperties": {
+ "connectionString": "Data Source=<servername>\\<instance name if using named instance>;Initial Catalog=<databasename>;Integrated Security=False;User ID=<username>;Password=<password>;"
+ },
+ "alwaysEncryptedSettings": {
+ "alwaysEncryptedAkvAuthType": "ServicePrincipal",
+ "servicePrincipalId": "<service principal id>",
+ "servicePrincipalKey": {
+ "type": "SecureString",
+ "value": "<service principal key>"
+ }
+ },
+ "connectVia": {
+ "referenceName": "<name of Integration Runtime>",
+ "type": "IntegrationRuntimeReference"
+ }
+ }
} ```
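Review bot: `alwaysEncryptedSettings` sits beside `typeProperties` in this sample, directly under `properties`, but the table row does not say at which level the property belongs, and `connectionString` from the same table sits inside `typeProperties`. Confirm the placement against the connector schema and state it in the row. The row says the setting is disabled when not specified, so a reader who puts the block at the wrong level needs to know whether that fails validation or leaves Always Encrypted off.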
To learn details about the properties, check [GetMetadata activity](control-flow
## Using Always Encrypted
-When you copy data from/to SQL Server with [Always Encrypted](/sql/relational-databases/security/encryption/always-encrypted-database-engine), use [generic ODBC connector](connector-odbc.md) and SQL Server ODBC driver via Self-hosted Integration Runtime. This SQL Server connector does not support Always Encrypted now.
+When you copy data from/to SQL Server with [Always Encrypted](/sql/relational-databases/security/encryption/always-encrypted-database-engine), follow below steps:
-More specifically:
+1. Store the [Column Master Key (CMK)](/sql/relational-databases/security/encryption/create-and-store-column-master-keys-always-encrypted?view=sql-server-ver15) in an [Azure Key Vault](/azure/key-vault/general/overview). Learn more on [how to configure Always Encrypted by using Azure Key Vault](/azure/azure-sql/database/always-encrypted-azure-key-vault-configure?tabs=azure-powershell)
-1. Set up a Self-hosted Integration Runtime if you don't have one. See [Self-hosted Integration Runtime](create-self-hosted-integration-runtime.md) article for details.
+2. Make sure to grant access to the key vault where the [Column Master Key (CMK)](/sql/relational-databases/security/encryption/create-and-store-column-master-keys-always-encrypted?view=sql-server-ver15) is stored. Refer to this [article](/sql/relational-databases/security/encryption/create-and-store-column-master-keys-always-encrypted?view=sql-server-ver15#key-vaults) for required permissions.
-2. Download the 64-bit ODBC driver for SQL Server from [here](/sql/connect/odbc/download-odbc-driver-for-sql-server), and install on the Integration Runtime machine. Learn more about how this driver works from [Using Always Encrypted with the ODBC Driver for SQL Server](/sql/connect/odbc/using-always-encrypted-with-the-odbc-driver#using-the-azure-key-vault-provider).
+3. Create linked service to connect to your SQL database and enable 'Always Encrypted' function by using either managed identity or service principal.
-3. Create linked service with ODBC type to connect to your SQL database. To use SQL authentication, specify the ODBC connection string as below, and select **Basic** authentication to set the user name and password.
- ```
- Driver={ODBC Driver 17 for SQL Server};Server=<serverName>;Database=<databaseName>;ColumnEncryption=Enabled;KeyStoreAuthentication=KeyVaultClientSecret;KeyStorePrincipalId=<servicePrincipalKey>;KeyStoreSecret=<servicePrincipalKey>
- ```
-
-4. Create dataset and copy activity with ODBC type accordingly. Learn more from [ODBC connector](connector-odbc.md) article.
+>[!NOTE]
+>SQL Server [Always Encrypted](/sql/relational-databases/security/encryption/always-encrypted-database-engine) supports below scenarios:
+>1. Either source or sink data stores is using managed identity or service principal as key provider authentication type.
+>2. Both source and sink data stores are using managed identity as key provider authentication type.
+>3. Both source and sink data stores are using the same service principal as key provider authentication type.
## Troubleshoot connection issues
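Review bot: The removed steps required a Self-hosted Integration Runtime with the ODBC driver installed; the new steps do not say whether that requirement is gone or whether any integration runtime type now works with Always Encrypted. Add one sentence on the runtime requirement. Step 3 should name the `alwaysEncryptedSettings` property and point to Example 4, step 2 should say that access is granted to the managed identity or service principal used as the key provider credential, and step 1 is missing its closing period.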
databox Data Box Troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/databox/data-box-troubleshoot.md
These are errors related to data exceeding the size of data allowed in a contain
- Identify the folders that have this issue from the error logs and make sure that the files in that folder are under 5 TiB. - The 5 TiB limit does not apply to a storage account that allows large file shares. However, you must have large file shares configured when you place your order. - Contact [Microsoft Support](data-box-disk-contact-microsoft-support.md) and request a new shipping label.
- - [Enable large file shares on the storage account.](../storage/files/storage-files-how-to-create-large-file-share.md#enable-large-files-shares-on-an-existing-account)
- - [Expand the file shares in the storage account](../storage/files/storage-files-how-to-create-large-file-share.md#expand-existing-file-shares) and set the quota to 100 TiB.
+ - [Enable large file shares on the storage account](../storage/files/storage-how-to-create-file-share.md#enable-large-files-shares-on-an-existing-account)
+ - [Expand the file shares in the storage account](../storage/files/storage-how-to-create-file-share.md#expand-existing-file-shares) and set the quota to 100 TiB.
## Object or file size limit errors
digital-twins Concepts Security https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/digital-twins/concepts-security.md
Azure supports two types of managed identities: system-assigned and user-assigne
You can use a system-assigned managed identity for your Azure Digital Instance to authenticate to a [custom-defined endpoint](concepts-route-events.md#create-an-endpoint). Azure Digital Twins supports system-assigned identity-based authentication to endpoints for [Event Hub](../event-hubs/event-hubs-about.md) and [Service Bus](../service-bus-messaging/service-bus-messaging-overview.md) destinations, and to an [Azure Storage Container](../storage/blobs/storage-blobs-introduction.md) endpoint for [dead-letter events](concepts-route-events.md#dead-letter-events). [Event Grid](../event-grid/overview.md) endpoints are currently not supported for managed identities.
-For instructions on how to enable a system-managed identity for Azure Digital Twins and use it to route events, see [How-to: Enable a managed identity for routing events (preview)](./how-to-enable-managed-identities-portal.md).
+For instructions on how to enable a system-managed identity for Azure Digital Twins and use it to route events, see [How-to: Route events with a managed identity](./how-to-route-with-managed-identity.md).
## Private network access with Azure Private Link (preview)
digital-twins How To Enable Managed Identities Cli https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/digital-twins/how-to-enable-managed-identities-cli.md
-
-# Mandatory fields.
Title: Enable a managed identity for routing events (preview) - CLI-
-description: See how to enable a system-assigned identity for Azure Digital Twins and use it to forward events, using the Azure CLI.
-- Previously updated : 02/09/2021---
-# Optional fields. Don't forget to remove # if you need a field.
-#
-#
-#
--
-# Enable a managed identity for routing Azure Digital Twins events (preview): Azure CLI
--
-This article describes how to enable a [system-assigned identity for an Azure Digital Twins instance](concepts-security.md#managed-identity-for-accessing-other-resources-preview) (currently in preview), and use the identity when forwarding events to supported destinations such as [Event Hub](../event-hubs/event-hubs-about.md), [Service Bus](../service-bus-messaging/service-bus-messaging-overview.md) destinations, and [Azure Storage Container](../storage/blobs/storage-blobs-introduction.md).
-
-This article walks you through the process using the [Azure CLI](/cli/azure/what-is-azure-cli).
-
-Here are the steps that are covered in this article:
-
-1. Create an Azure Digital Twins instance with a system-assigned identity or enable system-assigned identity on an existing Azure Digital Twins instance.
-1. Add an appropriate role or roles to the identity. For example, assign the **Azure Event Hub Data Sender** role to the identity if the endpoint is Event Hub, or **Azure Service Bus Data Sender role** if the endpoint is Service Bus.
-1. Create an endpoint in Azure Digital Twins that is able to use system-assigned identities for authentication.
-
-## Enable system-managed identities for an instance
-
-When you enable a system-assigned identity on your Azure Digital Twins instance, Azure automatically creates an identity for it in [Azure Active Directory (Azure AD)](../active-directory/fundamentals/active-directory-whatis.md). That identity can then be used to authenticate to Azure Digital Twins endpoints for event forwarding.
-
-You can enable system-managed identities for an Azure Digital Twins instance **as part of the instance's initial setup**, or **enable it later on an instance that already exists**.
-
-Either of these creation methods will give the same configuration options and the same end result for your instance. This section describes how to do both.
-
-### Add a system-managed identity during instance creation
-
-In this section, you'll learn how to enable a system-managed identity on an Azure Digital Twins instance that is currently being created.
-
-This is done by adding an `--assign-identity` parameter to the `az dt create` command that's used to create the instance. (For more information about this command, see its [reference documentation](/cli/azure/dt#az_dt_create) or the [general instructions for setting up an Azure Digital Twins instance](how-to-set-up-instance-cli.md#create-the-azure-digital-twins-instance)).
-
-To create an instance with a system managed identity, add the `--assign-identity` parameter like this:
-
-```azurecli-interactive
-az dt create --dt-name <new-instance-name> --resource-group <resource-group> --assign-identity
-```
-
-### Add a system-managed identity to an existing instance
-
-In this section, you'll add a system-managed identity to an Azure Digital Twins instance that already exists.
-
-This is also done with the `az dt create` command and `--assign-identity` parameter. Instead of providing a new name of an instance to create, you can provide the name of an instance that already exists to update the value of `--assign-identity` for that instance.
-
-The command to **enable** managed identity is the same as the command to create an instance with a system managed identity. All that changes is the value of the instance name parameter:
-
-```azurecli-interactive
-az dt create --dt-name <name-of-existing-instance> --resource-group <resource-group> --assign-identity
-```
-
-To **disable** managed identity on an instance where it's currently enabled, use the following similar command to set `--assign-identity` to `false`.
-
-```azurecli-interactive
-az dt create --dt-name <name-of-existing-instance> --resource-group <resource-group> --assign-identity false
-```
-
-## Assign Azure roles to the identity
-
-Once a system-assigned identity is created for your Azure Digital Twins instance, you'll need to assign it appropriate roles to authenticate with different types of [endpoints](concepts-route-events.md) for forwarding events to supported destinations. This section describes the role options and how to assign them to the system-assigned identity.
-
->[!NOTE]
-> This is an important stepΓÇöwithout it, the identity won't be able to access your endpoints and events won't be delivered.
-
-### Supported destinations and Azure roles
-
-Here are the minimum roles that an identity needs to access an endpoint, depending on the type of destination. Roles with higher permissions (like Data Owner roles) will also work.
-
-| Destination | Azure role |
-| | |
-| Azure Event Hubs | Azure Event Hubs Data Sender |
-| Azure Service Bus | Azure Service Bus Data Sender |
-| Azure storage container | Storage Blob Data Contributor |
-
-For more about endpoints, routes, and the types of destinations supported for routing in Azure Digital Twins, see [Concepts: Event routes](concepts-route-events.md).
-
-### Assign the role
--
-You can add the `--scopes` parameter onto the `az dt create` command in order to assign the identity to one or more scopes with a specified role. This can be used when first creating the instance, or later by passing in the name of an instance that already exists.
-
-Here is an example that creates an instance with a system managed identity, and assigns that identity a custom role called `MyCustomRole` in an event hub.
-
-```azurecli-interactive
-az dt create --dt-name <instance-name> --resource-group <resource-group> --assign-identity --scopes "/subscriptions/<subscription ID>/resourceGroups/<resource-group>/providers/Microsoft.EventHub/namespaces/<Event-Hubs-namespace>/eventhubs/<event-hub-name>" --role MyCustomRole
-```
-
-For more examples of role assignments with this command, see the [az dt create reference documentation](/cli/azure/dt#az_dt_create).
-
-Alternatively, you can also use the [az role assignment](/cli/azure/role/assignment?view=azure-cli-latest&preserve-view=true) command group to create and manage roles. This can be used to support additional scenarios where you don't want to group role assignment with the create command.
-
-## Create an endpoint with identity-based authentication
-
-After setting up a system-managed identity for your Azure Digital Twins instance and assigning it the appropriate role(s), you can create Azure Digital Twins [endpoints](how-to-manage-routes-portal.md#create-an-endpoint-for-azure-digital-twins) that are capable of using the identity for authentication. This option is only available for Event Hub and Service Bus-type endpoints (it's not supported for Event Grid).
-
->[!NOTE]
-> You cannot edit an endpoint that has already been created with key-based identity to change to identity-based authentication. You must choose the authentication type when the endpoint is first created.
-
-This is done by adding a `--auth-type` parameter to the `az dt endpoint create` command that's used to create the endpoint. (For more information about this command, see its [reference documentation](/cli/azure/dt/endpoint/create?view=azure-cli-latest&preserve-view=true) or the [general instructions for setting up an Azure Digital Twins endpoint](how-to-manage-routes-apis-cli.md#create-the-endpoint)).
-
-To create an endpoint that uses identity-based authentication, specify the `IdentityBased` authentication type with the `--auth-type` parameter. The example below illustrates this for an Event Hubs endpoint.
-
-```azurecli-interactive
-az dt endpoint create eventhub --endpoint-name <endpoint-name> --eventhub-resource-group <eventhub-resource-group> --eventhub-namespace <eventhub-namespace> --eventhub <eventhub-name> --auth-type IdentityBased --dt-name <instance-name>
-```
-
-## Considerations for disabling system-managed identities
-
-Because an identity is managed separately from the endpoints that use it, it's important to consider the effects that any changes to the identity or its roles can have on the endpoints in your Azure Digital Twins instance. If the identity is disabled, or a necessary role for an endpoint is removed from it, the endpoint can become inaccessible and the flow of events will be disrupted.
-
-To continue using an endpoint that was set up with a managed identity that's now been disabled, you'll need to delete the endpoint and [re-create it](how-to-manage-routes-apis-cli.md#create-an-endpoint-for-azure-digital-twins) with a different authentication type. It may take up to an hour for events to resume delivery to the endpoint after this change.
-
-## Next steps
-
-Learn more about managed identities in Azure AD:ΓÇ»
-* [Managed identities for Azure resources](../active-directory/managed-identities-azure-resources/overview.md)
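Review bot: removing this CLI-only version drops the CLI recovery path in "Considerations for disabling system-managed identities", where "re-create it" pointed to how-to-manage-routes-apis-cli.md#create-an-endpoint-for-azure-digital-twins. The replacement section in how-to-route-with-managed-identity.md links only to how-to-manage-routes-portal.md, although that article keeps a CLI tab for every other step. Suggest carrying the CLI link over into the new article, and confirming that inbound links to the removed article are retargeted to the new one.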
digital-twins How To Manage Routes Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/digital-twins/how-to-manage-routes-portal.md
Once you have created the endpoint resources, you can use them for an Azure Digi
1. Finish creating your endpoint by selecting _Save_. >[!IMPORTANT]
-> In order to successfully use identity-based authentication for your endpoint, you'll need to create a managed identity for your instance by following the steps in [How-to: Enable a managed identity for routing events (preview)](./how-to-enable-managed-identities-portal.md).
+> In order to successfully use identity-based authentication for your endpoint, you'll need to create a managed identity for your instance by following the steps in [How-to: Route events with a managed identity](./how-to-route-with-managed-identity.md).
After creating your endpoint, you can verify that the endpoint was successfully created by checking the notification icon in the top Azure portal bar:
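Review bot: the new link text on the added line, "How-to: Route events with a managed identity", drops the "(preview)" qualifier that the old link text carried, while the target article is still titled "Route events with a managed identity (preview)" and describes the system-assigned identity as currently in preview. Suggest keeping "(preview)" in the link text so that readers of this IMPORTANT note can see that identity-based authentication depends on a preview feature.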
digital-twins How To Route With Managed Identity https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/digital-twins/how-to-route-with-managed-identity.md
+
+# Mandatory fields.
+ Title: Route events with a managed identity (preview)
+
+description: See how to enable a system-assigned identity for Azure Digital Twins and use it to forward events, using the Azure portal or CLI.
++ Last updated : 6/15/2021++++
+# Optional fields. Don't forget to remove # if you need a field.
+#
+#
+#
++
+# Enable a managed identity for routing Azure Digital Twins events (preview)
+
+This article describes how to enable a [system-assigned identity for an Azure Digital Twins instance](concepts-security.md#managed-identity-for-accessing-other-resources-preview) (currently in preview), and use the identity when forwarding events to supported routing destinations. Setting up a managed identity is not required for routing, but it can help the instance to easily access other Azure AD-protected resources, such as [Event Hub](../event-hubs/event-hubs-about.md), [Service Bus](../service-bus-messaging/service-bus-messaging-overview.md) destinations, and [Azure Storage Container](../storage/blobs/storage-blobs-introduction.md).
+
+Here are the steps that are covered in this article:
+
+1. Create an Azure Digital Twins instance with a system-assigned identity or enable system-assigned identity on an existing Azure Digital Twins instance.
+1. Add an appropriate role or roles to the identity. For example, assign the **Azure Event Hub Data Sender** role to the identity if the endpoint is Event Hub, or **Azure Service Bus Data Sender role** if the endpoint is Service Bus.
+1. Create an endpoint in Azure Digital Twins that is able to use system-assigned identities for authentication.
+
+## Enable system-managed identity for the instance
+
+When you enable a system-assigned identity on your Azure Digital Twins instance, Azure automatically creates an identity for it in [Azure Active Directory (Azure AD)](../active-directory/fundamentals/active-directory-whatis.md). That identity can then be used to authenticate to Azure Digital Twins endpoints for event forwarding.
+
+You can enable system-managed identities for an Azure Digital Twins instance **as part of the instance's initial setup**, or **enable it later on an instance that already exists**.
+
+Either of these creation methods will give the same configuration options and the same end result for your instance. This section describes how to do both.
+
+### Add a system-managed identity during instance creation
+
+In this section, you'll learn how to enable a system-managed identity for an Azure Digital Twins instance while the instance is being created. You can enable the identity whether you are creating the instance with the [Azure portal](https://portal.azure.com) or the [Azure CLI](/cli/azure/what-is-azure-cli). Use the tabs below to select instructions for your preferred experience.
+
+# [Portal](#tab/portal)
+
+To add a managed identity during instance creation in the portal, begin [creating an instance as you normally would](how-to-set-up-instance-portal.md).
+
+The system-managed identity option is located in the **Advanced** tab of instance setup.
+
+In this tab, select the **On** option for **System managed identity** to turn on this feature.
++
+You can then use the bottom navigation buttons to continue with the rest of instance setup.
+
+# [CLI](#tab/cli)
+
+In the CLI, you can add an `--assign-identity` parameter to the `az dt create` command that's used to create the instance. (For more information about this command, see its [reference documentation](/cli/azure/dt#az_dt_create) or the [general instructions for setting up an Azure Digital Twins instance](how-to-set-up-instance-cli.md#create-the-azure-digital-twins-instance)).
+
+To create an instance with a system managed identity, add the `--assign-identity` parameter like this:
+
+```azurecli-interactive
+az dt create --dt-name <new-instance-name> --resource-group <resource-group> --assign-identity
+```
+++
+### Add a system-managed identity to an existing instance
+
+In this section, you'll add a system-managed identity to an Azure Digital Twins instance that already exists. Use the tabs below to select instructions for your preferred experience.
+
+# [Portal](#tab/portal)
+
+Start by opening the [Azure portal](https://portal.azure.com) in a browser.
+
+1. Search for the name of your instance in the portal search bar, and select it to view its details.
+
+1. Select **Identity (preview)** in the left-hand menu.
+
+1. On this page, select the **On** option to turn on this feature.
+
+1. Select the **Save** button, and **Yes** to confirm.
+
+ :::image type="content" source="media/how-to-enable-managed-identities/identity-digital-twins.png" alt-text="Screenshot of the Azure portal showing the Identity (preview) page for an Azure Digital Twins instance.":::
+
+After the change is saved, more fields will appear on this page for the new identity's **Object ID** and **Permissions**.
+
+You can copy the **Object ID** from here if needed, and use the **Permissions** button to view the Azure roles that are assigned to the identity. To set up some roles, continue to the next section.
+
+# [CLI](#tab/cli)
+
+Again, you can add the identity to your instance by using the `az dt create` command and `--assign-identity` parameter. Instead of providing a new name of an instance to create, you can provide the name of an instance that already exists to update the value of `--assign-identity` for that instance.
+
+The command to **enable** managed identity is the same as the command to create an instance with a system managed identity. All that changes is the value of the instance name parameter:
+
+```azurecli-interactive
+az dt create --dt-name <name-of-existing-instance> --resource-group <resource-group> --assign-identity
+```
+
+To **disable** managed identity on an instance where it's currently enabled, use the following similar command to set `--assign-identity` to `false`.
+
+```azurecli-interactive
+az dt create --dt-name <name-of-existing-instance> --resource-group <resource-group> --assign-identity false
+```
+++
+## Assign Azure roles to the identity
+
+Once a system-assigned identity is created for your Azure Digital Twins instance, you'll need to assign it appropriate roles to authenticate with different types of [endpoints](concepts-route-events.md) for forwarding events to supported destinations. This section describes the role options and how to assign them to the system-assigned identity.
+
+>[!NOTE]
+> This is an important stepΓÇöwithout it, the identity won't be able to access your endpoints and events won't be delivered.
+
+### Supported destinations and Azure roles
+
+Here are the minimum roles that an identity needs to access an endpoint, depending on the type of destination. Roles with higher permissions (like Data Owner roles) will also work.
+
+| Destination | Azure role |
+| | |
+| Azure Event Hubs | Azure Event Hubs Data Sender |
+| Azure Service Bus | Azure Service Bus Data Sender |
+| Azure storage container | Storage Blob Data Contributor |
+
+For more about endpoints, routes, and the types of destinations supported for routing in Azure Digital Twins, see [Concepts: Event routes](concepts-route-events.md).
+
+### Assign the role
++
+Use the tabs below to select instructions for your preferred experience.
+
+# [Portal](#tab/portal)
+
+To assign a role to the identity, start by opening the [Azure portal](https://portal.azure.com) in a browser.
+
+1. Navigate to your endpoint resource (your event hub, Service Bus topic, or storage container) by searching for its name in the portal search bar.
+
+1. Select **Access control (IAM)**.
+
+1. Select **Add** > **Add role assignment** to open the Add role assignment page.
+
+1. Assign the desired role to the managed identity of your Azure Digital Twins instance, using the information below. For detailed steps, see [Assign Azure roles using the Azure portal](../role-based-access-control/role-assignments-portal.md).
+
+ | Setting | Value |
+ | | |
+ | Role | Select the desired role from the dropdown menu. |
+ | Assign access to | Under **System assigned managed identity**, select **Digital Twins**. |
+ | Members | Select the managed identity of your Azure Digital Twins instance that's being assigned the role. The name of the managed identity matches the name of the instance, so choose the name of your Azure Digital Twins instance. |
+
+ ![Add role assignment page](../../includes/role-based-access-control/media/add-role-assignment-page.png)
+
+# [CLI](#tab/cli)
+
+You can add the `--scopes` parameter onto the `az dt create` command in order to assign the identity to one or more scopes with a specified role. This can be used when first creating the instance, or later by passing in the name of an instance that already exists.
+
+Here is an example that creates an instance with a system managed identity, and assigns that identity a custom role called `MyCustomRole` in an event hub.
+
+```azurecli-interactive
+az dt create --dt-name <instance-name> --resource-group <resource-group> --assign-identity --scopes "/subscriptions/<subscription ID>/resourceGroups/<resource-group>/providers/Microsoft.EventHub/namespaces/<Event-Hubs-namespace>/eventhubs/<event-hub-name>" --role MyCustomRole
+```
+
+For more examples of role assignments with this command, see the [az dt create reference documentation](/cli/azure/dt#az_dt_create).
+
+Alternatively, you can also use the [az role assignment](/cli/azure/role/assignment?view=azure-cli-latest&preserve-view=true) command group to create and manage roles. This can be used to support additional scenarios where you don't want to group role assignment with the create command.
+++
+## Create an endpoint with identity-based authentication
+
+After setting up a system-managed identity for your Azure Digital Twins instance and assigning it the appropriate role(s), you can create Azure Digital Twins [endpoints](how-to-manage-routes-portal.md#create-an-endpoint-for-azure-digital-twins) that are capable of using the identity for authentication. This option is only available for Event Hub and Service Bus-type endpoints (it's not supported for Event Grid).
+
+>[!NOTE]
+> You cannot edit an endpoint that has already been created with key-based identity to change to identity-based authentication. You must choose the authentication type when the endpoint is first created.
+
+Use the tabs below to select instructions for your preferred experience.
+
+# [Portal](#tab/portal)
+
+Start following the [instructions to create an Azure Digital Twins endpoint](how-to-manage-routes-portal.md#create-an-endpoint-for-azure-digital-twins).
+
+When you get to the step of completing the details required for your endpoint type, make sure to select **Identity-based** for the Authentication type.
+
+ :::column:::
+ :::image type="content" source="media/how-to-manage-routes-portal/create-endpoint-event-hub-authentication.png" alt-text="Screenshot of creating an endpoint of type Event Hub." lightbox="media/how-to-manage-routes-portal/create-endpoint-event-hub-authentication.png":::
+ :::column-end:::
+ :::column:::
+ :::column-end:::
+
+Finish setting up your endpoint and select **Save**.
+
+# [CLI](#tab/cli)
+
+Creating the endpoint with the CLI is done by adding a `--auth-type` parameter to the `az dt endpoint create` command that's used to create the endpoint. (For more information about this command, see its [reference documentation](/cli/azure/dt/endpoint/create?view=azure-cli-latest&preserve-view=true) or the [general instructions for setting up an Azure Digital Twins endpoint](how-to-manage-routes-apis-cli.md#create-the-endpoint)).
+
+To create an endpoint that uses identity-based authentication, specify the `IdentityBased` authentication type with the `--auth-type` parameter. The example below illustrates this for an Event Hubs endpoint.
+
+```azurecli-interactive
+az dt endpoint create eventhub --endpoint-name <endpoint-name> --eventhub-resource-group <eventhub-resource-group> --eventhub-namespace <eventhub-namespace> --eventhub <eventhub-name> --auth-type IdentityBased --dt-name <instance-name>
+```
+++
+## Considerations for disabling system-managed identities
+
+Because an identity is managed separately from the endpoints that use it, it's important to consider the effects that any changes to the identity or its roles can have on the endpoints in your Azure Digital Twins instance. If the identity is disabled, or a necessary role for an endpoint is removed from it, the endpoint can become inaccessible and the flow of events will be disrupted.
+
+To continue using an endpoint that was set up with a managed identity that's now been disabled, you'll need to delete the endpoint and [re-create it](how-to-manage-routes-portal.md#create-an-endpoint-for-azure-digital-twins) with a different authentication type. It may take up to an hour for events to resume delivery to the endpoint after this change.
+
+## Next steps
+
+Learn more about managed identities in Azure AD:ΓÇ»
+* [Managed identities for Azure resources](../active-directory/managed-identities-azure-resources/overview.md)
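Review bot: the CLI example under "Assign the role" uses `--role MyCustomRole`, which a reader cannot map to the minimum-role table just above it. Suggest showing the least-privileged built-in role for the scope instead, for example `--role "Azure Event Hubs Data Sender"` for the event hub scope in the example, and stating next to "Roles with higher permissions (like Data Owner roles) will also work" that the minimum role is the preferred choice. Smaller points in the same file: step 2 of the overview list names "Azure Event Hub Data Sender" while the table names "Azure Event Hubs Data Sender"; the NOTE under "Create an endpoint with identity-based authentication" says "key-based identity" where "key-based authentication" is meant; the intro and the role table list a storage container as a destination, but the endpoint section says identity-based authentication is only available for Event Hub and Service Bus endpoints, without saying where the Storage Blob Data Contributor role applies; the metadata title ("Route events with a managed identity (preview)") and the H1 ("Enable a managed identity for routing Azure Digital Twins events (preview)") differ; and the NOTE under "Assign Azure roles to the identity" and the "Next steps" line contain mis-encoded characters ("ΓÇö", "ΓÇ»") that should be a plain dash and a normal space.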
event-grid Event Schema Farmbeats https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/event-grid/event-schema-farmbeats.md
+
+ Title: Azure FarmBeats as Event Grid source
+description: Describes the properties and schema provided for Azure FarmBeats events with Azure Event Grid
+ Last updated : 06/06/2021+
+# Azure FarmBeats as Event Grid source
+This article provides the properties and schema for Azure FarmBeats events. For an introduction to event schemas, see [Azure Event Grid event schema](event-schema.md).
+
+## Available event types
+
+|Event Name | Description|
+|--|-|
+|Microsoft.AgFoodPlatform.FarmerChanged|Published when a farmer is created /updated/deleted.
+|Microsoft.AgFoodPlatform.FarmChanged| Published when a farm is created/updated/deleted.
+|Microsoft.AgFoodPlatform.BoundaryChanged|Published when a boundary is created /updated/deleted.
+|Microsoft.AgFoodPlatform.FieldChanged|Published when a field is created /updated/deleted.
+|Microsoft.AgFoodPlatform.SeasonalField Changed|Published when a seasonal field is created /updated/deleted.
+|Microsoft.AgFoodPlatform.SeasonChanged|Published when a season is created /updated/deleted.
+|Microsoft.AgFoodPlatform.CropChanged|Published when a crop is created /updated/deleted.
+|Microsoft.AgFoodPlatform.CropVarietyChanged|Published when a crop variety is created /updated/deleted.
+|Microsoft.AgFoodPlatform.SatelliteDataIngestionJobStatusChange| Published when a satellite data ingestion job's status changes, for example, job is created, has progressed or completed.
+|Microsoft.AgFoodPlatform.WeatherDataIngestionJobStatusChange|Published when a satellite data ingestion job's status changes, for example, job is created, has progressed or completed.
+|Microsoft.AgFoodPlatform.FarmOperationDataIngestionJobStatusChange| Published when a satellite data ingestion job's status changes, for example, job is created, has progressed or completed.
+|Microsoft.AgFoodPlatform.ApplicationDataChanged|Published when application data is created /updated/deleted. This event is associate with farm operations data.
+|Microsoft.AgFoodPlatform.HarvestingDataChanged|Published when harvesting data is created /updated/deleted.This event is associated with farm operations data.
+|Microsoft.AgFoodPlatform.TillageDataChanged|Published when a tillage data is created or updated or deleted. This event is associated with farm operations data.
+|Microsoft.AgFoodPlatform.PlantingDataChanged|Published when planting data is created /updated/deleted.This event is associated with farm operations data.
+
+## Event Properties
+Each FarmBeats event has two parts, one that is common across events and another (a data object) which contains properties specific to each event.
+
+The part common across events is elaborated in the following schema.
+
+### Event Grid event schema
+An event has the following top-level data:
+
+| Property | Type | Description |
+| -- | - | -- |
+| `topic` | string | Full resource path to the event source. This field isn't writeable. Event Grid provides this value. |
+| `subject` | string | Publisher-defined path to the event subject. |
+| `eventType` | string | One of the registered event types for this event source. |
+| `eventTime` | string | The time the event is generated based on the provider's UTC time. |
+| `id` | string | Unique identifier for the event. |
+| `data` | object | App Configuration event data. |
+| `dataVersion` | string | The schema version of the data object. The publisher defines the schema version. |
+| `metadataVersion` | string | The schema version of the event metadata. Event Grid defines the schema of the top-level properties. Event Grid provides this value. |
++
+The tables below elaborate on the properties within data object for each event.
+
+*For FarmerChanged, FarmChanged, SeasonChanged, CropChanged, CropVarietyChanged FarmBeats events, the data object contains following properties:*
+
+|Property | Type| Description|
+|-| -| -|
+id| string| User-defined ID of the resource, such as Farm ID, Farmer ID etc.
+actionType| string| Indicates the change triggered during publishing of the event. Applicable values are Created, Updated, Deleted
+status| string| Contains the user-defined status of the resource.
+properties| object| It contains user-defined key-value pairs
+modifiedDateTime| date-time|Date-time when resource was last modified, sample format: yyyy-MM-ddTHH:mm:ssZ.
+createdDateTime|date-time|Date-time when resource was created, sample format: yyyy-MM-ddTHH:mm:ssZ.
+eTag| string| Implements optimistic concurrency
+description| string| Textual description of the resource
++
+*BoundaryChanged FarmBeats events have the following data object:*
+
+|Property | Type| Description|
+|-| -| -|
+id| string| User-defined ID of boundary
+actionType| string| Indicates the change that is triggered during publishing of the event. Applicable values are Created, Updated, Deleted.
+parentId| string| ID of the parent boundary belongs to.
+parentType| string| Type of the parent boundary belongs to.
+isPrimary| boolean| Indicates if the boundary is primary.
+farmerId| string| Contains the ID of the farmer associated with boundary.
+properties| object| It contains user-defined key-value pairs.
+modifiedDateTime| date-time|Date-time when resource was last modified, sample format: yyyy-MM-ddTHH:mm:ssZ.
+createdDateTime|date-time|Date-time when resource was created, sample format: yyyy-MM-ddTHH:mm:ssZ.
+status| string| Contains user-defined status of the resource.
+eTag| string| Implements optimistic concurrency.
+description| string| Textual description of the resource.
+
+*FieldChanged FarmBeats events have the following data object:*
+
+Property| Type| Description
+|-| -| -|
+id| string| User-defined ID of the field
+farmId| string| User-defined ID of the farm that field is associated with
+farmerId| string| User-defined ID of the farmer that field is associated with
+name| string| User-defined name of the field
+actionType| string| Indicates the change that triggered publishing of the event. Applicable values are Created, Updated, Deleted
+properties| object| It contains user-defined key-value pairs
+modifiedDateTime| date-time|Date-time when resource was last modified, sample format: yyyy-MM-ddTHH:mm:ssZ.
+createdDateTime|date-time|Date-time when resource was created, sample format: yyyy-MM-ddTHH:mm:ssZ.
+status| string| Contains the user-defined status of the resource.
+eTag| string| Implements optimistic concurrency
+description|string| Textual description of the resource
+
+*SeasonalFieldChanged FarmBeats events have the following data object:*
+
+Property| Type| Description
+|-| -| -|
+id| string| User-defined ID of the seasonal field
+farmId| string| User-defined ID of the farm that seasonal field is associated with
+farmerId| string| User-defined ID of the farmer that seasonal field is associated with
+seasonId| string| User-defined ID of the season that seasonal field is associated with
+fieldId| string| User-defined ID of the field that seasonal field is associated with
+name| string| User-defined name of the seasonal field
+actionType| string| Indicates the change that triggered publishing of the event. Applicable values are Created, Updated, Deleted
+properties| object| It contains user-defined key-value pairs
+modifiedDateTime| date-time|Date-time when resource was last modified, sample format: yyyy-MM-ddTHH:mm:ssZ.
+createdDateTime|date-time|Date-time when resource was created, sample format: yyyy-MM-ddTHH:mm:ssZ.
+status| string| Contains the user-defined status of the resource.
+eTag| string| Implements optimistic concurrency
+description| string| Textual description of the resource
+
+*SatelliteDataIngestionJobChange, WeatherDataIngestionJobChange, and FarmOperationsDataIngestionJobChange FarmBeats events have the following data object:*
+
+Property| Type| Description
+|-|-|-|
+id|String| Unique ID of the job.
+name| string| User-defined name of the job.
+status|string|Various states a job can be in.
+isCancellationRequested| boolean|Flag that gets set when job cancellation is requested.
+description|string| Textual description of the job.
+farmerId|string| ID of the farmer for which job was created.
+message|string| Status message to capture more details of the job.
+lastActionDateTime|date-time|Date-time when last action was taken on the job, sample format: yyyy-MM-ddTHH:mm:ssZ.
+createdDateTime|date-time|Date-time when resource was created, sample format: yyyy-MM-ddTHH:mm:ssZ.
++
+*FarmBeats farm operations data change events such as ApplicationDataChanged, HarvestingDataChanged, PlantingDataChanged, and TillageDataChanged have the following data object:*
+
+Property| Type| Description
+|-|-|-|
+id| string| User-defined ID of the resource, such as Farm ID, Farmer ID etc.
+status| string| Contains the status of the job.
+actionType|string|
+source| string| Message from FarmBeats giving details about the job.
+modifiedDateTime| date-time|Date-time when resource was last modified, sample format: yyyy-MM-ddTHH:mm:ssZ.
+createdDateTime|date-time|Date-time when resource was created, sample format: yyyy-MM-ddTHH:mm:ssZ.
+eTag| string| Implements optimistic concurrency
+description|string| Textual description of the resource
++
+## Sample events
+These event samples represent an event notification.
+
+**Event type: Microsoft.AgFoodPlatform.FarmerChanged**
+
+```json
+{
+ "data": {
+ "actionType": "Created",
+ "status": "Sample status",
+ "modifiedDateTime": "2021-03-05T10:53:28Z",
+ "eTag": "860197cc-0000-0700-0000-60420da80000",
+ "id": "UNIQUE-FARMER-ID",
+ "name": "sample farmer",
+ "description": "Sample description",
+ "createdDateTime": "2021-03-05T10:53:28Z",
+ "properties": {
+ "key1": "value1",
+ "key2": 123.45
+ }
+ },
+ "id": "81fbe1de-4ae4-4284-964f-59da80a6bfe7",
+ "topic": "/subscriptions/{SUBSCRIPTION-ID}/resourceGroups/{RESOURCE-GROUP-NAME}/providers/Microsoft.AgFoodPlatform/farmBeats/{FARMBEATS-RESOURCE-NAME}",
+ "subject": "/farmers/UNIQUE-FARMER-ID",
+ "eventType": "Microsoft.AgFoodPlatform.FarmerChanged",
+ "dataVersion": "1.0",
+ "metadataVersion": "1",
+ "eventTime": "2021-03-05T10:53:28.2783745Z"
+ }
+```
+
+**Event type: Microsoft.AgFoodPlatform.FarmChanged**
+
+```json
+ {
+ "data": {
+ "farmerId": "UNIQUE-FARMER-ID",
+ "actionType": "Created",
+ "status": "Sample status",
+ "modifiedDateTime": "2021-03-05T10:55:57Z",
+ "eTag": "8601e3d5-0000-0700-0000-60420e3d0000",
+ "id": "UNIQUE-FARM-ID",
+ "name": "Display name",
+ "description": "Sample description",
+ "createdDateTime": "2021-03-05T10:55:57Z",
+ "properties": {
+ "key1": "value1",
+ "key2": 123.45
+ }
+ },
+ "id": "31a31be7-51fb-48f3-adfd-6fb4400be002",
+ "topic": "/subscriptions/{SUBSCRIPTION-ID}/resourceGroups/{RESOURCE-GROUP-NAME}/providers/Microsoft.AgFoodPlatform/farmBeats/{FARMBEATS-RESOURCE-NAME}",
+ "subject": "/farmers/UNIQUE-FARMER-ID/farms/UNIQUE-FARM-ID",
+ "eventType": "Microsoft.AgFoodPlatform.FarmChanged",
+ "dataVersion": "1.0",
+ "metadataVersion": "1",
+ "eventTime": "2021-03-05T10:55:57.6026173Z"
+ }
+```
+**Event type: Microsoft.AgFoodPlatform.BoundaryChanged**
+
+```json
+ {
+ "data": {
+ "farmerId": "UNIQUE-FARMER-ID",
+ "parentId": "OPTIONAL-UNIQUE-FIELD-ID",
+ "isPrimary": true,
+ "actionType": "Created",
+ "modifiedDateTime": "2021-03-05T11:15:29Z",
+ "eTag": "860109f7-0000-0700-0000-604212d10000",
+ "id": "UNIQUE-BOUNDARY-ID",
+ "name": "Display name",
+ "description": "Sample description",
+ "createdDateTime": "2021-03-05T11:15:29Z"
+ },
+ "id": "3d3453b2-5a94-45a7-98eb-fc2979a00317",
+ "topic": "/subscriptions/{SUBSCRIPTION-ID}/resourceGroups/{RESOURCE-GROUP-NAME}/providers/Microsoft.AgFoodPlatform/farmBeats/{FARMBEATS-RESOURCE-NAME}",
+ "subject": "/farmers/UNIQUE-FARMER-ID/boundaries/UNIQUE-BOUNDARY-ID",
+ "eventType": "Microsoft.AgFoodPlatform.BoundaryChanged",
+ "dataVersion": "1.0",
+ "metadataVersion": "1",
+ "eventTime": "2021-03-05T11:15:29.4797354Z"
+ }
+ ```
+
+**Event type: Microsoft.AgFoodPlatform.FieldChanged**
+
+```json
+ {
+ "data": {
+ "farmerId": "UNIQUE-FARMER-ID",
+ "farmId": "UNIQUE-FARM-ID",
+ "actionType": "Created",
+ "status": "Sample status",
+ "modifiedDateTime": "2021-03-05T10:58:43Z",
+ "eTag": "860124dc-0000-0700-0000-60420ee30000",
+ "id": "UNIQUE-FIELD-ID",
+ "name": "Display name",
+ "description": "Sample description",
+ "createdDateTime": "2021-03-05T10:58:43Z",
+ "properties": {
+ "key1": "value1",
+ "key2": 123.45
+ }
+ },
+ "id": "1ad04ed0-ac05-4c4e-aa3d-87facb3cc97c",
+ "topic": "/subscriptions/{SUBSCRIPTION-ID}/resourceGroups/{RESOURCE-GROUP-NAME}/providers/Microsoft.AgFoodPlatform/farmBeats/{FARMBEATS-RESOURCE-NAME}",
+ "subject": "/farmers/UNIQUE-FARMER-ID/fields/UNIQUE-FIELD-ID",
+ "eventType": "Microsoft.AgFoodPlatform.FieldChanged",
+ "dataVersion": "1.0",
+ "metadataVersion": "1",
+ "eventTime": "2021-03-05T10:58:43.3222921Z"
+ }
+ ```
+**Event type: Microsoft.AgFoodPlatform.SeasonalFieldChanged**
+```json
+ {
+ "data": {
+ "farmerId": "UNIQUE-FARMER-ID",
+ "seasonId": "UNIQUE-SEASON-ID",
+ "fieldId": "UNIQUE-FIELD-ID",
+ "farmId": "UNIQUE-FARM-ID",
+ "actionType": "Created",
+ "status": "Sample status",
+ "modifiedDateTime": "2021-03-05T11:24:56Z",
+ "eTag": "8701300b-0000-0700-0000-604215080000",
+ "id": "UNIQUE-SEASONAL-FIELD-ID",
+ "name": "Display name",
+ "description": "Sample description",
+ "createdDateTime": "2021-03-05T11:24:56Z",
+ "properties": {
+ "key1": "value1",
+ "key2": 123.45
+ }
+ },
+ "id": "ff59a0a3-6226-42c0-9e70-01da55efa797",
+ "topic": "/subscriptions/{SUBSCRIPTION-ID}/resourceGroups/{RESOURCE-GROUP-NAME}/providers/Microsoft.AgFoodPlatform/farmBeats/{FARMBEATS-RESOURCE-NAME}",
+ "subject": "/farmers/UNIQUE-FARMER-ID/seasonalFields/UNIQUE-SEASONAL-FIELD-ID",
+ "eventType": "Microsoft.AgFoodPlatform.SeasonalFieldChanged",
+ "dataVersion": "1.0",
+ "metadataVersion": "1",
+ "eventTime": "2021-03-05T11:24:56.4210287Z"
+ }
+```
+**Event type: Microsoft.AgFoodPlatform.SeasonChanged**
+```json
+ {
+ "data": {
+ "actionType": "Created",
+ "status": "Sample status",
+ "modifiedDateTime": "2021-03-05T11:18:38Z",
+ "eTag": "86019afd-0000-0700-0000-6042138e0000",
+ "id": "UNIQUE-SEASON-ID",
+ "name": "Display name",
+ "description": "Sample description",
+ "createdDateTime": "2021-03-05T11:18:38Z",
+ "properties": {
+ "key1": "value1",
+ "key2": 123.45
+ }
+ },
+ "id": "63989475-397b-4b92-8160-8743bf8e5804",
+ "topic": "/subscriptions/{SUBSCRIPTION-ID}/resourceGroups/{RESOURCE-GROUP-NAME}/providers/Microsoft.AgFoodPlatform/farmBeats/{FARMBEATS-RESOURCE-NAME}",
+ "subject": "/seasons/UNIQUE-SEASON-ID",
+ "eventType": "Microsoft.AgFoodPlatform.SeasonChanged",
+ "dataVersion": "1.0",
+ "metadataVersion": "1",
+ "eventTime": "2021-03-05T11:18:38.5804699Z"
+ }
+ ```
+
+ **Event type: Microsoft.AgFoodPlatform.CropChanged**
+
+```json
+ {
+ "data": {
+ "actionType": "Created",
+ "status": "Sample status",
+ "modifiedDateTime": "2021-03-05T11:03:48Z",
+ "eTag": "8601c4e5-0000-0700-0000-604210150000",
+ "id": "UNIQUE-CROP-ID",
+ "name": "Display name",
+ "description": "Sample description",
+ "createdDateTime": "2021-03-05T11:03:48Z",
+ "properties": {
+ "key1": "value1",
+ "key2": 123.45
+ }
+ },
+ "id": "4c59a797-b76d-48ec-8915-ceff58628f35",
+ "topic": "/subscriptions/{SUBSCRIPTION-ID}/resourceGroups/{RESOURCE-GROUP-NAME}/providers/Microsoft.AgFoodPlatform/farmBeats/{FARMBEATS-RESOURCE-NAME}",
+ "subject": "/crops/UNIQUE-CROP-ID",
+ "eventType": "Microsoft.AgFoodPlatform.CropChanged",
+ "dataVersion": "1.0",
+ "metadataVersion": "1",
+ "eventTime": "2021-03-05T11:03:49.0590658Z"
+ }
+ ```
+
+**Event type: Microsoft.AgFoodPlatform.CropVarietyChanged**
+
+```json
+ {
+ "data": {
+ "cropId": "UNIQUE-CROP-ID",
+ "actionType": "Created",
+ "status": "string",
+ "modifiedDateTime": "2021-03-05T11:10:21Z",
+ "eTag": "860130ef-0000-0700-0000-6042119d0000",
+ "id": "UNIQUE-CROP-VARIETY-ID",
+ "name": "Sample status",
+ "description": "Sample description",
+ "createdDateTime": "2021-03-05T11:10:21Z",
+ "properties": {
+ "key1": "value1",
+ "key2": 123.45
+ }
+ },
+ "id": "29aefdb9-d648-442c-81f8-694f3f47583c",
+ "topic": "/subscriptions/{SUBSCRIPTION-ID}/resourceGroups/{RESOURCE-GROUP-NAME}/providers/Microsoft.AgFoodPlatform/farmBeats/{FARMBEATS-RESOURCE-NAME}",
+ "subject": "/cropVarieties/UNIQUE-CROP-VARIETY-ID",
+ "eventType": "Microsoft.AgFoodPlatform.CropVarietyChanged",
+ "dataVersion": "1.0",
+ "metadataVersion": "1",
+ "eventTime": "2021-03-05T11:10:21.4572495Z"
+ }
+```
+**Event type: Microsoft.AgFoodPlatform.SatelliteDataIngestionJobStatusChange**
+```json
+[
+ {
+ "data": {
+ "farmerId": "UNIQUE - FARMER - ID",
+ "message": "Created job 'job1' to fetch satellite data for boundary 'boundary1' from startDate '06/01/2021' to endDate '06/01/2021' (both inclusive).",
+ "status": "Waiting",
+ "lastActionDateTime": "2021-06-01T11:25:37.8634096Z",
+ "isCancellationRequested": false,
+ "id": "UNIQUE - JOB - ID",
+ "name": "samplejob",
+ "description": "Sample for testing events",
+ "createdDateTime": "2021-06-01T11:25:32.3421173Z",
+ "properties": {
+ "key1": "testvalue1",
+ "key2": 123.45
+ }
+ },
+ "id": "925c6be2-6561-4572-b7dd-0f3084a54567",
+ "topic": "/subscriptions/{Subscription -ID}/resourceGroups/{RESOURCE - GROUP - NAME}/providers/Microsoft.AgFoodPlatform/farmBeats/{FARMBEATS-RESOURCE-NAME}",
+ "subject": "/farmers/{UNIQUE-FARMER-ID}/satelliteDataIngestionJobs/{UNIQUE-JOB-ID}",
+ "eventType": "Microsoft.AgFoodPlatform.SatelliteDataIngestionJobStatusChanged",
+ "dataVersion": "1.0",
+ "metadataVersion": "1",
+ "eventTime": "2021-06-01T11:25:37.8634764Z"
+ }
+]
+```
+**Event type: Microsoft.AgFoodPlatform.WeatherDataIngestionJobStatusChange**
+```json
+[
+ {
+ "data": {
+ "farmerId": "UNIQUE-FARMER-ID",
+ "message": "Created job to fetch weather data for job name 'job2', farmer id 'farmer2' and boundary id 'boundary2'.",
+ "status": "Running",
+ "lastActionDateTime": "2021-06-01T11:22:27.9031003Z",
+ "isCancellationRequested": false,
+ "id": "UNIQUE-JOB-ID",
+ "createdDateTime": "2021-06-01T07:13:54.8843617Z"
+ },
+ "id": "ec30313a-ff2f-4b50-882b-31188113c15b",
+ "topic": "/subscriptions/{Subscription -ID}/resourceGroups/{RESOURCE - GROUP - NAME}/providers/Microsoft.AgFoodPlatform/farmBeats/{FARMBEATS-RESOURCE-NAME}",
+ "subject": "/farmers/UNIQUE-FARMER-ID/weatherDataIngestionJobs/UNIQUE-JOB-ID",
+ "eventType": "Microsoft.AgFoodPlatform.WeatherDataIngestionJobStatusChanged",
+ "dataVersion": "1.0",
+ "metadataVersion": "1",
+ "eventTime": "2021-06-01T11:22:27.9031302Z"
+ }
+]
+
+```
+**Event type: Microsoft.AgFoodPlatform.FarmOperationDataIngestionJobStatusChange**
+```json
+[
+ {
+ "data": {
+ "farmerId": "UNIQUE-FARMER-ID",
+ "message": "Job completed successfully. Data statistics:{ Processed operations count = 6, Organizations count = 1, Processed organizations count = 1, Processed fields count = 2, Operations count = 6, ShapefileAttachmentsCount = 0, Fields count = 2 }",
+ "status": "Succeeded",
+ "lastActionDateTime": "2021-06-01T11:30:54.733625Z",
+ "isCancellationRequested": false,
+ "id": "UNIQUE-JOB-ID",
+ "name": "sample-job",
+ "description": "sample description",
+ "createdDateTime": "2021-06-01T11:30:39.0905288Z",
+ "properties": {
+ "key1": "value1",
+ "key2": 123.45
+ }
+ },
+ "id": "ebdbb7a1-ad28-4af7-b3a2-a4a3a2dd1b4f",
+ "topic": "/subscriptions/{Subscription -ID}/resourceGroups/{RESOURCE - GROUP - NAME}/providers/Microsoft.AgFoodPlatform/farmBeats/{FARMBEATS-RESOURCE-NAME}",
+ "subject": "/farmers/UNIQUE-FARMER-ID/farmOperationDataIngestionJobs/UNIQUE-JOB-ID",
+ "eventType": "Microsoft.AgFoodPlatform.FarmOperationDataIngestionJobStatusChanged",
+ "dataVersion": "1.0",
+ "metadataVersion": "1",
+ "eventTime": "2021-06-01T11:30:54.733671Z"
+ }
+]
+
+```
+**Event type: Microsoft.AgFoodPlatform.ApplicationDataChanged**
+
+```json
+ {
+ "data": {
+ "actionType": "Updated",
+ "farmerId": "UNIQUE-FARMER-ID",
+ "source": "Sample source",
+ "modifiedDateTime": "2021-03-05T11:27:24Z",
+ "eTag": "87011311-0000-0700-0000-6042159c0000",
+ "id": "UNIQUE-APPLICATION-DATA-ID",
+ "status": "Sample status",
+ "name": "sample name",
+ "description": "Sample description",
+ "createdDateTime": "2021-03-05T11:27:24Z",
+ "properties": {
+ "key1": "value1",
+ "key2": 123.45
+ }
+ },
+ "id": "e499f6c4-63ba-4217-8261-0c6cb0e398d2",
+ "topic": "/subscriptions/{SUBSCRIPTION-ID}/resourceGroups/{RESOURCE-GROUP-NAME}/providers/Microsoft.AgFoodPlatform/farmBeats/{FARMBEATS-RESOURCE-NAME}",
+ "subject": "/farmers/UNIQUE-FARMER-ID/applicationData/UNIQUE-APPLICATION-DATA-ID",
+ "eventType": "Microsoft.AgFoodPlatform.ApplicationDataChanged",
+ "dataVersion": "1.0",
+ "metadataVersion": "1",
+ "eventTime": "2021-03-05T11:27:24.164612Z"
+ }
+```
+
+**Event type: Microsoft.AgFoodPlatform.HarvestDataChanged**
+```json
+ {
+ "data": {
+ "actionType": "Created",
+ "farmerId": "UNIQUE-FARMER-ID",
+ "source": "Sample source",
+ "modifiedDateTime": "2021-03-05T11:33:41Z",
+ "eTag": "8701141b-0000-0700-0000-604217150000",
+ "id": "UNIQUE-HARVEST-DATA-ID",
+ "status": "Sample status",
+ "name": "sample name",
+ "description": "Sample description",
+ "createdDateTime": "2021-03-05T11:33:41Z",
+ "properties": {
+ "key1": "value1",
+ "key2": 123.45
+ }
+ },
+ "id": "dc3837c0-1eed-4bfa-88b6-d018cf6af4db",
+ "topic": "/subscriptions/{SUBSCRIPTION-ID}/resourceGroups/{RESOURCE-GROUP-NAME}/providers/Microsoft.AgFoodPlatform/farmBeats/{FARMBEATS-RESOURCE-NAME}",
+ "subject": "/farmers/UNIQUE-FARMER-ID/harvestData/UNIQUE-HARVEST-DATA-ID",
+ "eventType": "Microsoft.AgFoodPlatform.HarvestDataChanged",
+ "dataVersion": "1.0",
+ "metadataVersion": "1",
+ "eventTime": "2021-03-05T11:33:41.3434992Z"
+ }
+```
+**Event type: Microsoft.AgFoodPlatform.TillageDataChanged**
+```json
+ {
+ "data": {
+ "actionType": "Updated",
+ "farmerId": "UNIQUE-FARMER-ID",
+ "source": "sample source",
+ "modifiedDateTime": "2021-06-15T10:31:07Z",
+ "eTag": "6405f027-0000-0100-0000-60c8816b0000",
+ "id": "c9858c3f-fb94-474a-a6de-103b453df976",
+ "createdDateTime": "2021-06-15T10:31:07Z",
+ "name": "sample name",
+ "description":"sample description"
+ "properties": {
+ "_orgId": "498221",
+ "_fieldId": "e61b83f4-3a12-431e-8010-596f2466dc27",
+ "_cropSeason": "2010"
+ }
+ },
+ "id": "f06f6686-1fa8-41fd-be99-46f40f495cce",
+ "topic": "/subscriptions/da9091ec-d18f-456c-9c21-5783ee7f4645/resourceGroups/internal-farmbeats-resources/providers/Microsoft.AgFoodPlatform/farmBeats/internal-eus",
+ "subject": "/farmers/10e3d7bf-c559-48be-af31-4e00df83bfcd/tillageData/c9858c3f-fb94-474a-a6de-103b453df976",
+ "eventType": "Microsoft.AgFoodPlatform.TillageDataChanged",
+ "dataVersion": "1.0",
+ "metadataVersion": "1",
+ "eventTime": "2021-06-15T10:31:07.6778047Z"
+ }
+```
+
+**Event type: Microsoft.AgFoodPlatform.PlantingDataChanged**
+```json
+ {
+ "data": {
+ "actionType": "Created",
+ "farmerId": "UNIQUE-FARMER-ID",
+ "source": "Sample source",
+ "modifiedDateTime": "2021-03-05T11:41:18Z",
+ "eTag": "8701242a-0000-0700-0000-604218de0000",
+ "id": "UNIQUE-PLANTING-DATA-ID",
+ "status": "Sample status",
+ "name": "sample name",
+ "description": "Sample description",
+ "createdDateTime": "2021-03-05T11:41:18Z",
+ "properties": {
+ "key1": "value1",
+ "key2": 123.45
+ }
+ },
+ "id": "42589c7f-4e16-4a4d-9314-d611c822f7ac",
+ "topic": "/subscriptions/{SUBSCRIPTION-ID}/resourceGroups/{RESOURCE-GROUP-NAME}/providers/Microsoft.AgFoodPlatform/farmBeats/{FARMBEATS-RESOURCE-NAME}",
+ "subject": "/farmers/UNIQUE-FARMER-ID/plantingData/UNIQUE-PLANTING-DATA-ID",
+ "eventType": "Microsoft.AgFoodPlatform.PlantingDataChanged",
+ "dataVersion": "1.0",
+ "metadataVersion": "1",
+ "eventTime": "2021-03-05T11:41:18.1744322Z"
+ }
+```
+++
+## Next steps
+* For an introduction to Azure Event Grid, see [What is Event Grid?](overview.md)
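Review bot: The TillageDataChanged sample carries what look like real identifiers instead of placeholders: its `topic` has a concrete subscription GUID, the resource group `internal-farmbeats-resources` and the resource name `internal-eus`, and `subject`, `data.id` and `properties._fieldId` are concrete GUIDs, where every other sample uses `{SUBSCRIPTION-ID}`, `UNIQUE-FARMER-ID` and similar. Replace them with the same placeholders before publishing. The same sample is also invalid JSON, because `"description":"sample description"` is missing its trailing comma. Separately, the three job headings read `...JobStatusChange` while the `eventType` in each body is `...JobStatusChanged`, the job samples write placeholders with stray spaces (`UNIQUE - FARMER - ID`, `{Subscription -ID}`), and the CropVarietyChanged sample has `"status": "string"` next to `"name": "Sample status"`, which looks like swapped values.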
event-grid System Topics https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/event-grid/system-topics.md
Here is the current list of Azure services that support creation of system topic
- [Azure Communication Services](event-schema-communication-services.md) - [Azure Container Registry](event-schema-container-registry.md) - [Azure Event Hubs](event-schema-event-hubs.md)
+- [Azure FarmBeats](event-schema-farmbeats.md)
- [Azure IoT Hub](event-schema-iot-hub.md) - [Azure Key Vault](event-schema-key-vault.md) - [Azure Machine Learning](event-schema-machine-learning.md)
event-hubs Authenticate Application https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/event-hubs/authenticate-application.md
Title: Authenticate an application to access Azure Event Hubs resources description: This article provides information about authenticating an application with Azure Active Directory to access Azure Event Hubs resources Previously updated : 05/10/2021 Last updated : 06/14/2021+ # Authenticate an application with Azure Active Directory to access Event Hubs resources
The application needs a client secret to prove its identity when requesting a to
## Assign Azure roles using the Azure portal
-After you register the application, you assign the application's service principal to an Event Hubs Azure AD role described in the [Built-in roles for Azure Event Hubs](#built-in-roles-for-azure-event-hubs) section.
+Assign one of the [Event Hubs roles](#built-in-roles-for-azure-event-hubs) to the application's service principal at the desired scope (Event Hubs namespace, resource group, subscription). For detailed steps, see [Assign Azure roles using the Azure portal](../role-based-access-control/role-assignments-portal.md).
-1. In the [Azure portal](https://portal.azure.com/), navigate to your Event Hubs namespace.
-2. On the **Overview** page, select the event hub for which you want to assign a role.
-
- ![Select your event hub](./media/authenticate-application/select-event-hub.png)
-1. Select **Access Control (IAM)** to display access control settings for the event hub.
-1. Select the **Role assignments** tab to see the list of role assignments. Select the **Add** button on the toolbar and then select **Add role assignment**.
-
- ![Add button on the toolbar](./media/authenticate-application/role-assignments-add-button.png)
-1. On the **Add role assignment** page, do the following steps:
- 1. Select the **Event Hubs role** that you want to assign.
- 1. Search to locate the **security principal** (user, group, service principal) to which you want to assign the role. Select the **registered application** from the list.
- 1. Select **Save** to save the role assignment.
-
- ![Assign role to a user](./media/authenticate-application/assign-role-to-user.png)
- 4. Switch to the **Role assignments** tab and confirm the role assignment. For example, the following image shows that **mywebapp** is in the **Azure Event Hubs Data Sender** role.
-
- ![User in the list](./media/authenticate-application/user-in-list.png)
-
-You can follow similar steps to assign a role scoped to Event Hubs namespace, resource group, or subscription. Once you define the role and its scope, you can test this behavior with samples [in this GitHub location](https://github.com/Azure/azure-event-hubs/tree/master/samples/DotNet/Microsoft.Azure.EventHubs/Rbac). To learn more on managing access to Azure resources using Azure RBAC and the Azure portal, see [this article](..//role-based-access-control/role-assignments-portal.md).
+Once you define the role and its scope, you can test this behavior with samples [in this GitHub location](https://github.com/Azure/azure-event-hubs/tree/master/samples/DotNet/Microsoft.Azure.EventHubs/Rbac). To learn more on managing access to Azure resources using Azure RBAC and the Azure portal, see [this article](..//role-based-access-control/role-assignments-portal.md).
### Client libraries for token acquisition
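Review bot: The scope list in the added `+Assign one of the [Event Hubs roles]` line names only namespace, resource group and subscription, but the removed steps assigned the role on an individual event hub ("select the event hub for which you want to assign a role"), which is narrower than any of those. Add the event hub to the list so the least-privilege option stays documented. The last added line also keeps the link `..//role-based-access-control/role-assignments-portal.md` with its double slash, and that link now repeats the one in the first added line; fix the path or drop the second half of the sentence.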
event-hubs Authenticate Managed Identity https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/event-hubs/authenticate-managed-identity.md
Title: Authentication a managed identity with Azure Active Directory description: This article provides information about authenticating a managed identity with Azure Active Directory to access Azure Event Hubs resources Previously updated : 01/25/2021- Last updated : 06/14/2021+ # Authenticate a managed identity with Azure Active Directory to access Event Hubs Resources Azure Event Hubs supports Azure Active Directory (Azure AD) authentication with [managed identities for Azure resources](../active-directory/managed-identities-azure-resources/overview.md). Managed identities for Azure resources can authorize access to Event Hubs resources using Azure AD credentials from applications running in Azure Virtual Machines (VMs), Function apps, Virtual Machine Scale Sets, and other services. By using managed identities for Azure resources together with Azure AD authentication, you can avoid storing credentials with your applications that run in the cloud.
Once the application is created, follow these steps:
Now, assign this service identity to a role in the required scope in your Event Hubs resources. ### To Assign Azure roles using the Azure portal
-To assign a role to Event Hubs resources, navigate to that resource in the Azure portal. Display the Access Control (IAM) settings for the resource, and follow these instructions to manage role assignments:
+Assign one of the [Event Hubs roles](authorize-access-azure-active-directory.md#azure-built-in-roles-for-azure-event-hubs) to the managed identity at the desired scope (Event Hubs namespace, resource group, subscription). For detailed steps, see [Assign Azure roles using the Azure portal](../role-based-access-control/role-assignments-portal.md).
> [!NOTE]
-> The following steps assigns a service identity role to your Event Hubs namespaces. You can follow the same steps to assign a role scoped to any Event Hubs resource.
-
-1. In the Azure portal, navigate to your Event Hubs namespace and display the **Overview** for the namespace.
-1. Select **Access Control (IAM)** on the left menu to display access control settings for the event hub.
-1. Select the **Role assignments** tab to see the list of role assignments.
-3. Select **Add**, and then select **Add role assignment***.
-4. On the **Add role assignment** page, follow these steps:
- 1. For **Role**, select the Event Hubs role that you want to assign. In this example, it's **Azure Event Hubs Data Owner**.
- 1. For the **Assign access to** field, select **App Service** under **System assigned managed identity**.
- 1. Select the **subscription** in which the managed identity for the web app was created.
- 1. Select the **managed identity** for the web app you created. The default name for the identity is same as the name of the web app.
- 1. Then, select **Save**.
-
- ![Add role assignment page](./media/authenticate-managed-identity/add-role-assignment-page.png)
-
- Once you've assigned the role, the web application will have access to the Event Hubs resources under the defined scope.
-
- > [!NOTE]
- > For a list of services that support managed identities, see [Services that support managed identities for Azure resources](../active-directory/managed-identities-azure-resources/services-support-managed-identities.md).
+> For a list of services that support managed identities, see [Services that support managed identities for Azure resources](../active-directory/managed-identities-azure-resources/services-support-managed-identities.md).
### Test the web application 1. Create an Event Hubs namespace and an event hub.
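Review bot: The removed note said the steps apply to "any Event Hubs resource" and the removed example role was **Azure Event Hubs Data Owner**; the replacement line lists only namespace, resource group and subscription as scopes and names no role at all. Consider adding the event hub as a scope and stating which role the test web application in the next section actually needs, so readers do not default to the broadest role and scope.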
expressroute Expressroute Locations Providers https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/expressroute/expressroute-locations-providers.md
The following table shows connectivity locations and the service providers for e
| **Berlin** | [NTT GDC](https://www.e-shelter.de/en/location/berlin-1-data-center) | 1 | Germany North | 10G | Colt, Equinix, NTT Global DataCenters EMEA| | **Bogota** | [Equinix BG1](https://www.equinix.com/locations/americas-colocation/colombia-colocation/bogota-data-centers/bg1/) | 4 | n/a | 10G | Equinix | | **Busan** | [LG CNS](https://www.lgcns.com/En/Service/DataCenter) | 2 | Korea South | n/a | LG CNS |
+| **Campinas** | [Ascenty](https://www.ascenty.com/en/data-centers-en/campinas/) | 3 | Brazil South | 10G, 100G | |
| **Canberra** | [CDC](https://cdcdatacentres.com.au/about-us/) | 1 | Australia Central | 10G, 100G | CDC | | **Canberra2** | [CDC](https://cdcdatacentres.com.au/about-us/) | 1 | Australia Central 2| 10G, 100G | CDC, Equinix | | **Cape Town** | [Teraco CT1](https://www.teraco.co.za/data-centre-locations/cape-town/) | 3 | South Africa West | 10G | BCX, Internet Solutions - Cloud Connect, Liquid Telecom, Teraco |
The following table shows connectivity locations and the service providers for e
| **Dublin** | [Equinix DB3](https://www.equinix.com/locations/europe-colocation/ireland-colocation/dublin-data-centers/db3/) | 1 | North Europe | 10G, 100G | CenturyLink Cloud Connect, Colt, eir, Equinix, GEANT, euNetworks, Interxion, Megaport | | **Frankfurt** | [Interxion FRA11](https://www.interxion.com/Locations/frankfurt/) | 1 | Germany West Central | 10G, 100G | AT&T NetBond, British Telecom, CenturyLink Cloud Connect, Colt, DE-CIX, Equinix, euNetworks, GEANT, InterCloud, Interxion, Megaport, Orange, Telia Carrier, T-Systems | | **Frankfurt2** | [Equinix FR7](https://www.equinix.com/locations/europe-colocation/germany-colocation/frankfurt-data-centers/fr7/) | 1 | Germany West Central | 10G, 100G | Deutsche Telekom AG, Equinix |
-| **Geneva** | [Equinix GV2](https://www.equinix.com/locations/europe-colocation/switzerland-colocation/geneva-data-centers/gv2/) | 1 | Switzerland West | 10G, 100G | Equinix, Megaport, Swisscom |
+| **Geneva** | [Equinix GV2](https://www.equinix.com/locations/europe-colocation/switzerland-colocation/geneva-data-centers/gv2/) | 1 | Switzerland West | 10G, 100G | Colt, Equinix, Megaport, Swisscom |
| **Hong Kong** | [Equinix HK1](https://www.equinix.com/data-centers/asia-pacific-colocation/hong-kong-colocation/hong-kong-data-centers/hk1) | 2 | East Asia | 10G | Aryaka Networks, British Telecom, CenturyLink Cloud Connect, Chief Telecom, China Telecom Global, China Unicom, Colt, Equinix, InterCloud, Megaport, NTT Communications, Orange, PCCW Global Limited, Tata Communications, Telia Carrier, Verizon | | **Hong Kong2** | [iAdvantage MEGA-i](https://www.iadvantage.net/index.php/locations/mega-i) | 2 | East Asia | 10G | China Mobile International, China Telecom Global, iAdvantage, Megaport, PCCW Global Limited, SingTel | | **Jakarta** | Telin, Telkom Indonesia | 4 | n/a | 10G | Telin |
The following table shows connectivity locations and the service providers for e
| **Montreal** | [Cologix MTL3](https://www.cologix.com/data-centers/montreal/mtl3/) | 1 | n/a | 10G, 100G | Bell Canada, Cologix, Fibrenoire, Megaport, Telus, Zayo | | **Mumbai** | Tata Communications | 2 | West India | 10G | BSNL, DE-CIX, Global CloudXchange (GCX), Reliance Jio, Sify, Tata Communications, Verizon | | **Mumbai2** | Airtel | 2 | West India | 10G | Airtel, Sify, Vodafone Idea |
-| **Munich** | [EdgeConneX](https://www.edgeconnex.com/locations/europe/munich/) | 1 | n/a | 10G | DE-CIX |
+| **Munich** | [EdgeConneX](https://www.edgeconnex.com/locations/europe/munich/) | 1 | n/a | 10G | DE-CIX, Megaport |
| **New York** | [Equinix NY9](https://www.equinix.com/locations/americas-colocation/united-states-colocation/new-york-data-centers/ny9/) | 1 | n/a | 10G, 100G | CenturyLink Cloud Connect, Colt, Coresite, DE-CIX, Equinix, InterCloud, Megaport, Packet, Zayo | | **Newport(Wales)** | [Next Generation Data](https://www.nextgenerationdata.co.uk) | 1 | UK West | n/a | British Telecom, Colt, Jisc, Level 3 Communications, Next Generation Data | | **Osaka** | [Equinix OS1](https://www.equinix.com/locations/asia-colocation/japan-colocation/osaka-data-centers/os1/) | 2 | Japan West | 10G, 100G | AT TOKYO, BBIX, Colt, Equinix, Internet Initiative Japan Inc. - IIJ, Megaport, NTT Communications, NTT SmartConnect, Softbank, Tokai Communications | | **Oslo** | [DigiPlex Ulven](https://www.digiplex.com/locations/oslo-datacentre) | 1 | Norway East | 10G, 100G | GlobalConnect, Megaport, Telenor, Telia Carrier | | **Paris** | [Interxion PAR5](https://www.interxion.com/Locations/paris/) | 1 | France Central | 10G, 100G | British Telecom, CenturyLink Cloud Connect, Colt, Equinix, Intercloud, Interxion, Jaguar Network, Megaport, Orange, Telia Carrier, Zayo | | **Perth** | [NextDC P1](https://www.nextdc.com/data-centres/p1-perth-data-centre) | 2 | n/a | 10G | Megaport, NextDC |
-| **Phoenix** | [EdgeConneX PHX01](https://www.edgeconnex.com/locations/north-america/phoenix-az/) | 1 | n/a | 10G, 100G | |
+| **Phoenix** | [EdgeConneX PHX01](https://www.edgeconnex.com/locations/north-america/phoenix-az/) | 1 | n/a | 10G, 100G | Megaport |
| **Quebec City** | [Vantage](https://vantage-dc.com/data_centers/quebec-city-data-center-campus/) | 1 | Canada East | 10G, 100G | Bell Canada, Megaport, Telus | | **Queretaro (Mexico)** | [KIO Networks QR01](https://www.kionetworks.com/es-mx/) | 4 | n/a | 10G | Transtelco| | **Quincy** | [Sabey Datacenter - Building A](https://sabeydatacenters.com/data-center-locations/central-washington-data-centers/quincy-data-center) | 1 | West US 2 | 10G, 100G | |
The following table shows connectivity locations and the service providers for e
| **San Antonio** | [CyrusOne SA1](https://cyrusone.com/locations/texas/san-antonio-texas/) | 1 | South Central US | 10G, 100G | CenturyLink Cloud Connect, Megaport | | **Sao Paulo** | [Equinix SP2](https://www.equinix.com/locations/americas-colocation/brazil-colocation/sao-paulo-data-centers/sp2/) | 3 | Brazil South | 10G, 100G | Aryaka Networks, Ascenty Data Centers, British Telecom, Equinix, Level 3 Communications, Neutrona Networks, Orange, Tata Communications, Telefonica, UOLDIVEO | | **Seattle** | [Equinix SE2](https://www.equinix.com/locations/americas-colocation/united-states-colocation/seattle-data-centers/se2/) | 1 | West US 2 | 10G, 100G | Aryaka Networks, Equinix, Level 3 Communications, Megaport, Telus, Zayo |
-| **Seoul** | [KINX Gasan IDC](https://www.kinx.net/?lang=en) | 2 | Korea Central | 10G, 100G | KINX, KT, LG CNS, Equinix, Sejong Telecom, SK Telecom |
+| **Seoul** | [KINX Gasan IDC](https://www.kinx.net/?lang=en) | 2 | Korea Central | 10G, 100G | KINX, KT, LG CNS, LGUplus, Equinix, Sejong Telecom, SK Telecom |
| **Silicon Valley** | [Equinix SV1](https://www.equinix.com/locations/americas-colocation/united-states-colocation/silicon-valley-data-centers/sv1/) | 1 | West US | 10G, 100G | Aryaka Networks, AT&T NetBond, British Telecom, CenturyLink Cloud Connect, Colt, Comcast, Coresite, Equinix, InterCloud, Internet2, IX Reach, Packet, PacketFabric, Level 3 Communications, Megaport, Orange, Sprint, Tata Communications, Telia Carrier, Verizon, Zayo | | **Silicon Valley2** | [Coresite SV7](https://www.coresite.com/data-centers/locations/silicon-valley/sv7) | 1 | West US | 10G, 100G | Colt, Coresite | | **Singapore** | [Equinix SG1](https://www.equinix.com/data-centers/asia-pacific-colocation/singapore-colocation/singapore-data-center/sg1) | 2 | Southeast Asia | 10G, 100G | Aryaka Networks, AT&T NetBond, British Telecom, China Mobile International, Epsilon Global Communications, Equinix, InterCloud, Level 3 Communications, Megaport, NTT Communications, Orange, SingTel, Tata Communications, Telstra Corporation, Verizon, Vodafone |
expressroute Expressroute Locations https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/expressroute/expressroute-locations.md
The following table shows locations by service provider. If you want to view ava
| **[Chunghwa Telecom](https://www.cht.com.tw/en/home/cht/about-cht/products-and-services/International/Cloud-Service)** |Supported |Supported |Taipei | | **[Claro](https://www.usclaro.com/enterprise-mnc/connectivity/mpls/)** |Supported |Supported |Miami | | **[Cologix](https://www.cologix.com/hyperscale/microsoft-azure/)** |Supported |Supported |Chicago, Dallas, Minneapolis, Montreal, Toronto, Vancouver, Washington DC |
-| **[Colt](https://www.colt.net/direct-connect/azure/)** |Supported |Supported |Amsterdam, Amsterdam2, Berlin, Chicago, Dublin, Frankfurt, Hong Kong, London, London2, Marseille, Milan, Newport, New York, Osaka, Paris, Silicon Valley, Silicon Valley2, Singapore2, Tokyo, Washington DC, Zurich |
+| **[Colt](https://www.colt.net/direct-connect/azure/)** |Supported |Supported |Amsterdam, Amsterdam2, Berlin, Chicago, Dublin, Frankfurt, Geneva, Hong Kong, London, London2, Marseille, Milan, Newport, New York, Osaka, Paris, Silicon Valley, Silicon Valley2, Singapore2, Tokyo, Washington DC, Zurich |
| **[Comcast](https://business.comcast.com/landingpage/microsoft-azure)** |Supported |Supported |Chicago, Silicon Valley, Washington DC | | **[CoreSite](https://www.coresite.com/solutions/cloud-services/public-cloud-providers/microsoft-azure-expressroute)** |Supported |Supported |Chicago, Denver, Los Angeles, New York, Silicon Valley, Silicon Valley2, Washington DC, Washington DC2 | | **[DE-CIX](https://www.de-cix.net/en/de-cix-service-world/cloud-exchange/find-a-cloud-service/detail/microsoft-azure)** | Supported |Supported |Amsterdam2, Dubai2, Frankfurt, Marseille, Mumbai, Munich, New York |
The following table shows locations by service provider. If you want to view ava
| **[Level 3 Communications](https://www.lumen.com/en-us/hybrid-it-cloud/cloud-connect.html)** |Supported |Supported |Amsterdam, Chicago, Dallas, London, Newport (Wales), Sao Paulo, Seattle, Silicon Valley, Singapore, Washington DC | | **LG CNS** |Supported |Supported |Busan, Seoul | | **[Liquid Telecom](https://www.liquidtelecom.com/products-and-services/cloud.html)** |Supported |Supported |Cape Town, Johannesburg |
-| **[Megaport](https://www.megaport.com/services/microsoft-expressroute/)** |Supported |Supported |Amsterdam, Atlanta, Auckland, Chennai, Chicago, Dallas, Denver, Dubai2, Dublin, Frankfurt, Geneva, Hong Kong, Hong Kong2, Las Vegas, London, London2, Los Angeles, Madrid, Melbourne, Miami, Minneapolis, Montreal, New York, Osaka, Oslo, Paris, Perth, Quebec City, San Antonio, Seattle, Silicon Valley, Singapore, Singapore2, Stavanger, Stockholm, Sydney, Sydney2, Tokyo, Tokyo2 Toronto, Vancouver, Washington DC, Washington DC2, Zurich |
+| **[LGUplus](http://www.uplus.co.kr/)** |Supported |Supported |Seoul |
+| **[Megaport](https://www.megaport.com/services/microsoft-expressroute/)** |Supported |Supported |Amsterdam, Atlanta, Auckland, Chennai, Chicago, Dallas, Denver, Dubai2, Dublin, Frankfurt, Geneva, Hong Kong, Hong Kong2, Las Vegas, London, London2, Los Angeles, Madrid, Melbourne, Miami, Minneapolis, Montreal, Munich, New York, Osaka, Oslo, Paris, Perth, Phoenix, Quebec City, San Antonio, Seattle, Silicon Valley, Singapore, Singapore2, Stavanger, Stockholm, Sydney, Sydney2, Tokyo, Tokyo2 Toronto, Vancouver, Washington DC, Washington DC2, Zurich |
| **[MTN](https://www.mtnbusiness.co.za/en/Cloud-Solutions/Pages/microsoft-express-route.aspx)** |Supported |Supported |London | | **[National Telecom](https://www.nc.ntplc.co.th/cat/category/264/855/CAT+Direct+Cloud+Connect+for+Microsoft+ExpressRoute?lang=en_EN)** |Supported |Supported |Bangkok | | **[Neutrona Networks](https://www.neutrona.com/index.php/azure-expressroute/)** |Supported |Supported |Dallas, Los Angeles, Miami, Sao Paulo, Washington DC |
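Review bot: The new LGUplus row links to `http://www.uplus.co.kr/` over plain HTTP, while every other provider link in this hunk is `https://`; use the HTTPS URL if the site serves one. The rewritten Megaport row also still reads `Tokyo2 Toronto` with no comma between the two locations, so fix that while the line is being touched.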
If you are remote and don't have fiber connectivity or you want to explore other
| **[BroadBand Tower, Inc.](https://www.bbtower.co.jp/product-service/data-center/network/dcconnect-for-azure/)** | Equinix | Tokyo | | **[C3ntro Telecom](https://www.c3ntro.com/)** | Equinix, Megaport | Dallas | | **[Chief](https://www.chief.com.tw/)** | Equinix | Hong Kong SAR |
-| **[Cinia](https://www.cinia.fi/en/services/connectivity-services/direct-public-cloud-connection.html)** | Equinix, Megaport | Frankfurt, Hamburg |
+| **[Cinia](https://www.cinia.fi/palvelutiedotteet)** | Equinix, Megaport | Frankfurt, Hamburg |
| **[CloudXpress](https://www2.telenet.be/fr/business/produits-services/internet/cloudxpress/)** | Equinix | Amsterdam | | **[CMC Telecom](https://cmctelecom.vn/san-pham/value-added-service-and-it/cmc-telecom-cloud-express-en/)** | Equinix | Singapore | | **[CoreAzure](https://www.coreazure.com/)**| Equinix | London |
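Review bot: The Cinia link changes from an English product page under `/en/services/connectivity-services/` to `https://www.cinia.fi/palvelutiedotteet`, a Finnish-language path with no `/en/` segment. Confirm that this is the intended landing page for the provider's ExpressRoute offering, and prefer an English page if one exists.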
governance Policy For Kubernetes https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/governance/policy/concepts/policy-for-kubernetes.md
cluster service principal.
|Domain |Port | |||
- |`gov-prod-policy-data.trafficmanager.net` |`443` |
- |`raw.githubusercontent.com` |`443` |
+ |`data.policy.core.windows.net` |`443` |
+ |`store.policy.core.windows.net` |`443` |
|`login.windows.net` |`443` | |`dc.services.visualstudio.com` |`443` |
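Review bot: the two removed rows in the domain/port table (`gov-prod-policy-data.trafficmanager.net`, `raw.githubusercontent.com`) are replaced by `data.policy.core.windows.net` and `store.policy.core.windows.net` with no statement of which add-on versions need which set. Readers build egress allow-lists from this table, so add one sentence saying whether the old entries can be closed immediately or must stay open during a transition.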
governance Guest Configuration Create Linux https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/governance/policy/how-to/guest-configuration-create-linux.md
Before creating custom policies, read the overview information at
To learn about creating Guest Configuration policies for Windows, see the page [How to create Guest Configuration policies for Windows](./guest-configuration-create.md)
-When auditing Linux, Guest Configuration uses [Chef InSpec](https://www.inspec.io/). The InSpec
+When auditing Linux, Guest Configuration uses [Chef InSpec](https://community.chef.io/tools/chef-inspec). The InSpec
profile defines the condition that the machine should be in. If the evaluation of the configuration fails, the policy effect **auditIfNotExists** is triggered and the machine is considered **non-compliant**.
uncompressed.
### Custom Guest Configuration configuration on Linux Guest Configuration on Linux uses the `ChefInSpecResource` resource to provide the engine with the
-name of the [InSpec profile](https://www.inspec.io/docs/reference/profiles/). **Name** is the only
+name of the [InSpec profile](https://docs.chef.io/inspec/profiles/). **Name** is the only
required resource property. Create a YAML file and a Ruby script file, as detailed below. First, create the YAML file used by InSpec. The file provides basic information about the
hpc-cache Az Cli Prerequisites https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/hpc-cache/az-cli-prerequisites.md
Follow these steps to prepare your environment before using Azure CLI to create
## Set default resource group (optional)
-Most of the hpc-cache commands require you to pass the cache's resource group. You can set the default resource group by using [az configure](/cli/azure/reference-index#az_configure).
+Most of the hpc-cache commands require you to pass the cache's resource group. You can set the default resource group by using [az config](/cli/azure/reference-index#az_config).
## Next steps
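Review bot: the added sentence names `az config` but, like the line it replaces, gives no invocation, and `az config` is a command group rather than a single command. Suggest showing the call inline, for example `az config set defaults.group=<resource-group>`, and checking that the `#az_config` anchor on the reference index actually resolves.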
iot-develop Quickstart Devkit Microchip Atsame54 Xpro https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-develop/quickstart-devkit-microchip-atsame54-xpro.md
You can use the **Termite** app to monitor communication and confirm that your d
1. Start **Termite**. > [!TIP]
- > If you have issues getting your device to initialize or connect after flashing, see [Troubleshooting](https://github.com/azure-rtos/getting-started/blob/master/docs/troubleshooting.md) for additional steps.
+ > If you have issues getting your device to initialize or connect after flashing, see [Troubleshooting](troubleshoot-embedded-device-quickstarts.md) for additional steps.
1. Select **Settings**. 1. In the **Serial port settings** dialog, check the following settings and update if needed: * **Baud rate**: 115,200
Select **About** tab from the device page.
## Troubleshoot and debug
-If you experience issues building the device code, flashing the device, or connecting, see [Troubleshooting](https://github.com/azure-rtos/getting-started/blob/master/docs/troubleshooting.md).
+If you experience issues building the device code, flashing the device, or connecting, see [Troubleshooting](troubleshoot-embedded-device-quickstarts.md).
For debugging the application, see [Debugging with Visual Studio Code](https://github.com/azure-rtos/getting-started/blob/master/docs/debugging.md).
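Review bot: the Troubleshooting link in this hunk moves to the in-repo article, but the Debugging link on the following line still points at `github.com/azure-rtos/getting-started/blob/master/docs/debugging.md`, a path on a moving branch outside this docs set. If the aim is to stop depending on that repository's layout, handle the debugging link in the same change or pin it; the same pair of lines recurs in the other devkit quickstarts in this update.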
iot-develop Quickstart Devkit Mxchip Az3166 Iot Hub https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-develop/quickstart-devkit-mxchip-az3166-iot-hub.md
You can use the **Termite** app to monitor communication and confirm that your d
1. Start **Termite**. > [!TIP]
- > If you are unable to connect Termite to your devkit, install the [ST-LINK driver](https://my.st.com/content/ccc/resource/technical/software/driver/files/stsw-link009.zip) and try again. See [Troubleshooting](https://github.com/azure-rtos/getting-started/blob/master/docs/troubleshooting.md) for additional steps.
+ > If you are unable to connect Termite to your devkit, install the [ST-LINK driver](https://my.st.com/content/ccc/resource/technical/software/driver/files/stsw-link009.zip) and try again. See [Troubleshooting](troubleshoot-embedded-device-quickstarts.md) for additional steps.
1. Select **Settings**. 1. In the **Serial port settings** dialog, check the following settings and update if needed: * **Baud rate**: 115,200
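Review bot: the tip on the changed line still sends readers straight to a driver archive (`.../stsw-link009.zip`) instead of a download page. A direct link to an installer zip gives the reader no version, release notes or checksum to verify, and it breaks silently if the file moves; link the vendor's page for the driver instead. The identical tip appears in the other AZ3166 quickstart and the B-L475E quickstart.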
To use Azure CLI to call a method:
## Troubleshoot and debug
-If you experience issues building the device code, flashing the device, or connecting, see [Troubleshooting](https://github.com/azure-rtos/getting-started/blob/master/docs/troubleshooting.md).
+If you experience issues building the device code, flashing the device, or connecting, see [Troubleshooting](troubleshoot-embedded-device-quickstarts.md).
For debugging the application, see [Debugging with Visual Studio Code](https://github.com/azure-rtos/getting-started/blob/master/docs/debugging.md).
iot-develop Quickstart Devkit Mxchip Az3166 https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-develop/quickstart-devkit-mxchip-az3166.md
You can use the **Termite** app to monitor communication and confirm that your d
1. Start **Termite**. > [!TIP]
- > If you are unable to connect Termite to your devkit, install the [ST-LINK driver](https://my.st.com/content/ccc/resource/technical/software/driver/files/stsw-link009.zip) and try again. See [Troubleshooting](https://github.com/azure-rtos/getting-started/blob/master/docs/troubleshooting.md) for additional steps.
+ > If you are unable to connect Termite to your devkit, install the [ST-LINK driver](https://my.st.com/content/ccc/resource/technical/software/driver/files/stsw-link009.zip) and try again. See [Troubleshooting](troubleshoot-embedded-device-quickstarts.md) for additional steps.
1. Select **Settings**. 1. In the **Serial port settings** dialog, check the following settings and update if needed: * **Baud rate**: 115,200
Select **About** tab from the device page.
## Troubleshoot and debug
-If you experience issues building the device code, flashing the device, or connecting, see [Troubleshooting](https://github.com/azure-rtos/getting-started/blob/master/docs/troubleshooting.md).
+If you experience issues building the device code, flashing the device, or connecting, see [Troubleshooting](troubleshoot-embedded-device-quickstarts.md).
For debugging the application, see [Debugging with Visual Studio Code](https://github.com/azure-rtos/getting-started/blob/master/docs/debugging.md).
iot-develop Quickstart Devkit Nxp Mimxrt1050 Evkb https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-develop/quickstart-devkit-nxp-mimxrt1050-evkb.md
You can use the **Termite** app to monitor communication and confirm that your d
1. Start **Termite**. > [!TIP]
- > If you have issues getting your device to initialize or connect after flashing, see [Troubleshooting](https://github.com/azure-rtos/getting-started/blob/master/docs/troubleshooting.md).
+ > If you have issues getting your device to initialize or connect after flashing, see [Troubleshooting](troubleshoot-embedded-device-quickstarts.md).
1. Select **Settings**. 1. In the **Serial port settings** dialog, check the following settings and update if needed: * **Baud rate**: 115,200
Select **About** tab from the device page.
## Troubleshoot and debug
-If you experience issues building the device code, flashing the device, or connecting, see [Troubleshooting](https://github.com/azure-rtos/getting-started/blob/master/docs/troubleshooting.md).
+If you experience issues building the device code, flashing the device, or connecting, see [Troubleshooting](troubleshoot-embedded-device-quickstarts.md).
For debugging the application, see [Debugging with Visual Studio Code](https://github.com/azure-rtos/getting-started/blob/master/docs/debugging.md).
iot-develop Quickstart Devkit Nxp Mimxrt1060 Evk https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-develop/quickstart-devkit-nxp-mimxrt1060-evk.md
You can use the **Termite** app to monitor communication and confirm that your d
1. Start **Termite**. > [!TIP]
- > If you have issues getting your device to initialize or connect after flashing, see [Troubleshooting](https://github.com/azure-rtos/getting-started/blob/master/docs/troubleshooting.md).
+ > If you have issues getting your device to initialize or connect after flashing, see [Troubleshooting](troubleshoot-embedded-device-quickstarts.md).
1. Select **Settings**. 1. In the **Serial port settings** dialog, check the following settings and update if needed: * **Baud rate**: 115,200
Select **About** tab from the device page.
## Troubleshoot and debug
-If you experience issues building the device code, flashing the device, or connecting, see [Troubleshooting](https://github.com/azure-rtos/getting-started/blob/master/docs/troubleshooting.md).
+If you experience issues building the device code, flashing the device, or connecting, see [Troubleshooting](troubleshoot-embedded-device-quickstarts.md).
For debugging the application, see [Debugging with Visual Studio Code](https://github.com/azure-rtos/getting-started/blob/master/docs/debugging.md).
iot-develop Quickstart Devkit Renesas Rx65n 2Mb https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-develop/quickstart-devkit-renesas-rx65n-2mb.md
To connect the Renesas RX65N to Azure, you'll modify a configuration file for Wi
You can use the **Termite** app to monitor communication and confirm that your device is set up correctly. > [!TIP]
-> If you have issues getting your device to initialize or connect after flashing, see [Troubleshooting](https://github.com/azure-rtos/getting-started/blob/master/docs/troubleshooting.md).
+> If you have issues getting your device to initialize or connect after flashing, see [Troubleshooting](troubleshoot-embedded-device-quickstarts.md).
1. Start **Termite**. 1. Select **Settings**.
Select **About** tab from the device page.
## Troubleshoot
-If you experience issues building the device code, flashing the device, or connecting, see [Troubleshooting](https://github.com/azure-rtos/getting-started/blob/master/docs/troubleshooting.md).
+If you experience issues building the device code, flashing the device, or connecting, see [Troubleshooting](troubleshoot-embedded-device-quickstarts.md).
## Clean up resources
iot-develop Quickstart Devkit Renesas Rx65n Cloud Kit https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-develop/quickstart-devkit-renesas-rx65n-cloud-kit.md
To connect the Renesas RX65N to Azure, you'll modify a configuration file for Wi
You can use the **Termite** app to monitor communication and confirm that your device is set up correctly. > [!TIP]
-> If you have issues getting your device to initialize or connect after flashing, see [Troubleshooting](https://github.com/azure-rtos/getting-started/blob/master/docs/troubleshooting.md).
+> If you have issues getting your device to initialize or connect after flashing, see [Troubleshooting](troubleshoot-embedded-device-quickstarts.md).
1. Start **Termite**. 1. Select **Settings**.
Select **About** tab from the device page.
## Troubleshoot
-If you experience issues building the device code, flashing the device, or connecting, see [Troubleshooting](https://github.com/azure-rtos/getting-started/blob/master/docs/troubleshooting.md).
+If you experience issues building the device code, flashing the device, or connecting, see [Troubleshooting](troubleshoot-embedded-device-quickstarts.md).
## Clean up resources
iot-develop Quickstart Devkit Stm B L475e https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-develop/quickstart-devkit-stm-b-l475e.md
You can use the **Termite** app to monitor communication and confirm that your d
1. Start **Termite**. > [!TIP]
- > If you are unable to connect Termite to your devkit, install the [ST-LINK driver](https://my.st.com/content/ccc/resource/technical/software/driver/files/stsw-link009.zip) and try again. See [Troubleshooting](https://github.com/azure-rtos/getting-started/blob/master/docs/troubleshooting.md) for additional steps.
+ > If you are unable to connect Termite to your devkit, install the [ST-LINK driver](https://my.st.com/content/ccc/resource/technical/software/driver/files/stsw-link009.zip) and try again. See [Troubleshooting](troubleshoot-embedded-device-quickstarts.md) for additional steps.
1. Select **Settings**. 1. In the **Serial port settings** dialog, check the following settings and update if needed: * **Baud rate**: 115,200
Select **About** tab from the device page.
## Troubleshoot and debug
-If you experience issues building the device code, flashing the device, or connecting, see [Troubleshooting](https://github.com/azure-rtos/getting-started/blob/master/docs/troubleshooting.md).
+If you experience issues building the device code, flashing the device, or connecting, see [Troubleshooting](troubleshoot-embedded-device-quickstarts.md).
For debugging the application, see [Debugging with Visual Studio Code](https://github.com/azure-rtos/getting-started/blob/master/docs/debugging.md).
iot-develop Troubleshoot Embedded Device Quickstarts https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-develop/troubleshoot-embedded-device-quickstarts.md
+
+ Title: Troubleshooting the Azure RTOS embedded device quickstarts
+description: Steps to help you troubleshoot common issues when using the Azure RTOS embedded device quickstarts
++++ Last updated : 06/10/2021++
+# Troubleshooting the Azure RTOS embedded device quickstarts
+
+As you follow the [Embedded device development quickstarts](quickstart-devkit-mxchip-az3166.md), you might experience some common issues. In general, issues can occur in any of the following sources:
+
+* **Your environment**. Your machine, software, or network setup and connection.
+* **Your Azure IoT resources**. The IoT hub and device that you created to connect to Azure IoT.
+* **Your device**. The physical board and its configuration.
+
+This article provides suggested resolutions for the most common issues that can occur as you complete the quickstarts.
+
+## Prerequisites
+
+All the troubleshooting steps require that you've completed the following prerequisites for the quickstart you're working in:
+
+* You installed or acquired all prerequisites and software tools for the quickstart.
+* You created an Azure IoT hub or Azure IoT Central application, and registered a device, as directed in the quickstart.
+* You built an image for the device, as directed in the quickstart.
+
+## Issue: The source directory doesn't contain CMakeLists.txt file
+### Description
+This issue can occur when you attempt to build the project. It's the result of the project being incorrectly cloned from GitHub. The project contains multiple submodules that won't be cloned by default unless the **--recursive** flag is used.
+
+### Resolution
+* When you clone the repository using Git, confirm that the **--recursive** option is present.
+
+## Issue: The build fails
+
+### Description
+
+The issue can occur because the path to an object file exceeds the default maximum path length in Windows. Examine the build output for a message similar to the following:
+
+```output
+-- Configuring done
+CMake Warning in C:/embedded quickstarts/areallyreallyreallylongpath/getting-started/core/lib/netxduo/addons/azure_iot/azure_iot_security_module/iot-security-module-core/CMakeLists.txt:
+ The object file directory
+
+ C:/embedded quickstarts/areallyreallyreallylongpath/getting-started/NXP/MIMXRT1060-EVK/build/lib/netxduo/addons/azure_iot/azure_iot_security_module/iot-security-module-core/CMakeFiles/asc_security_core.dir/./
+
+ has 208 characters. The maximum full path to an object file is 250
+ characters (see CMAKE_OBJECT_PATH_MAX). Object file
+
+ src/serializer/extensions/custom_builder_allocator.c.obj
+
+ cannot be safely placed under this directory. The build may not work
+ correctly.
++
+-- Generating done
+```
+
+### Resolution
+
+You can try one of the following options to resolve this error:
+* Clone the repository into a directory with a shorter path and try again.
+* Follow the instructions in [Maximum Path Length Limitation](/windows/win32/fileio/maximum-file-path-limitation) to enable long paths in Windows 10, version 1607 and later.
+
+## Issue: Device can't connect to Iot hub
+
+### Description
+
+The issue can occur after you've created Azure resources, and flashed your device. When you try to connect your newly flashed device to Azure IoT, you see a console message like the following:
+
+```output
+Unable to resolve DNS for MQTT Server
+```
+
+### Resolution
+
+* Check the spelling and case of the configuration values you entered for your IoT configuration in the file *azure_config.h*. The values for some IoT resource attributes, such as `deviceID` and `primaryKey`, are case-sensitive.
+
+## Issue: Wi-Fi is unable to connect
+
+### Description
+
+After you flash a device that uses a Wi-Fi connection and try to connect to your Wi-Fi network, you get an error message that Wi-Fi is unable to connect.
+
+### Resolution
+
+* Check your Wi-Fi network frequency and settings. The devices used in the embedded device quickstarts all use 2.4 GHz. Confirm that your Wi-Fi router is configured to support a 2.4-GHz network.
+* Check the Wi-Fi mode. Confirm what setting you used for the WIFI_MODE constant in the *azure_config.h* file. Check your Wi-Fi network security or authentication settings to confirm that the Wi-Fi security mode matches what you have in the configuration file.
+
+## Issue: Flashing the board fails
+
+### Description
+
+You can't complete the process of flashing your device. You'll know this if you experience any of the following symptoms:
+
+* The **.bin* image file that you built doesn't copy to the device.
+* The utility that you're using to flash the device gives a warning or error.
+* The utility that you're using to flash the device doesn't say that programming completed successfully.
+
+### Resolution
+
+* Make sure you're connected to the correct USB port on the device. Some devices have more than one port.
+* Try using a different Micro USB cable. Some devices and cables are incompatible.
+* Try connecting to a different USB port on your computer. A USB port might be disconnected internally, disabled in software, or temporarily in an unusable state.
+* Restart your computer.
+
+## Issue: Device fails to connect to port
+
+### Description
+
+After you flash your device and connect it to your computer, you get a message like the following in your terminal software:
+
+```output
+Failed to initialize the port.
+Please verify the COM port settings.
+```
+
+### Resolution
+
+* In the settings for your terminal software, check the **Port** setting to confirm that the correct port is selected. If there are multiple ports displayed, you can open Windows Device Manager and select the **Ports** node to find the correct port for your connected device.
+
+## Issue: Terminal output shows garbled text
+
+### Description
+
+After you flash your device successfully and connect it to your computer, you see garbled text output in your terminal software.
+
+### Resolution
+
+* In the settings for your terminal software, confirm that the **Baud rate** setting is *115,200*.
+
+## Issue: Terminal output shows no text
+
+### Description
+
+After you flash your device successfully and connect it to your computer, you see no output in your terminal software.
+
+### Resolution
+
+* Confirm that the settings in your terminal software match the settings in the quickstart.
+* Restart your terminal software.
+* Press the **Reset** button on your device.
+* Confirm that your USB cable is properly connected.
+
+## Issue: Communication between device and IoT Hub fails
+
+### Description
+
+After you flash your device and connect it to your computer, you get a repeated message like the following in your terminal window:
+
+```output
+Failed to publish temperature
+```
+
+### Resolution
+
+* Confirm that the *Pricing and scale tier* is one of *Free* or *Standard*. **Basic is not supported** as it doesn't support cloud-to-device and device twin communication.
+
+## Next steps
+
+If after reviewing the issues in this article, you still can't monitor your device in a terminal or connect to Azure IoT, there might be an issue with your device's hardware or physical configuration. See the manufacturer's page for your device to find documentation and support options.
+
+* [STMicroelectronics B-L475E-IOT01](https://www.st.com/content/st_com/en/products/evaluation-tools/product-evaluation-tools/mcu-mpu-eval-tools/stm32-mcu-mpu-eval-tools/stm32-discovery-kits/b-l475e-iot01a.html)
+* [NXP MIMXRT1060-EVK](https://www.nxp.com/design/development-boards/i-mx-evaluation-and-development-boards/mimxrt1060-evk-i-mx-rt1060-evaluation-kit:MIMXRT1060-EVK)
+* [Microchip ATSAME54-XPro](https://www.microchip.com/developmenttools/productdetails/atsame54-xpro)
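Review bot: the "Next steps" list at the end covers only the STMicroelectronics, NXP and Microchip boards, while the MXCHIP AZ3166 and Renesas RX65N quickstarts in this same update now link here for troubleshooting; add their manufacturer pages or state that the list is partial. Smaller items: the heading "Device can't connect to Iot hub" should read "IoT hub"; `**.bin*` under "Flashing the board fails" has unbalanced emphasis markers; and the `--recursive` resolution would be easier to follow with the full clone command written out. Since the article tells readers to enter `primaryKey` in *azure_config.h*, a line reminding them not to commit that file would also fit.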
iot-hub Iot Hub Raspberry Pi Kit C Get Started https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-hub/iot-hub-raspberry-pi-kit-c-get-started.md
ms.devlang: c Previously updated : 02/14/2019 Last updated : 06/14/2021
[!INCLUDE [iot-hub-get-started-device-selector](../../includes/iot-hub-get-started-device-selector.md)]
-In this tutorial, you begin by learning the basics of working with Raspberry Pi that's running Raspbian. You then learn how to seamlessly connect your devices to the cloud by using [Azure IoT Hub](about-iot-hub.md). For Windows 10 IoT Core samples, go to the [Windows Dev Center](https://www.windowsondevices.com/).
+In this tutorial, you begin by learning the basics of working with Raspberry Pi that's running Raspberry Pi OS. You then learn how to seamlessly connect your devices to the cloud by using [Azure IoT Hub](about-iot-hub.md). For Windows 10 IoT Core samples, go to the [Windows Dev Center](https://www.windowsondevices.com/).
Don't have a kit yet? Try [Raspberry Pi online simulator](iot-hub-raspberry-pi-web-simulator-get-started.md). Or buy a new kit [here](https://azure.microsoft.com/develop/iot/starter-kits).
The following items are optional:
Now set up the Raspberry Pi.
-### Install the Raspbian operating system for Pi
+### Install the Raspberry Pi OS
-Prepare the microSD card for installation of the Raspbian image.
+Prepare the microSD card for installation of the Raspberry Pi OS image.
-1. Download Raspbian.
+1. Download Raspberry Pi OS.
- 1. [Download Raspbian Stretch with Desktop](https://www.raspberrypi.org/software/) (the .zip file).
+ 1. [Download Raspberry Pi OS with Desktop](https://www.raspberrypi.org/software/) (the .zip file).
- 2. Extract the Raspbian image to a folder on your computer.
+ 2. Extract the image to a folder on your computer.
-2. Install Raspbian to the microSD card.
+2. Install Raspberry Pi OS to the microSD card.
1. [Download and install the Etcher SD card burner utility](https://etcher.io/).
- 2. Run Etcher and select the Raspbian image that you extracted in step 1.
+ 2. Run Etcher and select the Raspberry Pi OS image that you extracted in step 1.
3. Select the microSD card drive. Note that Etcher may have already selected the correct drive.
- 4. Click Flash to install Raspbian to the microSD card.
+ 4. Click Flash to install Raspberry Pi OS to the microSD card.
5. Remove the microSD card from your computer when installation is complete. It's safe to remove the microSD card directly because Etcher automatically ejects or unmounts the microSD card upon completion.
Prepare the microSD card for installation of the Raspbian image.
### Enable SSH and SPI
-1. Connect Pi to the monitor, keyboard and mouse, start Pi and then sign in to Raspbian by using `pi` as the user name and `raspberry` as the password.
+1. Connect Pi to the monitor, keyboard and mouse, start Pi and then sign in to Raspberry Pi OS by using `pi` as the user name and `raspberry` as the password.
2. Click the Raspberry icon > **Preferences** > **Raspberry Pi Configuration**.
- ![The Raspbian Preferences menu](./media/iot-hub-raspberry-pi-kit-c-get-started/1-raspbian-preferences-menu.png)
+ ![The Raspberry Pi OS Preferences menu](./media/iot-hub-raspberry-pi-kit-c-get-started/1-raspbian-preferences-menu.png)
3. On the **Interfaces** tab, set **SPI** and **SSH** to **Enable**, and then click **OK**. If you don't have physical sensors and want to use simulated sensor data, this step is optional.
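Review bot: step 1 signs in with the default `pi` / `raspberry` credentials and step 3 of the same section enables SSH, with nothing in between that changes the password. Any Pi set up from this tutorial ends up with a network-reachable login protected by a well-known password; add a step to change the `pi` password (or create a different user) before SSH is turned on.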
Turn on Pi by using the micro USB cable and the power supply. Use the Ethernet c
1. Clone the sample application by running the following command: ```bash
- sudo apt-get install git-core
git clone https://github.com/Azure-Samples/iot-hub-c-raspberrypi-client-app.git ```
-2. Run setup script:
+2. A setup script is provided with the sample to prepare the development environment, and build the sample. Run setup script:
```bash cd ./iot-hub-c-raspberrypi-client-app
Turn on Pi by using the micro USB cable and the power supply. Use the Ethernet c
### Build and run the sample application
-1. Build the sample application by running the following command:
+1. The setup script should have already built the sample. However, if you make changes and need to rebuild the sample application, run the following command:
```bash cmake . && make
iot-hub Iot Hub Raspberry Pi Web Simulator Get Started https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-hub/iot-hub-raspberry-pi-web-simulator-get-started.md
ms.devlang: nodejs Previously updated : 04/11/2018 Last updated : 05/27/2021
key-vault Import Cert Faqs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/key-vault/certificates/import-cert-faqs.md
- Title: Frequently asked questions - Azure Key Vault certificate import
-description: Get answers to frequently asked questions about importing Azure Key Vault certificates.
--
-tags: azure-resource-manager
---- Previously updated : 07/20/2020---
-# Importing Azure Key Vault certificates FAQ
-
-This article answers frequently asked questions about importing Azure Key Vault certificates.
-
-## Frequently asked questions
-
-### How can I import a certificate in Azure Key Vault?
-
-For a certificate import operation, Azure Key Vault accepts two certificate file formats: PEM and PFX. Although there are PEM files with only the public portion, Key Vault requires and accepts only a PEM or PFX file with a private key. For more information, see [Import a certificate to Key Vault](./tutorial-import-certificate.md#import-a-certificate-to-key-vault).
-
-### After I import a password-protected certificate to Key Vault and then download it, why can't I see the password that's associated with it?
-
-After a certificate is imported and protected in Key Vault, its associated password isn't saved. The password is required only once during the import operation. This is by design, but you can always get the certificate as a secret and convert it from Base64 to PFX by adding the password through [Azure PowerShell](https://social.technet.microsoft.com/wiki/contents/articles/37431.exporting-azure-app-service-certificates.aspx).
-
-### How can I resolve a "Bad parameter" error? What are the supported certificate formats for importing to Key Vault?
-
-When you import a certificate, you need to ensure that the key is included in the file. If you have a private key stored separately in a different format, you need to combine the key with the certificate. Some certificate authorities (CAs) provide certificates in other formats. Therefore, before you import the certificate, make sure that it's in either PEM or PFX file format and that the key uses either RivestΓÇôShamirΓÇôAdleman (RSA) or elliptic-curve cryptography (ECC) encryption.
-
-For more information, see [certificate requirements](./certificate-scenarios.md#formats-of-import-we-support) and [certificate key requirements](../keys/about-keys.md).
-
-### Can I import a certificate by using an ARM template?
-
-No, it isn't possible to perform certificate operations by using an Azure Resource Manager (ARM) template. A recommended workaround would be to use the certificate import methods in the Azure API, the Azure CLI, or PowerShell. If you have an existing certificate, you can import it as a secret.
-
-### When I import a certificate via the Azure portal, I get a "Something went wrong" error. How can I investigate further?
-
-To view a more descriptive error, import the certificate file by using [the Azure CLI](/cli/azure/keyvault/certificate#az_keyvault_certificate_import) or [PowerShell](/powershell/module/azurerm.keyvault/import-azurekeyvaultcertificate).
-
-### How can I resolve "Error type: Access denied or user is unauthorized to import certificate"?
-
-The import operation requires that you grant the user permissions to import the certificate under the access policies. To do so, go to your key vault, select **Access policies** > **Add Access Policy** > **Select Certificate Permissions** > **Principal**, search for the user, and then add the user's email address.
-
-For more information about certificate-related access policies, see [About Azure Key Vault certificates](./about-certificates.md#certificate-access-control).
--
-### How can I resolve "Error type: Conflict when creating a certificate"?
-
-Each certificate name must be unique. A certificate with the same name might be in a soft-deleted state. Also, according to the [composition of a certificate](./about-certificates.md#composition-of-a-certificate), when new certificate is created, it creates an addressable secret with the same name so if there's another key or secret in the key vault with the same name as the one you're trying to specify for your certificate, the certificate creation will fail and you'll need to either remove that key or secret or use a different name for your certificate.
-
-For more information, see [Get Deleted Certificate operation](/rest/api/keyvault/getdeletedcertificate/getdeletedcertificate).
-
-### Why am I getting "Error type: char length is too long"?
-This error could be caused by either of two reasons:
-* The certificate subject name is limited to 200 characters.
-* The certificate password is limited to 200 characters.
--
-### Error "The specified PEM X.509 certificate content is in an unexpected format. Please check if certificate is in valid PEM format."
-Please verify that the content in the PEM file is uses UNIX-style line separators `(\n)`
-
-### Can I import an expired certificate to Azure Key Vault?
-
-No, expired PFX certificates can't be imported to Key Vault.
-
-### How can I convert my certificate to the proper format?
-
-You can ask your CA to provide the certificate in the required format. There are also third-party tools that can help you convert the certificate to the proper format.
-
-### Can I import certificates from non-partner CAs?
-Yes, you can import certificates from any CA, but your key vault won't be able to renew them automatically. You can set reminders to be notified about the certificate expiration.
-
-### If I import a certificate from a partner CA, will the autorenewal feature still work?
-Yes. After you've uploaded the certificate, be sure to specify the autorotation in the certificate's issuance policy. Your settings will remain in effect until the next cycle or certificate version is released.
-
-### Why can't I see the App Service certificate that I imported to Key Vault?
-If you've imported the certificate successfully, you should be able to confirm it by going to the **Secrets** pane.
--
-## Next steps
--- [Azure Key Vault certificates](./about-certificates.md)
key-vault Key Vault Recovery https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/key-vault/general/key-vault-recovery.md
For more information about Key Vault, see
|Microsoft.KeyVault/locations/deletedVaults/read|View the properties of a soft deleted key vault| |Microsoft.KeyVault/locations/deletedVaults/purge/action|Purge a soft deleted key vault| |Microsoft.KeyVault/locations/operationResults/read| To check purging state of vault|
- |[Key Vault Contributor](../../role-based-access-control/built-in-roles.md#key-vault-contributor)|To recover soft-deleted vault|
+ |[Key Vault Contributor](https://docs.microsoft.com/azure/role-based-access-control/built-in-roles#key-vault-contributor)|To recover soft-deleted vault|
## What are soft-delete and purge protection
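Review bot: The recovery row in this permissions table names a whole built-in role, Key Vault Contributor, while the rows before it name single operations such as `Microsoft.KeyVault/locations/deletedVaults/purge/action`. A reader building a custom role for least privilege can't tell from this row which operation recovery needs, so consider listing that operation alongside the role. The new link also switches from a relative path to an absolute `https://docs.microsoft.com/...` URL, whereas the other links visible in this file (`backup.md`, `howto-logging.md`) stay relative; keep one convention unless the relative path was the part that was broken.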
For more information about soft-delete, see [Azure Key Vault soft-delete overvie
- [Azure Key Vault backup](backup.md) - [How to enable Key Vault logging](howto-logging.md) - [Azure Key Vault security features](security-features.md)-- [Azure Key Vault developer's guide](developers-guide.md)
+- [Azure Key Vault developer's guide](developers-guide.md)
lab-services How To Attach External Storage https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/lab-services/how-to-attach-external-storage.md
If you're using a private endpoint to the Azure Files share, it's important to r
- This approach requires the file share virtual network to be peered to the lab account. The virtual network for the Azure Storage account must be peered to the virtual network for the lab account before the lab is created. > [!NOTE]
-> File shares larger than 5 TB are only available for [locally-redundant storage accounts](../storage/files/storage-files-how-to-create-large-file-share.md#restrictions).
+> By default, standard file shares can span up to 5 TiB. See [Create an Azure file share](../storage/files/storage-how-to-create-file-share.md) for information on how to create file shares than span up to 100 TiB.
-Follow these steps to create a VM connected to an Azure Files share.
+Follow these steps to create a VM connected to an Azure file share.
1. Create an [Azure Storage account](../storage/files/storage-how-to-create-file-share.md). On the **Connectivity method** page, choose **public endpoint** or **private endpoint**. 2. If you've chosen the private method, create a [private endpoint](../private-link/tutorial-private-endpoint-storage-portal.md) in order for the file shares to be accessible from the virtual network. Create a [private DNS zone](../dns/private-dns-privatednszone.md), or use an existing one. Private Azure DNS zones provide name resolution within a virtual network.
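Review bot: The added note has a typo: "file shares than span up to 100 TiB" should read "file shares that span up to 100 TiB". The rewrite also drops the removed line's statement that shares larger than 5 TB are only available for locally-redundant storage accounts; if that restriction still holds, keep it in the note, because a reader picks the redundancy option in step 1 before the share exists.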
lighthouse Create Eligible Authorizations https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/lighthouse/how-to/create-eligible-authorizations.md
Title: Create eligible authorizations description: When onboarding customers to Azure Lighthouse, you can let users in your managing tenant elevate their role on a just-in-time basis. Previously updated : 06/11/2021 Last updated : 06/15/2021
Each of your eligible authorizations must be defined in the `eligibleAuthorizati
} ```
-Within the `eligibleAuthorizations` parameter, the `principalId` specifies the ID for the Azure AD user or group to which this eligible authorization will apply. Don't use an ID of a service principal account, since there's currently no way for a service principal account to elevate its access and use an eligible role.
+Each entry within the `eligibleAuthorizations` parameter contains three elements that define an eligible authorization: `principalId`, `roleDefinitionId`, and `justInTimeAccessPolicy`.
+
+`principalId` specifies the ID for the Azure AD user or group to which this eligible authorization will apply. Don't use an ID of a service principal account, since there's currently no way for a service principal account to elevate its access and use an eligible role.
> [!IMPORTANT] > Be sure to include the same `principalId` in the `authorizations` section of your template with a different role from the eligible authorization, such as Reader (or another Azure built-in role that includes Reader access). If you don't, the user won't be able to elevate their role in the Azure portal.
-The `roleDefinitionId` contains the role definition ID for an [Azure built-in role](../../role-based-access-control/built-in-roles.md) that the user will be eligible to use on a just-in-time basis.
+`roleDefinitionId` contains the role definition ID for an [Azure built-in role](../../role-based-access-control/built-in-roles.md) that the user will be eligible to use on a just-in-time basis. If you include multiple eligible authorizations that use the same `roleDefinitionId`, each of these must have identical settings for `justInTimeAccessPolicy`.
-The `justInTimeAccessPolicy` specifies two elements:
+`justInTimeAccessPolicy` specifies two elements:
- `multiFactorAuthProvider` can either be set to **Azure**, which will require authentication using Azure multi-factor authorization (MFA), or to **None** if no multi-factor authentication will be required. - `maximumActivationDuration` sets the total length of time for which the user will have the eligible role. This value must use the ISO 8601 duration format. The minimum value is PT30M (30 minutes) and the maximum value is PT8H (8 hours).
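Review bot: The new constraint on the `roleDefinitionId` line, that eligible authorizations sharing a `roleDefinitionId` "must have identical settings for `justInTimeAccessPolicy`", doesn't say what happens when they differ. State the outcome (for example, whether the template deployment is rejected), and consider repeating the rule next to the `justInTimeAccessPolicy` bullets, since that is where someone setting `multiFactorAuthProvider` to **None** for one principal and **Azure** for another would look. While this passage is being touched, the unchanged bullet reads "Azure multi-factor authorization (MFA)", which should be "authentication".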
load-balancer Load Balancer Faqs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/load-balancer/load-balancer-faqs.md
Having outbound connectivity via the scenarios above is not necessary to connect
## Does Azure Load Balancer support TLS/SSL termination? No, Azure Load Balancer doesn't currently support termination as it is a pass through network load balancer. Application Gateway could be a potential solution if your application requires this.
+## How do I configure my Load Balancer with an Azure Firewall?
+Follow these [instructions](https://docs.microsoft.com/azure/firewall/integrate-lb) to configure your Load Balancer with an Azure Firewall.
+ ## What are best practices with respect to outbound connectivity? Standard Load Balancer and Standard Public IP introduces abilities and different behaviors to outbound connectivity. They are not the same as Basic SKUs. If you want outbound connectivity when working with Standard SKUs, you must explicitly define it either with Standard Public IP addresses or Standard public Load Balancer. This includes creating outbound connectivity when using an internal Standard Load Balancer. We recommend you always use outbound rules on a Standard public Load Balancer. That means when an internal Standard Load Balancer is used, you need to take steps to create outbound connectivity for the VMs in the backend pool if outbound connectivity is desired. In the context of outbound connectivity,a single standalone VM, all the VM's in an Availability Set, all the instances in a virtual machine scale set behave as a group. This means, if a single VM in an Availability Set is associated with a Standard SKU, all VM instances within this Availability Set now behave by the same rules as if they are associated with Standard SKU, even if an individual instance is not directly associated with it. This behavior is also observed in the case of a standalone VM with multiple network interface cards attached to a load balancer. If one NIC is added as a standalone, it will have the same behavior. Carefully review this entire document to understand the overall concepts, review [Standard Load Balancer](./load-balancer-overview.md) for differences between SKUs, and review [outbound rules](load-balancer-outbound-connections.md#outboundrules). Using outbound rules allows you fine grained control over all aspects of outbound connectivity.
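Review bot: The answer under the new "How do I configure my Load Balancer with an Azure Firewall?" heading is only a link labeled "instructions", so the FAQ entry says nothing on its own and the link text is not descriptive. Name the target article in the link text and add a sentence on what the integration covers. The link is also an absolute `https://docs.microsoft.com/azure/firewall/integrate-lb` URL, while the links in the next answer (`./load-balancer-overview.md`, `load-balancer-outbound-connections.md#outboundrules`) are relative.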
load-balancer Load Balancer Outbound Connections https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/load-balancer/load-balancer-outbound-connections.md
The following <a name="snatporttable"></a>table shows the SNAT port preallocatio
* A UDP SNAT port is needed whether the destination port is unique or not. For every UDP connection to a destination IP, one UDP SNAT port is used. * A TCP SNAT port can be used for multiple connections to the same destination IP provided the destination ports are different. * SNAT exhaustion occurs when a backend instance runs out of given SNAT Ports. A load balancer can still have unused SNAT ports. If a backend instanceΓÇÖs used SNAT ports exceed its given SNAT ports, it will be unable to establish new outbound connections.
+* Fragmented packets will be dropped unless outbound is through an instance level public IP on the VM's NIC.
## Next steps
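Review bot: The added bullet about fragmented packets sits in a list whose other items are all about SNAT port usage and exhaustion, and it leaves open which traffic it covers. Say whether it applies only to outbound flows that go through the load balancer, and for which protocols, and describe the symptom a reader would observe, since a dropped fragment and the failed new connection described in the bullet before it can look alike during troubleshooting. "Instance level public IP" should also be hyphenated as "instance-level".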
logic-apps Create Single Tenant Workflows Azure Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/logic-apps/create-single-tenant-workflows-azure-portal.md
Title: Create workflows in single-tenant Azure Logic Apps using the Azure portal
-description: Create automated workflows that integrate apps, data, services, and systems using single-tenant Azure Logic Apps and the Azure portal.
+ Title: Create workflows with single-tenant Azure Logic Apps (Standard) in the Azure portal
+description: Create automated workflows to integrate apps, data, services, and systems with single-tenant Azure Logic Apps (Standard) in the Azure portal.
ms.suite: integration
Last updated 05/25/2021
-# Create an integration workflow using single-tenant Azure Logic Apps and the Azure portal
+# Create an integration workflow with single-tenant Azure Logic Apps (Standard) in the Azure portal
-This article shows how to create an example automated integration workflow that runs in the *single-tenant Azure Logic Apps environment* by using the **Logic App (Standard)** resource type. If you're new to the new single-tenant model and logic app resource type, review [Single-tenant versus multi-tenant and integration service environment](single-tenant-overview-compare.md).
+This article shows how to create an example automated integration workflow that runs in the *single-tenant* Azure Logic Apps environment by using the **Logic App (Standard)** resource type and the Azure portal. This resource type can host multiple [stateful and stateless workflows](single-tenant-overview-compare.md#stateful-stateless). Also, workflows in the same logic app and tenant run in the same process as the redesigned Azure Logic Apps runtime, so they share the same resources and provide better performance. For more information about the single-tenant Azure Logic Apps offering, review [Single-tenant versus multi-tenant and integration service environment](single-tenant-overview-compare.md).
While this example workflow is cloud-based and has only two steps, you can create workflows from hundreds of operations that can connect a wide range of apps, data, services, and systems across cloud, on premises, and hybrid environments. The example workflow starts with the built-in Request trigger and follows with an Office 365 Outlook action. The trigger creates a callable endpoint for the workflow and waits for an inbound HTTPS request from any caller. When the trigger receives a request and fires, the next action runs by sending email to the specified email address along with selected outputs from the trigger. > [!TIP]
-> If you don't have an Office 365 account, you can use any other available action that can send
-> messages from your email account, for example, Outlook.com.
->
-> To create this example workflow using Visual Studio Code instead, follow the steps in
-> [Create integration workflows using single tenant Azure Logic Apps and Visual Studio Code](create-single-tenant-workflows-visual-studio-code.md).
+> If you don't have an Office 365 account, you can use any other available action
+> that can send messages from your email account, for example, Outlook.com.
+>
+> To create this example workflow in Visual Studio Code instead, follow the steps in
+> [Create integration workflows using single-tenant Azure Logic Apps and Visual Studio Code](create-single-tenant-workflows-visual-studio-code.md).
> Both options provide the capability to develop, run, and deploy logic app workflows in the same kinds of environments. > However, with Visual Studio Code, you can *locally* develop, test, and run workflows in your development environment.
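Review bot: The metadata line still reads "Last updated 05/25/2021" even though this change rewrites the title, description, H1 and introduction; bump the date along with the content. The new introduction also presents workflows running "in the same process" and sharing "the same resources" only as a performance gain. A sentence on what that sharing means for workflows that should be kept apart would help readers decide how to split workflows across logic apps.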
Before you can add a trigger to a blank workflow, make sure that the workflow de
> If the **Add an action** pane shows the error message, `The access token expiry UTC time '{token-expiration-date-time}' is earlier than current UTC time '{current-date-time}'`, > save your workflow, reload the page, reopen your workflow, and try adding the action again.
- This example uses the Office 365 Outlook action named **Send an email (V2)**.
+ This example uses the Office 365 Outlook action that's named **Send an email (V2)**.
![Screenshot that shows the designer and the **Add an action** pane with the Office 365 Outlook "Send an email" action selected.](./media/create-single-tenant-workflows-azure-portal/find-send-email-action.png)
To find the fully qualified domain names (FQDNs) for connections, follow these s
![Screenshot that shows the Azure portal and API Connection pane with "JSON View" selected.](./media/create-single-tenant-workflows-azure-portal/logic-app-connection-view-json.png)
-1. Find, copy, and save the `connectionRuntimeUrl` property value somewhere safe so that you can set up your firewall with this information.
+1. Copy and save the `connectionRuntimeUrl` property value somewhere safe so that you can set up your firewall with this information.
![Screenshot that shows the "connectionRuntimeUrl" property value selected.](./media/create-single-tenant-workflows-azure-portal/logic-app-connection-runtime-url.png)
In this example, the workflow runs when the Request trigger receives an inbound
1. Under **All Collections**, provide a name for the collection to create for organizing your requests, press Enter, and select **Save to <*collection-name*>**. This example uses `Logic Apps requests` as the collection name.
- Postman's request pane opens so that you can send a request to the endpoint URL for the Request trigger.
+ In the Postman app, the request pane opens so that you can send a request to the endpoint URL for the Request trigger.
![Screenshot that shows Postman with the opened request pane](./media/create-single-tenant-workflows-azure-portal/postman-request-pane.png)
After Application Insights opens, you can review various metrics for your logic
To debug a stateless workflow more easily, you can enable the run history for that workflow, and then disable the run history when you're done. Follow these steps for the Azure portal, or if you're working in Visual Studio Code, see [Create stateful and stateless workflows in Visual Studio Code](create-single-tenant-workflows-visual-studio-code.md#enable-run-history-stateless).
-1. In the [Azure portal](https://portal.azure.com), find and open your **Logic App (Standard)** resource.
+1. In the [Azure portal](https://portal.azure.com), open your **Logic App (Standard)** resource.
1. On the logic app's menu, under **Settings**, select **Configuration**.
Stopping a logic app affects workflow instances in the following ways:
To stop each workflow from triggering on unprocessed items since the last run, clear the trigger state before you restart the logic app by following these steps:
- 1. In the Azure portal, find and open your logic app.
+ 1. In the Azure portal, open your logic app.
1. On the logic app menu, under **Workflows**, select **Workflows**. 1. Open a workflow, and edit any part of that workflow's trigger. 1. Save your changes. This step resets the trigger's current state.
Stopping a logic app affects workflow instances in the following ways:
### Restart, stop, or start a single logic app
-1. In the Azure portal, find and open your logic app.
+1. In the Azure portal, open your logic app.
1. On the logic app menu, select **Overview**.
Deleting a workflow affects workflow instances in the following ways:
* Azure Logic Apps doesn't create or run new workflow instances.
-* If you delete a workflow and then recreate the same workflow, the recreated workflow won't have the same metadata as the deleted workflow. You have to resave any workflow that called the deleted workflow. That way, the caller gets the correct information for the recreated workflow. Otherwise, calls to the recreated workflow fail with an `Unauthorized` error. This behavior also applies to workflows that use artifacts in integration accounts and workflows that call Azure functions.
+* If you delete a workflow and then recreate the same workflow, the recreated workflow won't have the same metadata as the deleted workflow. To refresh the metadata, you have to resave any workflow that called the deleted workflow. That way, the caller gets the correct information for the recreated workflow. Otherwise, calls to the recreated workflow fail with an `Unauthorized` error. This behavior also applies to workflows that use artifacts in integration accounts and workflows that call Azure functions.
-1. In the Azure portal, find and open your logic app.
+1. In the Azure portal, open your logic app.
1. On the logic app menu, under **Workflows**, select **Workflows**. In the checkbox column, select a single or multiple workflows to delete.
logic-apps Create Single Tenant Workflows Visual Studio Code https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/logic-apps/create-single-tenant-workflows-visual-studio-code.md
Title: Create workflows in single-tenant Azure Logic Apps using Visual Studio Code
-description: Create automated workflows that integrate apps, data, services, and systems using single-tenant Azure Logic Apps and Visual Studio Code.
+ Title: Create workflows with single-tenant Azure Logic Apps (Standard) in Visual Studio Code
+description: Create automated workflows to integrate apps, data, services, and systems with single-tenant Azure Logic Apps (Standard) in Visual Studio Code.
ms.suite: integration
Last updated 05/25/2021
-# Create an integration workflow using single-tenant Azure Logic Apps and Visual Studio Code
+# Create an integration workflow with single-tenant Azure Logic Apps (Standard) in Visual Studio Code
-This article shows how to create an example automated integration workflow by using the **Logic App (Standard)** resource type, Visual Studio Code, and the **Azure Logic Apps (Standard)** extension. When you create this logic app workflow in Visual Studio Code, you can run and test the workflow in your *local* development environment.
+This article shows how to create an example automated integration workflow that runs in the *single-tenant* Azure Logic Apps environment by using Visual Studio Code with the **Azure Logic Apps (Standard)** extension. The logic app that you create with this extension is based on the **Logic App (Standard)** resource type, which provides the following capabilities:
-When you're ready, you can deploy to the *single-tenant Azure Logic Apps environment* or anywhere that Azure Functions can run, due to the redesigned Azure Logic Apps containerized runtime. Compared to the multi-tenant **Azure Logic Apps (Consumption)** extension, which works for the multi-tenant Azure Logic Apps environment, the single-tenant **Azure Logic Apps (Standard)** extension provides the capability for you to create logic apps with the following attributes:
+* You can locally run and test logic app workflows in the Visual Studio Code development environment.
-* The **Logic App (Standard)** resource type can host multiple [stateful and stateless workflows](single-tenant-overview-compare.md#stateful-stateless) that run locally in your development environment, in the single-tenant Azure Logic Apps environment, or anywhere that Azure Functions can run, such as containers. This attribute provides flexibility and portability for your workflows.
+* Your logic app can include multiple [stateful and stateless workflows](single-tenant-overview-compare.md#stateful-stateless).
-* In a **Logic App (Standard)** resource, workflows in the same logic app and tenant run in the same process as the redesigned Azure Logic Apps runtime, so they share the same resources and provide better performance.
+* Workflows in the same logic app and tenant run in the same process as the redesigned Azure Logic Apps runtime, so they share the same resources and provide better performance.
-* You can deploy a **Logic App (Standard)** resource directly to Azure or anywhere that Azure Functions can run, including containers.
+* You can deploy the **Logic App (Standard)** resource type directly to the single-tenant Azure Logic Apps environment or anywhere that Azure Functions can run, including containers, due to the redesigned Azure Logic Apps containerized runtime.
-For more information about the **Logic App (Standard)** resource type and single-tenant model, review [Single-tenant versus multi-tenant and integration service environment](single-tenant-overview-compare.md).
+For more information about the single-tenant Azure Logic Apps offering, review [Single-tenant versus multi-tenant and integration service environment](single-tenant-overview-compare.md).
While the example workflow is cloud-based and has only two steps, you can create workflows from hundreds of operations that can connect a wide range of apps, data, services, and systems across cloud, on premises, and hybrid environments. The example workflow starts with the built-in Request trigger and follows with an Office 365 Outlook action. The trigger creates a callable endpoint for the workflow and waits for an inbound HTTPS request from any caller. When the trigger receives a request and fires, the next action runs by sending email to the specified email address along with selected outputs from the trigger. > [!TIP]
-> If you don't have an Office 365 account, you can use any other available action that can send
-> messages from your email account, for example, Outlook.com.
->
+> If you don't have an Office 365 account, you can use any other available action
+> that can send messages from your email account, for example, Outlook.com.
+>
> To create this example workflow using the Azure portal instead, follow the steps in > [Create integration workflows using single tenant Azure Logic Apps and the Azure portal](create-single-tenant-workflows-azure-portal.md). > Both options provide the capability to develop, run, and deploy logic app workflows in the same kinds of environments.
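Review bot: The tip's cross-link text in the unchanged line still reads "Create integration workflows using single tenant Azure Logic Apps and the Azure portal", unhyphenated, while the matching link in the portal article was corrected to "single-tenant" in this same batch. Fix it here too, and since both articles get new H1s ("Create an integration workflow with single-tenant Azure Logic Apps (Standard) in ..."), consider updating the link text to match the new titles. The "Last updated 05/25/2021" line is also left unchanged despite the rewritten introduction.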
For more information, review the [Azurite documentation](https://github.com/Azur
* To locally run webhook-based triggers and actions, such as the [built-in HTTP Webhook trigger](../connectors/connectors-native-webhook.md), in Visual Studio Code, you need to [set up forwarding for the callback URL](#webhook-setup).
-* To test the example workflow in this article, you need a tool that can send calls to the endpoint created by the Request trigger. If you don't have such a tool, you can download, install, and use [Postman](https://www.postman.com/downloads/).
+* To test the example workflow in this article, you need a tool that can send calls to the endpoint created by the Request trigger. If you don't have such a tool, you can download, install, and use the [Postman](https://www.postman.com/downloads/) app.
* If you create your logic app resources with settings that support using [Application Insights](../azure-monitor/app/app-insights-overview.md), you can optionally enable diagnostics logging and tracing for your logic app. You can do so either when you create your logic app or after deployment. You need to have an Application Insights instance, but you can create this resource either [in advance](../azure-monitor/app/create-workspace-resource.md), when you create your logic app, or after deployment.
To locally run webhook-based triggers and actions in Visual Studio Code, you nee
> file's shortcut menu, and select **Configure Webhook Redirect Endpoint**. The prompt now > appears so you can provide the forwarding URL.
- Visual Studio Code adds the forwarding URL to the **local.settings.json** file in your project's root folder. In the `Values` object, the property named `Workflows.WebhookRedirectHostUri` now appears and is set to the forwarding URL, for example:
+ Visual Studio Code adds the forwarding URL to the **local.settings.json** file in your project's root folder. In the `Values` object, the property that's named `Workflows.WebhookRedirectHostUri` now appears and is set to the forwarding URL, for example:
```json {
To test your logic app, follow these steps to start a debugging session, and fin
1. Under **All Collections**, provide a name for the collection to create for organizing your requests, press Enter, and select **Save to <*collection-name*>**. This example uses `Logic Apps requests` as the collection name.
- Postman's request pane opens so that you can send a request to the callback URL for the Request trigger.
+ In Postman, the request pane opens so that you can send a request to the callback URL for the Request trigger.
![Screenshot that shows Postman with the opened request pane](./media/create-single-tenant-workflows-visual-studio-code/postman-request-pane.png)
After you make updates to your logic app, you can run another test by rerunning
<a name="firewall-setup"></a>
-## Find domain names for firewall access
+## Find domain names for firewall access
Before you deploy and run your logic app workflow in the Azure portal, if your environment has strict network requirements or firewalls that limit traffic, you have to set up permissions for any trigger or action connections that exist in your workflow.
To find the fully qualified domain names (FQDNs) for these connections, follow t
1. In your logic app project, open the **connections.json** file, which is created after you add the first connection-based trigger or action to your workflow, and find the `managedApiConnections` object.
-1. For each connection that you created, find, copy, and save the `connectionRuntimeUrl` property value somewhere safe so that you can set up your firewall with this information.
+1. For each connection that you created, copy and save the `connectionRuntimeUrl` property value somewhere safe so that you can set up your firewall with this information.
This example **connections.json** file contains two connections, an AS2 connection and an Office 365 connection with these `connectionRuntimeUrl` values:
Deployment for the **Logic App (Standard)** resource type requires a hosting pla
![Screenshot that shows the "Azure: Logic Apps (Standard)" pane and a prompt to "Create new App Service Plan" or select an existing App Service plan.](./media/create-single-tenant-workflows-visual-studio-code/create-app-service-plan.png)
- 1. Provide a name for your hosting plan plan, and then select a pricing tier for your selected plan.
+ 1. Provide a name for your hosting plan, and then select a pricing tier for your selected plan.
For more information, review [Hosting plans and pricing tiers](logic-apps-pricing.md#standard-pricing).
In Visual Studio Code, you can view all the deployed logic apps in your Azure su
![Screenshot that shows Visual Studio Code with the opened "Azure Logic Apps (Standard)" extension pane and the deployed workflow.](./media/create-single-tenant-workflows-visual-studio-code/find-deployed-workflow-visual-studio-code.png)
-1. To view all the workflows in the logic app, expand your logic app, and then expand the **Workflows** node.
+1. To view all the workflows in the logic app, expand your logic app, and then expand the node that's named **Workflows**.
1. To view a specific workflow, open the workflow's shortcut menu, and select **Open in Designer**, which opens the workflow in read-only mode.
In Visual Studio Code, you can view all the deployed logic apps in your Azure su
* In Visual Studio Code, open your project's **workflow.json** file in the workflow designer, make your edits, and redeploy your logic app to Azure.
- * In the Azure portal, [find and open your logic app](#manage-deployed-apps-portal). Find, edit, and save the workflow.
+ * In the Azure portal, [open your logic app](#manage-deployed-apps-portal). You can then open, edit, and save your workflow.
1. To open the deployed logic app in the Azure portal, open the logic app's shortcut menu, and select **Open in Portal**.
Stopping a logic app affects workflow instances in the following ways:
1. In Visual Studio Code, on the left toolbar, select the Azure icon. 1. In the **Azure: Logic Apps (Standard)** pane, expand your subscription, which shows all the deployed logic apps for that subscription.
- 1. Expand your logic app, and then expand the **Workflows** node.
+ 1. Expand your logic app, and then expand the node that's named **Workflows**.
1. Open a workflow, and edit any part of that workflow's trigger. 1. Save your changes. This step resets the trigger's current state. 1. Repeat for each workflow.
Deleting a logic app affects workflow instances in the following ways:
* The Logic Apps service doesn't create or run new workflow instances.
-* If you delete a workflow and then recreate the same workflow, the recreated workflow won't have the same metadata as the deleted workflow. You have to resave any workflow that called the deleted workflow. That way, the caller gets the correct information for the recreated workflow. Otherwise, calls to the recreated workflow fail with an `Unauthorized` error. This behavior also applies to workflows that use artifacts in integration accounts and workflows that call Azure functions.
+* If you delete a workflow and then recreate the same workflow, the recreated workflow won't have the same metadata as the deleted workflow. To refresh the metadata, you have to resave any workflow that called the deleted workflow. That way, the caller gets the correct information for the recreated workflow. Otherwise, calls to the recreated workflow fail with an `Unauthorized` error. This behavior also applies to workflows that use artifacts in integration accounts and workflows that call Azure functions.
<a name="manage-deployed-apps-portal"></a>
Through the Azure portal, you can add blank workflows to a **Logic App (Standard
To debug a stateless workflow more easily, you can enable the run history for that workflow, and then disable the run history when you're done. Follow these steps for Visual Studio Code, or if you're working in the Azure portal, see [Create single-tenant based workflows in the Azure portal](create-single-tenant-workflows-azure-portal.md#enable-run-history-stateless).
-1. In your Visual Studio Code project, expand the **workflow-designtime** folder, and open the **local.settings.json** file.
+1. In your Visual Studio Code project, expand the folder that's named **workflow-designtime**, and open the **local.settings.json** file.
1. Add the `Workflows.{yourWorkflowName}.operationOptions` property and set the value to `WithStatelessRunHistory`, for example:
To resolve this problem and adjust for the longer URI, edit the `UrlSegmentMaxCo
When you try to start a debugging session, you get the error, **"Error exists after running preLaunchTask 'generateDebugSymbols'"**. To resolve this problem, edit the **tasks.json** file in your project to skip symbol generation.
-1. In your project, expand the **.vscode** folder, and open the **tasks.json** file.
+1. In your project, expand the folder that's named **.vscode**, and open the **tasks.json** file.
1. In the following task, delete the line, `"dependsOn: "generateDebugSymbols"`, along with the comma that ends the preceding line, for example:
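Review bot: The step right after the changed line tells the reader to delete the line `"dependsOn: "generateDebugSymbols"`, and that literal has unbalanced quotes, so it can't match what is in **tasks.json**. Since this hunk already edits the neighboring step, fix the literal so the property name and the value are each fully quoted, presumably `"dependsOn": "generateDebugSymbols"`.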
machine-learning Concept Designer https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/machine-learning/concept-designer.md
Title: Build ML models with the designer
+ Title: What is the Azure Machine Learning designer?
-description: Learn about the terms, concepts, and workflow that makes up the designer for Azure Machine Learning.
+description: Learn about the concepts that make up the drag-and-drop Azure Machine Learning designer.
Previously updated : 06/28/2020- Last updated : 06/11/2021+ # What is Azure Machine Learning designer?
+Azure Machine Learning designer is a drag-and-drop interface used to train and deploy models in Azure Machine Learning.
-Azure Machine Learning designer lets you visually connect [datasets](#datasets) and [modules](#module) on an interactive canvas to create machine learning models. To learn how to get started with the designer, see [Tutorial: Predict automobile price with the designer](tutorial-designer-automobile-price-train-score.md)
+To get started with the designer, see [Tutorial: Train a no-code regression model](tutorial-designer-automobile-price-train-score.md)
![Azure Machine Learning designer example](./media/concept-designer/designer-drag-and-drop.gif)
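Review bot: the new `Title:` value reads "What is the Azure Machine Learning designer?", but the H1 and the new opening sentence both use "Azure Machine Learning designer" without the article. Pick one form so the title, heading and body agree. The added "To get started with the designer, see [Tutorial: Train a no-code regression model](...)" sentence also ends without a period, carried over from the line it replaces.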
The designer gives you a visual canvas to build, test, and deploy machine learni
+ [Publish](#publish) your pipelines to a REST **pipeline endpoint** to submit a new pipeline that runs with different parameters and datasets. + Publish a **training pipeline** to reuse a single pipeline to train multiple models while changing parameters and datasets. + Publish a **batch inference pipeline** to make predictions on new data by using a previously trained model.
-+ [Deploy](#deploy) a **real-time inference pipeline** to a real-time endpoint to make predictions on new data in real-time.
++ [Deploy](#deploy) a **real-time inference pipeline** to a real-time endpoint to make predictions on new data in real time. ![Workflow diagram for training, batch inference, and real-time inference in the designer](./media/concept-designer/designer-workflow-diagram.png) ## Pipeline
-A [pipeline](concept-azure-machine-learning-architecture.md#ml-pipelines) consists of datasets and analytical modules, which you connect. Pipelines have many uses: you can make a pipeline that trains a single model, or one that trains multiple models. You can create a pipeline that makes predictions in real-time or in batch, or make a pipeline that only cleans data. Pipelines let you reuse your work and organize your projects.
+A [pipeline](concept-azure-machine-learning-architecture.md#ml-pipelines) consists of datasets and analytical modules, which you connect. Pipelines have many uses: you can make a pipeline that trains a single model, or one that trains multiple models. You can create a pipeline that makes predictions in real time or in batch, or make a pipeline that only cleans data. Pipelines let you reuse your work and organize your projects.
### Pipeline draft
A module may have a set of parameters that you can use to configure the module's
:::image type="content" source="./media/concept-designer/properties.png" alt-text="Module properties":::
-For some help navigating through the library of machine learning algorithms available, see [Algorithm & module reference overview](algorithm-module-reference/module-reference.md). For help choosing an algorithm, see the [Azure Machine Learning Algorithm Cheat Sheet](algorithm-cheat-sheet.md).
+For some help navigating through the library of machine learning algorithms available, see [Algorithm & module reference overview](algorithm-module-reference/module-reference.md). For help with choosing an algorithm, see the [Azure Machine Learning Algorithm Cheat Sheet](algorithm-cheat-sheet.md).
## <a name="compute"></a> Compute resources
Compute targets are attached to your [Azure Machine Learning workspace](concept-
## Deploy
-To perform real-time inferencing, you must deploy a pipeline as a **real-time endpoint**. The real-time endpoint creates an interface between an external application and your scoring model. A call to a real-time endpoint returns prediction results to the application in real-time. To make a call to a real-time endpoint, you pass the API key that was created when you deployed the endpoint. The endpoint is based on REST, a popular architecture choice for web programming projects.
+To perform real-time inferencing, you must deplo