Service | Microsoft Docs article | Related commit history on GitHub | Change details |
---|---|---|---|
active-directory-b2c | Whats New Docs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/whats-new-docs.md | Title: "What's new in Azure Active Directory business-to-customer (B2C)" description: "New and updated documentation for the Azure Active Directory business-to-customer (B2C)." Previously updated : 05/03/2023 Last updated : 06/05/2023 +## May 2023 ++### New articles ++- [How to secure your Azure Active Directory B2C identity solution](security-architecture.md) ++### Updated articles ++- [Configure Azure Active Directory B2C with Akamai Web Application Protector](partner-akamai.md) +- [Configure Asignio with Azure Active Directory B2C for multifactor authentication](partner-asignio.md) +- [Configure xID with Azure Active Directory B2C for passwordless authentication](partner-xid.md) +- [Configure WhoIAM Rampart with Azure Active Directory B2C](partner-whoiam-rampart.md) +- [Build a global identity solution with funnel-based approach](azure-ad-b2c-global-identity-funnel-based-design.md) +- [Use the Azure portal to create and delete consumer users in Azure AD B2C](manage-users-portal.md) + ## April 2023 ### Updated articles Welcome to what's new in Azure Active Directory B2C documentation. 
This article - [Azure Active Directory B2C code samples](integrate-with-app-code-samples.md) - [JSON claims transformations](json-transformations.md) - [Set up sign-in for a specific Azure Active Directory organization in Azure Active Directory B2C](identity-provider-azure-ad-single-tenant.md)-- [Page layout versions](page-layout.md)--## January 2023 --### New articles --- [Migrate applications using header-based authentication to Azure Active Directory B2C with Grit's app proxy](partner-grit-app-proxy.md)-- [Configure Grit's biometric authentication with Azure Active Directory B2C](partner-grit-authentication.md)-- [Create and run your own custom policies in Azure Active Directory B2C](custom-policies-series-overview.md)-- [Write your first Azure Active Directory B2C custom policy - Hello World!](custom-policies-series-hello-world.md)-- [Collect and manipulate user inputs by using Azure AD B2C custom policy](custom-policies-series-collect-user-input.md)-- [Validate user inputs by using Azure Active Directory B2C custom policy](custom-policies-series-validate-user-input.md)-- [Create branching in user journey by using Azure Active Directory B2C custom policy](custom-policies-series-branch-user-journey.md)-- [Validate custom policy files by using TrustFrameworkPolicy schema](custom-policies-series-install-xml-extensions.md)-- [Call a REST API by using Azure Active Directory B2C custom policy](custom-policies-series-call-rest-api.md)-- [Create and read a user account by using Azure Active Directory B2C custom policy](custom-policies-series-store-user.md)-- [Set up a sign-up and sign-in flow by using Azure Active Directory B2C custom policy](custom-policies-series-sign-up-or-sign-in.md)-- [Set up a sign-up and sign-in flow with a social account by using Azure Active Directory B2C custom policy](custom-policies-series-sign-up-or-sign-in-federation.md)-- [Manage administrator accounts in Azure Active Directory B2C](tenant-management-manage-administrator.md)-- [Manage 
emergency access accounts in Azure Active Directory B2C](tenant-management-emergency-access-account.md)-- [Review tenant creation permission in Azure Active Directory B2C](tenant-management-check-tenant-creation-permission.md)-- [Find tenant name and tenant ID in Azure Active Directory B2C](tenant-management-read-tenant-name.md)--### Updated articles --- [Monitor Azure AD B2C with Azure Monitor](azure-monitor.md)-- [Set up sign-up and sign-in with a Twitter account using Azure Active Directory B2C](identity-provider-twitter.md)-- [Tutorial: Configure Azure Active Directory B2C with Datawiza to provide secure hybrid access](partner-datawiza.md)-- [Tutorial: Configure Ping Identity with Azure Active Directory B2C for secure hybrid access](partner-ping-identity.md)-- [Sign-in options in Azure AD B2C](sign-in-options.md)-- [Quickstart: Set up sign in for an ASP.NET application using Azure Active Directory B2C](quickstart-web-app-dotnet.md)-- [Enrich tokens with claims from external sources using API connectors](add-api-connector-token-enrichment.md)-- [Identity verification and proofing partners](identity-verification-proofing.md)-- [Configure complexity requirements for passwords in Azure Active Directory B2C](password-complexity.md)-- [User profile attributes](user-profile-attributes.md)-- [Azure Active Directory B2C: What's new](whats-new-docs.md)-- [Tutorial: Configure Azure Active Directory B2C with the Arkose Labs platform](partner-arkose-labs.md)-- [Tutorial: Configure Zscaler Private Access with Azure Active Directory B2C](partner-zscaler.md)-- [Tutorial to configure Azure Active Directory B2C with WhoIAM](partner-whoiam.md)-- [Tutorial to configure Azure Active Directory B2C with Strata](partner-strata.md)-- [Tutorial for configuring Onfido with Azure Active Directory B2C](partner-onfido.md)-- [Tutorial to configure Nevis with Azure Active Directory B2C for passwordless authentication](partner-nevis.md)-- [Tutorial for configuring LexisNexis with Azure Active 
Directory B2C](partner-lexisnexis.md)-- [Tutorial for configuring Jumio with Azure Active Directory B2C](partner-jumio.md)-- [Tutorial for configuring HYPR with Azure Active Directory B2C](partner-hypr.md)-- [Manage Azure AD B2C with Microsoft Graph](microsoft-graph-operations.md)-- [Tutorial: Create an Azure Active Directory B2C tenant](tutorial-create-tenant.md)-- [Build a global identity solution with funnel-based approach](azure-ad-b2c-global-identity-funnel-based-design.md)--## December 2022 --### New articles --- [Build a global identity solution with funnel-based approach](azure-ad-b2c-global-identity-funnel-based-design.md)-- [Azure Active Directory B2C global identity framework proof of concept for funnel-based configuration](azure-ad-b2c-global-identity-proof-of-concept-funnel.md)-- [Azure Active Directory B2C global identity framework proof of concept for region-based configuration](azure-ad-b2c-global-identity-proof-of-concept-regional.md)-- [Build a global identity solution with region-based approach](azure-ad-b2c-global-identity-region-based-design.md)-- [Azure Active Directory B2C global identity framework](azure-ad-b2c-global-identity-solutions.md)--### Updated articles --- [Set up a resource owner password credentials flow in Azure Active Directory B2C](add-ropc-policy.md)-- [Use API connectors to customize and extend sign-up user flows and custom policies with external identity data sources](api-connectors-overview.md)-- [Azure Active Directory B2C: Region availability & data residency](data-residency.md)-- [Tutorial: Configure Experian with Azure Active Directory B2C](partner-experian.md)-- [Tutorial: Configure Microsoft Dynamics 365 Fraud Protection with Azure Active Directory B2C](partner-dynamics-365-fraud-protection.md)-- [Tutorial: Configure Azure Active Directory B2C with Datawiza to provide secure hybrid access](partner-datawiza.md)-- [Configure TheAccessHub Admin Tool with Azure Active Directory B2C](partner-n8identity.md)-- [Tutorial: 
Configure Cloudflare Web Application Firewall with Azure Active Directory B2C](partner-cloudflare.md)-- [Set up a password reset flow in Azure Active Directory B2C](add-password-reset-policy.md)-- [What is Azure Active Directory B2C?](overview.md)-- [Technical and feature overview of Azure Active Directory B2C](technical-overview.md)+- [Page layout versions](page-layout.md) |
active-directory-domain-services | Synchronization | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/synchronization.md | The synchronization process is one-way by design. There's no reverse synchroniza ## Scoped synchronization and group filter -You can scope synchronization to only user accounts that originated in the cloud. Within that synchronization scope, you can filter for specific groups os users. You can choose between cloud only groups, on-premises groups, or both. For more information about how to configure scoped synchronization, see [Configure scoped synchronization](scoped-synchronization.md). +You can scope synchronization to only user accounts that originated in the cloud. Within that synchronization scope, you can filter for specific groups or users. You can choose between cloud only groups, on-premises groups, or both. For more information about how to configure scoped synchronization, see [Configure scoped synchronization](scoped-synchronization.md). :::image type="content" border="true" source="./media/scoped-synchronization/filter.png" alt-text="Screenshot of group filter option."::: |
active-directory | On Premises Custom Connector | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/on-premises-custom-connector.md | Azure AD supports preintegrated connectors for applications that support the fol > - [REST](on-premises-ldap-connector-configure.md) > - [SOAP](on-premises-ldap-connector-configure.md) -For connectivity to applications that don't support the aforementioned protocols and standards, customers and [partners](https://social.technet.microsoft.com/wiki/contents/articles/1589.fim-2010-mim-2016-management-agents-from-partners.aspx) have built custom [ECMA 2.0](/previous-versions/windows/desktop/forefront-2010/hh859557(v=vs.100)) connectors for Microsoft Identity Manager (MIM) 2016. You can now use those ECMA 2.0 connectors with the lightweight Azure AD provisioning agent, without needing MIM sync deployed. \ +For connectivity to applications that don't support the aforementioned protocols and standards, customers and [partners](https://social.technet.microsoft.com/wiki/contents/articles/1589.fim-2010-mim-2016-management-agents-from-partners.aspx) have built custom [ECMA 2.0](/previous-versions/windows/desktop/forefront-2010/hh859557(v=vs.100)) connectors for Microsoft Identity Manager (MIM) 2016. You can now use those ECMA 2.0 connectors with the lightweight Azure AD provisioning agent, without needing MIM sync deployed. ## Exporting and importing a MIM connector-If you've got a customer connector in MIM, you can export it by following the instructions [here](on-premises-migrate-microsoft-identity-manager.md#export-a-connector-configuration-from-mim-sync). You need to save the XML file, the DLL, and related software for your connector. +If you have a custom ECMA 2.0 connector in MIM, you can export it by following the instructions [here](on-premises-migrate-microsoft-identity-manager.md#export-a-connector-configuration-from-mim-sync). 
You need to save the XML file, the DLL, and related software for your connector. To import your connector, you can use the instructions [here](on-premises-migrate-microsoft-identity-manager.md#import-a-connector-configuration). You will need to copy the DLL for your connector, and any of its prerequisite DLLs, to that same ECMA subdirectory of the Service directory. After the xml has been imported, continue through the wizard and ensure that all the required fields are populated. |
active-directory | Concept Authentication Strengths | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-authentication-strengths.md | If the user hasn't registered for any methods that satisfy the authentication st If the authentication strength doesn't include a method that the user can register and use, the user is blocked from sign-in to the resource. -### Registering authentication methods +### Register passwordless authentication methods -The following authentication methods can't be registered as part of combined registration interrupt mode: -* [Microsoft Authenticator (phone sign-in)](https://support.microsoft.com/account-billing/add-your-work-or-school-account-to-the-microsoft-authenticator-app-43a73ab5-b4e8-446d-9e54-2a4cb8e4e93c) - Can be registered from the Authenticator app. -* [FIDO2](howto-authentication-passwordless-security-key.md) - can be registered using [combined registration managed mode](concept-registration-mfa-sspr-combined.md#manage-mode). -* [Certificate-based authentication](concept-certificate-based-authentication.md) - Require administrator setup, cannot be registered by the user. -* [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use) - Can be registered in the Windows Out of Box Experience (OOBE) or the Windows Settings menu. +The following authentication methods can't be registered as part of combined registration interrupt mode. Make sure users are registered for these methods before you apply a Conditional Access policy that can require them to be used for sign-in. If a user isn't registered for these methods, they can't access the resource until the required method is registered. 
++| Method | Registration requirements | +|--|| +|[Microsoft Authenticator (phone sign-in)](https://support.microsoft.com/account-billing/add-your-work-or-school-account-to-the-microsoft-authenticator-app-43a73ab5-b4e8-446d-9e54-2a4cb8e4e93c) | Can be registered from the Authenticator app.| +|[FIDO2 security key](howto-authentication-passwordless-security-key.md) | Can be registered using [combined registration managed mode](concept-registration-mfa-sspr-combined.md#manage-mode). | +|[Certificate-based authentication](concept-certificate-based-authentication.md) | Requires administrator setup; can't be registered by the user. | +|[Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use) | Can be registered in the Windows Out of Box Experience (OOBE) or the Windows Settings menu.| -If a user isn't registered for these methods, they can't access the resource until the required method is registered. For the best user experience, make sure users complete combined registered in advance for the different methods they may need to use. ### Federated user experience For federated domains, MFA may be enforced by Azure AD Conditional Access or by the on-premises federation provider by setting the federatedIdpMfaBehavior. If the federatedIdpMfaBehavior setting is set to enforceMfaByFederatedIdp, the user must authenticate on their federated IdP and can only satisfy the **Federated Multi-Factor** combination of the authentication strength requirement. For more information about the federation settings, see [Plan support for MFA](../hybrid/migrate-from-federation-to-cloud-authentication.md#plan-support-for-mfa). |
active-directory | Concept Certificate Based Authentication Mobile Android | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-certificate-based-authentication-mobile-android.md | Security keys with certificates: ### Azure AD CBA on Android mobile -Android needs a middleware application to be able to support smartcard or security keys with certificates. To support YubiKeys with Azure AD CBA, YubiKey Android SDK has been integrated into the Microsoft broker code which can be leveraged through the latest MSAL +Android needs a middleware application to be able to support smartcard or security keys with certificates. To support YubiKeys with Azure AD CBA, YubiKey Android SDK has been integrated into the Microsoft broker code which can be leveraged through the latest Microsoft Authentication Library (MSAL). ### Azure AD CBA on Android mobile with YubiKey -Since Azure AD CBA with YubiKey on Android mobile is enabled via the latest MSAL, YubiKey Authenticator app is not a requirement for Android support. +Because Azure AD CBA with YubiKey on Android mobile is enabled by using the latest MSAL, YubiKey Authenticator app isn't required for Android support. Steps to test YubiKey on Microsoft apps on Android: This issue happens because of certificate caching. We are working to add a fix t |:-|::|::|::|::|::|::| | Android | ✅ | ❌|N/A | N/A | ❌ | ❌| +>[!NOTE] +>Although Edge as a browser is not supported, Edge as a profile (for account login) is an MSAL app that supports CBA on Android. + ### Security key providers |Provider | Android | |
active-directory | Concept System Preferred Multifactor Authentication | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-system-preferred-multifactor-authentication.md | description: Learn how to use system-preferred multifactor authentication Previously updated : 04/30/2023 Last updated : 06/02/2023 Content-Type: application/json [FIDO2 security keys](../develop/support-fido2-authentication.md#mobile) on mobile devices and [registration for certificate-based authentication (CBA)](concept-certificate-based-authentication.md) aren't supported due to an issue that might surface when system-preferred MFA is enabled. Until a fix is available, we recommend not using FIDO2 security keys on mobile devices or registering for CBA. To disable system-preferred MFA for these users, you can either add them to an excluded group or remove them from an included group. -## Common questions +## FAQ ### How does system-preferred MFA determine the most secure method? When a user signs in, the authentication process checks which authentication met ### How does system-preferred MFA affect AD FS or NPS extension? -System-preferred MFA doesn't affect users who sign in by using Active Directory Federation Services (AD FS) or Network Policy Server (NPS) extension. Those users don't see any change to their sign-in experience. +System-preferred MFA doesn't affect users who sign in by using federation, such as Active Directory Federation Services (AD FS) or third-party providers, or Network Policy Server (NPS) extension. Those users don't see any change to their sign-in experience. ### What happens for users who aren't specified in the Authentication methods policy but enabled in the legacy MFA tenant-wide policy? |
active-directory | Howto Authentication Passwordless Security Key | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-authentication-passwordless-security-key.md | This document focuses on enabling security key based passwordless authentication - WebAuthN requires Windows 10 version 1903 or higher To use security keys for logging in to web apps and services, you must have a browser that supports the WebAuthN protocol. -These include Microsoft Edge, Chrome, Firefox, and Safari. +These include Microsoft Edge, Chrome, Firefox, and Safari. For more information about, see [Browser support of FIDO2 passwordless authentication](fido2-compatibility.md). ## Prepare devices |
active-directory | Howto Password Ban Bad On Premises Agent Versions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-password-ban-bad-on-premises-agent-versions.md | +To download the most recent version, see [Azure AD Password Protection for Windows Server Active Directory](https://www.microsoft.com/download/details.aspx?id=57071). + ## 1.2.177.1 Release date: March 28, 2022 |
active-directory | Howto Registration Mfa Sspr Combined | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-registration-mfa-sspr-combined.md | Complete the following steps to create a policy that applies to all selected use 1. In the **Azure portal**, browse to **Azure Active Directory** > **Security** > **Conditional Access**. 1. Select **+ New policy**. 1. Enter a name for this policy, such as *Combined Security Info Registration on Trusted Networks*.-1. Under **Assignments**, select **Users or workload identities**.. Choose the users and groups you want this policy to apply to, then select **Done**. +1. Under **Assignments**, select **Users**. Choose the users and groups you want this policy to apply to. > [!WARNING] > Users must be enabled for combined registration. Complete the following steps to create a policy that applies to all selected use 1. Configure **Yes**. 1. Include **Any location**. 1. Exclude **All trusted locations**.-1. Select **Done** on the *Locations* window, then select **Done** on the *Conditions* window. 1. Under **Access controls** > **Grant**, choose **Block access**, then **Select**. 1. Set **Enable policy** to **On**. 1. To finalize the policy, select **Create**. |
active-directory | Troubleshoot Authentication Strengths | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/troubleshoot-authentication-strengths.md | An Authentication Policy Administrator can restrict access to specific security ## A user can't register a new method during sign-in -Some methods can't be registered during sign-in, or they need more setup beyond the combined registration. For more information, see [Registering authentication methods](concept-authentication-strengths.md#registering-authentication-methods). +Some methods can't be registered during sign-in, or they need more setup beyond the combined registration. For more information, see [Register passwordless authentication methods](concept-authentication-strengths.md#register-passwordless-authentication-methods). :::image type="content" border="true" source="./media/troubleshoot-authentication-strengths/register.png" alt-text="Screenshot of a sign-in error when they are unable to register the method."::: |
active-directory | Tutorial Enable Sspr Writeback | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/tutorial-enable-sspr-writeback.md | Azure AD Connect lets you synchronize users, groups, and credential between an o To correctly work with SSPR writeback, the account specified in Azure AD Connect must have the appropriate permissions and options set. If you're not sure which account is currently in use, open Azure AD Connect and select the **View current configuration** option. The account that you need to add permissions to is listed under **Synchronized Directories**. The following permissions and options must be set on the account: * **Reset password**+* **Change password** * **Write permissions** on `lockoutTime` * **Write permissions** on `pwdLastSet` * **Extended rights** for "Unexpire Password" on the root object of *each domain* in that forest, if not already set. |
active-directory | Onboard Aws | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/onboard-aws.md | There are several moving parts across AWS and Azure, which are required to be co * An Azure AD OIDC App * An AWS OIDC account-* An (optional) AWS Master account +* An (optional) AWS Management account * An (optional) AWS Central logging account * An AWS OIDC role * An AWS Cross Account role assumed by OIDC role There are several moving parts across AWS and Azure, which are required to be co 1. Return to Permissions Management, and in the **Permissions Management Onboarding - AWS OIDC Account Setup** page, select **Next**. -### 3. Set up the AWS master account connection (Optional) +### 3. Set up the AWS Management account connection (Optional) -1. If your organization has Service Control Policies (SCPs) that govern some or all of the member accounts, set up the master account connection in the **Permissions Management Onboarding - AWS Master Account Details** page. +1. If your organization has Service Control Policies (SCPs) that govern some or all of the member accounts, set up the Management account connection in the **Permissions Management Onboarding - AWS Management Account Details** page. - Setting up the master account connection allows Permissions Management to auto-detect and onboard any AWS member accounts that have the correct Permissions Management role. + Setting up the Management account connection allows Permissions Management to auto-detect and onboard any AWS member accounts that have the correct Permissions Management role. -1. In the **Permissions Management Onboarding - AWS Master Account Details** page, enter the **Master Account ID** and **Master Account Role**. +1. In the **Permissions Management Onboarding - AWS Management Account Details** page, enter the **Management Account ID** and **Management Account Role**. -1. 
Open another browser window and sign in to the AWS console for your master account. +1. Open another browser window and sign in to the AWS console for your Management account. -1. Return to Permissions Management, and in the **Permissions Management Onboarding - AWS Master Account Details** page, select **Launch Template**. +1. Return to Permissions Management, and in the **Permissions Management Onboarding - AWS Management Account Details** page, select **Launch Template**. The **AWS CloudFormation create stack** page opens, displaying the template. There are several moving parts across AWS and Azure, which are required to be co 1. In the **Capabilities** box, select **I acknowledge that AWS CloudFormation might create IAM resources with custom names**. Then select **Create stack**. - This AWS CloudFormation stack creates a role in the master account with the necessary permissions (policies) to collect SCPs and list all the accounts in your organization. + This AWS CloudFormation stack creates a role in the Management account with the necessary permissions (policies) to collect SCPs and list all the accounts in your organization. A trust policy is set on this role to allow the OIDC role created in your AWS OIDC account to access it. These entities are listed in the **Resources** tab of your CloudFormation stack. -1. Return to Permissions Management, and in **Permissions Management Onboarding - AWS Master Account Details**, select **Next**. +1. Return to Permissions Management, and in **Permissions Management Onboarding - AWS Management Account Details**, select **Next**. ### 4. Set up the AWS Central logging account connection (Optional but recommended) Choose from three options to manage AWS accounts. Choose this option to automatically detect and add to the monitored account list, without extra configuration. 
Steps to detect list of accounts and onboard for collection: -- Deploy Master account CFT (Cloudformation template) which creates organization account role that grants permission to OIDC role created earlier to list accounts, OUs and SCPs. +- Deploy Management account CFT (Cloudformation template) which creates organization account role that grants permission to OIDC role created earlier to list accounts, OUs and SCPs. - If AWS SSO is enabled, organization account CFT also adds policy needed to collect AWS SSO configuration details. - Deploy Member account CFT in all the accounts that need to be monitored by Entra Permissions Management. These actions create a cross account role that trusts the OIDC role created earlier. The SecurityAudit policy is attached to the role created for data collection. To view status of onboarding after saving the configuration: #### Option 2: Enter authorization systems 1. In the **Permissions Management Onboarding - AWS Member Account Details** page, enter the **Member Account Role** and the **Member Account IDs**. - You can enter up to 10 account IDs. Click the plus icon next to the text box to add more account IDs. + You can enter up to 100 account IDs. Click the plus icon next to the text box to add more account IDs. > [!NOTE] > Perform the next 6 steps for each account ID you add. To view status of onboarding after saving the configuration: This option detects all AWS accounts that are accessible through OIDC role access created earlier. -- Deploy Master account CFT (Cloudformation template) which creates organization account role that grants permission to OIDC role created earlier to list accounts, OUs and SCPs. +- Deploy Management account CFT (Cloudformation template) which creates organization account role that grants permission to OIDC role created earlier to list accounts, OUs and SCPs. - If AWS SSO is enabled, organization account CFT also adds policy needed to collect AWS SSO configuration details. 
- Deploy Member account CFT in all the accounts that need to be monitored by Entra Permissions Management. These actions create a cross account role that trusts the OIDC role created earlier. The SecurityAudit policy is attached to the role created for data collection. - Click Verify and Save. |
active-directory | Onboard Azure | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/onboard-azure.md | To view status of onboarding after saving the configuration: #### Option 2: Enter authorization systems -You have the ability to specify only certain subscriptions to manage and monitor with MEPM (up to 10 per collector). Follow the steps below to configure these subscriptions to be monitored: +You have the ability to specify only certain subscriptions to manage and monitor with MEPM (up to 100 per collector). Follow the steps below to configure these subscriptions to be monitored: 1. For each subscription you wish to manage, ensure that the ΓÇÿReaderΓÇÖ role has been granted to Cloud Infrastructure Entitlement Management application for the subscription. 1. In the EPM portal, click the cog on the top right-hand side. |
active-directory | Onboard Gcp | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/onboard-gcp.md | There are several moving parts across GCP and Azure, which are required to be co > 1. Return to the Permissions Management window, and in the **Permissions Management Onboarding - Azure AD OIDC App Creation**, select **Next**. ### 2. Set up a GCP OIDC project.--Choose from 3 options to manage GCP projects. --#### Option 1: Automatically manage --The automatically manage option allows projects to be automatically detected and monitored without extra configuration. Steps to detect list of projects and onboard for collection: --Firstly, grant Viewer and Security Reviewer role to service account created in previous step at organization, folder or project scope. --Once done, the steps are listed in the screen, which shows how to further configure in the GPC console, or programmatically with the gcloud CLI. --Once everything has been configured, click next, then 'Verify Now & Save'. --Any current or future projects found get onboarded automatically. --To view status of onboarding after saving the configuration: --- Navigate to data collectors tab-- Click on the status of the data collector-- View projects on the In Progress page --#### Option 2: Enter authorization systems - 1. In the **Permissions Management Onboarding - GCP OIDC Account Details & IDP Access** page, enter the **OIDC Project ID** and **OIDC Project Number** of the GCP project in which the OIDC provider and pool will be created. You can change the role name to your requirements. > [!NOTE] To view status of onboarding after saving the configuration: Optionally, specify **G-Suite IDP Secret Name** and **G-Suite IDP User Email** to enable G-Suite integration. 
- You can either download and run the script at this point or you can do it in the Google Cloud Shell, as described [later in this article](onboard-gcp.md#4-run-scripts-in-cloud-shell-optional-if-not-already-executed). + You can either download and run the script at this point or you can do it in the Google Cloud Shell. 1. Select **Next**. -#### Option 3: Select authorization systems --This option detects all projects that are accessible by the Cloud Infrastructure Entitlement Management application. --- Firstly, grant Viewer and Security Reviewer role to service account created in previous step at organization, folder or project scope-- Once done, the steps are listed in the screen to do configure manually in the GPC console, or programmatically with the gcloud CLI-- Click Next-- Click 'Verify Now & Save' -- Navigate to newly create Data Collector row under GCP data collectors-- Click on Status column when the row has ΓÇ£PendingΓÇ¥ status -- To onboard and start collection, choose specific ones from the detected list and consent for collection+Choose from 3 options to manage GCP projects. -### 3. Set up GCP member projects. +#### Option 1: Automatically manage -1. In the **Permissions Management Onboarding - GCP Project Ids** page, enter the **Project IDs**. +The automatically manage option allows projects to be automatically detected and monitored without extra configuration. Steps to detect list of projects and onboard for collection: - You can enter up to 10 GCP project IDs. Select the plus icon next to the text box to insert more project IDs. +1. Firstly, grant **Viewer** and **Security Reviewer** role to service account created in previous step at organization, folder or project scope. -1. You can choose to download and run the script at this point, or you can do it via Google Cloud Shell, as described in the [next step](onboard-gcp.md#4-run-scripts-in-cloud-shell-optional-if-not-already-executed). 
+To enable controller mode 'On' for any projects, add following roles to the specific projects: +- Role Administrators +- Security Admin -### 4. Run scripts in Cloud Shell. (Optional if not already executed) +2. Once done, the steps are listed in the screen, which shows how to further configure in the GPC console, or programmatically with the gCloud CLI. -1. In the **Permissions Management Onboarding - GCP Project Ids** page, select **Launch SSH**. -1. To copy all your scripts into your current directory, in **Open in Cloud Shell**, select **Trust repo**, and then select **Confirm**. +3. Select **Next**. - The Cloud Shell provisions the Cloud Shell machine and makes a connection to your Cloud Shell instance. +#### Option 2: Enter authorization systems +You have the ability to specify only certain GCP member projects to manage and monitor with MEPM (up to 100 per collector). Follow the steps below to configure these GCP member projects to be monitored: +1. In the **Permissions Management Onboarding - GCP Project Ids** page, enter the **Project IDs**. - > [!NOTE] - > Follow the instructions in the browser as they may be different from the ones given here. + You can enter up to comma separated 100 GCP project IDs. - The **Welcome to Permissions Management GCP onboarding** screen appears, displaying steps you must complete to onboard your GCP project. +2. You can choose to download and run the script at this point, or you can do it via Google Cloud Shell. + + To enable controller mode 'On' for any projects, add following roles to the specific projects: + - Role Administrators + - Security Admin -### 5. Paste the environmental variables from the Permissions Management portal. +3. Select **Next**. -1. Return to Permissions Management and select **Copy export variables**. -1. In the GCP Onboarding shell editor, paste the variables you copied, and then press **Enter**. -1. Execute the **gcloud auth login**. -1. 
Follow instructions displayed on the screen to authorize access to your Google account. -1. Execute the **sh mciem-workload-identity-pool.sh** to create the workload identity pool, provider, and service account. -1. Execute the **sh mciem-member-projects.sh** to give Permissions Management permissions to access each of the member projects. +#### Option 3: Select authorization systems - - If you want to manage permissions through Permissions Management, select **Y** to **Enable controller**. +This option detects all projects that are accessible by the Cloud Infrastructure Entitlement Management application. - - If you want to onboard your projects in read-only mode, select **N** to **Disable controller**. +1. Firstly, grant Viewer and Security Reviewer role to service account created in previous step at organization, folder or project scope -1. Optionally, execute **mciem-enable-gcp-api.sh** to enable all recommended GCP APIs. + To enable controller mode 'On' for any projects, add following roles to the specific projects: + - Role Administrators + - Security Admin +2. Once done, the steps are listed in the screen to do configure manually in the GPC console, or programmatically with the gCloud CLI +3. Select **Next**. -1. Return to **Permissions Management Onboarding - GCP Project Ids**, and then select **Next**. -### 6. Review and save. +### 3. Review and save. -1. In the **Permissions Management Onboarding ΓÇô Summary** page, review the information you've added, and then select **Verify Now & Save**. +- In the **Permissions Management Onboarding ΓÇô Summary** page, review the information you've added, and then select **Verify Now & Save**. The following message appears: **Successfully Created Configuration.** This option detects all projects that are accessible by the Cloud Infrastructure You have now completed onboarding GCP, and Permissions Management has started collecting and processing your data. -### 7. View the data. +### 4. View the data. 
- To view the data, select the **Authorization Systems** tab. |
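Review bot: In the Option 1 hunk the added paragraph `+To enable controller mode 'On' for any projects, add following roles to the specific projects:` and its two bullets sit at column zero between steps 1 and 2, while in Options 2 and 3 the same paragraph is indented under the step; indent it in Option 1 too so the numbered list is not split. Because the old step that offered read-only onboarding (`select **N** to **Disable controller**`) is removed in this same patch, each option should also say plainly that Role Administrators and Security Admin are only needed when controller mode is On and can be left off for read-only collection, otherwise readers will grant write-capable roles they don't need. Two wording points in the added lines: `+2. Once done, the steps are listed in the screen, which shows how to further configure in the GPC console, or programmatically with the gCloud CLI.` should read "GCP console" and "gcloud CLI" (the typo is repeated in Option 3), and the abbreviation MEPM in the Option 2 intro is never expanded; use "Permissions Management" as the rest of the article does.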
active-directory | Concept Token Protection | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/concept-token-protection.md | description: Learn how to use token protection in Conditional Access policies. Previously updated : 03/24/2023 Last updated : 06/05/2023 -Token protection creates a cryptographically secure tie between the token and the device (client secret) it's issued to. Without the client secret, the bound token is useless. When a user registers a Windows 10 or newer device in Azure AD, their primary identity is [bound to the device](../devices/concept-primary-refresh-token.md#how-is-the-prt-protected). This connection means that any issued sign-in token is tied to the device significantly reducing the chance of theft and replay attacks. +Token protection creates a cryptographically secure tie between the token and the device (client secret) it's issued to. Without the client secret, the bound token is useless. When a user registers a Windows 10 or newer device in Azure AD, their primary identity is [bound to the device](../devices/concept-primary-refresh-token.md#how-is-the-prt-protected). What this means is that a policy can ensure that only bound sign-in session (or refresh) tokens, otherwise known as Primary Refresh Tokens (PRTs) are used by applications when requesting access to a resource. > [!IMPORTANT] > Token protection is currently in public preview. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). The steps that follow help create a Conditional Access policy to require token p 1. Select **Done**. 1. Under **Client apps**: 1. Set **Configure** to **Yes**.+ > [!WARNING] + > Not configuring the Client Apps condition, or leaving **Browser** selected may cause applications that use MSAL.js, such as Teams Web to be blocked. 1. 
Under Modern authentication clients, only select **Mobile apps and desktop clients**. Leave other items unchecked. 1. Select **Done**. 1. Under **Access controls** > **Session**, select **Require token protection for sign-in sessions** and select **Select**. Use Azure AD sign-in log to verify the outcome of a token protection enforcement You can also use [Log Analytics](../reports-monitoring/tutorial-log-analytics-wizard.md) to query the sign-in logs (interactive and non-interactive) for blocked requests due to token protection enforcement failure. -Here's a sample Log Analytics query searching the non-interactive sign-in logs for the last seven days, highlighting **Blocked** versus **Allowed** requests by **Application**. +Here's a sample Log Analytics query searching the non-interactive sign-in logs for the last seven days, highlighting **Blocked** versus **Allowed** requests by **Application**. These queries are only samples and are subject to change. ```kusto //Per Apps query AADNonInteractiveUserSignInLogs //Add userPrinicpalName if you want to filter // | where UserPrincipalName =="<user_principal_Name>" | mv-expand todynamic(ConditionalAccessPolicies) -| where ConditionalAccessPolicies ["enforcedSessionControls"] contains '["Protection"]' +| where ConditionalAccessPolicies ["enforcedSessionControls"] contains '["Binding"]' | where ConditionalAccessPolicies.result !="reportOnlyNotApplied" and ConditionalAccessPolicies.result !="notApplied" | extend SessionNotSatisfyResult = ConditionalAccessPolicies["sessionControlsNotSatisfied"] -| extend Result = case (SessionNotSatisfyResult contains 'Protection', 'Block','Allow') +| extend Result = case (SessionNotSatisfyResult contains 'Binding', 'Block','Allow') | summarize by Id,UserPrincipalName, AppDisplayName, Result | summarize Requests = count(), Users = dcount(UserPrincipalName), Block = countif(Result == "Block"), Allow = countif(Result == "Allow"), BlockedUsers = dcountif(UserPrincipalName, Result == "Block") 
by AppDisplayName | extend PctAllowed = round(100.0 * Allow/(Allow+Block), 2) AADNonInteractiveUserSignInLogs //Add userPrincipalName if you want to filter // | where UserPrincipalName =="<user_principal_Name>" | mv-expand todynamic(ConditionalAccessPolicies) -| where ConditionalAccessPolicies.enforcedSessionControls contains '["Protection"]' +| where ConditionalAccessPolicies.enforcedSessionControls contains '["Binding"]' | where ConditionalAccessPolicies.result !="reportOnlyNotApplied" and ConditionalAccessPolicies.result !="notApplied" | extend SessionNotSatisfyResult = ConditionalAccessPolicies.sessionControlsNotSatisfied -| extend Result = case (SessionNotSatisfyResult contains 'Protection', 'Block','Allow') +| extend Result = case (SessionNotSatisfyResult contains 'Binding', 'Block','Allow') | summarize by Id, UserPrincipalName, AppDisplayName, ResourceDisplayName,Result | summarize Requests = count(),Block = countif(Result == "Block"), Allow = countif(Result == "Allow") by UserPrincipalName, AppDisplayName,ResourceDisplayName | extend PctAllowed = round(100.0 * Allow/(Allow+Block), 2) |
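Review bot: The filter `| where ConditionalAccessPolicies.enforcedSessionControls contains '["Binding"]'` (and the bracketed form in the first query) only matches when Binding is the sole enforced session control: `contains` is a substring match on the serialized array, so a policy that also enforces another session control such as sign-in frequency serializes with a comma between elements and never matches, and those blocked requests drop out of the counts. Use `has "Binding"` or `set_has_element(ConditionalAccessPolicies.enforcedSessionControls, "Binding")` instead; the later `SessionNotSatisfyResult contains 'Binding'` check is fine as a plain substring test. Since the Protection to Binding rename touches these lines anyway, also fix the comment `//Add userPrinicpalName if you want to filter` in the first query, which misspells UserPrincipalName.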
active-directory | Controls | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/controls.md | Custom controls are a preview capability of the Azure Active Directory. When usi ## Creating custom controls > [!IMPORTANT]-> Custom controls cannot be used with Identity Protection's automation requiring Azure AD Multifactor Authentication, Azure AD self-service password reset (SSPR), satisfying multifactor authentication claim requirements, to elevate roles in Privileged Identity Manager (PIM), as part of Intune device enrollment, or when joining devices to Azure AD. +> Custom controls can't be used with Identity Protection's automation requiring Azure AD Multifactor Authentication, Azure AD self-service password reset (SSPR), satisfying multifactor authentication claim requirements, to elevate roles in Privileged Identity Manager (PIM), as part of Intune device enrollment, for cross-tenant trusts, or when joining devices to Azure AD. -Custom Controls works with a limited set of approved authentication providers. To create a custom control, you should first contact the provider that you wish to utilize. Each non-Microsoft provider has its own process and requirements to sign up, subscribe, or otherwise become a part of the service, and to indicate that you wish to integrate with Conditional Access. At that point, the provider will provide you with a block of data in JSON format. This data allows the provider and Conditional Access to work together for your tenant, creates the new control and defines how Conditional Access can tell if your users have successfully performed verification with the provider. +Custom Controls works with a limited set of approved authentication providers. To create a custom control, you should first contact the provider that you wish to utilize. 
Each non-Microsoft provider has its own process and requirements to sign up, subscribe, or otherwise become a part of the service, and to indicate that you wish to integrate with Conditional Access. At that point, the provider gives you a block of data in JSON format. This data allows the provider and Conditional Access to work together for your tenant, creates the new control and defines how Conditional Access can tell if your users have successfully performed verification with the provider. Copy the JSON data and then paste it into the related textbox. Don't make any changes to the JSON unless you explicitly understand the change you're making. Making any change could break the connection between the provider and Microsoft and potentially lock you and your users out of your accounts. To edit a custom control, you must delete the current control and create a new c ## Known limitations -Custom controls can't be used with Identity Protection's automation requiring Azure AD Multifactor Authentication, Azure AD self-service password reset (SSPR), satisfying multifactor authentication claim requirements, to elevate roles in Privileged Identity Manager (PIM), as part of Intune device enrollment, or when joining devices to Azure AD. +Custom controls can't be used with Identity Protection's automation requiring Azure AD Multifactor Authentication, Azure AD self-service password reset (SSPR), satisfying multifactor authentication claim requirements, to elevate roles in Privileged Identity Manager (PIM), as part of Intune device enrollment, for cross-tenant trusts, or when joining devices to Azure AD. ## Next steps |
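Review bot: The cross-tenant trusts addition now appears verbatim twice, in the IMPORTANT callout under "Creating custom controls" and again under "Known limitations"; keep the full list in Known limitations and have the callout point to that section so the two lists can't drift apart the next time a case is added. In the same hunk `+Custom Controls works with a limited set of approved authentication providers.` should read "Custom controls work with", matching the lowercase and plural agreement of "Custom controls can't be used" on the line above it.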
active-directory | Reference Breaking Changes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/reference-breaking-changes.md | Check this article regularly to learn about: > [!TIP] > To be notified of updates to this page, add this URL to your RSS feed reader:<br/>`https://learn.microsoft.com/api/search/rss?search=%22Azure+Active+Directory+breaking+changes+reference%22&locale=en-us` +## June 2023 ++### Omission of email claims with an unverified domain owner ++**Effective date**: June 2023 ++**Endpoints impacted**: v2.0 and v1.0 ++**Change** ++For **multi-tenant applications**, emails that aren't domain-owner verified are omitted by default when the optional `email` claim is requested in a token payload. ++An email is considered to be domain-owner verified if: ++1. The domain belongs to the tenant where the user account resides, and the tenant admin has done verification of the domain. +1. The email is from a Microsoft Account (MSA). +1. The email is from a Google account. +1. The email was used for authentication using the one-time passcode (OTP) flow. ++It should also be noted that Facebook and SAML/WS-Fed accounts do not have verified domains. + ## May 2023 ### The Power BI administrator role will be renamed to Fabric Administrator. |
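Review bot: The new June 2023 entry says unverified emails "are omitted by default" but never says what the non-default case is, that is whether a multi-tenant app can still receive an unverified `email` claim and how, nor what apps that keyed users on that claim should do when it disappears from the token; the Change section is what developers act on, so add both. Two smaller points: `+1. The domain belongs to the tenant where the user account resides, and the tenant admin has done verification of the domain.` reads better as "and the tenant admin has verified the domain", and `+It should also be noted that Facebook and SAML/WS-Fed accounts do not have verified domains.` should drop "It should also be noted that" and use "don't", matching the contractions and direct style used elsewhere in the entry ("aren't domain-owner verified").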
active-directory | Refresh Tokens | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/refresh-tokens.md | Title: Microsoft identity platform refresh tokens -description: Learn about refresh tokens emitted by the Azure AD. + Title: Refresh tokens in the Microsoft identity platform +description: Learn about refresh tokens that are used in the Microsoft identity platform. -+ - Previously updated : 05/23/2023--- Last updated : 06/02/2023+++ -# Microsoft identity platform refresh tokens --When a client acquires an access token to access a protected resource, the client also receives a refresh token. The refresh token is used to obtain new access/refresh token pairs when the current access token expires. Refresh tokens are also used to acquire extra access tokens for other resources. Refresh tokens are bound to a combination of user and client, but aren't tied to a resource or tenant. As such, a client can use a refresh token to acquire access tokens across any combination of resource and tenant where it has permission to do so. Refresh tokens are encrypted and only the Microsoft identity platform can read them. --## Prerequisites +# Refresh tokens in the Microsoft identity platform -Before reading through this article, it's recommended that you go through the following articles: +When a client acquires an access token to access a protected resource, the client also receives a refresh token. The refresh token is used to obtain new access and refresh token pairs when the current access token expires. -- [ID tokens](id-tokens.md) in the Microsoft identity platform.-- [Access tokens](access-tokens.md) in the Microsoft identity platform.+Refresh tokens are also used to acquire extra access tokens for other resources. Refresh tokens are bound to a combination of user and client, but aren't tied to a resource or tenant. 
A client can use a refresh token to acquire access tokens across any combination of resource and tenant where it has permission to do so. Refresh tokens are encrypted and only the Microsoft identity platform can read them. -## Refresh token lifetime +## Token lifetime -Refresh tokens have a longer lifetime than access tokens. The default lifetime for the refresh tokens is 24 hours for [single page apps](reference-third-party-cookies-spas.md) and 90 days for all other scenarios. Refresh tokens replace themselves with a fresh token upon every use. The Microsoft identity platform doesn't revoke old refresh tokens when used to fetch new access tokens. Securely delete the old refresh token after acquiring a new one. Refresh tokens need to be stored safely like access tokens or application credentials. +Refresh tokens have a longer lifetime than access tokens. The default lifetime for the refresh tokens is 24 hours for single page apps and 90 days for all other scenarios. Refresh tokens replace themselves with a fresh token upon every use. The Microsoft identity platform doesn't revoke old refresh tokens when used to fetch new access tokens. Securely delete the old refresh token after acquiring a new one. Refresh tokens need to be stored safely like access tokens or application credentials. > [!IMPORTANT]-> Refresh tokens sent to a redirect URI registered as `spa` expire after 24 hours. Additional refresh tokens acquired using the initial refresh token carry over that expiration time, so apps must be prepared to rerun the authorization code flow using an interactive authentication to get a new refresh token every 24 hours. Users don't have to enter their credentials and usually don't even see any related user experience, just a reload of your application. The browser must visit the log-in page in a top-level frame to show the login session. This is due to [privacy features in browsers that block third party cookies](reference-third-party-cookies-spas.md). 
+> Refresh tokens sent to a redirect URI registered as `spa` expire after 24 hours. Additional refresh tokens acquired using the initial refresh token carry over that expiration time, so apps must be prepared to rerun the authorization code flow using an interactive authentication to get a new refresh token every 24 hours. Users don't have to enter their credentials and usually don't even see any related user experience, just a reload of your application. The browser must visit the sign-in page in a top-level frame to show the login session. This is due to [privacy features in browsers that block third party cookies](reference-third-party-cookies-spas.md). -## Refresh token expiration +## Token expiration -Refresh tokens can be revoked at any time, because of timeouts and revocations. Your app must handle rejections by the sign-in service gracefully when this occurs. This is done by sending the user to an interactive sign-in prompt to sign in again. +Refresh tokens can be revoked at any time, because of timeouts and revocations. Your app must handle revocations by the sign-in service gracefully by sending the user to an interactive sign-in prompt to sign in again. ### Token timeouts -You can't configure the lifetime of a refresh token. You can't reduce or lengthen their lifetime. Configure sign-in frequency in Conditional Access to define the time periods before a user is required to sign in again. Learn more about [Configuring authentication session management with Conditional Access](../conditional-access/howto-conditional-access-session-lifetime.md). +You can't configure the lifetime of a refresh token. You can't reduce or lengthen their lifetime. Configure sign-in frequency in Conditional Access to define the time periods before a user is required to sign in again. For more information, see [Configuring authentication session management with Conditional Access](../conditional-access/howto-conditional-access-session-lifetime.md). 
++Not all refresh tokens follow the rules set in the token lifetime policy. Specifically, refresh tokens used in single page apps are always fixed to 24 hours of activity, as if they have a `MaxAgeSessionSingleFactor` policy of 24 hours applied to them. ++### Token revocation ++The server can revoke refresh tokens because of a change in credentials, user action, or admin action. Refresh tokens fall into two classes: tokens issued to confidential clients (the rightmost column) and tokens issued to public clients (all other columns). -Not all refresh tokens follow the rules set in the token lifetime policy. Specifically, refresh tokens used in [single page apps](reference-third-party-cookies-spas.md) are always fixed to 24 hours of activity, as if they have a `MaxAgeSessionSingleFactor` policy of 24 hours applied to them. +| Change | Password-based cookie | Password-based token | Non-password-based cookie | Non-password-based token | Confidential client token | +| | | -- | - | | - | +| Password expires | Stays alive | Stays alive | Stays alive | Stays alive | Stays alive | +| Password changed by user | Revoked | Revoked | Stays alive | Stays alive | Stays alive | +| User does SSPR | Revoked | Revoked | Stays alive | Stays alive | Stays alive | +| Admin resets password | Revoked | Revoked | Stays alive | Stays alive | Stays alive | +| User revokes their refresh tokens | Revoked | Revoked | Revoked | Revoked | Revoked | +| Admin revokes all refresh tokens for a user | Revoked | Revoked | Revoked | Revoked | Revoked | +| Single sign-out | Revoked | Stays alive | Revoked | Stays alive | Stays alive | -### Revocation +## See also -Refresh tokens can be revoked by the server because of a change in credentials, user action, or admin action. Refresh tokens fall into two classes: tokens issued to confidential clients (the rightmost column) and tokens issued to public clients (all other columns). 
-| Change | Password-based cookie | Password-based token | Non-password-based cookie | Non-password-based token | Confidential client token | -| -- | | -- | - | | - | -| Password expires | Stays alive | Stays alive | Stays alive | Stays alive | Stays alive | -| Password changed by user | Revoked | Revoked | Stays alive | Stays alive | Stays alive | -| User does SSPR | Revoked | Revoked | Stays alive | Stays alive | Stays alive | -| Admin resets password | Revoked | Revoked | Stays alive | Stays alive | Stays alive | -| User revokes their refresh tokens [via PowerShell](/powershell/module/microsoft.graph.users.actions/invoke-mginvalidateuserrefreshtoken) | Revoked | Revoked | Revoked | Revoked | Revoked | -| Admin revokes all refresh tokens for a user [via PowerShell](/powershell/module/microsoft.graph.users.actions/invoke-mginvalidateuserrefreshtoken) | Revoked | Revoked | Revoked | Revoked | Revoked | -| Single sign-out [on web](v2-protocols-oidc.md#single-sign-out) | Revoked | Stays alive | Revoked | Stays alive | Stays alive | +- [Access tokens in the Microsoft identity platform](access-tokens.md) +- [ID tokens in the Microsoft identity platform](id-tokens.md) +- [Invalidate refresh token](/powershell/module/microsoft.graph.users.actions/invoke-mginvalidateuserrefreshtoken) +- [Single sign-out](v2-protocols-oidc.md#single-sign-out) ## Next steps - Learn about [configurable token lifetimes](configurable-token-lifetimes.md)-- Check out [Primary Refresh Tokens](../devices/concept-primary-refresh-token.md) for more details on primary refresh tokens. |
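Review bot: The rewritten line `+Refresh tokens can be revoked at any time, because of timeouts and revocations.` under "Token expiration" still says tokens are revoked because of revocations; say that a refresh token can stop working at any time, either because it times out or because it's revoked, which is exactly what the two subsections that follow ("Token timeouts" and "Token revocation") cover. In the "Token lifetime" hunk the link `[single page apps](reference-third-party-cookies-spas.md)` became plain text both in the lifetime paragraph and in the later "Not all refresh tokens follow the rules" paragraph, while the IMPORTANT note still links the same article; keep at least the first mention linked. Moving the "[via PowerShell]" and "[on web]" links out of the table into See also is fine, but the "Single sign-out" row should keep the "on web" qualifier the old table had, since the See also entry is what now carries that distinction and the table no longer says which sign-out is meant.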
active-directory | Howto Vm Sign In Azure Ad Linux | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/howto-vm-sign-in-azure-ad-linux.md | There are two ways to configure role assignments for a VM: - Azure Cloud Shell experience > [!NOTE]-> The Virtual Machine Administrator Login and Virtual Machine User Login roles use `dataActions` and can be assigned at the management group, subscription, resource group, or resource scope. We recommend that you assign the roles at the management group, subscription, or resource level and not at the individual VM level. This practice avoids the risk of reaching the [Azure role assignments limit](../../role-based-access-control/troubleshooting.md#limits) per subscription. +> The Virtual Machine Administrator Login and Virtual Machine User Login roles use `dataActions` and can be assigned at the management group, subscription, resource group, or resource scope. We recommend that you assign the roles at the management group, subscription, or resource level and not at the individual VM level. This practice avoids the risk of reaching the [Azure role assignments limit](../../role-based-access-control/troubleshoot-limits.md) per subscription. ### Azure AD portal If you get a message that says the token couldn't be retrieved from the local ca ### Access denied: Azure role not assigned -If you see an "Azure role not assigned" error on your SSH prompt, verify that you've configured Azure RBAC policies for the VM that grants the user either the Virtual Machine Administrator Login role or the Virtual Machine User Login role. If you're having problems with Azure role assignments, see the article [Troubleshoot Azure RBAC](../../role-based-access-control/troubleshooting.md#limits). 
+If you see an "Azure role not assigned" error on your SSH prompt, verify that you've configured Azure RBAC policies for the VM that grants the user either the Virtual Machine Administrator Login role or the Virtual Machine User Login role. If you're having problems with Azure role assignments, see the article [Troubleshoot Azure RBAC](../../role-based-access-control/troubleshooting.md). ### Problems deleting the old (AADLoginForLinux) extension |
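Review bot: The NOTE in the first hunk lists four assignable scopes ("management group, subscription, resource group, or resource scope") and then recommends "the management group, subscription, or resource level and not at the individual VM level"; the VM is the resource, so the recommendation contradicts itself and almost certainly means "resource group level". Retargeting that link to `troubleshoot-limits.md` is right, but the recommendation should also state that the Virtual Machine Administrator Login and Virtual Machine User Login roles then apply to every VM under that scope, so readers pick the narrowest scope that still stays under the assignment limit rather than defaulting to the subscription. Separately, `+If you see an "Azure role not assigned" error on your SSH prompt, verify that you've configured Azure RBAC policies for the VM that grants the user` should read "that grant the user" (the subject is "policies").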
active-directory | Howto Vm Sign In Azure Ad Windows | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/howto-vm-sign-in-azure-ad-windows.md | You're now logged in to the Windows Server 2019 Azure virtual machine with the r ## Enforce Conditional Access policies -You can enforce Conditional Access policies, such as "phishing resistant MFA" using require authentication strength (preview) grant contorl or multifactor authentication or user sign-in risk check, before you authorize access to Windows VMs in Azure that are enabled with Azure AD login. To apply a Conditional Access policy, you must select the **Azure Windows VM Sign-In** app from the cloud apps or actions assignment option. Then use sign-in risk as a condition and/or "phishing resistant MFA" using require authentication strength (preview) grant contorl or require MFA as a control for granting access. +You can enforce Conditional Access policies, such as "phishing resistant MFA" using require authentication strength (preview) grant control or multifactor authentication or user sign-in risk check, before you authorize access to Windows VMs in Azure that are enabled with Azure AD login. To apply a Conditional Access policy, you must select the **Azure Windows VM Sign-In** app from the cloud apps or actions assignment option. Then use sign-in risk as a condition and/or "phishing resistant MFA" using require authentication strength (preview) grant control or require MFA as a control for granting access. > [!NOTE] > If you require MFA as a control for granting access to the Azure Windows VM Sign-In app, then you must supply an MFA claim as part of the client that initiates the RDP session to the target Windows VM in Azure. 
This can be achieved using passwordless authentication method for RDP that satisfies the conditional access polices, however if you are using limited passwordless method for RDP then the only way to achieve this on a Windows 10 or later client is to use a Windows Hello for Business PIN or biometric authentication with the RDP client. Support for biometric authentication was added to the RDP client in Windows 10 version 1809. Remote desktop using Windows Hello for Business authentication is available only for deployments that use a certificate trust model. It's currently not available for a key trust model. You might get the following error message when you initiate a remote desktop con Verify that you've [configured Azure RBAC policies](#configure-role-assignments-for-the-vm) for the VM that grant the user the Virtual Machine Administrator Login or Virtual Machine User Login role. > [!NOTE]-> If you're having problems with Azure role assignments, see [Troubleshoot Azure RBAC](../../role-based-access-control/troubleshooting.md#limits). +> If you're having problems with Azure role assignments, see [Troubleshoot Azure RBAC](../../role-based-access-control/troubleshooting.md). ### Unauthorized client or password change required |
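Review bot: The NOTE under "Enforce Conditional Access policies" still has "satisfies the conditional access polices" (should be "policies") and "using passwordless authentication method for RDP" (should be "using a passwordless authentication method"); since this hunk already fixes "contorl" twice on the line above, fix these in the same commit. That NOTE is also one long run-on; split it after "Conditional Access policies" so the Windows Hello for Business PIN or biometric requirement for Windows 10 or later clients stands as its own sentence. The `troubleshooting.md` link retarget in the later NOTE matches the change made to the Linux article.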
active-directory | Licensing Service Plan Reference | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/licensing-service-plan-reference.md | When managing licenses in [the Azure portal](https://portal.azure.com/#blade/Mic - **Service plans included (friendly names)**: A list of service plans (friendly names) in the product that correspond to the string ID and GUID >[!NOTE]->This information last updated on June 1st, 2023.<br/>You can also download a CSV version of this table [here](https://download.microsoft.com/download/e/3/e/e3e9faf2-f28b-490a-9ada-c6089a1fc5b0/Product%20names%20and%20service%20plan%20identifiers%20for%20licensing.csv). +>This information last updated on June 5th, 2023.<br/>You can also download a CSV version of this table [here](https://download.microsoft.com/download/e/3/e/e3e9faf2-f28b-490a-9ada-c6089a1fc5b0/Product%20names%20and%20service%20plan%20identifiers%20for%20licensing.csv). ><br/> | Product name | String ID | GUID | Service plans included | Service plans included (friendly names) | When managing licenses in [the Azure portal](https://portal.azure.com/#blade/Mic | Microsoft Teams Phone Resource Account for GCC | PHONESYSTEM_VIRTUALUSER_GOV | 2cf22bcb-0c9e-4bc6-8daf-7e7654c0f285 | MCOEV_VIRTUALUSER_GOV (0628a73f-3b4a-4989-bd7b-0f8823144313) | Microsoft 365 Phone Standard Resource Account for Government (0628a73f-3b4a-4989-bd7b-0f8823144313) | | Microsoft Teams Premium Introductory Pricing | Microsoft_Teams_Premium | 36a0f3b3-adb5-49ea-bf66-762134cf063a | MICROSOFT_ECDN (85704d55-2e73-47ee-93b4-4b8ea14db92b)<br/>TEAMSPRO_MGMT (0504111f-feb8-4a3c-992a-70280f9a2869)<br/>TEAMSPRO_CUST (cc8c0802-a325-43df-8cba-995d0c6cb373)<br/>TEAMSPRO_PROTECTION (f8b44f54-18bb-46a3-9658-44ab58712968)<br/>TEAMSPRO_VIRTUALAPPT (9104f592-f2a7-4f77-904c-ca5a5715883f)<br/>MCO_VIRTUAL_APPT (711413d0-b36e-4cd4-93db-0a50a4ab7ea3)<br/>TEAMSPRO_WEBINAR (78b58230-ec7e-4309-913c-93a45cc4735b) | Microsoft eCDN 
(85704d55-2e73-47ee-93b4-4b8ea14db92b)<br/>Microsoft Teams Premium Intelligent (0504111f-feb8-4a3c-992a-70280f9a2869)<br/>Microsoft Teams Premium Personalized (cc8c0802-a325-43df-8cba-995d0c6cb373)<br/>Microsoft Teams Premium Secure (f8b44f54-18bb-46a3-9658-44ab58712968)<br/>Microsoft Teams Premium Virtual Appointment (9104f592-f2a7-4f77-904c-ca5a5715883f)<br/>Microsoft Teams Premium Virtual Appointments (711413d0-b36e-4cd4-93db-0a50a4ab7ea3)<br/>Microsoft Teams Premium Webinar (78b58230-ec7e-4309-913c-93a45cc4735b) | | Microsoft Teams Rooms Basic | Microsoft_Teams_Rooms_Basic | 6af4b3d6-14bb-4a2a-960c-6c902aad34f3 | MCOMEETADV (3e26ee1f-8a5f-4d52-aee2-b81ce45c8f40)<br/>TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>WHITEBOARD_PLAN3 (4a51bca5-1eff-43f5-878c-177680f191af) | Microsoft 365 Audio Conferencing (3e26ee1f-8a5f-4d52-aee2-b81ce45c8f40)<br/>Microsoft Teams (57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>Whiteboard (Plan 3) (4a51bca5-1eff-43f5-878c-177680f191af) |+| Microsoft Teams Rooms Basic for EDU | Microsoft_Teams_Rooms_Basic_FAC | a4e376bd-c61e-4618-9901-3fc0cb1b88bb | MCOMEETADV (3e26ee1f-8a5f-4d52-aee2-b81ce45c8f40)<br/>TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>Teams_Room_Basic (8081ca9c-188c-4b49-a8e5-c23b5e9463a8)<br/>Teams_Room_Pro (ec17f317-f4bc-451e-b2da-0167e5c260f9)<br/>WHITEBOARD_PLAN3 (4a51bca5-1eff-43f5-878c-177680f191af) | Microsoft 365 Audio Conferencing (3e26ee1f-8a5f-4d52-aee2-b81ce45c8f40)<br/>Microsoft Teams (57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>Teams Room Basic (8081ca9c-188c-4b49-a8e5-c23b5e9463a8)<br/>Teams Room Pro (ec17f317-f4bc-451e-b2da-0167e5c260f9)<br/>Whiteboard (Plan 3) (4a51bca5-1eff-43f5-878c-177680f191af) | | Microsoft Teams Rooms Basic without Audio Conferencing | Microsoft_Teams_Rooms_Basic_without_Audio_Conferencing | 50509a35-f0bd-4c5e-89ac-22f0e16a00f8 | TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>WHITEBOARD_PLAN3 (4a51bca5-1eff-43f5-878c-177680f191af) | Microsoft Teams 
(57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>Whiteboard (Plan 3) (4a51bca5-1eff-43f5-878c-177680f191af) | | Microsoft Teams Rooms Pro | Microsoft_Teams_Rooms_Pro | 4cde982a-ede4-4409-9ae6-b003453c8ea6 | AAD_PREMIUM (41781fb2-bc02-4b7c-bd55-b576c07bb09d)<br/>MCOMEETADV (3e26ee1f-8a5f-4d52-aee2-b81ce45c8f40)<br/>MCOEV (4828c8ec-dc2e-4779-b502-87ac9ce28ab7)<br/>INTUNE_A (c1ec4a95-1f05-45b3-a911-aa3fa01094f5)<br/>TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>MCOSTANDARD (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)<br/>WHITEBOARD_PLAN3 (4a51bca5-1eff-43f5-878c-177680f191af) | Azure Active Directory Premium P1 (41781fb2-bc02-4b7c-bd55-b576c07bb09d)<br/>Microsoft 365 Audio Conferencing (3e26ee1f-8a5f-4d52-aee2-b81ce45c8f40)<br/>Microsoft 365 Phone System (4828c8ec-dc2e-4779-b502-87ac9ce28ab7)<br/>Microsoft Intune (c1ec4a95-1f05-45b3-a911-aa3fa01094f5)<br/>Microsoft Teams (57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>Skype for Business Online (Plan 2) (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)<br/>Whiteboard (Plan 3) (4a51bca5-1eff-43f5-878c-177680f191af) | | Microsoft Teams Rooms Pro without Audio Conferencing | Microsoft_Teams_Rooms_Pro_without_Audio_Conferencing | 21943e3a-2429-4f83-84c1-02735cd49e78 | AAD_PREMIUM (41781fb2-bc02-4b7c-bd55-b576c07bb09d)<br/>MCOEV (4828c8ec-dc2e-4779-b502-87ac9ce28ab7)<br/>INTUNE_A (c1ec4a95-1f05-45b3-a911-aa3fa01094f5)<br/>TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>MCOSTANDARD (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)<br/>WHITEBOARD_PLAN3 (4a51bca5-1eff-43f5-878c-177680f191af) | Azure Active Directory Premium P1 (41781fb2-bc02-4b7c-bd55-b576c07bb09d)<br/>Microsoft 365 Phone System (4828c8ec-dc2e-4779-b502-87ac9ce28ab7)<br/>Microsoft Intune (c1ec4a95-1f05-45b3-a911-aa3fa01094f5)<br/>Microsoft Teams (57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>Skype for Business Online (Plan 2) (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)<br/>Whiteboard (Plan 3) (4a51bca5-1eff-43f5-878c-177680f191af) | When managing licenses in [the Azure 
portal](https://portal.azure.com/#blade/Mic | Power BI Premium P1 | PBI_PREMIUM_P1_ADDON | 7b26f5ab-a763-4c00-a1ac-f6c4b5506945 | EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>PBI_PREMIUM_P1_ADDON (9da49a6d-707a-48a1-b44a-53dcde5267f8) | Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>Power BI Premium P1 (9da49a6d-707a-48a1-b44a-53dcde5267f8 | | Power BI Premium Per User | PBI_PREMIUM_PER_USER | c1d032e0-5619-4761-9b5c-75b6831e1711 | EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>BI_AZURE_P3 (0bf3c642-7bb5-4ccc-884e-59d09df0266c)<br/>BI_AZURE_P2 (70d33638-9c74-4d01-bfd3-562de28bd4ba) | Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>Power BI Premium Per User (0bf3c642-7bb5-4ccc-884e-59d09df0266c)<br/>Power BI Pro (70d33638-9c74-4d01-bfd3-562de28bd4ba) | | Power BI Premium Per User Add-On | PBI_PREMIUM_PER_USER_ADDON | de376a03-6e5b-42ec-855f-093fb50b8ca5 | BI_AZURE_P3 (0bf3c642-7bb5-4ccc-884e-59d09df0266c) | Power BI Premium Per User (0bf3c642-7bb5-4ccc-884e-59d09df0266c) |+| Power BI Premium Per User for Faculty | PBI_PREMIUM_PER_USER_FACULTY | 060d8061-f606-4e69-a4e7-e8fff75ea1f5 | EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>BI_AZURE_P3 (0bf3c642-7bb5-4ccc-884e-59d09df0266c)<br/>BI_AZURE_P2 (70d33638-9c74-4d01-bfd3-562de28bd4ba) | Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>Power BI Premium Per User (0bf3c642-7bb5-4ccc-884e-59d09df0266c)<br/>Power BI Pro (70d33638-9c74-4d01-bfd3-562de28bd4ba) | | Power BI Premium Per User Dept | PBI_PREMIUM_PER_USER_DEPT | f168a3fb-7bcf-4a27-98c3-c235ea4b78b4 | EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>BI_AZURE_P3 (0bf3c642-7bb5-4ccc-884e-59d09df0266c)<br/>BI_AZURE_P2 (70d33638-9c74-4d01-bfd3-562de28bd4ba) | Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>Power BI Premium Per User (0bf3c642-7bb5-4ccc-884e-59d09df0266c)<br/>Power BI Pro (70d33638-9c74-4d01-bfd3-562de28bd4ba) | | Power BI 
Pro | POWER_BI_PRO | f8a1db68-be16-40ed-86d5-cb42ce701560 | EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>BI_AZURE_P2 (70d33638-9c74-4d01-bfd3-562de28bd4ba) | Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>Power BI Pro (70d33638-9c74-4d01-bfd3-562de28bd4ba) | | Power BI Pro CE | POWER_BI_PRO_CE | 420af87e-8177-4146-a780-3786adaffbca | EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>BI_AZURE_P2 (70d33638-9c74-4d01-bfd3-562de28bd4ba) | Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>Power BI Pro (70d33638-9c74-4d01-bfd3-562de28bd4ba) | |
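Review bot: the new "Microsoft Teams Rooms Basic for EDU" row (Microsoft_Teams_Rooms_Basic_FAC) lists both Teams_Room_Basic (8081ca9c-188c-4b49-a8e5-c23b5e9463a8) and Teams_Room_Pro (ec17f317-f4bc-451e-b2da-0167e5c260f9) as included service plans for a product whose name says Basic; please confirm against the linked CSV that both plans really belong to this SKU, because admins use this table to check what a license actually entitles a user to. While this table is being touched, the unchanged Power BI Premium P1 row is missing the closing parenthesis after `9da49a6d-707a-48a1-b44a-53dcde5267f8` in its friendly-names column.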
active-directory | Authentication Conditional Access | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/authentication-conditional-access.md | The following diagram illustrates the flow when email one-time passcode authenti ## Conditional Access for external users -Organizations can enforce Conditional Access policies for external B2B collaboration and B2B direct connect users in the same way that theyΓÇÖre enabled for full-time employees and members of the organization. With the introduction of cross-tenant access settings, you can also trust MFA and device claims from external Azure AD organizations. This section describes important considerations for applying Conditional Access to users outside of your organization. +Organizations can enforce Conditional Access policies for external B2B collaboration and B2B direct connect users in the same way that theyΓÇÖre enabled for full-time employees and members of the organization. With the introduction of cross-tenant access settings, you can also trust MFA and device claims from external Azure AD organizations. This section describes important considerations for applying Conditional Access to users outside of your organization. ++> [!NOTE] +> Custom Controls with Conditional Access are not support for cross-tenant trusts. ### Assigning Conditional Access policies to external user types |
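Review bot: typo in the added note, "are not support for cross-tenant trusts" should read "aren't supported for cross-tenant trusts". Since the paragraph just above says admins can now trust MFA and device claims from external Azure AD organizations, consider adding one sentence on the practical effect, so a reader who enforces MFA through a Custom Control knows whether that policy is satisfied for trusted external users or whether it falls back to requiring the control in the resource tenant.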
active-directory | Backup Authentication System Apps | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/backup-authentication-system-apps.md | + + Title: Application requirements for the backup authentication system +description: How to configure your application to allow for backup authentication system support. +++++ Last updated : 06/02/2023+++++++++# Application requirements for the backup authentication system ++The Azure AD backup authentication system provides resilience to applications that use supported protocols and flows. For more information about the backup authentication system, see the article [Azure AD's backup authentication system](backup-authentication-system.md). ++## Application requirements for protection ++Applications must communicate with a supported hostname for the given Azure environment and use protocols currently supported by the backup authentication system. Use of authentication libraries, such as the [Microsoft Authentication Library (MSAL)](../develop/msal-overview.md), ensures that you're using authentication protocols supported by the backup authentication system. ++### Hostnames supported by the backup authentication system + +| Azure environment | Supported hostname | +| | | +| Azure Commercial | login.microsoftonline.com | +| Azure Government | login.microsoftonline.us | ++### Authentication protocols supported by the backup authentication system ++#### OAuth 2.0 and OpenID Connect (OIDC) ++##### Common guidance ++All applications using the OAuth 2.0 and/or OIDC protocols should adhere to the following practices to ensure resilience: ++- Your application uses MSAL or strictly adheres to the OpenID Connect & OAuth2 specifications. Microsoft recommends using MSAL libraries appropriate to your platform and use case. Using these libraries ensures the use of APIs and call patterns are supportable by the backup authentication system. 
+- Your application uses a fixed set of scopes instead of [dynamic consent](../develop/scopes-oidc.md) when acquiring access tokens. +- Your application doesn't use the [Resource Owner Password Credentials Grant](../develop/v2-oauth-ropc.md). **This grant type won't be supported** by the backup authentication system for any client type. Microsoft strongly recommends switching to alternative grant flows for better security and resilience. +- Your application doesn't rely upon the [UserInfo endpoint](../develop/userinfo.md). Switching to using an ID token instead reduces latency by eliminating up to two network requests, and use existing support for ID token resilience within the backup authentication system. ++##### Native applications ++Native applications are public client applications that run directly on desktop or mobile devices and not in a web browser. They're registered as public clients in their application registration on the Microsoft Entra or Azure portal. ++Native applications are protected by the backup authentication system when all the following are true: ++1. Your application persists the token cache for at least three days. Applications should use the deviceΓÇÖs token cache location or the [token cache serialization API](../develop/msal-net-token-cache-serialization.md) to persist the token cache even when the user closes the application. +1. Your application makes use of the MSAL [AcquireTokenSilent API](../develop/msal-net-acquire-token-silently.md) to retrieve tokens using cached Refresh Tokens. The use of the [AcquireTokenInteractive API](../develop/scenario-desktop-acquire-token-interactive.md) may fail to acquire a token from the backup authentication system if user interaction is required. ++The backup authentication system doesn't currently support the [device authorization grant](../develop/v2-oauth2-device-code.md). 
++##### Single-page web applications ++Single-page web applications (SPAs) have limited support in the backup authentication system. SPAs that use the [implicit grant flow](../develop/v2-oauth2-implicit-grant-flow.md) and request only OpenID Connect ID tokens are protected. Only apps that either use MSAL.js 1.x or implement the implicit grant flow directly can use this protection, as MSAL.js 2.x doesn't support the implicit flow. ++The backup authentication system doesn't currently support the [authorization code flow with Proof Key for Code Exchange](../develop/v2-oauth2-auth-code-flow.md). ++##### Web applications & services ++The backup authentication system doesn't currently support web applications and services that are configured as confidential clients. Protection for the [authorization code grant flow](../develop/v2-oauth2-auth-code-flow.md) and subsequent token acquisition using refresh tokens and client secrets or [certificate credentials](../develop/active-directory-certificate-credentials.md) isn't currently supported. The OAuth 2.0 [on-behalf-of flow](../develop/v2-oauth2-on-behalf-of-flow.md) isn't currently supported. ++#### SAML 2.0 single sign-on (SSO) ++The backup authentication system partially supports the SAML 2.0 SSO protocol. Flows that use the SAML 2.0 Identity Provider (IdP) Initiated flow are protected by the backup authentication system. Applications that use the [Service Provider (SP) Initiated flow](../develop/single-sign-on-saml-protocol.md), aren't currently protected by the backup authentication system. ++### Workload identity authentication protocols supported by the backup authentication system ++#### OAuth 2.0 ++##### Managed identity ++Applications that use Managed Identities to acquire Azure Active Directory access tokens are protected. 
Microsoft recommends the use of user-assigned managed identities in most scenarios, however this protection applies to both [user and system-assigned managed identities](../managed-identities-azure-resources/overview.md). ++##### Service principal ++The backup authentication system doesn't currently support service principal-based Workload identity authentication using the [client credentials grant flow](../develop/v2-oauth2-client-creds-grant-flow.md). Microsoft recommends using the version of MSAL appropriate to your platform so your application is protected by the backup authentication system when the protection becomes available. ++## Next steps ++- [Azure AD's backup authentication system](backup-authentication-system.md) +- [Microsoft Authentication Library (MSAL)](../develop/msal-overview.md) +- [Introduction to the backup authentication system](https://azure.microsoft.com/blog/advancing-service-resilience-in-azure-active-directory-with-its-backup-authentication-service/) +- [Resilience Defaults for Conditional Access](../conditional-access/resilience-defaults.md) |
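Review bot: grammar in the common-guidance list: "and use existing support for ID token resilience" should be "and uses existing support", matching "Switching ... reduces"; likewise "ensures the use of APIs and call patterns are supportable" should be "ensures that the APIs and call patterns used are supported". The hostname table has an empty separator row ("| | |") where markdown needs "|---|---|" for it to render as a table. In the managed identity section, "Microsoft recommends the use of user-assigned managed identities in most scenarios, however this protection applies to both" is a comma splice; split it into two sentences. In the single-page application section, the text should say explicitly that implicit-grant SPAs being the only protected kind is a current limitation of the backup system, not a reason to prefer the implicit flow over authorization code with PKCE, because the next sentence (PKCE "isn't currently supported") reads like guidance to stay on the older flow.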
active-directory | Backup Authentication System | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/backup-authentication-system.md | + + Title: Azure AD's backup authentication system +description: Increasing the resilience of the authentication plane with the backup authentication system. +++++ Last updated : 06/02/2023+++++++++# Azure AD's backup authentication system ++Users and organizations around the world depend on the high availability of Azure Active Directory (Azure AD) authentication of users and services 24 hours a day, seven days a week. We promise a 99.99% Service Level availability for authentication, and we continuously seek to improve it by enhancing the resilience of our authentication service. To further improve resilience during outages, we implemented a backup system in 2021. ++The Azure AD backup authentication system is made up of multiple backup services that work together to increase authentication resilience if there's an outage. This system transparently and automatically handles authentications for supported applications and services if the primary Azure AD service is unavailable or degraded. It adds an extra layer of resilience on top of the multiple levels of existing redundancy. This resilience is described in the blog post [Advancing service resilience in Azure Active Directory with its backup authentication service](https://azure.microsoft.com/blog/advancing-service-resilience-in-azure-active-directory-with-its-backup-authentication-service/). This system syncs authentication metadata when the system is healthy and uses that to enable users to continue to access applications during outages of the primary service while still enforcing policy controls. 
++During an outage of the primary service, users are able to continue working with their applications, as long as they accessed them in the last three days from the same device, and no blocking policies exist that would curtail their access: ++In addition to Microsoft applications, we support: ++- Native email clients on iOS and Android. +- SaaS applications available in the app gallery, like ADP, Atlassian, AWS, GoToMeeting, Kronos, Marketo, SAP, Trello, Workday, and more. +- Selected line of business applications, based on their authentication patterns. ++Service to service authentication that relies on Azure AD managed identities or are built on Azure services, like virtual machines, cloud storage, Cognitive Services, and App Services, receives increased resilience from the back up authentication system. ++Microsoft is continuously expanding the number of supported scenarios. ++## Which non-Microsoft workloads are supported? ++The backup authentication system automatically provides incremental resilience to tens of thousands of supported non-Microsoft applications based on their authentication patterns. Seethe appendix for a list of the most [common non-Microsoft applications and their coverage status](#appendix). For an in depth explanation of which authentication patterns are supported, see the article [Understanding Application Support for the backup authentication system](backup-authentication-system-apps.md) article. ++- Native applications using the OAuth 2.0 protocol to access resource applications, such as popular non-Microsoft e-mail and IM clients like: Apple Mail, Aqua Mail, Gmail, Samsung Email, Spark, and Thunderbird +- Line of business web applications configured to authenticate with OpenID Connect using only ID tokens. 
+- Web applications authenticating with the SAML protocol, when configured for IDP-Initiated Single Sign On (SSO) like: ADP, Atlassian Cloud, AWS, GoToMeeting, Kronos, Marketo, Palo Alto Networks, SAP Cloud Identity Trello, Workday, and Zscaler. ++### Non-Microsoft application types that aren't protected ++The following auth patterns aren't currently supported: ++- Web applications that authenticate using Open ID Connect and request access tokens +- Web applications that use the SAML protocol for authentication, when configured as SP-Initiated SSO ++## What makes a user supportable by the backup authentication system? ++During an outage, a user can authenticate using the backup authentication system if the following conditions are met: ++1. The user has successfully authenticated using the same app and device in the last three days. +1. The user isn't required to authenticate interactively +1. The user is accessing a resource as a member of their home tenant, rather than exercising a B2B or B2C scenario. +1. The user isn't subject to Conditional Access policies that limit the backup authentication system, like disabling [resilience defaults](../conditional-access/resilience-defaults.md). +1. The user hasn't been subject to a revocation event, such as a credential change since their last successful authentication. ++### How does interactive authentication and user activity affect resilience? ++The backup authentication system relies on metadata from a prior authentication to reauthenticate the user during an outage. For this reason, a user must have authenticated in the last three days using the same app on the same device for the backup service to be effective. Users who are inactive or haven't yet authenticated to a given app can't use the backup authentication system for that application. ++### How do Conditional Access policies affect resilience? 
++Certain policies can't be evaluated in real-time by the backup authentication system and must rely on prior evaluations of these policies. Under outage conditions, the service uses a prior evaluation by default to maximize resilience. For example, access that is conditioned on a user having a particular role (like Application Administrator) continues during an outage based on the role the user had during that latest authentication. If the outage-only use of a previous evaluation needs to be restricted, tenant administrators can choose a strict evaluation of all Conditional Access policies, even under outage conditions, by disabling resilience defaults. This decision should be taken with care because disabling [resilience defaults](../conditional-access/resilience-defaults.md) for a given policy disables those users from using backup authentication. Resilience defaults must be re-enabled before an outage occurs for the backup system to provide resilience. ++Certain other types of policies don't support use of the backup authentication system. Use of the following policies reduce resilience: ++- Use of the [sign-in frequency control](../conditional-access/concept-conditional-access-session.md#sign-in-frequency) as part of a Conditional Access policy. +- Use of the [authentication methods policy](../conditional-access/concept-conditional-access-grant.md#require-authentication-strength). +- Use of [classic Conditional Access policies](../conditional-access/policy-migration.md). ++## Workload identity resilience in the backup authentication system ++In addition to user authentication, the backup authentication system provides resilience for [managed identities](../managed-identities-azure-resources/overview.md) and other key Azure infrastructure by offering a regionally isolated authentication service that is redundantly layered with the primary authentication service. 
This system enables the infrastructure authentication within an Azure region to be resilient to issues that may occur in another region or within the larger Azure Active Directory service. This system complements AzureΓÇÖs cross-region architecture. Building your own applications using MI and following AzureΓÇÖs [best practices for resilience and availability]() ensures your applications are highly resilient. In addition to MI, this regionally resilient backup system protects key Azure infrastructure and services that keep the cloud functional. ++### Summary of infrastructure authentication support ++- Your services built-on the Azure Infrastructure using managed identities are protected by the backup authentication system. +- Azure services authenticating with each other are protected by the backup authentication system. +- Your services built on or off Azure when the identities are registered as Service Principals and not ΓÇ£managed identitiesΓÇ¥ **aren't protected** by the backup authentication system. ++## Cloud environments that support the backup authentication system ++The backup authentication system is supported in all cloud environments except Azure China 21vianet. The types of identities supported vary by cloud, as described in the following table. ++| Azure environment | Identities protected | +| | | +| Azure Commercial | Users, managed identities | +| Azure Government | Users, managed identities | +| Azure Government Secret | managed identities | +| Azure Government Top Secret | managed identities | +| Azure China | Not available | ++## Appendix ++### Popular non-Microsoft native client apps and app gallery applications ++| App Name | Protected | Why Not protected? 
| +| | | | +| ABBYY FlexiCapture 12 | No | SAML SP-initiated | +| Adobe Experience Manager | No | SAML SP-initiated | +| Adobe Identity Management (OIDC) | No | OIDC with Access Token | +| ADP | Yes | Protected | +| Apple Business Manager | No | SAML SP-initiated | +| Apple Internet Accounts | Yes | Protected | +| Apple School Manager | No | OIDC with Access Token | +| Aqua Mail | Yes | Protected | +| Atlassian Cloud | Yes \* | Protected | +| Blackboard Learn | No | SAML SP-initiated | +| Box | No | SAML SP-initiated | +| Brightspace by Desire2Leam | No | SAML SP-initiated | +| Canvas | No | SAML SP-initiated | +| Ceridian Dayforce HCM | No | SAML SP-initiated | +| Cisco AnyConnect | No | SAML SP-initiated | +| Cisco Webex | No | SAML SP-initiated | +| Citrix ADC SAML Connector forAzure AD | No | SAML SP-initiated | +| Clever | No | SAML SP-initiated | +| Cloud Drive Mapper | Yes | Protected | +| Cornerstone Single Sign-on | No | SAML SP-initiated | +| Docusign | No | SAML SP-initiated | +| Druva | No | SAML SP-initiated | +| F5 BIG-IP ARM Azure AD integration | No | SAML SP-initiated | +| FortiGate SSL VPN | No | SAML SP-initiated | +| Freshworks | No | SAML SP-initiated | +| Gmail | Yes | Protected | +| Google Cloud / G Suite Connector by Microsoft | No | SAML SP-initiated | +| HubSpot Sales | No | SAML SP-initiated | +| Kronos | Yes \* | Protected | +| Madrasati App | No | SAML SP-initiated | +| OpenAthens | No | SAML SP-initiated | +| Oracle Fusion ERP | No | SAML SP-initiated | +| Palo Alto Networks - GlobalProtect | No | SAML SP-initiated | +| Polycom - Skype for Business Certified Phone | Yes | Protected | +| Salesforce | No | SAML SP-initiated | +| Samsung Email | Yes | Protected | +| SAP Cloud Platform Identity Authentication | No | SAML SP-initiated | +| SAP Concur | Yes \* | SAML SP-initiated | +| SAP Concur Travel and Expense | Yes \* | Protected | +| SAP Fiori | No | SAML SP-initiated | +| SAP NetWeaver | No | SAML SP-initiated | +| SAP SuccessFactors 
| No | SAML SP-initiated | +| Service Now | No | SAML SP-initiated | +| Slack | No | SAML SP-initiated | +| Smartsheet | No | SAML SP-initiated | +| Spark | Yes | Protected | +| Thunderbird | Yes | Protected | +| UKG pro | Yes \* | Protected | +| VMware Boxer | Yes | Protected | +| walkMe | No | SAML SP-initiated | +| Workday | No | SAML SP-initiated | +| Workplace from Facebook | No | SAML SP-initiated | +| Zoom | No | SAML SP-initiated | +| Zscaler | Yes \* | Protected | +| Zscaler Private Access (ZPA) | No | SAML SP-initiated | +| Zscaler ZSCloud | No | SAML SP-initiated | ++> [!NOTE] +> \* Apps configured to authenticate with the SAML protocol are protected when using IDP-Initiated authentication. Service Provider (SP) initiated SAML configurations aren't supported ++### Azure resources and their status ++| resource | Azure resource name | Status | +| | | | +| microsoft.apimanagement | API Management service in Azure Government and China regions | Protected | +| microsoft.app | App Service | Protected | +| microsoft.appconfiguration | Azure App Configuration | Protected | +| microsoft.appplatform | Azure App Service | Protected | +| microsoft.authorization | Azure Active Directory | Protected | +| microsoft.automation | Automation Service | Protected | +| microsoft.avs | Azure VMware Solution | Protected | +| microsoft.batch | Azure Batch | Protected | +| microsoft.cache | Azure Cache for Redis | Protected | +| microsoft.cdn | Azure Content Delivery Network (CDN) | Not protected | +| microsoft.chaos | Azure Chaos Engineering | Protected | +| microsoft.cognitiveservices | Cognitive Services APIs and Containers | Protected | +| microsoft.communication | Azure Communication Services | Not protected | +| microsoft.compute | Azure Virtual Machines | Protected | +| microsoft.containerinstance | Azure Container Instances | Protected | +| microsoft.containerregistry | Azure Container Registry | Protected | +| microsoft.containerservice | Azure Container Service 
(deprecated) | Protected | +| microsoft.dashboard | Azure Dashboards | Protected | +| microsoft.databasewatcher | Azure SQL Database Automatic Tuning | Protected | +| microsoft.databox | Azure Data Box | Protected | +| microsoft.databricks | Azure Databricks | Not protected | +| microsoft.datacollaboration | Azure Data Share | Protected | +| microsoft.datadog | Datadog | Protected | +| microsoft.datafactory | Azure Data Factory | Protected | +| microsoft.datalakestore | Azure Data Lake Storage Gen1 and Gen2 | Not protected | +| microsoft.dataprotection | Microsoft Cloud App Security Data Protection API | Protected | +| microsoft.dbformysql | Azure Database for MySQL | Protected | +| microsoft.dbforpostgresql | Azure Database for PostgreSQL | Protected | +| microsoft.delegatednetwork | Delegated Network Management service | Protected | +| microsoft.devcenter | Microsoft Store for Business and Education | Protected | +| microsoft.devices | Azure IoT Hub and IoT Central | Not protected | +| microsoft.deviceupdate | Windows 10 IoT Core Services Device Update | Protected | +| microsoft.devtestlab | Azure DevTest Labs | Protected | +| microsoft.digitaltwins | Azure Digital Twins | Protected | +| microsoft.documentdb | Azure Cosmos DB | Protected | +| microsoft.eventgrid | Azure Event Grid | Protected | +| microsoft.eventhub | Azure Event Hubs | Protected | +| microsoft.healthbot | Health Bot Service | Protected | +| microsoft.healthcareapis | FHIR API for Azure API for FHIR and Microsoft Cloud for Healthcare solutions | Protected | +| microsoft.hybridcontainerservice | Azure Arc enabled Kubernetes | Protected | +| microsoft.hybridnetwork | Azure Virtual WAN | Protected | +| microsoft.insights | Application Insights and Log Analytics | Not protected | +| microsoft.iotcentral | IoT Central | Protected | +| microsoft.kubernetes | Azure Kubernetes Service (AKS) | Protected | +| microsoft.kusto | Azure Data Explorer (Kusto) | Protected | +| microsoft.loadtestservice | Visual 
Studio Load Testing Service | Protected | +| microsoft.logic | Azure Logic Apps | Protected | +| microsoft.machinelearningservices | Machine Learning Services on Azure | Protected | +| microsoft.managedidentity | Managed identities for Microsoft Resources | Protected | +| microsoft.maps | Azure Maps | Protected | +| microsoft.media | Azure Media Services | Protected | +| microsoft.migrate | Azure Migrate | Protected | +| microsoft.mixedreality | Mixed Reality services including Remote Rendering, Spatial Anchors, and Object Anchors | Not protected | +| microsoft.netapp | Azure NetApp Files | Protected | +| microsoft.network | Azure Virtual Network | Protected | +| microsoft.openenergyplatform | Open Energy Platform (OEP) on Azure | Protected | +| microsoft.operationalinsights | Azure Monitor Logs | Protected | +| microsoft.powerplatform | Microsoft Power Platform | Protected | +| microsoft.purview | Azure Purview (formerly Azure Data Catalog) | Protected | +| microsoft.quantum | Microsoft Quantum Development Kit | Protected | +| microsoft.recommendationsservice | Azure Cognitive Services Recommendations API | Protected | +| microsoft.recoveryservices | Azure Site Recovery | Protected | +| microsoft.resourceconnector | Azure Resource Connector | Protected | +| microsoft.scom | System Center Operations Manager (SCOM) | Protected | +| microsoft.search | Azure Cognitive Search | Not protected | +| microsoft.security | Azure Security Center | Not protected | +| microsoft.securitydetonation | Microsoft Defender for Endpoint Detonation Service | Protected | +| microsoft.servicebus | Service Bus messaging service and Event Grid Domain Topics | Protected | +| microsoft.servicefabric | Azure Service Fabric | Protected | +| microsoft.signalrservice | Azure SignalR Service | Protected | +| microsoft.solutions | Azure Solutions | Protected | +| microsoft.sql | SQL Server on Virtual Machines and SQL Managed Instance on Azure | Protected | +| microsoft.storage | Azure Storage | 
Protected | +| microsoft.storagecache | Azure Storage Cache | Protected | +| microsoft.storagesync | Azure File Sync | Protected | +| microsoft.streamanalytics | Azure Stream Analytics | Not protected | +| microsoft.synapse | Synapse Analytics (formerly SQL DW) and Synapse Studio (formerly SQL DW Studio) | Protected | +| microsoft.usagebilling | Azure Usage and Billing Portal | Not protected | +| microsoft.videoindexer | Video Indexer | Protected | +| microsoft.voiceservices | Azure Communication Services - Voice APIs | Not protected | +| microsoft.web | Web Apps | Protected | ++## Next steps ++- [Application requirements for the backup authentication system](backup-authentication-system-apps.md) +- [Introduction to the backup authentication system](https://azure.microsoft.com/blog/advancing-service-resilience-in-azure-active-directory-with-its-backup-authentication-service/) +- [Resilience Defaults for Conditional Access](../conditional-access/resilience-defaults.md) +- [Azure Active Directory SLA performance reporting](../reports-monitoring/reference-azure-ad-sla-performance.md) |
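Review bot: several wording fixes are needed in the prose: "Seethe appendix" should be "See the appendix"; "see the article [...] article" repeats "article"; "back up authentication system" should be "backup authentication system"; "Service to service authentication that relies on ... or are built on" needs "is built on"; "Use of the following policies reduce resilience" should be "reduces"; "disables those users from using backup authentication" should be "prevents those users from using"; the link "[best practices for resilience and availability]()" has an empty target; and the sentence ending "would curtail their access:" ends with a colon but is followed by a new paragraph rather than a list. In the appendix, "Brightspace by Desire2Leam" looks like a misspelling of Desire2Learn, "Citrix ADC SAML Connector forAzure AD" is missing a space, "SAP Cloud Identity Trello" in the SAML list is missing a comma, and the SAP Concur row says "Yes \*" in the Protected column but "SAML SP-initiated" in the reason column, which is the reason given for "No" everywhere else (the SAP Concur Travel and Expense row beneath it says "Protected"), so one of those two cells is wrong. In the Azure resources table, microsoft.app is labeled "App Service", microsoft.appplatform "Azure App Service" and microsoft.web "Web Apps"; three providers with near-identical names should be checked and distinguished so readers can tell which entry their workload depends on. All three tables also have empty separator rows that need "|---|" cells to render.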
active-directory | Govern Service Accounts | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/govern-service-accounts.md | Learn more: > [!NOTE] > We do not recommend user accounts as service accounts because they are less secure. This includes on-premises service accounts synced to Azure AD, because they aren't converted to service principals. Instead, we recommend managed identities, or service principals, and the use of Conditional Access. -Lear more: [What is Conditional Access?](../conditional-access/overview.md) +Learn more: [What is Conditional Access?](../conditional-access/overview.md) ## Plan your service account |
active-directory | Ops Guide Auth | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/ops-guide-auth.md | -This section of the [Azure AD operations reference guide](active-directory-ops-guide-intro.md) describes the checks and actions you should take to secure and manage credentials, define authentication experience, delegate assignment, measure usage, and define access policies based on enterprise security posture. +This section of the [Azure AD operations reference guide](ops-guide-intro.md) describes the checks and actions you should take to secure and manage credentials, define authentication experience, delegate assignment, measure usage, and define access policies based on enterprise security posture. > [!NOTE] > These recommendations are current as of the date of publishing but can change over time. Organizations should continuously evaluate their identity practices as Microsoft products and services evolve over time. |
active-directory | Ops Guide Govern | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/ops-guide-govern.md | -This section of the [Azure AD operations reference guide](active-directory-ops-guide-intro.md) describes the checks and actions you should take to assess and attest the access granted nonprivileged and privileged identities, audit, and control changes to the environment. +This section of the [Azure AD operations reference guide](ops-guide-intro.md) describes the checks and actions you should take to assess and attest the access granted nonprivileged and privileged identities, audit, and control changes to the environment. > [!NOTE] > These recommendations are current as of the date of publishing but can change over time. Organizations should continuously evaluate their governance practices as Microsoft products and services evolve over time. There are eight aspects to a secure Identity governance. This list will help you ## Next steps -Get started with the [Azure AD operational checks and actions](active-directory-ops-guide-ops.md). +Get started with the [Azure AD operational checks and actions](ops-guide-ops.md). |
active-directory | Ops Guide Iam | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/ops-guide-iam.md | + + Title: Azure Active Directory Identity and access management operations reference guide +description: This operations reference guide describes the checks and actions you should take to secure identity and access management operations ++++tags: azuread ++++ Last updated : 08/17/2022++++# Azure Active Directory Identity and access management operations reference guide ++This section of the [Azure AD operations reference guide](ops-guide-intro.md) describes the checks and actions you should consider to secure and manage the lifecycle of identities and their assignments. ++> [!NOTE] +> These recommendations are current as of the date of publishing but can change over time. Organizations should continuously evaluate their identity practices as Microsoft products and services evolve over time. ++## Key operational processes ++### Assign owners to key tasks ++Managing Azure Active Directory requires the continuous execution of key operational tasks and processes that may not be part of a rollout project. It's still important you set up these tasks to maintain your environment. 
The key tasks and their recommended owners include: ++| Task | Owner | +| :- | :- | +| Define the process how to create Azure subscriptions | Varies by organization | +| Decide who gets Enterprise Mobility + Security licenses | IAM Operations Team | +| Decide who gets Microsoft 365 licenses | Productivity Team | +| Decide who gets other licenses, for example, Dynamics, Visual Studio Codespaces | Application Owner | +| Assign licenses | IAM Operations Team | +| Troubleshoot and remediate license assignment errors | IAM Operations Team | +| Provision identities to applications in Azure AD | IAM Operations Team | ++As you review your list, you may find you need to either assign an owner for tasks that are missing an owner or adjust ownership for tasks with owners that aren't aligned with the recommendations above. ++#### Assigning owners recommended reading ++- [Assigning administrator roles in Azure Active Directory](../roles/permissions-reference.md) ++## On-premises identity synchronization ++### Identify and resolve synchronization issues ++Microsoft recommends you have a good baseline and understanding of the issues in your on-premises environment that can result in synchronization issues to the cloud. Since automated tools such as [IdFix](/office365/enterprise/prepare-directory-attributes-for-synch-with-idfix) and [Azure AD Connect Health](../hybrid/whatis-azure-ad-connect.md#why-use-azure-ad-connect-health) can generate a high volume of false positives, we recommend you identify synchronization errors that have been left unaddressed for more than 100 days by cleaning up those objects in error. Long term unresolved synchronization errors can generate support incidents. [Troubleshooting errors during synchronization](../hybrid/tshoot-connect-sync-errors.md) provides an overview of different types of sync errors, some of the possible scenarios that cause those errors and potential ways to fix the errors. 
++### Azure AD Connect Sync configuration ++To enable all hybrid experiences, device-based security posture, and integration with Azure AD, it's required that you synchronize user accounts that your employees use to login to their desktops. ++If you don't synchronize the forest users log into, then you should change the synchronization to come from the proper forest. ++#### Synchronization scope and object filtering ++Removing known buckets of objects that aren't required to be synchronized has the following operational benefits: ++- Fewer sources of sync errors +- Faster sync cycles +- Less "garbage" to carry forward from on-premises, for example, pollution of the global address list for on-premises service accounts that aren't relevant in the cloud ++> [!NOTE] +> If you find you are importing many objects that aren't being exported to the cloud, you should filter by OU or specific attributes. ++Examples of objects to exclude are: ++- Service Accounts that aren't used for cloud applications +- Groups that aren't meant to be used in cloud scenarios such as those used to grant access to resources +- Users or contacts that are external identities that are meant to be represented with Azure AD B2B Collaboration +- Computer Accounts where employees aren't meant to access cloud applications from, for example, servers ++> [!NOTE] +> If a single human identity has multiple accounts provisioned from something such as a legacy domain migration, merger, or acquisition, you should only synchronize the account used by the user on a day-to-day basis, for example, what they use to log in to their computer. ++Ideally, you'll want to reach a balance between reducing the number of objects to synchronize and the complexity in the rules. Generally, a combination between OU/container [filtering](../hybrid/how-to-connect-sync-configure-filtering.md) plus a simple attribute mapping to the cloudFiltered attribute is an effective filtering combination. 
++> [!IMPORTANT] +> If you use group filtering in production, you should transition to another filtering approach. ++#### Sync failover or disaster recovery ++Azure AD Connect plays a key role in the provisioning process. If the Sync Server goes offline for any reason, changes to on-premises can't be updated in the cloud and can result in access issues for users. Therefore, it's important to define a failover strategy that allows administrators to quickly resume synchronization after the sync server goes offline. Such strategies may fall into the following categories: ++- **Deploy Azure AD Connect Server(s) in Staging Mode** - allows an administrator to "promote" the staging server to production by a simple configuration switch. +- **Use Virtualization** - If the Azure AD connect is deployed in a virtual machine (VM), admins can leverage their virtualization stack to live migrate or quickly redeploy the VM and therefore resume synchronization. ++If your organization is lacking a disaster recovery and failover strategy for Sync, you shouldn't hesitate to deploy Azure AD Connect in Staging Mode. Likewise, if there's a mismatch between your production and staging configuration, you should re-baseline Azure AD Connect staging mode to match the production configuration, including software versions and configurations. ++![A screenshot of Azure AD Connect staging mode configuration](./media/ops-guide-auth/ops-img1.png) ++#### Stay current ++Microsoft updates Azure AD Connect regularly. Stay current to take advantage of the performance improvements, bug fixes, and new capabilities that each new version provides. ++If your Azure AD Connect version is more than six months behind, you should upgrade to the most recent version. 
++#### Source anchor ++Using **ms-DS-consistencyguid** as the [source anchor](../hybrid/plan-connect-design-concepts.md) allows an easier migration of objects across forests and domains, which is common in AD Domain consolidation/cleanup, mergers, acquisitions, and divestitures. ++If you're currently using **ObjectGuid** as the source anchor, we recommend you switch to using **ms-DS-ConsistencyGuid**. ++#### Custom rules ++Azure AD Connect custom rules provide the ability to control the flow of attributes between on-premises objects and cloud objects. However, overusing or misusing custom rules can introduce the following risks: ++- Troubleshooting complexity +- Degradation of performance when performing complex operations across objects +- Higher probability of divergence of configuration between the production server and staging server +- Additional overhead when upgrading Azure AD Connect if custom rules are created within the precedence greater than 100 (used by built-in rules) ++If you're using overly complex rules, you should investigate the reasons for the complexity and find opportunities for simplification. Likewise, if you have created custom rules with precedence value over 100, you should fix the rules so they aren't at risk or conflict with the default set. ++Examples of misusing custom rules include: ++- **Compensate for dirty data in the directory** - In this case, it's recommended to work with the owners of the AD team and clean up the data in the directory as a remediation task, and adjust processes to avoid reintroduction of bad data. +- **One-off remediation of individual users** - It's common to find rules that special case outliers, usually because of an issue with a specific user. +- **Overcomplicated "CloudFiltering"** - While reducing the number of objects is a good practice, there's a risk of creating and overcomplicated sync scope using many sync rules. 
If there's complex logic to include/exclude objects beyond the OU filtering, it's recommended to deal with this logic outside of sync and label the objects with a simple "cloudFiltered" attribute that can flow with a simple Sync Rule. ++#### Azure AD Connect configuration documenter ++The [Azure AD Connect Configuration Documenter](https://github.com/Microsoft/AADConnectConfigDocumenter) is a tool you can use to generate documentation of an Azure AD Connect installation to enable a better understanding of the sync configuration, build confidence in getting things right, and to know what was changed when you applied a new build or configuration of Azure AD Connect or added or updated custom sync rules. The current capabilities of the tool include: ++- Documentation of the complete configuration of Azure AD Connect sync. +- Documentation of any changes in the configuration of two Azure AD Connect sync servers or changes from a given configuration baseline. +- Generation of a PowerShell deployment script to migrate the sync rule differences or customizations from one server to another. ++## Assignment to apps and resources ++### Group-based licensing for Microsoft cloud services ++Azure Active Directory streamlines the management of licenses through [group-based licensing](./active-directory-licensing-whatis-azure-portal.md) for Microsoft cloud services. This way, IAM provides the group infrastructure and delegated management of those groups to the proper teams in the organizations. There are multiple ways to set up the membership of groups in Azure AD, including: ++- **Synchronized from on-premises** - Groups can come from on-premises directories, which could be a good fit for organizations that have established group management processes that can be extended to assign licenses in Microsoft 365. ++- **Attribute-based / dynamic** - Groups can be created in the cloud based on an expression based on user attributes, for example, Department equals "sales". 
Azure AD maintains the members of the group, keeping it consistent with the expression defined. Using this kind of group for license assignment enables an attribute-based license assignment, which is a good fit for organizations that have high data quality in their directory. ++- **Delegated ownership** - Groups can be created in the cloud and can be designated owners. This way, you can empower business owners, for example, Collaboration team or BI team, to define who should have access. ++If you're currently using a manual process to assign licenses and components to users, we recommend you implement group-based licensing. If your current process doesn't monitor licensing errors or what is Assigned versus Available, you should define improvements to the process to address licensing errors and monitor licensing assignment. ++Another aspect of license management is the definition of service plans (components of the license) that should be enabled based on job functions in the organization. Granting access to service plans that aren't necessary, can result in users seeing tools in the Office portal that they haven't been trained for or shouldn't be using. It can drive additional help desk volume, unnecessary provisioning, and put your compliance and governance at risk, for example, when provisioning OneDrive for Business to individuals that might not be allowed to share content. ++Use the following guidelines to define service plans to users: ++- Administrators should define "bundles" of service plans to be offered to users based on their role, for instance, white-collar worker versus floor worker. +- Create groups by cluster and assign the license with service plan. +- Optionally, an attribute can be defined to hold the packages for users. ++> [!IMPORTANT] +> Group-based licensing in Azure AD introduces the concept of users in a licensing error state. 
If you notice any licensing errors, then you should immediately [identify and resolve](../enterprise-users/licensing-groups-resolve-problems.md) any license assignment problems. ++![A screenshot of a computer screen Description automatically generated](./media/ops-guide-auth/ops-img2.png) ++#### Lifecycle management ++If you're currently using a tool, such as [Microsoft Identity Manager](/microsoft-identity-manager/) or third-party system, that relies on an on-premises infrastructure, we recommend you offload assignment from the existing tool, implement group-based licensing and define a group lifecycle management based on [groups](../enterprise-users/licensing-group-advanced.md#use-group-based-licensing-with-dynamic-groups). Likewise, if your existing process doesn't account for new employees or employees that leave the organization, you should deploy group-based licensing based on dynamic groups and define a group membership lifecycle. Finally, if group-based licensing is deployed against on-premises groups that lack lifecycle management, consider using cloud groups to enable capabilities such as delegated ownership or attribute-based dynamic membership. ++### Assignment of apps with "All users" group ++Resource owners may believe that the **All users** group contains only **Enterprise Employees** when they may actually contain both **Enterprise Employees** and **Guests**. As a result, you should take special care when using the **All users** group for application assignment and granting access to resources such as SharePoint content or applications. ++> [!IMPORTANT] +> If the **All users** group is enabled and used for conditional access policies, app or resource assignment, make sure to [secure the group](../external-identities/use-dynamic-groups.md) if you don't want it to include guest users. Furthermore, you should fix your licensing assignments by creating and assigning to groups that contain **Enterprise Employees** only. 
On the other hand, if you find that the **All users** group is enabled but not being used to grant access to resources, make sure your organization's operational guidance is to intentionally use that group (which includes both **Enterprise Employees** and **Guests**). ++### Automated user provisioning to apps ++[Automated user provisioning](../app-provisioning/user-provisioning.md) to applications is the best way to create a consistent provisioning, deprovisioning, and lifecycle of identities across multiple systems. ++If you're currently provisioning apps in an ad-hoc manner or using things like CSV files, JIT, or an on-premises solution that doesn't address lifecycle management, we recommend you [implement application provisioning](../app-provisioning/user-provisioning.md#how-do-i-set-up-automatic-provisioning-to-an-application) with Azure AD for supported applications and define a consistent pattern for applications that aren't yet supported by Azure AD. ++![Azure AD provisioning service](./media/ops-guide-auth/ops-img3.png) ++### Azure AD Connect delta sync cycle baseline ++It's important to understand the volume of changes in your organization and make sure that it isn't taking too long to have a predictable synchronization time. ++The [default delta sync](../hybrid/how-to-connect-sync-feature-scheduler.md) frequency is 30 minutes. If the delta sync is taking longer than 30 minutes consistently, or there are significant discrepancies between the delta sync performance of staging and production, you should investigate and review the [factors influencing the performance of Azure AD Connect](../hybrid/plan-connect-performance-factors.md). 
++#### Azure AD Connect troubleshooting recommended reading ++- [Prepare directory attributes for synchronization with Microsoft 365 by using the IdFix tool](/office365/enterprise/prepare-directory-attributes-for-synch-with-idfix) +- [Azure AD Connect: Troubleshooting Errors during synchronization](../hybrid/tshoot-connect-sync-errors.md) ++## Summary ++There are five aspects to a secure Identity infrastructure. This list will help you quickly find and take the necessary actions to secure and manage the lifecycle of identities and their entitlements in your organization. ++- Assign owners to key tasks. +- Find and resolve synchronization issues. +- Define a failover strategy for disaster recovery. +- Streamline the management of licenses and assignment of apps. +- Automate user provisioning to apps. ++## Next steps ++Get started with the [Authentication management checks and actions](ops-guide-auth.md). |
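Review bot: In the "Custom rules" section the bullet "Additional overhead when upgrading Azure AD Connect if custom rules are created within the precedence greater than 100 (used by built-in rules)" is ungrammatical and states the boundary differently from the following paragraph ("precedence value over 100"); suggest one consistent wording, e.g. "if custom rules are created with a precedence value in the range used by built-in rules (100 and above)", and the same phrasing in the paragraph that tells readers to fix such rules. Two smaller points in the same hunk: "user accounts that your employees use to login to their desktops" should read "log in to their desktops" (the hunk itself uses "log in" a few lines later), and the alt text "A screenshot of a computer screen Description automatically generated" for ops-img2.png is auto-generated and should describe what the image shows (the licensing error state the paragraph discusses). Also worth confirming that this IAM article intentionally loads its images from ./media/ops-guide-auth/ rather than a folder of its own.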
active-directory | Ops Guide Intro | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/ops-guide-intro.md | + + Title: Azure Active Directory operations reference guide +description: This operations reference guide describes the checks and actions you should take to secure and maintain identity and access management, authentication, governance, and operations ++++tags: azuread ++++ Last updated : 08/17/2022++++# Azure Active Directory operations reference guide ++This operations reference guide describes the checks and actions you should take to secure and maintain the following areas: ++- **[Identity and access management](ops-guide-iam.md)** - ability to manage the lifecycle of identities and their entitlements. +- **[Authentication management](ops-guide-auth.md)** - ability to manage credentials, define authentication experience, delegate assignment, measure usage, and define access policies based on enterprise security posture. +- **[Governance](ops-guide-govern.md)** - ability to assess and attest the access granted nonprivileged and privileged identities, audit, and control changes to the environment. +- **[Operations](ops-guide-ops.md)** - optimize the operations Azure Active Directory (Azure AD). ++Some recommendations here might not be applicable to all customers' environment, for example, AD FS best practices might not apply if your organization uses password hash sync. ++> [!NOTE] +> These recommendations are current as of the date of publishing but can change over time. Organizations should continuously evaluate their identity practices as Microsoft products and services evolve over time. Recommendations can change when organizations subscribe to a different Azure AD Premium license. ++## Stakeholders ++Each section in this reference guide recommends assigning stakeholders to plan and implement key tasks successfully. 
The following table outlines the list of all the stakeholders in this guide: ++| Stakeholder | Description | +| :- | :- | +| IAM Operations Team | This team handles managing the day to day operations of the Identity and Access Management system | +| Productivity Team | This team owns and manages the productivity applications such as email, file sharing and collaboration, instant messaging, and conferencing. | +| Application Owner | This team owns the specific application from a business and usually a technical perspective in an organization. | +| InfoSec Architecture Team | This team plans and designs the Information Security practices of an organization. | +| InfoSec Operations Team | This team runs and monitors the implemented Information Security practices of the InfoSec Architecture team. | ++## Next steps ++Get started with the [Identity and access management checks and actions](ops-guide-iam.md). |
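Review bot: The "Operations" bullet in the area list reads "optimize the operations Azure Active Directory (Azure AD)" and is missing a word; suggest "optimize the operations of Azure Active Directory (Azure AD)", matching the ops-guide-ops.md intro in this same change set. Minor: "all customers' environment" should be "all customers' environments", and "day to day operations" in the IAM Operations Team row should be hyphenated as "day-to-day operations".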
active-directory | Ops Guide Ops | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/ops-guide-ops.md | + + Title: Azure Active Directory general operations guide reference +description: This operations reference guide describes the checks and actions you should take to secure general operations ++++tags: azuread ++++ Last updated : 08/17/2022++++# Azure Active Directory general operations guide reference ++This section of the [Azure AD operations reference guide](ops-guide-intro.md) describes the checks and actions you should take to optimize the general operations of Azure Active Directory (Azure AD). ++> [!NOTE] +> These recommendations are current as of the date of publishing but can change over time. Organizations should continuously evaluate their operational practices as Microsoft products and services evolve over time. ++## Key operational processes ++### Assign owners to key tasks ++Managing Azure Active Directory requires the continuous execution of key operational tasks and processes, which may not be part of a rollout project. It's still important you set up these tasks to optimize your environment. 
The key tasks and their recommended owners include: ++| Task | Owner | +| :- | :- | +| Drive Improvements on Identity Secure Score | InfoSec Operations Team | +| Maintain Azure AD Connect Servers | IAM Operations Team | +| Regularly execute and triage IdFix Reports | IAM Operations Team | +| Triage Azure AD Connect Health Alerts for Sync and AD FS | IAM Operations Team | +| If not using Azure AD Connect Health, then customer has equivalent process and tools to monitor custom infrastructure | IAM Operations Team | +| If not using AD FS, then customer has equivalent process and tools to monitor custom infrastructure | IAM Operations Team | +| Monitor Hybrid Logs: Azure AD App Proxy Connectors | IAM Operations Team | +| Monitor Hybrid Logs: Passthrough Authentication Agents | IAM Operations Team | +| Monitor Hybrid Logs: Password Writeback Service | IAM Operations Team | +| Monitor Hybrid Logs: On-premises password protection gateway | IAM Operations Team | +| Monitor Hybrid Logs: Azure AD MFA NPS Extension (if applicable) | IAM Operations Team | ++As you review your list, you may find you need to either assign an owner for tasks that are missing an owner or adjust ownership for tasks with owners that aren't aligned with the recommendations above. ++#### Owners recommended reading ++- [Assigning administrator roles in Azure Active Directory](../roles/permissions-reference.md) ++## Hybrid management ++### Recent versions of on-premises components ++Having the most up-to-date versions of on-premises components provides the customer all the latest security updates, performance improvements and functionality that could help to further simplify the environment. Most components have an automatic upgrade setting, which will automate the upgrade process. 
++These components include: ++- Azure AD Connect +- Azure AD Application Proxy Connectors +- Azure AD Pass-through authentication agents +- Azure AD Connect Health Agents ++Unless one has been established, you should define a process to upgrade these components and rely on the automatic upgrade feature whenever possible. If you find components that are six or more months behind, you should upgrade as soon as possible. ++#### Hybrid management recommended reading ++- [Azure AD Connect: Automatic upgrade](../hybrid/how-to-connect-install-automatic-upgrade.md) +- [Understand Azure AD Application Proxy connectors | Automatic updates](../app-proxy/application-proxy-connectors.md#automatic-updates) ++### Azure AD Connect Health alert baseline ++Organizations should deploy [Azure AD Connect Health](../hybrid/whatis-azure-ad-connect.md#what-is-azure-ad-connect-health) for monitoring and reporting of Azure AD Connect and AD FS. Azure AD Connect and AD FS are critical components that can break lifecycle management and authentication and therefore lead to outages. Azure AD Connect Health helps monitor and gain insights into your on-premises identity infrastructure thus ensuring the reliability of your environment. ++![Azure AD Connect Heath architecture](./media/ops-guide-auth/ops-img16.png) ++As you monitor the health of your environment, you must immediately address any high severity alerts, followed by lower severity alerts. ++#### Azure AD Connect Health recommended reading ++- [Azure AD Connect Health Agent Installation](../hybrid/how-to-connect-health-agent-install.md) ++### On-premises agents logs ++Some identity and access management services require on-premises agents to enable hybrid scenarios. Examples include password reset, pass-through authentication (PTA), Azure AD Application Proxy, and Azure AD MFA NPS extension. 
It's key that the operations team baseline and monitor the health of these components by archiving and analyzing the component agent logs using solutions such as System Center Operations Manager or SIEM. It's equally important your Infosec Operations team or help desk understand how to troubleshoot patterns of errors. ++#### On-premises agents logs recommended reading ++- [Troubleshoot Application Proxy](../app-proxy/application-proxy-troubleshoot.md) +- [Self-service password reset troubleshooting](../authentication/troubleshoot-sspr.md) +- [Understand Azure AD Application Proxy connectors](../app-proxy/application-proxy-connectors.md) +- [Azure AD Connect: Troubleshoot Pass-through Authentication](../hybrid/tshoot-connect-pass-through-authentication.md#collecting-pass-through-authentication-agent-logs) +- [Troubleshoot error codes for the Azure AD MFA NPS extension](../authentication/howto-mfa-nps-extension-errors.md) ++### On-premises agents management ++Adopting best practices can help the optimal operation of on-premises agents. Consider the following best practices: ++- Multiple Azure AD Application proxy connectors per connector group are recommended to provide seamless load balancing and high availability by avoiding single points of failure when accessing the proxy applications. If you presently have only one connector in a connector group that handles applications in production, you should deploy at least two connectors for redundancy. +- Creating and using an app proxy connector group for debugging purposes can be useful for troubleshooting scenarios and when onboarding new on-premises applications. We also recommend installing networking tools such as Message Analyzer and Fiddler in the connector machines. +- Multiple pass-through authentication agents are recommended to provide seamless load balancing and high availability by avoiding single point of failure during the authentication flow. 
Be sure to deploy at least two pass-through authentication agents for redundancy. ++#### On-premises agents management recommended reading ++- [Understand Azure AD Application Proxy connectors](../app-proxy/application-proxy-connectors.md) +- [Azure AD Pass-through Authentication - quickstart](../hybrid/how-to-connect-pta-quick-start.md#step-4-ensure-high-availability) ++## Management at scale ++### Identity secure score ++The [identity secure score](./identity-secure-score.md) provides a quantifiable measure of the security posture of your organization. It's key to constantly review and address findings reported and strive to have the highest score possible. The score helps you to: ++- Objectively measure your identity security posture +- Plan identity security improvements +- Review the success of your improvements ++![Secure score](./media/ops-guide-auth/ops-img17.png) ++If your organization currently has no program in place to monitor changes in Identity Secure Score, it is recommended you implement a plan and assign owners to monitor and drive improvement actions. Organizations should remediate improvement actions with a score impact higher than 30 as soon as possible. ++### Notifications ++Microsoft sends email communications to administrators to notify various changes in the service, configuration updates that are needed, and errors that require admin intervention. It's important that customers set the notification email addresses so that notifications are sent to the proper team members who can acknowledge and act upon all notifications. We recommend you add multiple recipients to the [Message Center](/office365/admin/manage/message-center) and request that notifications (including Azure AD Connect Health notifications) be sent to a distribution list or shared mailbox. If you only have one Global Administrator account with an email address, be sure to configure at least two email-capable accounts. 
++There are two "From" addresses used by Azure AD: <o365mc@email2.microsoft.com>, which sends Message Center notifications; and <azure-noreply@microsoft.com>, which sends notifications related to: ++- [Azure AD Access Reviews](../governance/access-reviews-overview.md) +- [Azure AD Connect Health](../hybrid/how-to-connect-health-operations.md#enable-email-notifications) +- [Azure AD Identity Protection](../identity-protection/howto-identity-protection-configure-notifications.md) +- [Azure AD Privileged Identity Management](../privileged-identity-management/pim-email-notifications.md) +- [Enterprise App Expiring Certificate Notifications](../manage-apps/manage-certificates-for-federated-single-sign-on.md#add-email-notification-addresses-for-certificate-expiration) +- Enterprise App Provisioning Service Notifications ++Refer to the following table to learn the type of notifications that are sent and where to check for them: ++| Notification source | What is sent | Where to check | +|:-|:-|:-| +| Technical contact | Sync errors | Azure portal - properties blade | +| Message Center | Incident and degradation notices of Identity Services and Microsoft 365 backend services | Office Portal | +| Identity Protection Weekly Digest | Identity Protection Digest | Azure AD Identity Protection blade | +| Azure AD Connect Health | Alert notifications | Azure portal - Azure AD Connect Health blade | +| Enterprise Applications Notifications | Notifications when certificates are about to expire and provisioning errors | Azure portal - Enterprise Application blade (each app has its own email address setting) | ++#### Notifications recommended reading ++- [Change your organization's address, technical contact, and more](/office365/admin/manage/change-address-contact-and-more) ++## Operational surface area ++### AD FS lockdown ++Organizations, which configure applications to authenticate directly to Azure AD benefit from [Azure AD smart 
lockout](../authentication/concept-sspr-howitworks.md). If you use AD FS in Windows Server 2012 R2, implement AD FS [extranet lockout protection](/windows-server/identity/ad-fs/operations/configure-ad-fs-extranet-soft-lockout-protection). If you use AD FS on Windows Server 2016 or later, implement [extranet smart lockout](https://support.microsoft.com/help/4096478/extranet-smart-lockout-feature-in-windows-server-2016). At a minimum, we recommend you enable extranet lockout to contain the risk of brute force attacks against on-premises Active Directory. However, if you have AD FS in Windows 2016 or higher, you should also enable extranet smart lockout that will help to mitigate [password spray](https://www.microsoft.com/microsoft-365/blog/2018/03/05/azure-ad-and-adfs-best-practices-defending-against-password-spray-attacks/) attacks. ++If AD FS is only used for Azure AD federation, there are some endpoints that can be turned off to minimize the attack surface area. For example, if AD FS is only used for Azure AD, you should disable WS-Trust endpoints other than the endpoints enabled for **usernamemixed** and **windowstransport**. ++### Access to machines with on-premises identity components ++Organizations should lock down access to the machines with on-premises hybrid components in the same way as your on-premises domain. For example, a backup operator or Hyper-V administrator shouldn't be able to log in to the Azure AD Connect Server to change rules. ++The Active Directory administrative tier model was designed to protect identity systems using a set of buffer zones between full control of the Environment (Tier 0) and the high-risk workstation assets that attackers frequently compromise. 
++![Diagram showing the three layers of the Tier model](./media/ops-guide-auth/ops-img18.png) ++The [tier model](/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material) is composed of three levels and only includes administrative accounts, not standard user accounts. ++- **Tier 0** - Direct Control of enterprise identities in the environment. Tier 0 includes accounts, groups, and other assets that have direct or indirect administrative control of the Active Directory forest, domains, or domain controllers, and all the assets in it. The security sensitivity of all Tier 0 assets is equivalent as they're all effectively in control of each other. +- **Tier 1** - Control of enterprise servers and applications. Tier 1 assets include server operating systems, cloud services, and enterprise applications. Tier 1 administrator accounts have administrative control of a significant amount of business value that is hosted on these assets. A common example role is server administrators who maintain these operating systems with the ability to impact all enterprise services. +- **Tier 2** - Control of user workstations and devices. Tier 2 administrator accounts have administrative control of a significant amount of business value that is hosted on user workstations and devices. Examples include Help Desk and computer support administrators because they can impact the integrity of almost any user data. ++Lock down access to on-premises identity components such as Azure AD Connect, AD FS, and SQL services the same way as you do for domain controllers. ++## Summary ++There are seven aspects to a secure Identity infrastructure. This list will help you find the actions you should take to optimize the operations for Azure Active Directory (Azure AD). ++- Assign owners to key tasks. +- Automate the upgrade process for on-premises hybrid components. +- Deploy Azure AD Connect Health for monitoring and reporting of Azure AD Connect and AD FS. 
+- Monitor the health of on-premises hybrid components by archiving and analyzing the component agent logs using System Center Operations Manager or a SIEM solution. +- Implement security improvements by measuring your security posture with Identity Secure Score. +- Lock down AD FS. +- Lock down access to machines with on-premises identity components. ++## Next steps ++Refer to the [Azure AD deployment plans](active-directory-deployment-plans.md) for implementation details on any capabilities you haven't deployed. |
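Review bot: in the AD FS lockdown section, the link text "Azure AD smart lockout" points at concept-sspr-howitworks.md, which is the self-service password reset article; the reference should target the smart lockout article (howto-password-smart-lockout.md in the same authentication folder) so readers land on the feature the sentence is about. The WS-Trust guidance says which endpoints to keep (usernamemixed and windowstransport) but not why; one clause noting that those two are the endpoints Azure AD federation and Azure AD Connect use would keep readers from disabling them along with the rest. Style points in the same hunk: "Organizations, which configure applications to authenticate directly to Azure AD benefit from" should read "Organizations that configure ..." (restrictive clause, no comma), and in the notification list "Enterprise App Provisioning Service Notifications" is the only entry without a link, although the table below sends readers to the Enterprise Application blade for it; either link it or state that it is configured per application.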
active-directory | Secure With Azure Ad Best Practices | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/secure-with-azure-ad-best-practices.md | When designing isolated environments, it's important to consider the following p * **Directory-level role assignments** - Avoid or reduce numbers of directory-level role assignments (User Administrator on directory scope instead of AU-scoping) or service-specific directory roles with control plane actions (Knowledge Admin with permissions to manage security group memberships). -In addition to the guidance in the [Azure Active Directory general operations guide](../fundamentals/active-directory-ops-guide-ops.md), we also recommend the following considerations for isolated environments. +In addition to the guidance in the [Azure Active Directory general operations guide](../fundamentals/ops-guide-ops.md), we also recommend the following considerations for isolated environments. ## Human identity provisioning We recommend you use security groups to grant access to Microsoft services that Azure AD cloud native groups can be natively governed from the cloud when combined with [Azure AD access reviews](../governance/access-reviews-overview.md) and [Azure AD entitlement management](../governance/access-reviews-overview.md). Organizations who already have on-premises group governance tools can continue to use those tools and rely on identity synchronization with Azure AD Connect to reflect group membership changes. -Azure AD also supports direct user assignment to third-party SaaS services (for example, Salesforce, Service Now) for single sign-on and identity provisioning. Direct assignments to resources can be natively governed from the cloud when combined with [Azure AD access reviews](../governance/access-reviews-overview.md) and [Azure AD entitlement management](../fundamentals/active-directory-ops-guide-ops.md). 
Direct assignment might be a good fit for end-user facing assignment. +Azure AD also supports direct user assignment to third-party SaaS services (for example, Salesforce, Service Now) for single sign-on and identity provisioning. Direct assignments to resources can be natively governed from the cloud when combined with [Azure AD access reviews](../governance/access-reviews-overview.md) and [Azure AD entitlement management](../fundamentals/ops-guide-ops.md). Direct assignment might be a good fit for end-user facing assignment. Some scenarios might require granting access to on-premises resources through on-premises Active Directory security groups. For those cases, consider the synchronization cycle to Azure AD when designing processes SLA. Below are some considerations when designing a governed subscription lifecycle p ## Operations -The following are additional operational considerations for Azure AD, specific to multiple isolated environments. Check the [Azure Cloud Adoption Framework](/azure/cloud-adoption-framework/manage/), the [Microsoft cloud security benchmark](/security/benchmark/azure/) and [Azure AD Operations guide](./active-directory-ops-guide-ops.md) for detailed guidance to operate individual environments. +The following are additional operational considerations for Azure AD, specific to multiple isolated environments. Check the [Azure Cloud Adoption Framework](/azure/cloud-adoption-framework/manage/), the [Microsoft cloud security benchmark](/security/benchmark/azure/) and [Azure AD Operations guide](./ops-guide-ops.md) for detailed guidance to operate individual environments. ### Cross-environment roles and responsibilities |
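Review bot: in the human identity provisioning hunk, the updated sentence keeps the link text "Azure AD entitlement management" while pointing it at ../fundamentals/ops-guide-ops.md, and the unchanged sentence just above links the same text to ../governance/access-reviews-overview.md; neither target is the entitlement management article, so both should point at ../governance/entitlement-management-overview.md. The other link swaps from active-directory-ops-guide-ops.md to ops-guide-ops.md in this change are consistent with each other.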
active-directory | Whats New | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/whats-new.md | For listing your application in the Azure AD app gallery, please read the detail **Service category:** MFA **Product capability:** Identity Security & Protection -We have improved My Sign-ins and My Security-Info to give you more clarity on the types of Microsoft Authenticator other Authenticator apps a user has registered. Users will now see Microsoft Authenticator registrations with additional information showing the app as being registered as Push-based MFA or Password-less phone sign-in (PSI) and for other Authenticator apps (Software OATH) we now indicate they're registered as a Time-based One-time password method. For more information, see: [Set up the Microsoft Authenticator app as your verification method](https://support.microsoft.com/account-billing/set-up-the-microsoft-authenticator-app-as-your-verification-method-33452159-6af9-438f-8f82-63ce94cf3d29). +We have improved My Sign-ins and My Security-Info to give you more clarity on the types of Microsoft Authenticator or other Authenticator apps a user has registered. Users will now see Microsoft Authenticator registrations with additional information showing the app as being registered as Push-based MFA or Password-less phone sign-in (PSI) and for other Authenticator apps (Software OATH) we now indicate they're registered as a Time-based One-time password method. For more information, see: [Set up the Microsoft Authenticator app as your verification method](https://support.microsoft.com/account-billing/set-up-the-microsoft-authenticator-app-as-your-verification-method-33452159-6af9-438f-8f82-63ce94cf3d29). |
active-directory | How To Connect Health Operations | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-connect-health-operations.md | You can configure the Azure AD Connect Health service to send email notification >[!NOTE] > When there are issues processing synchronization requests in our backend service, this service sends a notification email with the details of the error to the administrative contact email address(es) of your tenant. We heard feedback from customers that in certain cases the volume of these messages is prohibitively large so we are changing the way we send these messages. >-> Instead of sending a message for every sync error every time it occurs we will send out a daily digest of all errors the backend service has returned. This enables customers to process these errors in a more efficient manner and reduces the number of duplicate error messages. +> Instead of sending a message for every sync error every time it occurs we will send out a daily digest of all errors the backend service has returned. Sync error emails are sent once a day, based on the previous day's unresolved errors. So if the customer triggers an error, but resolves it fairly quickly, they will not get an email the following day. This enables customers to process these errors in a more efficient manner and reduces the number of duplicate error messages. ## Delete a server or service instance |
active-directory | Cloudflare Conditional Access Policies | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/cloudflare-conditional-access-policies.md | Enforce Conditional Access policies on a Cloudflare Access application. * [What is Conditional Access?](../conditional-access/overview.md) * [Secure Hybrid Access with Azure AD partner integrations](secure-hybrid-access-integrations.md)-* [Tutorial: Configure Cloudflare with Azure AD for secure hybrid access](cloudflare-azure-ad-integration.md) +* [Tutorial: Configure Cloudflare with Azure AD for secure hybrid access](cloudflare-integration.md) |
active-directory | Cloudflare Integration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/cloudflare-integration.md | + + Title: Configure Cloudflare with Azure Active Directory for secure hybrid access +description: In this tutorial, learn how to integrate Cloudflare with Azure AD for secure hybrid access +++++++ Last updated : 05/02/2023++++++# Tutorial: Configure Cloudflare with Azure Active Directory for secure hybrid access ++In this tutorial, learn to integrate Azure Active Directory (Azure AD) with Cloudflare Zero Trust. Build rules based on user identity and group membership. Users authenticate with Azure AD credentials and connect to Zero Trust protected applications. ++## Prerequisites ++* An Azure AD subscription + * If you don't have one, get an [Azure free account](https://azure.microsoft.com/free/) +* An Azure AD tenant linked to the Azure AD subscription + * See, [Quickstart: Create a new tenant in Azure AD](../fundamentals/active-directory-access-create-new-tenant.md) +* A Cloudflare Zero Trust account + * If you don't have one, go to [Get started with Cloudflare's Zero Trust platform](https://dash.cloudflare.com/sign-up/teams) ++## Integrate organization identity providers with Cloudflare Access ++Cloudflare Zero Trust Access helps enforce default-deny, Zero Trust rules that limit access to corporate applications, private IP spaces, and hostnames. This feature connects users faster and safer than a virtual private network (VPN). Organizations can use multiple identity providers (IdPs), reducing friction when working with partners or contractors. ++To add an IdP as a sign-in method, sign in to Cloudflare on the [Cloudflare sign in page](https://dash.teams.cloudflare.com/) and Azure AD. ++The following architecture diagram shows the integration. 
++ ![Diagram of the Cloudflare and Azure AD integration architecture.](./media/cloudflare-integration/cloudflare-architecture-diagram.png) ++## Integrate a Cloudflare Zero Trust account with Azure AD ++Integrate Cloudflare Zero Trust account with an instance of Azure AD. ++1. Sign in to the Cloudflare Zero Trust dashboard on the [Cloudflare sign in page](https://dash.teams.cloudflare.com/). +2. Navigate to **Settings**. +3. Select **Authentication**. +4. For **Login methods**, select **Add new**. ++ ![Screenshot of the Login methods option on Authentication.](./media/cloudflare-integration/login-methods.png) ++5. Under **Select an identity provider**, select **Azure AD.** ++ ![Screenshot of the Azure AD option under Select an identity provider.](./media/cloudflare-integration/idp.png) ++6. The **Add Azure ID** dialog appears. +7. Enter Azure AD instance credentials and make needed selections. ++ ![Screenshot of options and selections for Add Azure AD.](./media/cloudflare-integration/add-idp.png) ++8. Select **Save**. ++## Register Cloudflare with Azure AD ++Use the instructions in the following three sections to register Cloudflare with Azure AD. ++1. Sign in to the [Azure portal](https://portal.azure.com/). +2. Under **Azure Services**, select **Azure Active Directory**. +3. In the left menu, under **Manage**, select **App registrations**. +4. Select the **+ New registration** tab. +5. Enter an application **Name** +6. Enter a team name with **callback** at the end of the path. For example, `https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/callback` +7. Select **Register**. ++See the [team domain](https://developers.cloudflare.com/cloudflare-one/glossary#team-domain) definition in the Cloudflare Glossary. ++ ![Screenshot of options and selections for Register an application.](./media/cloudflare-integration/register-application.png) ++### Certificates & secrets ++1. 
On the **Cloudflare Access** screen, under **Essentials**, copy and save the Application (Client) ID and the Directory (Tenant) ID. ++ [![Screenshot of the Cloudflare Access screen.](./media/cloudflare-integration/cloudflare-access.png)](./media/cloudflare-integration/cloudflare-access.png#lightbox) +++++2. In the left menu, under **Manage**, select **Certificates & secrets**. ++ ![Screenshot of the certificates and secrets screen.](./media/cloudflare-integration/add-client-secret.png) ++3. Under **Client secrets**, select **+ New client secret**. +4. In **Description**, enter the Client Secret. +5. Under **Expires**, select an expiration. +6. Select **Add**. +7. Under **Client secrets**, from the **Value** field, copy the value. Consider the value an application password. The example value appears, Azure values appear in the Cloudflare Access configuration. ++ ![Screenshot of Client secrets input.](./media/cloudflare-integration/cloudflare-access-configuration.png) ++### Permissions ++1. In the left menu, select **API permissions**. +2. Select **+ Add a permission**. +3. Under **Select an API**, select **Microsoft Graph**. ++ ![Screenshot of the Microsoft Graph option under Request API permissions.](./media/cloudflare-integration/microsoft-graph.png) ++4. Select **Delegated permissions** for the following permissions: ++ * Email + * openid + * profile + * offline_access + * user.read + * directory.read.all + * group.read.all +++5. Under **Manage**, select **+ Add permissions**. ++ [![Screenshot options and selections for Request API permissions.](./media/cloudflare-integration/request-api-permissions.png)](./media/cloudflare-integration/request-api-permissions.png#lightbox) ++++6. Select **Grant Admin Consent for ...**. ++ [![Screenshot of configured permissions under API permissions.](./media/cloudflare-integration/grant-admin-consent.png)](./media/cloudflare-integration/grant-admin-consent.png#lightbox) ++++7. 
On the Cloudflare Zero Trust dashboard, navigate to **Settings > Authentication**. +8. Under **Login methods**, select **Add new**. +9. Select **Azure AD**. +10. Enter values for **Application ID**, **Application Secret**, and **Directory ID**. +11. Select **Save**. ++ >[!NOTE] + >For Azure AD groups, in **Edit your Azure AD identity provider**, for **Support Groups** select **On**. ++## Test the integration ++1. On the Cloudflare Zero Trust dashboard, navigate to **Settings** > **Authentication**. +2. Under **Login methods**, for Azure AD select **Test**. ++ ![Screenshot of login methods.](./media/cloudflare-integration/login-methods-test.png) ++3. Enter Azure AD credentials. +4. The **Your connection works** message appears. ++ ![Screenshot of the Your connection works message.](./media/cloudflare-integration/connection-success-screen.png) +++## Next steps ++- Go to developer.cloudflare.com for [Integrate SSO](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/) +- [Tutorial: Configure Conditional Access policies for Cloudflare Access](cloudflare-conditional-access-policies.md) +- [Tutorial: Configure Cloudflare Web Application Firewall with Azure AD B2C](../../active-directory-b2c/partner-cloudflare.md) |
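Review bot: under Certificates & secrets, step 4 ("In Description, enter the Client Secret") is wrong: the Description field takes a label for the secret, and the secret value itself is generated by Azure and copied in step 7, so step 4 should tell the reader to enter a description. In the registration steps, step 6 gives the callback URL but never names the field it belongs in; say that it goes in the Redirect URI field, since the sign-in fails when the callback Cloudflare sends does not match the registered value exactly. Step 6 of the Zero Trust section calls the dialog "Add Azure ID"; the product is Azure AD. Step 7 under Certificates & secrets ("The example value appears, Azure values appear in the Cloudflare Access configuration") needs rewording, and because step 5 lets the reader pick any expiration, add that the Cloudflare login method stops working when the client secret expires, so the expiry date should be tracked and the secret rotated in both Azure AD and the Cloudflare login method before then. Under Permissions, the list mixes "Email" with lowercase scope names; use email to match the others.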
active-directory | Datawiza Sso Mfa Oracle Ebs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/datawiza-sso-mfa-oracle-ebs.md | + + Title: Configure Datawiza for Azure Active Directory Multi-Factor Authentication and single sign-on to Oracle EBS +description: Learn how to enable Azure AD Multi-Factor Authentication and SSO for an Oracle E-Business Suite application via Datawiza. +++++++ Last updated : 01/26/2023++++++# Configure Datawiza for Azure AD Multi-Factor Authentication and single sign-on to Oracle EBS ++In this article, learn how to enable Azure Active Directory (Azure AD) Multi-Factor Authentication and single sign-on (SSO) for an Oracle E-Business Suite (Oracle EBS) application via Datawiza. ++Here are some benefits of integrating applications with Azure AD via Datawiza: ++* A [Zero Trust](https://www.microsoft.com/security/business/zero-trust) security model adapts to modern environments and embraces a hybrid workplace while it helps protect people, devices, apps, and data. +* [Single sign-on](https://azure.microsoft.com/solutions/active-directory-sso/#overview) provides secure and seamless access for device users and apps from any location. +* [Multi-Factor Authentication](../authentication/concept-mfa-howitworks.md) prompts users during sign-in for forms of identification, such as a code on their device or a fingerprint scan. +* [Conditional Access](../conditional-access/overview.md) provides policies as if/then statements. If a user wants to access a resource, then they must complete an action. +* [Datawiza](https://www.microsoft.com/security/blog/2022/05/17/easy-authentication-and-authorization-in-azure-active-directory-with-no-code-datawiza/) provides authentication and authorization in Azure AD with no code. Use web applications such as Oracle JDE, Oracle EBS, Oracle Siebel, and home-grown apps. 
+* Use the [Datawiza Cloud Management Console](https://console.datawiza.com) (DCMC) to manage access to applications in public clouds and on-premises. ++This article focuses on modern identity providers (IdPs) integrating with the legacy Oracle EBS application. The application requires a set of Oracle EBS service account credentials and an Oracle EBS database container (DBC) file. ++## Architecture ++The solution has the following components: ++* **Azure AD**: Microsoft's cloud-based identity and access management service, which helps users sign in and access external and internal resources. +* **Oracle EBS**: The legacy application that Azure AD will help protect. +* **Datawiza Access Proxy (DAP)**: A lightweight container-based reverse proxy that implements OIDC/OAuth or SAML for user sign-on flow. It transparently passes identity to applications through HTTP headers. +* **DCMC**: A centralized management console that manages DAP. The console provides UI and RESTful APIs for administrators to manage the configurations of DAP and its granular access control policies. ++## Prerequisites ++To complete the steps in this article, you need: ++* An Azure subscription. If you don't have one, you can get an [Azure free account](https://azure.microsoft.com/free/). +* An Azure AD tenant linked to the Azure subscription. +* An account with Azure AD Application Administrator permissions. For more information, see [Azure AD built-in roles](../roles/permissions-reference.md). +* Docker and Docker Compose, to run DAP. For more information, see [Get Docker](https://docs.docker.com/get-docker/) and [Docker Compose Overview](https://docs.docker.com/compose/install/). +* User identities synchronized from an on-premises directory to Azure AD, or created in Azure AD and flowed back to your on-premises directory. For more information, see [Azure AD Connect sync: Understand and customize synchronization](../hybrid/how-to-connect-sync-whatis.md). +* An Oracle EBS environment. 
++## Configure the Oracle EBS environment for SSO and create the DBC file ++To enable SSO in the Oracle EBS environment: ++1. Sign in to the Oracle EBS management console as an administrator. +2. Scroll down the navigation pane, expand **User Management**, and then select **Users**. ++ [![Screenshot of the navigation pane in the Oracle EBS management console.](./media/datawiza-sso-mfa-oracle-ebs/navigator-user-management.png)](./media/datawiza-sso-mfa-oracle-ebs/navigator-user-management.png#lightbox) ++3. Add a user account. Select **Create User** > **User Account**. ++ [![Screenshot of selections for creating a user account.](./media/datawiza-sso-mfa-oracle-ebs/user-account.png)](./media/datawiza-sso-mfa-oracle-ebs/user-account.png#lightbox) ++4. For **User Name**, enter **DWSSOUSER**. +5. For **Password**, enter a password. +6. For **Description**, enter **DW User account for SSO**. +7. For **Password Expiration**, select **None**. +8. Assign **Apps Schema Connect Role** to the user. ++ [![Screenshot of selections to assign Apps Schema Connect Role in search results.](./media/datawiza-sso-mfa-oracle-ebs/assign-role.png)](./media/datawiza-sso-mfa-oracle-ebs/assign-role.png#lightbox) ++## Register DAP with Oracle EBS ++In the Oracle EBS Linux environment, generate a new DBC file for DAP. You need the app's user credentials and the default DBC file (under `$FND_SECURE`) that the application tier uses. ++1. Configure the environment for Oracle EBS by using a command similar to `./u01/install/APPS/EBSapps.env run`. +2. Use the AdminDesktop utility to generate the new DBC file. Specify the name of a new desktop node for this DBC file: ++ `java oracle.apps.fnd.security.AdminDesktop apps/apps CREATE NODE_NAME=\<ebs domain name> DBC=/u01/install/APPS/fs1/inst/apps/EBSDB_apps/appl/fnd/12.0.0/secure/EBSDB.dbc` ++ This action generates a file called `ebsdb_\<ebs domain name>.dbc` in the location where you ran the command. +3. Copy the DBC file's content to a notebook. 
You'll use the content later. ++## Enable Oracle EBS for SSO ++1. To integrate JDE with Azure AD, sign in to the [Datawiza Cloud Management Console](https://console.datawiza.com/). ++ The welcome page appears. +1. Select the orange **Getting started** button. ++ ![Screenshot of the button for getting started with an access proxy on the Datawiza Cloud Management Console.](./media/datawiza-sso-mfa-oracle-ebs/getting-started.png#lightbox) ++1. For **Name**, enter a name for the deployment. ++ [![Screenshot of the text box for a deployment name.](./media/datawiza-sso-mfa-oracle-ebs/deployment-name.png)](./media/datawiza-sso-mfa-oracle-ebs/deployment-name.png#lightbox) +1. For **Description**, enter a description of the deployment. +1. Select **Next**. ++1. On **Add Application**, for **Platform**, select **Oracle E-Business Suite**. +1. For **App Name**, enter the app name. +1. For **Public Domain**, enter the external-facing URL of the application. For example, enter `https://ebs-external.example.com`. You can use localhost DNS for testing. +1. For **Listen Port**, select the port that DAP listens on. You can use the port in **Public Domain** if you aren't deploying the DAP behind a load balancer. +1. For **Upstream Servers**, enter the URL and port combination of the Oracle EBS implementation that you want to protect. +1. For **EBS Service Account**, enter the username from the service account (**DWSSOUSER**). +1. For **EBS Account Password**, enter the password for the service account. +1. For **EBS User Mapping**, the product decides the attribute to be mapped to the Oracle EBS username for authentication. +1. For **EBS DBC Content**, use the content that you copied. +1. Select **Next**. 
++[![Screenshot of entries and selections for adding an application.](./media/datawiza-sso-mfa-oracle-ebs/add-application.png)](./media/datawiza-sso-mfa-oracle-ebs/add-application.png#lightbox) ++### IdP configuration ++Use the DCMC one-click integration to help you complete Azure AD configuration. With this feature, you can reduce management costs and the likelihood of configuration errors. ++[![Screenshot of entries and selections for configuring IdP.](./media/datawiza-sso-mfa-oracle-ebs/configure-idp.png)](./media/datawiza-sso-mfa-oracle-ebs/configure-idp.png#lightbox) ++### Docker Compose file ++Configuration on the management console is complete. You're prompted to deploy DAP with your application. Make a note of the deployment Docker Compose file. The file includes the DAP image, `PROVISIONING_KEY`, and `PROVISIONING_SECRET`. DAP uses this information to pull the latest configuration and policies from DCMC. ++![Screenshot of Docker information.](./media/datawiza-sso-mfa-oracle-ebs/docker-information.png) ++### SSL configuration ++1. For certificate configuration, select the **Advanced** tab on your application page. Then select **SSL** > **Edit**. ++ [![Screenshot of the tab for advanced settings.](./media/datawiza-sso-mfa-oracle-ebs/advanced-tab.png)](./media/datawiza-sso-mfa-oracle-ebs/advanced-tab.png#lightbox) ++2. Turn on the **Enable SSL** toggle. +3. For **Cert Type**, select a certificate type. ++ [![Screenshot of options for enabling SSL and selecting a certificate type.](./media/datawiza-sso-mfa-oracle-ebs/cert-type.png)](./media/datawiza-sso-mfa-oracle-ebs/cert-type.png#lightbox) ++ There's a self-signed certificate for localhost. To use that certificate for testing, select **Self Signed**. ++ [![Screenshot of the option to use a self-signed certificate.](./media/datawiza-sso-mfa-oracle-ebs/self-signed-cert-type.png)](./media/datawiza-sso-mfa-oracle-ebs/self-signed-cert-type.png#lightbox) ++ Optionally, you can upload a certificate from a file. 
For **Cert Type**, select **Upload**. Then, for **Select Option**, select **File Based**. ++ [![Screenshot of the option to upload a file-based certificate.](./media/datawiza-sso-mfa-oracle-ebs/file-based-cert-option.png)](./media/datawiza-sso-mfa-oracle-ebs/file-based-cert-option.png#lightbox) ++4. Select **Save**. ++### Optional: Enable Multi-Factor Authentication on Azure AD ++To provide more security for sign-ins, you can enable Multi-Factor Authentication in the Azure portal: ++1. Sign in to the Azure portal as a Global Administrator. +2. Select **Azure Active Directory** > **Manage** > **Properties**. +3. Under **Properties**, select **Manage security defaults**. ++ [![Screenshot of selections for managing security defaults.](./media/datawiza-sso-mfa-oracle-ebs/manage-security-defaults.png)](./media/datawiza-sso-mfa-oracle-ebs/manage-security-defaults.png#lightbox) ++4. Under **Enable security defaults**, select **Yes**. ++ [![Screenshot of selections for enabling security defaults.](./media/datawiza-sso-mfa-oracle-ebs/enable-security-defaults.png)](./media/datawiza-sso-mfa-oracle-ebs/enable-security-defaults.png#lightbox) ++5. Select **Save**. ++## Next steps ++- [Video: Enable SSO and MFA for Oracle JD Edwards with Azure AD via Datawiza](https://www.youtube.com/watch?v=_gUGWHT5m90) +- [Tutorial: Configure Secure Hybrid Access with Azure AD and Datawiza](./datawiza-with-azure-ad.md) +- [Tutorial: Configure Azure AD B2C with Datawiza to provide secure hybrid access](../../active-directory-b2c/partner-datawiza.md) +- [Datawiza user guides](https://docs.datawiza.com/) |
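Review bot: in the Register DAP with Oracle EBS steps, the AdminDesktop command passes apps/apps as the schema username and password on the command line, and the text never says these are placeholders for the real APPS credentials; say so, and note that a password given as a command argument ends up in shell history and is visible to other users in the process list, so it should be supplied another way or cleared from history afterwards. Step 1's `./u01/install/APPS/EBSapps.env run` executes the file rather than sourcing it; the environment script has to be sourced (`. /u01/install/APPS/EBSapps.env run`) for its variables, including the $FND_SECURE referenced just above, to apply to the shell. Under Enable Oracle EBS for SSO, step 1 says "To integrate JDE with Azure AD"; this article is about Oracle EBS, and JDE is a separate product named only in the benefits list. Step 7 of the service account setup sets Password Expiration to None, and step 3 of the DBC section tells the reader to paste the DBC content into a notebook; both the DWSSOUSER password and the DBC file, which the article itself lists alongside the service account credentials as what the integration requires, should be described as secrets to keep in a vault, in the same way as the PROVISIONING_KEY and PROVISIONING_SECRET mentioned in the Docker Compose section.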
active-directory | Secure Hybrid Access | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/secure-hybrid-access.md | The following partners offer solutions to support [Conditional Access policies p ||| |Akamai Technologies|[Tutorial: Azure AD SSO integration with Akamai](../saas-apps/akamai-tutorial.md)| |Citrix Systems, Inc.|[Tutorial: Azure AD SSO integration with Citrix ADC SAML Connector for Azure AD (Kerberos-based authentication)](../saas-apps/citrix-netscaler-tutorial.md)|-|Cloudflare, Inc.|[Tutorial: Configure Cloudflare with Azure AD for secure hybrid access](cloudflare-azure-ad-integration.md)| +|Cloudflare, Inc.|[Tutorial: Configure Cloudflare with Azure AD for secure hybrid access](cloudflare-integration.md)| |Datawiza|[Tutorial: Configure Secure Hybrid Access with Azure AD and Datawiza](datawiza-with-azure-ad.md)| |F5, Inc.|[Integrate F5 BIG-IP with Azure AD](f5-aad-integration.md)</br>[Tutorial: Configure F5 BIG-IP SSL-VPN for Azure AD SSO](f5-aad-password-less-vpn.md)| |Progress Software Corporation, Progress Kemp|[Tutorial: Azure AD SSO integration with Kemp LoadMaster Azure AD integration](../saas-apps/kemp-tutorial.md)| |
active-directory | Whats New Docs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/whats-new-docs.md | Welcome to what's new in Azure Active Directory (Azure AD) application managemen - [Manage app consent policies](manage-app-consent-policies.md) - [Configure permission classifications](configure-permission-classifications.md) - [Disable user sign-in for an application](disable-user-sign-in-portal.md)-- [Configure Datawiza for Azure AD Multi-Factor Authentication and single sign-on to Oracle EBS](datawiza-azure-ad-sso-mfa-oracle-ebs.md)+- [Configure Datawiza for Azure AD Multi-Factor Authentication and single sign-on to Oracle EBS](datawiza-sso-mfa-oracle-ebs.md) |
active-directory | Reference Azure Ad Sla Performance | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/reference-azure-ad-sla-performance.md | The SLA attainment is truncated at three places after the decimal. Numbers aren' | February | 99.999% | 99.999% | 99.999% | | March | 99.568% | 99.998% | 99.999% | | April | 99.999% | 99.999% | 99.999% |-| May | 99.999% | 99.999% | | +| May | 99.999% | 99.999% | 99.999% | | June | 99.999% | 99.999% | | | July | 99.999% | 99.999% | | | August | 99.999% | 99.999% | | |
active-directory | 8X8virtualoffice Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/8x8virtualoffice-tutorial.md | The next part of the tutorial depends on what kind of subscription you have with ### Configure 8x8 Admin Console -1. To automate the configuration within 8x8, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. -- ![My apps extension](common/install-myappssecure-extension.png) --1. After adding extension to the browser, click on **Set up 8x8** will direct you to the 8x8 application. From there, provide the admin credentials to sign into 8x8. The browser extension will automatically configure the application for you and automate steps 3-6. -- ![Setup configuration](common/setup-sso.png) --1. If you want to setup 8x8 manually, sign in to 8x8 [Admin Console](https://admin.8x8.com/) as an administrator. +1. In a different web browser window, sign in to the 8x8 [Admin Console](https://admin.8x8.com/) as an administrator. 1. From the home page click **Identity Management**. |
active-directory | Acquireio Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/acquireio-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a ## Configure AcquireIO SSO -1. To automate the configuration within AcquireIO, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. - ![My apps extension](common/install-myappssecure-extension.png) -1. After adding the extension to the browser, click **Set up AcquireIO**, which directs you to the AcquireIO application. From there, provide the admin credentials to sign in to AcquireIO. The browser extension will automatically configure the application for you and automate steps 3-6. - ![Setup configuration](common/setup-sso.png) --1. If you want to set up AcquireIO manually, in a different web browser window, sign in to AcquireIO as an Administrator. +1. In a different web browser window, sign in to your up AcquireIO company site as an administrator 1. From the left side of menu, click on **App Store**. |
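Review bot: the replacement step reads "sign in to your up AcquireIO company site as an administrator"; "up" is a leftover from "set up" and the sentence lacks its closing period. Also, the removed text said the extension automated "steps 3-6"; with those three steps gone, check that any later step in the file that refers to those numbers has been renumbered.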
active-directory | Adobe Identity Management Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/adobe-identity-management-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a ## Configure Adobe Identity Management (SAML) SSO -1. To automate the configuration within Adobe Identity Management (SAML), you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. - ![My apps extension](common/install-myappssecure-extension.png) -2. After adding extension to the browser, click on **Set up Adobe Identity Management (SAML)** will direct you to the Adobe Identity Management (SAML) application. From there, provide the admin credentials to sign into Adobe Identity Management (SAML). The browser extension will automatically configure the application for you and automate steps 3-8. - ![Setup configuration](common/setup-sso.png) --3. If you want to setup Adobe Identity Management (SAML) manually, in a different web browser window, sign in to your Adobe Identity Management (SAML) company site as an administrator. +1. In a different web browser window, sign in to your Adobe Identity Management (SAML) company site as an administrator 4. Go to the **Settings** tab and click on **Create Directory**. |
active-directory | Adpfederatedsso Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/adpfederatedsso-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a ## Configure ADP SSO -1. To automate the configuration within ADP, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. - ![My apps extension](common/install-myappssecure-extension.png) -1. After adding extension to the browser, click on **Set up ADP** will direct you to the ADP application. From there, provide the admin credentials to sign in to ADP. The browser extension will automatically configure the application for you and automate steps 3-7. - ![Setup configuration](common/setup-sso.png) --1. If you want to set up ADP manually, open a new web browser window and sign in to your ADP company site as an administrator and perform the following steps: +1. In a different web browser window, sign in to your up ADP company site as an administrator 1. Click **Federation Setup** and go to **Identity Provider** then, select the **Microsoft Azure**. |
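Review bot: same stray word as in the other tutorials in this batch: "sign in to your up ADP company site as an administrator". Remove "up" and add the terminating period. Since the removed line ended with "and perform the following steps:", the new line should either keep that lead-in or end with a period; as written it runs straight into the next numbered item.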
active-directory | Aha Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/aha-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a ## Configure Aha! SSO -1. To automate the configuration within Aha!, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. - ![My apps extension](common/install-myappssecure-extension.png) -2. After adding extension to the browser, click on **Setup Aha!** will direct you to the Aha! application. From there, provide the admin credentials to sign into Aha!. The browser extension will automatically configure the application for you and automate steps 3-8. - ![Setup configuration](common/setup-sso.png) --3. If you want to setup Aha! manually, open a new web browser window and sign into your Aha! company site as an administrator and perform the following steps: +1. In a different web browser window, sign in to your Aha! company site as an administrator 4. In the menu on the top, click **Settings**. |
active-directory | Alertops Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/alertops-tutorial.md | In this section, you'll enable Britta Simon to use Azure single sign-on by grant ## Configure AlertOps SSO -1. To automate the configuration within AlertOps, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. - ![My apps extension](common/install-myappssecure-extension.png) -2. After adding extension to the browser, click on **Setup AlertOps** will direct you to the AlertOps application. From there, provide the admin credentials to sign into AlertOps. The browser extension will automatically configure the application for you and automate steps 3-5. - ![Setup configuration](common/setup-sso.png) --3. If you want to setup AlertOps manually, open a new web browser window and sign into your AlertOps company site as an administrator and perform the following steps: +1. In a different web browser window, sign in to your AlertOps company site as an administrator 4. Click on the **Account settings** from the user profile. |
active-directory | Amazon Business Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/amazon-business-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a ## Configure Amazon Business SSO -1. To automate the configuration within Amazon Business, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. - ![My apps extension](common/install-myappssecure-extension.png) -1. After adding extension to the browser, click on **Set up Amazon Business** will direct you to the Amazon Business Single Sign-On application. From there, provide the admin credentials to sign in to Amazon Business Single Sign-On. The browser extension will automatically configure the application for you and automate steps 3-17. - ![Setup configuration](common/setup-sso.png) --1. If you want to set up Amazon Business manually, in a different web browser window, sign in to your Amazon Business company site as an administrator. +1. In a different web browser window, sign in to your up Amazon Business company site as an administrator 1. Click on the **User Profile** and select **Business Settings**. |
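Review bot: "sign in to your up Amazon Business company site" has the stray "up" again and no terminating period. Suggest "In a different web browser window, sign in to your Amazon Business company site as an administrator."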
active-directory | Amplitude Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/amplitude-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a ## Configure Amplitude SSO -1. To automate the configuration within Amplitude, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. - ![My apps extension](common/install-myappssecure-extension.png) -1. After adding extension to the browser, click on **Set up Amplitude** will direct you to the Amplitude application. From there, provide the admin credentials to sign into Amplitude. The browser extension will automatically configure the application for you and automate steps 3-6. - ![Setup configuration](common/setup-sso.png) --1. If you want to setup Amplitude manually, open a new web browser window and sign into your Amplitude company site as an administrator and perform the following steps: +1. In a different web browser window, sign in to your Amplitude company site as an administrator 1. Click on the **Plan Admin** from the left navigation bar. |
active-directory | Appraisd Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/appraisd-tutorial.md | In this section, you'll enable B. Simon to use Azure single sign-on by granting ## Configure Appraisd SSO -1. To automate the configuration within Appraisd, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. - ![My apps extension](common/install-myappssecure-extension.png) -2. After adding extension to the browser, click on **Setup Appraisd** will direct you to the Appraisd application. From there, provide the admin credentials to sign into Appraisd. The browser extension will automatically configure the application for you and automate steps 3-7. - ![Setup configuration](common/setup-sso.png) --3. If you want to setup Appraisd manually, open a new web browser window and sign into your Appraisd company site as an administrator and perform the following steps: +1. In a different web browser window, sign in to your Appraisd company site as an administrator 4. On the top right of the page, click on **Settings** icon, then navigate to **Configuration**. |
active-directory | Arcgis Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/arcgis-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a ## Configure ArcGIS Online SSO -1. To automate the configuration within ArcGIS Online, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. - ![My apps extension](common/install-myappssecure-extension.png) -1. After adding extension to the browser, click on **Set up ArcGIS Online** will direct you to the ArcGIS Online application. From there, provide the admin credentials to sign in to ArcGIS Online. The browser extension will automatically configure the application for you and automate steps 3-7. - ![Setup configuration](common/setup-sso.png) --1. If you want to setup ArcGIS Online manually, open a new web browser window and log into your ArcGIS Online company site as an administrator and perform the following steps: +1. In a different web browser window, sign in to your ArcGIS Online company site as an administrator 2. Go to the **Organization** -> **Settings**. |
active-directory | Arcgisenterprise Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/arcgisenterprise-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a ## Configure ArcGIS Enterprise SSO -1. To automate the configuration within ArcGIS Enterprise, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. - ![My apps extension](common/install-myappssecure-extension.png) -1. After adding extension to the browser, click on **Set up ArcGIS Enterprise** will direct you to the ArcGIS Enterprise application. From there, provide the admin credentials to sign into ArcGIS Enterprise. The browser extension will automatically configure the application for you and automate steps 3-7. - ![Setup configuration](common/setup-sso.png) --1. If you want to setup ArcGIS Enterprise manually, log in to your ArcGIS Enterprise company site as an administrator. +1. In a different web browser window, sign in to your ArcGIS Enterprise company site as an administrator 1. Select **Organization >EDIT SETTINGS**. |
active-directory | Askyourteam Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/askyourteam-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a ## Configure AskYourTeam SSO -1. To automate the configuration within AskYourTeam, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. - ![My apps extension](common/install-myappssecure-extension.png) -2. After adding extension to the browser, click on **Set up AskYourTeam** will direct you to the AskYourTeam application. From there, provide the admin credentials to sign into AskYourTeam. The browser extension will automatically configure the application for you and automate steps 3-7. - ![Setup configuration](common/setup-sso.png) --3. If you want to setup AskYourTeam manually, in a different web browser window, sign in to your AskYourTeam company site as an administrator. +1. In a different web browser window, sign in to your AskYourTeam company site as an administrator 1. Click on the **My Organization**. |
active-directory | Atlassian Cloud Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/atlassian-cloud-tutorial.md | To configure and test Azure AD SSO with Atlassian Cloud, perform the following s Follow these steps to enable Azure AD SSO in the Azure portal. -1. To automate the configuration within Atlassian Cloud, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. -- ![My apps extension](common/install-myappssecure-extension.png) --1. After adding extension to the browser, click on **Set up Atlassian Cloud** will direct you to the Atlassian Cloud application. From there, provide the admin credentials to sign into Atlassian Cloud. The browser extension will automatically configure the application for you. -- ![Setup configuration](common/setup-sso.png) --1. If you want to set up Atlassian Cloud manually, log in to your Atlassian Cloud company site as an administrator and perform the following steps. +1. In a different web browser window, sign in to your up Atlassian Cloud company site as an administrator 1. In the **ATLASSIAN Admin** portal, navigate to **Security** > **Identity providers** > **Microsoft Azure AD**. |
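Review bot: "sign in to your up Atlassian Cloud company site" carries the stray "up" and is missing its period. The removed line ended with "and perform the following steps."; keeping that lead-in (or at least a period) would make the transition into the **ATLASSIAN Admin** portal step read cleanly.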
active-directory | Aws Single Sign On Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/aws-single-sign-on-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a ## Configure AWS IAM Identity Center SSO -1. To automate the configuration within AWS IAM Identity Center, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. - ![My apps extension](common/install-myappssecure-extension.png) -2. After adding extension to the browser, click on **Set up AWS IAM Identity Center** will direct you to the AWS IAM Identity Center application. From there, provide the admin credentials to sign into AWS IAM Identity Center. The browser extension will automatically configure the application for you and automate steps 3-10. - ![Setup configuration](common/setup-sso.png) --3. If you want to setup AWS IAM Identity Center manually, in a different web browser window, sign in to your AWS IAM Identity Center company site as an administrator. +1. In a different web browser window, sign in to your AWS IAM Identity Center company site as an administrator 1. Go to the **Services -> Security, Identity, & Compliance -> AWS IAM Identity Center**. 2. In the left navigation pane, choose **Settings**. |
active-directory | Box Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/box-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a ## Configure Box SSO -1. To automate the configuration within Box, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. -- ![My apps extension](common/install-myappssecure-extension.png) --2. After adding extension to the browser, click on **Set up Box** will direct you to the Box application. From there, provide the admin credentials to sign into Box. The browser extension will automatically configure the application for you and automate step 3. -- ![Setup configuration](common/setup-sso.png) --3. If you want to setup Box manually, in a different web browser window, sign in to your Box company site as an administrator and follow the procedure in [Set up SSO on your own](https://community.box.com/t5/How-to-Guides-for-Admins/Setting-Up-Single-Sign-On-SSO-for-your-Enterprise/ta-p/1263#ssoonyourown). +1. In a different web browser window, sign in to your Box company site as an administrator and follow the procedure in [Set up SSO on your own](https://community.box.com/t5/How-to-Guides-for-Admins/Setting-Up-Single-Sign-On-SSO-for-your-Enterprise/ta-p/1263#ssoonyourown). > [!NOTE] > If you are unable to configure the SSO settings for your Box account, you need to send the downloaded **Federation Metadata XML** to [Box support team](https://community.box.com/t5/custom/page/page-id/submit_sso_questionaire). They set this setting to have the SAML SSO connection set properly on both sides. |
active-directory | Cakehr Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/cakehr-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a ## Configure CakeHR SSO -1. To automate the configuration within CakeHR, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. - ![My apps extension](common/install-myappssecure-extension.png) -1. After adding extension to the browser, click on **Set up CakeHR** will direct you to the CakeHR application. From there, provide the admin credentials to sign into CakeHR. The browser extension will automatically configure the application for you and automate steps 3-5. - ![Setup configuration](common/setup-sso.png) --1. If you want to setup CakeHR manually, open a new web browser window and sign into your CakeHR company site as an administrator and perform the following steps: +1. In a different web browser window, sign in to your CakeHR company site as an administrator 1. On the top-right corner of the page, click on **Profile** and then navigate to **Settings**. |
active-directory | Carbonite Endpoint Backup Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/carbonite-endpoint-backup-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a ## Configure Carbonite Endpoint Backup SSO -1. To automate the configuration within Carbonite Endpoint Backup, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. - ![My apps extension](common/install-myappssecure-extension.png) -2. After adding extension to the browser, click on **Setup Carbonite Endpoint Backup** will direct you to the Carbonite Endpoint Backup application. From there, provide the admin credentials to sign into Carbonite Endpoint Backup. The browser extension will automatically configure the application for you and automate steps 3-7. - ![Setup configuration](common/setup-sso.png) --3. If you want to setup Carbonite Endpoint Backup manually, open a new web browser window and sign into your Carbonite Endpoint Backup company site as an administrator and perform the following steps: +1. In a different web browser window, sign in to your Carbonite Endpoint Backup company site as an administrator 4. Click on the **Company** from the left pane. |
active-directory | Citrix Cloud Saml Sso Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/citrix-cloud-saml-sso-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a ## Configure Citrix Cloud SAML SSO -1. To automate the configuration within Citrix Cloud SAML SSO, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. - ![My apps extension](common/install-myappssecure-extension.png) -1. After adding extension to the browser, click on **Set up Citrix Cloud SAML SSO** will direct you to the Citrix Cloud SAML SSO application. From there, provide the admin credentials to sign in to Citrix Cloud SAML SSO. The browser extension will automatically configure the application for you and automate steps 3-6. - ![Setup configuration](common/setup-sso.png) --1. If you want to set up Citrix Cloud SAML SSO manually, log in to your Citrix Cloud SAML SSO company site as an administrator. +1. In a different web browser window, sign in to your up Citrix Cloud SAML SSO company site as an administrator 1. Navigate to the Citrix Cloud menu and select **Identity and Access Management**. |
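Review bot: "sign in to your up Citrix Cloud SAML SSO company site" has the stray "up" and no terminating period. The removed line said "log in to your Citrix Cloud SAML SSO company site"; the new wording standardises on "sign in", which is good, but the product name reads oddly as a site name: consider "sign in to your Citrix Cloud company site as an administrator." to match the heading and the next step, which refers to the Citrix Cloud menu.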
active-directory | Clebex Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/clebex-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a ## Configure Clebex SSO -1. To automate the configuration within Clebex, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. - ![My apps extension](common/install-myappssecure-extension.png) -2. After adding extension to the browser, click on **Set up Clebex** will direct you to the Clebex application. From there, provide the admin credentials to sign into Clebex. The browser extension will automatically configure the application for you and automate steps 3-10. - ![Setup configuration](common/setup-sso.png) --3. If you want to setup Clebex manually, in a different web browser window, sign in to your Clebex company site as an administrator. +1. In a different web browser window, sign in to your Clebex company site as an administrator 1. Go to the COMPANY ADMIN -> **Connectors** -> **Single Sign On (SSO)** and click **select**. |
active-directory | Concur Travel And Expense Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/concur-travel-and-expense-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a 1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure SAP Concur Travel and Expense SSO--1. To automate the configuration within SAP Concur Travel and Expense, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. -- ![My apps extension](common/install-myappssecure-extension.png) --2. After adding extension to the browser, click on **Set up SAP Concur Travel and Expense** will direct you to the SAP Concur Travel and Expense application. From there, provide the admin credentials to sign into SAP Concur Travel and Expense. The browser extension will automatically configure the application for you and automate steps 3-7. -- ![Setup configuration](common/setup-sso.png) --3. If you want to setup SAP Concur Travel and Expense manually, in a different web browser window, you need to upload the downloaded **Federation Metadata XML** to [Concur SSO Self-Service Tool](https://www.concursolutions.com/nui/authadmin/ssoadmin) and sign in to your SAP Concur Travel and Expense company site as an administrator. +1. In a different web browser window, you need to upload the downloaded **Federation Metadata XML** to [Concur SSO Self-Service Tool](https://www.concursolutions.com/nui/authadmin/ssoadmin) and sign in to your SAP Concur Travel and Expense company site as an administrator. 1. Click **Add**. 1. Enter a custom name for your IdP, for example "Azure AD (US)". |
active-directory | Deskradar Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/deskradar-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a ## Configure Deskradar SSO -1. To automate the configuration within Deskradar, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. - ![My apps extension](common/install-myappssecure-extension.png) -1. After adding extension to the browser, click on **Setup Deskradar** will direct you to the Deskradar application. From there, provide the admin credentials to sign into Deskradar. The browser extension will automatically configure the application for you and automate steps 3-7. - ![Setup configuration](common/setup-sso.png) --1. If you want to setup Deskradar manually, open a new web browser window and sign into your Deskradar company site as an administrator and perform the following steps: +1. In a different web browser window, sign in to your Deskradar company site as an administrator 1. Open **Team** panel by clicking the icon in the Sidebar. |
active-directory | Displayr Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/displayr-tutorial.md | Follow these steps to enable Azure AD SSO in the Azure portal. ## Configure Displayr SSO -1. To automate the configuration within Displayr, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. - ![My apps extension](common/install-myappssecure-extension.png) -2. After adding extension to the browser, click on **Setup Displayr** will direct you to the Displayr application. From there, provide the admin credentials to sign into Displayr. The browser extension will automatically configure the application for you and automate steps 3-6. - ![Setup configuration](common/setup-sso.png) --3. If you want to set up Displayr manually, open a new web browser window and sign into your Displayr company site as an administrator and perform the following steps: +1. In a different web browser window, sign in to your up Displayr company site as an administrator 4. Click on the **User** icon, then navigate to **Account settings**. |
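Review bot: "sign in to your up Displayr company site" has the stray "up" and is missing its period. Suggest "In a different web browser window, sign in to your Displayr company site as an administrator."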
active-directory | Dmarcian Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/dmarcian-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a ## Configure dmarcian SSO -1. To automate the configuration within dmarcian, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. - ![My apps extension](common/install-myappssecure-extension.png) -2. After adding extension to the browser, click on **Setup dmarcian** will direct you to the dmarcian application. From there, provide the admin credentials to sign into dmarcian. The browser extension will automatically configure the application for you and automate steps 3-6. - ![Setup configuration](common/setup-sso.png) --3. If you want to setup dmarcian manually, open a new web browser window and sign into your dmarcian company site as an administrator and perform the following steps: +1. In a different web browser window, sign in to your dmarcian company site as an administrator 4. Click on **Profile** on the top-right corner and navigate to **Preferences**. |
active-directory | Docusign Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/docusign-tutorial.md | In this section, you'll grant B.Simon access to DocuSign so that this user can u 1. In the **Add Assignment** dialog box, select the **Assign** button. ## Configure DocuSign SSO--1. To automate the configuration in DocuSign, you must install the My Apps Secure Sign-in browser extension by selecting **Install the extension**. -- ![My apps extension](common/install-myappssecure-extension.png) --2. After you add the extension to the browser, select **Setup DocuSign**. You're directed to the DocuSign application. From there, provide the admin credentials to sign in to DocuSign. The browser extension automatically configures the application and automates steps 3 through 5. -- ![Setup configuration](common/setup-sso.png) --3. If you want to set up DocuSign manually, open a new web browser window and sign in to your DocuSign company site as an administrator. +1. In a different web browser window, sign in to your up DocuSign company site as an administrator 4. In the upper-left corner of the page, select the app launcher (9 dots), and then select **Admin**. |
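Review bot: "sign in to your up DocuSign company site" has the stray "up" and no terminating period. This file otherwise uses the "select" rather than "click" register (see the removed lines and step 4), so the rest of the list is fine; only the new step 1 needs the wording fix.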
active-directory | Dome9arc Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/dome9arc-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a ## Configure Check Point CloudGuard Posture Management SSO -1. To automate the configuration within Check Point CloudGuard Posture Management, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. -- ![My apps extension](common/install-myappssecure-extension.png) --2. After adding extension to the browser, click on **Setup Check Point CloudGuard Posture Management** will direct you to the Check Point CloudGuard Posture Management application. From there, provide the admin credentials to sign into Check Point CloudGuard Posture Management. The browser extension will automatically configure the application for you and automate steps 3-6. -- ![Setup configuration](common/setup-sso.png) --3. If you want to setup Check Point CloudGuard Posture Management manually, open a new web browser window and sign into your Check Point CloudGuard Posture Management company site as an administrator and perform the following steps: +1. In a different web browser window, sign in to your Check Point CloudGuard Posture Management company site as an administrator 4. Click on the **Profile Settings** on the right top corner and then click **Account Settings**. |
active-directory | Drift Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/drift-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a ## Configure Drift SSO -1. To automate the configuration within Drift, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. - ![My apps extension](common/install-myappssecure-extension.png) -2. After adding extension to the browser, click on **Setup Drift** will direct you to the Drift application. From there, provide the admin credentials to sign into Drift. The browser extension will automatically configure the application for you and automate steps 3-4. - ![Setup configuration](common/setup-sso.png) --3. If you want to setup Drift manually, open a new web browser window and sign into your Drift company site as an administrator and perform the following steps: +1. In a different web browser window, sign in to your Drift company site as an administrator 4. From the left side of menu bar, click on **Settings icon** > **App Settings** > **Authentication** and perform the following steps: |
active-directory | Dropboxforbusiness Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/dropboxforbusiness-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a ## Configure Dropbox Business SSO -1. To automate the configuration within Dropbox Business, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. - ![My apps extension](common/install-myappssecure-extension.png) -2. After adding extension to the browser, click on **Setup Dropbox Business** will direct you to the Dropbox Business application. From there, provide the admin credentials to sign into Dropbox Business. The browser extension will automatically configure the application for you and automate steps 3-8. - ![Setup configuration](common/setup-sso.png) --3. If you want to setup Dropbox Business manually, open a new web browser window and go on your Dropbox Business tenant and sign on to your Dropbox Business tenant. and perform the following steps: +1. In a different web browser window, sign in to your Dropbox Business company site as an administrator ![Screenshot that shows the "Dropbox Business Sign in" page.](./media/dropboxforbusiness-tutorial/account.png "Configure single sign-on") |
active-directory | Easysso For Bamboo Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/easysso-for-bamboo-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a ## Configure EasySSO for Bamboo SSO -1. To automate the configuration within Zoom, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. - ![My apps extension](common/install-myappssecure-extension.png) -2. After adding extension to the browser, click on **Set up Zoom** will direct you to the Zoom application. From there, provide the admin credentials to sign into Zoom. The browser extension will automatically configure the application for you and automate steps 3-10. - ![Setup configuration](common/setup-sso.png) --3. If you want to setup Zoom manually, in a different web browser window, sign in to your Zoom company site as an administrator. +1. In a different web browser window, sign in to your Zoom company site as an administrator 1. Navigate to the **Manage Apps** section. |
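Review bot: the new step says "sign in to your Zoom company site as an administrator" in a tutorial whose heading is "Configure EasySSO for Bamboo SSO". The removed lines had the same wrong product name, so the change preserves a copy-paste error rather than fixing it; suggest "sign in to your Bamboo instance as an administrator." (the next step, "Navigate to the **Manage Apps** section", is an Atlassian admin UI step, not a Zoom one). Also add the terminating period.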
active-directory | Easysso For Bitbucket Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/easysso-for-bitbucket-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a ## Configure EasySSO for BitBucket SSO -1. To automate the configuration within Zoom, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. - ![My apps extension](common/install-myappssecure-extension.png) -2. After adding extension to the browser, click on **Set up Zoom** will direct you to the Zoom application. From there, provide the admin credentials to sign into Zoom. The browser extension will automatically configure the application for you and automate steps 3-10. - ![Setup configuration](common/setup-sso.png) --3. If you want to setup Zoom manually, in a different web browser window, sign in to your Zoom company site as an administrator. +1. In a different web browser window, sign in to your Zoom company site as an administrator 1. Go to the **Administration** section. |
active-directory | Easysso For Confluence Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/easysso-for-confluence-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a 1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure EasySSO for Confluence SSO--1. To automate the configuration within EasySSO for Confluence, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. -- ![My apps extension](common/install-myappssecure-extension.png) --2. After adding extension to the browser, click on **Set up EasySSO for Confluence** will direct you to the EasySSO for Confluence application. From there, provide the admin credentials to sign into EasySSO for Confluence. The browser extension will automatically configure the application for you and automate steps 3-9. -- ![Setup configuration](common/setup-sso.png) --1. If you want to setup EasySSO for Confluence manually, sign into your Atlassian Confluence instance with Administrator privileges and navigate to the **Manage Apps** section. +1. In a different web browser window, sign in to your EasySSO for Confluence company site as an administrator and navigate to the **Manage Apps** section. ![Manage Apps](./media/easysso-for-confluence-tutorial/confluence-admin-1.png) |
active-directory | Ekarda Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/ekarda-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a ## Configure ekarda SSO -1. To automate the configuration within ekarda, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. - ![My apps extension](common/install-myappssecure-extension.png) -2. After adding extension to the browser, click on **Set up ekarda** will direct you to the ekarda application. From there, provide the admin credentials to sign into ekarda. The browser extension will automatically configure the application for you and automate steps 3-6. - ![Setup configuration](common/setup-sso.png) --3. If you want to setup ekarda manually, in a different web browser window, sign in to your ekarda company site as an administrator. +1. In a different web browser window, sign in to your ekarda company site as an administrator 1. Select **Admin** > **My Account**. |
active-directory | Elium Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/elium-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a ## Configure Elium SSO -1. To automate the configuration within Elium, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. - ![My apps extension](common/install-myappssecure-extension.png) -1. After adding extension to the browser, click on **Set up Elium** will direct you to the Elium application. From there, provide the admin credentials to sign into Elium. The browser extension will automatically configure the application for you and automate steps 3-6. - ![Setup configuration](common/setup-sso.png) --1. If you want to setup Elium manually, open a new web browser window and sign into your Elium company site as an administrator and perform the following steps: +1. In a different web browser window, sign in to your Elium company site as an administrator 1. Click on the **User profile** from right top corner and then select **Settings**. |
active-directory | Embed Signage Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/embed-signage-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a ## Configure embed signage SSO -1. To automate the configuration within Embed Signage, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. - ![My apps extension](common/install-myappssecure-extension.png) -1. After adding extension to the browser, click on **Set up Embed Signage** will direct you to the Embed Signage application. From there, provide the admin credentials to sign in to Embed Signage. The browser extension will automatically configure the application for you and automate steps 3-5. - ![Setup configuration](common/setup-sso.png) --1. If you want to set up Embed Signage manually, log in to your Embed Signage company site as an administrator. +1. In a different web browser window, sign in to your up Embed Signage company site as an administrator 1. Go to **Account settings** and click **Security** > **Single sign on**. |
active-directory | Envoy Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/envoy-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a ## Configure Envoy SSO -1. To automate the configuration within Envoy, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. - ![My apps extension](common/install-myappssecure-extension.png) -2. After adding extension to the browser, click on **Setup Envoy** will direct you to the Envoy application. From there, provide the admin credentials to sign into Envoy. The browser extension will automatically configure the application for you and automate steps 3-5. - ![Setup configuration](common/setup-sso.png) --3. If you want to setup Envoy manually, open a new web browser window and sign into your Envoy company site as an administrator and perform the following steps. +1. In a different web browser window, sign in to your Envoy company site as an administrator 4. Go to **Integrations** > **All integrations** and click to **Install** SAML under **Single sign-on**. |
active-directory | Evernote Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/evernote-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a ## Configure Evernote SSO -1. To automate the configuration within Evernote, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. - ![My apps extension](common/install-myappssecure-extension.png) -2. After adding extension to the browser, click on **setup Evernote** will direct you to the Evernote application. From there, provide the admin credentials to sign into Evernote. The browser extension will automatically configure the application for you and automate steps 3-6. - ![Setup configuration](common/setup-sso.png) --3. If you want to setup Evernote manually, open a new web browser window and sign into your Evernote company site as an administrator and perform the following steps: +1. In a different web browser window, sign in to your Evernote company site as an administrator 4. Go to **'Admin Console'** |
active-directory | Expensein Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/expensein-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a ## Configure ExpenseIn SSO -1. To automate the configuration within ExpenseIn, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. - ![My apps extension](common/install-myappssecure-extension.png) -1. After adding extension to the browser, click on **Set up ExpenseIn** will direct you to the ExpenseIn application. From there, provide the admin credentials to sign into ExpenseIn. The browser extension will automatically configure the application for you and automate steps 3-5. - ![Setup configuration](common/setup-sso.png) --1. If you want to setup ExpenseIn manually, log in to your ExpenseIn company site as an administrator. +1. In a different web browser window, sign in to your ExpenseIn company site as an administrator 1. Click on **Admin** on the top of the page then navigate to **Single Sign-On** and click **Add provider**. |
active-directory | Ezofficeinventory Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/ezofficeinventory-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a ## Configure EZOfficeInventory SSO -1. To automate the configuration within EZOfficeInventory, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. - ![My apps extension](common/install-myappssecure-extension.png) -1. After adding extension to the browser, click on **Set up EZOfficeInventory** will direct you to the EZOfficeInventory application. From there, provide the admin credentials to sign into EZOfficeInventory. The browser extension will automatically configure the application for you and automate steps 3-5. - ![Setup configuration](common/setup-sso.png) --1. If you want to setup EZOfficeInventory manually, open a new web browser window and sign into your EZOfficeInventory company site as an administrator and perform the following steps: +1. In a different web browser window, sign in to your EZOfficeInventory company site as an administrator 1. On the top-right corner of the page, click on **Profile** and then navigate to **Settings** > **Add Ons**. |
active-directory | Fax Plus Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/fax-plus-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a ## Configure FAX.PLUS SSO -1. To automate the configuration within FAX.PLUS, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. - ![My apps extension](common/install-myappssecure-extension.png) -2. After adding extension to the browser, click on **Set up FAX.PLUS** will direct you to the FAX.PLUS application. From there, provide the admin credentials to sign into FAX.PLUS. The browser extension will automatically configure the application for you and automate steps 3-5. - ![Setup configuration](common/setup-sso.png) --3. If you want to setup FAX.PLUS manually, in a different web browser window, sign in to your FAX.PLUS company site as an administrator. +1. In a different web browser window, sign in to your FAX.PLUS company site as an administrator 2. Go to the **Security** section in your Admin Profile and scroll down to **Advanced**. |
active-directory | Foodee Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/foodee-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a ### Configure Foodee SSO -1. To automate the configuration within Foodee, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. - ![My apps extension](common/install-myappssecure-extension.png) -2. After adding extension to the browser, click on **Set up Foodee** will direct you to the Foodee application. From there, provide the admin credentials to sign into Foodee. The browser extension will automatically configure the application for you and automate steps 3-4. - ![Setup configuration](common/setup-sso.png) --3. If you want to setup Foodee manually, open a new web browser window and sign into your Foodee company site as an administrator and perform the following steps: +1. In a different web browser window, sign in to your Foodee company site as an administrator 4. Click on **profile logo** on the top right corner of the page then navigate to **Single Sign On** and perform the following steps: |
active-directory | Freedcamp Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/freedcamp-tutorial.md | In this section, you'll enable Britta Simon to use Azure single sign-on by grant ## Configure Freedcamp SSO -1. To automate the configuration within Freedcamp, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. - ![My apps extension](common/install-myappssecure-extension.png) -2. After adding extension to the browser, click on **Setup Freedcamp** will direct you to the Freedcamp application. From there, provide the admin credentials to sign into Freedcamp. The browser extension will automatically configure the application for you and automate steps 3-5. - ![Setup configuration](common/setup-sso.png) --3. If you want to setup Freedcamp manually, open a new web browser window and sign into your Freedcamp company site as an administrator and perform the following steps: +1. In a different web browser window, sign in to your Freedcamp company site as an administrator 4. On the top-right corner of the page, click on **profile** and then navigate to **My Account**. |
active-directory | Fresh Relevance Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/fresh-relevance-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a ## Configure Fresh Relevance SSO -1. To automate the configuration within Fresh Relevance, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. - ![My apps extension](common/install-myappssecure-extension.png) -2. After adding extension to the browser, click on **Set up Fresh Relevance** will direct you to the Fresh Relevance application. From there, provide the admin credentials to sign into Fresh Relevance. The browser extension will automatically configure the application for you and automate steps 3-10. - ![Setup configuration](common/setup-sso.png) --3. If you want to setup Fresh Relevance manually, in a different web browser window, sign in to your Fresh Relevance company site as an administrator. +1. In a different web browser window, sign in to your Fresh Relevance company site as an administrator 1. Go to **Settings** > **All Settings** > **Security and Privacy** and click **SAML/Azure AD Single Sign-On**. |
active-directory | Freshservice Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/freshservice-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a ## Configure Freshservice SSO -1. To automate the configuration within Freshservice, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. - ![My apps extension](common/install-myappssecure-extension.png) -1. After adding extension to the browser, click on **Set up Freshservice** will direct you to the Freshservice application. From there, provide the admin credentials to sign into Freshservice. The browser extension will automatically configure the application for you and automate steps 3-6. - ![Setup configuration](common/setup-sso.png) --1. If you want to setup Freshservice manually, log in to your Freshservice company site as an administrator. +1. In a different web browser window, sign in to your Freshservice company site as an administrator 1. In the menu on the left, click **Admin** and select **Helpdesk Security** in the **General Settings**. |
active-directory | Harness Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/harness-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a ## Configure Harness SSO -1. To automate the configuration within Harness, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. - ![My apps extension](common/install-myappssecure-extension.png) -2. After adding extension to the browser, click on **Setup Harness** will direct you to the Harness application. From there, provide the admin credentials to sign into Harness. The browser extension will automatically configure the application for you and automate steps 3-6. - ![Setup configuration](common/setup-sso.png) --3. If you want to setup Harness manually, open a new web browser window and sign into your Harness company site as an administrator and perform the following steps: +1. In a different web browser window, sign in to your Harness company site as an administrator 4. On the top-right of the page, click on **Continuous Security** > **Access Management** > **Authentication Settings**. |
active-directory | Helpscout Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/helpscout-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a ## Configure Help Scout SSO -1. To automate the configuration within Help Scout, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. - ![My apps extension](common/install-myappssecure-extension.png) -1. After adding extension to the browser, click on **Set up Help Scout** will direct you to the Help Scout application. From there, provide the admin credentials to sign into Help Scout. The browser extension will automatically configure the application for you and automate steps 3-7. - ![Setup configuration](common/setup-sso.png) --1. If you want to setup Help Scout manually, open a new web browser window and sign into your Help Scout company site as an administrator and perform the following steps: +1. In a different web browser window, sign in to your Help Scout company site as an administrator 1. Click on **Manage** from the top menu and then select **Company** from the dropdown menu. |
active-directory | Hightail Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/hightail-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a ## Configure Hightail SSO -1. To automate the configuration within Hightail, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. - ![My apps extension](common/install-myappssecure-extension.png) -1. After adding extension to the browser, click on **Set up Hightail** will direct you to the Hightail application. From there, provide the admin credentials to sign into Hightail. The browser extension will automatically configure the application for you and automate steps 3-6. - ![Setup configuration](common/setup-sso.png) --1. If you want to setup Hightail manually, in another browser window, open the **Hightail** admin portal. +1. In a different web browser window, sign in to your Hightail company site as an administrator 1. Click on **User icon** from the top right corner of the page. |
active-directory | Hrworks Single Sign On Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/hrworks-single-sign-on-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a ## Configure HRworks Single Sign-On SSO -1. To automate the configuration within HRworks Single Sign-On, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. - ![My apps extension](common/install-myappssecure-extension.png) -1. After adding extension to the browser, click on **Set up HRworks Single Sign-On** will direct you to the HRworks Single Sign-On application. From there, provide the admin credentials to sign into HRworks Single Sign-On. The browser extension will automatically configure the application for you and automate steps 3-4. - ![Setup configuration](common/setup-sso.png) --1. If you want to setup HRworks Single Sign-On manually, open a new web browser window and sign into your HRworks Single Sign-On company site as an administrator and perform the following steps: +1. In a different web browser window, sign in to your HRworks Single Sign-On company site as an administrator 1. Click on **Administrator** > **Basics** > **Security** > **Single Sign-on** from the left side of menu bar and perform the following steps: |
active-directory | Idrive360 Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/idrive360-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a ### Create IDrive360 test user -1. To automate the configuration within IDrive360, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. - ![My apps extension](common/install-myappssecure-extension.png) -2. After adding extension to the browser, click on **Set up IDrive360** will direct you to the IDrive360 application. From there, provide the admin credentials to sign into IDrive360. The browser extension will automatically configure the application for you and automate steps 3-10. - ![Setup configuration](common/setup-sso.png) --3. If you want to setup IDrive360 manually, in a different web browser window, sign in to your IDrive360 company site as an administrator. +1. In a different web browser window, sign in to your IDrive360 company site as an administrator 2. Navigate to the **Users** tab and click **Add User**. |
active-directory | Invision Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/invision-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a ## Configure InVision SSO -1. To automate the configuration within InVision, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. - ![My apps extension](common/install-myappssecure-extension.png) -2. After adding extension to the browser, click on **Set up InVision** will direct you to the InVision application. From there, provide the admin credentials to sign into InVision. The browser extension will automatically configure the application for you and automate steps 3-6. - ![Setup configuration](common/setup-sso.png) --3. If you want to setup InVision manually, in a different web browser window, sign in to your InVision company site as an administrator. +1. In a different web browser window, sign in to your InVision company site as an administrator 1. Click on **Team** and select **Settings**. |
active-directory | Kanbanize Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/kanbanize-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a ## Configure Kanbanize SSO -1. To automate the configuration within Kanbanize, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. - ![My apps extension](common/install-myappssecure-extension.png) -2. After adding extension to the browser, click on **Set up Kanbanize** will direct you to the Kanbanize application. From there, provide the admin credentials to sign into Kanbanize. The browser extension will automatically configure the application for you and automate steps 3-7. - ![Setup configuration](common/setup-sso.png) --3. If you want to setup Kanbanize manually, open a new web browser window and sign into your Kanbanize company site as an administrator and perform the following steps: +1. In a different web browser window, sign in to your Kanbanize company site as an administrator 4. Go to top right of the page, click on **Settings** logo. |
active-directory | Kendis Scaling Agile Platform Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/kendis-scaling-agile-platform-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a ## Configure Kendis-Azure AD Integration SSO -1. To automate the configuration within Kendis - Azure AD Integration, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. - ![My apps extension](common/install-myappssecure-extension.png) -2. After adding extension to the browser, click on **Set up Kendis - Azure AD Integration** will direct you to the Kendis - Azure AD Integration application. From there, provide the admin credentials to sign into Kendis - Azure AD Integration. The browser extension will automatically configure the application for you and automate steps 3-5. - ![Setup configuration](common/setup-sso.png) --3. If you want to setup Kendis - Azure AD Integration manually, in a different web browser window, sign in to your Kendis - Azure AD Integration company site as an administrator. +1. In a different web browser window, sign in to your Kendis - Azure AD Integration company site as an administrator 4. Go to the **Settings > SAML Configurations**. |
active-directory | Knowledge Anywhere Lms Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/knowledge-anywhere-lms-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a ## Configure Knowledge Anywhere LMS SSO -1. To automate the configuration within Knowledge Anywhere LMS, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. - ![My apps extension](common/install-myappssecure-extension.png) -2. After adding extension to the browser, click on **Setup Knowledge Anywhere LMS** will direct you to the Knowledge Anywhere LMS application. From there, provide the admin credentials to sign into Knowledge Anywhere LMS. The browser extension will automatically configure the application for you and automate steps 3-7. - ![Setup configuration](common/setup-sso.png) --3. If you want to setup Knowledge Anywhere LMS manually, open a new web browser window and sign into your Knowledge Anywhere LMS company site as an administrator and perform the following steps: +1. In a different web browser window, sign in to your Knowledge Anywhere LMS company site as an administrator 4. Select on the **Site** tab. |
active-directory | Litmus Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/litmus-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a ## Configure Litmus SSO -1. To automate the configuration within Litmus, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. - ![My apps extension](common/install-myappssecure-extension.png) -2. After adding extension to the browser, click on **Set up Litmus** will direct you to the Litmus application. From there, provide the admin credentials to sign into Litmus. The browser extension will automatically configure the application for you and automate steps 3-6. - ![Setup configuration](common/setup-sso.png) --3. If you want to setup Litmus manually, in a different web browser window, sign in to your Litmus company site as an administrator. +1. In a different web browser window, sign in to your Litmus company site as an administrator 1. Click on the **Security** from the left navigation panel. |
active-directory | Logmein Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/logmein-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a ## Configure LogMeIn SSO -1. To automate the configuration within LogMeIn, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. - ![My apps extension](common/install-myappssecure-extension.png) -1. After adding extension to the browser, click on **Set up LogMeIn** will direct you to the LogMeIn application. From there, provide the admin credentials to sign into LogMeIn. The browser extension will automatically configure the application for you and automate steps 3-5. - ![Setup configuration](common/setup-sso.png) --1. If you want to setup LogMeIn manually, in a different web browser window, sign in to your LogMeIn company site as an administrator. +1. In a different web browser window, sign in to your LogMeIn company site as an administrator 1. Go to the **Identity Provider** tab and in the **Metadata url** textbox, paste the **Federation Metadata URL**, which you have copied from the Azure portal. |
active-directory | Marketo Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/marketo-tutorial.md | In this section, you enable B.Simon to use Azure single sign-on by granting acce ## Configure Marketo SSO -1. To automate the configuration within Marketo, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. - ![My apps extension](common/install-myappssecure-extension.png) -2. After adding extension to the browser, click on **Set up Marketo** will direct you to the Marketo application. From there, provide the admin credentials to sign into Marketo. The browser extension will automatically configure the application for you and automate steps 3-6. - ![Setup configuration](common/setup-sso.png) --3. If you want to setup Marketo manually, in a different web browser window, sign in to your Marketo company site as an administrator. +1. In a different web browser window, sign in to your Marketo company site as an administrator 1. To get Munchkin ID of your application, perform the following actions: |
active-directory | Meraki Dashboard Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/meraki-dashboard-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a 1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure Meraki Dashboard SSO--1. To automate the configuration within Meraki Dashboard, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. -- ![My apps extension](common/install-myappssecure-extension.png) --2. After adding extension to the browser, click on **Set up Meraki Dashboard** will direct you to the Meraki Dashboard application. From there, provide the admin credentials to sign into Meraki Dashboard. The browser extension will automatically configure the application for you and automate steps 3-7. -- ![Setup configuration](common/setup-sso.png) --3. If you want to setup Meraki Dashboard manually, in a different web browser window, sign in to your Meraki Dashboard company site as an administrator. +1. In a different web browser window, sign in to your Meraki Dashboard company site as an administrator 4. Navigate to **Organization** -> **Settings**. |
active-directory | Mondaycom Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/mondaycom-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a ## Configure monday.com SSO -1. To automate the configuration within monday.com, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. - ![My apps extension](common/install-myappssecure-extension.png) -1. After adding extension to the browser, click on **Setup monday.com** which will direct you to the monday.com application. From there, provide the admin credentials to sign into monday.com. The browser extension will automatically configure the application for you and automate steps 3-6. - ![Setup configuration](common/setup-sso.png) --1. If you want to set up monday.com manually, open a new web browser window and sign in to monday.com as an administrator and perform the following steps: +1. In a different web browser window, sign in to your up monday.com company site as an administrator 1. Go to the **Profile** on the top-right corner of page and click on **Admin**. |
active-directory | Myworkdrive Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/myworkdrive-tutorial.md | In this section, you'll enable Britta Simon to use Azure single sign-on by grant ## Configure MyWorkDrive SSO -1. To automate the configuration within MyWorkDrive, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. - ![My apps extension](common/install-myappssecure-extension.png) -1. After adding extension to the browser, click on **Setup MyWorkDrive** will direct you to the MyWorkDrive application. From there, provide the admin credentials to sign into MyWorkDrive. The browser extension will automatically configure the application for you and automate steps 3-4. - ![Setup configuration](common/setup-sso.png) --1. If you want to setup MyWorkDrive manually, In a different web browser window, sign in to MyWorkDrive as a Security Administrator. +1. In a different web browser window, sign in to your MyWorkDrive company site as an administrator 1. On the MyWorkDrive Server in the admin panel, click on **ENTERPRISE** and perform the following steps: |
active-directory | Nuclino Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/nuclino-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a ## Configure Nuclino SSO -1. To automate the configuration within Nuclino, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. - ![My apps extension](common/install-myappssecure-extension.png) -2. After adding extension to the browser, click on **Set up Nuclino** will direct you to the Nuclino application. From there, provide the admin credentials to sign into Nuclino. The browser extension will automatically configure the application for you and automate steps 3-7. - ![Setup configuration](common/setup-sso.png) --3. If you want to setup Nuclino manually, open a new web browser window and sign into your Nuclino company site as an administrator and perform the following steps: +1. In a different web browser window, sign in to your Nuclino company site as an administrator 4. Click on the **ICON**. |
active-directory | Onedesk Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/onedesk-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a ## Configure OneDesk SSO -1. To automate the configuration within OneDesk, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. - ![My apps extension](common/install-myappssecure-extension.png) -1. After adding extension to the browser, click on **Set up OneDesk** will direct you to the OneDesk application. From there, provide the admin credentials to sign into OneDesk. The browser extension will automatically configure the application for you and automate steps 3-5. - ![Setup configuration](common/setup-sso.png) --1. If you want to setup OneDesk manually, open a new web browser window and sign into your OneDesk company site as an administrator and perform the following steps: +1. In a different web browser window, sign in to your OneDesk company site as an administrator 1. Click on the **Integrations** tab. |
active-directory | Opsgenie Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/opsgenie-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a ## Configure OpsGenie SSO -1. To automate the configuration within OpsGenie, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. - ![My apps extension](common/install-myappssecure-extension.png) -2. After adding extension to the browser, click on **Set up OpsGenie** will direct you to the OpsGenie application. From there, provide the admin credentials to sign into OpsGenie. The browser extension will automatically configure the application for you and automate steps 3-7. - ![Setup configuration](common/setup-sso.png) --3. If you want to setup OpsGenie manually, in a different web browser window, sign in to your OpsGenie company site as an administrator. +1. In a different web browser window, sign in to your OpsGenie company site as an administrator 2. Click **Settings**, and then click the **Single Sign On** tab. |
active-directory | People Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/people-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a ## Configure People SSO -1. To automate the configuration within People, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. - ![My apps extension](common/install-myappssecure-extension.png) -2. After adding extension to the browser, click on **Setup People** will direct you to the People application. From there, provide the admin credentials to sign into People. The browser extension will automatically configure the application for you and automate steps 3-6. - ![Setup configuration](common/setup-sso.png) --3. If you want to setup People manually, open a new web browser window and sign into your People company site as an administrator and perform the following steps: +1. In a different web browser window, sign in to your People company site as an administrator 4. In the menu on the left side, click **Settings**. |
active-directory | Perimeter 81 Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/perimeter-81-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a ## Configure Perimeter 81 SSO -1. To automate the configuration within Perimeter 81, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. - ![My apps extension](common/install-myappssecure-extension.png) -2. After adding extension to the browser, click on **Set up Perimeter 81** will direct you to the Perimeter 81 application. From there, provide the admin credentials to sign into Perimeter 81. The browser extension will automatically configure the application for you and automate steps 3-7. - ![Setup configuration](common/setup-sso.png) --3. If you want to setup Perimeter 81 manually, in a different web browser window, sign in to your Perimeter 81 company site as an administrator. +1. In a different web browser window, sign in to your Perimeter 81 company site as an administrator 4. Go to **Settings** and click on **Identity Providers**. |
active-directory | Productboard Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/productboard-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a 1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure productboard SSO--1. To automate the configuration within productboard, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. -- ![My apps extension](common/install-myappssecure-extension.png) --1. After adding the extension to the browser, click **Set up productboard**, which directs you to the productboard application. From there, provide the admin credentials to sign in to productboard. The browser extension will automatically configure the application for you. -- ![Setup configuration](common/setup-sso.png) --1. If you want to set up single sign-on on **productboard** manually, you need to send the **App Federation Metadata Url** to [productboard support team](mailto:support@productboard.com). They set this setting to have the SAML SSO connection set properly on both sides. +1. You need to send the **App Federation Metadata Url** to [productboard support team](mailto:support@productboard.com). They set this setting to have the SAML SSO connection set properly on both sides. ### Create productboard test user |
active-directory | Purelyhr Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/purelyhr-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a ## Configure PurelyHR SSO -1. To automate the configuration within PurelyHR, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. - ![My apps extension](common/install-myappssecure-extension.png) -1. After adding extension to the browser, click on **Set up PurelyHR** will direct you to the PurelyHR application. From there, provide the admin credentials to sign into PurelyHR. The browser extension will automatically configure the application for you and automate steps 3-5. - ![Setup configuration](common/setup-sso.png) --1. If you want to set up PurelyHR manually, open a new web browser window and sign in to your PurelyHR company site as an administrator and perform the following steps: +1. In a different web browser window, sign in to your up PurelyHR company site as an administrator 1. Open the **Dashboard** from the options in the toolbar and click **SSO Settings**. |
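Review bot: typo in the new `+1.` step, "sign in to your up PurelyHR company site as an administrator"; drop the stray "up" and end the sentence with a period, matching the wording of the removed `-1.` line ("sign in to your PurelyHR company site as an administrator").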
active-directory | Ringcentral Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/ringcentral-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a ## Configure RingCentral SSO -1. To automate the configuration within RingCentral, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. - ![My apps extension](common/install-myappssecure-extension.png) -1. After adding extension to the browser, click on **Set up RingCentral** will direct you to the RingCentral application. From there, provide the admin credentials to sign into RingCentral. The browser extension will automatically configure the application for you and automate steps 3-7. - ![Setup configuration](common/setup-sso.png) --1. If you want to setup RingCentral manually, open a new web browser window and sign into your RingCentral company site as an administrator and perform the following steps: +1. In a different web browser window, sign in to your RingCentral company site as an administrator 1. On the top, click on **Tools**. |
active-directory | Saba Cloud Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/saba-cloud-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a ## Configure Saba Cloud SSO -1. To automate the configuration within Saba Cloud, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. - ![My apps extension](common/install-myappssecure-extension.png) -1. After adding extension to the browser, click on **Set up Saba Cloud** will direct you to the Saba Cloud application. From there, provide the admin credentials to sign into Saba Cloud. The browser extension will automatically configure the application for you and automate steps 3-9. - ![Setup configuration](common/setup-sso.png) --1. If you want to setup Saba Cloud manually, in a different web browser window, sign in to your Saba Cloud company site as an administrator. +1. In a different web browser window, sign in to your Saba Cloud company site as an administrator 1. Click on **Menu** icon and click **Admin**, then select **System Admin** tab. |
active-directory | Salesforce Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/salesforce-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a ## Configure Salesforce SSO -1. To automate the configuration within Salesforce, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. - ![My apps extension](common/install-myappssecure-extension.png) -1. After adding extension to the browser, click on **Set up Salesforce** will direct you to the Salesforce Single Sign-On application. From there, provide the admin credentials to sign in to Salesforce Single Sign-On. The browser extension will automatically configure the application for you and automate steps 3-13. - ![Setup configuration](common/setup-sso.png) --1. If you want to set up Salesforce manually, open a new web browser window and sign in to your Salesforce company site as an administrator and perform the following steps: +1. In a different web browser window, sign in to your up Salesforce company site as an administrator 1. Click on the **Setup** under **settings icon** on the top right corner of the page. |
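Review bot: typo in the new `+1.` step, "sign in to your up Salesforce company site as an administrator"; it should be "sign in to your Salesforce company site as an administrator." The removed `-1.` line had the correct wording, so this looks like a copy slip introduced while rewriting the step.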
active-directory | Sap Hana Cloud Platform Identity Authentication Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/sap-hana-cloud-platform-identity-authentication-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a 1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure SAP Cloud Identity Services SSO--1. To automate the configuration within SAP Cloud Identity Services, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. -- ![My apps extension](common/install-myappssecure-extension.png) --2. After adding extension to the browser, click on **Set up SAP Cloud Identity Services** will direct you to the SAP Cloud Identity Services application. From there, provide the admin credentials to sign into SAP Cloud Identity Services. The browser extension will automatically configure the application for you and automate steps 3-7. -- ![Setup configuration](common/setup-sso.png) --3. If you want to set up SAP Cloud Identity Services manually, in a different web browser window, go to the SAP Cloud Identity Services administration console. The URL has the following pattern: `https://<tenant-id>.accounts.ondemand.com/admin`. Then read the documentation about SAP Cloud Identity Services at [Integration with Microsoft Azure AD](https://developers.sap.com/tutorials/cp-ias-azure-ad.html). +1. In a different web browser window,go to the SAP Cloud Identity Services administration console. The URL has the following pattern: `https://<tenant-id>.accounts.ondemand.com/admin`. Then read the documentation about SAP Cloud Identity Services at [Integration with Microsoft Azure AD](https://developers.sap.com/tutorials/cp-ias-azure-ad.html). 2. In the Azure portal, select the **Save** button. |
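Review bot: missing space after the comma in the new `+1.` step, "In a different web browser window,go to the SAP Cloud Identity Services administration console"; it should read "window, go to". The rest of the added line (the `https://<tenant-id>.accounts.ondemand.com/admin` URL pattern and the SAP documentation link) is carried over unchanged from the removed `-3.` line, so only the punctuation needs fixing.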
active-directory | Scalex Enterprise Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/scalex-enterprise-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a ## Configure ScaleX Enterprise SSO -1. To automate the configuration within ScaleX Enterprise, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. - ![My apps extension](common/install-myappssecure-extension.png) -1. After adding extension to the browser, click on **Set up ScaleX Enterprise** will direct you to the ScaleX Enterprise application. From there, provide the admin credentials to sign into ScaleX Enterprise. The browser extension will automatically configure the application for you and automate steps 3-6. - ![Setup configuration](common/setup-sso.png) --1. If you want to setup ScaleX Enterprise manually, open a new web browser window and sign into your ScaleX Enterprise company site as an administrator and perform the following steps: +1. In a different web browser window, sign in to your ScaleX Enterprise company site as an administrator 1. Click the menu in the upper right and select **Contoso Administration**. |
active-directory | Screencast Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/screencast-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a ## Configure Screencast-O-Matic SSO -1. To automate the configuration within Screencast-O-Matic, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. - ![My apps extension](common/install-myappssecure-extension.png) -1. After adding extension to the browser, click on **Set up Screencast-O-Matic** will direct you to the Screencast-O-Matic application. From there, provide the admin credentials to sign into Screencast-O-Matic. The browser extension will automatically configure the application for you and automate steps 3-10. - ![Setup configuration](common/setup-sso.png) --1. If you want to setup Screencast-O-Matic manually, open a new web browser window and sign into your Screencast-O-Matic company site as an administrator and perform the following steps: +1. In a different web browser window, sign in to your Screencast-O-Matic company site as an administrator 1. Click on **Subscription**. |
active-directory | Sharefile Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/sharefile-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a ## Configure Citrix ShareFile SSO -1. To automate the configuration within **Citrix ShareFile**, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. - ![My apps extension](common/install-myappssecure-extension.png) -2. After adding extension to the browser, click on **Set up Citrix ShareFile** will direct you to the Citrix ShareFile application. From there, provide the admin credentials to sign into Citrix ShareFile. The browser extension will automatically configure the application for you and automate steps 3-7. - ![Setup configuration](common/setup-sso.png) --3. If you want to setup Citrix ShareFile manually, in a different web browser window, sign in to your Citrix ShareFile company site as an administrator. +1. In a different web browser window, sign in to your Citrix ShareFile company site as an administrator 1. In the **Dashboard**, click on **Settings** and select **Admin Settings**. |
active-directory | Slack Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/slack-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a ## Configure Slack SSO -1. To automate the configuration within Slack, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. - ![My apps extension](common/install-myappssecure-extension.png) -2. After adding extension to the browser, click on **Set up Slack** will direct you to the Slack application. From there, provide the admin credentials to sign into Slack. The browser extension will automatically configure the application for you and automate steps 3-6. - ![Setup configuration](common/setup-sso.png) --3. If you want to set up Slack manually, in a different web browser window, sign in to your Slack company site as an administrator. +1. In a different web browser window, sign in to your up Slack company site as an administrator 2. click on your workspace name in the top left, then go to **Settings & administration** -> **Workspace settings**. |
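Review bot: typo in the new `+1.` step, "sign in to your up Slack company site as an administrator"; it should be "sign in to your Slack company site as an administrator." with a closing period. The following unchanged step also starts with a lowercase "click on your workspace name"; while touching this list it would be worth capitalizing it for consistency with the other steps.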
active-directory | Smartdraw Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/smartdraw-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a ## Configure SmartDraw SSO -1. To automate the configuration within SmartDraw, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. - ![My apps extension](common/install-myappssecure-extension.png) -1. After adding extension to the browser, click on **Set up SmartDraw** will direct you to the SmartDraw application. From there, provide the admin credentials to sign into SmartDraw. The browser extension will automatically configure the application for you and automate steps 3-5. - ![Setup configuration](common/setup-sso.png) --1. If you want to setup SmartDraw manually, open a new web browser window and sign into your SmartDraw company site as an administrator and perform the following steps: +1. In a different web browser window, sign in to your SmartDraw company site as an administrator 1. Click on **Single Sign-On** under Manage your SmartDraw License. |
active-directory | Soloinsight Cloudgate Sso Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/soloinsight-cloudgate-sso-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a ## Configure Soloinsight-CloudGate SSO -1. To automate the configuration within Soloinsight-CloudGate SSO, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. - ![My apps extension](common/install-myappssecure-extension.png) -2. After adding extension to the browser, click on **Setup Soloinsight-CloudGate SSO** will direct you to the Soloinsight-CloudGate SSO application. From there, provide the admin credentials to sign into Soloinsight-CloudGate SSO. The browser extension will automatically configure the application for you and automate steps 3-8. - ![Setup configuration](common/setup-sso.png) --3. If you want to setup Soloinsight-CloudGate SSO manually, open a new web browser window and sign into your Soloinsight-CloudGate SSO company site as an administrator and perform the following steps: +1. In a different web browser window, sign in to your Soloinsight-CloudGate SSO company site as an administrator 4. To get the values that are to be pasted in the Azure portal while configuring Basic SAML, sign in to the CloudGate Web Portal using your credentials then access the SSO settings, which can be found on the following path **Home>Administration>System settings>General**. |
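Review bot: the new `+1.` step tells the reader to "sign in to your Soloinsight-CloudGate SSO company site as an administrator", and the unchanged step 4 that follows then says "sign in to the CloudGate Web Portal using your credentials" again. With the automated-setup steps removed, the two sign-in instructions are now adjacent and redundant; consider trimming step 4 to just "access the SSO settings, which can be found on the following path Home>Administration>System settings>General".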
active-directory | Statuspage Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/statuspage-tutorial.md | In this section, you enable Britta Simon to use Azure single sign-on by granting ## Configure StatusPage SSO -1. To automate the configuration within StatusPage, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. - ![My apps extension](common/install-myappssecure-extension.png) -2. After adding extension to the browser, click on **Set up StatusPage** will direct you to the StatusPage application. From there, provide the admin credentials to sign into StatusPage. The browser extension will automatically configure the application for you and automate steps 3-6. - ![Setup configuration](common/setup-sso.png) --3. If you want to setup StatusPage manually, in a different web browser window, sign in to your StatusPage company site as an administrator. +1. In a different web browser window, sign in to your StatusPage company site as an administrator 1. In the main toolbar, click **Manage Account**. |
active-directory | Tableauonline Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/tableauonline-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a ## Configure Tableau Cloud SSO -1. To automate the configuration within Tableau Cloud, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. - ![My apps extension](common/install-myappssecure-extension.png) -2. After adding extension to the browser, click on **Set up Tableau Cloud** will direct you to the Tableau Cloud application. From there, provide the admin credentials to sign into Tableau Cloud. The browser extension will automatically configure the application for you and automate steps 3-7. - ![Setup configuration](common/setup-sso.png) --3. If you want to set up Tableau Cloud manually, in a different web browser window, sign in to your Tableau Cloud company site as an administrator. +1. In a different web browser window, sign in to your up Tableau Cloud company site as an administrator 1. Go to **Settings** and then **Authentication**. |
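Review bot: typo in the new `+1.` step, "sign in to your up Tableau Cloud company site as an administrator"; it should be "sign in to your Tableau Cloud company site as an administrator." with a closing period, as in the removed `-3.` line.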
active-directory | Target Process Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/target-process-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a 1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure TargetProcess SSO--1. To automate the configuration within **TargetProcess**, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. -- ![image](./media/target-process-tutorial/install-extension.png) --1. After adding extension to the browser, click on **setup TargetProcess** will direct you to the TargetProcess application. From there, provide the admin credentials to sign into TargetProcess. The browser extension will automatically configure the application for you and automate steps 3-7. -- ![Setup configuration](common/setup-sso.png) -- **If you want to configure the application manually perform the following steps:** - 1. Sign-on to your TargetProcess application as an administrator. 1. In the menu on the top, click **Setup**. |
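Review bot: the removed line `![image](./media/target-process-tutorial/install-extension.png)` was the reference to a tutorial-specific media file rather than the shared `common/` image the other tutorials use. If this was its only reference, the file is now orphaned; either delete it in the same change or confirm it is still used elsewhere. The removed bold lead-in "If you want to configure the application manually perform the following steps:" also had no counterpart added, so check that the remaining numbered steps still read as a list that starts at "Sign-on to your TargetProcess application as an administrator."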
active-directory | Teamphoria Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/teamphoria-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a ## Configure Teamphoria SSO -1. To automate the configuration within Teamphoria, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. - ![My apps extension](common/install-myappssecure-extension.png) -2. After adding extension to the browser, click on **Set up Teamphoria** will direct you to the Teamphoria application. From there, provide the admin credentials to sign into Teamphoria. The browser extension will automatically configure the application for you and automate steps 3-6. - ![Setup configuration](common/setup-sso.png) --3. If you want to setup Teamphoria manually, open a new web browser window and sign into your Teamphoria company site as an administrator and perform the following steps: +1. In a different web browser window, sign in to your Teamphoria company site as an administrator 4. Go to **ADMIN SETTINGS** option in the left toolbar and under the Configure Tab click on **SINGLE SIGN-ON** to open the SSO configuration window. |
active-directory | Terraform Cloud Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/terraform-cloud-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a ## Configure Terraform Cloud SSO -1. To automate the configuration within Terraform Cloud, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. - ![My apps extension](common/install-myappssecure-extension.png) -2. After adding extension to the browser, click on **Set up Terraform Cloud** will direct you to the Terraform Cloud application. From there, provide the admin credentials to sign into Terraform Cloud. The browser extension will automatically configure the application for you and automate steps 3-5. - ![Setup configuration](common/setup-sso.png) --3. If you want to setup Terraform Cloud manually, in a different web browser window, sign in to your Terraform Cloud company site as an administrator. +1. In a different web browser window, sign in to your Terraform Cloud company site as an administrator 2. Go to the **Settings > SSO > Edit Settings**. |
active-directory | Textmagic Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/textmagic-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a ## Configure TextMagic SSO -1. To automate the configuration within TextMagic, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. - ![My apps extension](common/install-myappssecure-extension.png) -2. After adding extension to the browser, click on **Setup TextMagic** will direct you to the TextMagic application. From there, provide the admin credentials to sign into TextMagic. The browser extension will automatically configure the application for you and automate steps 3-5. - ![Setup configuration](common/setup-sso.png) --3. If you want to setup TextMagic manually, open a new web browser window and sign into your TextMagic company site as an administrator and perform the following steps: +1. In a different web browser window, sign in to your TextMagic company site as an administrator 4. Select **Account settings** under the username. |
active-directory | Timeclock 365 Saml Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/timeclock-365-saml-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a ## Configure Timeclock 365 SAML SSO -1. To automate the configuration within Timeclock 365 SAML, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. - ![My apps extension](common/install-myappssecure-extension.png) -2. After adding extension to the browser, click on **Set up Timeclock 365 SAML** will direct you to the Timeclock 365 SAML application. From there, provide the admin credentials to sign into Timeclock 365 SAML. The browser extension will automatically configure the application for you and automate steps 3-4. - ![Setup configuration](common/setup-sso.png) --3. If you want to set up Timeclock 365 SAML manually, in a different web browser window, sign in to your Timeclock 365 SAML company site as an administrator. +1. In a different web browser window, sign in to your up Timeclock 365 SAML company site as an administrator 1. Perform the below mentioned steps. |
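Review bot: typo in the new `+1.` step, "sign in to your up Timeclock 365 SAML company site as an administrator"; it should be "sign in to your Timeclock 365 SAML company site as an administrator." with a closing period. The unchanged next step, "Perform the below mentioned steps.", is now the only remaining introduction to the list, so the trailing punctuation on the new step matters for how the two lines read together.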
active-directory | Tutorial List | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/tutorial-list.md | To find more tutorials, use the table of contents on the left. | Logo | Application tutorial for single sign-on | Application tutorial for user provisioning | | : | : | : | | ![logo-Amazon Web Services (AWS) Console](./medi#configure-azure-ad-sso) |-| ![logo-Alibaba Cloud Service (Role bases SSO)](./medi)| | +| ![logo-Alibaba Cloud Service (Role based SSO)](./medi)| | | ![logo-Google Cloud Platform](./medi) | | ![logo-Salesforce](./medi) | | ![logo-SAP Cloud Identity Platform](./medi) | -## OneClick SSO --| Logo | Application tutorial for single sign-on | -| : | : | -| ![logo-8x8](./medi)| -| ![logo-AcquireIO](./medi)| -| ![logo-Adobe Identity Management](./medi)| -| ![logo-Aha!](./medi)| -| ![logo-AlertOps](./medi)| -| ![logo-Amplitude](./medi)| -| ![logo-Appraisd](./medi)| -| ![logo-ArcGIS Enterprise](./medi)| -| ![logo-AskYourTeam](./medi)| -| ![logo-Atlassian Cloud](./medi)| -| ![logo-AWS Single Sign-On](./medi)| -| ![logo-Box](./medi)| -| ![logo-CakeHR](./medi)| -| ![logo-Carbonite Endpoint Backup](./medi)| -| ![logo-Cisco Webex](./medi)| -| ![logo-Citrix ShareFile](./medi)| -| ![logo-Concur Travel and Expense](./medi)| -| ![logo-Deskradar](./medi)| -| ![logo-Displayr](./medi)| -| ![logo-dmarcian](./medi)| -| ![logo-DocuSign](./medi)| -| ![logo-Dome9 Arc](./medi)| -| ![logo-Drift](./medi)| -| ![logo-Dropbox for Business](./medi)| -| ![logo-EasySSO for Bamboo](./medi)| -| ![logo-EasySSO for BitBucket](./medi)| -| ![logo-EasySSO for Confluence](./medi)| -| ![logo-Ekarda](./medi)| -| ![logo-Elium](./medi)| -| ![logo-Envoy](./medi)| -| ![logo-Evernote](./medi)| -| ![logo-ExpenseIn](./medi)| -| ![logo-EZOfficeInventory](./medi)| -| ![logo-FAX.PLUS](./medi)| -| ![logo-Foodee](./medi)| -| ![logo-Freedcamp](./medi)| -| ![logo-Freshservice](./medi)| -| ![logo-Harness](./medi)| -| ![logo-Help Scout](./medi)| -| 
![logo-Hightail](./medi)| -| ![logo-HRworks Single Sign-On](./medi)| -| ![logo-InVision](./medi)| -| ![logo-Jamf Pro](./medi)| -| ![logo-Kanbanize](./medi)| -| ![logo-Kendis - Azure AD Integration](./medi)| -| ![logo-Knowledge Anywhere LMS](./medi)| -| ![logo-Litmus](./medi)| -| ![logo-LogMeIn](./medi)| -| ![logo-Marketo](./medi)| -| ![logo-Meraki Dashboard](./medi)| -| ![logo-monday.com](./medi)| -| ![logo-MyWorkDrive](./medi)| -| ![logo-Nuclino](./medi)| -| ![logo-OneDesk](./medi)| -| ![logo-OpsGenie](./medi)| -| ![logo-People](./medi)| -| ![logo-Perimeter 81](./medi)| -| ![logo-productboard](./medi)| -| ![logo-PurelyHR](./medi)| -| ![logo-RingCentral](./medi)| -| ![logo-Saba Cloud](./medi)| -| ![logo-Salesforce](./medi)| -| ![logo-SAP Cloud Platform Identity Authentication](./medi)| -| ![logo-ScaleX Enterprise](./medi)| -| ![logo-Screencast-O-Matic](./medi)| -| ![logo-Slack](./medi)| -| ![logo-SmartDraw](./medi)| -| ![logo-Soloinsight-CloudGate SSO](./medi)| -| ![logo-StatusPage](./medi)| -| ![logo-Tableau Online](./medi)| -| ![logo-TargetProcess](./medi)| -| ![logo-Teamphoria](./medi)| -| ![logo-Terraform Cloud](./medi)| -| ![logo-TextMagic](./medi)| -| ![logo-Timeclock 365 SAML](./medi)| -| ![logo-Upshotly](./medi)| -| ![logo-Velpic SAML](./medi)| -| ![logo-Wandera](./medi)| -| ![logo-Watch by Colors](./medi)| -| ![logo-Way We Do](./medi)| -| ![logo-Whimsical](./medi)| -| ![logo-WhosOffice](./medi)| -| ![logo-Wootric](./medi)| -| ![logo-Workplace by Facebook](./medi)| -| ![logo-Workteam](./medi)| -| ![logo-XaitPorter](./medi)| -| ![logo-Yodeck](./medi)| -| ![logo-Zendesk](./medi)| -| ![logo-Zoom](./medi)| -| ![logo-Zscaler](./medi)| -| ![logo-Zscaler Beta](./medi)| -| ![logo-Zscaler One](./medi)| -| ![logo-Zscaler Private Access (ZPA)](./medi)| -| ![logo-Zscaler Three](./medi)| -| ![logo-Zscaler Two](./medi)| -| ![logo-Zscaler ZSCloud](./medi)| - ## Next steps To learn more about application management, see [What is application 
management](../manage-apps/what-is-application-management.md). |
active-directory | Upshotly Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/upshotly-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a ## Configure Upshotly SSO -1. To automate the configuration within Upshotly, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. - ![My apps extension](common/install-myappssecure-extension.png) -2. After adding extension to the browser, click on **Set up Upshotly** will direct you to the Upshotly application. From there, provide the admin credentials to sign into Upshotly. The browser extension will automatically configure the application for you and automate steps 3-4. - ![Setup configuration](common/setup-sso.png) --3. If you want to setup Upshotly manually, in a different web browser window, sign in to your Upshotly company site as an administrator. +1. In a different web browser window, sign in to your Upshotly company site as an administrator 1. Click on the **User Profile** and navigate to **Admin > SSO** and perform the following steps: |
active-directory | Velpicsaml Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/velpicsaml-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a ## Configure Velpic SAML SSO -1. To automate the configuration within Velpic SAML, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. - ![My apps extension](common/install-myappssecure-extension.png) -2. After adding extension to the browser, click on **Set up Velpic SAML** will direct you to the Velpic SAML application. From there, provide the admin credentials to sign into Velpic SAML. The browser extension will automatically configure the application for you and automate steps 3-8. - ![Setup configuration](common/setup-sso.png) --3. If you want to setup Velpic SAML manually, open a new web browser window and sign into your Velpic SAML company site as an administrator and perform the following steps: +1. In a different web browser window, sign in to your Velpic SAML company site as an administrator 4. Click on **Manage** tab and go to **Integration** section where you need to click on **Plugins** button to create new plugin for Sign-In. |
active-directory | Wandera Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/wandera-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a ## Configure Wandera RADAR Admin SSO -1. To automate the configuration within Wandera RADAR Admin, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. - ![My apps extension](common/install-myappssecure-extension.png) -2. After adding extension to the browser, click on **Setup Wandera RADAR Admin** will direct you to the Wandera RADAR Admin application. From there, provide the admin credentials to sign into Wandera RADAR Admin. The browser extension will automatically configure the application for you and automate steps 3-4. - ![Setup configuration](common/setup-sso.png) --3. If you want to setup Wandera RADAR Admin manually, open a new web browser window and sign into your Wandera RADAR Admin company site as an administrator and perform the following steps: +1. In a different web browser window, sign in to your Wandera RADAR Admin company site as an administrator 4. On the top-right corner of the page, click on **Settings** > **Administration** > **Single Sign-On** and then check the option **Enable SAML 2.0** to perform the following steps. |
active-directory | Watch By Colors Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/watch-by-colors-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a ## Configure Watch by Colors SSO -1. To automate the configuration within Watch by Colors, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. - ![My apps extension](common/install-myappssecure-extension.png) -2. After adding extension to the browser, click on **setup Watch by Colors** will direct you to the Watch by Colors application. From there, provide the admin credentials to sign into Watch by Colors. The browser extension will automatically configure the application for you and automate steps 3-5. - ![Setup configuration](common/setup-sso.png) --3. If you want to setup Watch by Colors manually, open a new web browser window and sign into your Watch by Colors company site as an administrator and perform the following steps: +1. In a different web browser window, sign in to your Watch by Colors company site as an administrator 4. On the top-right corner of the page, click on **profile** > **Account Settings** > **SSO (Single Sign On)**. |
active-directory | Waywedo Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/waywedo-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a ## Configure Way We Do SSO -1. To automate the configuration within Way We Do, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. - ![My apps extension](common/install-myappssecure-extension.png) -1. After adding extension to the browser, click on **Setup Way We Do** will direct you to the Way We Do application. From there, provide the admin credentials to sign into Way We Do. The browser extension will automatically configure the application for you and automate steps 3-6. - ![Setup configuration](common/setup-sso.png) --1. If you want to setup Way We Do manually, open a new web browser window and sign into your Way We Do company site as an administrator and perform the following steps: +1. In a different web browser window, sign in to your Way We Do company site as an administrator 1. Click the **person icon** in the top right corner of any page in Way We Do, then click **Account** in the dropdown menu. |
active-directory | Webcargo Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/webcargo-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a ## Configure Webcargo SSO -1. To automate the configuration within Webcargo, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. - ![My apps extension](common/install-myappssecure-extension.png) -1. After adding extension to the browser, click on **Set up Webcargo** will direct you to the Webcargo Single Sign-On application. From there, provide the admin credentials to sign in to Webcargo Single Sign-On. The browser extension will automatically configure the application for you and automate steps 3-6. - ![Setup configuration](common/setup-sso.png) --1. If you want to set up Webcargo manually, open a new web browser window and sign in to your Webcargo company site as an administrator and perform the following steps: +1. In a different web browser window, sign in to your up Webcargo company site as an administrator 1. Click on **Team** at the left side navigation and select **SSO idP** tab then, enable the **Microsoft Azure**. |
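Review bot: the added line "sign in to your up Webcargo company site as an administrator" has the same stray "up" as the other tutorials in this batch (a remnant of "set up") and no terminating period; suggest "+1. In a different web browser window, sign in to your Webcargo company site as an administrator." to match the wording used in the Upshotly and Whimsical hunks.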
active-directory | Whimsical Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/whimsical-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a ## Configure Whimsical SSO -1. To automate the configuration within Whimsical, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. - ![My apps extension](common/install-myappssecure-extension.png) -2. After adding extension to the browser, click on **Set up Whimsical** will direct you to the Whimsical application. From there, provide the admin credentials to sign into Whimsical. The browser extension will automatically configure the application for you and automate steps 3-4. - ![Setup configuration](common/setup-sso.png) --3. If you want to setup Whimsical manually, in a different web browser window, sign in to your Whimsical company site as an administrator. +1. In a different web browser window, sign in to your Whimsical company site as an administrator 4. To configure single sign-on on the **Whimsical** side, you need to upload the **Federation Metadata XML** you just downloaded to your [workspace settings](https://whimsical.com/workspace/settings). |
active-directory | Whosoffice Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/whosoffice-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a ## Configure WhosOffice SSO -1. To automate the configuration within WhosOffice, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. - ![My apps extension](common/install-myappssecure-extension.png) -2. After adding extension to the browser, click on **Set up WhosOffice** will direct you to the WhosOffice application. From there, provide the admin credentials to sign into WhosOffice. The browser extension will automatically configure the application for you and automate steps 3-7. - ![Setup configuration](common/setup-sso.png) --3. If you want to setup WhosOffice manually, in a different web browser window, sign in to your WhosOffice company site as an administrator. +1. In a different web browser window, sign in to your WhosOffice company site as an administrator 1. Click on **Settings** and select **Company**. |
active-directory | Wootric Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/wootric-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a ## Configure Wootric SSO -1. To automate the configuration within Wootric, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. - ![My apps extension](common/install-myappssecure-extension.png) -2. After adding extension to the browser, click on **Set up Wootric** will direct you to the Wootric application. From there, provide the admin credentials to sign into Wootric. The browser extension will automatically configure the application for you and automate steps 3-6. - ![Setup configuration](common/setup-sso.png) --3. If you want to setup Wootric manually, in a different web browser window, sign in to your Wootric company site as an administrator. +1. In a different web browser window, sign in to your Wootric company site as an administrator 1. Click on **Settings Icon** from the top menu. |
active-directory | Workplacebyfacebook Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/workplacebyfacebook-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a ## Configure Workplace by Meta SSO -1. To automate the configuration within Workplace by Meta, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. - ![My apps extension](common/install-myappssecure-extension.png) -1. After adding extension to the browser, click on **Set up Workplace by Meta** will direct you to the Workplace by Meta application. From there, provide the admin credentials to sign into Workplace by Meta. The browser extension will automatically configure the application for you and automate steps 3-5. - ![Setup configuration](common/setup-sso.png) --1. If you want to setup Workplace by Meta manually, open a new web browser window and sign into your Workplace by Meta company site as an administrator and perform the following steps: +1. In a different web browser window, sign in to your Workplace by Meta company site as an administrator > [!NOTE] > As part of the SAML authentication process, Workplace may utilize query strings of up to 2.5 kilobytes in size in order to pass parameters to Azure AD. |
active-directory | Workteam Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/workteam-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a ## Configure Workteam SSO -1. To automate the configuration within Workteam, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. - ![My apps extension](common/install-myappssecure-extension.png) -2. After adding extension to the browser, click on **Setup Workteam** will direct you to the Workteam application. From there, provide the admin credentials to sign into Workteam. The browser extension will automatically configure the application for you and automate steps 3-6. - ![Setup configuration](common/setup-sso.png) --3. If you want to setup Workteam manually, open a new web browser window and sign into your Workteam company site as an administrator and perform the following steps: +1. In a different web browser window, sign in to your Workteam company site as an administrator 4. In the top right corner click on **profile logo** and then click on **Organization settings**. |
active-directory | Xaitporter Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/xaitporter-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a ## Configure XaitPorter SSO -1. To automate the configuration within XaitPorter, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. - ![My apps extension](common/install-myappssecure-extension.png) -2. After adding extension to the browser, click on **Setup XaitPorter** will direct you to the XaitPorter application. From there, provide the admin credentials to sign into XaitPorter. The browser extension will automatically configure the application for you and automate steps 3-6. - ![Setup configuration](common/setup-sso.png) --3. If you want to setup XaitPorter manually, open a new web browser window and sign into your XaitPorter company site as an administrator and perform the following steps: +1. In a different web browser window, sign in to your XaitPorter company site as an administrator 4. Click on **Admin**. |
active-directory | Yodeck Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/yodeck-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a 1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure Yodeck SSO--1. To automate the configuration within **Yodeck**, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. -- ![Screenshot shows the Install the extension button.](./media/target-process-tutorial/install_extension.png) --1. After adding extension to the browser, click on **setup Yodeck** will direct you to the Yodeck application. From there, provide the admin credentials to sign into Yodeck. The browser extension will automatically configure the application for you and automate steps 3-5. -- ![Setup configuration](common/setup-sso.png) -- **If you want to configure the application manually perform the following steps:** - 1. In a different web browser window, sign in to your Yodeck company site as an administrator. 1. Click on **User Settings** option from the top right corner of the page and select **Account Settings**. |
active-directory | Zendesk Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/zendesk-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a ## Configure Zendesk SSO You can set up one SAML configuration for team members and a second SAML configuration for end users.--1. To automate the configuration within **Zendesk**, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. -- ![Screenshot shows the Install the extension button.](./media/target-process-tutorial/install_extension.png) --1. After adding extension to the browser, click on **setup Zendesk** will direct you to the Zendesk application. From there, provide the admin credentials to sign into Zendesk. The browser extension will automatically configure the application for you and automate steps 3-6. -- ![Setup configuration](common/setup-sso.png) --1. If you want to set up Zendesk manually, open a new web browser window and sign into your Zendesk company site as an administrator and perform the following steps: +1. In a different web browser window, sign in to your up Zendesk company site as an administrator 1. In the **Zendesk Admin Center**, go to **Account -> Security -> Single sign-on**, then click **Create SSO configuration** and select **SAML**. |
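Review bot: "sign in to your up Zendesk company site as an administrator" in the added line contains a leftover "up" from the removed "set up Zendesk manually" wording and is missing its period; suggest "+1. In a different web browser window, sign in to your Zendesk company site as an administrator." The removed sentence "perform the following steps:" is not carried over, so the following item "In the **Zendesk Admin Center**, go to ..." now stands without an introduction; consider keeping that phrase.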
active-directory | Zoom Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/zoom-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a ## Configure Zoom SSO -1. To automate the configuration within Zoom, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. - ![My apps extension](common/install-myappssecure-extension.png) -2. After adding extension to the browser, click on **Set up Zoom** will direct you to the Zoom application. From there, provide the admin credentials to sign into Zoom. The browser extension will automatically configure the application for you and automate steps 3-6. - ![Setup configuration](common/setup-sso.png) --3. If you want to setup Zoom manually, in a different web browser window, sign in to your Zoom company site as an administrator. +1. In a different web browser window, sign in to your Zoom company site as an administrator 2. Click the **Single Sign-On** tab. |
active-directory | Zscaler One Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/zscaler-one-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a 1. In the **Add Assignment** dialog, click the **Assign** button. ### Configure Zscaler One SSO--1. To automate the configuration within Zscaler One, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. -- ![My apps extension](common/install-myappssecure-extension.png) --2. After adding extension to the browser, click on **Setup Zscaler One** will direct you to the Zscaler One application. From there, provide the admin credentials to sign into Zscaler One. The browser extension will automatically configure the application for you and automate steps 3-6. -- ![Setup sso](common/setup-sso.png) --3. If you want to setup Zscaler One manually, open a new web browser window and sign into your Zscaler One company site as an administrator and perform the following steps: +1. In a different web browser window, sign in to your Zscaler One company site as an administrator 4. Go to **Administration > Authentication > Authentication Settings** and perform the following steps: |
active-directory | Zscaler Three Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/zscaler-three-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a 1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure Zscaler Three SSO--1. To automate the configuration within Zscaler Three, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. -- ![My apps extension](common/install-myappssecure-extension.png) --2. After adding extension to the browser, click on **Setup Zscaler Three** will direct you to the Zscaler Three application. From there, provide the admin credentials to sign into Zscaler Three. The browser extension will automatically configure the application for you and automate steps 3-6. -- ![Setup](common/setup-sso.png) --3. If you want to setup Zscaler Three manually, open a new web browser window and sign into your Zscaler Three company site as an administrator and perform the following steps: +1. In a different web browser window, sign in to your Zscaler Three company site as an administrator 4. Go to **Administration > Authentication > Authentication Settings** and perform the following steps: |
active-directory | Zscaler Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/zscaler-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a 1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure Zscaler SSO--1. To automate the configuration within Zscaler, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. -- ![My apps extension](common/install-myappssecure-extension.png) --1. After adding extension to the browser, click on **Setup Zscaler** will direct you to the Zscaler application. From there, provide the admin credentials to sign into Zscaler. The browser extension will automatically configure the application for you and automate steps 3-6. -- ![Setup SSO](common/setup-sso.png) --1. If you want to setup Zscaler manually, open a new web browser window and sign into your Zscaler company site as an administrator and perform the following steps: +1. In a different web browser window, sign in to your Zscaler company site as an administrator 1. Go to **Administration > Authentication > Authentication Settings** and perform the following steps: |
active-directory | Zscaler Two Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/zscaler-two-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a 1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure Zscaler Two SSO--1. To automate the configuration within Zscaler Two, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. -- ![My apps extension](common/install-myappssecure-extension.png) --2. After adding extension to the browser, click on **Setup Zscaler Two** will direct you to the Zscaler Two application. From there, provide the admin credentials to sign into Zscaler Two. The browser extension will automatically configure the application for you and automate steps 3-6. -- ![Setup sso](common/setup-sso.png) --3. If you want to setup Zscaler Two manually, open a new web browser window and sign into your Zscaler Two company site as an administrator and perform the following steps: +1. In a different web browser window, sign in to your Zscaler Two company site as an administrator 4. Go to **Administration > Authentication > Authentication Settings** and perform the following steps: |
active-directory | Zscaler Zscloud Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/zscaler-zscloud-tutorial.md | In this section, you enable Britta Simon to use Azure single sign-on by granting > Default access role is not supported as this will break provisioning, so the default role cannot be selected while assigning user. ## Configure Zscaler ZSCloud SSO--1. To automate the configuration within Zscaler ZSCloud, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. -- ![My apps extension](common/install-myappssecure-extension.png) --2. After adding extension to the browser, click on **Setup Zscaler ZSCloud** will direct you to the Zscaler ZSCloud application. From there, provide the admin credentials to sign into Zscaler ZSCloud. The browser extension will automatically configure the application for you and automate steps 3-6. -- ![Setup sso](common/setup-sso.png) --3. If you want to setup Zscaler ZSCloud manually, open a new web browser window and sign into your Zscaler ZSCloud company site as an administrator and perform the following steps: +1. In a different web browser window, sign in to your Zscaler ZSCloud company site as an administrator 4. Go to **Administration > Authentication > Authentication Settings** and perform the following steps: |
active-directory | Zscalerprivateaccess Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/zscalerprivateaccess-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a ## Configure Zscaler Private Access (ZPA) SSO -1. To automate the configuration within Zscaler Private Access (ZPA), you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**. - ![My apps extension](common/install-myappssecure-extension.png) -2. After adding extension to the browser, click on **Setup Zscaler Private Access (ZPA)** will direct you to the Zscaler Private Access (ZPA) application. From there, provide the admin credentials to sign into Zscaler Private Access (ZPA). The browser extension will automatically configure the application for you and automate steps 3-6. - ![Setup configuration](common/setup-sso.png) --3. If you want to setup Zscaler Private Access (ZPA) manually, open a new web browser window and sign into your Zscaler Private Access (ZPA) company site as an administrator and perform the following steps: +1. In a different web browser window, sign in to your Zscaler Private Access (ZPA) company site as an administrator 4. From the left side of menu, click **Administration** and navigate to **AUTHENTICATION** section click **IdP Configuration**. |
active-directory | Configure Cmmc Level 1 Controls | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/standards/configure-cmmc-level-1-controls.md | The following table provides a list of practice statement and objectives, and Az | CMMC practice statement and objectives | Azure AD guidance and recommendations | | - | - | | AC.L1-3.1.1<br><br>**Practice statement:** Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).<br><br>**Objectives:**<br>Determine if:<br>[a.] authorized users are identified;<br>[b.] processes acting on behalf of authorized users are identified;<br>[c.] devices (and other systems) authorized to connect to the system are identified;<br>[d.] system access is limited to authorized users;<br>[e.] system access is limited to processes acting on behalf of authorized users; and<br>[f.] system access is limited to authorized devices (including other systems). | You're responsible for setting up Azure AD accounts, which is accomplished from external HR systems, on-premises Active Directory, or directly in the cloud. You configure Conditional Access to only grant access from a known (Registered/Managed) device. In addition, apply the concept of least privilege when granting application permissions. Where possible, use delegated permission. 
<br><br>Set up users<br><li>[Plan cloud HR application to Azure Active Directory user provisioning](../app-provisioning/plan-cloud-hr-provision.md) <li>[Azure AD Connect sync: Understand and customize synchronization](../hybrid/how-to-connect-sync-whatis.md)<li>[Add or delete users ΓÇô Azure Active Directory](../fundamentals/add-users-azure-active-directory.md)<br><br>Set up devices<li>[What is device identity in Azure Active Directory](../devices/overview.md)<br><br>Configure applications<li>[QuickStart: Register an app in the Microsoft identity platform](../develop/quickstart-register-app.md)<li>[Microsoft identity platform scopes, permissions, & consent](../develop/v2-permissions-and-consent.md)<li>[Securing service principals in Azure Active Directory](../fundamentals/service-accounts-principal.md)<br><br>Conditional access<li>[What is Conditional Access in Azure Active Directory](../conditional-access/overview.md)<li>[Conditional Access require managed device](../conditional-access/require-managed-devices.md) |-| AC.L1-3.1.2<br><br>**Practice statement:** Limit information system access to the types of transactions and functions that authorized users are permitted to execute.<br><br>**Objectives:**<br>Determine if:<br>[a.] the types of transactions and functions that authorized users are permitted to execute are defined; and<br>[b.] system access is limited to the defined types of transactions and functions for authorized users. | You're responsible for configuring access controls such as Role Based Access Controls (RBAC) with built-in or custom roles. Use role assignable groups to manage role assignments for multiple users requiring same access. Configure Attribute Based Access Controls (ABAC) with default or custom security attributes. 
The objective is to granularly control access to resources protected with Azure AD.<br><br>Set up RBAC<li>[Overview of role-based access control in Active Directory ](../roles/custom-overview.md)[Azure AD built-in roles](../roles/permissions-reference.md)<li>[Create and assign a custom role in Azure Active Directory](../roles/custom-create.md)<br><br>Set up ABAC<li>[What is Azure attribute-based access control (Azure ABAC)](../../role-based-access-control/conditions-overview.md)<li>[What are custom security attributes in Azure AD?](../fundamentals/custom-security-attributes-overview.md)<br><br>Configure groups for role assignment<li>[Use Azure AD groups to manage role assignments](../roles/groups-concept.md) | -| AC.L1-3.1.20<br><br>**Practice statement:** Verify and control/limit connections to and use of external information systems.<br><br>**Objectives:**<br>Determine if:<br>[a.] connections to external systems are identified;<br>[b.] the use of external systems is identified;<br>[c.] connections to external systems are verified;<br>[d.] the use of external systems is verified;<br>[e.] connections to external systems are controlled and or limited; and<br>[f.] the use of external systems is controlled and or limited. | You're responsible for configuring conditional access policies using device controls and or network locations to control and or limit connections and use of external systems. 
Configure Terms of Use (TOU) for recorded user acknowledgment of terms and conditions for use of external systems for access.<br><br>Set up Conditional Access as required<li>[What is Conditional Access?](../conditional-access/overview.md)<li>[Require managed devices for cloud app access with Conditional Access](../conditional-access/require-managed-devices.md)<li>[Require device to be marked as compliant](../conditional-access/require-managed-devices.md)<li>[Conditional Access: Filter for devices](../conditional-access/concept-condition-filters-for-devices.md)<br><br>Use Conditional Access to block access<li>[Conditional Access - Block access by location](../conditional-access/howto-conditional-access-policy-location.md)<br><br>Configure terms of use<li>[Terms of use](../conditional-access/terms-of-use.md)<li>[Conditional Access require terms of use ](../conditional-access/require-tou.md) | -| AC.L1-3.1.22<br><br>**Practice statement:** Control information posted or processed on publicly accessible information systems.<br><br>**Objectives:**<br>Determine if:<br>[a.] individuals authorized to post or process information on publicly accessible systems are identified;<br>[b.] procedures to ensure FCI isn't posted or processed on publicly accessible systems are identified;<br>[c.] a review process is in place prior to posting of any content to publicly accessible systems; and<br>[d.] content on publicly accessible systems is reviewed to ensure that it doesn't include federal contract information (FCI). | You're responsible for configuring Privileged Identity Management (PIM) to manage access to systems where posted information is publicly accessible. Require approvals with justification prior to role assignment in PIM. 
Configure Terms of Use (TOU) for systems where posted information is publicly accessible for recorded acknowledgment of terms and conditions for posting of publicly accessible information.<br><br>Plan PIM deployment<li>[What is Privileged Identity Management?](../privileged-identity-management/pim-configure.md)<li>[Plan a Privileged Identity Management deployment](../privileged-identity-management/pim-deployment-plan.md)<br><br>Configure terms of use<li>[Terms of use](../conditional-access/terms-of-use.md)<li>[Conditional Access require terms of use ](../conditional-access/require-tou.md)<li>[Configure Azure AD role settings in PIM - Require Justification](../privileged-identity-management/pim-how-to-change-default-settings.md) | +| AC.L1-3.1.2<br><br>**Practice statement:** Limit information system access to the types of transactions and functions that authorized users are permitted to execute.<br><br>**Objectives:**<br>Determine if:<br>[a.] the types of transactions and functions that authorized users are permitted to execute are defined; and<br>[b.] system access is limited to the defined types of transactions and functions for authorized users. | You're responsible for configuring access controls such as Role Based Access Controls (RBAC) with built-in or custom roles. Use role assignable groups to manage role assignments for multiple users requiring same access. Configure Attribute Based Access Controls (ABAC) with default or custom security attributes. 
The objective is to granularly control access to resources protected with Azure AD.<br><br>Set up RBAC<li>[Overview of role-based access control in Active Directory](../roles/custom-overview.md)[Azure AD built-in roles](../roles/permissions-reference.md)<li>[Create and assign a custom role in Azure Active Directory](../roles/custom-create.md)<br><br>Set up ABAC<li>[What is Azure attribute-based access control (Azure ABAC)](../../role-based-access-control/conditions-overview.md)<li>[What are custom security attributes in Azure AD?](../fundamentals/custom-security-attributes-overview.md)<br><br>Configure groups for role assignment<li>[Use Azure AD groups to manage role assignments](../roles/groups-concept.md) | +| AC.L1-3.1.20<br><br>**Practice statement:** Verify and control/limit connections to and use of external information systems.<br><br>**Objectives:**<br>Determine if:<br>[a.] connections to external systems are identified;<br>[b.] the use of external systems is identified;<br>[c.] connections to external systems are verified;<br>[d.] the use of external systems is verified;<br>[e.] connections to external systems are controlled and or limited; and<br>[f.] the use of external systems is controlled and or limited. | You're responsible for configuring conditional access policies using device controls and or network locations to control and or limit connections and use of external systems. 
Configure Terms of Use (TOU) for recorded user acknowledgment of terms and conditions for use of external systems for access.<br><br>Set up Conditional Access as required<li>[What is Conditional Access?](../conditional-access/overview.md)<li>[Require managed devices for cloud app access with Conditional Access](../conditional-access/require-managed-devices.md)<li>[Require device to be marked as compliant](../conditional-access/require-managed-devices.md)<li>[Conditional Access: Filter for devices](../conditional-access/concept-condition-filters-for-devices.md)<br><br>Use Conditional Access to block access<li>[Conditional Access - Block access by location](../conditional-access/howto-conditional-access-policy-location.md)<br><br>Configure terms of use<li>[Terms of use](../conditional-access/terms-of-use.md)<li>[Conditional Access require terms of use](../conditional-access/require-tou.md) | +| AC.L1-3.1.22<br><br>**Practice statement:** Control information posted or processed on publicly accessible information systems.<br><br>**Objectives:**<br>Determine if:<br>[a.] individuals authorized to post or process information on publicly accessible systems are identified;<br>[b.] procedures to ensure FCI isn't posted or processed on publicly accessible systems are identified;<br>[c.] a review process is in place prior to posting of any content to publicly accessible systems; and<br>[d.] content on publicly accessible systems is reviewed to ensure that it doesn't include federal contract information (FCI). | You're responsible for configuring Privileged Identity Management (PIM) to manage access to systems where posted information is publicly accessible. Require approvals with justification prior to role assignment in PIM. 
Configure Terms of Use (TOU) for systems where posted information is publicly accessible for recorded acknowledgment of terms and conditions for posting of publicly accessible information.<br><br>Plan PIM deployment<li>[What is Privileged Identity Management?](../privileged-identity-management/pim-configure.md)<li>[Plan a Privileged Identity Management deployment](../privileged-identity-management/pim-deployment-plan.md)<br><br>Configure terms of use<li>[Terms of use](../conditional-access/terms-of-use.md)<li>[Conditional Access require terms of use](../conditional-access/require-tou.md)<li>[Configure Azure AD role settings in PIM - Require Justification](../privileged-identity-management/pim-how-to-change-default-settings.md) | ## Identification and Authentication (IA) domain The following table provides a list of practice statement and objectives, and Az ### Next steps -* [Configure Azure Active Directory for CMMC compliance](configure-azure-active-directory-for-cmmc-compliance.md) +* [Configure Azure Active Directory for CMMC compliance](configure-for-cmmc-compliance.md) * [Configure CMMC Level 2 Access Control (AC) controls](configure-cmmc-level-2-access-control.md) * [Configure CMMC Level 2 Identification and Authentication (IA) controls](configure-cmmc-level-2-identification-and-authentication.md) * [Configure CMMC Level 2 additional controls](configure-cmmc-level-2-additional-controls.md) |
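Review bot: in the `+` row for AC.L1-3.1.2 the two RBAC links are still run together with nothing separating them: `[Overview of role-based access control in Active Directory](../roles/custom-overview.md)[Azure AD built-in roles](../roles/permissions-reference.md)`. Since the row is being rewritten anyway (trailing spaces dropped from link text), add `<li>` before the second link so each renders as its own bullet. In the `+` row for AC.L1-3.1.20, "Require managed devices for cloud app access with Conditional Access" and "Require device to be marked as compliant" both point at require-managed-devices.md; confirm the second link is meant to go to the same article.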
active-directory | Configure Cmmc Level 2 Access Control | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/standards/configure-cmmc-level-2-access-control.md | The following table provides a list of practice statement and objectives, and Az | CMMC practice statement and objectives | Azure AD guidance and recommendations | | - | - |-| AC.L2-3.1.3<br><br>**Practice statement:** Control the flow of CUI in accordance with approved authorizations.<br><br>**Objectives:**<br>Determine if:<br>[a.] information flow control policies are defined;<br>[b.] methods and enforcement mechanisms for controlling the flow of CUI are defined;<br>[c.] designated sources and destinations (for example, networks, individuals, and devices) for CUI within the system and between intercfeetonnected systems are identified;<br>[d.] authorizations for controlling the flow of CUI are defined; and<br>[e.] approved authorizations for controlling the flow of CUI are enforced. | Configure Conditional Access policies to control the flow of CUI from trusted locations, trusted devices, approved applications and require app protection policy. For finer grained authorization to CUI, configure app-enforced restrictions(Exchange/SharePoint Online), App Control (with Microsoft Defender for Cloud Apps), Authentication Context. 
Deploy Azure AD Application Proxy to secure access to on-premises applications.<br>[Location condition in Azure Active Directory Conditional Access ](../conditional-access/location-condition.md)<br>[Grant controls in Conditional Access policy - Require device to be marked as compliant](../conditional-access/concept-conditional-access-grant.md)<br>[Grant controls in Conditional Access policy - Require hybrid Azure AD joined device](../conditional-access/concept-conditional-access-grant.md)<br>[Grant controls in Conditional Access policy - Require approved client app](../conditional-access/concept-conditional-access-grant.md)<br>[Grant controls in Conditional Access policy - Require app protection policy](../conditional-access/concept-conditional-access-grant.md)<br>[Session controls in Conditional Access policy - Application enforced restrictions](../conditional-access/concept-conditional-access-session.md)<br>[Protect with Microsoft Defender for Cloud Apps Conditional Access App Control](/defender-cloud-apps/proxy-intro-aad)<br>[Cloud apps, actions, and authentication context in Conditional Access policy ](../conditional-access/concept-conditional-access-cloud-apps.md)<br>[Remote access to on-premises apps using Azure AD Application Proxy](../app-proxy/application-proxy.md)<br><br>**Authentication Context**<br>[Configuring Authentication context & Assign to Conditional Access Policy](../conditional-access/concept-conditional-access-cloud-apps.md)<br><br>**Information Protection**<br>Know and protect your data; help prevent data loss.<br>[Protect your sensitive data with Microsoft Purview](/microsoft-365/compliance/information-protection?view=o365-worldwide&preserve-view=true)<br><br>**Conditional Access**<br>[Conditional Access for Azure information protection (AIP)](https://techcommunity.microsoft.com/t5/security-compliance-and-identity/conditional-access-policies-for-azure-information-protection/ba-p/250357) <br><br>**Application Proxy**<br>[Remote access to 
on-premises apps using Azure AD Application Proxy](../app-proxy/application-proxy.md) | +| AC.L2-3.1.3<br><br>**Practice statement:** Control the flow of CUI in accordance with approved authorizations.<br><br>**Objectives:**<br>Determine if:<br>[a.] information flow control policies are defined;<br>[b.] methods and enforcement mechanisms for controlling the flow of CUI are defined;<br>[c.] designated sources and destinations (for example, networks, individuals, and devices) for CUI within the system and between intercfeetonnected systems are identified;<br>[d.] authorizations for controlling the flow of CUI are defined; and<br>[e.] approved authorizations for controlling the flow of CUI are enforced. | Configure Conditional Access policies to control the flow of CUI from trusted locations, trusted devices, approved applications and require app protection policy. For finer grained authorization to CUI, configure app-enforced restrictions(Exchange/SharePoint Online), App Control (with Microsoft Defender for Cloud Apps), Authentication Context. 
Deploy Azure AD Application Proxy to secure access to on-premises applications.<br>[Location condition in Azure Active Directory Conditional Access](../conditional-access/location-condition.md)<br>[Grant controls in Conditional Access policy - Require device to be marked as compliant](../conditional-access/concept-conditional-access-grant.md)<br>[Grant controls in Conditional Access policy - Require hybrid Azure AD joined device](../conditional-access/concept-conditional-access-grant.md)<br>[Grant controls in Conditional Access policy - Require approved client app](../conditional-access/concept-conditional-access-grant.md)<br>[Grant controls in Conditional Access policy - Require app protection policy](../conditional-access/concept-conditional-access-grant.md)<br>[Session controls in Conditional Access policy - Application enforced restrictions](../conditional-access/concept-conditional-access-session.md)<br>[Protect with Microsoft Defender for Cloud Apps Conditional Access App Control](/defender-cloud-apps/proxy-intro-aad)<br>[Cloud apps, actions, and authentication context in Conditional Access policy](../conditional-access/concept-conditional-access-cloud-apps.md)<br>[Remote access to on-premises apps using Azure AD Application Proxy](../app-proxy/application-proxy.md)<br><br>**Authentication Context**<br>[Configuring Authentication context & Assign to Conditional Access Policy](../conditional-access/concept-conditional-access-cloud-apps.md)<br><br>**Information Protection**<br>Know and protect your data; help prevent data loss.<br>[Protect your sensitive data with Microsoft Purview](/microsoft-365/compliance/information-protection?view=o365-worldwide&preserve-view=true)<br><br>**Conditional Access**<br>[Conditional Access for Azure information protection (AIP)](https://techcommunity.microsoft.com/t5/security-compliance-and-identity/conditional-access-policies-for-azure-information-protection/ba-p/250357) <br><br>**Application Proxy**<br>[Remote access to 
on-premises apps using Azure AD Application Proxy](../app-proxy/application-proxy.md) | |AC.L2-3.1.4<br><br>**Practice statement:** Separate the duties of individuals to reduce the risk of malevolent activity without collusion.<br><br>**Objectives:**<br>Determine if:<br>[a.] the duties of individuals requiring separation are defined;<br>[b.] responsibilities for duties that require separation are assigned to separate individuals; and<br>[c.] access privileges that enable individuals to exercise the duties that require separation are granted to separate individuals. | Ensuring adequate separation of duties by scoping appropriate access. Configure Entitlement Management Access packages to govern access to applications, groups, Teams and SharePoint sites. Configure Separation of Duties checks within access packages to avoid a user obtaining excessive access. In Azure AD entitlement management, you can configure multiple policies, with different settings for each user community that will need access through an access package. 
This configuration includes restrictions such that a user of a particular group, or already assigned a different access package, isn't assigned other access packages, by policy.<br><br>Configure administrative units in Azure Active Directory to scope administrative privilege so that administrators with privileged roles are scoped to only have those privileges on limited set of directory objects(users, groups, devices).<br>[What is entitlement management?](../governance/entitlement-management-overview.md)<br>[What are access packages and what resources can I manage with them?](../governance/entitlement-management-overview.md)<br>[Configure separation of duties for an access package in Azure AD entitlement management](../governance/entitlement-management-access-package-incompatible.md)<br>[Administrative units in Azure Active Directory](../roles/administrative-units.md)| | AC.L2-3.1.5<br><br>**Practice statement:** Employ the principle of least privilege, including specific security functions and privileged accounts.<br><br>**Objectives:**<br>Determine if:<br>[a.] privileged accounts are identified;<br>[b.] access to privileged accounts is authorized in accordance with the principle of least privilege;<br>[c.] security functions are identified; and<br>[d.] access to security functions is authorized in accordance with the principle of least privilege. | You're responsible for implementing and enforcing the rule of least privilege. This action can be accomplished with Privileged Identity Management for configuring enforcement, monitoring, and alerting. Set requirements and conditions for role membership.<br><br>Once privileged accounts are identified and managed, use [Entitlement Lifecycle Management](../governance/entitlement-management-overview.md) and [Access reviews](../governance/access-reviews-overview.md) to set, maintain and audit adequate access. 
Use the [MS Graph API](/graph/api/directoryrole-list-members?view=graph-rest-1.0&tabs=http&preserve-view=true) to discover and monitor directory roles.<br><br>**Assign roles**<br>[Assign Azure AD roles in PIM](../privileged-identity-management/pim-how-to-add-role-to-user.md)<br>[Assign Azure resource roles in Privileged Identity Management](../privileged-identity-management/pim-resource-roles-assign-roles.md)<br>[Assign eligible owners and members for PIM for Groups](../privileged-identity-management/groups-assign-member-owner.md)<br><br>**Set role settings** <br>[Configure Azure AD role settings in PIM](../privileged-identity-management/pim-how-to-change-default-settings.md)<br>[Configure Azure resource role settings in PIM](../privileged-identity-management/pim-resource-roles-configure-role-settings.md)<br>[Configure PIM for Groups settings in PIM](../privileged-identity-management/groups-role-settings.md)<br><br>**Set up alerts**<br>[Security alerts for Azure AD roles in PIM](../privileged-identity-management/pim-how-to-configure-security-alerts.md)<br>[Configure security alerts for Azure resource roles in Privileged Identity Management](../privileged-identity-management/pim-resource-roles-configure-alerts.md) | | AC.L2-3.1.6<br><br>**Practice statement:** Use non-privileged accounts or roles when accessing non security functions.<br><br>**Objectives:**<br>Determine if:<br>[a.] non security functions are identified; and <br>[b.] users are required to use non-privileged accounts or roles when accessing non security functions.<br><br>AC.L2-3.1.7<br><br>**Practice statement:** Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.<br><br>**Objectives:**<br>Determine if:<br>[a.] privileged functions are defined;<br>[b.] non-privileged users are defined;<br>[c.] non-privileged users are prevented from executing privileged functions; and<br>[d.] 
the execution of privileged functions is captured in audit logs. |Requirements in AC.L2-3.1.6 and AC.L2-3.1.7 complement each other. Require separate accounts for privilege and non-privileged use. Configure Privileged Identity Management (PIM) to bring just-in-time(JIT) privileged access and remove standing access. Configure role based conditional access policies to limit access to productivity application for privileged users. For highly privileged users, secure devices as part of the privileged access story. All privileged actions are captured in the Azure AD Audit logs.<br>[Securing privileged access overview](/security/compass/overview)<br>[Configure Azure AD role settings in PIM](../privileged-identity-management/pim-how-to-change-default-settings.md)<br>[Users and groups in Conditional Access policy](../conditional-access/concept-conditional-access-users-groups.md)<br>[Why are privileged access devices important](/security/compass/privileged-access-devices) | The following table provides a list of practice statement and objectives, and Az ### Next steps -* [Configure Azure Active Directory for CMMC compliance](configure-azure-active-directory-for-cmmc-compliance.md) +* [Configure Azure Active Directory for CMMC compliance](configure-for-cmmc-compliance.md) * [Configure CMMC Level 1 controls](configure-cmmc-level-1-controls.md) * [Configure CMMC Level 2 Identification and Authentication (IA) controls](configure-cmmc-level-2-identification-and-authentication.md) * [Configure CMMC Level 2 additional controls](configure-cmmc-level-2-additional-controls.md) |
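Review bot: the `+` row for AC.L2-3.1.3 carries the typo in objective [c] forward: "between intercfeetonnected systems" should read "between interconnected systems", and "app-enforced restrictions(Exchange/SharePoint Online)" is missing the space before the parenthesis. Both sit on the line being re-added, so this change is the place to fix them.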
active-directory | Configure Cmmc Level 2 Identification And Authentication | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/standards/configure-cmmc-level-2-identification-and-authentication.md | The following table provides a list of practice statement and objectives, and Az ### Next steps -* [Configure Azure Active Directory for CMMC compliance](configure-azure-active-directory-for-cmmc-compliance.md) +* [Configure Azure Active Directory for CMMC compliance](configure-for-cmmc-compliance.md) * [Configure CMMC Level 1 controls](configure-cmmc-level-1-controls.md) * [Configure CMMC Level 2 Access Control (AC) controls](configure-cmmc-level-2-access-control.md) * [Configure CMMC Level 2 additional controls](configure-cmmc-level-2-additional-controls.md) |
active-directory | Configure For Cmmc Compliance | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/standards/configure-for-cmmc-compliance.md | + + Title: Configure Azure Active Directory for CMMC compliance +description: Learn how to configure Azure AD to meet CMMC requirements. +++++++ Last updated : 1/3/2023++++++# Configure Azure Active Directory for CMMC compliance ++Azure Active Directory helps you meet identity-related practice requirements in each Cybersecurity Maturity Model Certification (CMMC) level. To be compliant with requirements in CMMC, it's the responsibility of companies performing work with, and on behalf of, the US Dept. of Defense (DoD) to complete other configurations or processes. ++In CMMC Level 1, there are three domains that have one or more practices related to identity: ++* Access Control (AC) +* Identification and Authentication (IA) +* System and Information integrity (SI) ++In CMMC Level 2, there are 13 domains that have one or more practices related to identity: ++* Access Control +* Audit & Accountability +* Configuration Management +* Identification & Authentication +* Incident Response +* Maintenance +* Media Protection +* Personnel Security +* Physical Protection +* Risk Assessment +* Security Assessment +* System and Communications Protection +* System and Information Integrity ++The remaining articles in this series provide guidance and links to resources, organized by level and domain. For each domain, there's a table with the relevant controls listed, and links to guidance to accomplish the practice. 
++Learn more: ++* DoD CMMC website - [Office of the Under Secretary of Defense for Acquisition & Sustainment Cybersecurity Maturity Model Certification](https://dodcio.defense.gov/CMMC/) +* Microsoft Download Center - [Microsoft Product Placemat for CMMC 2.0 (preview)](https://www.microsoft.com/download/details.aspx?id=102536) ++### Next steps ++* [Configure CMMC Level 1 controls](configure-cmmc-level-1-controls.md) +* [Configure CMMC Level 2 Access Control (AC) controls](configure-cmmc-level-2-access-control.md) +* [Configure CMMC Level 2 Identification and Authentication (IA) controls](configure-cmmc-level-2-identification-and-authentication.md) +* [Configure CMMC Level 2 additional controls](configure-cmmc-level-2-additional-controls.md) |
active-directory | Configure For Fedramp High Impact | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/standards/configure-for-fedramp-high-impact.md | + + Title: Configure Azure Active Directory to meet FedRAMP High Impact level +description: Overview of how you can meet a FedRAMP High Impact level for your organization by using Azure Active Directory. +++++++++ Last updated : 03/09/2023++++++# Configure Azure Active Directory to meet FedRAMP High Impact level ++The [Federal Risk and Authorization Management Program](https://www.fedramp.gov/) (FedRAMP) is an assessment and authorization process for cloud service providers (CSPs). Specifically, the process is for CSPs that create cloud solution offerings (CSOs) for use with federal agencies. Azure and Azure Government have earned a [Provisional Authority to Operate (P-ATO) at the High Impact level](/compliance/regulatory/offering-fedramp) from the Joint Authorization Board, the highest bar for FedRAMP accreditation. ++Azure provides the capability to fulfill all control requirements to achieve a FedRAMP high rating for your CSO, or as a federal agency. It's your organization’s responsibility to complete additional configurations or processes to be compliant. This responsibility applies to both CSPs seeking a FedRAMP high authorization for their CSO, and federal agencies seeking an Authority to Operate (ATO). ++## Microsoft and FedRAMP ++Microsoft Azure supports more services at [FedRAMP High Impact](../../azure-government/compliance/azure-services-in-fedramp-auditscope.md) levels than any other CSP. And while this level in the Azure public cloud meets the needs of many US government customers, agencies with more stringent requirements might rely on the Azure Government cloud. Azure Government provides additional safeguards, such as the heightened screening of personnel. ++Microsoft is required to recertify its cloud services each year to maintain its authorizations. 
To do so, Microsoft continuously monitors and assesses its security controls, and demonstrates that the security of its services remains in compliance. For more information, see [Microsoft cloud services FedRAMP authorizations](https://marketplace.fedramp.gov/), and [Microsoft FedRAMP Audit Reports](https://aka.ms/MicrosoftFedRAMPAuditDocuments). To receive other FedRAMP reports, send email to [Azure Federal Documentation](mailto:AzFedDoc@microsoft.com). ++There are multiple paths towards FedRAMP authorization. You can reuse the existing authorization package of Azure and the guidance here to significantly reduce the time and effort required to obtain an ATO or a P-ATO. ++## Scope of guidance ++The FedRAMP high baseline is made up of 421 controls and control enhancements from [NIST 800-53 Security Controls Catalog Revision 4](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final). Where applicable, we included clarifying information from the [800-53 Revision 5](https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final). This article set covers a subset of these controls that are related to identity, and which you must configure. ++We provide prescriptive guidance to help you achieve compliance with controls you're responsible for configuring in Azure Active Directory (Azure AD). To fully address some identity control requirements, you might need to use other systems. Other systems might include a security information and event management tool, such as Microsoft Sentinel. If you're using Azure services outside of Azure Active Directory, there will be other controls you need to consider, and you can use the capabilities Azure already has in place to meet the controls. 
++The following is a list of FedRAMP resources: ++* [Federal Risk and Authorization Management Program](https://www.fedramp.gov/) ++* [FedRAMP Security Assessment Framework](https://reciprocity.com/blog/conducting-a-fedramp-risk-assessment/) ++* [Agency Guide for FedRAMP Authorizations](https://www.fedramp.gov/assets/resources/documents/Agency_Authorization_Playbook.pdf) ++* [Managing compliance in the cloud at Microsoft](https://www.microsoft.com/trustcenter/common-controls-hub) ++* [Microsoft Government Cloud](https://go.microsoft.com/fwlink/p/?linkid=2087246) ++* [Azure Compliance Offerings](https://aka.ms/azurecompliance) ++* [FedRAMP High Azure Policy built-in initiative definition](../../governance/policy/samples/fedramp-high.md) ++* [Microsoft Purview compliance portal](/microsoft-365/compliance/microsoft-365-compliance-center) ++* [Microsoft Purview Compliance Manager](/microsoft-365/compliance/compliance-manager) ++## Next steps ++[Configure access controls](fedramp-access-controls.md) ++[Configure identification and authentication controls](fedramp-identification-and-authentication-controls.md) ++[Configure other controls](fedramp-other-controls.md) |
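Review bot: in the FedRAMP resources list, the "FedRAMP Security Assessment Framework" entry links to a third-party blog (reciprocity.com) while every neighbouring entry links to fedramp.gov or a Microsoft page; point it at the FedRAMP program's own Security Assessment Framework document on fedramp.gov so the list stays authoritative.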
active-directory | Fedramp Access Controls | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/standards/fedramp-access-controls.md | Each row in the following table provides prescriptive guidance to help you devel ## Next steps -- [FedRAMP compliance overview](configure-azure-active-directory-for-fedramp-high-impact.md)+- [FedRAMP compliance overview](configure-for-fedramp-high-impact.md) - [Configure identification and authentication controls to meet FedRAMP High Impact level](fedramp-identification-and-authentication-controls.md) - [Configure additional controls to meet FedRAMP High Impact level](fedramp-other-controls.md) |
active-directory | Pci Requirement 1 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/standards/pci-requirement-1.md | -|**1.2.1** Configuration standards for NSC rulesets are: </br> Defined </br> Implemented </br> Maintained|Integrate access technologies such as VPN, remote desktop, and network access points with Azure AD for authentication and authorization, if the access technologies support modern authentication. Ensure NSC standards, which pertain to identity-related controls, include definition of Conditional Access policies, application assignment, access reviews, group management, credential policies, etc. [Azure AD operations reference guide](../fundamentals/active-directory-ops-guide-intro.md)| +|**1.2.1** Configuration standards for NSC rulesets are: </br> Defined </br> Implemented </br> Maintained|Integrate access technologies such as VPN, remote desktop, and network access points with Azure AD for authentication and authorization, if the access technologies support modern authentication. Ensure NSC standards, which pertain to identity-related controls, include definition of Conditional Access policies, application assignment, access reviews, group management, credential policies, etc. [Azure AD operations reference guide](../fundamentals/ops-guide-intro.md)| |**1.2.2** All changes to network connections and to configurations of NSCs are approved and managed in accordance with the change control process defined at Requirement 6.5.1|Not applicable to Azure AD.| |**1.2.3** An accurate network diagram(s) is maintained that shows all connections between the cardholder data environment (CDE) and other networks, including any wireless networks.|Not applicable to Azure AD.| |**1.2.4** An accurate data-flow diagram(s) is maintained that meets the following: </br> Shows all account data flows across systems and networks. </br> Updated as needed upon changes to the environment.|Not applicable to Azure AD.| |
active-directory | Standards Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/standards/standards-overview.md | To learn more about supported compliance frameworks, see [Azure compliance offer * See, Standards documentation [Implement identity standards with Azure Active Directory](index.yml) * [Configure Azure Active Directory to achieve NIST authenticator assurance levels](nist-overview.md)-* [Configure Azure Active directory to meet FedRAMP High Impact level](configure-azure-active-directory-for-fedramp-high-impact.md) +* [Configure Azure Active directory to meet FedRAMP High Impact level](configure-for-fedramp-high-impact.md) |
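Review bot: both the removed and the added line spell the product as "Azure Active directory" with a lowercase "directory"; while the link is being retargeted, capitalize it to "Azure Active Directory" to match the neighbouring entries.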
aks | Cluster Container Registry Integration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/cluster-container-registry-integration.md | If you don't already have an ACR, create one using the following command. ```azurecli # Set this variable to the name of your ACR. The name must be globally unique.+# Connected registry name must use only lowercase -MYACR=myContainerRegistry +MYACR=mycontainerregistry az acr create -n $MYACR -g myContainerRegistryResourceGroup --sku basic ``` az acr create -n $MYACR -g myContainerRegistryResourceGroup --sku basic ```azurepowershell # Set this variable to the name of your ACR. The name must be globally unique.+# Connected registry name must use only lowercase -$MYACR = 'myContainerRegistry' +$MYACR = 'mycontainerregistry' New-AzContainerRegistry -Name $MYACR -ResourceGroupName myContainerRegistryResourceGroup -Sku Basic ``` If you already have an ACR, use the following command to create a new AKS cluste ```azurecli # Set this variable to the name of your ACR. The name must be globally unique.+# Connected registry name must use only lowercase -MYACR=myContainerRegistry +MYACR=mycontainerregistry # Create an AKS cluster with ACR integration. This command may take several minutes to complete. ```azurepowershell # Set this variable to the name of your ACR. The name must be globally unique.--$MYACR = 'myContainerRegistry' +# Connected registry name must use only lowercase + +$MYACR = 'mycontainerregistry' # Create an AKS cluster with ACR integration. |
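Review bot: The new comment `# Connected registry name must use only lowercase` names the wrong thing: the variable holds the name of the Azure Container Registry created by `az acr create` / `New-AzContainerRegistry`, not a connected registry, which is a separate ACR feature, so the comment will send readers to the wrong documentation. State the actual reason the value was lowercased, for example `# Use only lowercase: the registry login server name is lowercase and must be used that way in docker commands`, and apply the same wording in all four blocks. The last PowerShell block also gains an extra blank `+` line between the comment and `$MYACR = 'mycontainerregistry'` that the other three blocks do not have.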
aks | Node Pool Snapshot | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/node-pool-snapshot.md | Title: Snapshot Azure Kubernetes Service (AKS) node pools description: Learn how to snapshot AKS cluster node pools and create clusters and node pools from a snapshot. Previously updated : 09/11/2020 Last updated : 06/05/2023 az aks nodepool upgrade --name nodepool1 --cluster-name myAKSCluster --resource- > [!NOTE] > Your node pool image version will be the same contained in the snapshot and will remain the same throughout every scale operation. However, if this node pool is upgraded or a node image upgrade is performed without providing a snapshot-id the node image will be upgraded to latest. +> [!NOTE] +> To upgrade only the node version for your node pool, use the `--node-image-only` flag. This is required when upgrading the node image version for a node pool based on a snapshot with an identical Kubernetes version. + ## Create a cluster from a snapshot When you create a cluster from a snapshot, the cluster original system pool will be created from the snapshot configuration. |
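Review bot: The added note says `To upgrade only the node version for your node pool, use the --node-image-only flag`, but `--node-image-only` upgrades the node image, not the Kubernetes (node) version, and the note immediately above already uses "node image version" for this; say "node image version" so the two notes agree. The second sentence is hard to parse: spell out the case it covers (the node pool was created from a snapshot, the snapshot's Kubernetes version equals the pool's current version, and you want the newer node image) and state explicitly whether `--snapshot-id` must be passed together with `--node-image-only` in that case, because the first note says an upgrade without a snapshot-id moves the pool to the latest image, which may not be what a reader pinning to a snapshot wants.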
api-management | Api Management Howto Configure Notifications | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-configure-notifications.md | API Management provides notification templates for the administrative email mess Each email template has a subject in plain text, and a body definition in HTML format. Each item can be customized as desired. +> [!NOTE] +> HTML content in a template must be well-formed and adhere to the [XML specification](https://www.w3.org/XML/). The ` ` character isn't allowed. + To view and configure a notification template in the portal: 1. In the left menu, select **Notification templates**. |
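Review bot: In the added note, `The ` ` character isn't allowed.` renders with nothing visible between the backticks, so the reader cannot tell which character is forbidden; name it in words and by code point, and if it is an HTML entity, escape it in the Markdown source so it is shown literally instead of being rendered away. The note also cites the whole XML specification for "well-formed"; naming the concrete constraints the template must satisfy (every tag closed, `&` and `<` escaped) would be more useful than the spec link.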
api-management | Authentication Managed Identity Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/authentication-managed-identity-policy.md | Both system-assigned identity and any of the multiple user-assigned identities c <authentication-managed-identity resource="https://servicebus.azure.net/"/> <!--Azure Service Bus--> ``` ```xml +<authentication-managed-identity resource="https://eventhubs.azure.net/"/> <!--Azure Event Hub--> +``` +```xml <authentication-managed-identity resource="https://storage.azure.com/"/> <!--Azure Blob Storage--> ``` ```xml |
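Review bot: The comment on the new line reads `<!--Azure Event Hub-->`, but the service is "Azure Event Hubs" (the self-hosted gateway table updated in this same set says "Event Hubs integration"); match the product name. It would also help to say in the surrounding text that `resource` is the token audience and must match what the target service validates, since a reader comparing this line with the Service Bus entry above (`https://servicebus.azure.net/`) has no way to tell which audience an Event Hubs namespace accepts.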
api-management | Self Hosted Gateway Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/self-hosted-gateway-overview.md | To operate properly, each self-hosted gateway needs outbound connectivity on por | Public IP addresses of Azure Storage [service tag](../virtual-network/service-tags-overview.md) | ✔️ | Optional<sup>2</sup> | IP addresses must correspond to primary location of API Management instance. | | Hostname of Azure Blob Storage account | ✔️ | Optional<sup>2</sup> | Account associated with instance (`<blob-storage-account-name>.blob.core.windows.net`) | | Hostname of Azure Table Storage account | ✔️ | Optional<sup>2</sup> | Account associated with instance (`<table-storage-account-name>.table.core.windows.net`) |-| Endpoints for [Azure Application Insights integration](api-management-howto-app-insights.md) | Optional<sup>3</sup> | Optional<sup>3</sup> | Minimal required endpoints are:<ul><li>`rt.services.visualstudio.com:443`</li><li>`dc.services.visualstudio.com:443`</li><li>`{region}.livediagnostics.monitor.azure.com:443`</li></ul>Learn more in [Azure Monitor docs](../azure-monitor/app/ip-addresses.md#outgoing-ports) | -| Endpoints for [Event Hubs integration](api-management-howto-log-event-hubs.md) | Optional<sup>3</sup> | Optional<sup>3</sup> | Learn more in [Azure Event Hubs docs](../event-hubs/network-security.md) | -| Endpoints for [external cache integration](api-management-howto-cache-external.md) | Optional<sup>3</sup> | Optional<sup>3</sup> | This requirement depends on the external cache that is being used | +| Endpoints for Azure Active Directory integration | ✔️ | Optional<sup>3</sup> | Required endpoints are `<region>.login.microsoft.com` and `login.microsoftonline.com`. 
| +| Endpoints for [Azure Application Insights integration](api-management-howto-app-insights.md) | Optional<sup>4</sup> | Optional<sup>4</sup> | Minimal required endpoints are:<ul><li>`rt.services.visualstudio.com:443`</li><li>`dc.services.visualstudio.com:443`</li><li>`{region}.livediagnostics.monitor.azure.com:443`</li></ul>Learn more in [Azure Monitor docs](../azure-monitor/app/ip-addresses.md#outgoing-ports) | +| Endpoints for [Event Hubs integration](api-management-howto-log-event-hubs.md) | Optional<sup>4</sup> | Optional<sup>4</sup> | Learn more in [Azure Event Hubs docs](../event-hubs/network-security.md) | +| Endpoints for [external cache integration](api-management-howto-cache-external.md) | Optional<sup>4</sup> | Optional<sup>4</sup> | This requirement depends on the external cache that is being used | <sup>1</sup>For an API Management instance in an internal virtual network, enable private connectivity to the v2 configuration endpoint from the location of the self-hosted gateway, for example, using a private DNS in a peered network.<br/> <sup>2</sup>Only required in v2 when API inspector or quotas are used in policies.<br/>-<sup>3</sup> Only required when feature is used and requires public IP address, port, and hostname information.<br/> +<sup>3</sup>Only required when using Azure AD authentication or Azure AD-related policies.<br/> +<sup>4</sup>Only required when feature is used and requires public IP address, port, and hostname information.<br/> > [!IMPORTANT] > * DNS hostnames must be resolvable to IP addresses and the corresponding IP addresses must be reachable. |
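Review bot: The new Azure Active Directory row marks the v1 column ✔️ (always required) but the v2 column `Optional<sup>3</sup>`, and the new footnote 3 says the endpoints are only required when Azure AD authentication or Azure AD-related policies are used; if that condition holds for both gateway versions, the v1 cell should also be `Optional<sup>3</sup>`, and if v1 genuinely always needs `login.microsoftonline.com`, the notes column should say why. Two smaller points: the placeholder `<region>.login.microsoft.com` uses angle brackets while the Application Insights row uses `{region}.livediagnostics.monitor.azure.com`, so pick one placeholder style; and unlike the other rows, the new row gives no port, so add `:443` or state that the intro's port-443 rule applies.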
api-management | Virtual Network Reference | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/virtual-network-reference.md | When an API Management service instance is hosted in a VNet, the ports in the fo NSG rules allowing outbound connectivity to Storage, SQL, and Azure Event Hubs service tags may use the regional versions of those tags corresponding to the region containing the API Management instance (for example, **Storage.WestUS** for an API Management instance in the West US region). In multi-region deployments, the NSG in each region should allow traffic to the service tags for that region and the primary region. ## TLS functionality - To enable TLS/SSL certificate chain building and validation, the API Management service needs outbound network connectivity to `ocsp.msocsp.com`, `mscrl.microsoft.com`, and `crl.microsoft.com`. This dependency is not required if any certificate you upload to API Management contains the full chain to the CA root. ++To enable TLS/SSL certificate chain building and validation, the API Management service needs outbound network connectivity to `ocsp.msocsp.com`, `mscrl.microsoft.com`, and `crl.microsoft.com`. This dependency is not required if any certificate you upload to API Management contains the full chain to the CA root. ## DNS access- Outbound access on port `53` is required for communication with DNS servers. If a custom DNS server exists on the other end of a VPN gateway, the DNS server must be reachable from the subnet hosting API Management. ++Outbound access on port `53` is required for communication with DNS servers. If a custom DNS server exists on the other end of a VPN gateway, the DNS server must be reachable from the subnet hosting API Management. 
++### FQDN dependencies ++To operate properly, each [self-hosted gateway](self-hosted-gateway-overview.md) needs outbound connectivity on port 443 to the following endpoints associated with its cloud-based API Management instance: ++| Description | Required | Notes | +|:|:|:| +| Endpoints for Azure Active Directory integration | ✔️ | Required endpoints are `<region>.login.microsoft.com` and `login.microsoftonline.com`. | ## Metrics and health monitoring Outbound network connectivity to Azure Monitoring endpoints, which resolve under | Azure Public | <ul><li>gcs.prod.monitoring.core.windows.net</li><li>global.prod.microsoftmetrics.com</li><li>shoebox2.prod.microsoftmetrics.com</li><li>shoebox2-red.prod.microsoftmetrics.com</li><li>shoebox2-black.prod.microsoftmetrics.com</li><li>prod3.prod.microsoftmetrics.com</li><li>prod3-black.prod.microsoftmetrics.com</li><li>prod3-red.prod.microsoftmetrics.com</li><li>gcs.prod.warm.ingestion.monitoring.azure.com</li></ul> | | Azure Government | <ul><li>fairfax.warmpath.usgovcloudapi.net</li><li>global.prod.microsoftmetrics.com</li><li>shoebox2.prod.microsoftmetrics.com</li><li>shoebox2-red.prod.microsoftmetrics.com</li><li>shoebox2-black.prod.microsoftmetrics.com</li><li>prod3.prod.microsoftmetrics.com</li><li>prod3-black.prod.microsoftmetrics.com</li><li>prod3-red.prod.microsoftmetrics.com</li><li>prod5.prod.microsoftmetrics.com</li><li>prod5-black.prod.microsoftmetrics.com</li><li>prod5-red.prod.microsoftmetrics.com</li><li>gcs.prod.warm.ingestion.monitoring.azure.us</li></ul> | | Azure China 21Vianet | 
<ul><li>mooncake.warmpath.chinacloudapi.cn</li><li>global.prod.microsoftmetrics.com</li><li>shoebox2.prod.microsoftmetrics.com</li><li>shoebox2-red.prod.microsoftmetrics.com</li><li>shoebox2-black.prod.microsoftmetrics.com</li><li>prod3.prod.microsoftmetrics.com</li><li>prod3-red.prod.microsoftmetrics.com</li><li>prod5.prod.microsoftmetrics.com</li><li>prod5-black.prod.microsoftmetrics.com</li><li>prod5-red.prod.microsoftmetrics.com</li><li>gcs.prod.warm.ingestion.monitoring.azure.cn</li></ul> -## Developer portal CAPTCHA ++## Developer portal CAPTCHA Allow outbound network connectivity for the developer portal's CAPTCHA, which resolves under the hosts `client.hip.live.com` and `partner.hip.live.com`. ## Publishing the developer portal The following IP addresses are divided by **Azure Environment** and **Region**. | Azure Government| USDoD Central| 52.182.32.132| | Azure Government| USDoD East| 52.181.32.192| - ## Next steps Learn more about: |
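Review bot: The new `### FQDN dependencies` subsection is out of place in this article: the page describes what an API Management instance hosted in a VNet must reach, but the added paragraph says `each self-hosted gateway needs outbound connectivity on port 443`, which is the self-hosted gateway's requirement and is already being added to that gateway's own table in self-hosted-gateway-overview.md in this same set. Either reword it to state that the VNet-hosted API Management instance itself needs `<region>.login.microsoft.com` and `login.microsoftonline.com` (and how to allow them, since the NSG guidance above works in service tags rather than FQDNs), or replace the section with a one-line pointer to the self-hosted gateway article. The rest of the diff only removes and re-adds the TLS functionality, DNS access and Developer portal CAPTCHA paragraphs to move blank lines around their headings; that churn hides the real change in blame and should be dropped from the commit.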
applied-ai-services | Get Started Sdks Rest Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/applied-ai-services/form-recognizer/quickstarts/get-started-sdks-rest-api.md | |
azure-app-configuration | Quickstart Feature Flag Spring Boot | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-app-configuration/quickstart-feature-flag-spring-boot.md | To create a new Spring Boot project: 1. Open the *pom.xml* file in a text editor and add the following to the list of `<dependencies>`: + ### [Spring Boot 3](#tab/spring-boot-3) + ```xml <dependency> <groupId>com.azure.spring</groupId> <artifactId>spring-cloud-azure-appconfiguration-config-web</artifactId>- <version>4.7.0</version> + <version>5.2.0</version> </dependency> <dependency> <groupId>com.azure.spring</groupId> <artifactId>spring-cloud-azure-feature-management-web</artifactId>- <version>4.7.0</version> + <version>5.2.0</version> </dependency> <dependency> <groupId>org.springframework.boot</groupId> To create a new Spring Boot project: </dependency> ``` + ### [Spring Boot 2](#tab/spring-boot-2) ++ ```xml + <dependency> + <groupId>com.azure.spring</groupId> + <artifactId>spring-cloud-azure-appconfiguration-config-web</artifactId> + <version>4.8.0</version> + </dependency> + <dependency> + <groupId>com.azure.spring</groupId> + <artifactId>spring-cloud-azure-feature-management-web</artifactId> + <version>4.8.0</version> + </dependency> + <dependency> + <groupId>org.springframework.boot</groupId> + <artifactId>spring-boot-starter-thymeleaf</artifactId> + </dependency> + ``` ++ + > [!NOTE] > * There is a non-web Feature Management Library that doesn't have a dependency on spring-web. Refer to GitHub's [documentation](https://github.com/Azure/azure-sdk-for-java/tree/main/sdk/spring/spring-cloud-azure-feature-management) for differences. |
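Review bot: The new Spring Boot 2 tab is not closed: after its dependency block the diff adds only blank `+` lines before the existing `> [!NOTE]`, and a tab group needs a terminating `---` line, so the note and everything after it will render inside the Spring Boot 2 tab. Add the `---` after the Spring Boot 2 code block and drop the stray blank lines. It would also help to say why the tabs pin different major versions of `spring-cloud-azure-appconfiguration-config-web` and `spring-cloud-azure-feature-management-web` (5.2.0 for Spring Boot 3, 4.8.0 for Spring Boot 2), so that a reader does not "fix" the mismatch by bumping the Spring Boot 2 tab to 5.2.0.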
azure-app-configuration | Reference Kubernetes Provider | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-app-configuration/reference-kubernetes-provider.md | + + Title: Azure App Configuration Kubernetes Provider reference (preview) | Microsoft Docs +description: "It describes the supported properties of AzureAppConfigurationProvider object in the Azure App Configuration Kubernetes Provider." ++++ Last updated : 04/12/2023++#Customer intent: As an Azure Kubernetes Service user, I want to manage all my app settings in one place using Azure App Configuration. +++# Azure App Configuration Kubernetes Provider reference (preview) ++The following reference outlines the properties supported by the Azure App Configuration Kubernetes Provider. ++## Properties ++An `AzureAppConfigurationProvider` resource has the following top-level child properties under the `spec`. ++|Name|Description|Required|Type| +||||| +|endpoint|The endpoint of Azure App Configuration, which you would like to retrieve the key-values from|true|string| +|target|The destination of the retrieved key-values in Kubernetes|true|object| +|auth|The authentication method to access Azure App Configuration|false|object| +|keyValues|The settings for querying and processing key-values|false|object| ++The `spec.target` property has the following child property. ++|Name|Description|Required|Type| +||||| +|configMapName|The name of the ConfigMap to be created|true|string| ++If the `spec.auth` property isn't set, the system-assigned managed identity is used. It has the following child properties. Only one authentication method should be set. ++|Name|Description|Required|Type| +||||| +|managedIdentityClientId|The Client ID of user-assigned managed identity|false|string| +|servicePrincipalReference|The name of the Kubernetes Secret that contains the credentials of a service principal|false|string| ++The `spec.keyValues` has the following child properties. 
The `spec.keyValues.keyVaults` property is required if any Key Vault references are expected to be downloaded. ++|Name|Description|Required|Type| +||||| +|selectors|The list of selectors for key-value filtering|false|object array| +|trimKeyPrefixes|The list of key prefixes to be trimmed|false|string array| +|keyVaults|The settings for Key Vault references|conditional|object| ++If the `spec.keyValues.selectors` property isn't set, all key-values with no label will be downloaded. It contains an array of *selector* objects, which have the following child properties. ++|Name|Description|Required|Type| +||||| +|keyFilter|The key filter for querying key-values|true|string| +|labelFilter|The label filter for querying key-values|false|string| +++The `spec.keyValues.keyVaults` property has the following child properties. ++|Name|Description|Required|Type| +||||| +|target|The destination of resolved Key Vault references in Kubernetes|true|object| +|auth|The authentication method to access Key Vaults|false|object| ++The `spec.keyValues.keyVaults.target` property has the following child property. ++|Name|Description|Required|Type| +||||| +|secretName|The name of the Kubernetes Secret to be created|true|string| ++If the `spec.keyValues.keyVaults.auth` property isn't set, the system-assigned managed identity is used. It has the following child properties. ++|Name|Description|Required|Type| +||||| +|managedIdentityClientId|The client ID of a user-assigned managed identity used for authentication with vaults that don't have individual authentication methods specified|false|string| +|servicePrincipalReference|The name of the Kubernetes Secret that contains the credentials of a service principal used for authentication with vaults that don't have individual authentication methods specified|false|string| +|vaults|The authentication methods for individual vaults|false|object array| ++The authentication method of each *vault* can be specified with the following properties. 
One of `managedIdentityClientId` and `servicePrincipalReference` must be provided. ++|Name|Description|Required|Type| +||||| +|uri|The URI of a vault|true|string| +|managedIdentityClientId|The client ID of a user-assigned managed identity used for authentication with a vault|false|string| +|servicePrincipalReference|The name of the Kubernetes Secret that contains the credentials of a service principal used for authentication with a vault|false|string| ++## Examples ++### Authentication ++#### Use System-Assigned Managed Identity ++1. [Enable the system-assigned managed identity in the virtual machine scale set](/azure/active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vmss#enable-system-assigned-managed-identity-on-an-existing-virtual-machine-scale-set) used by the Azure Kubernetes Service (AKS) cluster. +1. [Grant the system-assigned managed identity **App Configuration Data Reader** role](/azure/azure-app-configuration/howto-integrate-azure-managed-service-identity#grant-access-to-app-configuration) in Azure App Configuration. +1. Deploy the following sample `AzureAppConfigurationProvider` resource to the AKS cluster. ++ ``` yaml + apiVersion: azconfig.io/v1beta1 + kind: AzureAppConfigurationProvider + metadata: + name: appconfigurationprovider-sample + spec: + endpoint: <your-app-configuration-store-endpoint> + target: + configMapName: configmap-created-by-appconfig-provider + ``` ++#### Use User-Assigned Managed Identity ++1. [Create a user-assigned managed identity](/azure/active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities#create-a-user-assigned-managed-identity) and note down its client ID after creation. +1. [Assign the user-assigned managed identity to the virtual machine scale set](/azure/active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vmss#user-assigned-managed-identity) used by the Azure Kubernetes Service (AKS) cluster. +1. 
[Grant the user-assigned managed identity **App Configuration Data Reader** role](/azure/active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vmss#user-assigned-managed-identity) in Azure App Configuration. +1. Set the `spec.auth.managedIdentityClientId` property to the client ID of the user-assigned managed identity in the following sample `AzureAppConfigurationProvider` resource and deploy it to the AKS cluster. ++ ``` yaml + apiVersion: azconfig.io/v1beta1 + kind: AzureAppConfigurationProvider + metadata: + name: appconfigurationprovider-sample + spec: + endpoint: <your-app-configuration-store-endpoint> + target: + configMapName: configmap-created-by-appconfig-provider + auth: + managedIdentityClientId: <your-managed-identity-client-id> + ``` ++#### Use Service Principal ++1. [Create a Service Principal](/azure/active-directory/develop/howto-create-service-principal-portal) +1. [Grant the service principal **App Configuration Data Reader** role](/azure/azure-app-configuration/howto-integrate-azure-managed-service-identity#grant-access-to-app-configuration) in Azure App Configuration. +1. Create a Kubernetes Secret in the same namespace as the `AzureAppConfigurationProvider` resource and add *azure_client_id*, *azure_client_secret*, and *azure_tenant_id* of the service principal to the Secret. +1. Set the `spec.auth.servicePrincipalReference` property to the name of the Secret in the following sample `AzureAppConfigurationProvider` resource and deploy it to the Kubernetes cluster. 
++ ``` yaml + apiVersion: azconfig.io/v1beta1 + kind: AzureAppConfigurationProvider + metadata: + name: appconfigurationprovider-sample + spec: + endpoint: <your-app-configuration-store-endpoint> + target: + configMapName: configmap-created-by-appconfig-provider + auth: + servicePrincipalReference: <your-service-principal-secret-name> + ``` ++### Key-value selection ++Use the `selectors` property to filter the key-values to be downloaded from Azure App Configuration. ++The following sample downloads all key-values with no label. ++``` yaml +apiVersion: azconfig.io/v1beta1 +kind: AzureAppConfigurationProvider +metadata: + name: appconfigurationprovider-sample +spec: + endpoint: <your-app-configuration-store-endpoint> + target: + configMapName: configmap-created-by-appconfig-provider +``` ++In following example, two selectors are used to retrieve two sets of key-values, each with unique labels. It's important to note that the values of the last selector take precedence and override any overlapping keys from the previous selectors. ++``` yaml +apiVersion: azconfig.io/v1beta1 +kind: AzureAppConfigurationProvider +metadata: + name: appconfigurationprovider-sample +spec: + endpoint: <your-app-configuration-store-endpoint> + target: + configMapName: configmap-created-by-appconfig-provider + keyValues: + selectors: + - keyFilter: app1* + labelFilter: common + - keyFilter: app1* + labelFilter: development +``` ++### Key prefix trimming ++The following sample uses the `trimKeyPrefixes` property to trim two prefixes from key names before adding them to the generated ConfigMap. 
++``` yaml +apiVersion: azconfig.io/v1beta1 +kind: AzureAppConfigurationProvider +metadata: + name: appconfigurationprovider-sample +spec: + endpoint: <your-app-configuration-store-endpoint> + target: + configMapName: configmap-created-by-appconfig-provider + keyValues: + trimKeyPrefixes: [prefix1, prefix2] +``` ++### Key Vault references ++The following sample instructs using a service principal to authenticate with a specific vault and a user-assigned managed identity for all other vaults. ++``` yaml +apiVersion: azconfig.io/v1beta1 +kind: AzureAppConfigurationProvider +metadata: + name: appconfigurationprovider-sample +spec: + endpoint: <your-app-configuration-store-endpoint> + target: + configMapName: configmap-created-by-appconfig-provider + keyValues: + selectors: + - keyFilter: app1* + keyVaults: + target: + secretName: secret-created-by-appconfig-provider + auth: + managedIdentityClientId: <your-user-assigned-managed-identity-client-id> + vaults: + - uri: <your-key-vault-uri> + servicePrincipalReference: <name-of-secret-containing-service-principal-credentials> +``` |
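Review bot: In the "Use User-Assigned Managed Identity" steps, the step `Grant the user-assigned managed identity **App Configuration Data Reader** role` links to `qs-configure-portal-windows-vmss#user-assigned-managed-identity`, which is the page for attaching the identity to the scale set (already linked from the previous step), not the page for granting the role; the system-assigned and service-principal sections link to `howto-integrate-azure-managed-service-identity#grant-access-to-app-configuration` for the same step, so use that target here too. While touching these steps, state plainly that an identity enabled on the AKS scale set is the node identity, so any pod on those nodes that can reach the instance metadata endpoint can obtain its tokens; the **App Configuration Data Reader** grant should therefore be scoped to the one store and nothing wider.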
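Review bot: The `spec.auth` and `spec.keyValues.keyVaults.auth` tables say `Only one authentication method should be set` without saying what the provider does when both `managedIdentityClientId` and `servicePrincipalReference` are present (reject the resource, or silently prefer one); document the behaviour, and for `servicePrincipalReference` list the exact Secret keys the provider reads in the reference table, since the Examples section names them as *azure_client_id*, *azure_client_secret* and *azure_tenant_id* but the table does not. The same gap exists for `spec.keyValues.keyVaults`: it is `conditional` and "required if any Key Vault references are expected to be downloaded," but the page does not say whether a Key Vault reference encountered without that block fails the reconcile or is skipped, and a silently skipped secret reference is exactly what an operator needs to know about.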
azure-arc | Release Notes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/data/release-notes.md | New for this release: - Added support for specifying multiple encryption types for AD connectors using the Azure CLI extension or Azure portal. - Arc-enabled PostgreSQL server- - Removed Hyperscale/Citus scale-out capabilities. Focus will be on providing a single node Postgres server service. All user experiences have had terms and concepts like `Hyperscale`, `server groups`, `worker nodes`, `coordinator nodes`, and so forth. removed. **BREAKING CHANGE** - - The postgresql container image is based on [CBL-Mariner](https://github.com/microsoft/CBL-Mariner) base OS image. + - Removed Hyperscale/Citus scale-out capabilities. Focus will be on providing a single node Postgres server service. All user experiences have had terms and concepts like `Hyperscale`, `server groups`, `worker nodes`, `coordinator nodes`, and so forth. removed. **BREAKING CHANGE** + - Only PostgreSQL version 14 is supported for now. Versions 11 and 12 have been removed. Two new images are introduced: `arc-postgres-14` and `arc-postgresql-agent`. The `arc-postgres-11` and `arc-postgres-12` container images are removed going forward. - The postgresql CRD version has been updated to v1beta3. Some properties such as `workers` have been removed or changed. Update any scripts or automation you have as needed to align to the new CRD schema. **BREAKING CHANGE** This section describes the new features introduced or enabled for this release. - [Create an Azure Database for PostgreSQL server on Azure Arc](create-postgresql-server.md) (requires creation of an Azure Arc data controller first) - [Resource providers for Azure services](../../azure-resource-manager/management/azure-services-resource-providers.md) + |
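Review bot: The diff deletes the bullet `The postgresql container image is based on [CBL-Mariner](https://github.com/microsoft/CBL-Mariner) base OS image.` with no replacement; if the new `arc-postgres-14` and `arc-postgresql-agent` images are still built on that base, keep the statement (renamed to Azure Linux, as the Arc servers prerequisites change in this same set does), and if the base image changed, say what it is now, because readers use this line for vulnerability-scanning and patch-cadence decisions. The new bullet `Only PostgreSQL version 14 is supported for now. Versions 11 and 12 have been removed.` drops two major versions and their container images, which is as breaking as the sibling bullets and should carry the same **BREAKING CHANGE** marker plus a pointer to the upgrade path. Minor: the re-added Hyperscale bullet still reads "and so forth. removed." with a stray period.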
azure-arc | Use Azure Policy Flux 2 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/kubernetes/use-azure-policy-flux-2.md | Title: "Deploy applications consistently at scale using Flux v2 configurations and Azure Policy" Previously updated : 05/15/2023 Last updated : 06/02/2023 description: "Use Azure Policy to apply Flux v2 configurations at scale on Azure Arc-enabled Kubernetes or AKS clusters." Verify you have `Microsoft.Authorization/policyAssignments/write` permissions on ## Create a policy assignment +In order for a policy to apply Flux v2 configurations to a cluster, the Flux extension must be installed on each cluster. You can ensure this by assigning the **Configure installation of Flux extension on Kubernetes cluster** policy definition to the desired scope. + 1. In the Azure portal, navigate to **Policy**. 1. In the **Authoring** section of the sidebar, select **Definitions**.-1. In the "Kubernetes" category, choose the **Configure Kubernetes clusters with Flux v2 configuration using public Git repository** built-in policy definition. +1. In the "Kubernetes" category, select the **Configure installation of Flux extension on Kubernetes cluster** built-in policy definition. 1. Select **Assign**. 1. Set the **Scope** to the management group, subscription, or resource group to which the policy assignment will apply. * If you want to exclude any resources from the policy assignment scope, set **Exclusions**.-1. Give the policy assignment an easily identifiable **Name** and **Description**. +1. Give the policy assignment an easily identifiable **Assignment name** and **Description**. +1. Ensure **Policy enforcement** is set to **Enabled**. +1. Select **Review + create**, then select **Create**. ++Next, return to the **Definitions** list to apply the configuration policy definition to the same scope. ++1. 
In the "Kubernetes" category, select the **Configure Kubernetes clusters with Flux v2 configuration using public Git repository** +built-in policy definition. +1. Select **Assign**. +1. Set the **Scope** to the same scope that you selected when assigning the first policy, including any exceptions. +1. Give the policy assignment an easily identifiable **Assignment name** and **Description**. 1. Ensure **Policy enforcement** is set to **Enabled**.-1. Select **Next**. +1. Select **Next**, then select **Next** again to open the **Parameters** tab. 1. Set the parameter values to be used. * For more information about parameters, see the [tutorial on deploying Flux v2 configurations](./tutorial-use-gitops-flux2.md). * When creating Flux configurations you must provide a value for one (and only one) of these parameters: `repositoryRefBranch`, `repositoryRefTag`, `repositoryRefSemver`, `repositoryRefCommit`.-1. Select **Next**. +1. Select **Next** to open the **Remediation** task. 1. Enable **Create a remediation task**.-1. Verify **Create a managed identity** is checked, and that the identity will have **Contributor** permissions. +1. Verify that **Create a Managed Identity** is checked, and that the identity will have **Contributor** permissions. * For more information, see [Quickstart: Create a policy assignment to identify non-compliant resources](../../governance/policy/assign-policy-portal.md) and [Remediate non-compliant resources with Azure Policy](../../governance/policy/how-to/remediate-resources.md).-1. Select **Review + create**. +1. Select **Review + create**, then select **Create**. -After creating the policy assignment, the configuration is applied to new Azure Arc-enabled Kubernetes or AKS clusters created within the scope of policy assignment. +After creating the policy assignments, the configuration is applied to new Azure Arc-enabled Kubernetes or AKS clusters created within the scope of policy assignment. 
For existing clusters, you may need to manually run a remediation task. This task typically takes 10 to 20 minutes for the policy assignment to take effect. |
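Review bot: The new first procedure (assign **Configure installation of Flux extension on Kubernetes cluster**) stops at **Review + create** with no remediation task or managed identity, while the second procedure for the configuration policy walks through **Create a remediation task** and **Create a Managed Identity** with **Contributor**; since the added paragraph says the extension must be installed on each cluster before the configuration policy can apply, say whether the extension policy also needs a remediation task and identity for existing clusters, otherwise readers will assign it and find nothing installed on clusters that already exist. Also, the second procedure's scope step says `including any exceptions` while the first procedure and the portal call them **Exclusions**; use the portal term. Finally, `This task typically takes 10 to 20 minutes for the policy assignment to take effect` mixes the remediation task and the assignment; say which one takes 10 to 20 minutes.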
azure-arc | Prerequisites | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/servers/prerequisites.md | Azure Arc supports the following Windows and Linux operating systems. Only x86-6 * Windows 10, 11 (see [client operating system guidance](#client-operating-system-guidance)) * Windows IoT Enterprise * Azure Stack HCI-* CBL-Mariner 1.0, 2.0 +* Azure Linux 1.0, 2.0 * Ubuntu 16.04, 18.04, 20.04, and 22.04 LTS * Debian 10 and 11 * CentOS Linux 7 and 8 |
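Review bot: Replacing `CBL-Mariner 1.0, 2.0` with `Azure Linux 1.0, 2.0` removes the only occurrence of the old name from the supported-OS list, while other articles updated in this same set (the Arc data release notes and the Azure Linux intro) still say CBL-Mariner; write it as `Azure Linux (formerly CBL-Mariner) 1.0, 2.0` so readers who know the distribution by the name on their existing installs still find the entry, and confirm that both 1.0 and 2.0 remain supported under the new name rather than carrying the version list over unchanged.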
azure-arc | Ssh Arc Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/servers/ssh-arc-overview.md | Authenticating with Azure AD credentials has additional requirements: An Azure user who has the Owner or Contributor role assigned for a VM doesn't automatically have privileges to Azure AD login to the VM over SSH. There's an intentional (and audited) separation between the set of people who control virtual machines and the set of people who can access virtual machines. > [!NOTE]- > The Virtual Machine Administrator Login and Virtual Machine User Login roles use `dataActions` and can be assigned at the management group, subscription, resource group, or resource scope. We recommend that you assign the roles at the management group, subscription, or resource level and not at the individual VM level. This practice avoids the risk of reaching the [Azure role assignments limit](../../role-based-access-control/troubleshooting.md#limits) per subscription. + > The Virtual Machine Administrator Login and Virtual Machine User Login roles use `dataActions` and can be assigned at the management group, subscription, resource group, or resource scope. We recommend that you assign the roles at the management group, subscription, or resource level and not at the individual VM level. This practice avoids the risk of reaching the [Azure role assignments limit](../../role-based-access-control/troubleshoot-limits.md) per subscription. ### Availability SSH access to Arc-enabled servers is currently supported in all regions supported by Arc-Enabled Servers with the following exceptions: |
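Review bot: In the touched note, the recommendation reads `assign the roles at the management group, subscription, or resource level and not at the individual VM level`, but the preceding sentence lists the valid scopes as management group, subscription, resource group and resource, and the individual VM is the resource scope, so the recommendation contradicts itself; it should say "resource group level." While here, the paragraph above could add that the separation it describes (Owner or Contributor on the VM does not grant **Virtual Machine Administrator Login** or **Virtual Machine User Login**) holds only as long as those users lack role-assignment write permission at the chosen scope, since anyone who can write role assignments there can grant themselves the login role.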
azure-cache-for-redis | Cache How To Version | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-cache-for-redis/cache-how-to-version.md | Last updated 09/08/2022 In this article, you'll learn how to configure the Redis software version to be used with your cache instance. Azure Cache for Redis offers the latest major version of Redis and at least one previous version. It will update these versions regularly as newer Redis software is released. You can choose between the two available versions. Keep in mind that your cache will be upgraded to the next version automatically if the version it's using currently is no longer supported. > [!NOTE]-> At this time, Redis 6 does not support Access Control Lists (ACL) or geo-replication between a Redis 4 cache and Redis 6 cache. +> At this time, Redis 6 does not directly support Access Control Lists (ACL) but ACLs can be setup through [Active AD](cache-configure-role-based-access-control.md). For more information, seee to [Use Azure Active Directory for cache authentication](cache-azure-active-directory-for-authentication.md) +> Presently, Redis 6 does not support geo-replication between a Redis 4 cache and Redis 6 cache. > ## Prerequisites |
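Review bot: The new note is technically misleading: Redis 6 itself introduced Access Control Lists, so `Redis 6 does not directly support Access Control Lists (ACL)` should say that Azure Cache for Redis does not expose the native Redis 6 ACL commands and that per-user permissions are instead configured through Azure Active Directory authentication and the service's role-based access control. Wording fixes on the same line: `[Active AD]` should be `Azure AD`, `setup` should be `set up`, `seee to` should be `see`, and the sentence needs a full stop before `Presently`. Splitting the geo-replication limitation into its own sentence is good; keep that.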
azure-functions | Create First Function Arc Custom Container | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/create-first-function-arc-custom-container.md | Title: Create your first containerized Azure Functions on Azure Arc description: Get started with Azure Functions on Azure Arc by deploying your first function app in a custom Linux container. Previously updated : 05/07/2023 Last updated : 06/05/2023 ms.devlang: azurecli zone_pivot_groups: programming-languages-set-functions |
azure-functions | Functions Premium Plan | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/functions-premium-plan.md | See the complete regional availability of Functions on the [Azure web site](http |Australia East| 100 | 40 | |Australia Southeast | 100 | 20 | |Brazil South| 100 | 20 |-|Canada Central| 100 | 20 | +|Canada Central| 100 | 100 | |Central India| 100 | 20 | |Central US| 100 | 100 | |China East 2| 100 | 20 | |
azure-linux | Intro Azure Linux | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-linux/intro-azure-linux.md | To learn more about Azure Linux, see the [Azure Linux GitHub repository](https:/ The Azure Linux Container Host offers the following key benefits: - **Secure supply chain**: Microsoft builds, signs, and validates the Azure Linux Container Host packages from source, and hosts its packages and sources in Microsoft-owned and secured platforms.-- **Small and lightweight**: The Azure Linux Container Host only includes the necessary set of packages needed to run container workloads - as a result, it consumes limited disk and memory resources.+- **Small and lightweight**: The Azure Linux Container Host only includes the necessary set of packages needed to run container workloads. As a result, it consumes limited disk and memory resources. - **Secure by default**: The Azure Linux Container Host has an emphasis on security and follows the secure-by-default principles, including using a hardened Linux kernel with Azure cloud optimizations and flags tuned for Azure. It also provides a reduced attack surface and eliminates patching and maintenance of unnecessary packages. For more information on Azure Linux Container Host security principles, see the [AKS security concepts](../../articles/aks/concepts-security.md). - **Extensively validated**: The AKS and Azure Linux teams run a suite of functional and performance regression tests with the Azure Linux Container Host before releasing to customers, which enables earlier issue detection and mitigation.ΓÇï -## Limitations --The Azure Linux Container Host has the following limitation: --- The Azure Linux Container Host supports the NCv3 series and NCasT4_v3 series VM sizes. The NC A100 v4 series is currently not supported.--If there are areas you would like to have priority, please file an issue in the [AKS GitHub repository](https://github.com/Azure/AKS/issues). 
+> [!NOTE] +> +> For GPU workloads, Azure Linux doesn't support NC A100 v4 series. All other VM SKUs that are available on AKS are available with Azure Linux. +> +> If there are any areas you would like to have priority, please file an issue in the [AKS GitHub repository](https://github.com/Azure/AKS/issues). ## Next steps |
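Review bot: the new NOTE replaces an explicit allow-list ("supports the NCv3 series and NCasT4_v3 series VM sizes") with the much broader claim that "All other VM SKUs that are available on AKS are available with Azure Linux", which the removed text did not support; confirm that before merging or keep the GPU statement narrow. Two smaller points in the same region: the context line ending "mitigation.ΓÇï" carries a mis-encoded zero-width space that should be deleted from the source, and dropping the "Limitations" heading means the GPU restriction is no longer discoverable from the table of contents.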
azure-maps | How To Create Template | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/how-to-create-template.md | The Azure Maps account resource is defined in this template: * **Resource group**: select **Create new**, enter a unique name for the resource group, and then select **OK**. * **Location**: select a location. * **Account Name**: enter a name for your Azure Maps account, which must be globally unique.- * **Pricing Tier**: select the appropriate pricing tier, the default value for the template is S0. + * **Pricing Tier**: select the appropriate pricing tier, the default value for the template is G2. 3. Select **Review + create**. 4. Confirm your settings on the review page and select **Create**. Once deployed successfully, you get a notification: |
azure-monitor | Agent Windows | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/agents/agent-windows.md | The following table highlights the specific parameters supported by setup for th |ADD_OPINSIGHTS_WORKSPACE | 1 = Configure the agent to report to a workspace. | |OPINSIGHTS_WORKSPACE_ID | Workspace ID (guid) for the workspace to add. | |OPINSIGHTS_WORKSPACE_KEY | Workspace key used to initially authenticate with the workspace. |-|OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE | Specify the cloud environment where the workspace is located. <br> 0 = Azure commercial cloud (default). <br> 1 = Azure Government. | +|OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE | Specify the cloud environment where the workspace is located. <br> 0 = Azure commercial cloud (default). <br> 1 = Azure Government. <br> 2 = Azure China cloud. | |OPINSIGHTS_PROXY_URL | URI for the proxy to use. Example: OPINSIGHTS_PROXY_URL=IPAddress:Port or OPINSIGHTS_PROXY_URL=FQDN:Port | |OPINSIGHTS_PROXY_USERNAME | Username to access an authenticated proxy. | |OPINSIGHTS_PROXY_PASSWORD | Password to access an authenticated proxy. | The following table highlights the specific parameters supported by setup for th ```shell setup.exe /qn NOAPM=1 ADD_OPINSIGHTS_WORKSPACE=1 OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE=1 OPINSIGHTS_WORKSPACE_ID="<your workspace ID>" OPINSIGHTS_WORKSPACE_KEY="<your workspace key>" AcceptEndUserLicenseAgreement=1 ```+ + Or to configure the agent to report to Azure China cloud, enter: ++ ```shell + setup.exe /qn NOAPM=1 ADD_OPINSIGHTS_WORKSPACE=1 OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE=2 OPINSIGHTS_WORKSPACE_ID="<your workspace ID>" OPINSIGHTS_WORKSPACE_KEY="<your workspace key>" AcceptEndUserLicenseAgreement=1 + ``` >[!NOTE] >The string values for the parameters *OPINSIGHTS_WORKSPACE_ID* and *OPINSIGHTS_WORKSPACE_KEY* need to be enclosed in double quotation marks to instruct Windows Installer to interpret as valid options for the package. |
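Review bot: the new Azure China example duplicates the Azure Government command verbatim apart from `OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE=2`; one example with the cloud-type value called out, next to the table row that now lists 0/1/2, would be easier to keep in sync. Since both commands pass the workspace key as `OPINSIGHTS_WORKSPACE_KEY="<your workspace key>"` on a `/qn` silent install, consider adding a sentence reminding readers that the key is a shared secret that may appear in any captured command line or verbose installer log and should be protected accordingly.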
azure-monitor | Alerts Create New Alert Rule | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/alerts-create-new-alert-rule.md | Alerts triggered by these alert rules contain a payload that uses the [common al 1. On the **Actions** tab, select or create the required [action groups](./action-groups.md). - > [!NOTE] > We're continually adding more regions for regional data processing. -1. (Optional) In the **Custom properties** section, if you've configured action groups for this alert rule, you can add custom properties in key:value pairs to the alert notification payload to add more information to it. Add the property **Name** and **Value** for the custom property you want included in the payload. +1. (Optional) In the <a name="custom-props">**Custom properties**</a> section, if you've configured action groups for this alert rule, you can add custom properties in key:value pairs to the alert notification payload to add more information to it. Add the property **Name** and **Value** for the custom property you want included in the payload. You can also use custom properties to extract and manipulate data from alert payloads that use the common schema. You can use those values in the action group webhook or logic app.+ + > [!NOTE] + > In this phase the custom properties are not part of the e-mail template - The format for extracting values from the common schema, use a "$", and then the path of the [common schema](https://learn.microsoft.com/azure/azure-monitor/alerts/alerts-common-schema) field inside curly brackets. For example: `${data.essentials.monitorCondition}`. --+ The format for extracting values from the common schema, use a "$", and then the path of the [Common alert schema](alerts-common-schema.md) field inside curly brackets. For example: `${data.essentials.monitorCondition}`. 
In the following examples, values in the **custom properties** are used to utilize data from the payload: Alerts triggered by these alert rules contain a payload that uses the [common al > [!NOTE] > The [common schema](alerts-common-schema.md) overwrites custom configurations. Therefore, you can't use both custom properties and the common schema for log alerts. - 1. On the **Details** tab, define the **Project details**. - Select the **Subscription**. - Select the **Resource group**. |
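Review bot: the two NOTE blocks in this region contradict each other: the new text says custom properties can "extract and manipulate data from alert payloads that use the common schema" with `${data.essentials.monitorCondition}`, while the retained NOTE below says "The common schema overwrites custom configurations. Therefore, you can't use both custom properties and the common schema for log alerts"; state which alert types each statement applies to. Wording fixes in the added lines: "In this phase the custom properties are not part of the e-mail template" should read "Currently, custom properties aren't included in the email template"; "The format for extracting values from the common schema, use a "$", and then the path" is not a sentence and should read "To extract a value from the common schema, use `$` followed by the path of the common alert schema field in curly brackets"; and the raw `<a name="custom-props">` inside the bold heading should use the page's usual Markdown anchor style. Switching the absolute learn.microsoft.com link to the relative alerts-common-schema.md is correct.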
azure-monitor | Java Standalone Config | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/java-standalone-config.md | and have it inherited by dependency and log telemetry, which are captured in the ```json {- "inheritedAttributes": [ - { - "key": "mycustomer", - "type": "string" - } - ] + "preview": { + "inheritedAttributes": [ + { + "key": "mycustomer", + "type": "string" + } + ] + } } ``` |
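Review bot: moving `inheritedAttributes` under a `preview` object changes the configuration contract, but the surrounding prose ("and have it inherited by dependency and log telemetry") still presents the feature as generally available; add a sentence saying the setting is in preview and must be nested under `preview`, so readers with the old top-level key learn why it stopped taking effect.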
azure-monitor | Activity Log | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/essentials/activity-log.md | AzureActivity | where CategoryValue == "Administrative" ``` +> [!Important] +> In some scenarios, it's possible that values in fields of AzureActivity might have different casings from otherwise equivalent values. Take care when querying data in AzureActivity to use case-insensitive operators for string comparisons, or use a scalar function to force a field to a uniform casing before any comparisons. For example, use the [tolower()](/azure/kusto/query/tolowerfunction) function on a field to force it to always be lowercase or the [=~ operator](/azure/kusto/query/datatypes-string-operators) when performing a string comparison. + ## Send to Azure Event Hubs Send the activity log to Azure Event Hubs to send entries outside of Azure, for example, to a third-party SIEM or other log analytics solutions. Activity log events from event hubs are consumed in JSON format with a `records` element that contains the records in each payload. The schema depends on the category and is described in [Azure activity log event schema](activity-log-schema.md). |
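Review bot: the new Important box tells readers to use case-insensitive comparisons (`=~` or `tolower()`) on AzureActivity, but the example query immediately above it still uses the case-sensitive `where CategoryValue == "Administrative"`; change the sample to `=~` so the page practises what it recommends. This matters for detections: an audit or alert query written with `==` silently drops records whose field casing differs.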
azure-monitor | Metrics Supported | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/essentials/metrics-supported.md | -Date list was last updated: 06/01/2023. +Date list was last updated: 06/04/2023. Azure Monitor provides several ways to interact with metrics, including charting them in the Azure portal, accessing them through the REST API, or querying them by using PowerShell or the Azure CLI (Command Line Interface). This latest update adds a new column and reorders the metrics to be alphabetical |IntegrationRuntimeAvailableMemory |Yes |Integration runtime available memory |Bytes |Average |Integration runtime available memory |IntegrationRuntimeName, NodeName | |IntegrationRuntimeAvailableNodeNumber |Yes |Integration runtime available node count |Count |Average |Integration runtime available node count |IntegrationRuntimeName | |IntegrationRuntimeAverageTaskPickupDelay |Yes |Integration runtime queue duration |Seconds |Average |Integration runtime queue duration |IntegrationRuntimeName |+|IntegrationRuntimeCopyAvailableCapacityPercentage |Yes |Integration runtime copy available capacity percentage |Percent |Maximum |Integration runtime copy available capacity percentage |IntegrationRuntimeName | +|IntegrationRuntimeCopyCapacityUtilization |Yes |Integration runtime copy capacity utilization |Percent |Maximum |Integration runtime copy capacity utilization |IntegrationRuntimeName | +|IntegrationRuntimeCopyWaitingQueueLength |Yes |Integration runtime copy waiting queue length |Count |Average |Integration runtime copy waiting queue length |IntegrationRuntimeName | |IntegrationRuntimeCpuPercentage |Yes |Integration runtime CPU utilization |Percent |Average |Integration runtime CPU utilization |IntegrationRuntimeName, NodeName |+|IntegrationRuntimeExternalAvailableCapacityPercentage |Yes |Integration runtime external available capacity percentage |Percent |Maximum |Integration runtime external available capacity percentage 
|IntegrationRuntimeName | +|IntegrationRuntimeExternalCapacityUtilization |Yes |Integration runtime external capacity utilization |Percent |Maximum |Integration runtime external capacity utilization |IntegrationRuntimeName | +|IntegrationRuntimeExternalWaitingQueueLength |Yes |Integration runtime external waiting queue length |Count |Average |Integration runtime external waiting queue length |IntegrationRuntimeName | +|IntegrationRuntimePipelineAvailableCapacityPercentage |Yes |Integration runtime pipeline available capacity percentage |Percent |Maximum |Integration runtime pipeline available capacity percentage |IntegrationRuntimeName | +|IntegrationRuntimePipelineCapacityUtilization |Yes |Integration runtime pipeline capacity utilization |Percent |Maximum |Integration runtime pipeline capacity utilization |IntegrationRuntimeName | +|IntegrationRuntimePipelineWaitingQueueLength |Yes |Integration runtime pipeline waiting queue length |Count |Average |Integration runtime pipeline waiting queue length |IntegrationRuntimeName | |IntegrationRuntimeQueueLength |Yes |Integration runtime queue length |Count |Average |Integration runtime queue length |IntegrationRuntimeName | |MaxAllowedFactorySizeInGbUnits |Yes |Maximum allowed factory size (GB unit) |Count |Maximum |Maximum allowed factory size (GB unit) |No Dimensions | |MaxAllowedResourceCount |Yes |Maximum allowed entities count |Count |Maximum |Maximum allowed entities count |No Dimensions | This latest update adds a new column and reorders the metrics to be alphabetical |SubmissionsOutstanding |No |Outstanding Submissions |Count |Average |The average number of outstanding submissions that are queued for processing. |Region | |SubmissionsSucceeded |No |Successful Submissions / Hr |Count |Maximum |The number of successful submissions / Hr. 
|Region | -## Microsoft.SecurityDetonation/SecurityDetonationChambers -<!-- Data source : arm--> --|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions| -|||||||| -|% Processor Time |Yes |% CPU |Percent |Average |Percent CPU utilization |No Dimensions | - ## Microsoft.ServiceBus/Namespaces <!-- Data source : naam--> This latest update adds a new column and reorders the metrics to be alphabetical |WarmStorageMaxProperties |Yes |Warm Storage Max Properties |Count |Maximum |Maximum number of properties used allowed by the environment for S1/S2 SKU and maximum number of properties allowed by Warm Store for PAYG SKU |No Dimensions | |WarmStorageUsedProperties |Yes |Warm Storage Used Properties |Count |Maximum |Number of properties used by the environment for S1/S2 SKU and number of properties used by Warm Store for PAYG SKU |No Dimensions | +## Microsoft.VoiceServices/CommunicationsGateways +<!-- Data source : naam--> ++|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions| +|||||||| +|ActiveCallFailures |No |Active Call Failures |Percent |Average |Percentage of active call failures |Region | +|ActiveCalls |No |Active Calls |Count |Average |Count of the total number of active calls (signaling sessions) |Region | +|ActiveEmergencyCalls |No |Active Emergency Calls |Count |Average |Count of the total number of active emergency calls |Region | + ## Microsoft.Web/containerapps <!-- Data source : naam--> This latest update adds a new column and reorders the metrics to be alphabetical - [Export metrics to storage, Event Hub, or Log Analytics](../essentials/platform-logs-overview.md) -<!--Gen Date: Thu Jun 01 2023 09:57:38 GMT+0300 (Israel Daylight Time)--> +<!--Gen Date: Sun Jun 04 2023 10:14:09 GMT+0300 (Israel Daylight Time)--> |
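Review bot: this generated update silently drops the whole `Microsoft.SecurityDetonation/SecurityDetonationChambers` section (the `% Processor Time` metric) with no corresponding addition or deprecation note; confirm the provider was intentionally de-listed rather than missed by the generator run dated Jun 04. In the new `Microsoft.VoiceServices/CommunicationsGateways` block, `ActiveCallFailures` has unit Percent and description "Percentage of active call failures" but a display name of "Active Call Failures", which reads as a count; "Active Call Failure Rate" would match the unit.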
azure-monitor | Resource Logs Categories | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/essentials/resource-logs-categories.md | Title: Supported categories for Azure Monitor resource logs description: Understand the supported services and event schemas for Azure Monitor resource logs. Previously updated : 06/01/2023 Last updated : 06/04/2023 If you think something is missing, you can open a GitHub comment at the bottom o * [Analyze logs from Azure storage with Log Analytics](./resource-logs.md#send-to-log-analytics-workspace) -<!--Gen Date: Thu Jun 01 2023 09:57:38 GMT+0300 (Israel Daylight Time)--> +<!--Gen Date: Sun Jun 04 2023 10:14:09 GMT+0300 (Israel Daylight Time)--> |
azure-monitor | Availability Zones | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/logs/availability-zones.md | Azure Monitor currently supports data resilience for availability-zone-enabled d | Americas | Europe | Middle East | Africa | Asia Pacific | ||||||- | Brazil South | France Central | UAE North | South Africa North | Australia East | - | Canada Central | Germany West Central | | | Central India | + | Brazil South | France Central | Qatar Central | South Africa North | Australia East | + | Canada Central | Germany West Central | UAE North | | Central India | | Central US | North Europe | | | Japan East | | East US | Norway East | | | Korea Central | | East US 2 | UK South | | | Southeast Asia | | South Central US | West Europe | | | East Asia |- | US Gov Virginia | Sweden Central | | | China North 3 | - | West US 2 | Switzerland North | | | | - | West US 3 | | | | | + | West US 2 | Sweden Central | | | | + | West US 3 | Switzerland North | | | | + | | Poland Central | | | | ## Service resilience - supported regions |
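Review bot: besides adding Qatar Central and Poland Central, this table edit removes "US Gov Virginia" and "China North 3" from the availability-zone-enabled regions, which is a material change for anyone relying on data resilience in those sovereign clouds; if support was withdrawn the page should say so rather than dropping the rows silently, and if they merely moved to another table they should be cross-referenced.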
azure-monitor | Basic Logs Configure | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/logs/basic-logs-configure.md | Configure a table for Basic logs if: | Service | Table | |:|:| | Active Directory | [AADDomainServicesDNSAuditsGeneral](/azure/azure-monitor/reference/tables/AADDomainServicesDNSAuditsGeneral)<br> [AADDomainServicesDNSAuditsDynamicUpdates](/azure/azure-monitor/reference/tables/AADDomainServicesDNSAuditsDynamicUpdates) |+ | API Management | [ApiManagementGatewayLogs](/azure/azure-monitor/reference/tables/ApiManagementGatewayLogs)<br>[ApiManagementWebSocketConnectionLogs](/azure/azure-monitor/reference/tables/ApiManagementWebSocketConnectionLogs) | | Application Insights | [AppTraces](/azure/azure-monitor/reference/tables/apptraces) |+ | Chaos Experiments | [AppTraces](/azure/azure-monitor/reference/tables/ChaosStudioExperimentEventLogs) | | Container Apps | [ContainerAppConsoleLogs](/azure/azure-monitor/reference/tables/containerappconsoleLogs) | | Container Insights | [ContainerLogV2](/azure/azure-monitor/reference/tables/containerlogv2) | | Container Apps Environments | [AppEnvSpringAppConsoleLogs](/azure/azure-monitor/reference/tables/AppEnvSpringAppConsoleLogs) | Configure a table for Basic logs if: | Dev Center | [DevCenterDiagnosticLogs](/azure/azure-monitor/reference/tables/DevCenterDiagnosticLogs) | | Data Transfer | [DataTransferOperations](/azure/azure-monitor/reference/tables/DataTransferOperations) | | Firewalls | [AZFWFlowTrace](/azure/azure-monitor/reference/tables/AZFWFlowTrace) |- | Health Data | [AHDSMedTechDiagnosticLogs](/azure/azure-monitor/reference/tables/AHDSMedTechDiagnosticLogs) | + | Health Care APIs | [AHDSMedTechDiagnosticLogs](/azure/azure-monitor/reference/tables/AHDSMedTechDiagnosticLogs)<br>[AHDSDicomDiagnosticLogs](/azure/azure-monitor/reference/tables/AHDSDicomDiagnosticLogs)<br>[AHDSDicomAuditLogs](/azure/azure-monitor/reference/tables/AHDSDicomAuditLogs) | | Kubernetes services | 
[AKSAudit](/azure/azure-monitor/reference/tables/AKSAudit)<br>[AKSAuditAdmin](/azure/azure-monitor/reference/tables/AKSAuditAdmin)<br>[AKSControlPlane](/azure/azure-monitor/reference/tables/AKSControlPlane) | | Media Services | [AMSLiveEventOperations](/azure/azure-monitor/reference/tables/AMSLiveEventOperations)<br>[AMSKeyDeliveryRequests](/azure/azure-monitor/reference/tables/AMSKeyDeliveryRequests)<br>[AMSMediaAccountHealth](/azure/azure-monitor/reference/tables/AMSMediaAccountHealth)<br>[AMSStreamingEndpointRequests](/azure/azure-monitor/reference/tables/AMSStreamingEndpointRequests) | | Redis Cache Enterprise | [REDConnectionEvents](/azure/azure-monitor/reference/tables/REDConnectionEvents) | | Sphere | [ASCAuditLogs](/azure/azure-monitor/reference/tables/ASCAuditLogs)<br>[ASCDeviceEvents](/azure/azure-monitor/reference/tables/ASCDeviceEvents) | | Storage | [StorageBlobLogs](/azure/azure-monitor/reference/tables/StorageBlobLogs)<br>[StorageFileLogs](/azure/azure-monitor/reference/tables/StorageFileLogs)<br>[StorageQueueLogs](/azure/azure-monitor/reference/tables/StorageQueueLogs)<br>[StorageTableLogs](/azure/azure-monitor/reference/tables/StorageTableLogs) |+ | Synapse | [SynapseSqlPoolExecRequests](/azure/azure-monitor/reference/tables/SynapseSqlPoolExecRequests)<br>[SynapseSqlPoolRequestSteps](/azure/azure-monitor/reference/tables/SynapseSqlPoolRequestSteps)<br>[SynapseSqlPoolDmsWorkers](/azure/azure-monitor/reference/tables/SynapseSqlPoolDmsWorkers)<br>[SynapseSqlPoolWaits](/azure/azure-monitor/reference/tables/SynapseSqlPoolWaits) | | Storage Mover | [StorageMoverJobRunLogs](/azure/azure-monitor/reference/tables/StorageMoverJobRunLogs)<br>[StorageMoverCopyLogsFailed](/azure/azure-monitor/reference/tables/StorageMoverCopyLogsFailed)<br>[StorageMoverCopyLogsTransferred](/azure/azure-monitor/reference/tables/StorageMoverCopyLogsTransferred)<br> | | Virtual Network Manager | 
[AVNMNetworkGroupMembershipChange](/azure/azure-monitor/reference/tables/AVNMNetworkGroupMembershipChange) | |
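Review bot: the added Chaos Experiments row has link text `AppTraces` pointing at `/azure/azure-monitor/reference/tables/ChaosStudioExperimentEventLogs`; the text should be the table name `ChaosStudioExperimentEventLogs`, otherwise readers searching for the table won't find it. The new Synapse row is also inserted between Storage and Storage Mover, breaking the alphabetical order the rest of the table follows.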
azure-monitor | Delete Workspace | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/logs/delete-workspace.md | Title: Delete and recover an Azure Log Analytics workspace | Microsoft Docs description: Learn how to delete your Log Analytics workspace if you created one in a personal subscription or restructure your workspace model. --++ Last updated 03/22/2022 |
azure-monitor | Get Started Queries | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/logs/get-started-queries.md | Title: Get started with log queries in Azure Monitor | Microsoft Docs description: This article provides a tutorial for getting started writing log queries in Azure Monitor. --++ Last updated 10/20/2021 |
azure-monitor | Log Standard Columns | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/logs/log-standard-columns.md | Title: Standard columns in Azure Monitor log records | Microsoft Docs description: Describes columns that are common to multiple data types in Azure Monitor logs. --++ Last updated 02/18/2022 |
azure-monitor | Logs Dedicated Clusters | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/logs/logs-dedicated-clusters.md | The managed identity service generates the *principalId* GUID when you create th ## Link a workspace to a cluster -When a Log Analytics workspace is linked to a dedicated cluster, the workspace billing plan in workspace is changed per cluster plan, new data ingested to the workspace is routed to the cluster, and existing data remains in Log Analytics cluster. Linking a workspace has no affect on data ingestion and query experiences. --Queries and experiences aren't affected by the -If the dedicated cluster is configured with customer-managed keys (CMK), new ingested data is encrypted with your key. The system abstracts the data location, you can query data as usual while the system performs cross-cluster queries in the background. +When a Log Analytics workspace is linked to a dedicated cluster, the workspace billing plan in workspace is changed to cluster plan, new data ingested to the workspace is routed to your dedicated cluster, and existing data remains in Log Analytics cluster. Linking a workspace has no effect on data ingestion and query experiences. Log Analytics query engine stitches data from old and new clusters automatically, and the results of queries are complete and accurate. + +When dedicated cluster is configured with customer-managed key (CMK), new ingested data is encrypted with your key, while older data remains encrypted with Microsoft-managed key (MMK). The key configuration is abstracted by Log Analytics and the query across old and new data encryptions is performed seamlessly. A cluster can be linked to up to 1,000 workspaces. Linked workspaces can be located in the same region as the cluster. A workspace can't be linked to a cluster more than twice a month, to prevent data fragmentation. |
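Review bot: the rewritten paragraph rightly adds the security-relevant caveat that after linking, only newly ingested data is encrypted with the customer-managed key while older data stays under the Microsoft-managed key; that sentence deserves to stand on its own so it isn't missed. Grammar in the added lines: "the workspace billing plan in workspace is changed to cluster plan" should read "the workspace's billing plan changes to the cluster's plan", and "When dedicated cluster is configured" needs an article. The retained line "Linked workspaces can be located in the same region as the cluster" reads as optional; if it is a requirement, say "must be".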
azure-monitor | Parse Text | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/logs/parse-text.md | Title: Parse text data in Azure Monitor logs | Microsoft Docs description: This article describes options for parsing log data in Azure Monitor records when the data is ingested and when it's retrieved in a query and compares the relative advantages for each. --++ Last updated 10/20/2021 |
azure-monitor | Query Audit | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/logs/query-audit.md | Title: Audit queries in Azure Monitor log queries description: Details of log query audit logs which provide telemetry about log queries run in Azure Monitor. --++ Last updated 10/20/2021 |
azure-monitor | Query Optimization | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/logs/query-optimization.md | Title: Optimize log queries in Azure Monitor description: Best practices for optimizing log queries in Azure Monitor. --++ Last updated 03/22/2022 |
azure-monitor | Scope | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/logs/scope.md | Title: Log query scope in Azure Monitor Log Analytics description: Describes the scope and time range for a log query in Azure Monitor Log Analytics. --++ Last updated 10/20/2021 |
azure-monitor | Workspace Expression | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/logs/workspace-expression.md | Last updated 04/20/2023 -# workspace() expression in Azure Monitor log query +# Using the workspace() expression in Azure Monitor log query -The `workspace` expression is used in an Azure Monitor query to retrieve data from a specific workspace in the same resource group, another resource group, or another subscription. This is useful to include log data in an Application Insights query and to query data across multiple workspaces in a log query. +Use the `workspace` expression in an Azure Monitor query to retrieve data from a specific workspace in the same resource group, another resource group, or another subscription. You can use this expression to include log data in an Application Insights query and to query data across multiple workspaces in a log query. ## Syntax `workspace(`*Identifier*`)` -## Arguments +### Arguments -- *Identifier*: Identifies the workspace using one of the formats in the table below.+The `workspace` expression takes the following arguments. ++#### Identifier ++Identifies the workspace by using one of the formats in the following table. | Identifier | Description | Example |:|:|:| The `workspace` expression is used in an Azure Monitor query to retrieve data fr | Azure Resource ID | Identifier for the Azure resource | workspace("/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/Contoso/providers/Microsoft.OperationalInsights/workspaces/contosoretail") | -## Notes --* You must have read access to the workspace. -* Identifying a workspace by its ID or Azure Resource ID is strongly recommended since unique, removes ambiguity, and more performant. -* A related expression is `app` that allows you to query across Application Insights applications. 
+> [!NOTE] +> We strongly recommend identifying a workspace by its unique ID or Azure Resource ID because they remove ambiguity and are more performant. ## Examples union ## Next steps -- See the [app expression](./app-expression.md) to refer to an Application Insights app.+- See the [app expression](./app-expression.md), which allows you to query across Application Insights applications. - Read about how [Azure Monitor data](./log-query-overview.md) is stored. - Access full documentation for the [Kusto query language](/azure/kusto/query/). |
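Review bot: the edit deletes the bullet "You must have read access to the workspace" and does not carry it into the new NOTE, so the only access requirement on the page disappears; restore it, for example as a second sentence in the NOTE. Heading structure also regressed: "Arguments" is demoted to `###` under `## Syntax` and a `#### Identifier` level is introduced for a single argument, which is deeper than the rest of the page uses; a sentence under Syntax would suffice.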
azure-resource-manager | User Defined Data Types | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/bicep/user-defined-data-types.md | Last updated 01/09/2023 Learn how to use user-defined data types in Bicep. -[Bicep version 1.2 or newer](./install.md) is required to use this feature. +[Bicep version 0.12.1 or newer](./install.md) is required to use this feature. ## Enable the preview feature |
backup | Backup Support Matrix Iaas | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/backup-support-matrix-iaas.md | Adding a disk to a protected VM | Supported. Resizing a disk on a protected VM | Supported. Shared storage| Backing up VMs by using Cluster Shared Volumes (CSV) or Scale-Out File Server isn't supported. CSV writers are likely to fail during backup. On restore, disks that contain CSV volumes might not come up. [Shared disks](../virtual-machines/disks-shared-enable.md) | Not supported.-<a name="ultra-disk-backup">Ultra SSD disks</a> | Supported with [Enhanced policy](backup-azure-vms-enhanced-policy.md). The support is currently in preview. <br><br> Supported region(s) - Sweden Central, South Central US and East US <br><br> To enroll your subscription for this feature, [fill this form](https://forms.office.com/r/1GLRnNCntU). <br><br> - Configuration of Ultra disk protection is supported via Recovery Services vault only. This configuration is currently not supported via virtual machine blade. <br><br> - Cross-region restore is currently not supported for machines using Ultra disks. -<a name="premium-ssd-v2-backup">Premium SSD v2 disks</a> | Supported with [Enhanced policy](backup-azure-vms-enhanced-policy.md). The support is currently in preview. <br><br> Supported region(s) - East US, West Europe and South Central US. <br><br> To enroll your subscription for this feature, [fill this form](https://forms.office.com/r/h56TpTc773). <br><br> - Configuration of Premium v2 disk protection is supported via Recovery Services vault only. This configuration is currently not supported via virtual machine blade. <br><br> - Cross-region restore is currently not supported for machines using Premium v2 disks. +<a name="ultra-disk-backup">Ultra SSD disks</a> | Supported with [Enhanced policy](backup-azure-vms-enhanced-policy.md). The support is currently in preview. 
<br><br> Supported region(s) - Sweden Central, South Central US, East US, East US 2, West US 2 and North Europe. <br><br> To enroll your subscription for this feature, [fill this form](https://forms.office.com/r/1GLRnNCntU). <br><br> - Configuration of Ultra disk protection is supported via Recovery Services vault only. This configuration is currently not supported via virtual machine blade. <br><br> - Cross-region restore is currently not supported for machines using Ultra disks. +<a name="premium-ssd-v2-backup">Premium SSD v2 disks</a> | Supported with [Enhanced policy](backup-azure-vms-enhanced-policy.md). The support is currently in preview. <br><br> Supported region(s) - East US, West Europe, South Central US, East US 2, West US 2 and North Europe. <br><br> To enroll your subscription for this feature, [fill this form](https://forms.office.com/r/h56TpTc773). <br><br> - Configuration of Premium v2 disk protection is supported via Recovery Services vault only. This configuration is currently not supported via virtual machine blade. <br><br> - Cross-region restore is currently not supported for machines using Premium v2 disks. [Temporary disks](../virtual-machines/managed-disks-overview.md#temporary-disk) | Azure Backup doesn't back up temporary disks. NVMe/[ephemeral disks](../virtual-machines/ephemeral-os-disks.md) | Not supported. [Resilient File System (ReFS)](/windows-server/storage/refs/refs-overview) restore | Supported. Volume Shadow Copy Service (VSS) supports app-consistent backups on ReFS. |
bastion | Configuration Settings | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/bastion/configuration-settings.md | The following table shows the availability of features per corresponding SKU. ### Specify SKU -Currently, you must use the Azure portal if you want to specify the Standard SKU. If you use the Azure CLI or Azure PowerShell to configure Bastion, the SKU can't be specified and defaults to the Basic SKU. - | Method | SKU Value | Links | | | | | | Azure portal | Tier - Basic or Standard | [Tutorial](tutorial-create-host-portal.md) | | Azure portal | Tier - Basic| [Quickstart](quickstart-host-portal.md) |-| Azure PowerShell | Basic |[How-to](bastion-create-host-powershell.md) | -| Azure CLI | Basic| [How-to](create-host-cli.md) | +| Azure PowerShell | Tier - Basic or Standard |[How-to](bastion-create-host-powershell.md) | +| Azure CLI | Tier - Basic or Standard | [How-to](create-host-cli.md) | ### <a name="upgradesku"></a>Upgrade a SKU |
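Review bot: removing the `-` sentence ("If you use the Azure CLI or Azure PowerShell to configure Bastion, the SKU can't be specified and defaults to the Basic SKU") leaves this section with no statement of which SKU a CLI or PowerShell deployment gets when no SKU is passed; the new table rows only say "Tier - Basic or Standard". Suggest adding a replacement sentence that states the default (the create-host-cli article in this same change set says the SKU defaults to Standard) so readers do not assume the old Basic default still applies.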
bastion | Create Host Cli | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/bastion/create-host-cli.md | Verify that you have an Azure subscription. If you don't already have an Azure s This section helps you deploy Azure Bastion using Azure CLI. -> [!NOTE] -> As shown in the examples, use the `--location` parameter with `--resource-group` for every command to ensure that the resources are deployed together. - 1. If you don't already have a virtual network, create a resource group and a virtual network using [az group create](/cli/azure/group#az-group-create) and [az network vnet create](/cli/azure/network/vnet#az-network-vnet-create). ```azurecli-interactive This section helps you deploy Azure Bastion using Azure CLI. az network vnet subnet create --name AzureBastionSubnet --resource-group TestRG1 --vnet-name VNet1 --address-prefix 10.1.1.0/26 ``` -1. Create a public IP address for Azure Bastion. The public IP is the public IP address the Bastion resource on which RDP/SSH will be accessed (over port 443). The public IP address must be in the same region as the Bastion resource you're creating. +1. Create a public IP address for Azure Bastion. The public IP is the public IP address the Bastion resource on which RDP/SSH will be accessed (over port 443). The public IP address must be in the same region as the Bastion resource you're creating. For this reason, pay particular attention to the `--location` value that you specify. ```azurecli-interactive az network public-ip create --resource-group TestRG1 --name VNet1-ip --sku Standard --location eastus This section helps you deploy Azure Bastion using Azure CLI. 1. Use [az network bastion create](/cli/azure/network/bastion#az-network-bastion-create) to create a new Azure Bastion resource for your virtual network. It takes about 10 minutes for the Bastion resource to create and deploy. - Hourly pricing starts from the moment Bastion is deployed, regardless of outbound data usage. 
Bastion pricing is a combination of hourly pricing based on SKU and instances (scale units), plus data transfer rates. For more information, see [Pricing](https://azure.microsoft.com/pricing/details/azure-bastion/). + [!INCLUDE [Pricing](../../includes/bastion-pricing.md)] The following example deploys Bastion using the **Basic** SKU tier. The SKU determines the features that your Bastion deployment supports. You can also deploy using the **Standard** SKU. If you don't specify a SKU in your command, the SKU defaults to Standard. For more information, see [Bastion SKUs](configuration-settings.md#skus). - ```azurecli-interactive az network bastion create --name VNet1-bastion --public-ip-address VNet1-ip --resource-group TestRG1 --vnet-name VNet1 --location eastus --sku Basic ``` This section helps you deploy Azure Bastion using Azure CLI. If you don't already have VMs in your virtual network, you can create a VM using [Quickstart: Create a Windows VM](../virtual-machines/windows/quick-create-portal.md), or [Quickstart: Create a Linux VM](../virtual-machines/linux/quick-create-portal.md) -Use the [Connection steps](#steps) in the following section to connect to your VM. You can also use any of the following articles to connect to a VM. Some connection types require the Bastion [Standard SKU](configuration-settings.md#skus). +You can use any of the following articles, or the steps in the following section, to help you connect to a VM. Some connection types require the Bastion [Standard SKU](configuration-settings.md#skus). [!INCLUDE [Links to Connect to VM articles](../../includes/bastion-vm-connect-article-list.md)] -### <a name="steps"></a>Connection steps +### <a name="steps"></a>Connect using the portal ++The following steps walk you through one type of connection using the Azure portal. [!INCLUDE [Connection steps](../../includes/bastion-vm-connect.md)] |
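Review bot: the `+` line for the public IP step carries over a broken sentence from the `-` line: "The public IP is the public IP address the Bastion resource on which RDP/SSH will be accessed (over port 443)" is missing "of" ("the public IP address of the Bastion resource on which RDP/SSH will be accessed"); since the line is being edited anyway, fix it here. Also, the removed `[!NOTE]` about passing `--location` with `--resource-group` on every command is only partially replaced by the new sentence on the public IP step; the `az network bastion create` step also takes `--location eastus` and would benefit from the same reminder, or the note could be kept.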
cdn | Cdn Features | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cdn/cdn-features.md | Azure Content Delivery Network (CDN) includes four products: * **Azure CDN Premium from Verizon**. > [!IMPORTANT]-> Azure CDN from Akamai is scheduled to be retired on October 31, 2023. For more information, see [**Migrate CDN provider**](cdn-change-provider.md) for guidance on migrating to another Azure CDN provider. +> Azure CDN from Akamai is scheduled to be retired on October 31, 2023. You can no longer create new Azure CDN from Akamai after June 1, 2023. For more information, see [**Migrate CDN provider**](cdn-change-provider.md) for guidance on migrating to another Azure CDN provider. The following table compares the features available with each product. |
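Review bot: the added sentence "You can no longer create new Azure CDN from Akamai after June 1, 2023" has no object; suggest "You can no longer create new Azure CDN from Akamai profiles after June 1, 2023" (or "new profiles that use Azure CDN from Akamai").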
chaos-studio | Chaos Studio Region Availability | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/chaos-studio/chaos-studio-region-availability.md | Title: Regional availability of Chaos Studio -description: Understand how Azure Chaos Studio makes chaos experiments and chaos targets available in Azure regions. + Title: Regional availability of Azure Chaos Studio Preview +description: Understand how Azure Chaos Studio Preview makes chaos experiments and chaos targets available in Azure regions. Last updated 4/29/2022 -# Regional availability of Azure Chaos Studio +# Regional availability of Azure Chaos Studio Preview -This article describes the regional availability model for Azure Chaos Studio, specifically the difference between a region where experiments can be deployed and one where resources can be targeted. It also provides an overview of Chaos Studio's high availability model. +This article describes the regional availability model for Azure Chaos Studio Preview. It explains the difference between a region where experiments can be deployed and one where resources can be targeted. It also provides an overview of the Chaos Studio high-availability model. -Chaos Studio is a regional Azure service, which means that the service is deployed and run within an Azure region. However, Chaos Studio has two regional components - the region where an experiment is deployed and the region where a resource is targeted. A chaos experiment can target a resource in a different region than the experiment (cross-region targeting), but in order to enable chaos experimentation on targets in more regions, Chaos Studio's set of regions in which you can do **resource targeting** is a superset of the regions in which you can create and manage **experiments**. You can [view the list of regions where Chaos Studio and resource targeting are available here](https://azure.microsoft.com/global-infrastructure/services/?products=chaos-studio). 
+Chaos Studio is a regional Azure service, which means that the service is deployed and run within an Azure region. Chaos Studio has two regional components: the region where an experiment is deployed and the region where a resource is targeted. ++A chaos experiment can target a resource in a different region than the experiment. This process is called cross-region targeting. To enable chaos experimentation on targets in more regions, Chaos Studio has a set of regions in which you can do *resource targeting*. This set is a superset of the regions in which you can create and manage *experiments*. ++To view the list of regions where Chaos Studio and resource targeting are available, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=chaos-studio). ## Regional availability of chaos experiments-A [chaos experiment](chaos-studio-chaos-experiments.md) is an Azure resource that describes the faults that should be run and the resources those faults should be run against. An experiment is deployed to a single region and the following information and operations stay within that region: -* The experiment definition, which includes the hierarchy of steps, branches, and actions, the faults and parameters defined, and the resource IDs of target resources. Open-ended properties in the experiment resource JSON including the step name, branch name, and any fault parameters are stored in region and treated as system metadata. -* The experiment execution each time an experiment is run, or the activity that orchestrates the execution of steps, branches, and actions. -* The experiment history, which includes details such as the step, branch, and action timestamps, status, IDs, and any error messages for each historical experiment run. This data is treated as system metadata. 
+A [chaos experiment](chaos-studio-chaos-experiments.md) is an Azure resource that describes the faults that should be run and the resources those faults should be run against. An experiment is deployed to a single region. The following information and operations stay in that region: ++* **Experiment definition**. The definition includes the hierarchy of steps, branches, and actions, the faults and parameters defined, and the resource IDs of target resources. Open-ended properties in the experiment resource JSON including the step name, branch name, and any fault parameters are stored in region and treated as system metadata. +* **Experiment execution**. The execution includes each time an experiment is run or the activity that orchestrates the execution of steps, branches, and actions. +* **Experiment history**. The history includes details such as the step, branch, and action timestamps, status, IDs, and any error messages for each historical experiment run. This data is treated as system metadata. Any experiment data stored in Chaos Studio is deleted when an experiment is deleted. ## Regional availability of chaos targets (resource targeting)-A [chaos target](chaos-studio-targets-capabilities.md) enables Chaos Studio to interact with an Azure resource. Faults in a chaos experiment run against a chaos target, but the target resource can be in a different region than the experiment. A resource can only be onboarded as a chaos target if Chaos Studio resource targeting is available in that region. The list of regions where resource targeting is available is a superset of the regions where experiments can be created. A chaos target is deployed to the same region as the target resource and the following information and operations stay in that region: -* The target definition, which includes basic metadata about the target. 
Agent-based targets have one user-configurable property: the [identity that will be used to connect the agent to the chaos agent service](chaos-studio-permissions-security.md#agent-authentication). -* The capability definitions, which include basic metadata about the capabilities enabled on a target. -* The action execution. When an experiment runs a fault, the fault itself (for example, shutting down a VM) happens within the target region. +A [chaos target](chaos-studio-targets-capabilities.md) enables Chaos Studio to interact with an Azure resource. Faults in a chaos experiment run against a chaos target, but the target resource can be in a different region than the experiment. A resource can only be onboarded as a chaos target if Chaos Studio resource targeting is available in that region. ++The list of regions where resource targeting is available is a superset of the regions where you can create experiments. A chaos target is deployed to the same region as the target resource. The following information and operations stay in that region: ++* **Target definition**. The definition includes basic metadata about the target. Agent-based targets have one user-configurable property: the [identity that's used to connect the agent to the chaos agent service](chaos-studio-permissions-security.md#agent-authentication). +* **Capability definitions**. The definitions include basic metadata about the capabilities enabled on a target. +* **Action execution**. When an experiment runs a fault, the fault itself (for example, shutting down a VM) happens within the target region. Any target or capability metadata is deleted when a target is deleted. ## High availability with Chaos Studio -Chaos Studio is a regional, zone-redundant service (in regions that support availability zones). In the case of an availability zone outage, any chaos operation may fail, but experiment metadata, history, and details should remain available and the service should not see a full outage. 
+Chaos Studio is a regional, zone-redundant service (in regions that support availability zones). If there's an availability zone outage, any chaos operation might fail, but experiment metadata, history, and details should remain available and the service shouldn't see a full outage. ## Next steps-Now that you understand the region availability model for Chaos Studio, you are ready to: +Now that you understand the region availability model for Chaos Studio, you're ready to: - [Review the availability of Chaos Studio per region](https://azure.microsoft.com/global-infrastructure/services/?products=chaos-studio) - [Create and run your first experiment](chaos-studio-tutorial-service-direct-portal.md) |
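Review bot: the `Last updated 4/29/2022` metadata line sits unchanged in the hunk context while the title, description and most body paragraphs are rewritten; bump the date so the freshness indicator matches the content. Minor wording on the `+` bullet "The execution includes each time an experiment is run or the activity that orchestrates the execution of steps, branches, and actions": "includes each time" reads oddly; something like "Each run of the experiment, that is, the activity that orchestrates the execution of steps, branches, and actions" keeps the meaning of the `-` line.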
chaos-studio | Chaos Studio Run Experiment | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/chaos-studio/chaos-studio-run-experiment.md | Title: Run and manage a chaos experiment in Azure Chaos Studio -description: Learn how to start, stop, view details, and view history for a chaos experiment in Azure Chaos Studio + Title: Run and manage a chaos experiment in Azure Chaos Studio Preview +description: Learn how to start, stop, view details, and view history for a chaos experiment in Azure Chaos Studio Preview. -# Run and manage an experiment in Azure Chaos Studio +# Run and manage an experiment in Azure Chaos Studio Preview -You can use a chaos experiment to verify that your application is resilient to failures by causing those failures in a controlled environment. This article provides an overview of how to use a chaos experiment that you have previously created. +You can use a chaos experiment to verify that your application is resilient to failures by causing those failures in a controlled environment. This article provides an overview of how to use Azure Chaos Studio Preview with a chaos experiment that you've previously created. ## Start an experiment 1. Open the [Azure portal](https://portal.azure.com). -2. Search for **Chaos Studio (preview)** in the search bar. +1. Search for **Chaos Studio (preview)** in the search bar. -3. Click on **Experiments**. This is the experiment list view you can start, stop, or delete experiments in bulk or create a new experiment. +1. Select **Experiments**. This experiment list view is where you can start, stop, or delete experiments in bulk. You can also create a new experiment. - ![Experiment list in the portal](images/run-experiment-list.png) + ![Screenshot that shows the experiment list in the portal.](images/run-experiment-list.png) -4. Click on your experiment. The experiment overview page allows you to start, stop, and edit your experiment, view essential details about the resource, and view history. 
Click the **Start** button then click **OK** to start your experiment. +1. Select your experiment. On the experiment **Overview** page, you can start, stop, and edit your experiment. You can also view essential details about the resource and its history. Select **Start** and then select **OK** to start your experiment. - ![Start experiment](images/run-experiment-start.png) + ![Screenshot that shows the Start this experiment pane.](images/run-experiment-start.png) -5. The experiment status shows *PreProcessingQueued*, then *WaitingToStart*, and finally *Running*. +1. The experiment status shows as *PreProcessingQueued*, then *WaitingToStart*, and finally *Running*. ## View experiment history and details -1. Once the experiment is running, click **Details** on the current run under **History** to see detailed status and errors. +1. After the experiment is running, under **History**, select **Details** on the current run to see status and errors. - ![Run history](images/run-experiment-history.png) + ![Screenshot that shows the run history.](images/run-experiment-history.png) -2. The experiment details view shows the execution status of each step, branch, and fault. Click on a fault. +1. The experiment **Details** view shows the execution status of each step, branch, and fault. Select a fault. - ![Experiment details](images/run-experiment-details.png) + ![Screenshot that shows the Details view.](images/run-experiment-details.png) -3. Fault details shows additional information about the fault execution including which targets have failed or succeeded and why. If there is an error running your experiment, debugging information appears here. +1. **Fault details** shows other information about the fault execution. It includes which targets have failed or succeeded and why. If there's an error running your experiment, debugging information appears here. 
- ![Fault details](images/run-experiment-fault.png) + ![Screenshot that shows Fault details.](images/run-experiment-fault.png) -## Edit experiment +## Edit an experiment -1. Return to the Experiment Overview and click the **Edit** button. +1. Return to the experiment **Overview** page and select **Edit**. - ![Edit experiment](images/run-edit.png) + ![Screenshot that shows the Edit button.](images/run-edit.png) -2. This is the same experiment designer as was used to create the experiment. You can add or remove steps, branches, and faults, and edit fault parameters and targets. To edit a fault, click on the **...** beside the fault. +1. This experiment designer is the same as the one you used to create the experiment. You can add or remove steps, branches, and faults. You can also edit fault parameters and targets. To edit a fault, select **...** next to the fault. - ![Edit fault](images/run-edit-ellipses.png) + ![Screenshot that shows preparing to edit a fault.](images/run-edit-ellipses.png) -3. When you are finished editing, click **Save**. If you want to discard your changes without saving, click the **Close (X)** button in the top right. - ![Save experiment](images/run-edit-save.png) +1. When you're finished editing, select **Save**. If you want to discard your changes without saving, select the **Close** button in the upper-right corner. + ![Screenshot that shows saving the experiment.](images/run-edit-save.png) > [!WARNING] > If you added targets to your experiment, remember to add a role assignment on the target resource for your experiment identity. -## Delete experiment -1. Return to the experiment list and check the experiment(s) you want to delete. Click **Delete** in the toolbar above the experiment list. You may need to click the ellipsis (...) to see the delete option depending on screen resolution. +## Delete an experiment - ![Delete experiment](images/run-delete.png) +1. 
Return to the **Experiments** list and select the checkbox next to the experiment you want to delete. Select **Delete**. You might need to select **...** to see the delete option depending on your screen resolution. -2. Click **Yes** to confirm you want to delete the resource. + ![Screenshot that shows deleting an experiment.](images/run-delete.png) -3. Alternatively, you can open an experiment and click the **Delete** button in the toolbar. +1. Select **Yes** to confirm that you want to delete the resource. ++1. Alternatively, you can open an experiment and select **Delete**. |
chaos-studio | Chaos Studio Samples Rest Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/chaos-studio/chaos-studio-samples-rest-api.md | Title: Use the REST APIs to manage Azure Chaos Studio experiments -description: Run and manage a chaos experiment with Azure Chaos Studio using REST APIs. + Title: Use the REST APIs to manage Azure Chaos Studio Preview experiments +description: Run and manage a chaos experiment with Azure Chaos Studio Preview by using REST APIs. -> Injecting faults can impact your application or service. Be careful not to disrupt customers. +> Injecting faults can affect your application or service. Be careful not to disrupt customers. -The Chaos Studio API provides support for starting experiments programmatically. You can also use the ARM client and the Azure CLI to execute these commands from the console. These examples are for the Azure CLI. +The Azure Chaos Studio Preview API provides support for starting experiments programmatically. You can also use the Azure Resource Manager client and the Azure CLI to execute these commands from the console. The examples in this article are for the Azure CLI. > [!Warning] > These APIs are still under development and subject to change. ## REST APIs -The Chaos Studio REST APIs can be used to: -* Start, stop, and manage experiments -* View and manage targets -* Query experiment status -* Query and delete subscription configurations +You can use the Chaos Studio REST APIs to: +* Start, stop, and manage experiments. +* View and manage targets. +* Query experiment status. +* Query and delete subscription configurations. -The `AZ CLI` utility can be used to perform these actions from the command line. +Use the `AZ CLI` utility to perform these actions from the command line. > [!TIP]-> To get more verbose output with the AZ CLI, append `--verbose` to the end of each command. 
This will return more metadata when commands execute, including `x-ms-correlation-request-id` which aids in debugging. +> To get more verbose output with the AZ CLI, append `--verbose` to the end of each command. This variable returns more metadata when commands execute, including `x-ms-correlation-request-id`, which aids in debugging. -### Chaos Provider Commands +### Chaos Studio provider commands -#### List details about the `Microsoft.Chaos` Resource Provider +This section lists the Chaos Studio provider commands. ++#### List details about the Microsoft.Chaos resource provider ```azurecli az rest --method get --url "https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Chaos?api-version={apiVersion}" --resource "https://management.azure.com" ``` -#### List all the operations of the Chaos Studio Resource Provider +#### List all the operations of the Microsoft.Chaos resource provider ```azurecli az rest --method get --url "https://management.azure.com/providers/Microsoft.Chaos/operations?api-version={apiVersion}" --resource "https://management.azure.com" az rest --method get --urlΓÇ»"https://management.azure.com/subscriptions/{subscr az rest --method put --url "https://management.azure.com/subscriptions/{subscriptionId}/providers/microsoft.chaos/chaosProviderConfigurations/{chaosProviderType}?api-version={apiVersion}" --body @{providerSettings.json} --resource "https://management.azure.com" ``` -### Chaos Target and Agent Commands +### Chaos Studio target and agent commands ++This section lists the Chaos Studio target and agent commands. 
-#### List all the Targets or Agents under a subscription +#### List all the targets or agents under a subscription ```azurecli az rest --method get --url "https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Chaos/chaosTargets/?api-version={apiVersion}" --url-parameter "chaosProviderType={chaosProviderType}" --resource "https://management.azure.com" ``` -### Chaos Experiment Commands +### Chaos Studio experiment commands ++This section lists the Chaos Studio experiment commands. -#### List all experiments in a resource group +#### List all the experiments in a resource group ```azurecli az rest --method get --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Chaos/chaosExperiments?api-version={apiVersion}" --resource "https://management.azure.com" az rest --method post --url "https://management.azure.com/{experimentId}/start?a az rest --method get --url "https://management.azure.com/{experimentId}/statuses?api-version={apiVersion}" --resource "https://management.azure.com" ``` -#### Get status of an experiment +#### Get the status of an experiment ```azurecli az rest --method get --url "https://management.azure.com/{experimentId}/status?api-version={apiVersion}" --resource "https://management.azure.com" az rest --method get --url "https://management.azure.com/{experimentId}/executio az rest --method get --url "https://management.azure.com/{experimentId}/executiondetails/{executionDetailsId}?api-version={apiVersion}" --resource "https://management.azure.com" ``` -## Parameter Definitions +## Parameter definitions -| Parameter Name | Definition | Lookup | +| Parameter name | Definition | Lookup | | | | |-| {apiVersion} | Version of the API to be used when executing the command provided | Can be found in the [API documentation](/rest/api/chaosstudio/) | -| {experimentId} | Azure Resource ID for the experiment | Can be found in the [Chaos Studio Experiment 
Page](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.chaos%2Fchaosexperiments) | -| {chaosProviderType} | Type or Name of Chaos Studio Provider | Available providers can be found in the [List of current Provider Config Types](chaos-studio-fault-providers.md) | -| {experimentName.json} | JSON containing the configuration of the chaos experiment | Generated by the user | -| {subscriptionId} | Subscription ID where the target resource is located | Can be found in the [Subscriptions Page](https://portal.azure.com/#blade/Microsoft_Azure_Billing/SubscriptionsBlade) | -| {resourceGroupName} | Name of the resource group where the target resource is located | Can be fond in the [Resource Groups Page](https://portal.azure.com/#blade/HubsExtension/BrowseResourceGroups) | -| {executionDetailsId} | Execution ID of an experiment execution | Can be found in the [Chaos Studio Experiment Page](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.chaos%2Fchaosexperiments) | +| {apiVersion} | Version of the API to use when you execute the command provided | Can be found in the [API documentation](/rest/api/chaosstudio/) | +| {experimentId} | Azure Resource ID for the experiment | Can be found on the [Chaos Studio Experiment page](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.chaos%2Fchaosexperiments) | +| {chaosProviderType} | Type or Name of Chaos Studio provider | Available providers can be found in the [List of current Provider Config Types](chaos-studio-fault-providers.md) | +| {experimentName.json} | JSON that contains the configuration of the chaos experiment | Generated by the user | +| {subscriptionId} | Subscription ID where the target resource is located | Can be found on the [Subscriptions page](https://portal.azure.com/#blade/Microsoft_Azure_Billing/SubscriptionsBlade) | +| {resourceGroupName} | Name of the resource group where the target resource is located | Can be 
found on the [Resource groups page](https://portal.azure.com/#blade/HubsExtension/BrowseResourceGroups) | +| {executionDetailsId} | Execution ID of an experiment execution | Can be found on the [Chaos Studio Experiment page](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.chaos%2Fchaosexperiments) | |
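Review bot: in the `+` [!TIP] line, `--verbose` is described as "This variable returns more metadata"; it is a command-line option, not a variable, so "This option returns more metadata ..." (or "With this option, commands return more metadata ...") is the accurate wording. Separately, the unchanged context line `az rest --method get --urlΓÇ»"https://management.azure.com/subscriptions/{subscr` contains a mis-encoded character (a non-breaking space rendered as `ΓÇ»`) between `--url` and the quoted URL; a reader copying that command gets an argument-parsing error, so replace it with a plain space while this file is open.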
chaos-studio | Chaos Studio Service Limits | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/chaos-studio/chaos-studio-service-limits.md | Title: Azure Chaos Studio service limits -description: Understand the throttling and usage limits for Azure Chaos Studio + Title: Azure Chaos Studio Preview service limits +description: Understand the throttling and usage limits for Azure Chaos Studio. -# Azure Chaos Studio service limits -This article provides service limits for Azure Chaos Studio. +# Azure Chaos Studio Preview service limits +This article provides service limits for Azure Chaos Studio Preview. + ## Experiment and target limits Chaos Studio applies limits to the number of objects, duration of activities, and retention of data. | Limit | Value |-| -- | -- | +|--|--| | Actions per experiment | 9 | | Branches per experiment | 9 | | Steps per experiment | 4 | Chaos Studio applies limits to the number of objects, duration of activities, an ## API throttling limits -Chaos Studio applies limits to all ARM operations. Requests made over the limit are throttled. All request limits are applied for a five-minute interval unless otherwise specified. +Chaos Studio applies limits to all Azure Resource Manager operations. Requests made over the limit are throttled. All request limits are applied for a five-minute interval unless otherwise specified. | Operation | Requests |-| -- | -- | +|--|--| | Microsoft.Chaos/experiments/write | 100 | | Microsoft.Chaos/experiments/read | 300 | | Microsoft.Chaos/experiments/delete | 100 | Chaos Studio applies limits to all ARM operations. 
Requests made over the limit | Microsoft.Chaos/targets/read | 600 | | Microsoft.Chaos/targets/delete | 200 | | Microsoft.Chaos/targets/capabilities/write | 600 |-| Microsoft.Chaos/targets/capabilities/read | 1800 | +| Microsoft.Chaos/targets/capabilities/read | 1,800 | | Microsoft.Chaos/targets/capabilities/delete | 600 | | Microsoft.Chaos/locations/targetTypes/read | 50 | | Microsoft.Chaos/locations/targetTypes/capabilityTypes/read | 50 | |
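Review bot: the `+` title adds "Preview" but the `+` description line ("Understand the throttling and usage limits for Azure Chaos Studio.") does not, unlike the sibling Chaos Studio articles in this change set whose descriptions were updated to "Azure Chaos Studio Preview"; align the description with the title.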
chaos-studio | Chaos Studio Targets Capabilities | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/chaos-studio/chaos-studio-targets-capabilities.md | Title: Targets and capabilities in Azure Chaos Studio -description: Understand how to control resource onboarding in Azure Chaos Studio by using targets and capabilities. + Title: Targets and capabilities in Azure Chaos Studio Preview +description: Understand how to control resource onboarding in Azure Chaos Studio Preview by using targets and capabilities. Last updated 11/01/2021 -# Targets and capabilities in Azure Chaos Studio +# Targets and capabilities in Azure Chaos Studio Preview -Before you can inject a fault against an Azure resource, the resource must first have corresponding targets and capabilities enabled. Targets and capabilities control which resources are enabled for fault injection and which faults can run against those resources. Using targets and capabilities [along with other security measures](chaos-studio-permissions-security.md) you can avoid accidental or malicious fault injection with Chaos Studio. For example, with targets and capabilities you can allow the CPU pressure fault to run against your production virtual machines while preventing the kill process fault from running against them. +Before you can inject a fault against an Azure resource, the resource must first have corresponding targets and capabilities enabled. Targets and capabilities control which resources are enabled for fault injection and which faults can run against those resources. ++By using targets and capabilities [along with other security measures](chaos-studio-permissions-security.md), you can avoid accidental or malicious fault injection with Azure Chaos Studio Preview. For example, with targets and capabilities, you can allow the CPU pressure fault to run against your production virtual machines while preventing the kill process fault from running against them. 
## Targets -A chaos **target** enables Chaos Studio to interact with a resource for a particular target type. A **target type** represents the method of injecting faults against a resource. Resource types that only support service-direct faults have one target type, for example the `Microsoft-CosmosDB` type for Azure Cosmos DB. Resource types that support service-direct and agent-based faults have two target types: one for the service-direct faults (for example, `Microsoft-VirtualMachine`), and one for the agent-based faults (always `Microsoft-Agent`). +A chaos *target* enables Chaos Studio to interact with a resource for a particular target type. A *target type* represents the method of injecting faults against a resource. Resource types that only support service-direct faults have one target type. An example is the `Microsoft-CosmosDB` type for Azure Cosmos DB. ++Resource types that support service-direct and agent-based faults have two target types. One target type is for service-direct faults (for example, `Microsoft-VirtualMachine`). The other target type is for agent-based faults (always `Microsoft-Agent`). -A target is an extension resource created as a child of the resource that is being onboarded to Chaos Studio (for example, a Virtual Machine or Network Security Group). A target defines the target type that is enabled on the resource. For example, if onboarding an Azure Cosmos DB instance with this resource ID: +A target is an extension resource created as a child of the resource that's being onboarded to Chaos Studio. Examples are a virtual machine or a network security group. A target defines the target type that's enabled on the resource. 
For example, if you're onboarding an Azure Cosmos DB instance with this resource ID: ``` /subscriptions/fd9ccc83-faf6-4121-9aff-2a2d685ca2a2/resourceGroups/chaosstudiodemo/providers/Microsoft.DocumentDB/databaseAccounts/myDB ``` -The Azure Cosmos DB resource will have a child resource formatted like this: +The Azure Cosmos DB resource has a child resource formatted like this example: ``` /subscriptions/fd9ccc83-faf6-4121-9aff-2a2d685ca2a2/resourceGroups/chaosstudiodemo/providers/Microsoft.DocumentDB/databaseAccounts/myDB/providers/Microsoft.Chaos/targets/Microsoft-CosmosDB Only resources with a target created off of them are targetable for fault inject ## Capabilities -A **capability** enables Chaos Studio to run a particular fault against a resource, such a shutting down a virtual machine. Capabilities are unique per target type and represent the fault that they enable, for example, `CPUPressure-1.0`. [Visit the Chaos Studio fault library](chaos-studio-fault-library.md) to understand all available faults and their corresponding capability names and target types. +A *capability* enables Chaos Studio to run a particular fault against a resource, such as shutting down a virtual machine. Capabilities are unique per target type. They represent the fault that they enable, for example, `CPUPressure-1.0`. To understand all available faults and their corresponding capability names and target types, see the [Chaos Studio fault library](chaos-studio-fault-library.md). -A capability is an extension resource created as a child of a target. For example, if enabling the shutdown fault on a Virtual Machine with a service-direct target ID: +A capability is an extension resource created as a child of a target. 
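Review bot: the resource IDs in both the Cosmos DB and virtual machine examples embed a concrete-looking subscription GUID (`fd9ccc83-faf6-4121-9aff-2a2d685ca2a2`); prefer an obvious placeholder such as `<subscription-id>` or an all-zero GUID so readers do not paste it verbatim and so no real tenant identifier is published in docs.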
For example, if you're enabling the shutdown fault on a virtual machine with a service-direct target ID: ``` /subscriptions/fd9ccc83-faf6-4121-9aff-2a2d685ca2a2/resourceGroups/myRG/providers/Microsoft.Compute/virtualMachines/myVM/providers/Microsoft.Chaos/targets/Microsoft-VirtualMachine ``` -The target resource will have a child resource formatted like this: +The target resource has a child resource formatted like this example: ``` /subscriptions/fd9ccc83-faf6-4121-9aff-2a2d685ca2a2/resourceGroups/myRG/providers/Microsoft.Compute/virtualMachines/myVM/providers/Microsoft.Chaos/targets/Microsoft-VirtualMachine/capabilities/shutdown-1.0 ``` -An experiment can only inject faults on onboarded targets with the corresponding capabilities enabled. +An experiment can only inject faults on onboarded targets with the corresponding capabilities enabled. -## Listing capability names and parameters -For reference, a list of capability names, fault URNs, and parameters is available [in our fault library](chaos-studio-fault-library.md), but you can use the HTTP response to creating a capability or do a GET on an existing capability to get this information on demand. For example, doing a GET on a VM shutdown capability: +## List capability names and parameters +For reference, a list of capability names, fault URNs, and parameters is available [in our fault library](chaos-studio-fault-library.md). You can use the HTTP response to create a capability or do a GET on an existing capability to get this information on demand. 
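Review bot: the `-An experiment can only inject faults on onboarded targets...` / `+An experiment can only inject faults on onboarded targets...` pair is textually identical, so this is a whitespace-only change (most likely a trailing space); harmless, but confirm it is intentional rather than editor noise.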
For example, to do a GET on a VM shutdown capability: ```azurecli az rest --method get --url "https://management.azure.com/subscriptions/fd9ccc83-faf6-4121-9aff-2a2d685ca2a2/resourceGroups/myRG/providers/Microsoft.Compute/virtualMachines/myVM/providers/Microsoft.Chaos/targets/Microsoft-VirtualMachine/capabilities/shutdown-1.0?api-version=2021-08-11-preview" ``` -Will return the following JSON: +Returns the following JSON: ```JSON { Will return the following JSON: } ``` -The `properties.urn` property is used to define the fault you want to run in a chaos experiment. To understand the schema for this fault's parameters, you can GET the schema referenced by `properties.parametersSchema`. +The `properties.urn` property is used to define the fault you want to run in a chaos experiment. To understand the schema for this fault's parameters, you can GET the schema referenced by `properties.parametersSchema`: ```azurecli az rest --method get --url "https://schema-tc.eastus.chaos-prod.azure.com/targetTypes/Microsoft-VirtualMachine/capabilityTypes/Shutdown-1.0/parametersSchema.json" ``` -returns the following JSON: +Returns the following JSON: ```JSON { "$schema": "https://json-schema.org/draft-07/schema", returns the following JSON: ``` ## Next steps-Now that you understand what targets and capabilities are, you are ready to: +Now that you understand what targets and capabilities are, you're ready to: - [Learn about faults and actions](chaos-studio-faults-actions.md) - [Create and run your first experiment](chaos-studio-tutorial-service-direct-portal.md) |
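Review bot: the `az rest` examples still pin `api-version=2021-08-11-preview` and fetch the parameters schema from `https://schema-tc.eastus.chaos-prod.azure.com/...`, which looks region-specific (eastus); since this section is being re-edited anyway, confirm both are still current and say whether the schema host differs per region, otherwise readers in other regions may copy a URL that does not apply to them.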
cognitive-services | Category Taxonomy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Computer-vision/Category-Taxonomy.md | dark_fire dark_fireworks -sky_object +dark_light food_ indoor_room indoor_venue -dark_light +object_screen ++object_sculpture others_ outdoor_oceanbeach outdoor_playground +outdoor_pool + outdoor_railway outdoor_road people_portrait people_show +people_swimming + people_tattoo people_young plant_leaves plant_tree -object_screen --object_sculpture - sky_cloud -sky_sun --people_swimming +sky_object -outdoor_pool +sky_sun text_ trans_bus trans_car -trans_trainstation +trans_trainstation |
cognitive-services | Background Removal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Computer-vision/how-to/background-removal.md | Where we used this helper function to read the value of an environment variable: #### [REST API](#tab/rest) -Authentication is done by adding the HTTP request header **Ocp-Apim-Subscription-Key** and setting it to your vision key. The call is made to the URL `https://<endpoint>/computervision/imageanalysis:segment&api-version=2023-02-01-preview`, where `<endpoint>` is your unique computer vision endpoint URL. See [Select a mode ](./background-removal.md#select-a-mode) section for another query string you add to this URL. +Authentication is done by adding the HTTP request header **Ocp-Apim-Subscription-Key** and setting it to your vision key. The call is made to the URL `https://<endpoint>/computervision/imageanalysis:segment?api-version=2023-02-01-preview`, where `<endpoint>` is your unique computer vision endpoint URL. See [Select a mode ](./background-removal.md#select-a-mode) section for another query string you add to this URL. |
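Review bot: correct fix; the first query-string parameter must follow `?`, so `imageanalysis:segment&api-version=2023-02-01-preview` produced a malformed URL. While here, the link text `[Select a mode ](./background-removal.md#select-a-mode)` keeps a stray trailing space inside the brackets in both the old and the new line.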
cognitive-services | Embedded Speech | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Speech-Service/embedded-speech.md | Follow these steps to install the Speech SDK for Java using Apache Maven: <dependency> <groupId>com.microsoft.cognitiveservices.speech</groupId> <artifactId>client-sdk-embedded</artifactId>- <version>1.28.0</version> + <version>1.29.0</version> </dependency> </dependencies> </project> Be sure to use the `@aar` suffix when the dependency is specified in `build.grad ``` dependencies {- implementation 'com.microsoft.cognitiveservices.speech:client-sdk-embedded:1.28.0@aar' + implementation 'com.microsoft.cognitiveservices.speech:client-sdk-embedded:1.29.0@aar' } ``` ::: zone-end |
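Review bot: the Maven `<version>` and the Gradle `@aar` coordinate are both bumped to `1.29.0`, which keeps the two install paths consistent; check that any other pinned `client-sdk-embedded` version string elsewhere in the file (outside this excerpt) was bumped as well.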
cognitive-services | Create Translator Resource | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Translator/create-translator-resource.md | The Translator service can be accessed through two different resource types: * Each subscription has a free tier. * The free tier has the same features and functionality as the paid plans and doesn't expire. * Only one free tier is available per subscription.- * Document Translation isn't supported in the free tier. Select Standard S1 to try that feature. + * Document Translation is only supported in paid tiers. We suggest that you select Standard S1 to try the feature. 1. If you've created a multi-service resource, you need to confirm more usage details via the check boxes. |
cognitive-services | Release Notes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Translator/custom-translator/release-notes.md | This page presents the latest feature, improvement, bug fix, and known issue rel #### Custom Translator platform upgrade -  ≡ƒåò The ***Model Upgrade Wizard*** feature is added to **Workspace settings** to help guide customers through the V1-model-upgrade-to-new-platform process. For more information, *see* [Custom Translator platform upgrade](platform-upgrade.md). +  ≡ƒåò ***Model Upgrade Wizard*** is now available in **Workspace settings** to help guide customers through the V1-model-upgrade-to-new-platform process. For more information, *see* [Custom Translator platform upgrade](platform-upgrade.md). #### Custom Translator copy model -  ≡ƒåò The ***Copy Model*** feature is added to **Model details** to enable the copying of models from one workspace to another. This feature enables model lifecycle management (development ΓåÆ testing ΓåÆ production) and/or scaling. For more information, *see* [Copy a custom model](how-to/copy-model.md). +  ≡ƒåò ***Copy Model*** is now available in **Model details** to enable the copying of models from one workspace to another. This feature enables model lifecycle management (development ΓåÆ testing ΓåÆ production) and/or scaling. For more information, *see* [Copy a custom model](how-to/copy-model.md). #### Restrict access to published models -   Published model security is enhanced and restricted access is enabled within **Workspace settings** to allow only linked Translator resources to request translation. +   Published model security is now enhanced and restricted access is now enabled within **Workspace settings** to allow only linked Translator resources to request translation. #### June language model updates -  Supported language pairs are listed in the following table. For higher quality, we encourage you to retrain your models accordingly. 
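Review bot: in the "Restrict access to published models" hunk, `Published model security is now enhanced and restricted access is now enabled` repeats "now"; drop one, for example `Published model security is enhanced, and restricted access is now enabled within **Workspace settings**`.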
For more information, *see* [Language support](../language-support.md#custom-translator-language-pairs). +  Current supported language pairs are listed in the following table. For higher quality, we encourage you to retrain your models accordingly. For more information, *see* [Language support](../language-support.md#custom-translator-language-pairs). |Source Language|Target Language| |:-|:-| This page presents the latest feature, improvement, bug fix, and known issue rel | Turkish (tr-tr) | English (en-us) | | Vietnamese (vi-vn) | English (en-us) | | Chinese Simplified (zh-cn) | English (en-us) |-|| ## 2022-November release |
cognitive-services | Get Started With Rest Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Translator/document-translation/quickstarts/get-started-with-rest-api.md | To get started, you need: 1. After your resource has successfully deployed, select **Go to resource**. -> [!div class="nextstepaction"] -> [I ran into an issue with the prerequisites.](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?Pillar=Language&Product=Document-translation&Page=quickstart&Section=Prerequisites) +<!-- > [!div class="nextstepaction"] +> [I ran into an issue with the prerequisites.](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?Pillar=Language&Product=Document-translation&Page=quickstart&Section=Prerequisites) --> ### Retrieve your key and document translation endpoint To get started, you need: :::image type="content" source="../media/document-translation-key-endpoint.png" alt-text="Screenshot showing the get your key field in Azure portal."::: -> [!div class="nextstepaction"] -> [I ran into an issue retrieving my key and endpoint.](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?Pillar=Language&Product=Document-translation&Page=quickstart&Section=Retrieve-your-keys-and-endpoint) +<!-- > [!div class="nextstepaction"] +> [I ran into an issue retrieving my key and endpoint.](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?Pillar=Language&Product=Document-translation&Page=quickstart&Section=Retrieve-your-keys-and-endpoint) --> ## Create Azure Blob Storage containers The `sourceUrl` , `targetUrl` , and optional `glossaryUrl` must include a Share > * If you're translating a **single** file (blob) in an operation, **delegate SAS access at the blob level**. > * As an alternative to SAS tokens, you can use a [**system-assigned managed identity**](../how-to-guides/create-use-managed-identities.md) for authentication. 
-> [!div class="nextstepaction"] -> [I ran into an issue creating blob storage containers with authentication.](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?Pillar=Language&Product=Document-translation&Page=quickstart&Section=Create-blob-storage-containers) +<!-- > [!div class="nextstepaction"] +> [I ran into an issue creating blob storage containers with authentication.](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?Pillar=Language&Product=Document-translation&Page=quickstart&Section=Create-blob-storage-containers) --> ### Sample document |
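Review bot: the three feedback callouts are wrapped in `<!-- ... -->` rather than deleted. Commented-out markup tends to linger; if the Qualtrics links are being retired, remove the blocks outright, and if they are only paused, add a short comment saying why and when they should be restored.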
cognitive-services | Quickstart Translator Rest Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Translator/quickstart-translator-rest-api.md | |
cognitive-services | Cognitive Services Virtual Networks | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/cognitive-services-virtual-networks.md | You can manage default network access rules for Cognitive Services resources thr 1. Display the status of the default rule for the Cognitive Services resource. ```azurepowershell-interactive- $parameters = @{ - -ResourceGroupName "myresourcegroup" - -Name "myaccount" - } + $parameters = @{ + "ResourceGroupName"= "myresourcegroup" + "Name"= "myaccount" +} (Get-AzCognitiveServicesAccountNetworkRuleSet @parameters).DefaultAction ``` You can manage virtual network rules for Cognitive Services resources through th 1. List virtual network rules. ```azurepowershell-interactive- $parameters = @{ - -ResourceGroupName "myresourcegroup" - -Name "myaccount" - } + $parameters = @{ + "ResourceGroupName"= "myresourcegroup" + "Name"= "myaccount" +} (Get-AzCognitiveServicesAccountNetworkRuleSet @parameters).VirtualNetworkRules ``` You can manage IP network rules for Cognitive Services resources through the Azu 1. List IP network rules. ```azurepowershell-interactive- $parameters = @{ - -ResourceGroupName "myresourcegroup" - -Name "myaccount" - } + $parameters = @{ + "ResourceGroupName"= "myresourcegroup" + "Name"= "myaccount" +} (Get-AzCognitiveServicesAccountNetworkRuleSet @parameters).IPRules ``` |
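Review bot: the fix is right (`-ResourceGroupName "myresourcegroup"` inside `@{ }` is parameter syntax, not a hashtable entry, so the old blocks would not have parsed), but the corrected blocks close with `+}` at column 0 while `$parameters = @{` and the keys are indented, and the keys are written `"Name"= "myaccount"` with no space before `=`; indent the closing brace to match and use `"Name" = "myaccount"` in all three blocks.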
cognitive-services | Call Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/language-service/custom-named-entity-recognition/how-to/call-api.md | -# Query deployment to extract entities +# Query your custom model After the deployment is added successfully, you can query the deployment to extract entities from your text based on the model you assigned to the deployment.-You can query the deployment programmatically using the [Prediction API](https://aka.ms/ct-runtime-api) or through the Client libraries (Azure SDK). +You can query the deployment programmatically using the [Prediction API](https://aka.ms/ct-runtime-api) or through the client libraries (Azure SDK). ## Test deployed model You can use Language Studio to submit the custom entity recognition task and visualize the results. + - ## Send an entity recognition request to your model # [Language Studio](#tab/language-studio) # [REST API](#tab/rest-api) -First you will need to get your resource key and endpoint: +First you need to get your resource key and endpoint: + ### Submit a custom NER task First you will need to get your resource key and endpoint: # [Client libraries (Azure SDK)](#tab/client) -First you will need to get your resource key and endpoint: +First you need to get your resource key and endpoint: 3. Download and install the client library package for your language of choice: |
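Review bot: apart from the title and wording changes, the hunk adds and removes several blank-only lines (`+` / `-` with no text) around the Language Studio and REST API tabs; confirm these are intentional spacing changes and that no `[!INCLUDE]` directive was dropped in the process.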
cognitive-services | Call Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/language-service/custom-text-analytics-for-health/how-to/call-api.md | You can query the deployment programmatically using the [Prediction API](https:/ You can use Language Studio to submit the custom Text Analytics for health task and visualize the results. ++ ## Send a custom text analytics for health request to your model # [Language Studio](#tab/language-studio) + # [REST API](#tab/rest-api) First you will need to get your resource key and endpoint: + ### Submit a custom Text Analytics for health task |
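Review bot: `First you will need to get your resource key and endpoint:` is left as unchanged context here, while the sibling call-api pages in this batch rewrite it to `First you need to get your resource key and endpoint:`; apply the same wording so the three how-to pages stay consistent.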
cognitive-services | Call Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/language-service/custom-text-classification/how-to/call-api.md | You can query the deployment programmatically [Prediction API](https://aka.ms/ct You can use Language Studio to submit the custom text classification task and visualize the results. ++ - ## Send a text classification request to your model You can use Language Studio to submit the custom text classification task and vi # [Language Studio](#tab/language-studio) + # [REST API](#tab/rest-api) -First you will need to get your resource key and endpoint: +First you need to get your resource key and endpoint: ++ ### Submit a custom text classification task First you will need to get your resource key and endpoint: # [Client libraries (Azure SDK)](#tab/client-libraries) -First you will need to get your resource key and endpoint: +First you'll need to get your resource key and endpoint: [!INCLUDE [Get keys and endpoint Azure Portal](../includes/get-keys-endpoint-azure.md)] |
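Review bot: the REST API tab is changed to `First you need to get your resource key and endpoint:` but the client-libraries tab in the same file becomes `First you'll need to get your resource key and endpoint:`; pick one form (the sibling pages use `you need`) so the tabs read consistently.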
cognitive-services | Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/language-service/sentiment-opinion-mining/overview.md | Sentiment analysis and opinion mining are features offered by [Azure Cognitive S Both sentiment analysis and opinion mining work with a variety of [written languages](./language-support.md). -* [**Quickstarts**](quickstart.md) are getting-started instructions to guide you through making requests to the service. -* [**How-to guides**](how-to/call-api.md) contain instructions for using the service in more specific or customized ways. - ## Sentiment analysis The sentiment analysis feature provides sentiment labels (such as "negative", "neutral" and "positive") based on the highest confidence score found by the service at a sentence and document-level. This feature also returns confidence scores between 0 and 1 for each document & sentences within it for positive, neutral and negative sentiment. Opinion mining is a feature of sentiment analysis. Also known as aspect-based se [!INCLUDE [development options](./includes/development-options.md)] + ## Responsible AI -An AI system includes not only the technology, but also the people who will use it, the people who will be affected by it, and the environment in which it is deployed. Read the [transparency note for sentiment analysis](/legal/cognitive-services/language-service/transparency-note-sentiment-analysis?context=/azure/cognitive-services/language-service/context/context) to learn about responsible AI use and deployment in your systems. You can also see the following articles for more information: +An AI system includes not only the technology, but also the people who use it, the people who will be affected by it, and the environment in which it's deployed. 
Read the [transparency note for sentiment analysis](/legal/cognitive-services/language-service/transparency-note-sentiment-analysis?context=/azure/cognitive-services/language-service/context/context) to learn about responsible AI use and deployment in your systems. You can also see the following articles for more information: [!INCLUDE [Developer reference](../includes/reference-samples-text-analytics.md)] |
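Review bot: the rewritten sentence mixes tenses: `the people who use it, the people who will be affected by it`; either `who use it ... who are affected by it` or keep both in the future tense.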
cognitive-services | Data Formats | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/language-service/summarization/custom/how-to/data-formats.md | + + Title: Prepare data for custom summarization ++description: Learn about how to select and prepare data, to be successful in creating custom summarization projects. ++++++ Last updated : 06/01/2022+++++# Format data for custom Summarization ++This page contains information about how to select and prepare data in order to be successful in creating custom summarization projects. ++> [!NOTE] +> Throughout this document, we refer to a summary of a document as a ΓÇ£labelΓÇ¥. ++## Custom summarization document sample format ++In the abstractive document summarization scenario, each document (whether it has a provided label or not) is expected to be provided in a plain .txt file. The file contains one or more lines. If multiple lines are provided, each is assumed to be a paragraph of the document. The following is an example document with three paragraphs. ++*At Microsoft, we have been on a quest to advance AI beyond existing techniques, by taking a more holistic, human-centric approach to learning and understanding. As Chief Technology Officer of Azure AI Cognitive Services, I have been working with a team of amazing scientists and engineers to turn this quest into a reality.* ++*In my role, I enjoy a unique perspective in viewing the relationship among three attributes of human cognition: monolingual text (X), audio or visual sensory signals, (Y) and multilingual (Z). At the intersection of all three, thereΓÇÖs magicΓÇöwhat we call XYZ-code as illustrated in Figure 1ΓÇöa joint representation to create more powerful AI that can speak, hear, see, and understand humans better. 
We believe XYZ-code will enable us to fulfill our long-term vision: cross-domain transfer learning, spanning modalities and languages.* ++*The goal is to have pre-trained models that can jointly learn representations to support a broad range of downstream AI tasks, much in the way humans do today. Over the past five years, we have achieved human performance on benchmarks in conversational speech recognition, machine translation, conversational question answering, machine reading comprehension, and image captioning. These five breakthroughs provided us with strong signals toward our more ambitious aspiration to produce a leap in AI capabilities, achieving multi-sensory and multilingual learning that is closer in line with how humans learn and understand. I believe the joint XYZ-code is a foundational component of this aspiration, if grounded with external knowledge sources in the downstream AI tasks.* ++## Custom summarization conversation sample format ++In the abstractive conversation summarization scenario, each conversation (whether it has a provided label or not) is expected to be provided in a plain .txt file. Each conversation turn must be provided in a single line that is formatted as Speaker + ΓÇ£: ΓÇ£ + text (I.e., Speaker and text are separated by a colon followed by a space). The following is an example conversation of three turns between two speakers (Agent and Customer). ++Agent: Hello, how can I help you? ++Customer: How do I upgrade office? I have been getting error messages all day. ++Agent: Please press the upgrade button, then sign in and follow the instructions. +++## Custom summarization document and sample mapping JSON format ++In both document and conversation summarization scenarios, a set of documents and corresponding labels can be provided in a single JSON file that references individual document/conversation and summary files. ++<! 
The JSON file is expected to contain the following fields: ++```json +projectFileVersion": TODO, +"stringIndexType": TODO, +"metadata": { + "projectKind": TODO, + "storageInputContainerName": TODO, + "projectName": a string project name, + "multilingual": TODO, + "description": a string project description, + "language": TODO: +}, +"assets": { + "projectKind": TODO, + "documents": a list of document-label pairs, each is defined with three fields: + [ + { + "summaryLocation": a string path to the summary txt file, + "location": a string path to the document txt file, + "language": TODO + } + ] +} +``` > ++The following is an example mapping file for the abstractive document summarization scenario with three documents and corresponding labels. ++```json +{ + "projectFileVersion": "2022-10-01-preview", + "stringIndexType": "Utf16CodeUnit", + "metadata": { + "projectKind": "CustomAbstractiveSummarization", + "storageInputContainerName": "abstractivesummarization", + "projectName": "sample_custom_summarization", + "multilingual": false, + "description": "Creating a custom summarization model", + "language": "en-us" + } + "assets": { + "projectKind": "CustomAbstractiveSummarization", + "documents": [ + { + "summaryLocation": "doc1_summary.txt", + "location": "doc1.txt", + "language": "en-us" + }, + { + "summaryLocation": "doc2_summary.txt", + "location": "doc2.txt", + "language": "en-us" + }, + { + "summaryLocation": "doc3_summary.txt", + "location": "doc3.txt", + "language": "en-us" + } + ] + } +} +``` ++## Next steps ++[Get started with custom summarization](../../custom/quickstart.md) |
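Review bot: the example mapping file is not valid JSON: the `metadata` object ends with `"language": "en-us" }` and the next line starts `"assets": {` with no comma between them; add the comma or a copy-pasted file will fail to parse. The field-description block above it is still a commented-out draft (extracted here as `<!` ... `> ++`) with `TODO` placeholders and a stray colon in `"language": TODO:`; either finish it or drop it before publishing.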
cognitive-services | Deploy Model | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/language-service/summarization/custom/how-to/deploy-model.md | + + Title: Deploy a custom summarization model ++description: Learn about deploying a model for Custom summarization. ++++++ Last updated : 06/02/2023++++# Deploy a custom summarization model ++Once you're satisfied with how your model performs, it's ready to be deployed and used to summarize text documents. Deploying a model makes it available for use through the [prediction API](https://aka.ms/ct-runtime-swagger). ++<!--## Prerequisites ++* A successfully [created project](create-project.md) with a configured Azure storage account. +* Text data that has [been uploaded](design-schema.md#data-preparation) to your storage account. +* [Labeled data](label-data.md) and a successfully [trained model](train-model.md). +* Reviewed the [model evaluation details](view-model-evaluation.md) to determine how your model is performing. ++For more information, see [project development lifecycle](../overview.md#project-development-lifecycle).--> ++## Deploy model ++After you've reviewed your model's performance and decided it can be used in your environment, you need to assign it to a deployment. Assigning the model to a deployment makes it available for use through the [prediction API](https://aka.ms/ct-runtime-swagger). It is recommended to create a deployment named *production* to which you assign the best model you have built so far and use it in your system. You can create another deployment called *staging* to which you can assign the model you're currently working on to be able to test it. You can have a maximum of 10 deployments in your project. ++ +## Swap deployments ++After you are done testing a model assigned to one deployment and you want to assign this model to another deployment you can swap these two deployments. 
Swapping deployments involves taking the model assigned to the first deployment, and assigning it to the second deployment. Then taking the model assigned to second deployment, and assigning it to the first deployment. You can use this process to swap your *production* and *staging* deployments when you want to take the model assigned to *staging* and assign it to *production*. +++## Delete deployment +++## Assign deployment resources ++You can [deploy your project to multiple regions](../../../concepts/custom-features/multi-region-deployment.md) by assigning different Language resources that exist in different regions. +++## Unassign deployment resources ++When unassigning or removing a deployment resource from a project, you will also delete all the deployments that have been deployed to that resource's region. +++## Next steps ++Check out the [summarization feature overview](../../overview.md). |
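Review bot: the `## Delete deployment` heading has no body at all in this excerpt, and `## Swap deployments`, `## Assign deployment resources` and `## Unassign deployment resources` each carry one or two sentences with no procedure; presumably `[!INCLUDE]` content is meant to follow, so confirm the includes resolve before publishing. The `<!--## Prerequisites ... -->` block should either be finished (its link targets are referenced nowhere else) or removed rather than shipped as a comment.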
cognitive-services | Test Evaluate | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/language-service/summarization/custom/how-to/test-evaluate.md | + + Title: Test and evaluate models in custom summarization ++description: Learn about how to test and evaluate custom summarization models. ++++++ Last updated : 06/01/2022++++# Test and evaluate your custom summarization models ++As you create your custom summarization model, you want to be sure to ensure that you end up with a quality model. You need to test and evaluate your custom summarization model to ensure it performs well. ++## Guidance on split test and training sets ++An important stage of creating a customized summarization model is validating that the created model is satisfactory in terms of quality and generates summaries as expected. That validation process has to be performed with a separate set of examples (called test examples) than the examples used for training. There are three important guidelines we recommend following when splitting the available data into training and testing: ++- **Size**: To establish enough confidence about the model's quality, the test set should be of a reasonable size. Testing the model on just a handful of examples can give misleading outcome evaluation times. We recommend evaluating on hundreds of examples. When a large number of documents/conversations is available, we recommend reserving at least 10% of them for testing. +- **No Overlap**: It's crucial to make sure that the same document isn't used for training and testing at the same time. Testing should be performed on documents that were never used for training at any stage, otherwise the quality of the model will be highly overestimated. +- **Diversity**: The test set should cover as many possible input characteristics as possible. For example, it's always better to include documents of different lengths, topics, styles, .. etc. when applicable. 
Similarly for conversation summarization, it's always a good idea to include conversations of different number of turns and number of speakers. ++## Guidance to evaluate a custom summarization model ++When evaluating a custom model, we recommend using both automatic and manual evaluation together. Automatic evaluation helps quickly judge the quality of summaries produced for the entire test set, hence covering a wide range of input variations. However, automatic evaluation gives an approximation of the quality and isn't enough by itself to establish confidence in the model quality. So, we also recommend inspecting the summaries produced for as many test documents as possible. ++### Automatic evaluation ++Currently, we use a metric called ROUGE (Recall-Oriented Understudy for Gisting Evaluation). This technique includes measures for automatically determining the quality of a summary by comparing it to ideal summaries created by humans. The measures count the number of overlapping units, like n-gram, word sequences, and word pairs between the computer-generated summary being evaluated and the ideal summaries. To learn more about Rouge, see the [ROUGE Wikipedia entry](https://en.wikipedia.org/wiki/ROUGE_(metric)) and the [paper on the ROUGE package](https://aclanthology.org/W04-1013.pdf). ++### Manual evaluation ++When you manually inspect the quality of a summary, there are general qualities of a summary that we recommend checking for besides any desired expectations that the custom model was trained to adhere to such as style, format, or length. The general qualities we recommend checking are: ++- **Fluency**: The summary should have no formatting problems, capitalization errors or ungrammatical sentences. +- **Coherence**: The summary should be well-structured and well-organized. The summary shouldn't just be a heap of related information, but should build from sentence to sentence into a coherent body of information about a topic. 
+- **Coverage**: The summary should cover all important information in the document/conversation. +- **Relevance**: The summary should include only important information from the source document/conversation without redundancies. +- **Hallucinations**: The summary doesn't contain wrong information not supported by the source document/conversation. ++To learn more about summarization evaluation, see the [MIT Press article on SummEval](https://direct.mit.edu/tacl/article/doi/10.1162/tacl_a_00373/100686/SummEval-Re-evaluating-Summarization-Evaluation). |
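Review bot: the Size guideline reads "Testing the model on just a handful of examples can give misleading outcome evaluation times", which is garbled; it should say something like "can give a misleading evaluation outcome". In the same file, "you want to be sure to ensure" is redundant, and the Hallucinations bullet is a double negative ("doesn't contain wrong information not supported by the source") that reads as if unsupported-but-true content were fine; state it as a check: "The summary must not contain information that isn't supported by the source document/conversation." Under No Overlap, consider adding that near-duplicate documents (the same text with minor edits) leak into the test set just as exact duplicates do.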
cognitive-services | Quickstart | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/language-service/summarization/custom/quickstart.md | + + Title: Quickstart - Custom summarization (preview) ++description: Quickly start building an AI model to summarize text. ++++++ Last updated : 05/26/2023++zone_pivot_groups: usage-custom-language-features +++# Quickstart: custom summarization (preview) ++Use this article to get started with creating a custom Summarization project where you can train custom models on top of Summarization. A model is artificial intelligence software that's trained to do a certain task. For this system, the models summarize text and are trained by learning from imported data. ++In this article, we use Language Studio to demonstrate key concepts of custom summarization. As an example weΓÇÖll build a custom summarization model to extract the Facility or treatment location from short discharge notes. ++<! >::: zone pivot="language-studio" > +++<!::: zone-end +++++## Next steps ++* [Summarization overview](../overview.md) |
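Review bot: the zone-pivot markup is broken: `<! >::: zone pivot="language-studio" >` and `<!::: zone-end` are neither valid HTML comments nor valid zone directives, so the body of the quickstart between them is missing and the page renders only the intro and Next steps. Either restore the `::: zone pivot="language-studio"` / `::: zone-end` block with its content, or drop the `zone_pivot_groups: usage-custom-language-features` front matter until the pivot content exists. Also fix the mojibake in "weΓÇÖll" (should be "we'll").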
cognitive-services | Language Support | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/language-service/summarization/language-support.md | Conversation summarization supports the following languages: +## Languages supported by custom summarization ++Custom summarization supports the following languages: ++| Language | Language code | Notes | +|--||| +| English | `en` | | + ## Next steps * [Summarization overview](overview.md) |
cognitive-services | Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/language-service/summarization/overview.md | +Custom Summarization enables users to build custom AI models to summarize unstructured text, such as contracts or novels. By creating a Custom Summarization project, developers can iteratively label data, train, evaluate, and improve model performance before making it available for consumption. The quality of the labeled data greatly impacts model performance. To simplify building and customizing your model, the service offers a custom web portal that can be accessed through the [Language studio](https://aka.ms/languageStudio). You can easily get started with the service by following the steps in this [quickstart](custom/quickstart.md). + # [Document summarization](#tab/document-summarization) This documentation contains the following article types: |
confidential-computing | Confidential Vm Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/confidential-vm-overview.md | Confidential VMs support the following VM sizes: Confidential VMs support the following OS options: - Ubuntu 20.04 LTS - Ubuntu 22.04 LTS+- RHEL 9.2 [Tech Preview](https://techcommunity.microsoft.com/t5/azure-confidential-computing/rhel-9-2-preview-confidential-image-is-now-available-on/ba-p/3823616) - Windows Server 2019 Datacenter - x64 Gen 2 - Windows Server 2019 Datacenter Server Core - x64 Gen 2 - Windows Server 2022 Datacenter - x64 Gen 2 |
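Review bot: the new RHEL 9.2 entry is labelled "Tech Preview" and links a Tech Community blog post rather than product documentation, but the list doesn't say what preview status means for a confidential VM (support commitments, and whether the image has the same guest attestation support as the GA images). Add a sentence on support status next to the entry, and state that the preview image is not intended for production workloads.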
container-apps | Ingress Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-apps/ingress-overview.md | HTTP ingress adds headers to pass metadata about the client request to your cont | `X-Forwarded-Proto` | Protocol used by the client to connect with the Container Apps service. | `http` or `https` | | `X-Forwarded-For` | The IP address of the client that sent the request. | | | `X-Forwarded-Host` | The host name the client used to connect with the Container Apps service. | |+| `X-Forwarded-Client-Cert` | The client certificate if `clientCertificateMode` is set. | Semicolon seperated list of Hash, Cert, and Chain. For example: `Hash=....;Cert="...";Chain="...";` | ### <a name="tcp"></a>TCP |
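Review bot: `X-Forwarded-Client-Cert` is a trust-sensitive header, and the new row doesn't say what ingress does when the client itself sends it: state whether any client-supplied value is stripped or overwritten when `clientCertificateMode` is set, and that the app must only trust the header if it is reachable exclusively through Container Apps ingress. The format column is also too vague to parse against: say whether `Cert` and `Chain` are URL-encoded PEM and which hash algorithm `Hash` uses. Fix the typo "seperated".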
container-instances | Availability Zones | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-instances/availability-zones.md | az deployment group create \ To verify the container group deployed successfully into an availability zone, view the container group details with the [az container show][az-container-show] command: ```azurecli-az containershow --name acilinuxcontainergroup --resource-group myResourceGroup +az container show --name acilinuxcontainergroup --resource-group myResourceGroup ``` ## Next steps |
container-instances | Container Instances Quotas | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-instances/container-instances-quotas.md | - Title: Service quotas and region availability -description: Quotas, limits, and region availability of the Azure Container Instances service. ----- Previously updated : 06/17/2022--# Quotas and limits for Azure Container Instances --All Azure services include certain default limits and quotas for resources and features. This article details the default quotas and limits for Azure Container Instances. --Availability of compute, memory, and storage resources for Azure Container Instances varies by region and operating system. For details, see [Resource availability for Azure Container Instances](container-instances-region-availability.md). --Use the [List Usage](/rest/api/container-instances/2022-09-01/location/list-usage) API to review current quota usage in a region for a subscription. --## Service quotas and limits ---## Next steps --Certain default limits and quotas can be increased. To request an increase of one or more resources that support such an increase, please submit an [Azure support request][azure-support] (select "Quota" for **Issue type**). --<!-- LINKS - External --> -[azure-support]: https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/newsupportrequest |
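Review bot: this deletes container-instances-quotas.md outright; the region-availability page in this same change re-points its link to container-instances-resource-and-quota-limits.md, but external bookmarks and any other in-repo links to the old path will 404 unless a redirect entry is added. Confirm the redirect exists, and that the List Usage API reference (`/rest/api/container-instances/2022-09-01/location/list-usage`) and the quota-increase support-request guidance survived the move to the new page.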
container-instances | Container Instances Region Availability | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-instances/container-instances-region-availability.md | Values presented are the maximum resources available per deployment of a [contai > [!NOTE] > Container groups created within these resource limits are subject to availability within the deployment region. When a region is under heavy load, you may experience a failure when deploying instances. To mitigate such a deployment failure, try deploying instances with lower resource settings, or try your deployment at a later time or in a different region with available resources. -For information about quotas and other limits in your deployments, see [Quotas and limits for Azure Container Instances](container-instances-quotas.md). +For information about quotas and other limits in your deployments, see [Quotas and limits for Azure Container Instances](container-instances-resource-and-quota-limits.md). ## Linux container groups |
container-instances | Container Instances Resource And Quota Limits | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-instances/container-instances-resource-and-quota-limits.md | The following resources are available in all Azure Regions supported by Azure Co | 4 | 16 | 20 | Y | ## GPU Resources (Preview) +> **Warning** +> K80 and P100 GPU SKUs are retiring by August 31st, 2023. This is due to the retirement of the underlying VMs used: [NC Series](https://learn.microsoft.com/azure/virtual-machines/nc-series-retirement) and [NCv2 Series](https://learn.microsoft.com/azure/virtual-machines/ncv2-series-retirement) Although V100 SKUs will be available, it is receommended to use Azure Kubernetes Service instead. GPU resources are not fully supported and should not be used for production workloads. Use the following resources to migrate to AKS today: [How to Migrate to AKS](https://learn.microsoft.com/azure/aks/aks-migration). -> [!IMPORTANT] +> **Note** > Not all limit increase requests are guaranteed to be approved. > Deployments with GPU resources are not supported in an Azure virtual network deployment and are only available on Linux container groups. > Using GPU resources (preview) is not fully supported yet and any support is provided on a best-effort basis. |
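Review bot: the new warning uses raw `> **Warning**` and the existing admonition was changed from `> [!IMPORTANT]` to `> **Note**`; the docs build only renders the `[!WARNING]` / `[!NOTE]` alert syntax as callouts, so use those. Fix "receommended", and prefer relative doc links (`/azure/virtual-machines/nc-series-retirement`) over absolute learn.microsoft.com URLs. Also say explicitly what happens to existing K80/P100 container groups after August 31st, 2023 (deleted, or unable to restart), since the retirement date alone doesn't tell readers whether running workloads are affected.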
container-instances | Container Instances Vnet | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-instances/container-instances-vnet.md | -For networking scenarios and limitations, see [Virtual network scenarios and resources for Azure Container Instances](container-instances-virtual-network-concepts.md). +> [!IMPORTANT] +> Before deploying container groups in virtual networks, we suggest checking the limitation first. For networking scenarios and limitations, see [Virtual network scenarios and resources for Azure Container Instances](container-instances-virtual-network-concepts.md). > [!IMPORTANT] > Container group deployment to a virtual network is generally available for Linux and Windows containers, in most regions where Azure Container Instances is available. For details, see [available-regions][available-regions]. |
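Review bot: "we suggest checking the limitation first" should read "review the limitations first", and that sentence only restates the one that follows it; stacking two `[!IMPORTANT]` blocks back to back also dilutes both. Merge them into one callout: the limitations link first, then the GA statement.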
cosmos-db | Managed Identity Based Authentication | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/managed-identity-based-authentication.md | In this step, you'll assign a role to the function app's system-assigned managed echo $principal ``` -1. Create a new JSON object with the configuration of the new custom role. +1. Create a new JSON file with the configuration of the new custom role. ```json { In this step, you'll assign a role to the function app's system-assigned managed } ``` + > [!TIP] + > You can create a file in the Azure Cloud Shell using either `touch <filename>` or the built-in editor (`code .`). For more information, see [Azure Cloud Shell editor](../cloud-shell/using-cloud-shell-editor.md) + 1. Use [``az cosmosdb sql role definition create``](/cli/azure/cosmosdb/sql/role/definition#az-cosmosdb-sql-role-definition-create) to create a new role definition named ``Read Azure Cosmos DB Metadata`` using the custom JSON object. ```azurecli-interactive |
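Review bot: the step text was changed from "JSON object" to "JSON file", but the next step still says "using the custom JSON object", and the `az cosmosdb sql role definition create` call needs the file path (via `--body @<filename>`); name the file the tip expects so the two steps line up, since `touch <filename>` is a placeholder. Nit: `code .` opens the current folder in the Cloud Shell editor; to create a single file use `code <filename>`.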
cosmos-db | Partial Document Update | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/partial-document-update.md | Partial document update feature improves this experience significantly. The clie - **Performance improvements**: Avoids extra CPU cycles on the client side, reduces end-to-end latency and network bandwidth. - **Multi-region writes**: Supports automatic and transparent conflict resolution with partial updates on discrete paths within the same document. -> [!NOTE] -> *Partial document update* operation is based on the [RFC spec](https://www.rfc-editor.org/rfc/rfc6902#appendix-A.14). To escape a ~ character you need to add 0 or a 1 to the end. +> [!NOTE] +> _Partial document update_ operation is based on the [RFC spec](https://www.rfc-editor.org/rfc/rfc6902#appendix-A.14). To escape a ~ character you need to add 0 or a 1 to the end. An example target JSON document: An example target JSON document: }, "used": false, "categoryId": "road-bikes",- "tags": [ - "r-series" - ] + "tags": ["r-series"] } ``` A JSON Patch document: { "op": "remove", "path": "/used" }, { "op": "set", "path": "/price", "value": 355.45 } { "op": "incr", "path": "/inventory/quantity", "value": 10 },- { "op": "add", "path": "/tags/-", "value": "featured-bikes" } + { "op": "add", "path": "/tags/-", "value": "featured-bikes" }, + { "op": "move", "from": "/color", "path": "/inventory/color" } ] ``` The resulting JSON document: "name": "R-410 Road Bicycle", "price": 355.45, "inventory": {- "quantity": 25 + "quantity": 25, + "color": "silver" }, "categoryId": "road-bikes",- "color": "silver", - "tags": [ - "r-series", - "featured-bikes" - ] + "tags": ["r-series", "featured-bikes"] } ``` The resulting JSON document: This table summarizes the operations supported by this feature. 
-> [!NOTE] -> *target path* refers to a location within the JSON document +> [!NOTE] +> _target path_ refers to a location within the JSON document -| Operation type | Description | -| | | -| **Add** | `Add` performs one of the following, depending on the target path: <br/> • If the target path specifies an element that doesn't exist, it's added. <br/> • If the target path specifies an element that already exists, its value is replaced. <br/> • If the target path is a valid array index, a new element isΓÇ»insertedΓÇ»into the array at the specified index. This shifts existing elements after the new element. <br/> • If the index specified isΓÇ»equalΓÇ»to the length of the array, it appendsΓÇ»an element to the array. Instead of specifying an index, you can also use the `-` character. It also results in the element being appended to the array.<br /> **Note**: Specifying an index greater than the array length results in an error. | -| **Set** | `Set` operation is similar to `Add` except with the Array data type. If the target path is a valid array index, the existing element at that index isΓÇ»updated. | -| **Replace** | `Replace` operation is similar to `Set` except it follows *strict* replace only semantics. In case the target path specifies an element or an array that doesn't exist, it results in an error. | -| **Remove** | `Remove` performs one of the following, depending on the target path: <br/> • If the target path specifies an element that doesn't exist, it results in an error. <br/> • If the target path specifies an element that already exists, it's removed. <br/> • If the target path is an array index, it's deleted and any elements above the specified index are shifted back one position.<br /> **Note**: Specifying an index equal to or greater than the array length would result in an error. | -| **Increment** | This operator increments a field by the specified value. It can accept both positive and negative values. 
If the field doesn't exist, it creates the field and sets it to the specified value. | +| Operation type | Description | +| -- | -- | +| **Add** | `Add` performs one of the following, depending on the target path: <br/> • If the target path specifies an element that doesn't exist, it's added. <br/> • If the target path specifies an element that already exists, its value is replaced. <br/> • If the target path is a valid array index, a new element isΓÇ»insertedΓÇ»into the array at the specified index. This shifts existing elements after the new element. <br/> • If the index specified isΓÇ»equalΓÇ»to the length of the array, it appendsΓÇ»an element to the array. Instead of specifying an index, you can also use the `-` character. It also results in the element being appended to the array.<br /> **Note**: Specifying an index greater than the array length results in an error. | +| **Set** | `Set` operation is similar to `Add` except with the Array data type. If the target path is a valid array index, the existing element at that index isΓÇ»updated. | +| **Replace** | `Replace` operation is similar to `Set` except it follows _strict_ replace only semantics. In case the target path specifies an element or an array that doesn't exist, it results in an error. | +| **Remove** | `Remove` performs one of the following, depending on the target path: <br/> • If the target path specifies an element that doesn't exist, it results in an error. <br/> • If the target path specifies an element that already exists, it's removed. <br/> • If the target path is an array index, it's deleted and any elements above the specified index are shifted back one position.<br /> **Note**: Specifying an index equal to or greater than the array length would result in an error. | +| **Increment** | This operator increments a field by the specified value. It can accept both positive and negative values. If the field doesn't exist, it creates the field and sets it to the specified value. 
| +| **Move** | This operator removes the value at a specified location and adds it to the target location. The operation object MUST contain a "from" member, which is a string containing a JSON Pointer value that references the location in the target document to move the value from. The "from" location MUST exist for the operation to be successful.If the "path" location suggests an object that does not exist, it will create the object and set the value equal to the value at "from" location<br/> •If the "path" location suggests an object that already exists, it will replace the value at "path" location with the value at "from" location<br/> •"Path" attribute cannot be a JSON child of the "from" JSON location<br /> | ## Supported modes Let's compare the similarities and differences between the supported modes. `Set` operation adds a property if it doesn't already exist (except if there was an `Array`). `Replace` operation fails if the property doesn't exist (applies to `Array` data type as well). -> [!NOTE] +> [!NOTE] > `Replace` is a good candidate where the user expects some of the properties to be always present and allows you to assert/enforce that. ## REST API reference for Partial document update |
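Review bot: the new Move row has run-together text ("successful.If the", "•If", "•\"Path\"") and mixed quoting; its bullets should follow the same `<br/> •` pattern as the Add and Remove rows. Two things to confirm against the service before merging: the row says a `path` that "suggests an object that does not exist" is created, but RFC 6902 defines move as remove-then-add and requires the parent container to exist, so clarify whether this means the member or its parent and, if the parent is created, document it as a Cosmos DB extension; and the last constraint should be stated the RFC way, that `path` must not be a proper child of `from`. Drive-by in the untouched patch example: the `set` line is missing its trailing comma before the `incr` line, so the sample isn't valid JSON.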
cosmos-db | Concepts Multi Tenant Monitoring | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/postgresql/concepts-multi-tenant-monitoring.md | + + Title: Multi-tenant monitoring - Azure Cosmos DB for PostgreSQL +description: Review multi-tenant metrics on Azure Cosmos DB for PostgreSQL +++++ Last updated : 06/05/2023+++# Multi-tenant monitoring +++> [!IMPORTANT] +> Applicable to Citus 11.3 & newer versions ++Tenant monitoring is a crucial aspect of managing a multi-tenant SaaS platform. The feature offers insights into CPU usage and the overall query volume, attributed to specific tenants. Tracking of statistics is done locally on nodes where tenant resides and are made accessible at both tenant and node level of granularity. The collected statistics allows in quick identification of noisy neighbors & helps in better optimizing the resource usage in your cluster. ++## Conceptual model ++Azure Cosmos DB for PostgreSQL uses row-based sharding at core, which means that each distributed table contains a distributed column - denoted as tenant key. Tenant key enables splitting data across shards, where each shard contains one or more tenants. Shards themselves are distributed among the nodes in the cluster, enabling horizontal scaling of your database. +++The CPU time is measured in seconds, consumed by tenant, across all available cores on a node in a cluster. Total CPU time available on cluster, can be estimated as: `number_of_vcores * citus.stat_tenants_period * number_of_nodes`. ++## Node parameters ++### citus.stat_tenants_log_level (text) +Controls which message levels are written to the server log. Valid values are `DEBUG5`, `DEBUG4`, `DEBUG3`, `DEBUG2`, `DEBUG1`, `DEBUG`, `LOG`, `INFO`, `NOTICE`, `WARNING`, `ERROR`. Default is `LOG`. ++### citus.stat_tenants_limit (int) +Controls the number of tenants (top `N`) tracked within a single time window. Default is `100`. 
++### citus.stat_tenants_period (int) +Controls the time window (in seconds) to which tenant statistics are allocated. Default is `60 * 60 * 24` seconds. ++### citus.stat_tenants_track (boolean) +Enables or disables the tracking of tenant statistics. Default is `None`. Modification to the node parameter requires a restart. ++## Statistics views ++### pg_catalog.citus_stat_tenants ++The `citus_stat_tenants` view tracks these statistics within time buckets. Once a period ends, its statistics are stored in the last period, providing you with ongoing and completed period insights. Metrics currently tracked within the view include read query count, overall query count & CPU cycle consumed at the node, colocation group & tenant granularity. ++| ColumnName | Type | Description | +|--|-|| +| nodeid | INTEGER | Autogenerated identifier for an individual node. | +| colocation_id | INTEGER | [Colocation group](concepts-colocation.md) to which this table belongs. | +| tenant_attribute | TEXT | The distribution column\shard key. | +| read_count_in_this_period | INTEGER | SELECT queries in current citus.stat_tenants_period. | +| read_count_in_last_period | INTEGER | SELECT queries in completed citus.stat_tenants_period. | +| query_count_in_this_period | INTEGER | SELECT, INSERT, UPDATE and DELETE queries in current citus.stat_tenants_period. | +| query_count_in_last_period | INTEGER | SELECT, INSERT, UPDATE and DELETE queries in completed citus.stat_tenants_period. | +| cpu_usage_in_this_period | DOUBLE PRECISION | Seconds of CPU time consumed in current period. | +| cpu_usage_in_last_period | DOUBLE PRECISION | Seconds of CPU time consumed in completed period. | ++> [!Note] +> Privileges (`execute`,`select`) on view is granted to the role `pg_monitor`. +> +> Tracking tenant level statistics adds an overhead, and `by default is disabled`. ++### pg_catalog.citus_stat_tenants_reset() +The function resets the collected metrics within citus_stat_tenants view. 
++## Operations tracked ++In a multi-tenant environment, each tenant typically has access to their own dataset, and as a result, queries are filtered based on tenant keys. Any query in such systems, which operates across tenants gets initiated by the system administrator and aren't traced back to individual tenants. For example, to generate a report that includes aggregated data from all tenants - cross-tenant query is needed which can't be attributed to a specific tenant. ++```postgresql +CREATE TABLE organizations (id BIGSERIAL PRIMARY KEY, name TEXT); ++SELECT create_distributed_table ('organizations', 'id'); ++INSERT INTO organizations (name) VALUES ('Teleflora'); -- tracked +INSERT INTO organizations (name) VALUES ('BloomThat'); -- tracked +INSERT INTO organizations (name) VALUES ('UrbanStems');-- tracked ++SELECT COUNT(*) FROM organizations where id = 1; -- tracked +``` +```text + count +- + 1 +(1 row) +``` +```postgresql +SELECT COUNT(*) FROM organizations where id IN (1,2); -- untracked +``` +```text + count +- + 1 +(1 row) +``` +```postgresql +UPDATE organizations SET name = 'Bloomers' WHERE id = 2; -- tracked +``` +```text +UPDATE 1 +``` +```postgresql +DELETE FROM organizations WHERE id = 3; -- tracked +``` +```text +DELETE 1 +``` ++```postgresql +SELECT tenant_attribute, + read_count_in_this_period, + query_count_in_this_period, + cpu_usage_in_this_period +FROM citus_stat_tenants; +``` +```text + tenant_attribute | read_count_in_this_period | query_count_in_this_period | cpu_usage_in_this_period +++-+--+ 1 | 2 | 3 | 0 + 2 | 0 | 2 | 0 + 3 | 0 | 2 | 0 +(3 rows) +``` ++> [!Note] +> Both `COPY` & `\COPY` command isn't tracked with the feature. ++## Next steps +Learn more about modeling multi-tenant schema and reviewing statistics. 
+> [!div class="nextstepaction"] +> [How to review tenants stats in Multi-Tenant schema](howto-monitor-tenant-stats.md) ++>[!div class="nextstepaction"] +> [Model schema for Multi_tenant application](quickstart-build-scalable-apps-model-multi-tenant.md) |
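Review bot: `citus.stat_tenants_track` is documented as `(boolean)` with default `None`, but the companion how-to in this change enables it with `citus.stat_tenants_track = 'all'`, so it is an enum (none/all), not a boolean; fix the type and default, and say what the restart requirement means for a running cluster. The `citus.stat_tenants_period` default here is `60 * 60 * 24` seconds while the how-to says 60 seconds; reconcile the two. The sample output is also inconsistent with the narrated commands: `SELECT COUNT(*) FROM organizations where id IN (1,2)` returns `1` after both rows were inserted, and tenant 1 shows `2 | 3` for read/query counts although only one INSERT and one tracked SELECT target it. Since `citus.stat_tenants_log_level` defaults to `LOG`, say what is written at that level (if tenant attribute values land in the server log, that is a data-exposure consideration for regulated tenants), and make explicit that `pg_monitor` membership is the gate on reading per-tenant CPU and query counts.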
cosmos-db | Howto Monitor Tenant Stats | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/postgresql/howto-monitor-tenant-stats.md | + + Title: Monitor statistics with multi-tenant monitoring on Azure Cosmos DB for PostgreSQL +description: how to monitor multi-tenant stats on Azure Cosmos DB for PostgreSQL +++++ Last updated : 06/05/2023+++# How to review tenant statistics using multi-tenant monitoring in Azure Cosmos DB for PostgreSQL +++> [!IMPORTANT] +> Applicable to Citus 11.3 & newer versions ++This article shows how to gain insights into resource usage by tenants, by using the `citus_stat_tenants` view. The view tracks listed metrics for tenants ++* Count of read queries (SELECT queries). +* Count of total queries (SELECT, INSERT, DELETE, and UPDATE queries). +* Total CPU usage in seconds. ++You'll learn how to use the `citus_stat_tenants` view for making informed decisions and how to configure the feature to best fit your application. ++> [!Note] +> * Privileges (`execute`, `select`) on view is granted to the role `pg_monitor`. ++## Monitor your top tenants with citus_stat_tenants ++You can control the number of tenants tracked with the `citus.stat_tenants_limit` parameter. Additionally using `citus.stat_tenants_period`, you can define the time bucket of monitoring. Once a period ends, its statistics are stored in the last period, providing you with the ongoing and last completed period of measurement. ++> [!Note] +> * Default for citus.stat_tenants_period is `60 seconds`. +> +> * Default for citus.stat_tenants_limit is `100`. ++Learn more by reviewing a sample multi-tenant application, which helps companies run their ad-campaigns. 
++```postgresql +CREATE TABLE companies (company_id BIGSERIAL PRIMARY KEY, name TEXT); +SELECT create_distributed_table ('companies', 'company_id'); ++CREATE TABLE campaigns (id BIGSERIAL, company_id BIGINT, name TEXT, PRIMARY KEY (id, company_id)); +SELECT create_distributed_table ('campaigns', 'company_id'); +``` ++`companies` & `campaigns` tables both are sharded on a common tenant key `company_id`. You can now add companies and the ad campaigns data using commands: ++```postgresql +INSERT INTO companies (company_id, name) VALUES (1, 'GigaMarket'); +INSERT INTO campaigns (id, company_id, name) VALUES (1, 1, 'Crazy Wednesday'), (2, 1, 'Frozen Food Frenzy'); +INSERT INTO campaigns (id, company_id, name) VALUES (3, 1, 'Spring Cleaning'), (4, 1, 'Bread&Butter'); +INSERT INTO campaigns (id, company_id, name) VALUES (5, 1, 'Personal Care Refresh'), (6, 1, 'Lazy Lunch'); ++INSERT INTO companies (company_id, name) VALUES (2, 'White Bouquet Flowers'); +INSERT INTO campaigns (id, company_id, name) VALUES (7, 2, 'Bonjour Begonia'), (8, 2, 'April Selection'), (9, 2, 'May Selection'); ++INSERT INTO companies (company_id, name) VALUES (3, 'Smart Pants Co.'); +INSERT INTO campaigns (id, company_id, name) VALUES (10, 3, 'Short Shorts'), (11, 3, 'Tailors Cut'); +INSERT INTO campaigns (id, company_id, name) VALUES (12, 3, 'Smarter Casual'); +``` ++Let's run a few more `SELECT` and `UPDATE` queries and see the changes to the `citus_stat_tenants` view upon executing individual command. 
++```postgresql +SELECT COUNT(*) FROM campaigns WHERE company_id = 1; +``` +```text +count +- + 6 +(1 row) +``` +```postgresql +SELECT name FROM campaigns WHERE company_id = 2 AND name LIKE '%Selection'; +``` +```text + name +-- + April Selection + May Selection +(2 rows) +``` +```postgresql +UPDATE campaigns SET name = 'Tailor''s Cut' WHERE company_id = 3 AND name = 'Tailors Cut'; +``` ++```postgresql +SELECT tenant_attribute, + read_count_in_this_period, + query_count_in_this_period, + cpu_usage_in_this_period +FROM citus_stat_tenants; +``` ++Let's now review the resultset captured in the `citus_stat_tenants` view. For tenant_attribute `1`, during this ongoing period, there were 5 queries executed, resulting in a relatively low CPU usage of 0.000299. Additionally, there was 1 read count recorded. We observed queries in last 60 seconds for the 3 tenants, which appear in resultset. Ordering of Top N tenants depends on `query_count_in_this_period` field. ++```text +tenant_attribute | read_count_in_this_period | query_count_in_this_period | cpu_usage_in_this_period +++-+--+ 1 | 1 | 5 | 0.000299 + 3 | 0 | 3 | 0.000314 + 2 | 2 | 4 | 0.000295 +(3 rows) +``` ++> [!Important] +> * Tracking tenant level statistics adds an overhead, and `by default is disabled`. +> +> * set citus.stat_tenants_track = 'all' to enable tracking. ++## Next steps +Learn about the concepts related to multi-tenant monitoring and rebalancing active tenants. +> [!div class="nextstepaction"] +> [Multi-tenant monitoring](concepts-multi-tenant-monitoring.md) ++> [!div class="nextstepaction"] +> [Zero-Downtime rebalancing](howto-scale-rebalance.md) |
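Review bot: the walkthrough's numbers don't match the commands shown. Tenant 2 gets two INSERTs and one SELECT (expected read 1 / query 3) but the table shows `2 | 4`; tenant 3 gets three INSERTs and one UPDATE (expected query 4) but shows `0 | 3`; and the text says rows are ordered by `query_count_in_this_period` while the output is 1 (5), 3 (3), 2 (4). Re-capture the output from a fresh session or adjust the prose. Also: the default period stated here (60 seconds) conflicts with `60 * 60 * 24` in concepts-multi-tenant-monitoring.md; the Important callout says to set `citus.stat_tenants_track = 'all'` but the concepts page says that parameter needs a restart, which a how-to should state up front; and since privileges on the view are granted to `pg_monitor`, show the role grant before the first `SELECT ... FROM citus_stat_tenants` so readers don't hit a permission error.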
cosmos-db | Synapse Link | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/synapse-link.md | The following image shows the Azure Synapse Link integration with Azure Cosmos D :::image type="content" source="./media/synapse-link/synapse-analytics-cosmos-db-architecture.png" alt-text="Architecture diagram for Azure Synapse Analytics integration with Azure Cosmos DB" border="false"::: ## <a id="synapse-link-benefits"></a> Benefits+To analyze large operational datasets while minimizing any effects on the performance of mission-critical transactional workloads, Azure Cosmos DB customers traditionally export the operational data. These operations are performed by Extract-Transform-Load (ETL) pipelines, which require many layers of data and jobs management, resulting in operational complexity and performance effects on your transactional workloads. It also increases the latency to analyze the operational data from the time of origin. -To analyze large operational datasets while minimizing any effects on the performance of mission-critical transactional workloads, traditionally Azure Cosmos DB extracts and processes the operational data. These operations are performed by using Extract-Transform-Load (ETL) pipelines. ETL pipelines require many layers of data movement resulting in much operational complexity, and performance effects on your transactional workloads. It also increases the latency to analyze the operational data from the time of origin. +When compared to traditional ETL-based solutions, Azure Synapse Link for Azure Cosmos DB offers several advantages such as: -When compared to the traditional ETL-based solutions, Azure Synapse Link for Azure Cosmos DB offers several advantages such as: +### Reduced complexity with no ETL jobs to manage -### Reduced complexity with No ETL jobs to manage --Azure Synapse Link allows you to directly access Azure Cosmos DB analytical store using Azure Synapse Analytics without complex data movement. 
Any updates made to the operational data are visible in the analytical store in near real-time with no ETL or change feed jobs. You can run large-scale analytics against analytical store, from Azure Synapse Analytics, without extra data transformation. +Azure Synapse Link allows you to directly access Azure Cosmos DB analytical store using Azure Synapse Analytics without complex data movement. Any updates made to the operational data are visible in the analytical store in near real-time with no ETL or change feed jobs. You can run large-scale analytics against analytical store, from Azure Synapse Analytics, without extra data transformation. ### Near real-time insights into your operational data You can run analytical queries effectively against the nearest regional copy of ## Enable HTAP scenarios for your operational data -Azure Synapse Link brings together Azure Cosmos DB analytical store with Azure Synapse Analytics runtime support. This integration enables you to build cloud native HTAP (Hybrid transactional/analytical processing) solutions that generate insights based on real-time updates to your operational data over large datasets. It unlocks new business scenarios to raise alerts based on live trends, build near real-time dashboards, and business experiences based on user behavior. +Azure Synapse Link brings together Azure Cosmos DB analytical store with Azure Synapse Analytics runtime support. This integration enables you to build cloud native HTAP solutions that generate insights based on real-time updates to your operational data over large datasets. It unlocks new business scenarios to raise alerts based on live trends, build near real-time dashboards, and business experiences based on user behavior. ### Azure Cosmos DB analytical store For more information on Azure Synapse Analytics runtime support for Azure Cosmos ## When to use Azure Synapse Link for Azure Cosmos DB? 
-Azure Synapse Link is recommended in the following cases: --* If you're an Azure Cosmos DB customer and you want to run analytics, BI, and machine learning over your operational data. In such cases, Azure Synapse Link provides a more integrated analytics experience without impacting your transactional storeΓÇÖs provisioned throughput. For example: +Azure Synapse Link is recommended if you're an Azure Cosmos DB customer and you want to run analytics, BI, and machine learning over your operational data. For example: - * If you're running analytics or BI on your Azure Cosmos DB operational data directly using separate connectors today, or +* If you're running analytics or BI on your Azure Cosmos DB operational data directly using separate connectors today, or - * If you're running ETL processes to extract operational data into a separate analytics system. +* If you're running ETL processes to extract operational data into a separate analytics system. In such cases, Azure Synapse Link provides a more integrated analytics experience without impacting your transactional storeΓÇÖs provisioned throughput. Azure Synapse Link isn't recommended if you're looking for traditional data ware ## Limitations -* Azure Synapse Link for Azure Cosmos DB isn't supported for Cassandra, and Table APIs. It's supported for API for NoSQL and MongoDB. And it is in preview for Gremlin API. +* Azure Synapse Link for Azure Cosmos DB is supported for NoSQL and MongoDB APIs. It is not supported for Cassandra or Table APIs and remains in preview for Gremlin API. * Accessing the Azure Cosmos DB analytics store with Azure Synapse Dedicated SQL Pool currently isn't supported. |
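Review bot: In the "When to use" hunk the sentence "In such cases, Azure Synapse Link provides a more integrated analytics experience without impacting your transactional store's provisioned throughput" now trails the second promoted bullet as its own paragraph, so it reads as applying only to the ETL case; put it on its own line directly after the list, or keep the two cases nested under the recommendation sentence as they were. The curly apostrophe in "store's" (shown here as ΓÇÖ) is carried over from the removed line while the rest of the section uses straight apostrophes ("isn't", "you're"); a straight apostrophe keeps the file consistent.

Review bot: In the Limitations hunk, "It is not supported" breaks the contraction style used on the very next bullet ("currently isn't supported"); "It isn't supported for Cassandra or Table APIs, and it's still in preview for Gremlin API" matches the surrounding text.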
cost-management-billing | Understand Cost Mgt Data | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/costs/understand-cost-mgt-data.md | If you don't see a specific tag in Cost Management, consider the following quest - Was the tag applied directly to the resource? - Was the tag applied more than 24 hours ago?-- Does the resource type support tags? The following resource types don't support tags in usage data as of December 1, 2019. See [Tags support for Azure resources](../../azure-resource-manager/management/tag-support.md) for the full list of what is supported.- - Azure Active Directory B2C Directories - - Azure Bastion - - Azure Firewalls - - Azure NetApp Files - - Data Factory - - Databricks - - Load balancers - - Machine Learning workspace Compute instances - - Network Watcher - - Notification Hubs - - Service Bus - - Time Series Insights +- Does the resource type support tags? Some resource types don't support tags in usage data. See [Tags support for Azure resources](../../azure-resource-manager/management/tag-support.md) for the full list of what is supported. Here are a few tips for working with tags: |
data-factory | Connector Amazon Simple Storage Service | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/connector-amazon-simple-storage-service.md | This Amazon S3 connector is supported for the following capabilities: | Supported capabilities|IR | || --| |[Copy activity](copy-activity-overview.md) (source/-)|① ②|-|[Mapping data flow](concepts-data-flow-overview.md) (source/-)|① | +|[Mapping data flow](concepts-data-flow-overview.md) (source/sink)|① | |[Lookup activity](control-flow-lookup-activity.md)|① ②| |[GetMetadata activity](control-flow-get-metadata-activity.md)|① ②| |[Delete activity](delete-activity.md)|① ②| |
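Review bot: The capabilities table now advertises sink support for mapping data flow ("source/sink"), but this is a table-only change; the article's mapping data flow properties section needs a matching sink-settings subsection, otherwise readers are told a sink exists and find no configuration for it. Confirm the sink documentation lands in the same PR or that it already exists further down the article.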
data-factory | Connector Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/connector-overview.md | |
ddos-protection | Ddos Response Strategy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/ddos-response-strategy.md | Azure DDoS Protection identifies and mitigates DDoS attacks without any user int ### When to contact Microsoft support -Azure DDoS Protection customers have access to the DDoS Rapid Response (DRR) team, who can help with attack investigation during an attack as well as post-attack analysis. See [DDoS Rapid Response](ddos-rapid-response.md) for more details, including when you should engage the DRR team. +Azure DDoS Network Protection customers have access to the DDoS Rapid Response (DRR) team, who can help with attack investigation during an attack as well as post-attack analysis. For more details, including when you should engage the DRR team, see [DDoS Rapid Response](ddos-rapid-response.md). Azure DDoS IP Protection customers should create a request to connect with Microsoft support. To learn more, see [Create a support request](../azure-portal/supportability/how-to-create-azure-support-request.md). ## Post-attack steps If you suspect you're under a DDoS attack, escalate through your normal Azure Su ## Next steps - Learn how to [configure metric alerts through portal](alerts.md).-- Learn how to [engage DDoS Rapid Response](ddos-rapid-response.md).+- Learn how to [engage DDoS Rapid Response](ddos-rapid-response.md). |
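Review bot: The replacement paragraph scopes DRR access to "Azure DDoS Network Protection customers" and sends IP Protection customers to a support request, but the section's opening line ("Azure DDoS Protection identifies and mitigates DDoS attacks without any user int…") and the later "escalate through your normal Azure Support channels" sentence still use the unqualified product name; make the SKU split explicit there too so readers of either tier know which escalation path applies. In the Next steps hunk the removed and re-added "engage DDoS Rapid Response" lines are identical, which looks like a trailing-newline fix and is fine.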
defender-for-cloud | Concept Agentless Containers | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/concept-agentless-containers.md | Title: Agentless Container Posture for Microsoft Defender for Cloud description: Learn how Agentless Container Posture offers discovery, visibility, and vulnerability assessment for Containers without installing an agent on your machines. Previously updated : 05/16/2023- Last updated : 05/30/2023+ # Agentless Container Posture (Preview) |
defender-for-cloud | Concept Data Security Posture Prepare | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/concept-data-security-posture-prepare.md | The table summarizes support for data-aware posture management. What Azure data resources can I discover? | [Block blob](../storage/blobs/storage-blobs-introduction.md) storage accounts in Azure Storage v1/v2<br/><br/> Azure Data Lake Storage Gen2<br/><br/>Storage accounts behind private networks are supported.<br/><br/> Storage accounts encrypted with a customer-managed server-side key are supported.<br/><br/> Accounts aren't supported if any of these settings are enabled: [Public network access is disabled](../storage/common/storage-network-security.md#change-the-default-network-access-rule); Storage account is defined as [Azure DNS Zone](https://techcommunity.microsoft.com/t5/azure-storage-blog/public-preview-create-additional-5000-azure-storage-accounts/ba-p/3465466); The storage account endpoint has a [custom domain mapped to it](../storage/blobs/storage-custom-domain-name.md). What AWS data resources can I discover? | AWS S3 buckets<br/><br/> Defender for Cloud can discover KMS-encrypted data, but not data encrypted with a customer-managed key. What permissions do I need for discovery? | Storage account: Subscription Owner<br/> **or**<br/> Microsoft.Authorization/roleAssignments/* (read, write, delete) **and** Microsoft.Security/pricings/* (read, write, delete) **and** Microsoft.Security/pricings/SecurityOperators (read, write)<br/><br/> Amazon S3 buckets: AWS account permission to run Cloud Formation (to create a role).-What file types are supported for sensitive data discovery? | Supported file types (you can't select a subset) - .doc, .docm, .docx, .dot, .odp, .ods, .odt, .pdf, .pot, .pps, .ppsx, .ppt, .pptm, .pptx, .xlc, .xls, .xlsb, .xlsm, .xlsx, .xlt, .csv, .json, .psv, .ssv, .tsv, .txt., xml, .parquet, .avro, .orc. 
+What file types are supported for sensitive data discovery? | Supported file types (you can't select a subset) - .doc, .docm, .docx, .dot, .gz, .odp, .ods, .odt, .pdf, .pot, .pps, .ppsx, .ppt, .pptm, .pptx, .xlc, .xls, .xlsb, .xlsm, .xlsx, .xlt, .csv, .json, .psv, .ssv, .tsv, .txt., xml, .parquet, .avro, .orc. What Azure regions are supported? | You can discover Azure storage accounts in:<br/><br/> Australia Central; Australia Central 2; Australia East; Australia Southeast; Brazil South; Canada Central; Canada East; Central India; Central US; East Asia; East US; East US 2; France Central; Germany West Central; Japan East; Japan West: Jio India West: North Central US; North Europe; Norway East; South Africa North: South Central US; South India; Sweden Central; Switzerland North; UAE North; UK South; UK West: West Central US; West Europe; West US, West US3.<br/><br/> Discovery is done locally in the region. What AWS regions are supported? | Asia Pacific (Mumbai); Asia Pacific (Singapore); Asia Pacific (Sydney); Asia Pacific (Tokyo); Canada (Central); Europe (Frankfurt); Europe (Ireland); Europe (London); Europe (Paris); South America (São Paulo); US East (Ohio); US East (N. Virginia); US West (N. California): US West (Oregon).<br/><br/> Discovery is done locally in the region. Do I need to install an agent? | No, discovery is agentless. |
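Review bot: The new file-type line keeps the existing typo ".txt., xml" (stray period after .txt, missing period before xml); since the line is being touched to add .gz, fix it to ".txt, .xml" in the same change. The adjacent region lists also mix ";" and ":" as separators ("Japan West: Jio India West:", "South Africa North:", "UK West:", "US West (N. California):"), which is worth a drive-by fix while this row is open.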
defender-for-cloud | Create Custom Recommendations | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/create-custom-recommendations.md | You can use the following links to learn more about Kusto queries: - [KQL Quick Reference](/azure/data-explorer/kql-quick-reference) - [Kusto Query Language (KQL) overview](/azure/data-explorer/kusto/query/)-- [Must Learn KQL Part 1: Tools and Resources](https://azurecloudai.blog/2021/11/17/must-learn-kql-part-1-tools-and-resources/) +- [Must Learn KQL Part 1: Tools and Resources](https://rodtrent.substack.com/p/must-learn-kql-part-1-tools-and-resources) - [What are security policies, initiatives, and recommendations?](security-policy-concept.md) |
defender-for-cloud | Defender For Sql Scan Results | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/defender-for-sql-scan-results.md | + + Title: How to consume and export scan results +description: Learn how to consume and export Defender for SQL's scan results. ++ Last updated : 06/04/2023+++# How to consume and export scan results ++Defender for SQL's Vulnerability Assessment (VA) ability scans your databases on a weekly basis and produces reports on any misconfigurations that are identified. ++All findings are stored in Azure Resource Graph (ARG) which is also the source for most of the Defender for SQL UI experience. When findings are written to ARG, they're also enriched with other Microsoft Defender for Cloud settings such as disabled rules or exempt recommendations so that consuming the data from ARG represents the effective status of all findings and recommendations. ++This article describes several ways to consume and export your scan results. ++## Query and export findings in ARG with Defender for Cloud ++**To query and export your findings with ARG with Defender for Cloud**: ++1. Sign in to the [Azure portal](https://portal.azure.com). ++1. Navigate to **Microsoft Defender for Cloud** > **Recommendations**. ++1. Search for and select either: ++ - For Azure SQL databases - `SQL databases should have vulnerability findings resolved`. + + - For SQL on machines - `SQL servers on machines should have vulnerability findings resolved`. ++1. Select **Open Query**. ++1. Select either ++ - **Query returning affected resources** - Returns a list of the resources that are currently affected (recommendation status per resource). + - **Query returning security findings** - Returns a list of all security findings (findings and subassessments aggregated per applicable resources). ++1. Select **Run query**. ++1. Select **Download a CSV**, to export your results to a CSV file. 
++These queries are editable and can be customized to a specific resource, set of findings, findings status or more. ++## Query and export findings in ARG ++**To query and export your findings with ARG**: ++1. Sign in to the [Azure portal](https://portal.azure.com). ++1. Navigate to **Resource Graph Explorer**. ++1. Edit and enter the following query: ++ ```bash + securityresources + | where type =~ "microsoft.security/assessments/subassessments" + | extend assessmentKey=extract(@"(?i)providers/Microsoft.Security/assessments/([^/]*)", 1, id), subAssessmentId=tostring(properties.id), parentResourceId= extract("(.+)/providers/Microsoft.Security", 1, id) + | extend resourceIdTemp = iff(properties.resourceDetails.id != "", properties.resourceDetails.id, extract("(.+)/providers/Microsoft.Security", 1, id)) + | extend resourceId = iff(properties.resourceDetails.source =~ "OnPremiseSql", strcat(resourceIdTemp, "/servers/", properties.resourceDetails.serverName, "/databases/" , properties.resourceDetails.databaseName), resourceIdTemp) + | where resourceId =~ "/subscriptions/resourcegroups/rgname/providers/microsoft.sql/servers/servername/databases/dbname" + | where assessmentKey =~ "82e20e14-edc5-4373-bfc4-f13121257c37" + | project resourceId, + assessmentKey, + subAssessmentId, + name=properties.displayName, + description=properties.description, + severity=properties.status.severity, + status=properties.status.code, + cause=properties.status.cause, + category=properties.category, + impact=properties.impact, + remediation=properties.remediation, + benchmarks=properties.additionalData.benchmarks + ``` ++1. Select **Run query**. ++1. Select **Download a CSV**, to export your results to a CSV file. ++ :::image type="content" source="media/defender-for-sql-scan-results/run-and-download.png" alt-text="Screenshot that shows you where the run query button and the download as csv button are located." 
lightbox="media/defender-for-sql-scan-results/run-and-download.png"::: ++This query is editable and can be customized to a specific resource, set of findings, findings status or more. ++## Open a Query from your SQL database ++**To open a query from your SQL database**: ++1. Sign in to the [Azure portal](https://portal.azure.com). ++1. Navigate to `Your SQL database` > **Microsoft Defender for Cloud**. ++1. Select **Open Query**. ++ :::image type="content" source="media/defender-for-sql-scan-results/open-query.png" alt-text="Screenshot that shows where the open query button is located." lightbox="media/defender-for-sql-scan-results/open-query.png"::: ++1. Select **Run query**. ++1. Select **Download a CSV**, to export your results to a CSV file. ++ :::image type="content" source="media/defender-for-sql-scan-results/run-and-download.png" alt-text="Screenshot that shows you where the run query button and the download as csv button are located." lightbox="media/defender-for-sql-scan-results/run-and-download.png"::: ++This query is editable and can be customized to a specific resource, set of findings, findings status or more. ++## Automate email notifications with LogicApps ++Azure Logic Apps is a low-code or no-code cloud-based service that provides you with a way to automate workflows and integrate data and services across different systems, both in the cloud and on-premises. You can use Logic App to automate the reports of your vulnerability assessment findings across all supported versions of SQL, to send a weekly vulnerability report summary for any servers that were scanned. You can customize Logic App to run on different schedules such as daily, weekly, monthly or more. You can also customize Logic App to report on different scopes such as per database, server, resource group or more. 
++You can use [these instructions](https://github.com/Azure/Microsoft-Defender-for-Cloud/tree/main/Workflow%20automation/Notify-SQLVulnerabilityReport), to learn how to use Logic Apps to automate email notifications using an example template. ++This example Logic App template automates a weekly email report that summarizes the vulnerability scan results for every database from a selected list of servers. After you deploy the template, you must authorize the Office 365 connector to generate a valid access token to authenticate your credentials. ++The recipients will then receive emails with the findings of the scan results. ++Sample email Azure SQL server: +++Sample email SQL VM: +++## Other options ++You can use [workflow automations](workflow-automation.md) to trigger actions based on changes to the recommendation's status. ++You can also use the [Vulnerability Assessments workbook](defender-for-sql-on-machines-vulnerability-assessment.md#view-vulnerabilities-in-graphical-interactive-reports) to view an interactive report of your findings. The data from the workbook can be exported, and a copy of the workbook can be customized and stored. Learn how to [create rich, interactive reports of Defender for Cloud data](custom-dashboards-azure-workbooks.md) ++You can also enable [Continuous export](continuous-export.md) to stream alerts and recommendations as they're generated or to define a schedule to send periodic snapshots of all of the new data. ++## Next steps ++[Enable Microsoft Defender for SQL servers on machines](defender-for-sql-usage.md) |
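Review bot: The query block in "Query and export findings in ARG" is fenced as ```bash but contains a Kusto query; tag it ```kusto so it highlights correctly and does not suggest it runs in a shell.

Review bot: The sample filter `| where resourceId =~ "/subscriptions/resourcegroups/rgname/providers/microsoft.sql/servers/servername/databases/dbname"` is missing the subscription ID segment between `subscriptions` and `resourcegroups`, so it can never match a real resource even after the placeholders are replaced; use an obviously editable form such as `/subscriptions/<subscription-id>/resourceGroups/<rg-name>/providers/Microsoft.Sql/servers/<server-name>/databases/<db-name>`. The hardcoded `assessmentKey` `82e20e14-edc5-4373-bfc4-f13121257c37` should also say which of the two recommendations named earlier in the article it belongs to (Azure SQL databases or SQL servers on machines), since a reader querying the other recommendation will need its key.

Review bot: "Sample email Azure SQL server:" and "Sample email SQL VM:" have nothing following them in this view; confirm the screenshot includes are present with alt text. The heading "Automate email notifications with LogicApps" should read "Logic Apps", and the body alternates between "Logic App" and "Logic Apps"; the service is "Azure Logic Apps" and an individual workflow is "a logic app".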
defender-for-cloud | Express Configuration Azure Commands | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/express-configuration-azure-commands.md | + + Title: Express configuration Azure Command Line Interface (CLI) commands reference +description: In this article, you can review the Express configuration Azure Command Line Interface (CLI) commands reference and copy example scripts to use in your environments. +++ Last updated : 06/04/2023+++# Express configuration Azure Command Line Interface (CLI) commands reference ++This article lists the Azure Command Line Interface (CLI) commands that can be used with SQL vulnerability assessment express configuration. ++- [Set SQL vulnerability assessment baseline on system database](#set-sql-vulnerability-assessment-baseline-on-system-database) +- [Get SQL vulnerability assessment baseline on system database](#get-sql-vulnerability-assessment-baseline-on-system-database) +- [Set SQL vulnerability assessment baseline on user database](#set-sql-vulnerability-assessment-baseline-on-user-database) +- [Get SQL vulnerability assessment baseline on user database](#get-sql-vulnerability-assessment-baseline-on-user-database) +- [Set SQL vulnerability assessment baseline rule on system database](#set-sql-vulnerability-assessment-baseline-rule-on-system-database) +- [Get SQL vulnerability assessment baseline rule on system database](#get-sql-vulnerability-assessment-baseline-rule-on-system-database) +- [Remove SQL vulnerability assessment baseline rule on system database](#remove-sql-vulnerability-assessment-baseline-rule-on-system-database) +- [Set SQL vulnerability assessment baseline rule on user database](#set-sql-vulnerability-assessment-baseline-rule-on-user-database) +- [Get SQL vulnerability assessment baseline rule on user database](#get-sql-vulnerability-assessment-baseline-rule-on-user-database) +- [Remove SQL vulnerability assessment baseline rule on user 
database](#remove-sql-vulnerability-assessment-baseline-rule-on-user-database) +- [Get SQL vulnerability assessment scan results on system database](#get-sql-vulnerability-assessment-scan-results-on-system-database) +- [Get SQL vulnerability assessment scan results on user database](#get-sql-vulnerability-assessment-scan-results-on-user-database) +- [Get SQL vulnerability assessment scans on system database](#get-sql-vulnerability-assessment-scans-on-system-database) +- [Get SQL vulnerability assessment scans on user database](#get-sql-vulnerability-assessment-scans-on-user-database) +- [Invoke SQL vulnerability assessment scan on system database](#invoke-sql-vulnerability-assessment-scan-on-system-database) +- [Invoke SQL vulnerability assessment scan on user database](#invoke-sql-vulnerability-assessment-scan-on-user-database) +- [Get SQL vulnerability assessment server setting](#get-sql-vulnerability-assessment-server-setting) +- [Set SQL vulnerability assessment server setting](#set-sql-vulnerability-assessment-server-setting) +- [Remove SQL vulnerability assessment server setting](#remove-sql-vulnerability-assessment-server-setting) ++### Set SQL vulnerability assessment baseline on system database ++**Example 1**: ++```azurecli +az rest --method Put --uri /subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/sqlVulnerabilityAssessments/default/baselines/default?api-version=2022-02-01-preview --uri-parameters systemDatabaseName=master --body '{ "properties": { "latestScan": true, "results": {} }}' ++{ + "id": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/sqlVulnerabilityAssessments/Default/baselines/Default", + "name": "Default", + "properties": { + "results": { + "VA2060": [ + [ + "False" + ] + ], + "VA2061": [ + [ + "True" + ] + ] + } + }, + 
"type": "Microsoft.Sql/servers/sqlVulnerabilityAssessments/baselines" +} +``` ++**Example 2**: ++```azurecli +az rest --method Put --uri /subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/sqlVulnerabilityAssessments/default/baselines/default?api-version=2022-02-01-preview --uri-parameters systemDatabaseName=master --body '{\"properties\": { \"latestScan\": false, \"results\": {\"VA2063\": [[\"AllowAll\",\"0.0.0.0\",\"255.255.255.255\" ]]}}}' ++{ + "id": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/sqlVulnerabilityAssessments/Default/baselines/Default", + "name": "Default", + "properties": { + "results": { + "VA2063": [ + [ + "AllowAll", + "0.0.0.0", + "255.255.255.255" + ] + ] + } + }, + "type": "Microsoft.Sql/servers/sqlVulnerabilityAssessments/baselines" +} +``` ++### Get SQL vulnerability assessment baseline on system database ++**Example 1**: ++```azurecli +az rest --method Get --uri /subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/sqlVulnerabilityAssessments/default/baselines/default?api-version=2022-02-01-preview --uri-parameters systemDatabaseName=master ++{ + "id": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/master/sqlVulnerabilityAssessments/Default/baselines/Default", + "name": "Default", + "properties": { + "results": { + "VA2060": [ + [ + "False" + ] + ], + "VA2061": [ + [ + "True" + ] + ] + } + }, + "type": "Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/baselines" +} +``` ++**Example 2**: ++```azurecli +az rest --method Get --uri 
/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/sqlVulnerabilityAssessments/default/baselines?api-version=2022-02-01-preview --uri-parameters systemDatabaseName=master +{ + "value": [ + { + "id": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/sqlVulnerabilityAssessments/Default/baselines/Default", + "name": "Default", + "properties": { + "results": { + "VA2060": [ + [ + "False" + ] + ], + "VA2061": [ + [ + "True" + ] + ] + } + }, + "type": "Microsoft.Sql/servers/sqlVulnerabilityAssessments/baselines" + } + ] +} +``` ++### Set SQL vulnerability assessment baseline on user database ++**Example 1**: ++```azurecli +az rest --method Put --uri /subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/sqlVulnerabilityAssessments/default/baselines/default?api-version=2022-02-01-preview --body '{ "properties": { "latestScan": true, "results": {} }}' +{ + "id": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/sqlVulnerabilityAssessments/Default/baselines/Default", + "name": "Default", + "properties": { + "results": { + "VA1143": [ + [ + "True" + ] + ], + "VA1219": [ + [ + "False" + ] + ] + } + }, + "type": "Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/baselines" +} +``` ++**Example 2**: ++```azurecli +az rest --method Put --uri /subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/sqlVulnerabilityAssessments/default/baselines/default?api-version=2022-02-01-preview --body '{\"properties\": { 
\"latestScan\": false, \"results\": {\"VA2062\": [[\"AllowAll\",\"0.0.0.0\",\"255.255.255.255\" ]]}}}' ++{ + "id": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/sqlVulnerabilityAssessments/Default/baselines/Default", + "name": "Default", + "properties": { + "results": { + "VA2062": [ + [ + "AllowAll", + "0.0.0.0", + "255.255.255.255" + ] + ] + } + }, + "type": "Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/baselines" +} +``` ++### Get SQL vulnerability assessment baseline on user database ++**Example 1**: ++```azurecli +az rest --method Get --uri /subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/sqlVulnerabilityAssessments/default/baselines/default?api-version=2022-02-01-preview +{ + "id": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/sqlVulnerabilityAssessments/Default/baselines/Default", + "name": "Default", + "properties": { + "results": { + "VA1143": [ + [ + "True" + ] + ], + "VA1219": [ + [ + "False" + ] + ] + } + }, + "type": "Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/baselines" +} +``` ++**Example 2**: ++```azurecli +az rest --method Get --uri /subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/sqlVulnerabilityAssessments/default/baselines?api-version=2022-02-01-preview ++{ + "value": [ + { + "id": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/sqlVulnerabilityAssessments/Default/baselines/Default", + "name": "Default", + 
"properties": { + "results": { + "VA1143": [ + [ + "True" + ] + ], + "VA1219": [ + [ + "False" + ] + ] + } + }, + "type": "Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/baselines" + } + ] +} +``` ++### Set SQL vulnerability assessment baseline rule on system database ++```azurecli +az rest --method Put --uri /subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/sqlVulnerabilityAssessments/default/baselines/default/rules/$RuleId?api-version=2022-02-01-preview --uri-parameters systemDatabaseName=master --body '{ \"properties\": { \"latestScan\": false, \"results\": [ [ \"AllowAll\", \"0.0.0.0\", \"255.255.255.255\" ] ] }}' ++{ + "id": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/sqlVulnerabilityAssessments/Default/baselines/default/rules/VA2065", + "name": "VA2065", + "properties": { + "results": [ + [ + "AllowAll", + "0.0.0.0", + "255.255.255.255" + ] + ] + }, + "type": "Microsoft.Sql/servers/sqlVulnerabilityAssessments/baselines" + } +``` ++### Get SQL vulnerability assessment baseline rule on system database ++**Example 1**: ++```azurecli +az rest --method Get --uri /subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/sqlVulnerabilityAssessments/default/baselines/default/rules/$RuleId?api-version=2022-02-01-preview --uri-parameters systemDatabaseName=master +{ + "id": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/sqlVulnerabilityAssessments/Default/baselines/default/rules/VA2065", + "name": "VA2065", + "properties": { + "results": [ + [ + "AllowAll", + "0.0.0.0", + "255.255.255.255" + ] + ] + }, + "type": 
"Microsoft.Sql/servers/sqlVulnerabilityAssessments/baselines" +} +``` ++**Example 2**: ++```azurecli +az rest --method Get --uri /subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/sqlVulnerabilityAssessments/default/baselines/default/rules?api-version=2022-02-01-preview --uri-parameters systemDatabaseName=master ++{ + "value": [ + { + "id": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/sqlVulnerabilityAssessments/Default/baselines/default/rules/VA2060", + "name": "VA2060", + "properties": { + "results": [ + [ + "False" + ] + ] + }, + "type": "Microsoft.Sql/servers/sqlVulnerabilityAssessments/baselines" + }, + { + "id": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/sqlVulnerabilityAssessments/Default/baselines/default/rules/VA2061", + "name": "VA2061", + "properties": { + "results": [ + [ + "True" + ] + ] + }, + "type": "Microsoft.Sql/servers/sqlVulnerabilityAssessments/baselines" + }, + { + "id": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/sqlVulnerabilityAssessments/Default/baselines/default/rules/VA2065", + "name": "VA2065", + "properties": { + "results": [ + [ + "AllowAll", + "0.0.0.0", + "255.255.255.255" + ] + ] + }, + "type": "Microsoft.Sql/servers/sqlVulnerabilityAssessments/baselines" + } + ] +} +``` ++### Remove SQL vulnerability assessment baseline rule on system database ++```azurecli +az rest --method Delete --uri 
/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/sqlVulnerabilityAssessments/default/baselines/default/rules/$RuleId?api-version=2022-02-01-preview --uri-parameters systemDatabaseName=master +``` ++### Set SQL vulnerability assessment baseline rule on user database ++```azurecli +az rest --method Put --uri /subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/sqlVulnerabilityAssessments/default/baselines/default/rules/$RuleId?api-version=2022-02-01-preview --body '{ \"properties\": { \"latestScan\": false, \"results\": [ [ \"AllowAll\", \"0.0.0.0\", \"255.255.255.255\" ] ] }}' ++{ + "id": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/sqlVulnerabilityAssessments/Default/baselines/default/rules/VA2062", + "name": "VA2062", + "properties": { + "results": [ + [ + "AllowAll", + "0.0.0.0", + "255.255.255.255" + ] + ] + }, + "type": "Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/baselines" +} +``` ++### Get SQL vulnerability assessment baseline rule on user database ++**Example 1**: ++```azurecli +az rest --method Get --uri /subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/sqlVulnerabilityAssessments/default/baselines/default/rules/$RuleId?api-version=2022-02-01-preview ++{ + "id": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/sqlVulnerabilityAssessments/Default/baselines/default/rules/VA2062", + "name": "VA2062", + "properties": { + "results": [ + [ + "AllowAll", + 
"0.0.0.0", + "255.255.255.255" + ] + ] + }, + "type": "Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/baselines" +} +``` ++**Example 2**: ++```azurecli +az rest --method Get --uri /subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/sqlVulnerabilityAssessments/default/baselines/default/rules?api-version=2022-02-01-preview ++{ + "value": [ + { + "id": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/sqlVulnerabilityAssessments/Default/baselines/default/rules/VA1143", + "name": "VA1143", + "properties": { + "results": [ + [ + "True" + ] + ] + }, + "type": "Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/baselines" + }, + { + "id": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/sqlVulnerabilityAssessments/Default/baselines/default/rules/VA1219", + "name": "VA1219", + "properties": { + "results": [ + [ + "False" + ] + ] + }, + "type": "Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/baselines" + } + ] +} +``` ++### Remove SQL vulnerability assessment baseline rule on user database ++```azurecli +az rest --method Delete --uri /subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/sqlVulnerabilityAssessments/default/baselines/default/rules/$RuleId?api-version=2022-02-01-preview +``` ++### Get SQL vulnerability assessment scan results on system database ++**Example 1**: ++```azurecli +az rest --method Get --uri 
/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/sqlVulnerabilityAssessments/default/scans/$ScanId/scanresults/$RuleId?api-version=2022-02-01-preview --uri-parameters systemDatabaseName=master +{ + "id": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/sqlVulnerabilityAssessments/Default/scans/VA2065/scanResults/VA2065", + "name": "VA2065", + "properties": { + "baselineAdjustedResult": null, + "errorMessage": null, + "isTrimmed": false, + "queryResults": [], + "remediation": { + "automated": false, + "description": "Evaluate each of the server-level firewall rules. Remove any rules that grant unnecessary access and set the rest as a baseline. Deviations from the baseline will be identified and brought to your attention in subsequent scans.", + "portalLink": "ReviewServerFirewallRules", + "scripts": [] + }, + "ruleId": "VA2065", + "ruleMetadata": { + "benchmarkReferences": [], + "category": "SurfaceAreaReduction", + "description": "The Azure SQL server-level firewall helps protect your data by preventing all access to your databases until you specify which IP addresses have permission. Server-level firewall rules grant access to all databases that belong to the server based on the originating IP address of each request.\n\nServer-level firewall rules can be created and managed through Transact-SQL as well as through the Azure portal or PowerShell. 
For more details please see: https://docs.microsoft.com/en-us/azure/sql-database/sql-database-firewall-configure.\n\nThis check enumerates all the server-level firewall rules so that any changes made to them can be identified and addressed.", + "queryCheck": { + "columnNames": [ + "Firewall Rule Name", + "Start Address", + "End Address" + ], + "expectedResult": [], + "query": "SELECT name AS [Firewall Rule Name]\n ,start_ip_address AS [Start Address]\n ,end_ip_address AS [End Address]\nFROM sys.firewall_rules" + }, + "rationale": "Firewall rules should be strictly configured to allow access only to client computers that have a valid need to connect to the database server. Any superfluous entries in the firewall may pose a threat by allowing an unauthorized source access to your databases.", + "ruleId": "VA2065", + "ruleType": "BaselineExpected", + "severity": "High", + "title": "Server-level firewall rules should be tracked and maintained at a strict minimum" + }, + "status": "NonFinding" + }, + "type": "Microsoft.Sql/servers/sqlVulnerabilityAssessments/scans/scanResults" +} +``` ++**Example 2**: ++```azurecli +az rest --method Get --uri /subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/sqlVulnerabilityAssessments/default/scans/$ScanId/scanresults?api-version=2022-02-01-preview --uri-parameters systemDatabaseName=master ++{ + "value": [ + { + "id": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/sqlVulnerabilityAssessments/Default/scans/VA1223/scanResults/VA1223", + "name": "VA1223", + "properties": { + "baselineAdjustedResult": null, + "errorMessage": null, + "isTrimmed": false, + "queryResults": [], + "remediation": { + "automated": false, + "description": "Create new certificates, re-encrypt the data/sign-data using the new key, and drop the 
affected keys.", + "portalLink": "", + "scripts": [] + }, + "ruleId": "VA1223", + "ruleMetadata": { + "benchmarkReferences": [ + { + "benchmark": "FedRAMP", + "reference": null + } + ], + "category": "DataProtection", + "description": "Certificate keys are used in RSA and other encryption algorithms to protect data. These keys need to be of enough length to secure the user's data. This rule checks that the key's length is at least 2048 bits for all certificates.", + "queryCheck": { + "columnNames": [ + "Certificate Name", + "Thumbprint" + ], + "expectedResult": [], + "query": "SELECT name AS [Certificate Name], thumbprint AS [Thumbprint]\nFROM sys.certificates\nWHERE key_length < 2048" + }, + "rationale": "Key length defines the upper-bound on the encryption algorithm's security. Using short keys in encryption algorithms may lead to weaknesses in data-at-rest protection.", + "ruleId": "VA1223", + "ruleType": "NegativeList", + "severity": "High", + "title": "Certificate keys should use at least 2048 bits" + }, + "status": "NonFinding" + }, + "type": "Microsoft.Sql/servers/sqlVulnerabilityAssessments/scans/scanResults" + }, + { + "id": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/sqlVulnerabilityAssessments/Default/scans/VA2060/scanResults/VA2060", + "name": "VA2060", + "properties": { + "baselineAdjustedResult": { + "baseline": { + "expectedResults": [ + [ + "False" + ] + ], + "updatedTime": "2023-05-15T12:36:39.9688256+00:00" + }, + "resultsNotInBaseline": [], + "resultsOnlyInBaseline": [], + "status": "NonFinding" + }, + "errorMessage": null, + "isTrimmed": false, + "queryResults": [ + [ + "False" + ] + ], + "remediation": { + "automated": false, + "description": "It is recommended to enable SQL Threat Detection at the server level so that all activities on the server itself and the databases that belong to it are protected.", + "portalLink": 
"EnableAds", + "scripts": [] + }, + "ruleId": "VA2060", + "ruleMetadata": { + "benchmarkReferences": [], + "category": "DataProtection", + "description": "SQL Threat Detection provides a layer of security, which detects potential vulnerabilities and anomalous activity in databases, such as SQL injection attacks and unusual behavior patterns. When a potential threat is detected, Threat Detection sends an actionable real-time alert by email and in Azure Security Center, which includes clear investigation and remediation steps for the specific threat. For more information please see https://docs.microsoft.com/en-us/azure/sql-database/sql-database-threat-detection.\nThis check verifies that SQL Threat Detection is enabled", + "queryCheck": { + "columnNames": [ + "Violation" + ], + "expectedResult": [ + [ + "0" + ] + ], + "query": "SELECT CASE WHEN EXISTS\n ( SELECT * FROM sys.audits WHERE name LIKE '%SqlDbThreatDetection_ServerAudit%' ) THEN 0\n ELSE 1\n END AS [Violation]" + }, + "rationale": "Even when database systems apply thorough security measures, breaches can occur and it is important to have a detection mechanism in place. 
SQL Threat Detection should be enabled to detect any such potential threats that may compromise the data stored in Azure SQL Databases.", + "ruleId": "VA2060", + "ruleType": "Binary", + "severity": "Medium", + "title": "SQL Threat Detection should be enabled at the server level" + }, + "status": "NonFinding" + }, + "type": "Microsoft.Sql/servers/sqlVulnerabilityAssessments/scans/scanResults" + }, + ] +} +``` ++### Get SQL vulnerability assessment scan results on user database ++**Example 1**: ++```azurecli +az rest --method Get --uri /subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/sqlVulnerabilityAssessments/default/scans/$ScanId/scanresults/$RuleId?api-version=2022-02-01-preview +{ + "id": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/sqlVulnerabilityAssessments/Default/scans/VA2062/scanResults/VA2062", + "name": "VA2062", + "properties": { + "baselineAdjustedResult": { + "baseline": { + "expectedResults": [ + [ + "AllowAll", + "0.0.0.0", + "255.255.255.255" + ] + ], + "updatedTime": "2023-05-15T12:52:17.0297386+00:00" + }, + "resultsNotInBaseline": [], + "resultsOnlyInBaseline": [ + [ + "AllowAll", + "0.0.0.0", + "255.255.255.255" + ] + ], + "status": "Finding" + }, + "errorMessage": null, + "isTrimmed": false, + "queryResults": [], + "remediation": { + "automated": false, + "description": "Remove database firewall rules that grant excessive access", + "portalLink": "", + "scripts": [] + }, + "ruleId": "VA2062", + "ruleMetadata": { + "benchmarkReferences": [], + "category": "SurfaceAreaReduction", + "description": "The Azure SQL Database-level firewall helps protect your data by preventing all access to your database until you specify which IP addresses have permission. 
Database-level firewall rules grant access to the specific database based on the originating IP address of each request.\n\nDatabase-level firewall rules for master and user databases can only be created and managed through Transact-SQL (unlike server-level firewall rules which can also be created and managed using the Azure portal or PowerShell). For more details please see: https://docs.microsoft.com/en-us/azure/sql-database/sql-database-firewall-configure\n\nThis check verifies that each database-level firewall rule does not grant access to more than 255 IP addresses.", + "queryCheck": { + "columnNames": [ + "Firewall Rule Name", + "Start Address", + "End Address" + ], + "expectedResult": [], + "query": "SELECT name AS [Firewall Rule Name]\n ,start_ip_address AS [Start Address]\n ,end_ip_address AS [End Address]\nFROM sys.database_firewall_rules\nWHERE ( \n (CONVERT(bigint, parsename(end_ip_address, 1)) +\n CONVERT(bigint, parsename(end_ip_address, 2)) * 256 + \n CONVERT(bigint, parsename(end_ip_address, 3)) * 65536 + \n CONVERT(bigint, parsename(end_ip_address, 4)) * 16777216 ) \n - \n (CONVERT(bigint, parsename(start_ip_address, 1)) +\n CONVERT(bigint, parsename(start_ip_address, 2)) * 256 + \n CONVERT(bigint, parsename(start_ip_address, 3)) * 65536 + \n CONVERT(bigint, parsename(start_ip_address, 4)) * 16777216 )\n ) > 255" + }, + "rationale": "Often, administrators add rules that grant excessive access as part of a troubleshooting process - to eliminate the firewall as the source of a problem, they simply create a rule that allows all traffic to pass to the affected database.\n\nGranting excessive access using database firewall rules is a clear security concern, as it violates the principle of least privilege by allowing unnecessary access to your database. 
In fact, it's the equivalent of placing the database outside of the firewall.", + "ruleId": "VA2062", + "ruleType": "NegativeList", + "severity": "High", + "title": "Database-level firewall rules should not grant excessive access" + }, + "status": "NonFinding" + }, + "type": "Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/scans/scanResults" +} +``` ++**Example 2**: ++```azurecli +az rest --method Get --uri /subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/sqlVulnerabilityAssessments/default/scans/$ScanId/scanresults?api-version=2022-02-01-preview ++{ + "value": [ + { + "id": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/sqlVulnerabilityAssessments/Default/scans/VA1020/scanResults/VA1020", + "name": "VA1020", + "properties": { + "baselineAdjustedResult": null, + "errorMessage": null, + "isTrimmed": false, + "queryResults": [], + "remediation": { + "automated": true, + "description": "Remove the special user GUEST from all roles.", + "portalLink": "", + "scripts": [] + }, + "ruleId": "VA1020", + "ruleMetadata": { + "benchmarkReferences": [ + { + "benchmark": "FedRAMP", + "reference": null + } + ], + "category": "AuthenticationAndAuthorization", + "description": "The guest user permits access to a database for any logins that are not mapped to a specific database user. 
This rule checks that no database roles are assigned to the Guest user.", + "queryCheck": { + "columnNames": [ + "Role" + ], + "expectedResult": [], + "query": "SELECT roles.[name] AS [Role]\nFROM sys.database_role_members AS drms\nINNER JOIN sys.database_principals AS roles ON drms.role_principal_id = roles.principal_id\nINNER JOIN sys.database_principals AS users ON drms.member_principal_id = users.principal_id\nWHERE users.[name] = 'guest'" + }, + "rationale": "Database Roles are the basic building block at the heart of separation of duties and the principle of least permission. Granting the Guest user membership to specific roles defeats this purpose.", + "ruleId": "VA1020", + "ruleType": "NegativeList", + "severity": "High", + "title": "Database user GUEST should not be a member of any role" + }, + "status": "NonFinding" + }, + "type": "Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/scans/scanResults" + }, + { + "id": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/sqlVulnerabilityAssessments/Default/scans/VA1054/scanResults/VA1054", + "name": "VA1054", + "properties": { + "baselineAdjustedResult": null, + "errorMessage": null, + "isTrimmed": false, + "queryResults": [], + "remediation": { + "automated": false, + "description": "Revoke unnecessary permissions granted to PUBLIC", + "portalLink": "", + "scripts": [] + }, + "ruleId": "VA1054", + "ruleMetadata": { + "benchmarkReferences": [ + { + "benchmark": "FedRAMP", + "reference": null + } + ], + "category": "AuthenticationAndAuthorization", + "description": "Every SQL Server login belongs to the public server role. When a server principal has not been granted or denied specific permissions on a securable object, the user inherits the permissions granted to public on that object. 
This rule displays a GetList of all securable objects or columns that are accessible to all users through the PUBLIC role.", + "queryCheck": { + "columnNames": [ + "Permission", + "Schema", + "Object" + ], + "expectedResult": [], + "query": "SELECT permission_name AS [Permission]\n ,schema_name AS [Schema]\n ,object_name AS [Object]\nFROM (\n SELECT objs.TYPE COLLATE database_default AS object_type\n ,schema_name(schema_id) COLLATE database_default AS schema_name\n ,objs.name COLLATE database_default AS object_name\n ,user_name(grantor_principal_id) COLLATE database_default AS grantor_principal_name\n ,permission_name COLLATE database_default AS permission_name\n ,perms.TYPE COLLATE database_default AS TYPE\n ,STATE COLLATE database_default AS STATE\n FROM sys.database_permissions AS perms\n INNER JOIN sys.objects AS objs\n ON objs.object_id = perms.major_id\n WHERE perms.class = 1 -- objects or columns. Other cases are handled by VA1095 which has different remediation syntax\n AND grantee_principal_id = DATABASE_PRINCIPAL_ID('public')\n AND [state] IN (\n 'G'\n ,'W'\n )\n AND NOT (\n -- These permissions are granted by default to public\n permission_name = 'EXECUTE'\n AND schema_name(schema_id) = 'dbo'\n AND STATE = 'G'\n AND objs.name IN (\n 'fn_sysdac_is_dac_creator'\n ,'fn_sysdac_is_currentuser_sa'\n ,'fn_sysdac_is_login_creator'\n ,'fn_sysdac_get_username'\n ,'sp_sysdac_ensure_dac_creator'\n ,'sp_sysdac_add_instance'\n ,'sp_sysdac_add_history_entry'\n ,'sp_sysdac_delete_instance'\n ,'sp_sysdac_upgrade_instance'\n ,'sp_sysdac_drop_database'\n ,'sp_sysdac_rename_database'\n ,'sp_sysdac_setreadonly_database'\n ,'sp_sysdac_rollback_committed_step'\n ,'sp_sysdac_update_history_entry'\n ,'sp_sysdac_resolve_pending_entry'\n ,'sp_sysdac_rollback_pending_object'\n ,'sp_sysdac_rollback_all_pending_objects'\n ,'fn_sysdac_get_currentusername'\n )\n OR permission_name = 'SELECT'\n AND schema_name(schema_id) = 'sys'\n AND STATE = 'G'\n AND objs.name IN (\n 
'firewall_rules'\n ,'database_firewall_rules'\n ,'ipv6_database_firewall_rules'\n ,'bandwidth_usage'\n ,'database_usage'\n ,'external_library_setup_errors'\n ,'sql_feature_restrictions'\n ,'resource_stats'\n ,'elastic_pool_resource_stats'\n ,'dm_database_copies'\n ,'geo_replication_links'\n ,'database_error_stats'\n ,'event_log'\n ,'database_connection_stats'\n )\n OR permission_name = 'SELECT'\n AND schema_name(schema_id) = 'dbo'\n AND STATE = 'G'\n AND objs.name IN (\n 'sysdac_instances_internal'\n ,'sysdac_history_internal'\n ,'sysdac_instances'\n )\n )\n\n ) t" + }, + "rationale": "Database Roles are the basic building block at the heart of separation of duties and the principle of least permission. Granting permissions to principals through the default PUBLIC role defeats this purpose.", + "ruleId": "VA1054", + "ruleType": "NegativeList", + "severity": "Low", + "title": "Excessive permissions should not be granted to PUBLIC role on objects or columns" + }, + "status": "NonFinding" + }, + "type": "Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/scans/scanResults" + } + ] +} +``` ++### Get SQL vulnerability assessment scans on system database ++**Example 1**: ++```azurecli +az rest --method Get --uri /subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/sqlVulnerabilityAssessments/default/scans/$ScanId?api-version=2022-02-01-preview --uri-parameters systemDatabaseName=master ++ { + "id": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/sqlVulnerabilityAssessments/Default/scans/ab58a4de-6bd6-4e54-bfa7-1d5e97ece68d", + "name": "ab58a4de-6bd6-4e54-bfa7-1d5e97ece68d", + "properties": { + "database": "master", + "endTime": "2023-04-24T07:07:15.4704608Z", + "highSeverityFailedRulesCount": 0, + "isBaselineApplied": true, + 
"lowSeverityFailedRulesCount": 0, + "mediumSeverityFailedRulesCount": 0, + "scanId": "ab58a4de-6bd6-4e54-bfa7-1d5e97ece68d", + "server": "vulnerabilityaseessmenttest", + "sqlVersion": "16.0.5100", + "startTime": "2023-04-24T07:07:15.4079623Z", + "state": "Passed", + "totalFailedRulesCount": 0, + "totalPassedRulesCount": 9, + "totalRulesCount": 9, + "triggerType": "OnDemand" + }, + "type": "Microsoft.Sql/servers/sqlVulnerabilityAssessments/scans" +} +``` ++**Example 2**: ++```azurecli +az rest --method Get --uri /subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/sqlVulnerabilityAssessments/default/scans?api-version=2022-02-01-preview --uri-parameters systemDatabaseName=master ++{ + "value": [ + { + "id": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/sqlVulnerabilityAssessments/Default/scans/ab58a4de-6bd6-4e54-bfa7-1d5e97ece68d", + "name": "ab58a4de-6bd6-4e54-bfa7-1d5e97ece68d", + "properties": { + "database": "master", + "endTime": "2023-04-24T07:07:15.4704608Z", + "highSeverityFailedRulesCount": 0, + "isBaselineApplied": true, + "lowSeverityFailedRulesCount": 0, + "mediumSeverityFailedRulesCount": 0, + "scanId": "ab58a4de-6bd6-4e54-bfa7-1d5e97ece68d", + "server": "vulnerabilityaseessmenttest", + "sqlVersion": "16.0.5100", + "startTime": "2023-04-24T07:07:15.4079623Z", + "state": "Passed", + "totalFailedRulesCount": 0, + "totalPassedRulesCount": 9, + "totalRulesCount": 9, + "triggerType": "OnDemand" + }, + "type": "Microsoft.Sql/servers/sqlVulnerabilityAssessments/scans" + }, + { + "id": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/sqlVulnerabilityAssessments/Default/scans/f3ec698b-104c-40a7-b1eb-251ff83bcf4e", + "name": 
"f3ec698b-104c-40a7-b1eb-251ff83bcf4e", + "properties": { + "database": "master", + "endTime": "2023-04-24T07:07:15.4079623Z", + "highSeverityFailedRulesCount": 0, + "isBaselineApplied": true, + "lowSeverityFailedRulesCount": 1, + "mediumSeverityFailedRulesCount": 1, + "scanId": "f3ec698b-104c-40a7-b1eb-251ff83bcf4e", + "server": "vulnerabilityaseessmenttest", + "sqlVersion": "16.0.5100", + "startTime": "2023-04-24T07:02:05.6581079Z", + "state": "Failed", + "totalFailedRulesCount": 2, + "totalPassedRulesCount": 7, + "totalRulesCount": 9, + "triggerType": "OnDemand" + }, + "type": "Microsoft.Sql/servers/sqlVulnerabilityAssessments/scans" + }, + { + "id": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/sqlVulnerabilityAssessments/Default/scans/8c26af1e-79d6-4238-b7cf-bc7941714f34", + "name": "8c26af1e-79d6-4238-b7cf-bc7941714f34", + "properties": { + "database": "master", + "endTime": "2023-04-24T07:02:05.6581079Z", + "highSeverityFailedRulesCount": 1, + "isBaselineApplied": false, + "lowSeverityFailedRulesCount": 1, + "mediumSeverityFailedRulesCount": 0, + "scanId": "8c26af1e-79d6-4238-b7cf-bc7941714f34", + "server": "vulnerabilityaseessmenttest", + "sqlVersion": "16.0.5100", + "startTime": "2023-04-17T12:52:45.2387704Z", + "state": "Failed", + "totalFailedRulesCount": 2, + "totalPassedRulesCount": 7, + "totalRulesCount": 9, + "triggerType": "OnDemand" + }, + "type": "Microsoft.Sql/servers/sqlVulnerabilityAssessments/scans" + } + ] +} +``` +++### Get SQL vulnerability assessment scans on user database ++**Example 1**: ++```azurecli +az rest --method Get --uri /subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/sqlVulnerabilityAssessments/default/scans/$ScanId?api-version=2022-02-01-preview ++{ + "id": 
"/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/vulnerabilityAssessments/Default/scans/f64d81a1-9d7b-4516-a623-a1bfc845ed7e", + "name": "f64d81a1-9d7b-4516-a623-a1bfc845ed7e", + "properties": { + "database": "db", + "endTime": "2023-04-17T12:52:41.5235755Z", + "highSeverityFailedRulesCount": 1, + "isBaselineApplied": true, + "lowSeverityFailedRulesCount": 0, + "mediumSeverityFailedRulesCount": 0, + "scanId": "f64d81a1-9d7b-4516-a623-a1bfc845ed7e", + "server": "vulnerabilityaseessmenttest", + "sqlVersion": "16.0.5100", + "startTime": "2023-04-17T12:52:41.4142209Z", + "state": "Failed", + "totalFailedRulesCount": 1, + "totalPassedRulesCount": 23, + "totalRulesCount": 24, + "triggerType": "OnDemand" + }, + "type": "Microsoft.Sql/servers/databases/vulnerabilityAssessments/scans" +} +``` ++**Example 2**: ++```azurecli +az rest --method Get --uri /subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/sqlVulnerabilityAssessments/default/scans?api-version=2022-02-01-preview ++{ + "id": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/vulnerabilityAssessments/Default/scans/f64d81a1-9d7b-4516-a623-a1bfc845ed7e", + "name": "f64d81a1-9d7b-4516-a623-a1bfc845ed7e", + "properties": { + "database": "db", + "endTime": "2023-04-17T12:52:41.5235755Z", + "highSeverityFailedRulesCount": 1, + "isBaselineApplied": true, + "lowSeverityFailedRulesCount": 0, + "mediumSeverityFailedRulesCount": 0, + "scanId": "f64d81a1-9d7b-4516-a623-a1bfc845ed7e", + "server": "vulnerabilityaseessmenttest", + "sqlVersion": "16.0.5100", + "startTime": "2023-04-17T12:52:41.4142209Z", + "state": "Failed", + "totalFailedRulesCount": 1, + 
"totalPassedRulesCount": 23, + "totalRulesCount": 24, + "triggerType": "OnDemand" + }, + "type": "Microsoft.Sql/servers/databases/vulnerabilityAssessments/scans" +} +``` ++### Invoke SQL vulnerability assessment scan on system database ++```azurecli +az rest --method Post --uri /subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/sqlVulnerabilityAssessments/default/initiateScan?api-version=2022-02-01-preview --uri-parameters systemDatabaseName=master ++{ + "operation": "ExecuteDatabaseVulnerabilityAssessmentScan", + "startTime": "2023-05-15T13:07:56.837Z" +} +``` ++### Invoke SQL vulnerability assessment scan on user database ++```azurecli +az rest --method Post --uri /subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/sqlVulnerabilityAssessments/default/initiateScan?api-version=2022-02-01-preview ++{ + "operation": "ExecuteDatabaseVulnerabilityAssessmentScan", + "startTime": "2023-05-15T13:07:08.277Z" +} +``` ++### Get SQL vulnerability assessment server setting ++```azurecli +az rest --method Get --uri /subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/sqlVulnerabilityAssessments/default?api-version=2022-02-01-preview ++{ + "id": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/sqlVulnerabilityAssessments/Default", + "name": "Default", + "properties": { + "state": "Enabled" + }, + "type": "Microsoft.Sql/servers/sqlVulnerabilityAssessments" +} +``` ++### Set SQL vulnerability assessment server setting ++**Example 1**: ++```azurecli +az rest --method Put --uri 
/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/sqlVulnerabilityAssessments/default?api-version=2022-02-01-preview --body '{ \"properties\": { \"state\": \"Enabled\" }}' ++{ + "id": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/sqlVulnerabilityAssessments/Default", + "name": "Default", + "properties": { + "state": "Enabled" + }, + "type": "Microsoft.Sql/servers/sqlVulnerabilityAssessments" +} +``` +**Example 2**: ++```azurecli +az rest --method Put --uri /subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/sqlVulnerabilityAssessments/default?api-version=2022-02-01-preview --body '{ \"properties\": { \"state\": \"Disabled\" }}' ++{ + "id": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/sqlVulnerabilityAssessments/Default", + "name": "Default", + "properties": { + "state": "Disabled" + }, + "type": "Microsoft.Sql/servers/sqlVulnerabilityAssessments" +} +``` ++### Remove SQL vulnerability assessment server setting ++```azurecli +az rest --method Delete --uri /subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/sqlVulnerabilityAssessments/default?api-version=2022-02-01-preview +``` +## Next steps ++[Find and remediate vulnerabilities in your Azure SQL databases](sql-azure-vulnerability-assessment-find.md) |
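Review bot: the response sample under "Get SQL vulnerability assessment scan results on system database", Example 2, ends its `value` array with a trailing comma (`"type": "Microsoft.Sql/servers/sqlVulnerabilityAssessments/scans/scanResults" + }, + ]`), which makes the sample invalid JSON for anyone who pastes it into a parser; close the array as `} ]`. Two spacing gaps in the same hunk are worth fixing at the same time: Example 1 of that section runs the command straight into the JSON output with no blank line, and in "Set SQL vulnerability assessment server setting" neither `**Example 2**:` nor the final `## Next steps` heading is preceded by a blank line, unlike every other example and heading in the file.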
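Review bot: the response samples under "Get SQL vulnerability assessment scans on user database" do not match the request they follow. The request targets `.../databases/db/sqlVulnerabilityAssessments/default/scans/...`, but the returned `id` and `type` read `.../databases/db/vulnerabilityAssessments/Default/scans/...` and `Microsoft.Sql/servers/databases/vulnerabilityAssessments/scans`, a resource type without the `sql` prefix that appears nowhere else in the file. Example 2 of that section also returns a single scan object for a list call, whereas the system-database Example 2 directly above returns `{"value": [...]}`. Recapture both samples from the `sqlVulnerabilityAssessments` endpoint so that ids, types and list shape agree with the rest of the document.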
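Review bot: in both "Get SQL vulnerability assessment scan results" sections the sample `id` values place a rule id in the scan-id segment (`.../scans/VA2065/scanResults/VA2065`, `.../scans/VA1223/scanResults/VA1223`, `.../scans/VA2062/scanResults/VA2062`), while the request URI uses `$ScanId` and every scan listed elsewhere in the file is identified by a GUID such as `ab58a4de-6bd6-4e54-bfa7-1d5e97ece68d`. Replace the `scans/` segment in those ids with a scan GUID so readers do not infer that a rule id is a valid scan id.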
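Review bot: the baseline-rule examples for VA2062 and VA2065 (set and get baseline rule on both system and user database) approve the firewall rule `AllowAll`, `0.0.0.0`, `255.255.255.255` into the baseline, and the VA2062 rationale quoted later in the same hunk describes exactly such a rule as "the equivalent of placing the database outside of the firewall". Since the VA2065 remediation text says baselined rows are the expected state and only deviations are reported in subsequent scans, copying this sample as-is silently suppresses a High-severity finding. Add a sentence stating that the rule values are illustrative and that a baseline entry should contain only firewall rules that have been reviewed and are intentionally retained.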
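Review bot: under "Get SQL vulnerability assessment scan results on user database", Example 1 reports `baselineAdjustedResult.status` as `Finding` (the `AllowAll` row sits in `resultsOnlyInBaseline` while `queryResults` is empty, so the live results deviate from the baseline) while the top-level `status` is `NonFinding`. Nothing in the hunk explains which of the two a caller should act on; add a sentence describing how the baseline-adjusted status relates to the top-level status, or choose a sample in which the two agree.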
defender-for-cloud | Express Configuration Powershell Commands | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/express-configuration-powershell-commands.md | + + Title: Express configuration PowerShell commands reference +description: In this article, you can review the Express configuration PowerShell commands reference and copy example scripts to use in your environments. +++ Last updated : 06/04/2023+++# Express configuration PowerShell commands reference ++This article lists the PowerShell commands that can be used with SQL vulnerability assessment express configuration. ++Make a local copy of the script located on [Express configuration PowerShell wrapper module](express-configuration-sql-commands.md), and save the file with the following file name `SqlVulnerabilityAssessmentCommands.psm1`, which can be referenced with the following commands: +++- [Set SQL vulnerability assessment baseline](#set-sql-vulnerability-assessment-baseline) +- [Get SQL vulnerability assessment baseline](#get-sql-vulnerability-assessment-baseline) +- [Set SQL vulnerability assessment baseline rule](#set-sql-vulnerability-assessment-baseline-rule) +- [Remove SQL vulnerability assessment baseline rule](#remove-sql-vulnerability-assessment-baseline-rule) +- [Get SQL vulnerability assessment scan results](#get-sql-vulnerability-assessment-scan-results) +- [Get SQL vulnerability assessment scan](#get-sql-vulnerability-assessment-scan) +- [Invoke SQL vulnerability assessment scan](#invoke-sql-vulnerability-assessment-scan) +- [Get SQL vulnerability assessment server setting](#get-sql-vulnerability-assessment-server-setting) +- [Set SQL vulnerability assessment server setting](#set-sql-vulnerability-assessment-server-setting) +- [Remove SQL vulnerability assessment server setting](#remove-sql-vulnerability-assessment-server-setting) ++### Set SQL vulnerability assessment baseline ++**Example 1**: ++```azurepowershell-interactive +Connect-AzAccount 
-Subscription 00000000-1111-2222-3333-444444444444 +Import-Module .\SqlVulnerabilityAssessmentCommands.psm1 +Set-SqlVulnerabilityAssessmentBaseline -SubscriptionId 00000000-1111-2222-3333-444444444444 -ResourceGroupName vulnerabilityaseessmenttestRg -ServerName vulnerabilityaseessmenttest -DatabaseName db -Body '{ "properties": { "latestScan": true, "results": {} }}' ++Results: ++Headers : {[Pragma, System.String[]], [x-ms-request-id, System.String[]], [x-ms-ratelimit-remaining-subscription-writes, System.String[]], [x-ms-correlation-request-id, System.String[]]...} +Version : 1.1 +StatusCode : 200 +Method : PUT +Content : {"properties":{"results":{"VA1143":[["True"]],"VA1219":[["False"]]}},"id":"/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/serv + ers/vulnerabilityaseessmenttest/databases/db/sqlVulnerabilityAssessments/Default/baselines/Default","name":"Default","type":"Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/baselines"} +``` ++**Example 2**: ++```azurepowershell-interactive +Connect-AzAccount -Subscription 00000000-1111-2222-3333-444444444444 +Import-Module .\SqlVulnerabilityAssessmentCommands.psm1 +Set-SqlVulnerabilityAssessmentBaseline -SubscriptionId 00000000-1111-2222-3333-444444444444 -ResourceGroupName vulnerabilityaseessmenttestRg -ServerName vulnerabilityaseessmenttest -DatabaseName db -Body '{ + "properties": { + "latestScan": false, + "results": { + "VA2062": [ + [ + "AllowAll", + "0.0.0.0", + "255.255.255.255" + ] + ] + } + } +}' ++Results: ++Headers : {[Pragma, System.String[]], [x-ms-request-id, System.String[]], [x-ms-ratelimit-remaining-subscription-writes, System.String[]], [x-ms-correlation-request-id, System.String[]]...} +Version : 1.1 +StatusCode : 200 +Method : PUT +Content : 
{"properties":{"results":{"VA2062":[["AllowAll","0.0.0.0","255.255.255.255"]]}},"id":"/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microso + ft.Sql/servers/vulnerabilityaseessmenttest/databases/db/sqlVulnerabilityAssessments/Default/baselines/Default","name":"Default","type":"Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/baseline + s"} +``` ++### Get SQL vulnerability assessment baseline ++```azurepowershell-interactive +Connect-AzAccount -Subscription 00000000-1111-2222-3333-444444444444 +Import-Module .\SqlVulnerabilityAssessmentCommands.psm1 +Get-SqlVulnerabilityAssessmentBaseline -SubscriptionId 00000000-1111-2222-3333-444444444444 -ResourceGroupName vulnerabilityaseessmenttestRg -ServerName vulnerabilityaseessmenttest -DatabaseName db ++Results: ++Headers : {[Pragma, System.String[]], [x-ms-request-id, System.String[]], [x-ms-ratelimit-remaining-subscription-reads, System.String[]], [x-ms-correlation-request-id, System.String[]]...} +Version : 1.1 +StatusCode : 200 +Method : GET +Content : {"properties":{"results":{"VA1143":[["True"]],"VA1219":[["False"]]}},"id":"/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/serv + ers/vulnerabilityaseessmenttest/databases/db/sqlVulnerabilityAssessments/Default/baselines/Default","name":"Default","type":"Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/baselines"} +``` ++### Set SQL vulnerability assessment baseline rule ++```azurepowershell-interactive +Connect-AzAccount -Subscription 00000000-1111-2222-3333-444444444444 +Import-Module .\SqlVulnerabilityAssessmentCommands.psm1 +Set-SqlVulnerabilityAssessmentBaselineRule -SubscriptionId 00000000-1111-2222-3333-444444444444 -ResourceGroupName vulnerabilityaseessmenttestRg -ServerName vulnerabilityaseessmenttest -DatabaseName db -RuleId VA2062 -Body '{ + "properties": { + "latestScan": false, + "results": [ + [ + 
"AllowAll", + "0.0.0.0", + "255.255.255.255" + ] + ] + } + }' ++Headers : {[Cache-Control, System.String[]], [Pragma, System.String[]], [x-ms-request-id, System.String[]], [Server, + System.String[]]…} +Version : 1.1 +StatusCode : 200 +Method : PUT +Content : {"properties":{"results":[["AllowAll","0.0.0.0","255.255.255.255"]]},"id":"/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/dat + abases/db/sqlVulnerabilityAssessments/Default/baselines/default/rules/VA2062","name":"VA2062","type":"Mic + rosoft.Sql/servers/databases/sqlVulnerabilityAssessments/baselines"} +``` ++### Get SQL vulnerability assessment baseline rule ++**Example 1**: ++```azurepowershell-interactive +Connect-AzAccount -Subscription 00000000-1111-2222-3333-444444444444 +Import-Module .\SqlVulnerabilityAssessmentCommands.psm1 +Get-SqlVulnerabilityAssessmentBaselineRule -SubscriptionId 00000000-1111-2222-3333-444444444444 -ResourceGroupName vulnerabilityaseessmenttestRg -ServerName vulnerabilityaseessmenttest -DatabaseName db -RuleId VA2062 ++Headers : {[Cache-Control, System.String[]], [Pragma, System.String[]], [x-ms-request-id, System.String[]], [Server, + System.String[]]…} +Version : 1.1 +StatusCode : 200 +Method : GET +Content : {"properties":{"results":[["AllowAll","0.0.0.0","255.255.255.255"]]},"id":"/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/dat + abases/db/sqlVulnerabilityAssessments/Default/baselines/default/rules/VA2062","name":"VA2062","type":"Mic + rosoft.Sql/servers/databases/sqlVulnerabilityAssessments/baselines"} +``` ++**Example 2**: ++```azurepowershell-interactive +Connect-AzAccount -Subscription 00000000-1111-2222-3333-444444444444 +Import-Module .\SqlVulnerabilityAssessmentCommands.psm1 +Get-SqlVulnerabilityAssessmentBaselineRule -SubscriptionId 
00000000-1111-2222-3333-444444444444 -ResourceGroupName vulnerabilityaseessmenttestRg -ServerName vulnerabilityaseessmenttest -DatabaseName db ++Headers : {[Cache-Control, System.String[]], [Pragma, System.String[]], [x-ms-request-id, System.String[]], [Server, + System.String[]]…} +Version : 1.1 +StatusCode : 200 +Method : GET +Content : {"value":[{"properties":{"results":[["True"]]},"id":"/subscriptions/00000000-1111-2222-3333-444444444444/r + esourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/sqlVulnerab + ilityAssessments/Default/baselines/default/rules/VA1143","name":"VA1143","type":"Microsoft.Sql/servers/dat + abases/sqlVulnerabilityAssessments/baselines"},{"properties":{"results":[["False"]]},"id":"/subscriptions/ + 00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/m + igrationsql1/databases/db/sqlVulnerabilityAssessments/Default/baselines/default/rules/VA1219","name":"VA1 + 219","type":"Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/baselines"},{"properties":{"resul + ts":[["AllowAll","0.0.0.0","255.255.255.255"]]},"id":"/subscriptions/00000000-1111-2222-3333-444444444444/ + resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/sqlVulnera + bilityAssessments/Default/baselines/default/rules/VA2062","name":"VA2062","type":"Microsoft.Sql/servers/da + tabases/sqlVulnerabilityAssessments/baselines"}]} +``` ++### Remove SQL vulnerability assessment baseline rule ++```azurepowershell-interactive +Connect-AzAccount -Subscription 00000000-1111-2222-3333-444444444444 +Import-Module .\SqlVulnerabilityAssessmentCommands.psm1 +Remove-SqlVulnerabilityAssessmentBaselineRule -SubscriptionId 00000000-1111-2222-3333-444444444444 -ResourceGroupName vulnerabilityaseessmenttestRg -ServerName vulnerabilityaseessmenttest -DatabaseName db -RuleId VA2062 ++Headers : 
{[Cache-Control, System.String[]], [Pragma, System.String[]], [x-ms-request-id, System.String[]], [Server, + System.String[]]…} +Version : 1.1 +StatusCode : 200 +Method : DELETE +Content : +``` ++### Get SQL vulnerability assessment scan results ++**Example 1**: ++```azurepowershell-interactive +Connect-AzAccount -Subscription 00000000-1111-2222-3333-444444444444 +Import-Module .\SqlVulnerabilityAssessmentCommands.psm1 +Get-SqlVulnerabilityAssessmentScanResults -SubscriptionId 00000000-1111-2222-3333-444444444444 -ResourceGroupName vulnerabilityaseessmenttestRg -ServerName vulnerabilityaseessmenttest -DatabaseName db -ScanId latest -RuleId VA2062 ++Headers : {[Cache-Control, System.String[]], [Pragma, System.String[]], [x-ms-request-id, System.String[]], [Server, + System.String[]]…} +Version : 1.1 +StatusCode : 200 +Method : GET +Content : {"properties":{"ruleId":"VA2062","status":"NonFinding","errorMessage":null,"isTrimmed":false,"queryResults + ":[],"remediation":{"description":"Remove database firewall rules that grant excessive access","scripts":[ + ],"automated":false,"portalLink":""},"baselineAdjustedResult":null,"ruleMetadata":{"ruleId":"VA2062","seve + rity":"High","category":"SurfaceAreaReduction","ruleType":"NegativeList","title":"Database-level firewall + rules should not grant excessive access","description":"The Azure SQL Database-level firewall helps protec + t your data by preventing all access to your database until you specify which IP addresses have permission + . Database-level firewall rules grant access to the specific database based on the originating IP address + of each request.\n\nDatabase-level firewall rules for master and user databases can only be created and ma + naged through Transact-SQL (unlike server-level firewall rules which can also be created and managed using + the Azure portal or PowerShell). 
For more details please see: https://docs.microsoft.com/en-us/azure/sql- + database/sql-database-firewall-configure\n\nThis check verifies that each database-level firewall rule doe + s not grant access to more than 255 IP addresses.","rationale":"Often, administrators add rules that grant + excessive access as part of a troubleshooting process - to eliminate the firewall as the source of a prob + lem, they simply create a rule that allows all traffic to pass to the affected database.\n\nGranting exces + sive access using database firewall rules is a clear security concern, as it violates the principle of lea + st privilege by allowing unnecessary access to your database. In fact, it's the equivalent of placing the + database outside of the firewall.","queryCheck":{"query":"SELECT name AS [Firewall Rule Name]\n ,start_ + ip_address AS [Start Address]\n ,end_ip_address AS [End Address]\nFROM sys.database_firewall_rules\nWHE + RE ( \n (CONVERT(bigint, parsename(end_ip_address, 1)) +\n CONVERT(bigint, parsename(end_ip + _address, 2)) * 256 + \n CONVERT(bigint, parsename(end_ip_address, 3)) * 65536 + \n CONVER + T(bigint, parsename(end_ip_address, 4)) * 16777216 ) \n - \n (CONVERT(bigint, parsename(star + t_ip_address, 1)) +\n CONVERT(bigint, parsename(start_ip_address, 2)) * 256 + \n CONVERT(b + igint, parsename(start_ip_address, 3)) * 65536 + \n CONVERT(bigint, parsename(start_ip_address, 4) + ) * 16777216 )\n ) > 255","expectedResult":[],"columnNames":["Firewall Rule Name","Start Address","En + d Address"]},"benchmarkReferences":[]}},"id":"/subscriptions/00000000-1111-2222-3333-444444444444/resource + Groups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/sqlVulnerabilityAs + sessments/Default/scans/VA2062/scanResults/VA2062","name":"VA2062","type":"Microsoft.Sql/servers/databases + /sqlVulnerabilityAssessments/scans/scanResults"} +``` ++**Example 2**: ++```azurepowershell-interactive +Connect-AzAccount 
-Subscription 00000000-1111-2222-3333-444444444444 +Import-Module .\SqlVulnerabilityAssessmentCommands.psm1 +Get-SqlVulnerabilityAssessmentScanResults -SubscriptionId 00000000-1111-2222-3333-444444444444 -ResourceGroupName vulnerabilityaseessmenttestRg -ServerName vulnerabilityaseessmenttest -DatabaseName db -ScanId latest ++Headers : {[Cache-Control, System.String[]], [Pragma, System.String[]], [x-ms-request-id, System.String[]], [Server, + System.String[]]…} +Version : 1.1 +StatusCode : 200 +Method : GET +Content : {"value":[ + {"properties":{"ruleId":"VA1219","status":"No + nFinding","errorMessage":null,"isTrimmed":false,"queryResults":[["False"]],"remediation":{"description":"E + nable TDE on the affected databases","scripts":[],"automated":false,"portalLink":"EnableTDE"},"baselineAdj + ustedResult":{"baseline":{"expectedResults":[["False"]],"updatedTime":"2023-05-15T08:52:39.3476874+00:00"} + ,"status":"NonFinding","resultsNotInBaseline":[],"resultsOnlyInBaseline":[]},"ruleMetadata":{"ruleId":"VA1 + 219","severity":"Medium","category":"DataProtection","ruleType":"Binary","title":"Transparent data encrypt + ion should be enabled","description":"Transparent data encryption (TDE) helps to protect the database file + s against information disclosure by performing real-time encryption and decryption of the database, associ + ated backups, and transaction log files 'at rest', without requiring changes to the application. 
This rule + checks that TDE is enabled on the database.","rationale":"Transparent Data Encryption (TDE) protects data + 'at rest', meaning the data and log files are encrypted when stored on disk.","queryCheck":{"query":"SELE + CT CASE\n WHEN EXISTS (\n SELECT *\n FROM sys.databases\n + WHERE db_name(database_id) = db_name()\n AND is_encrypted = 0\n )\n + THEN 1\n ELSE 0\n END AS [Violation]","expectedResult":[["0"]],"columnNames":["Vi + olation"]},"benchmarkReferences":[{"benchmark":"FedRAMP","reference":null}]}},"id":"/subscriptions/f000000 + 00-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/ + vulnerabilityaseessmenttest/databases/db/sqlVulnerabilityAssessments/Default/scans/VA1219/scanResults/VA1219","name":"VA1219"," + type":"Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/scans/scanResults"},{"prope + rties":{"ruleId":"VA1223","status":"NonFinding","errorMessage":null,"isTrimmed":false,"queryResults":[],"r + emediation":{"description":"Create new certificates, re-encrypt the data/sign-data using the new key, and + drop the affected keys.","scripts":[],"automated":false,"portalLink":""},"baselineAdjustedResult":null,"ru + leMetadata":{"ruleId":"VA1223","severity":"High","category":"DataProtection","ruleType":"NegativeList","ti + tle":"Certificate keys should use at least 2048 bits","description":"Certificate keys are used in RSA and + other encryption algorithms to protect data. These keys need to be of enough length to secure the user's d + ata. This rule checks that the key's length is at least 2048 bits for all certificates.","rationale":"Key + length defines the upper-bound on the encryption algorithm's security. 
Using short keys in encryption algo + rithms may lead to weaknesses in data-at-rest protection.","queryCheck":{"query":"SELECT name AS [Certific + ate Name], thumbprint AS [Thumbprint]\nFROM sys.certificates\nWHERE key_length < 2048","expectedResult":[] + ,"columnNames":["Certificate Name","Thumbprint"]},"benchmarkReferences":[{"benchmark":"FedRAMP","reference + ":null}]}},"id":"/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/p + roviders/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/sqlVulnerabilityAssessments/Default/scans/VA122 + 3/scanResults/VA1223","name":"VA1223","type":"Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/ + scans/scanResults"}]} +``` ++### Get SQL vulnerability assessment scan ++**Example 1**: ++```azurepowershell-interactive +Connect-AzAccount -Subscription 00000000-1111-2222-3333-444444444444 +Import-Module .\SqlVulnerabilityAssessmentCommands.psm1 +Get-SqlVulnerabilityAssessmentScans -SubscriptionId 00000000-1111-2222-3333-444444444444 -ResourceGroupName vulnerabilityaseessmenttestRg -ServerName vulnerabilityaseessmenttest -DatabaseName db -ScanId latest ++Headers : {[Cache-Control, System.String[]], [Pragma, System.String[]], [x-ms-request-id, System.String[]], [Server, + System.String[]]…} +Version : 1.1 +StatusCode : 200 +Method : GET +Content : {"properties":{"scanId":"f64d81a1-9d7b-4516-a623-a1bfc845ed7e","triggerType":"OnDemand","state":"Passed"," + startTime":"2023-04-17T12:52:41.4142209Z","endTime":"2023-04-17T12:52:41.5235755Z","server":"vulnerabilityaseessmenttest + ","database":"db","sqlVersion":"16.0.5100","highSeverityFailedRulesCount":0,"mediumSeverityFailedRulesCou + nt":0,"lowSeverityFailedRulesCount":0,"totalPassedRulesCount":24,"totalFailedRulesCount":0,"totalRulesCoun + t":24,"isBaselineApplied":true},"id":"/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/m + 
igrationscripttests/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/vulnerabilityAssessments/D + efault/scans/f64d81a1-9d7b-4516-a623-a1bfc845ed7e","name":"f64d81a1-9d7b-4516-a623-a1bfc845ed7e","type":"M + icrosoft.Sql/servers/databases/vulnerabilityAssessments/scans"} +``` ++**Example 2**: ++```azurepowershell-interactive +Connect-AzAccount -Subscription 00000000-1111-2222-3333-444444444444 +Import-Module .\SqlVulnerabilityAssessmentCommands.psm1 +Get-SqlVulnerabilityAssessmentScans -SubscriptionId 00000000-1111-2222-3333-444444444444 -ResourceGroupName vulnerabilityaseessmenttestRg -ServerName vulnerabilityaseessmenttest -DatabaseName db ++Headers : {[Cache-Control, System.String[]], [Pragma, System.String[]], [x-ms-request-id, System.String[]], [Server, + System.String[]]…} +Version : 1.1 +StatusCode : 200 +Method : GET +Content : {"value":[{"properties":{"scanId":"f64d81a1-9d7b-4516-a623-a1bfc845ed7e","triggerType":"OnDemand","state": + "Passed","startTime":"2023-04-17T12:52:41.4142209Z","endTime":"2023-04-17T12:52:41.5235755Z","server": + "vulnerabilityaseessmenttest","database":"db","sqlVersion":"16.0.5100","highSeverityFailedRulesCount":0,"mediumSeverityFail + edRulesCount":0,"lowSeverityFailedRulesCount":0,"totalPassedRulesCount":24,"totalFailedRulesCount":0,"tota + lRulesCount":24,"isBaselineApplied":true},"id":"/subscriptions/00000000-1111-2222-3333-444444444444/resour + ceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/vulnerabilityAss + essments/Default/scans/f64d81a1-9d7b-4516-a623-a1bfc845ed7e","name":"f64d81a1-9d7b-4516-a623-a1bfc845ed7e" + ,"type":"Microsoft.Sql/servers/databases/vulnerabilityAssessments/scans"}]} +``` ++### Invoke SQL vulnerability assessment scan ++```azurepowershell-interactive +Connect-AzAccount -Subscription 00000000-1111-2222-3333-444444444444 +Import-Module .\SqlVulnerabilityAssessmentCommands.psm1 +Invoke-SqlVulnerabilityAssessmentScan 
-SubscriptionId 00000000-1111-2222-3333-444444444444 -ResourceGroupName vulnerabilityaseessmenttestRg -ServerName vulnerabilityaseessmenttest -DatabaseName db ++Headers : {[Cache-Control, System.String[]], [Pragma, System.String[]], [Location, System.String[]], [Retry-After, S + ystem.String[]]…} +Version : 1.1 +StatusCode : 202 +Method : POST +Content : {"operation":"ExecuteDatabaseVulnerabilityAssessmentScan","startTime":"2023-05-15T10:58:48.367Z"} +``` ++### Get SQL vulnerability assessment server setting ++```azurepowershell-interactive +Connect-AzAccount -Subscription 00000000-1111-2222-3333-444444444444 +Import-Module .\SqlVulnerabilityAssessmentCommands.psm1 +Get-SqlVulnerabilityAssessmentServerSetting -SubscriptionId 00000000-1111-2222-3333-444444444444 -ResourceGroupName vulnerabilityaseessmenttestRg -ServerName vulnerabilityaseessmenttest ++Headers : {[Cache-Control, System.String[]], [Pragma, System.String[]], [x-ms-request-id, System.String[]], [Server, + System.String[]]…} +Version : 1.1 +StatusCode : 200 +Method : GET +Content : {"properties":{"state":"Enabled"},"id":"/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups + /vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/sqlVulnerabilityAssessments/Default"," + name":"Default","type":"Microsoft.Sql/servers/sqlVulnerabilityAssessments"} +``` ++### Set SQL vulnerability assessment server setting ++**Example 1**: ++```azurepowershell-interactive +Connect-AzAccount -Subscription 00000000-1111-2222-3333-444444444444 +Import-Module .\SqlVulnerabilityAssessmentCommands.psm1 +Set-SqlVulnerabilityAssessmentServerSetting -SubscriptionId 00000000-1111-2222-3333-444444444444 -ResourceGroupName vulnerabilityaseessmenttestRg -ServerName vulnerabilityaseessmenttest -State 'Enabled' ++Headers : {[Cache-Control, System.String[]], [Pragma, System.String[]], [x-ms-request-id, System.String[]], [Server, + System.String[]]…} +Version : 1.1 +StatusCode : 200 +Method : 
PUT +Content : {"properties":{"state":"Enabled"},"id":"/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups + /vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/sqlVulnerabilityAssessments/Default"," + name":"Default","type":"Microsoft.Sql/servers/sqlVulnerabilityAssessments"} +``` ++**Example 2**: ++```azurepowershell-interactive +Connect-AzAccount -Subscription 00000000-1111-2222-3333-444444444444 +Import-Module .\SqlVulnerabilityAssessmentCommands.psm1 +Set-SqlVulnerabilityAssessmentServerSetting -SubscriptionId 00000000-1111-2222-3333-444444444444 -ResourceGroupName vulnerabilityaseessmenttestRg -ServerName vulnerabilityaseessmenttest -State 'Disabled' ++Headers : {[Cache-Control, System.String[]], [Pragma, System.String[]], [x-ms-request-id, System.String[]], [Server, + System.String[]]…} +Version : 1.1 +StatusCode : 200 +Method : PUT +Content : {"properties":{"state":"Disabled"},"id":"/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroup + s/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/sqlVulnerabilityAssessments/Default", + "name":"Default","type":"Microsoft.Sql/servers/sqlVulnerabilityAssessments"} +``` ++### Remove SQL vulnerability assessment server setting ++```azurepowershell-interactive +Connect-AzAccount -Subscription 00000000-1111-2222-3333-444444444444 +Import-Module .\SqlVulnerabilityAssessmentCommands.psm1 +Remove-SqlVulnerabilityAssessmentServerSetting -SubscriptionId 00000000-1111-2222-3333-444444444444 -ResourceGroupName vulnerabilityaseessmenttestRg -ServerName vulnerabilityaseessmenttest +++Headers : {[Pragma, System.String[]], [x-ms-request-id, System.String[]], [x-ms-ratelimit-remaining-subscription-deletes, System.String[]], [x-ms-correlation-request-id, System.String[]]...} +Version : 1.1 +StatusCode : 200 +Method : DELETE +Content : +``` ++## Next steps ++[Find and remediate vulnerabilities in your Azure SQL 
databases](sql-azure-vulnerability-assessment-find.md) |
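Review bot: the sample outputs in the Change details are not consistently sanitized, which will confuse readers who compare the command line with the returned `id`: the `Get-SqlVulnerabilityAssessmentBaselineRule` Example 2 content places the VA1219 rule under `servers/migrationsql1`, the `Get-SqlVulnerabilityAssessmentScanResults` Example 2 content starts its id with `/subscriptions/f00000000-1111-2222-3333-444444444444/`, and the `Get-SqlVulnerabilityAssessmentScans` Example 1 content sits under `resourceGroups/migrationscripttests`, while every command in the article targets subscription `00000000-1111-2222-3333-444444444444`, resource group `vulnerabilityaseessmenttestRg` and server `vulnerabilityaseessmenttest`; replace these leftovers with the same placeholders so nobody infers the commands return resources from other servers or resource groups. A second point, at the Set baseline Example 2 and the Set baseline rule example: both bodies baseline VA2062 with an `AllowAll` `0.0.0.0` to `255.255.255.255` firewall rule, and the VA2062 metadata quoted later in the same article rates that condition High severity and calls it a least-privilege violation, so a sentence next to those examples should say that a baseline only stops the scan from reporting a result the team has reviewed and accepted, and is not a remediation of the finding.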
defender-for-cloud | Express Configuration Sql Commands | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/express-configuration-sql-commands.md | + + Title: Express configuration PowerShell wrapper module +description: In this article, you can review the express configuration SQL vulnerability assessment PowerShell commands reference and copy example scripts to use in your environments. +++ Last updated : 06/01/2023+++# Express configuration PowerShell wrapper module ++This article contains the PowerShell wrapper for SQL vulnerability assessment express configuration. ++You should make a local copy of the script and save the file with the following file name `SqlVulnerabilityAssessmentCommands.psm1`. +++After you have made a local copy of the wrapper you should use the [Express configuration PowerShell commands reference](express-configuration-powershell-commands.md). ++## SqlVulnerabilityAssessmentCommands.psm1 ++```powershell +#Requires -Modules @{ ModuleName="Az.Sql"; ModuleVersion="3.11.0" } +#Requires -Modules @{ ModuleName="Az.Accounts"; ModuleVersion="2.9.1" } +#Requires -Version 5.1 ++######SQL Vulnerability Assessment PowerShell Commands ###### +############################################################# ++###Sql Vulnerability Assessment Baseline### ++# Create Or Update +function Set-SqlVulnerabilityAssessmentBaseline([parameter(mandatory)] [string] $SubscriptionId, [parameter(mandatory)] [string] $ResourceGroupName, [parameter(mandatory)] [string] $ServerName, [parameter(mandatory)] [string] $DatabaseName, [parameter(mandatory)] [string] $Body) { + <# + .SYNOPSIS + Sets vulnerability assessment baselines on the database. ++ .DESCRIPTION + Sets vulnerability assessment baselines on the database. ++ .PARAMETER SubscriptionId + Subscription id. ++ .PARAMETER ResourceGroupName + Resource group name. ++ .PARAMETER ServerName + Server name. ++ .PARAMETER DatabaseName + Database name. ++ .PARAMETER Body + Baseline. 
++ .EXAMPLE + Set-SqlVulnerabilityAssessmentBaseline -SubscriptionId 00000000-1111-2222-3333-444444444444 -ResourceGroupName vulnerabilityaseessmenttestRg -ServerName vulnerabilityaseessmenttest -DatabaseName db -Body '{ "properties": { "latestScan": true, "results": {} }}' + Headers : {[Pragma, System.String[]], [x-ms-request-id, System.String[]], [x-ms-ratelimit-remaining-subscription-writes, System.String[]], [x-ms-correlation-request-id, System.String[]]...} + Version : 1.1 + StatusCode : 200 + Method : PUT + Content : {"properties":{"results":{"VA1143":[["True"]],"VA1219":[["False"]]}},"id":"/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/serv + ers/vulnerabilityaseessmenttest/databases/db/sqlVulnerabilityAssessments/Default/baselines/Default","name":"Default","type":"Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/baselines"} ++ .EXAMPLE + Set-SqlVulnerabilityAssessmentBaseline -SubscriptionId 00000000-1111-2222-3333-444444444444-ResourceGroupName vulnerabilityaseessmenttestRg -ServerName vulnerabilityaseessmenttest -DatabaseName db -Body '{ + "properties": { + "latestScan": false, + "results": { + "VA2062": [ + [ + "AllowAll", + "0.0.0.0", + "255.255.255.255" + ] + ] + } + } + }' + Headers : {[Pragma, System.String[]], [x-ms-request-id, System.String[]], [x-ms-ratelimit-remaining-subscription-writes, System.String[]], [x-ms-correlation-request-id, System.String[]]...} + Version : 1.1 + StatusCode : 200 + Method : PUT + Content : {"properties":{"results":{"VA2062":[["AllowAll","0.0.0.0","255.255.255.255"]]}},"id":"/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microso + ft.Sql/servers/vulnerabilityaseessmenttest/databases/db/sqlVulnerabilityAssessments/Default/baselines/Default","name":"Default","type":"Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/baseline + s"} + #> + if ($DatabaseName -eq 'master') { 
+ $Uri = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName/sqlVulnerabilityAssessments/default/baselines/default?api-version=2022-02-01-preview&systemDatabaseName=master" + } else { + $Uri = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName/databases/$DatabaseName/sqlVulnerabilityAssessments/default/baselines/default?api-version=2022-02-01-preview" + } ++ return SendRestRequest -Method "Put" -Uri $Uri -Body $Body +} ++# Get +function Get-SqlVulnerabilityAssessmentBaseline([parameter(mandatory)] [string] $SubscriptionId, [parameter(mandatory)] [string] $ResourceGroupName, [parameter(mandatory)] [string] $ServerName, [parameter(mandatory)] [string] $DatabaseName) { + <# + .SYNOPSIS + Gets vulnerability assessment baselines for the user database. ++ .DESCRIPTION + Gets vulnerability assessment baselines for the user database. ++ .PARAMETER SubscriptionId + Subscription id. ++ .PARAMETER ResourceGroupName + Resource group name. ++ .PARAMETER ServerName + Server name. ++ .PARAMETER DatabaseName + Database name. 
++ .EXAMPLE + Get-SqlVulnerabilityAssessmentBaseline -SubscriptionId 00000000-1111-2222-3333-444444444444-ResourceGroupName vulnerabilityaseessmenttestRg -ServerName vulnerabilityaseessmenttest -DatabaseName db + Headers : {[Pragma, System.String[]], [x-ms-request-id, System.String[]], [x-ms-ratelimit-remaining-subscription-reads, System.String[]], [x-ms-correlation-request-id, System.String[]]...} + Version : 1.1 + StatusCode : 200 + Method : GET + Content : {"properties":{"results":{"VA1143":[["True"]],"VA1219":[["False"]]}},"id":"/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/serv + ers/vulnerabilityaseessmenttest/databases/db/sqlVulnerabilityAssessments/Default/baselines/Default","name":"Default","type":"Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/baselines"} + #> ++ if ($DatabaseName -eq 'master') { + $Uri = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName/sqlVulnerabilityAssessments/default/baselines/default?api-version=2022-02-01-preview&systemDatabaseName=master" + } else { + $Uri = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName/databases/$DatabaseName/sqlVulnerabilityAssessments/default/baselines/default?api-version=2022-02-01-preview" + } + return SendRestRequest -Method "Get" -Uri $Uri +} ++###Database Sql Vulnerability Assessment Rule Baselines### ++# Create Or Update +function Set-SqlVulnerabilityAssessmentBaselineRule([parameter(mandatory)] [string] $SubscriptionId, [parameter(mandatory)] [string] $ResourceGroupName, [parameter(mandatory)] [string] $ServerName, [parameter(mandatory)] [string] $DatabaseName, [parameter(mandatory)] [string] $RuleId, [parameter(mandatory)] [string] $Body) { + <# + .SYNOPSIS + Sets vulnerability assessment baseline for a specific rule on the database. 
++ .DESCRIPTION + Sets vulnerability assessment baseline for a specific rule on the database. ++ .PARAMETER SubscriptionId + Subscription id. ++ .PARAMETER ResourceGroupName + Resource group name. ++ .PARAMETER ServerName + Server name. ++ .PARAMETER DatabaseName + Database name. ++ .PARAMETER RuleId + Rule id. ++ .PARAMETER Body + Baseline. ++ .EXAMPLE + Set-SqlVulnerabilityAssessmentBaselineRule -SubscriptionId 00000000-1111-2222-3333-444444444444-ResourceGroupName vulnerabilityaseessmenttestRg -ServerName vulnerabilityaseessmenttest -DatabaseName db -RuleId VA2062 -Body '{ + "properties": { + "latestScan": false, + "results": [ + [ + "AllowAll", + "0.0.0.0", + "255.255.255.255" + ] + ] + } + }' + Headers : {[Cache-Control, System.String[]], [Pragma, System.String[]], [x-ms-request-id, System.String[]], [Server, + System.String[]]…} + Version : 1.1 + StatusCode : 200 + Method : PUT + Content : {"properties":{"results":[["AllowAll","0.0.0.0","255.255.255.255"]]},"id":"/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/dat + abases/db/sqlVulnerabilityAssessments/Default/baselines/default/rules/VA2062","name":"VA2062","type":"Mic + rosoft.Sql/servers/databases/sqlVulnerabilityAssessments/baselines"} + #> + if ($DatabaseName -eq 'master') { + $Uri = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName/sqlVulnerabilityAssessments/default/baselines/default/rules/$RuleId" + "?api-version=2022-02-01-preview&systemDatabaseName=master" + } else { + $Uri = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName/databases/$DatabaseName/sqlVulnerabilityAssessments/default/baselines/default/rules/$RuleId" + "?api-version=2022-02-01-preview" + } ++ return SendRestRequest -Method "Put" -Uri $Uri -Body $Body +} ++# Get +function 
Get-SqlVulnerabilityAssessmentBaselineRule([parameter(mandatory)] [string] $SubscriptionId, [parameter(mandatory)] [string] $ResourceGroupName, [parameter(mandatory)] [string] $ServerName, [parameter(mandatory)] [string] $DatabaseName, $RuleId) { + <# + .SYNOPSIS + Gets vulnerability assessment baseline for a specific rule from the database. ++ .DESCRIPTION + Gets vulnerability assessment baseline for a specific rule from the database. ++ .PARAMETER SubscriptionId + Subscription id. ++ .PARAMETER ResourceGroupName + Resource group name. ++ .PARAMETER ServerName + Server name. ++ .PARAMETER DatabaseName + Database name. ++ .PARAMETER RuleId + Rule id. ++ .EXAMPLE + Get-SqlVulnerabilityAssessmentBaselineRule -SubscriptionId 00000000-1111-2222-3333-444444444444-ResourceGroupName vulnerabilityaseessmenttestRg -ServerName vulnerabilityaseessmenttest -DatabaseName db -RuleId VA2062 + Headers : {[Cache-Control, System.String[]], [Pragma, System.String[]], [x-ms-request-id, System.String[]], [Server, + System.String[]]…} + Version : 1.1 + StatusCode : 200 + Method : GET + Content : {"properties":{"results":[["AllowAll","0.0.0.0","255.255.255.255"]]},"id":"/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/dat + abases/db/sqlVulnerabilityAssessments/Default/baselines/default/rules/VA2062","name":"VA2062","type":"Mic + rosoft.Sql/servers/databases/sqlVulnerabilityAssessments/baselines"} ++ .EXAMPLE + Get-SqlVulnerabilityAssessmentBaselineRule -SubscriptionId 00000000-1111-2222-3333-444444444444-ResourceGroupName vulnerabilityaseessmenttestRg -ServerName vulnerabilityaseessmenttest -DatabaseName db + Headers : {[Cache-Control, System.String[]], [Pragma, System.String[]], [x-ms-request-id, System.String[]], [Server, + System.String[]]…} + Version : 1.1 + StatusCode : 200 + Method : GET + Content : 
{"value":[{"properties":{"results":[["True"]]},"id":"/subscriptions/00000000-1111-2222-3333-444444444444/r + esourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/sqlVulnerab + ilityAssessments/Default/baselines/default/rules/VA1143","name":"VA1143","type":"Microsoft.Sql/servers/dat + abases/sqlVulnerabilityAssessments/baselines"},{"properties":{"results":[["False"]]},"id":"/subscriptions/ + 00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/m + igrationsql1/databases/db/sqlVulnerabilityAssessments/Default/baselines/default/rules/VA1219","name":"VA1 + 219","type":"Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/baselines"},{"properties":{"resul + ts":[["AllowAll","0.0.0.0","255.255.255.255"]]},"id":"/subscriptions/00000000-1111-2222-3333-444444444444/ + resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/sqlVulnera + bilityAssessments/Default/baselines/default/rules/VA2062","name":"VA2062","type":"Microsoft.Sql/servers/da + tabases/sqlVulnerabilityAssessments/baselines"}]} + #> + if ($DatabaseName -eq 'master') { + $Uri = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName/sqlVulnerabilityAssessments/default/baselines/default/rules/$RuleId" + "?api-version=2022-02-01-preview&systemDatabaseName=master" + } else { + $Uri = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName/databases/$DatabaseName/sqlVulnerabilityAssessments/default/baselines/default/rules/$RuleId" + "?api-version=2022-02-01-preview" + } ++ return SendRestRequest -Method "Get" -Uri $Uri +} ++# Remove +function Remove-SqlVulnerabilityAssessmentBaselineRule([parameter(mandatory)] [string] $SubscriptionId, [parameter(mandatory)] [string] $ResourceGroupName, [parameter(mandatory)] [string] 
$ServerName, [parameter(mandatory)] [string] $DatabaseName, [parameter(mandatory)] [string] $RuleId) { + <# + .SYNOPSIS + Deletes vulnerability assessment baseline for a specific rule from the database. ++ .DESCRIPTION + Deletes vulnerability assessment baseline for a specific rule from the database. ++ .PARAMETER SubscriptionId + Subscription id. ++ .PARAMETER ResourceGroupName + Resource group name. ++ .PARAMETER ServerName + Server name. ++ .PARAMETER DatabaseName + Database name. ++ .PARAMETER RuleId + Rule id. ++ .EXAMPLE + Remove-SqlVulnerabilityAssessmentBaselineRule -SubscriptionId 00000000-1111-2222-3333-444444444444-ResourceGroupName vulnerabilityaseessmenttestRg -ServerName vulnerabilityaseessmenttest -DatabaseName db -RuleId VA2062 + Headers : {[Cache-Control, System.String[]], [Pragma, System.String[]], [x-ms-request-id, System.String[]], [Server, + System.String[]]…} + Version : 1.1 + StatusCode : 200 + Method : DELETE + Content : + #> + if ($DatabaseName -eq 'master') { + $Uri = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName/sqlVulnerabilityAssessments/default/baselines/default/rules/$RuleId" + "?api-version=2022-02-01-preview&systemDatabaseName=master" + } else { + $Uri = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName/databases/$DatabaseName/sqlVulnerabilityAssessments/default/baselines/default/rules/$RuleId" + "?api-version=2022-02-01-preview" + } ++ return SendRestRequest -Method "Delete" -Uri $Uri +} ++###Sql Vulnerability Assessment Scan Result### ++# Get +function Get-SqlVulnerabilityAssessmentScanResults([parameter(mandatory)] [string] $SubscriptionId, [parameter(mandatory)] [string] $ResourceGroupName, [parameter(mandatory)] [string] $ServerName, [parameter(mandatory)] [string] $DatabaseName, [parameter(mandatory)] [string] $ScanId, $RuleId) { + <# + .SYNOPSIS + Gets vulnerability assessment scan results for a specific 
rule from the database. ++ .DESCRIPTION + Gets vulnerability assessment scan results for a specific rule from the database. ++ .PARAMETER SubscriptionId + Subscription id. ++ .PARAMETER ResourceGroupName + Resource group name. ++ .PARAMETER ServerName + Server name. ++ .PARAMETER DatabaseName + Database name. ++ .PARAMETER ScanId + Scan id. ++ .PARAMETER RuleId + Rule id. ++ .EXAMPLE + Get-SqlVulnerabilityAssessmentScanResults -SubscriptionId 00000000-1111-2222-3333-444444444444-ResourceGroupName vulnerabilityaseessmenttestRg -ServerName vulnerabilityaseessmenttest -DatabaseName db -ScanId latest -RuleId VA2062 + Headers : {[Cache-Control, System.String[]], [Pragma, System.String[]], [x-ms-request-id, System.String[]], [Server, + System.String[]]…} + Version : 1.1 + StatusCode : 200 + Method : GET + Content : {"properties":{"ruleId":"VA2062","status":"NonFinding","errorMessage":null,"isTrimmed":false,"queryResults + ":[],"remediation":{"description":"Remove database firewall rules that grant excessive access","scripts":[ + ],"automated":false,"portalLink":""},"baselineAdjustedResult":null,"ruleMetadata":{"ruleId":"VA2062","seve + rity":"High","category":"SurfaceAreaReduction","ruleType":"NegativeList","title":"Database-level firewall + rules should not grant excessive access","description":"The Azure SQL Database-level firewall helps protec + t your data by preventing all access to your database until you specify which IP addresses have permission + . Database-level firewall rules grant access to the specific database based on the originating IP address + of each request.\n\nDatabase-level firewall rules for master and user databases can only be created and ma + naged through Transact-SQL (unlike server-level firewall rules which can also be created and managed using + the Azure portal or PowerShell). 
For more details please see: https://docs.microsoft.com/en-us/azure/sql- + database/sql-database-firewall-configure\n\nThis check verifies that each database-level firewall rule doe + s not grant access to more than 255 IP addresses.","rationale":"Often, administrators add rules that grant + excessive access as part of a troubleshooting process - to eliminate the firewall as the source of a prob + lem, they simply create a rule that allows all traffic to pass to the affected database.\n\nGranting exces + sive access using database firewall rules is a clear security concern, as it violates the principle of lea + st privilege by allowing unnecessary access to your database. In fact, it's the equivalent of placing the + database outside of the firewall.","queryCheck":{"query":"SELECT name AS [Firewall Rule Name]\n ,start_ + ip_address AS [Start Address]\n ,end_ip_address AS [End Address]\nFROM sys.database_firewall_rules\nWHE + RE ( \n (CONVERT(bigint, parsename(end_ip_address, 1)) +\n CONVERT(bigint, parsename(end_ip + _address, 2)) * 256 + \n CONVERT(bigint, parsename(end_ip_address, 3)) * 65536 + \n CONVER + T(bigint, parsename(end_ip_address, 4)) * 16777216 ) \n - \n (CONVERT(bigint, parsename(star + t_ip_address, 1)) +\n CONVERT(bigint, parsename(start_ip_address, 2)) * 256 + \n CONVERT(b + igint, parsename(start_ip_address, 3)) * 65536 + \n CONVERT(bigint, parsename(start_ip_address, 4) + ) * 16777216 )\n ) > 255","expectedResult":[],"columnNames":["Firewall Rule Name","Start Address","En + d Address"]},"benchmarkReferences":[]}},"id":"/subscriptions/00000000-1111-2222-3333-444444444444/resource + Groups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/sqlVulnerabilityAs + sessments/Default/scans/VA2062/scanResults/VA2062","name":"VA2062","type":"Microsoft.Sql/servers/databases + /sqlVulnerabilityAssessments/scans/scanResults"} ++ .EXAMPLE + Get-SqlVulnerabilityAssessmentScanResults -SubscriptionId 
00000000-1111-2222-3333-444444444444-ResourceGroupName vulnerabilityaseessmenttestRg -ServerName vulnerabilityaseessmenttest -DatabaseName db -ScanId latest + Headers : {[Cache-Control, System.String[]], [Pragma, System.String[]], [x-ms-request-id, System.String[]], [Server, + System.String[]]…} + Version : 1.1 + StatusCode : 200 + Method : GET + Content : {"value":[ + {"properties":{"ruleId":"VA1219","status":"No + nFinding","errorMessage":null,"isTrimmed":false,"queryResults":[["False"]],"remediation":{"description":"E + nable TDE on the affected databases","scripts":[],"automated":false,"portalLink":"EnableTDE"},"baselineAdj + ustedResult":{"baseline":{"expectedResults":[["False"]],"updatedTime":"2023-05-15T08:52:39.3476874+00:00"} + ,"status":"NonFinding","resultsNotInBaseline":[],"resultsOnlyInBaseline":[]},"ruleMetadata":{"ruleId":"VA1 + 219","severity":"Medium","category":"DataProtection","ruleType":"Binary","title":"Transparent data encrypt + ion should be enabled","description":"Transparent data encryption (TDE) helps to protect the database file + s against information disclosure by performing real-time encryption and decryption of the database, associ + ated backups, and transaction log files 'at rest', without requiring changes to the application. 
This rule + checks that TDE is enabled on the database.","rationale":"Transparent Data Encryption (TDE) protects data + 'at rest', meaning the data and log files are encrypted when stored on disk.","queryCheck":{"query":"SELE + CT CASE\n WHEN EXISTS (\n SELECT *\n FROM sys.databases\n + WHERE db_name(database_id) = db_name()\n AND is_encrypted = 0\n )\n + THEN 1\n ELSE 0\n END AS [Violation]","expectedResult":[["0"]],"columnNames":["Vi + olation"]},"benchmarkReferences":[{"benchmark":"FedRAMP","reference":null}]}},"id":"/subscriptions/f000000 + 00-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/ + vulnerabilityaseessmenttest/databases/db/sqlVulnerabilityAssessments/Default/scans/VA1219/scanResults/VA1219","name":"VA1219"," + type":"Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/scans/scanResults"},{"prope + rties":{"ruleId":"VA1223","status":"NonFinding","errorMessage":null,"isTrimmed":false,"queryResults":[],"r + emediation":{"description":"Create new certificates, re-encrypt the data/sign-data using the new key, and + drop the affected keys.","scripts":[],"automated":false,"portalLink":""},"baselineAdjustedResult":null,"ru + leMetadata":{"ruleId":"VA1223","severity":"High","category":"DataProtection","ruleType":"NegativeList","ti + tle":"Certificate keys should use at least 2048 bits","description":"Certificate keys are used in RSA and + other encryption algorithms to protect data. These keys need to be of enough length to secure the user's d + ata. This rule checks that the key's length is at least 2048 bits for all certificates.","rationale":"Key + length defines the upper-bound on the encryption algorithm's security. 
Using short keys in encryption algo + rithms may lead to weaknesses in data-at-rest protection.","queryCheck":{"query":"SELECT name AS [Certific + ate Name], thumbprint AS [Thumbprint]\nFROM sys.certificates\nWHERE key_length < 2048","expectedResult":[] + ,"columnNames":["Certificate Name","Thumbprint"]},"benchmarkReferences":[{"benchmark":"FedRAMP","reference + ":null}]}},"id":"/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/vulnerabilityaseessmenttestRg/p + roviders/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/sqlVulnerabilityAssessments/Default/scans/VA122 + 3/scanResults/VA1223","name":"VA1223","type":"Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/ + scans/scanResults"}]} + #> ++ if ($DatabaseName -eq 'master') { + $Uri = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName/sqlVulnerabilityAssessments/default/scans/$ScanId/scanResults/$RuleId" + "?api-version=2022-02-01-preview&systemDatabaseName=master" + } else { + $Uri = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName/databases/$DatabaseName/sqlVulnerabilityAssessments/default/scans/$ScanId/scanResults/$RuleId" + "?api-version=2022-02-01-preview" + } + return SendRestRequest -Method "Get" -Uri $Uri +} ++###Sql Vulnerability Assessment Scans### ++# Get +function Get-SqlVulnerabilityAssessmentScans([parameter(mandatory)] [string] $SubscriptionId, [parameter(mandatory)] [string] $ResourceGroupName, [parameter(mandatory)] [string] $ServerName, [parameter(mandatory)] [string] $DatabaseName, $ScanId) { + <# + .SYNOPSIS + Gets vulnerability assessment scan summary from the database. ++ .DESCRIPTION + Gets vulnerability assessment scan summary from the database. ++ .PARAMETER SubscriptionId + Subscription id. ++ .PARAMETER ResourceGroupName + Resource group name. ++ .PARAMETER ServerName + Server name. ++ .PARAMETER DatabaseName + Database name. 
++ .PARAMETER ScanId + Scan id. ++ .EXAMPLE + Get-SqlVulnerabilityAssessmentScans -SubscriptionId 00000000-1111-2222-3333-444444444444-ResourceGroupName vulnerabilityaseessmenttestRg -ServerName vulnerabilityaseessmenttest -DatabaseName db -ScanId latest + Headers : {[Cache-Control, System.String[]], [Pragma, System.String[]], [x-ms-request-id, System.String[]], [Server, + System.String[]]…} + Version : 1.1 + StatusCode : 200 + Method : GET + Content : {"properties":{"scanId":"f64d81a1-9d7b-4516-a623-a1bfc845ed7e","triggerType":"OnDemand","state":"Passed"," + startTime":"2023-04-17T12:52:41.4142209Z","endTime":"2023-04-17T12:52:41.5235755Z","server":"vulnerabilityaseessmenttest + ","database":"db","sqlVersion":"16.0.5100","highSeverityFailedRulesCount":0,"mediumSeverityFailedRulesCou + nt":0,"lowSeverityFailedRulesCount":0,"totalPassedRulesCount":24,"totalFailedRulesCount":0,"totalRulesCoun + t":24,"isBaselineApplied":true},"id":"/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/m + igrationscripttests/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/vulnerabilityAssessments/D + efault/scans/f64d81a1-9d7b-4516-a623-a1bfc845ed7e","name":"f64d81a1-9d7b-4516-a623-a1bfc845ed7e","type":"M + icrosoft.Sql/servers/databases/vulnerabilityAssessments/scans"} ++ .EXAMPLE + Get-SqlVulnerabilityAssessmentScans -SubscriptionId 00000000-1111-2222-3333-444444444444-ResourceGroupName vulnerabilityaseessmenttestRg -ServerName vulnerabilityaseessmenttest -DatabaseName db + Headers : {[Cache-Control, System.String[]], [Pragma, System.String[]], [x-ms-request-id, System.String[]], [Server, + System.String[]]…} + Version : 1.1 + StatusCode : 200 + Method : GET + Content : {"value":[{"properties":{"scanId":"f64d81a1-9d7b-4516-a623-a1bfc845ed7e","triggerType":"OnDemand","state": + "Passed","startTime":"2023-04-17T12:52:41.4142209Z","endTime":"2023-04-17T12:52:41.5235755Z","server": + 
"vulnerabilityaseessmenttest","database":"db","sqlVersion":"16.0.5100","highSeverityFailedRulesCount":0,"mediumSeverityFail + edRulesCount":0,"lowSeverityFailedRulesCount":0,"totalPassedRulesCount":24,"totalFailedRulesCount":0,"tota + lRulesCount":24,"isBaselineApplied":true},"id":"/subscriptions/00000000-1111-2222-3333-444444444444/resour + ceGroups/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/databases/db/vulnerabilityAss + essments/Default/scans/f64d81a1-9d7b-4516-a623-a1bfc845ed7e","name":"f64d81a1-9d7b-4516-a623-a1bfc845ed7e" + ,"type":"Microsoft.Sql/servers/databases/vulnerabilityAssessments/scans"}]} + #> + if ($DatabaseName -eq 'master') { + $Uri = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName/sqlVulnerabilityAssessments/default/scans/$ScanId" + "?api-version=2022-02-01-preview&systemDatabaseName=master" + } else { + $Uri = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName/databases/$DatabaseName/sqlVulnerabilityAssessments/default/scans/$ScanId" + "?api-version=2022-02-01-preview" + } + return SendRestRequest -Method "Get" -Uri $Uri +} +++###Sql Vulnerability Assessment Execute Scan### ++# Invoke +function Invoke-SqlVulnerabilityAssessmentScan([parameter(mandatory)] [string] $SubscriptionId, [parameter(mandatory)] [string] $ResourceGroupName, [parameter(mandatory)] [string] $ServerName, [parameter(mandatory)] [string] $DatabaseName) { + <# + .SYNOPSIS + Runs vulnerability assessment scan on the database. ++ .DESCRIPTION + Runs vulnerability assessment scan on the database. ++ .PARAMETER SubscriptionId + Subscription id. ++ .PARAMETER ResourceGroupName + Resource group name. ++ .PARAMETER ServerName + Server name. ++ .PARAMETER DatabaseName + Database name. 
++ .EXAMPLE + Invoke-SqlVulnerabilityAssessmentScan -SubscriptionId 00000000-1111-2222-3333-444444444444-ResourceGroupName vulnerabilityaseessmenttestRg -ServerName vulnerabilityaseessmenttest -DatabaseName db + Headers : {[Cache-Control, System.String[]], [Pragma, System.String[]], [Location, System.String[]], [Retry-After, S + ystem.String[]]…} + Version : 1.1 + StatusCode : 202 + Method : POST + Content : {"operation":"ExecuteDatabaseVulnerabilityAssessmentScan","startTime":"2023-05-15T10:58:48.367Z"} + #> + if ($DatabaseName -eq 'master') { + $Uri = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName/sqlVulnerabilityAssessments/defualt/initiateScan?api-version=2022-02-01-preview&systemDatabaseName=master" + } else { + $Uri = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName/databases/$DatabaseName/sqlVulnerabilityAssessments/defualt/initiateScan?api-version=2022-02-01-preview" + } + SendRestRequest -Method "Post" -Uri $Uri +} +++###Sql Vulnerability Assessments Settings### ++# Get +function Get-SqlVulnerabilityAssessmentServerSetting([parameter(mandatory)] [string] $SubscriptionId, [parameter(mandatory)] [string] $ResourceGroupName, [parameter(mandatory)] [string] $ServerName) { + <# + .SYNOPSIS + Gets vulnerability assessment settings of the server. ++ .DESCRIPTION + Gets vulnerability assessment settings of the server. ++ .PARAMETER SubscriptionId + Subscription id. ++ .PARAMETER ResourceGroupName + Resource group name. ++ .PARAMETER ServerName + Server name. 
++ .EXAMPLE + Get-SqlVulnerabilityAssessmentServerSetting -SubscriptionId 00000000-1111-2222-3333-444444444444-ResourceGroupName vulnerabilityaseessmenttestRg -ServerName vulnerabilityaseessmenttest + Headers : {[Cache-Control, System.String[]], [Pragma, System.String[]], [x-ms-request-id, System.String[]], [Server, + System.String[]]…} + Version : 1.1 + StatusCode : 200 + Method : GET + Content : {"properties":{"state":"Enabled"},"id":"/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups + /vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/sqlVulnerabilityAssessments/Default"," + name":"Default","type":"Microsoft.Sql/servers/sqlVulnerabilityAssessments"} + #> + $Uri = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName/sqlVulnerabilityAssessments/default?api-version=2022-02-01-preview" + return SendRestRequest -Method "Get" -Uri $Uri +} ++# Set +function Set-SqlVulnerabilityAssessmentServerSetting([parameter(mandatory)] [string] $SubscriptionId, [parameter(mandatory)] [string] $ResourceGroupName, [parameter(mandatory)] [string] $ServerName, [parameter(mandatory)] [string] $State) { + <# + .SYNOPSIS + Sets vulnerability assessment settings on the server. ++ .DESCRIPTION + Sets vulnerability assessment settings on the server. ++ .PARAMETER SubscriptionId + Subscription id. ++ .PARAMETER ResourceGroupName + Resource group name. ++ .PARAMETER ServerName + Server name. ++ .PARAMETER State + Setting's state. 
++ .EXAMPLE + Set-SqlVulnerabilityAssessmentServerSetting -SubscriptionId 00000000-1111-2222-3333-444444444444-ResourceGroupName vulnerabilityaseessmenttestRg -ServerName vulnerabilityaseessmenttest -State 'Enabled' + Headers : {[Cache-Control, System.String[]], [Pragma, System.String[]], [x-ms-request-id, System.String[]], [Server, + System.String[]]…} + Version : 1.1 + StatusCode : 200 + Method : PUT + Content : {"properties":{"state":"Enabled"},"id":"/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups + /vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/sqlVulnerabilityAssessments/Default"," + name":"Default","type":"Microsoft.Sql/servers/sqlVulnerabilityAssessments"} ++ .EXAMPLE + Set-SqlVulnerabilityAssessmentServerSetting -SubscriptionId 00000000-1111-2222-3333-444444444444-ResourceGroupName vulnerabilityaseessmenttestRg -ServerName vulnerabilityaseessmenttest -State 'Disabled' + Headers : {[Cache-Control, System.String[]], [Pragma, System.String[]], [x-ms-request-id, System.String[]], [Server, + System.String[]]…} + Version : 1.1 + StatusCode : 200 + Method : PUT + Content : {"properties":{"state":"Disabled"},"id":"/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroup + s/vulnerabilityaseessmenttestRg/providers/Microsoft.Sql/servers/vulnerabilityaseessmenttest/sqlVulnerabilityAssessments/Default", + "name":"Default","type":"Microsoft.Sql/servers/sqlVulnerabilityAssessments"} + #> + $Body = @{ + properties = @{ + state = $State + } + } + $Body = $Body | ConvertTo-Json ++ $Uri = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName/sqlVulnerabilityAssessments/default?api-version=2022-02-01-preview" + return SendRestRequest -Method "Put" -Uri $Uri -Body $Body +} ++# Remove +function Remove-SqlVulnerabilityAssessmentServerSetting([parameter(mandatory)] [string] $SubscriptionId, [parameter(mandatory)] [string] $ResourceGroupName, 
[parameter(mandatory)] [string] $ServerName) { + <# + .SYNOPSIS + Deletes vulnerability assessment settings on the server. ++ .DESCRIPTION + Deletes vulnerability assessment settings on the server. ++ .PARAMETER SubscriptionId + Subscription id. ++ .PARAMETER ResourceGroupName + Resource group name. ++ .PARAMETER ServerName + Server name. ++ .EXAMPLE + Headers : {[Pragma, System.String[]], [x-ms-request-id, System.String[]], [x-ms-ratelimit-remaining-subscription-deletes, System.String[]], [x-ms-correlation-request-id, System.String[]]...} + Version : 1.1 + StatusCode : 200 + Method : DELETE + Content : + #> ++ $Uri = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName/sqlVulnerabilityAssessments/default?api-version=2022-02-01-preview" + return SendRestRequest -Method "Delete" -Uri $Uri +} +++function SendRestRequest( + [Parameter(Mandatory = $True)] + [string] $Method, + [Parameter(Mandatory = $True)] + [string] $Uri, + [parameter( Mandatory = $false )] + [string] $Body = "DEFAULT") { ++ $Params = @{ + Method = $Method + Path = $Uri + } ++ if (!($Body -eq "DEFAULT")) { + $Params = @{ + Method = $Method + Path = $Uri + Payload = $Body + } + } ++ Invoke-AzRestMethod @Params +} ++# Exported functions +Export-ModuleMember -Function Set-SqlVulnerabilityAssessmentBaseline +Export-ModuleMember -Function Get-SqlVulnerabilityAssessmentBaseline ++Export-ModuleMember -Function Set-SqlVulnerabilityAssessmentBaselineRule +Export-ModuleMember -Function Get-SqlVulnerabilityAssessmentBaselineRule +Export-ModuleMember -Function Remove-SqlVulnerabilityAssessmentBaselineRule ++Export-ModuleMember -Function Get-SqlVulnerabilityAssessmentScanResults ++Export-ModuleMember -Function Get-SqlVulnerabilityAssessmentScans ++Export-ModuleMember -Function Invoke-SqlVulnerabilityAssessmentScan ++Export-ModuleMember -Function Get-SqlVulnerabilityAssessmentServerSetting +Export-ModuleMember -Function 
Set-SqlVulnerabilityAssessmentServerSetting +Export-ModuleMember -Function Remove-SqlVulnerabilityAssessmentServerSetting +``` ++## Next steps ++[Express configuration PowerShell commands reference](express-configuration-powershell-commands.md) |
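Review bot: both `$Uri` strings in `Invoke-SqlVulnerabilityAssessmentScan` spell the assessment name `defualt` (`.../sqlVulnerabilityAssessments/defualt/initiateScan?api-version=...`), while every other function in the module uses `default`; as written the POST targets a resource path that does not exist, so correct the segment to `default` in both the `master` and the user-database branch. This is also the only function that does not `return` the `SendRestRequest` result; PowerShell emits it anyway, but making it explicit keeps the module consistent.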
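Review bot: the `.EXAMPLE` for `Invoke-SqlVulnerabilityAssessmentScan` shows a `202` response carrying `Location` and `Retry-After` headers, meaning the scan is asynchronous and the helper returns before it finishes, but the `.SYNOPSIS`/`.DESCRIPTION` ("Runs vulnerability assessment scan on the database.") do not say so. Add a sentence telling callers to wait (honouring `Retry-After`) and then read the outcome with `Get-SqlVulnerabilityAssessmentScans ... -ScanId latest` or `Get-SqlVulnerabilityAssessmentScanResults`; a script that calls the two back to back may otherwise read stale results.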
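Review bot: `SendRestRequest` uses the magic string `"DEFAULT"` as the default for `$Body` and compares against it to decide whether to pass `Payload`, so a caller can never send that literal body and the `$Params` hashtable is built twice. Test for the bound parameter instead and extend the single hashtable: `$Params = @{ Method = $Method; Path = $Uri }` followed by `if ($PSBoundParameters.ContainsKey('Body')) { $Params['Payload'] = $Body }`.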
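Review bot: `Remove-SqlVulnerabilityAssessmentBaselineRule` and `Remove-SqlVulnerabilityAssessmentServerSetting` issue the `Delete` immediately with no `-WhatIf`/`-Confirm` support, because the functions declare their parameters inline (`function Name([parameter(mandatory)] ...)`) and therefore cannot carry `[CmdletBinding(SupportsShouldProcess)]`. Since the second one deletes the server-level assessment settings, move the parameters into a `param()` block with `[CmdletBinding(SupportsShouldProcess)]` and guard the call: `if ($PSCmdlet.ShouldProcess($Uri, 'DELETE')) { return SendRestRequest -Method "Delete" -Uri $Uri }`.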
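Review bot: every `.EXAMPLE` invocation reads `-SubscriptionId 00000000-1111-2222-3333-444444444444-ResourceGroupName vulnerabilityaseessmenttestRg` with no space before `-ResourceGroupName`; as written PowerShell binds the whole token to `SubscriptionId` and the request URI is malformed, so insert the space in each example. The `.EXAMPLE` of `Remove-SqlVulnerabilityAssessmentServerSetting` also shows only the response (`Headers : ...`, `Method : DELETE`) and omits the command line itself; add the invocation above the response as the other functions do.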
defender-for-cloud | Governance Rules | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/governance-rules.md | -# Drive your organization to remediate security recommendations with governance +# Drive remediation with security governance Security teams are responsible for improving the security posture of their organizations but they may not have the resources or authority to actually implement security recommendations. [Assigning owners with due dates](#manually-assigning-owners-and-due-dates-for-recommendation-remediation) and [defining governance rules](#building-an-automated-process-for-improving-security-with-governance-rules) creates accountability and transparency so you can drive the process of improving the security posture in your organization. You can see the list of owners and recommendations for the selected rules, and t In this article, you learned how to set up a process for assigning owners and due dates to tasks so that owners are accountable for taking steps to improve your security posture. Check out how owners can [set ETAs for tasks](review-security-recommendations.md#manage-the-owner-and-eta-of-recommendations-that-are-assigned-to-you) so that they can manage their progress.++Learn how to [Implement security recommendations in Microsoft Defender for Cloud](implement-security-recommendations.md). |
defender-for-cloud | How To Enable Agentless Containers | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/how-to-enable-agentless-containers.md | description: Learn how to onboard Agentless Containers Previously updated : 05/15/2023 Last updated : 05/30/2023 # Onboard Agentless Container posture in Defender CSPM -Onboarding Agentless Container posture in Defender CSPM will allow you to gain all its [capabilities](concept-agentless-containers.md#agentless-container-posture-preview). +Onboarding Agentless Container posture in Defender CSPM will allow you to gain all its [capabilities](concept-agentless-containers.md#capabilities). **To onboard Agentless Container posture in Defender CSPM:** |
defender-for-cloud | Integration Defender For Endpoint | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/integration-defender-for-endpoint.md | If you've already enabled the integration with **Defender for Endpoint for Windo Microsoft Defender for Cloud will automatically onboard your machines to Microsoft Defender for Endpoint. Onboarding might take up to 12 hours. For new machines created after the integration has been enabled, onboarding takes up to an hour. > [!NOTE]- > The next time you return to this page of the Azure portal, the **Enable for Linux machines** button won't be shown. To disable the integration for Linux, you'll need to disable it for Windows too by clearing the checkbox for **Allow Microsoft Defender for Endpoint to access my data**, and selecting **Save**. + > The next time you return to this page of the Azure portal, the **Enable for Linux machines** button won't be shown. To disable the integration for Linux, you'll need to disable it for Windows too by turning the toggle **off** in **Endpoint Protection**, and selecting **Continue**. 1. To verify installation of Defender for Endpoint on a Linux machine, run the following shell command on your machines: |
defender-for-cloud | Onboard Machines With Defender For Endpoint | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/onboard-machines-with-defender-for-endpoint.md | + + Title: Onboard non-Azure machines with Defender for Endpoint +description: Learn how to connect your non-Azure machines directly to Microsoft Defender for Cloud with Microsoft Defender for Endpoint. + Last updated : 06/04/2023+++++# Quickstart: Connect your non-Azure machines to Microsoft Defender for Cloud with Defender for Endpoint ++Defender for Cloud allows you to directly onboard your non-Azure servers by deploying the Defender for Endpoint agent. This provides protection for both your cloud and non-cloud assets under a single, unified offering. ++> [!NOTE] +> To connect your non-Azure machines via Azure Arc, see [Connect your non-Azure machines to Microsoft Defender for Cloud with Azure Arc](quickstart-onboard-machines.md). ++This tenant-level setting allows you to automatically and natively onboard any non-Azure server running Defender for Endpoint to Defender for Cloud, without any extra agent deployments. This onboarding path is ideal for customers with mixed and hybrid server estate who wish to consolidate server protection under Defender for Servers. 
++## Availability ++| Aspect | Details | +| - | | +| Release state | GA | +| Supported operating systems | All [Windows](/microsoft-365/security/defender-endpoint/minimum-requirements#supported-windows-versions) and [Linux](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-linux#system-requirements) **Server** operating systems supported by Defender for Endpoint | +| Required roles and permissions | To manage this setting, you need **Subscription Owner** (on the chosen subscription), and **AAD Global Administrator** or **AAD Security Administrator** | +| Environments | On-premises servers <br />Multicloud VMs ΓÇô limited support | +| Supported plans | Defender for Servers P1 <br />Defender for Servers P2 ΓÇô limited features | ++## How it works ++Direct onboarding is a seamless integration between Defender for Endpoint and Defender for Cloud that doesnΓÇÖt require extra software deployment on your servers. Once enabled, it also shows your non-Azure server devices onboarded to Defender for Endpoint in Defender for Cloud, under a designated Azure Subscription you configure (in addition to their regular representation in the Microsoft 365 Defender portal). The Azure Subscription is used for licensing, billing, alerts, and security insights but doesn't provide server management capabilities such as Azure Policy, Extensions, or Guest configuration. To enable server management capabilities, refer to the deployment of Azure Arc. ++## Enabling direct onboarding ++Enabling direct onboarding is an opt-in setting at the tenant level. It affects both existing and new servers onboarded to Defender for Endpoint in the same Azure AD tenant. Shortly after enabling this setting, your server devices will show under the designated subscription. Alerts, software inventory, and vulnerability data are integrated with Defender for Cloud, in a similar way to how it works with Azure VMs. 
++Before you begin: ++- Make sure you have the [required permissions](#availability) +- If you have a Microsoft Defender for Endpoint for Servers license on your tenant, [make sure to indicate it](faq-defender-for-servers.yml#can-i-get-a-discount-if-i-already-have-a-microsoft-defender-for-endpoint-license-) in Defender for Cloud +- Review the [limitations section](#current-limitations) ++### Enabling in the Defender for Cloud portal ++1. Go to **Defender for Cloud** > **Environment Settings** > **Direct onboarding**. +2. Switch the **Direct onboarding** toggle to **On**. +3. Select the subscription you would like to use for servers onboarded directly with Defender for Endpoint +4. Select **Save**. +++You've now successfully enabled direct onboarding on your tenant. After you enable it for the first time, it may take up to 24 hours to see your non-Azure servers in your designated subscription. ++### Deploying Defender for Endpoint on your servers ++Deploying the Defender for Endpoint agent on your on-premises Windows and Linux servers is the same whether you use direct onboarding or not. Refer to the [Defender for Endpoint onboarding guide](/microsoft-365/security/defender-endpoint/onboarding) for further instructions. ++## Current limitations ++- **Plan support**: Direct onboarding provides access to all Defender for Servers Plan 1 features. However, certain features in Plan 2 still require the deployment of the Azure Monitor Agent, which is only available with Azure Arc on non-Azure machines. If you enable Plan 2 on your designated subscription, machines onboarded directly with Defender for Endpoint have access to all Defender for Servers Plan 1 features and the Defender Vulnerability Management Addon features included in Plan 2. ++- **Multi-cloud support**: You can directly onboard VMs in AWS and GCP using the Defender for Endpoint agent. 
However, if you plan to simultaneously connect your AWS or GCP account to Defender for Servers using multicloud connectors, it's currently still recommended to deploy Azure Arc. ++- **Simultaneous onboarding limited support**: Defender for Cloud makes a best effort to correlate servers onboarded using multiple billing methods. However, in certain server deployment use cases, there may be limitations where Defender for Cloud is unable to correlate your machines. This may result in overcharges on certain devices if direct onboarding is also enabled on your tenant. ++ The following are deployment use cases currently with this limitation when used with direct onboarding of your tenant: ++ | Location | Deployment use case | + | | | + | All | <u>Windows Server (all versions)</u> <br />Azure VMs or Azure Arc machines already onboarded and billed by Defender for Servers via an Azure subscription or Log Analytics workspace, running the Defender for Endpoint agent without the MDE.Windows or MDE.Linux Azure extensions. For such machines, you can enable Defender for Cloud integration with Defender for Endpoint to deploy the extensions. | + | On-premises (not running Azure Arc) | <u>Windows Server 2019</u>:<br />Servers already onboarded and billed by Defender for Servers P2 via the Log Analytics workspace<br /><br /><u>Windows Server 2012, 2016</u>: <br />Servers running the Defender for Endpoint modern unified agent, and already billed by Defender for Servers P2 via the Log Analytics workspace | + | AWS, GCP (not running Azure Arc) | <u>Windows Server 2019</u>:<br />Servers already onboarded and billed by Defender for Servers via multicloud connectors, Log Analytics workspace, or both. <br /><br /><u>Windows Server 2012, 2016</u>: <br />AWS or GCP VMs using the modern unified Defender for Endpoint solution, already onboarded and billed by Defender for Servers via multicloud connectors, Log Analytics workspace, or both. 
| ++## Next steps ++This page showed you how to add your non-Azure machines to Microsoft Defender for Cloud. To monitor their status, use the inventory tools as explained in the following page: ++- [Explore and manage your resources with asset inventory](asset-inventory.md) |
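Review bot: the deployment use-case table under **Simultaneous onboarding limited support** has no header separator row and will not render as a table: the line following `| Location | Deployment use case |` is `| | |` and needs to be `| --- | --- |`. Two smaller consistency points in the same region: the bullet is titled **Multi-cloud support** while the body text (and the table) says "multicloud connectors", and step 3 of the enabling procedure ("Select the subscription you would like to use...") is missing the terminating period the other steps have.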
defender-for-cloud | Plan Defender For Servers Select Plan | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/plan-defender-for-servers-select-plan.md | You can choose from two Defender for Servers paid plans: - All the functionality that's provided by Defender for Servers Plan 1. - More extended detection and response (XDR) capabilities.- ++> [!NOTE] +> Plan 1 and Plan 2 for Defender for Servers aren't the same as Plan 1 and Plan 2 for Defender for Endpoint. + ## Plan features | Feature | Details | Plan 1 | Plan 2 | |:|:|::|::|-| **Defender for Endpoint integration** | Defender for Servers integrates with Defender for Endpoint and protects servers with all the features, including:<br/><br/>- [Attack surface reduction](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction) to lower the risk of attack.<br/><br/> - [Next-generation protection](/microsoft-365/security/defender-endpoint/next-generation-protection), including real-time scanning and protection and [Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/next-generation-protection).<br/><br/> - EDR, including [threat analytics](/microsoft-365/security/defender-endpoint/threat-analytics), [automated investigation and response](/microsoft-365/security/defender-endpoint/automated-investigations), [advanced hunting](/microsoft-365/security/defender-endpoint/advanced-hunting-overview), and [Microsoft Defender Experts](/microsoft-365/security/defender-endpoint/endpoint-attack-notifications).<br/><br/> - Vulnerability assessment and mitigation provided by [Microsoft Defender Vulnerability Management (MDVM)](/microsoft-365/security/defender-vulnerability-management/defender-vulnerability-management-capabilities) as part of the Defender for Endpoint integration. 
With Plan 2, you can get premium MDVM features, provided by the [MDVM add-on](/microsoft-365/security/defender-vulnerability-management/defender-vulnerability-management-capabilities#vulnerability-managment-capabilities-for-servers).| :::image type="icon" source="./media/icons/yes-icon.png" alt-text="Icon that shows it's supported in Plan 1."::: | :::image type="icon" source="./media/icons/yes-icon.png" alt-text="Icon that shows it's supported in Plan 2."::: | -| **Licensing** | Defender for Servers covers licensing for Defender for Endpoint. Licensing is charged per hour instead of per seat, lowering costs by protecting virtual machines only when they're in use.| :::image type="icon" source="./media/icons/yes-icon.png" alt-text="Icon that shows it's supported in Plan 1."::: | :::image type="icon" source="./media/icons/yes-icon.png" alt-text="Icon that shows it's supported in Plan 2."::: | -| **Defender for Endpoint provisioning** | Defender for Servers automatically provisions the Defender for Endpoint sensor on every supported machine that's connected to Defender for Cloud.| :::image type="icon" source="./media/icons/yes-icon.png" alt-text="Icon that shows it's supported in Plan 1."::: | :::image type="icon" source="./media/icons/yes-icon.png" alt-text="Icon that shows it's supported in Plan 2."::: | -| **Unified view** | Defender for Endpoint alerts appear in the Defender for Cloud portal. 
You can get detailed information in the Defender for Endpoint portal.| :::image type="icon" source="./media/icons/yes-icon.png" alt-text="Icon that shows it's supported in Plan 1."::: | :::image type="icon" source="./media/icons/yes-icon.png" alt-text="Icon that shows it's supported in Plan 2."::: | -| **Threat detection for OS-level (agent-based)** | Defender for Servers and Defender for Endpoint detect threats at the OS level, including virtual machine behavioral detections and *fileless attack detection*, which generates detailed security alerts that accelerate alert triage, correlation, and downstream response time.<br>[Learn more](alerts-reference.md#alerts-windows) | :::image type="icon" source="./mediE](/microsoft-365/security/defender-endpoint/overview-endpoint-detection-response) | :::image type="icon" source="./media/icons/yes-icon.png" alt-text="Icon that shows it's supported in Plan 2."::: | -| **Threat detection for network-level (agentless)** | Defender for Servers detects threats that are directed at the control plane on the network, including network-based detections for Azure virtual machines. | Not supported in Plan 1 | :::image type="icon" source="./media/icons/yes-icon.png" alt-text="Icon that shows it's supported in Plan 2."::: | -| **Microsoft Defender Vulnerability Management (MDVM) Add-on** | Enhance your vulnerability management program consolidated asset inventories, security baselines assessments, application block feature, and more. [Learn more](deploy-vulnerability-assessment-defender-vulnerability-management.md). | Not supported in Plan 1 | :::image type="icon" source="./media/icons/yes-icon.png" alt-text="Icon that shows it's supported in Plan 2."::: | -| **Security Policy and Regulatory Compliance** | Customize a security policy for your subscription and also compare the configuration of your resources with requirements in industry standards, regulations, and benchmarks. 
Learn more about [regulatory compliance](regulatory-compliance-dashboard.md) and [security policies](security-policy-concept.md) | Not supported in Plan 1 | :::image type="icon" source="./media/icons/yes-icon.png" alt-text="Icon that shows it's supported in Plan 2.":::| -| **[Qualys vulnerability assessment](deploy-vulnerability-assessment-vm.md)** | As an alternative to Defender Vulnerability Management, Defender for Cloud can deploy a Qualys scanner and display the findings. You don't need a Qualys license or account. | Not supported in Plan 1 | :::image type="icon" source="./media/icons/yes-icon.png" alt-text="Icon that shows it's supported in Plan 2.":::| -**[Adaptive application controls](adaptive-application-controls.md)** | Adaptive application controls define allowlists of known safe applications for machines. To use this feature, Defender for Cloud must be enabled on the subscription. | Not supported in Plan 1 |:::image type="icon" source="./media/icons/yes-icon.png" alt-text="Icon that shows it's supported in Plan 2."::: | -| **Free data ingestion (500 MB) in workspaces** | Free data ingestion is available for [specific data types](faq-defender-for-servers.yml#what-data-types-are-included-in-the-daily-allowance-). Data ingestion is calculated per node, per reported workspace, and per day. It's available for every workspace that has a *Security* or *AntiMalware* solution installed. | Not supported in Plan 1 | :::image type="icon" source="./media/icons/yes-icon.png" alt-text="Icon that shows it's supported in Plan 2."::: | -| **[Just-in-time virtual machine access](just-in-time-access-overview.md)** | Just-in-time virtual machine access locks down machine ports to reduce the attack surface. To use this feature, Defender for Cloud must be enabled on the subscription. 
| Not supported in Plan 1 | :::image type="icon" source="./media/icons/yes-icon.png" alt-text="Icon that shows it's supported in Plan 2."::: | -| **[Adaptive network hardening](adaptive-network-hardening.md)** | Network hardening filters traffic to and from resources by using network security groups (NSGs) to improve your network security posture. Further improve security by hardening the NSG rules based on actual traffic patterns. To use this feature, Defender for Cloud must be enabled on the subscription. | Not supported in Plan 1 | :::image type="icon" source="./media/icons/yes-icon.png" alt-text="Icon that shows it's supported in Plan 2."::: | -| **[File integrity monitoring](file-integrity-monitoring-overview.md)** | File integrity monitoring examines files and registries for changes that might indicate an attack. A comparison method is used to determine whether suspicious modifications have been made to files. | Not supported in Plan 1 | :::image type="icon" source="./media/icons/yes-icon.png" alt-text="Icon that shows it's supported in Plan 2."::: | -| **[Docker host hardening](harden-docker-hosts.md)** | Assesses containers hosted on Linux machines running Docker containers, and then compares them with the Center for Internet Security (CIS) Docker Benchmark. | Not supported in Plan 1 | :::image type="icon" source="./media/icons/yes-icon.png" alt-text="Icon that shows it's supported in Plan 2."::: | -[Network map](protect-network-resources.md) | Provides a geographical view of recommendations for hardening your network resources. | Not supported in Plan 1| :::image type="icon" source="./media/icons/yes-icon.png" alt-text="Icon that shows it's supported in Plan 2."::: | -[Agentless scanning](concept-agentless-data-collection.md) | Scans Azure virtual machines by using cloud APIs to collect data. 
| Not supported in Plan 1 | :::image type="icon" source="./media/icons/yes-icon.png" alt-text="Icon that shows it's supported in Plan 2."::: +| **Defender for Endpoint integration** | Defender for Servers integrates with Defender for Endpoint and protects servers with all the features, including:<br/><br/>- [Attack surface reduction](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction) to lower the risk of attack.<br/><br/> - [Next-generation protection](/microsoft-365/security/defender-endpoint/next-generation-protection), including real-time scanning and protection and [Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/next-generation-protection).<br/><br/> - EDR, including [threat analytics](/microsoft-365/security/defender-endpoint/threat-analytics), [automated investigation and response](/microsoft-365/security/defender-endpoint/automated-investigations), [advanced hunting](/microsoft-365/security/defender-endpoint/advanced-hunting-overview), and [Microsoft Defender Experts](/microsoft-365/security/defender-endpoint/endpoint-attack-notifications).<br/><br/> - Vulnerability assessment and mitigation provided by [Microsoft Defender Vulnerability Management (MDVM)](/microsoft-365/security/defender-vulnerability-management/defender-vulnerability-management-capabilities) as part of the Defender for Endpoint integration. With Plan 2, you can get premium MDVM features, provided by the [MDVM add-on](/microsoft-365/security/defender-vulnerability-management/defender-vulnerability-management-capabilities#vulnerability-managment-capabilities-for-servers).| :::image type="icon" source="./media/icons/yes-icon.png" ::: | :::image type="icon" source="./media/icons/yes-icon.png"::: | +| **Licensing** | Defender for Servers covers licensing for Defender for Endpoint. 
Licensing is charged per hour instead of per seat, lowering costs by protecting virtual machines only when they're in use.| :::image type="icon" source="./media/icons/yes-icon.png"::: | :::image type="icon" source="./media/icons/yes-icon.png"::: | +| **Defender for Endpoint provisioning** | Defender for Servers automatically provisions the Defender for Endpoint sensor on every supported machine that's connected to Defender for Cloud.| :::image type="icon" source="./media/icons/yes-icon.png"::: | :::image type="icon" source="./media/icons/yes-icon.png"::: | +| **Unified view** | Defender for Endpoint alerts appear in the Defender for Cloud portal. You can get detailed information in the Defender for Endpoint portal.| :::image type="icon" source="./media/icons/yes-icon.png"::: | :::image type="icon" source="./media/icons/yes-icon.png"::: | +| **Threat detection for OS-level (agent-based)** | Defender for Servers and Defender for Endpoint detect threats at the OS level, including virtual machine behavioral detections and *fileless attack detection*, which generates detailed security alerts that accelerate alert triage, correlation, and downstream response time.<br>[Learn more](alerts-reference.md#alerts-windows) | :::image type="icon" source="./mediE](/microsoft-365/security/defender-endpoint/overview-endpoint-detection-response) | :::image type="icon" source="./media/icons/yes-icon.png"::: | +| **Threat detection for network-level (agentless)** | Defender for Servers detects threats that are directed at the control plane on the network, including network-based detections for Azure virtual machines. | Not supported in Plan 1 | :::image type="icon" source="./media/icons/yes-icon.png"::: | +| **Microsoft Defender Vulnerability Management (MDVM) Add-on** | Enhance your vulnerability management program consolidated asset inventories, security baselines assessments, application block feature, and more. 
[Learn more](deploy-vulnerability-assessment-defender-vulnerability-management.md). | Not supported in Plan 1 | :::image type="icon" source="./media/icons/yes-icon.png"::: | +| **Security Policy and Regulatory Compliance** | Customize a security policy for your subscription and also compare the configuration of your resources with requirements in industry standards, regulations, and benchmarks. Learn more about [regulatory compliance](regulatory-compliance-dashboard.md) and [security policies](security-policy-concept.md) | Not supported in Plan 1 | :::image type="icon" source="./media/icons/yes-icon.png":::| +| **[Qualys vulnerability assessment](deploy-vulnerability-assessment-vm.md)** | As an alternative to Defender Vulnerability Management, Defender for Cloud can deploy a Qualys scanner and display the findings. You don't need a Qualys license or account. | Not supported in Plan 1 | :::image type="icon" source="./media/icons/yes-icon.png":::| +|**[Adaptive application controls](adaptive-application-controls.md)** | Adaptive application controls define allowlists of known safe applications for machines. To use this feature, Defender for Cloud must be enabled on the subscription. | Not supported in Plan 1 |:::image type="icon" source="./media/icons/yes-icon.png"::: | +| **Free data ingestion (500 MB) to Log Analytics workspaces** | Free data ingestion is available for [specific data types](faq-defender-for-servers.yml#what-data-types-are-included-in-the-daily-allowance-) to Log Analytics workspaces. Data ingestion is calculated per node, per reported workspace, and per day. It's available for every workspace that has a *Security* or *AntiMalware* solution installed. | Not supported in Plan 1 | :::image type="icon" source="./media/icons/yes-icon.png"::: | +| **[Just-in-time virtual machine access](just-in-time-access-overview.md)** | Just-in-time virtual machine access locks down machine ports to reduce the attack surface. 
To use this feature, Defender for Cloud must be enabled on the subscription. | Not supported in Plan 1 | :::image type="icon" source="./media/icons/yes-icon.png"::: | +| **[Adaptive network hardening](adaptive-network-hardening.md)** | Network hardening filters traffic to and from resources by using network security groups (NSGs) to improve your network security posture. Further improve security by hardening the NSG rules based on actual traffic patterns. To use this feature, Defender for Cloud must be enabled on the subscription. | Not supported in Plan 1 | :::image type="icon" source="./media/icons/yes-icon.png"::: | +| **[File integrity monitoring](file-integrity-monitoring-overview.md)** | File integrity monitoring examines files and registries for changes that might indicate an attack. A comparison method is used to determine whether suspicious modifications have been made to files. | Not supported in Plan 1 | :::image type="icon" source="./media/icons/yes-icon.png"::: | +| **[Docker host hardening](harden-docker-hosts.md)** | Assesses containers hosted on Linux machines running Docker containers, and then compares them with the Center for Internet Security (CIS) Docker Benchmark. | Not supported in Plan 1 | :::image type="icon" source="./media/icons/yes-icon.png"::: | +|[Network map](protect-network-resources.md) | Provides a geographical view of recommendations for hardening your network resources. | Not supported in Plan 1| :::image type="icon" source="./media/icons/yes-icon.png"::: | +|[Agentless scanning](concept-agentless-data-collection.md) | Scans Azure virtual machines by using cloud APIs to collect data. | Not supported in Plan 1 | :::image type="icon" source="./media/icons/yes-icon.png":::| ## Select a vulnerability assessment solution |
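Review bot: the **Threat detection for OS-level (agent-based)** row still carries a corrupted Plan 1 cell, `:::image type="icon" source="./mediE](/microsoft-365/security/defender-endpoint/overview-endpoint-detection-response) |`, in both the removed and the added line. Since this patch rewrites every row of the table anyway, that cell should be made valid: either a yes icon (`:::image type="icon" source="./media/icons/yes-icon.png":::`) or the `Not supported in Plan 1` text marker used elsewhere in the column, with the stray link fragment dropped. In the same table, the MDVM Add-on description ("Enhance your vulnerability management program consolidated asset inventories, ...") is missing "with" after "program".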
defender-for-cloud | Powershell Sample Vulnerability Assessment Azure Sql | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/powershell-sample-vulnerability-assessment-azure-sql.md | description: In this article, learn how to enable vulnerability assessments on A Previously updated : 11/29/2022- Last updated : 05/30/2023 # Enable vulnerability assessments on Azure SQL databases with the express configuration This PowerShell script enables the express configuration of [vulnerability assessments](sql-azure-vulnerability-assessment-overview.md) on an Azure SQL Server. +If vulnerability assessment has already been configured using the classic configuration, this script migrates it to the express configuration and copy all of the pre-existing baseline definitions. +Your scan history isn't copied over to the new configuration. Your scan history remains accessible on the storage account that was previously used by the classic configuration. ++## Prerequisites + [!INCLUDE [sample-powershell-install](../../includes/sample-powershell-install-no-ssh.md)] [!INCLUDE [quickstarts-free-trial-note](../../includes/quickstarts-free-trial-note.md)] -## Sample script +- The user should have `Storage Blob Data Reader` role on the storage account. ++- Storage networking settings must be configured to allow access to the machine that executes the command. ++- You must have permission to create folders in the working directory used by the script. 
++## Sample script - MigratingToExpressConfiguration.ps1 [!INCLUDE [updated-for-az](../../includes/updated-for-az.md)] ```powershell+#Requires -Modules @{ ModuleName="Az.Sql"; ModuleVersion="3.11.0" } +#Requires -Modules @{ ModuleName="Az.Storage"; ModuleVersion="4.8.0" } +#Requires -Modules @{ ModuleName="Az.Accounts"; ModuleVersion="2.9.1" } +#Requires -Version 5.1 + <# .SYNOPSIS- This script migrates an Azure SQL Server to the Vulnerability Assessment Express Configuration feature, and then scans all databases that belong to the selected server. + This script configured an Azure SQL Server to the express configuration Vulnerability Assessment feature, scans all databases that belong to the selected server and set baselines (if defined in classic configuration) from the storage that is configures in the policy. .DESCRIPTION- This script migrates Azure SQL Server to the Vulnerability Assessment Express Configuration feature. - It deletes the current Vulnerability Assessment settings (if exists), this step will reset all the Vulnerability Assessment scans and baseline for all databases. +This script migrates Azure SQL Server to express configuration Vulnerability Assessment feature by executing the following steps: +- It deletes the current Vulnerability Assessment settings (if exists). + This step will reset all the Vulnerability Assessment scans and baselines for all databases. +- It copies the current baselines (if exist) from the customer's storage. ++In order to revert this script follow the instructions as mentioned here: https://learn.microsoft.com/en-us/azure/defender-for-cloud/sql-azure-vulnerability-assessment-manage?tabs=express#revert-back-to-the-classic-configuration. ++.PARAMETER ServerSubscriptionId + The Subscription id that the server belongs to ++.PARAMETER ServerResourceGroupName + The Resource Group that the server belongs to ++.PARAMETER ServerName + The SQL server name that we want to apply the new SQL Vulnerability Assessment policy to. 
++.PARAMETER Force + Will remove the old Vulnerability Assessment setting without asking for confirmation. ++.EXAMPLE + .\MigratingToExpressConfiguration.ps1 -SubscriptionId "25b642fc-05c3-11ed-b939-0242ac120002" -ResourceGroupName "ResourceGroup01" -ServerName "Server01" -Force + .\MigratingToExpressConfiguration.ps1 -SubscriptionId "25b642fc-05c3-11ed-b939-0242ac120002" -ResourceGroupName "ResourceGroup01" -ServerName "Server01" #> +param +( + [Parameter(Mandatory = $True)] + [string]$SubscriptionId, ++ [Parameter(Mandatory = $True)] + [string]$ResourceGroupName, -$SubscriptionId = "<subscriptionid>" # The Subscription id that the server belongs to. -$ResourceGroupName = "<resource group>" # The Resource Group that the server belongs to. -$ServerName = "<server name>" # The SQL server name that we want to apply the new SQL Vulnerability Assessment policy to (short name, without suffix). -$Force = $false # Will remove the classic Vulnerability Assessment configurations without asking for confirmation. 
-$APIVersion = "2022-05-01-preview" + [Parameter(Mandatory = $True)] + [string]$ServerName, + [Parameter(Mandatory = $False)] + [switch]$Force +) ###### New SQL Vulnerability Assessment Commands ###### ####################################################### +function GetSqlVulnerabilityAssessmentServerSetting($SubscriptionId, $ResourceGroupName, $ServerName) { + $Uri = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName/sqlVulnerabilityAssessments/default?api-version=2022-02-01-preview" + return SendRestRequest -Method "Get" -Uri $Uri +} -function SetSqlVulnerabilityAssessmentServerSetting($SubscriptionId, $ResourceGroupName, $ServerName){ - $Uri = "https://management.azure.com/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName/sqlVulnerabilityAssessments/default?api-version=" + $APIVersion +function SetSqlVulnerabilityAssessmentServerSetting($SubscriptionId, $ResourceGroupName, $ServerName) { + $Uri = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName/sqlVulnerabilityAssessments/default?api-version=2022-02-01-preview" $Body = @{ properties = @{ state = "Enabled" function SetSqlVulnerabilityAssessmentServerSetting($SubscriptionId, $ResourceGr return SendRestRequest -Method "Put" -Uri $Uri -Body $Body } -function RunSqlVulnerabilityAssessmentScanOnUserDatabase($SubscriptionId, $ResourceGroupName, $ServerName, $DatabaseName){ - $Uri = "https://management.azure.com/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName/databases/$DatabaseName/sqlVulnerabilityAssessments/defualt/initiateScan?api-version=" + $APIVersion +function SetSqlVulnerabilityAssessmentBaselineOnUserDatabase($SubscriptionId, $ResourceGroupName, $ServerName, $DatabaseName, $Baseline) { + $Uri = 
"/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName/databases/$DatabaseName/sqlVulnerabilityAssessments/default/baselines/default?api-version=2022-02-01-preview" + $convertedBaseline = $Baseline | ConvertFrom-Json + $properties = @{ + properties = @{ + latestScan = $false + results = @{} + } + } ++ if ($convertedBaseline.RuleBaselines.Count -eq 0) { + # baseline is null/empty. No need to send the API call. + return + } ++ foreach ($rule in $convertedBaseline.RuleBaselines) { + $ruleId = $rule.RuleId + $expectedResults = $rule.Properties.ExpectedResults ++ if ($ruleId -in $VABinaryRules) { + if ($expectedResults[0][0] -eq "1") { + $expectedResults[0][0] = "True" + } + else { + $expectedResults[0][0] = "False" + } + } ++ $properties.properties.results[$ruleId] = $expectedResults + } +++ $Body = $properties | ConvertTo-Json -Depth 5 + return SendRestRequest -Method "Put" -Uri $Uri -Body $Body +} ++function SetSqlVulnerabilityAssessmentBaselineOnSystemDatabase($SubscriptionId, $ResourceGroupName, $ServerName, $DatabaseName, $Baseline) { + $Uri = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName/sqlVulnerabilityAssessments/default/baselines/default?api-version=2022-02-01-preview&systemDatabaseName=master" + $convertedBaseline = $Baseline | ConvertFrom-Json + $properties = @{ + properties = @{ + latestScan = $false + results = @{} + } + } ++ if ($convertedBaseline.RuleBaselines.Count -eq 0) { + # baseline is null/empty. No need to send the API call. 
+ return + } ++ foreach ($rule in $convertedBaseline.RuleBaselines) { + $ruleId = $rule.RuleId + $expectedResults = $rule.Properties.ExpectedResults ++ if ($ruleId -in $VABinaryRules) { + if ($expectedResults[0][0] -eq "1") { + $expectedResults[0][0] = "True" + } + else { + $expectedResults[0][0] = "False" + } + } ++ $properties.properties.results[$ruleId] = $expectedResults + } +++ $Body = $properties | ConvertTo-Json -Depth 5 + return SendRestRequest -Method "Put" -Uri $Uri -Body $Body +} ++function RunSqlVulnerabilityAssessmentScanOnUserDatabase($SubscriptionId, $ResourceGroupName, $ServerName, $DatabaseName) { + $Uri = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName/databases/$DatabaseName/sqlVulnerabilityAssessments/defualt/initiateScan?api-version=2022-02-01-preview" SendRestRequest -Method "Post" -Uri $Uri } -function RunSqlVulnerabilityAssessmentScanOnSystemDatabase($SubscriptionId, $ResourceGroupName, $ServerName, $DatabaseName){ - $Uri = "https://management.azure.com/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName/sqlVulnerabilityAssessments/default/initiateScan?api-version=" + $APIVersion + "&systemDatabaseName=$DatabaseName" - SendRestRequest -Method "Post" -Uri $Uri +function RunSqlVulnerabilityAssessmentScanOnSystemDatabase($SubscriptionId, $ResourceGroupName, $ServerName, $DatabaseName) { + $Uri = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName/sqlVulnerabilityAssessments/defualt/initiateScan?api-version=2022-02-01-preview&systemDatabaseName=$DatabaseName" + SendRestRequest -Method "Post" -Uri $Uri } -function SendRestRequest( - [Parameter(Mandatory=$True)] - [string] $Method, - [Parameter(Mandatory=$True)] - [string] $Uri, - [parameter( Mandatory=$false )] - [string] $Body = "DEFAULT") -{ - $AccessToken = Get-AzAccessToken - $Token = "Bearer $($AccessToken.Token)" 
+function GetSqlVulnerabilityAssessmentScanOnUserDatabase($SubscriptionId, $ResourceGroupName, $ServerName, $DatabaseName) { + $Uri = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName/databases/$DatabaseName/sqlVulnerabilityAssessments/defualt/scans/latest?api-version=2022-02-01-preview" + return SendRestRequest -Method "Get" -Uri $Uri +} ++function GetSqlVulnerabilityAssessmentScanOnSystemDatabase($SubscriptionId, $ResourceGroupName, $ServerName, $DatabaseName) { + $Uri = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName/sqlVulnerabilityAssessments/defualt/scans/latest?api-version=2022-02-01-preview&systemDatabaseName=$DatabaseName" + return SendRestRequest -Method "Get" -Uri $Uri +} - $headers = @{ - 'Authorization' = $Token - } ++function SendRestRequest( + [Parameter(Mandatory = $True)] + [string] $Method, + [Parameter(Mandatory = $True)] + [string] $Uri, + [parameter( Mandatory = $false )] + [string] $Body = "DEFAULT") { $Params = @{- Method = $Method - Uri = $Uri - Headers = $headers - ContentType = "application/json" + Method = $Method + Path = $Uri } - if(!($Body -eq "DEFAULT")) - { - $Params = @{ - Method = $Method - Uri = $Uri - Body = $Body - Headers = $headers - ContentType = "application/json" - } + if (!($Body -eq "DEFAULT")) { + $Params = @{ + Method = $Method + Path = $Uri + Payload = $Body + } }- - Invoke-RestMethod @Params ++ Invoke-AzRestMethod @Params } ####################################################### +function LogMessage { + [CmdletBinding()] + Param + ( + [Parameter(Mandatory=$true, Position=0)] + [string]$LogMessage + ) -function HaveVulnerabilityAssessmentSetting($ResourceGroupName, $ServerName, $Databases) -{ + Write-Host ("{0} - {1}" -f (Get-Date), $LogMessage) +} ++function LogError { + [CmdletBinding()] + Param + ( + [Parameter(Mandatory=$true, Position=0)] + [string]$LogMessage + ) ++ Write-Error ("{0} - {1}" -f 
(Get-Date), $LogMessage) +} ++####################################################### ++function Retry() { + param( + [Parameter(Mandatory = $true)][Action]$action, + [Parameter(Mandatory = $false)][int]$maxAttempts = 3 + ) ++ $attempts = 1 + do { + try { + $result = $action.Invoke(); + return $result + } + catch [Exception] { + LogMessage -LogMessage $_.Exception.Message + } ++ # exponential backoff delay + $attempts++ + if ($attempts -le $maxAttempts) { + $retryDelaySeconds = [math]::Pow(2, $attempts) + $retryDelaySeconds = $retryDelaySeconds - 1 # Exponential Backoff Max == (2^n)-1 + LogMessage -LogMessage ("Action failed. Waiting " + $retryDelaySeconds + " seconds before attempt " + $attempts + " of " + $maxAttempts + ".") + Start-Sleep $retryDelaySeconds + } + else { + LogError $_.Exception.Message + $ex = New-Object System.Exception($_.Exception.Message) + throw $ex + } + } while ($attempts -le $maxAttempts) +} +++function HaveVulnerabilityAssessmentSetting($ResourceGroupName, $ServerName, $Databases) { # Check if we have a server setting.- Write-Host "Check Vulnerability Assessment setting for '$($ServerName)' server" + LogMessage -LogMessage "Check Vulnerability Assessment setting for '$($ServerName)' server" $vaServerSetting = Get-AzSqlServerVulnerabilityAssessmentSetting -ResourceGroupName $ResourceGroupName -ServerName $ServerName- if(![string]::IsNullOrEmpty($vaServerSetting.StorageAccountName)) - { - return $true + if (![string]::IsNullOrEmpty($vaServerSetting.StorageAccountName)) { + return $true } # Check if we have a database setting for server- foreach ($database in $Databases) - { - Write-Host "Check VA settings for '$($database.DatabaseName)' database" - $vaDatabaseSetting = Get-AzSqlDatabaseVulnerabilityAssessmentSetting -ResourceGroupName $ResourceGroupName -ServerName $ServerName -DatabaseName $database.DatabaseName - if(![string]::IsNullOrEmpty($vaDatabaseSetting.StorageAccountName)) - { - return $true - } + foreach ($database in $Databases) 
{ + LogMessage -LogMessage "Check VA settings for '$($database.DatabaseName)' database" + $vaDatabaseSetting = Get-AzSqlDatabaseVulnerabilityAssessmentSetting -ResourceGroupName $ResourceGroupName -ServerName $ServerName -DatabaseName $database.DatabaseName + if (![string]::IsNullOrEmpty($vaDatabaseSetting.StorageAccountName)) { + return $true + } + } ++ return $false +} ++function HaveExpressConfigurationVulnerabilityAssessmentSetting($SubscriptionId, $ResourceGroupName, $ServerName) { + # Check if we have a server setting. + LogMessage -LogMessage "Check express configuration Vulnerability Assessment setting for '$($ServerName)' server" + $Response = GetSqlVulnerabilityAssessmentServerSetting -SubscriptionId $SubscriptionId -ResourceGroupName $ResourceGroupName -ServerName $ServerName + if ($Response.Content.Contains("Enabled")) { + return $true } return $false } +function GetBlobsFromStorage($ContainerName, $Context) { ++ # Use Get-AzStorageBlob to retrieve a list of blobs from the container + $blobs = Get-AzStorageBlob -Container $ContainerName -Context $Context ++ if ([string]::IsNullOrEmpty($blobs)) { + return + } ++ return $blobs +} +++function ExtractBaselineBlobName($ServerName, $DatabaseName) { + $prefix = "scans/$ServerName/$DatabaseName/baseline" ++ # Filter the list to include only blobs with names starting with "baseline" + $baselineBlobs = $blobs | Where-Object { $_.Name.StartsWith($prefix) } ++ if ($baselineBlobs.Count -eq 0) { + return + } + else { + # Sort the list by LastModified descending and get the first item + $mostRecentBlob = $baselineBlobs | Sort-Object LastModified -Descending | Select-Object -First 1 ++ # Get the name of the most recent blob + $mostRecentBlobName = $mostRecentBlob.Name ++ LogMessage -LogMessage "The most recent blob with the 'baseline' prefix is: $mostRecentBlobName" ++ return $mostRecentBlobName + } +} ++function ReadDatabaseBaselineFromStorage($ServerName, $BlobName, $ContainerName, $Context) { + # Use 
Get-AzStorageBlobContent to retrieve the blob content as a string + $blobContent = Get-AzStorageBlobContent -Blob $BlobName -Container $ContainerName -Context $Context + $blobContent = $blobContent.ICloudBlob.DownloadText() ++ if ([string]::IsNullOrEmpty($blobContent)) { + return + } ++ return $blobContent +} ++function GetBaselineConfigurationForDatabase($ServerName, $DatabaseName, $VaDatabasePolicyStorage, $VaDatabasePolicyContainer) { ++ # Get storage account context + $ctx = New-AzStorageContext -StorageAccountName $VaDatabasePolicyStorage ++ # Extract baseline blob name + $blobs = GetBlobsFromStorage -ContainerName $VaDatabasePolicyContainer -Context $ctx + if ([string]::IsNullOrEmpty($blobs)) { + $ex = New-Object System.Exception("Failed to get blobs from the storage. Verify that you have Storage Blob Data Reader role assignment on the storage.") + throw $ex + } ++ # Extract baseline blob name + $blobName = ExtractBaselineBlobName -ServerName $ServerName -DatabaseName $DatabaseName + if ([string]::IsNullOrEmpty($blobName)) { + LogMessage -LogMessage "No baseline blob was found for $DatabaseName database." + return + } ++ # Extract the baseline + $baseline = ReadDatabaseBaselineFromStorage -ServerName $ServerName -BlobName $blobName -ContainerName $VaDatabasePolicyContainer -Context $ctx + if ([string]::IsNullOrEmpty($baseline)) { + $ex = New-Object System.Exception("Failed to get blobs from the storage. Verify that you have Storage Blob Data Reader role assignment on the storage.") + throw $ex + } ++ LogMessage -LogMessage "Found baseline for $($DatabaseName) database." 
+ return $baseline +} ++function ClearBaselineFolder() { + # Clean baseline folder + $scriptPath = Get-Location + $folderPath = Join-Path -Path $scriptPath.Path -ChildPath "scans" ++ if (Test-Path $folderPath) { + # Remove folder from previous runs + Remove-Item $folderPath -Recurse + } +} ++####################################################### ++$VABinaryRules = @("VA1018", "VA1022", "VA1023", "VA1024", "VA1043", "VA1044", "VA1045", "VA1051", "VA1052", "VA1053", "VA1058", "VA1059", "VA1067", "VA1071", "VA1072", "VA1091", "VA1092", "VA1093", "VA1102", "VA1143", "VA1219", "VA1230", "VA1235", "VA1245", "VA1264", "VA1265", "VA1277", "VA1279", "VA1283", "VA2060", "VA2061", "VA2121", "VA2122", "VA2128") ++####################################################### + # Connect-Connect-AzAccount -Set-AzContext $SubscriptionId +$subscription = Connect-AzAccount -Subscription $SubscriptionId +if ([string]::IsNullOrEmpty($subscription)) +{ + LogError "Failed to get the subscription. Migration cancelled. Fix errors and try again later." + return +} ++$srv = Get-AzSqlServer -ResourceGroupName $ResourceGroupName -ServerName $ServerName +if ([string]::IsNullOrEmpty($srv)) +{ + LogError "The server was not found. Migration cancelled. Fix errors and try again later." 
+ return +} -$databases = Get-AzSqlDatabase -ResourceGroupName $ResourceGroupName -ServerName $ServerName | where {$_.DatabaseName -ne "master"} +ClearBaselineFolder ++$baselines = @{} +$databases = Get-AzSqlDatabase -ResourceGroupName $ResourceGroupName -ServerName $ServerName | Where-Object { $_.DatabaseName -ne "master" } $haveVaSetting = HaveVulnerabilityAssessmentSetting -ResourceGroupName $ResourceGroupName -ServerName $ServerName -Databases $databases+$haveExpressConfigurationVA = HaveExpressConfigurationVulnerabilityAssessmentSetting -SubscriptionId $SubscriptionId -ResourceGroupName $ResourceGroupName -ServerName $ServerName -if($haveVaSetting) -{ +if ($haveExpressConfigurationVA) { + LogMessage -LogMessage "Express configuration vulnerability assessment setting is already exist on this server. Cancelling script." + return +} ++if ($haveVaSetting) { + # Get server policy container path + $vaServerSetting = Get-AzSqlServerVulnerabilityAssessmentSetting -ResourceGroupName $ResourceGroupName -ServerName $ServerName + $vaServerPolicyStorage = $vaServerSetting.StorageAccountName + $vaServerPolicyContainer = $vaServerSetting.ScanResultsContainerName ++ $canRemoveVa = $true ++ # Go over each database and get the baseline (is exist). + $i = 0 + foreach ($database in $Databases) { + $i += 1 + $completed = ($i/$Databases.count) * 100 + Write-Progress -Activity "Processing" -Status "Progress:" -PercentComplete $completed + LogMessage -LogMessage "Starting to fetch baseline for $($database.DatabaseName) database." 
+ $vaDatabaseSetting = Get-AzSqlDatabaseVulnerabilityAssessmentSetting -ResourceGroupName $ResourceGroupName -ServerName $ServerName -DatabaseName $database.DatabaseName + $adsDatabasePolicy = Get-AzSqlDatabaseAdvancedThreatProtectionSetting -ResourceGroupName $ResourceGroupName -ServerName $ServerName -DatabaseName $database.DatabaseName + $adsDatabasePolicyEnabled = (![string]::IsNullOrEmpty($adsDatabasePolicy.ThreatDetectionState) -and $adsDatabasePolicy.ThreatDetectionState -eq "Enabled") -or (![string]::IsNullOrEmpty($adsDatabasePolicy.AdvancedThreatProtectionState) -and $adsDatabasePolicy.AdvancedThreatProtectionState -eq "Enabled") # Handle breaking changes in the command. + $containsDatabasePolicy = $adsDatabasePolicyEnabled -and ![string]::IsNullOrEmpty($vaDatabaseSetting.StorageAccountName) ++ if ($containsDatabasePolicy) { + # The database has database policy. Using the database policy storage. + $vaDatabasePolicyStorage = $vaDatabaseSetting.StorageAccountName + $vaDatabasePolicyContainer = $vaDatabaseSetting.ScanResultsContainerName + } + else { + $vaDatabasePolicyStorage = $vaServerPolicyStorage + $vaDatabasePolicyContainer = $vaServerPolicyContainer + } ++ try { + $baseline = GetBaselineConfigurationForDatabase -ServerName $ServerName -DatabaseName $database.DatabaseName -VaDatabasePolicyStorage $vaDatabasePolicyStorage -VaDatabasePolicyContainer $vaDatabasePolicyContainer + $baselines[$database.DatabaseName] = $baseline + LogMessage -LogMessage "Finished to fetch baseline for $($database.DatabaseName) database." + } + catch { + LogError "An error occurred: $($_.Exception.Message) while hndling $($database.DatabaseName) database." + $canRemoveVa = $false + } ++ } ++ # Get the baseline of master database (is exist). + try { + LogMessage -LogMessage "Starting to fetch baseline for master database." 
+ $baseline = GetBaselineConfigurationForDatabase -ServerName $ServerName -DatabaseName "master" -VaDatabasePolicyStorage $vaServerPolicyStorage -VaDatabasePolicyContainer $vaServerPolicyContainer + $baselines["master"] = $baseline + LogMessage -LogMessage "Finished to fetch baseline for database master." + } + catch { + LogError "An error occurred: $($_.Exception.Message) while hndling master database." + $canRemoveVa = $false + } - Write-Host "Classic Configurations detected." + ClearBaselineFolder - if(!$Force) - { - Write-Host "We are going to remove the current Vulnerability Assessment setting for this server and underlying databases, this step will reset all the Vulnerability Assessment scans and baseline for all databases ($($databases.Count) under this server)" - $Confirmation = Read-Host -Prompt "Do you approve (y/n)?" - if($Confirmation -ne "y") - { - Write-Host "You chose not to approve the migration process. Existing VA settings will not be changed." - return + if ($canRemoveVa) { + if (!$Force) { + LogMessage -LogMessage "We are going to remove the current Vulnerability Assessment settings for this server and underlying databases." + $Confirmation = Read-Host -Prompt "Do you approve (y/n)?" + if ($Confirmation -ne "y") { + LogMessage -LogMessage "You chose to stop the migration process. Existing VA settings will not be changed." + return + } }++ # Clear all server and databases policies + $i = 0 + foreach ($database in $Databases) { + $i += 1 + $completed = ($i/$Databases.count) * 100 + Write-Progress -Activity "Proccessing" -Status "Progress:" -PercentComplete $completed + LogMessage -LogMessage "Clear Vulnerability Assessment setting for '$($database.DatabaseName)' database." 
+ Clear-AzSqlDatabaseVulnerabilityAssessmentSetting -ResourceGroupName $ResourceGroupName -ServerName $ServerName -DatabaseName $database.DatabaseName + } ++ # Removing old server Vulnerability Assessment setting + LogMessage -LogMessage "Clear Vulnerability Assessment setting for '$($ServerName)' server." + Clear-AzSqlServerVulnerabilityAssessmentSetting -ResourceGroupName $ResourceGroupName -ServerName $ServerName }- - # Removing Classic Configuration database Vulnerability Assessment setting - foreach ($database in $Databases) - { - Write-Host "Clear Classic Configuration Vulnerability Assessment setting for '$($database.DatabaseName)' database" - Clear-AzSqlDatabaseVulnerabilityAssessmentSetting -ResourceGroupName $ResourceGroupName -ServerName $ServerName -DatabaseName $database.DatabaseName + else { + LogError "Migration cancelled. Fix errors and try again later." + return }+} ++# Set new SQL Vulnerability Assessment Setting +LogMessage -LogMessage "Add express configuration Vulnerability Assessment feature setting for '$($ServerName)' server." 
+$Response = SetSqlVulnerabilityAssessmentServerSetting -SubscriptionId $SubscriptionId -ResourceGroupName $ResourceGroupName -ServerName $ServerName - # Removing Classic Configuration server Vulnerability Assessment setting - Write-Host "Clear Classic Configuration Vulnerability Assessment setting for '$($ServerName)' server" - Clear-AzSqlServerVulnerabilityAssessmentSetting -ResourceGroupName $ResourceGroupName -ServerName $ServerName +if ($Response.Content.Contains("Enabled")) { + LogMessage -LogMessage "Congratulations, your server '$($ServerName)' server is set up with express configuration Vulnerability Assessment feature" +} +else { + LogMessage -LogMessage "There was a problem to enable express configuration Vulnerability Assessment feature on the '$($ServerName)' server, please try again" + return } -# Set Express Configuration SQL Vulnerability Assessment Setting -Write-Host "Add Express Configuration Vulnerability Assessment feature setting for '$($ServerName)' server" -$Respond = SetSqlVulnerabilityAssessmentServerSetting -SubscriptionId $SubscriptionId -ResourceGroupName $ResourceGroupName -ServerName $ServerName +# Run a new scan on all the databases +$i = 0 +foreach ($database in $Databases) { + $i += 1 + $completed = ($i/$Databases.count) * 100 + Write-Progress -Activity "Proccessing" -Status "Progress:" -PercentComplete $completed + LogMessage -LogMessage "Run scan on '$($database.DatabaseName)' database." + Retry -action { RunSqlVulnerabilityAssessmentScanOnUserDatabase -SubscriptionId $SubscriptionId -ResourceGroupName $ResourceGroupName -ServerName $ServerName -DatabaseName $database.DatabaseName } +} -if( $Respond.properties.state.Equals("Enabled") ) -{ - Write-Host "Congratulations! your server '$($ServerName)' server is set up with Vulnerability Assessment Express Configuration!" +LogMessage -LogMessage "Run scan on 'master' database." 
+Retry -action { RunSqlVulnerabilityAssessmentScanOnSystemDatabase -SubscriptionId $SubscriptionId -ResourceGroupName $ResourceGroupName -ServerName $ServerName -DatabaseName "master" } ++LogMessage -LogMessage "Wait for scan results.." +Start-Sleep 60 ++# Wait for scan results +$i = 0 +foreach ($database in $Databases) { + $i += 1 + $completed = ($i/$Databases.count) * 100 + Write-Progress -Activity "Proccessing" -Status "Progress:" -PercentComplete $completed + try { + LogMessage -LogMessage "Waiting for results for $($database.DatabaseName) database." + Retry -action { GetSqlVulnerabilityAssessmentScanOnUserDatabase -SubscriptionId $SubscriptionId -ResourceGroupName $ResourceGroupName -ServerName $ServerName -DatabaseName $database.DatabaseName } + LogMessage -LogMessage "Received results for $($database.DatabaseName) database." + } + catch { + LogMessage -LogMessage "Failed to get latest scan results for $($database.DatabaseName). Stopping the migration." + LogMessage -LogMessage "You can revert back to classic configuration. For more information: https://learn.microsoft.com/en-us/azure/defender-for-cloud/sql-azure-vulnerability-assessment-manage?tabs=express#revert-back-to-the-classic-configuration" + return + } }-else -{ - Write-Host "There was a problem to enable Vulnerability Assessment Express Configuration on the '$($ServerName)' server, please try again" ++try { + LogMessage -LogMessage "Waiting for results for master database" + Retry -action { GetSqlVulnerabilityAssessmentScanOnSystemDatabase -SubscriptionId $SubscriptionId -ResourceGroupName $ResourceGroupName -ServerName $ServerName -DatabaseName "master" } +} +catch { + LogMessage -LogMessage "Failed to get latest scan results for master. Stopping the migration" + LogMessage -LogMessage "You can revert back to classic configuration. 
For more information: https://learn.microsoft.com/en-us/azure/defender-for-cloud/sql-azure-vulnerability-assessment-manage?tabs=express#revert-back-to-the-classic-configuration" return } -# Scan on all the databases -foreach ($database in $Databases) -{ - Write-Host "Run scan on '$($database.DatabaseName)' database" - RunSqlVulnerabilityAssessmentScanOnUserDatabase -SubscriptionId $SubscriptionId -ResourceGroupName $ResourceGroupName -ServerName $ServerName -DatabaseName $database.DatabaseName +# Apply baselines from each database +$successMigration = @() +$failedMigration = @() +if (!$haveVaSetting) { + # no need to migrate baseline as there is no baseline to extract. + $successMigration = $databases }+else { + $i = 0 + foreach ($database in $Databases) { + $i += 1 + $completed = ($i/$Databases.count) * 100 + Write-Progress -Activity "Proccessing" -Status "Progress:" -PercentComplete $completed + try { + if (![string]::IsNullOrEmpty($baselines[$database.DatabaseName])) { + LogMessage -LogMessage "Applying baseline for '$($database.DatabaseName)' database." + Retry -action { SetSqlVulnerabilityAssessmentBaselineOnUserDatabase -SubscriptionId $SubscriptionId -ResourceGroupName $ResourceGroupName -ServerName $ServerName -DatabaseName $database.DatabaseName -Baseline $baselines[$database.DatabaseName] } + } + LogMessage -LogMessage "Baseline was successfully applied for '$($database.DatabaseName)' database." + $successMigration += $database.DatabaseName + } + catch { + LogError "Failed to set baseline for $($database.DatabaseName) database." + $failedMigration += $database.DatabaseName + } + } ++ try { + if (![string]::IsNullOrEmpty($baselines["master"])) { + LogMessage -LogMessage "Applying baseline for 'master' database." 
+ Retry -action { SetSqlVulnerabilityAssessmentBaselineOnSystemDatabase -SubscriptionId $SubscriptionId -ResourceGroupName $ResourceGroupName -ServerName $ServerName -DatabaseName "master" -Baseline $baselines["master"] } + $successMigration += "master" + } + } + catch { + LogError "Failed to set baseline for master database." + $failedMigration += "master" + } +} ++if ($successMigration.Count -eq 0) { + LogError "Failed to set baseline for all the databases." + LogMessage -LogMessage "You can revert back to classic configuration. For more information: https://learn.microsoft.com/en-us/azure/defender-for-cloud/sql-azure-vulnerability-assessment-manage?tabs=express#revert-back-to-the-classic-configuration" +} +elseif ($failedMigration.Count -eq 0) { + LogMessage -LogMessage "The migration process completed successfuly." +} +else { + LogMessage -LogMessage "The migration process completed. The migration was seccessful for $($successMigration -join ',') and unseccessful for $($failedMigration -join ',')" + LogMessage -LogMessage "You can revert back to classic configuration. For more information: https://learn.microsoft.com/en-us/azure/defender-for-cloud/sql-azure-vulnerability-assessment-manage?tabs=express#revert-back-to-the-classic-configuration" +} +``` ++For example: ++```powershell +Write-Host "-- Migrating To express configuration example --" -Write-Host "Run scan on 'master' database" -RunSqlVulnerabilityAssessmentScanOnSystemDatabase -SubscriptionId $SubscriptionId -ResourceGroupName $ResourceGroupName -ServerName $ServerName -DatabaseName "master" +$ServerName = "<Your server name>" # The server name. +$SubscriptionId = "<Your subscription>" # The subscription id that the servers belong to. +$ResourceGroupName = "<Your resource group name>" # The resource group name that the servers belong to. -Write-Host "The migration process completed, the new scan results will be available in a couple of minutes." 
+.\MigratingToExpressConfiguration.ps1 -SubscriptionId $SubscriptionId -ResourceGroupName $ResourceGroupName -ServerName |
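Review bot: in `Retry`, the final-failure branch (`else { LogError $_.Exception.Message; $ex = New-Object System.Exception($_.Exception.Message); throw $ex }`) runs after the `catch` block has closed, where `$_` is no longer the caught exception, so both the logged message and the rethrown exception will carry an empty text; capture the error inside the catch (for example `$lastError = $_`) and use that in the else branch. The `[Action]$action` parameter type is also a void delegate, so `$result = $action.Invoke(); return $result` can never hand the action's output back to a caller; if a result is ever needed, declare `[scriptblock]$action` and invoke it with `& $action`. Note too that only terminating errors reach the `catch`: a helper that emits a non-terminating error will be treated as success and never retried, so set `$ErrorActionPreference = 'Stop'` at the top of the script (or make the helpers throw) before relying on this loop.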
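Review bot: `ExtractBaselineBlobName($ServerName, $DatabaseName)` filters `$blobs`, which is not one of its parameters; it only works because `GetBaselineConfigurationForDatabase` assigns `$blobs` in an enclosing scope that PowerShell's dynamic scoping exposes to the callee. Pass the list explicitly (add a `$Blobs` parameter and call `ExtractBaselineBlobName -ServerName $ServerName -DatabaseName $DatabaseName -Blobs $blobs`) so the function cannot silently pick up a stale list from some other caller. In `GetBaselineConfigurationForDatabase`, `New-AzStorageContext -StorageAccountName $VaDatabasePolicyStorage` creates a context with no credential attached; the accompanying error text tells the operator to check for a Storage Blob Data Reader assignment, which implies the intent is Azure AD RBAC, and that is expressed as `New-AzStorageContext -StorageAccountName $VaDatabasePolicyStorage -UseConnectedAccount`. Without it, reading the baseline depends on anonymous access to the scan-results container, which should not be enabled on that storage account. The second `throw` in the same function reuses the "Failed to get blobs from the storage" message for an empty baseline download; give that step its own message so the operator knows which call failed.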
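Review bot: `HaveExpressConfigurationVulnerabilityAssessmentSetting` and the post-enable check both test `$Response.Content.Contains("Enabled")`, a substring match on the raw response body, whereas the removed code checked `$Respond.properties.state.Equals("Enabled")`; parse the body (for example `($Response.Content | ConvertFrom-Json).properties.state -eq "Enabled"`) so an unrelated occurrence of the word in the payload cannot be read as "already migrated" or "enabled successfully". In the baseline-apply loop, "Baseline was successfully applied for ... database." is logged and the name is added to `$successMigration` even when `$baselines[$database.DatabaseName]` was empty and nothing was applied; log a distinct "no baseline to apply" message for that case so the final summary is not misleading. When `!$haveVaSetting`, `$successMigration = $databases` stores database objects while the other branch stores names, so `$successMigration -join ','` would print type names rather than database names if that list were ever reported; use `$databases.DatabaseName` there. Finally, several operator-facing strings carry typos that will land in the log file ("Proccessing", "hndling", "successfuly", "seccessful", "is already exist"); worth fixing before this ships.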